AWSTemplateFormatVersion: "2010-09-09"
# One IAM group whose members may open Session Manager sessions to a single
# EC2 instance and rotate their own access keys; up to five member users.
Description: "Sample CloudFormation Template for Use of SSM Session Manager."
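# Console-only presentation hints: groups the input parameters per user and
# gives them readable labels. No effect on the provisioned resources.
Metadata:
  "AWS::CloudFormation::Interface":
    ParameterGroups:
      - Label:
          default: "EC2 Instance"
        Parameters:
          - EC2InstanceId
      - Label:
          default: "IAM Group"
        Parameters:
          - NameOfIamGroup
          - NameOfIamPolicyForSsmSession
          - NameOfIamPolicyForRotatingAccessKey
      - Label:
          default: "IAM User 01"
        Parameters:
          - NameOfIamUser01
      - Label:
          default: "IAM User 02"
        Parameters:
          - CreateIamUser02
          - NameOfIamUser02
      - Label:
          default: "IAM User 03"
        Parameters:
          - CreateIamUser03
          - NameOfIamUser03
      - Label:
          default: "IAM User 04"
        Parameters:
          - CreateIamUser04
          - NameOfIamUser04
      - Label:
          default: "IAM User 05"
        Parameters:
          - CreateIamUser05
          - NameOfIamUser05
    ParameterLabels:
      EC2InstanceId:
        default: "EC2 Instance ID"
      NameOfIamGroup:
        default: "Name of IAM Group"
      NameOfIamPolicyForSsmSession:
        # Typo fixed: "Executiong" -> "Executing" (label shown in the console).
        default: "Name of IAM Policy For Executing SSM Session Manager"
      NameOfIamPolicyForRotatingAccessKey:
        default: "Name of IAM Policy For Rotating Access Key"
      NameOfIamUser01:
        default: "User Name"
      CreateIamUser02:
        default: "User Create"
      NameOfIamUser02:
        default: "User Name"
      CreateIamUser03:
        default: "User Create"
      NameOfIamUser03:
        default: "User Name"
      CreateIamUser04:
        default: "User Create"
      NameOfIamUser04:
        default: "User Name"
      CreateIamUser05:
        default: "User Create"
      NameOfIamUser05:
        default: "User Name"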
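# ------------------------------------------------------------#
# Input Parameters
# ------------------------------------------------------------#
# The CreateIamUserNN flags are String parameters, so their default and
# allowed values are quoted: left bare, a YAML parser reads true/false as
# booleans rather than the strings the Conditions section compares against.
Parameters:
  EC2InstanceId:
    Type: AWS::EC2::Instance::Id
    Description: "The single EC2 instance that group members may reach with Session Manager."
  NameOfIamGroup:
    Type: String
    Default: "SSM-Session-Manager_Executors"
    Description: "Name of the IAM group that receives both policies; all users below join it."
  NameOfIamPolicyForSsmSession:
    Type: String
    Default: "Execute_SSM-Session-Manager_to_Specific-Instance"
    Description: "Name of the inline group policy allowing ssm:StartSession on the instance."
  NameOfIamPolicyForRotatingAccessKey:
    Type: String
    Default: "Rotate_Self-AccessKey"
    Description: "Name of the inline group policy allowing members to rotate their own access keys."
  NameOfIamUser01:
    Type: String
    Default: "IAM-User01"
    Description: "User 01 is always created."
  CreateIamUser02:
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
    Description: "Set to true to create IAM user 02 and its access key."
  NameOfIamUser02:
    Type: String
    Default: "IAM-User02"
  CreateIamUser03:
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
    Description: "Set to true to create IAM user 03 and its access key."
  NameOfIamUser03:
    Type: String
    Default: "IAM-User03"
  CreateIamUser04:
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
    Description: "Set to true to create IAM user 04 and its access key."
  NameOfIamUser04:
    Type: String
    Default: "IAM-User04"
  CreateIamUser05:
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
    Description: "Set to true to create IAM user 05 and its access key."
  NameOfIamUser05:
    Type: String
    Default: "IAM-User05"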
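# ------------------------------------------------------------#
# Conditions
# ------------------------------------------------------------#
# One condition per optional user; each gates both the user and its access
# key (and the matching outputs). The comparison value is the quoted string
# "true" because the CreateIamUserNN parameters are of Type String.
Conditions:
  CreateIamUser02True: !Equals [!Ref CreateIamUser02, "true"]
  CreateIamUser03True: !Equals [!Ref CreateIamUser03, "true"]
  CreateIamUser04True: !Equals [!Ref CreateIamUser04, "true"]
  CreateIamUser05True: !Equals [!Ref CreateIamUser05, "true"]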
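Resources:
  # ------------------------------------------------------------#
  # IAM Group
  # ------------------------------------------------------------#
  # Group that carries both inline policies; every user below is a member.
  IamGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Ref NameOfIamGroup

  # Session Manager access for group members, restricted to the one
  # instance named by EC2InstanceId (shell or port-forwarding session).
  # TerminateSession is limited to sessions whose ID carries the caller's
  # own user name as prefix, so members cannot end each other's sessions.
  IamPolicyForSsmSession:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Ref NameOfIamPolicyForSsmSession
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - ssm:StartSession
            Resource:
              - !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/${EC2InstanceId}"
              - !Sub "arn:aws:ssm:${AWS::Region}::document/AWS-StartPortForwardingSession"
          - Effect: Allow
            Action:
              - ssm:TerminateSession
            # ${aws:username} is an IAM policy variable resolved by IAM, not a
            # CloudFormation substitution, so this is deliberately a plain string.
            Resource: "arn:aws:ssm:*:*:session/${aws:username}-*"
      Groups:
        - !Ref IamGroup

  # Self-service key rotation, pinned to the caller's own user ARN. The
  # original grant (Create/Delete only) could not list or deactivate a key,
  # so rotation meant deleting a live key; ListAccessKeys and UpdateAccessKey
  # allow the usual create -> deactivate old -> delete old sequence.
  IamPolicyForRotatingAccessKey:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Ref NameOfIamPolicyForRotatingAccessKey
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - iam:CreateAccessKey
              - iam:DeleteAccessKey
              - iam:ListAccessKeys
              - iam:UpdateAccessKey
            # "${!aws:username}" is Fn::Sub's literal escape; it renders as
            # "${aws:username}" in the policy, which IAM then resolves per caller.
            # This replaces the former Fn::Join of a Sub'd prefix and a raw suffix.
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:user/${!aws:username}"
      Groups:
        - !Ref IamGroup

  # ------------------------------------------------------------#
  # IAM Users
  # ------------------------------------------------------------#
  # Each user gets one Active long-lived access key at creation time; the key
  # secret is surfaced through the stack Outputs. Users 02-05 exist only when
  # the matching CreateIamUserNNTrue condition holds.
  IamUser01:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref NameOfIamUser01
      Groups:
        - !Ref IamGroup
  AccessKey01:
    Type: AWS::IAM::AccessKey
    Properties:
      Status: Active
      UserName: !Ref IamUser01

  IamUser02:
    Type: AWS::IAM::User
    Condition: CreateIamUser02True
    Properties:
      UserName: !Ref NameOfIamUser02
      Groups:
        - !Ref IamGroup
  AccessKey02:
    Type: AWS::IAM::AccessKey
    Condition: CreateIamUser02True
    Properties:
      Status: Active
      UserName: !Ref IamUser02

  IamUser03:
    Type: AWS::IAM::User
    Condition: CreateIamUser03True
    Properties:
      UserName: !Ref NameOfIamUser03
      Groups:
        - !Ref IamGroup
  AccessKey03:
    Type: AWS::IAM::AccessKey
    Condition: CreateIamUser03True
    Properties:
      Status: Active
      UserName: !Ref IamUser03

  IamUser04:
    Type: AWS::IAM::User
    Condition: CreateIamUser04True
    Properties:
      UserName: !Ref NameOfIamUser04
      Groups:
        - !Ref IamGroup
  AccessKey04:
    Type: AWS::IAM::AccessKey
    Condition: CreateIamUser04True
    Properties:
      Status: Active
      UserName: !Ref IamUser04

  IamUser05:
    Type: AWS::IAM::User
    Condition: CreateIamUser05True
    Properties:
      UserName: !Ref NameOfIamUser05
      Groups:
        - !Ref IamGroup
  AccessKey05:
    Type: AWS::IAM::AccessKey
    Condition: CreateIamUser05True
    Properties:
      Status: Active
      UserName: !Ref IamUser05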
# ------------------------------------------------------------#
# OUTPUTS
# ------------------------------------------------------------#
# NOTE(review): the *SecretAccessKey outputs expose long-lived credentials in
# plaintext to anyone who can describe the stack. Output names are kept as
# they are because consumers may reference them; a secret store is the
# safer hand-off for new deployments.
# Outputs for users 02-05 carry the same condition as their resources.
Outputs:
  01AccessKey:
    Description: "Access Key of IAM User 01"
    Value: !Ref AccessKey01
  01SecretAccessKey:
    Description: "Secret Access Key of IAM User 01"
    Value: !GetAtt AccessKey01.SecretAccessKey

  02AccessKey:
    Condition: CreateIamUser02True
    Description: "Access Key of IAM User 02"
    Value: !Ref AccessKey02
  02SecretAccessKey:
    Condition: CreateIamUser02True
    Description: "Secret Access Key of IAM User 02"
    Value: !GetAtt AccessKey02.SecretAccessKey

  03AccessKey:
    Condition: CreateIamUser03True
    Description: "Access Key of IAM User 03"
    Value: !Ref AccessKey03
  03SecretAccessKey:
    Condition: CreateIamUser03True
    Description: "Secret Access Key of IAM User 03"
    Value: !GetAtt AccessKey03.SecretAccessKey

  04AccessKey:
    Condition: CreateIamUser04True
    Description: "Access Key of IAM User 04"
    Value: !Ref AccessKey04
  04SecretAccessKey:
    Condition: CreateIamUser04True
    Description: "Secret Access Key of IAM User 04"
    Value: !GetAtt AccessKey04.SecretAccessKey

  05AccessKey:
    Condition: CreateIamUser05True
    Description: "Access Key of IAM User 05"
    Value: !Ref AccessKey05
  05SecretAccessKey:
    Condition: CreateIamUser05True
    Description: "Secret Access Key of IAM User 05"
    Value: !GetAtt AccessKey05.SecretAccessKey