aws-solutions / media-services-application-mapper

Media Services Application Mapper is a browser-based tool that allows operators to visualize the structure and logical connections among AWS Media Services and supporting services in the cloud. The tool can be used as a top-down resource monitoring tool when integrated with CloudWatch.
Apache License 2.0

Update IAM role usage directions in Managed Instances guide #240

Closed JimTharioAmazon closed 2 years ago

JimTharioAmazon commented 3 years ago

It looks like we need an updated set of policy permissions for managed instances.

We need to create a role for managed instances (MSAM-Managed-Instances) that includes:

  1. AmazonSSMManagedInstanceCore (for basic control functionality), and
  2. Inline policy similar to AWSLambdaBasicExecutionRole with logging permissions:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
```
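Added example (not from the issue or the MSAM project): a small Python checker that takes a role description of the kind `aws iam get-role`, `list-attached-role-policies` and `get-role-policy` return, flattened into one dict, and reports whether it matches the two items above: the AmazonSSMManagedInstanceCore managed policy plus an inline policy granting exactly the three CloudWatch Logs actions. The dict layout, the `GOOD_ROLE` sample and the finding strings are constructed for this example.

```python
"""Check that an IAM role matches the MSAM-Managed-Instances role described above."""
from fnmatch import fnmatchcase

SSM_CORE = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
LOG_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}

# Inline policy from the issue (Resource "*", as in AWSLambdaBasicExecutionRole).
LOGGING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(LOG_ACTIONS), "Resource": "*"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]  # IAM allows a string or a list


def allowed_actions(policy):
    """Action patterns granted by the Allow statements of an identity policy."""
    acts = set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow":
            acts.update(_as_list(st.get("Action", [])))
    return acts


def check_managed_instance_role(role):
    """Return a list of findings; an empty list means the role matches the guide."""
    findings = []
    if SSM_CORE not in role.get("AttachedPolicyArns", []):
        findings.append("missing AmazonSSMManagedInstanceCore")
    acts = set()
    for doc in role.get("InlinePolicies", {}).values():
        acts |= allowed_actions(doc)
    # fnmatchcase lets "logs:*" or "*" count as covering a required action.
    missing = {a for a in LOG_ACTIONS if not any(fnmatchcase(a, p) for p in acts)}
    if missing:
        findings.append("logging actions not granted: " + ", ".join(sorted(missing)))
    broad = {p for p in acts if "*" in p}  # wildcard grants far more than the guide needs
    if broad:
        findings.append("wildcard actions: " + ", ".join(sorted(broad)))
    extra = acts - LOG_ACTIONS - broad
    if extra:
        findings.append("actions beyond the guide: " + ", ".join(sorted(extra)))
    return findings


# Constructed role dict matching the issue's description (not real account data).
GOOD_ROLE = {"RoleName": "MSAM-Managed-Instances", "AttachedPolicyArns": [SSM_CORE],
             "InlinePolicies": {"cloudwatch-logs": LOGGING_POLICY}}
```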
JimTharioAmazon commented 3 years ago

@jleyvacorrivium FYI

JimTharioAmazon commented 2 years ago

The SSM team has updated their documentation about assigning roles to managed instances, and calls out different levels of role, including one for CloudWatch logging. We link to this from our MANAGED_INSTANCES.md guide.

https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html