AWS::SSM::ResourcePolicy
Creates or updates a Systems Manager resource policy. A resource policy helps you to define the IAM entity (for example, an Amazon Web Services account) that can manage your Systems Manager resources. Currently, OpsItemGroup is the only resource that supports Systems Manager resource policies. The resource policy for OpsItemGroup enables Amazon Web Services accounts to view and interact with OpsCenter operational work items (OpsItems). OpsCenter is a capability of Systems Manager.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::SSM::ResourcePolicy",
  "Properties" : {
      "Policy" : Json,
      "ResourceArn" : String
    }
}
YAML
Type: AWS::SSM::ResourcePolicy
Properties:
  Policy: Json
  ResourceArn: String
Properties
Policy
A policy you want to associate with a resource.
Required: Yes
Type: Json
Pattern: ^(?!\s*$).+
Update requires: No interruption
ResourceArn
The Amazon Resource Name (ARN) of the resource to which you want to attach a policy.
Required: Yes
Type: String
Minimum: 20
Maximum: 2048
Update requires: Replacement
Return values
Ref
Fn::GetAtt
PolicyHash
ID of the current policy version. The hash helps to prevent a situation where multiple users attempt to overwrite a policy. You must provide this hash and the policy ID when updating or deleting a policy.
PolicyId
ID of the current policy version.
Examples
Create a resource policy for OpsCenter
The following example specifies the management or delegated administrator account IDs for working with OpsItems across accounts.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Creates resources needed for a member account to work with OpsCenter OpsItems across multiple accounts.",
  "Parameters": {
    "AdminAccountIds": {
      "Description": "Allows one or more accounts to access OpsItems. Specify Amazon Organizations management account IDs and delegated administrator account IDs in a comma-separated list.",
      "Type": "CommaDelimitedList"
    },
    "ParentDeploymentRegion": {
      "Description": "Primary Amazon Web Services Region used for creating global resources such as IAM roles.",
      "Type": "String"
    }
  },
  "Conditions": {
    "IsParentDeploymentRegion": {
      "Fn::Equals": [
        { "Ref": "AWS::Region" },
        { "Ref": "ParentDeploymentRegion" }
      ]
    }
  },
  "Resources": {
    "OpsItemCrossAccountResourcePolicy": {
      "Type": "AWS::SSM::ResourcePolicy",
      "Properties": {
        "Policy": {
          "Fn::Sub": [
            "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowAdminAccountsToAccessOpsItems2\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"${AdminAccountIdsString}\"]},\"Action\":[\"ssm:CreateOpsItem\",\"ssm:AddTagsToResource\",\"ssm:GetOpsItem\",\"ssm:UpdateOpsItem\"],\"Resource\":[\"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:opsitem/*\",\"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:opsitemgroup/default\"]}]}",
            {
              "AdminAccountIdsString": {
                "Fn::Join": [
                  "\\\",\\\"",
                  { "Ref": "AdminAccountIds" }
                ]
              }
            }
          ]
        },
        "ResourceArn": {
          "Fn::Sub": "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:opsitemgroup/default"
        }
      }
    },
    "OpsItemCrossAccountExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Condition": "IsParentDeploymentRegion",
      "Properties": {
        "RoleName": "OpsItem-CrossAccountExecutionRole",
        "Description": "Role used by the management account or delegated administrator to remediate OpsItems",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Ref": "AdminAccountIds" }
              },
              "Condition": {
                "StringLike": {
                  "aws:PrincipalArn": {
                    "Fn::Split": [
                      ",",
                      {
                        "Fn::Sub": [
                          "arn:*:iam::${inner}:role/OpsItem-*Role*",
                          {
                            "inner": {
                              "Fn::Join": [
                                ":role/OpsItem-*Role*,arn:*:iam::",
                                { "Ref": "AdminAccountIds" }
                              ]
                            }
                          }
                        ]
                      }
                    ]
                  }
                }
              },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "Path": "/",
        "ManagedPolicyArns": [
          { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess" }
        ]
      }
    }
  }
}
YAML
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates resources needed for a member account to work with OpsCenter OpsItems across multiple accounts.
Parameters:
  AdminAccountIds:
    Description: Allows one or more accounts to access OpsItems. Specify Amazon Organizations management account IDs and delegated administrator account IDs in a comma-separated list.
    Type: CommaDelimitedList
  ParentDeploymentRegion:
    Description: Primary Amazon Web Services Region used for creating global resources such as IAM roles.
    Type: String
Conditions:
  IsParentDeploymentRegion:
    Fn::Equals:
      - !Ref 'AWS::Region'
      - !Ref ParentDeploymentRegion
Resources:
  OpsItemCrossAccountResourcePolicy:
    Type: AWS::SSM::ResourcePolicy
    Properties:
      Policy: !Sub
        - '{"Version":"2012-10-17","Statement":[{"Sid":"AllowAdminAccountsToAccessOpsItems2","Effect":"Allow","Principal":{"AWS":["${AdminAccountIdsString}"]},"Action":["ssm:CreateOpsItem","ssm:AddTagsToResource","ssm:GetOpsItem","ssm:UpdateOpsItem"],"Resource":["arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:opsitem/*","arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:opsitemgroup/default"]}]}'
        - AdminAccountIdsString:
            Fn::Join:
              - '\",\"'
              - !Ref AdminAccountIds
      ResourceArn:
        Fn::Sub: arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:opsitemgroup/default
  OpsItemCrossAccountExecutionRole:
    Type: AWS::IAM::Role
    Condition: IsParentDeploymentRegion
    Properties:
      RoleName: OpsItem-CrossAccountExecutionRole
      Description: 'Role used by the management account or delegated administrator to remediate OpsItems'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref AdminAccountIds
            Condition:
              StringLike:
                "aws:PrincipalArn": !Split
                  - ','
                  - !Sub
                    - 'arn:*:iam::${inner}:role/OpsItem-*Role*'
                    - inner: !Join
                        - ':role/OpsItem-*Role*,arn:*:iam::'
                        - Ref: AdminAccountIds
            Action:
              - sts:AssumeRole
      Path: '/'
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess'
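To check what the example template actually grants before deploying it, here is an added Python example (not from this page or from the Systems Manager documentation) that builds the resource policy the Fn::Sub yields for constructed sample account IDs, reviews it for least-privilege scoping, and reproduces the Fn::Join / Fn::Sub / Fn::Split chain that turns AdminAccountIds into the aws:PrincipalArn StringLike patterns of the role's trust policy. The account IDs, Region and pseudo-parameter values are made-up stand-ins, and the escaping of the template's Fn::Join delimiter is not modelled.

```python
import re
from fnmatch import fnmatchcase

# Constructed stand-ins for the AdminAccountIds parameter and pseudo parameters.
ADMIN_ACCOUNT_IDS = ["111111111111", "222222222222"]
PARTITION, REGION, ACCOUNT_ID = "aws", "us-east-1", "333333333333"
# The four OpsItem actions the page's example grants, and nothing else.
OPSITEM_ACTIONS = {"ssm:CreateOpsItem", "ssm:AddTagsToResource",
                   "ssm:GetOpsItem", "ssm:UpdateOpsItem"}

def rendered_policy(admin_ids, partition=PARTITION, region=REGION, account_id=ACCOUNT_ID):
    """Policy document the example's Fn::Sub yields once AdminAccountIds and the
    pseudo parameters are filled in (built directly as a dict; the escaping in
    the template's Fn::Join delimiter is deliberately not modelled)."""
    scope = f"arn:{partition}:ssm:{region}:{account_id}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAdminAccountsToAccessOpsItems2", "Effect": "Allow",
        "Principal": {"AWS": list(admin_ids)},
        "Action": sorted(OPSITEM_ACTIONS),
        "Resource": [f"{scope}:opsitem/*", f"{scope}:opsitemgroup/default"]}]}

def policy_findings(policy, account_id=ACCOUNT_ID):
    """Least-privilege review: each Allow must name 12-digit account principals
    only, grant only the OpsItem actions, and stay inside this account."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt["Principal"].get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            if not re.fullmatch(r"\d{12}", p):
                findings.append(f"principal not a plain account ID: {p}")
        for a in sorted(set(stmt["Action"]) - OPSITEM_ACTIONS):
            findings.append(f"action outside the OpsItem set: {a}")
        for r in stmt["Resource"]:
            if f":{account_id}:" not in r:
                findings.append(f"resource outside this account: {r}")
    return findings

def trusted_principal_arn_patterns(admin_ids):
    """Reproduce the trust policy's Fn::Join / Fn::Sub / Fn::Split chain: one
    aws:PrincipalArn StringLike pattern per admin account."""
    inner = ":role/OpsItem-*Role*,arn:*:iam::".join(admin_ids)
    return f"arn:*:iam::{inner}:role/OpsItem-*Role*".split(",")

def role_can_assume(caller_arn, admin_ids):
    """True if caller_arn matches any pattern ('*' and '?' behave as in fnmatch)."""
    return any(fnmatchcase(caller_arn, p) for p in trusted_principal_arn_patterns(admin_ids))
```

Running `policy_findings(rendered_policy(ADMIN_ACCOUNT_IDS))` returns an empty list for the example as written, and `role_can_assume` shows that only roles named OpsItem-*Role* in the listed admin accounts satisfy the trust policy's condition.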