About the configuration profile IAM role - Amazon AppConfig

About the configuration profile IAM role

You can create the IAM role that provides access to the configuration data by using Amazon AppConfig, or you can create the IAM role yourself. If you create the role by using Amazon AppConfig, the system creates the role and attaches one of the following permissions policies, depending on which type of configuration source you choose.

Configuration source is a Secrets Manager secret

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws-cn:secretsmanager:Amazon Web Services Region:account_ID:secret:secret_name-a1b2c3"
            ]
        }
    ]
}

Configuration source is a Parameter Store parameter

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws-cn:ssm:Amazon Web Services Region:account_ID:parameter/parameter_name"
            ]
        }
    ]
}

Configuration source is an SSM document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetDocument"
            ],
            "Resource": [
                "arn:aws-cn:ssm:Amazon Web Services Region:account_ID:document/document_name"
            ]
        }
    ]
}

If you create the role by using Amazon AppConfig, the system also creates the following trust relationship for the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "appconfig.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
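
If you create the role yourself, you can compare it against the generated policies above. The following is an added example, not part of the original documentation or of Amazon AppConfig: a Python check that reports where a permissions policy or trust policy is broader than the ones shown on this page. The function names, the source-type labels, and the sample policies (Region, account ID, extra action and extra service principal) are constructed for illustration.

```python
EXPECTED_ACTION = {  # keys are labels chosen for this example
    "secret": "secretsmanager:GetSecretValue",
    "parameter": "ssm:GetParameter",
    "document": "ssm:GetDocument",
}
TRUSTED_SERVICE = "appconfig.amazonaws.com"
# Constructed sample: a hand-written role broader than the generated one.
LOOSE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"],
    "Resource": "arn:aws-cn:ssm:cn-north-1:111122223333:parameter/*"}]}
LOOSE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["appconfig.amazonaws.com", "ec2.amazonaws.com"]}}]}

def _as_list(value):  # IAM accepts a string or a list in these fields
    return value if isinstance(value, list) else [value]

def audit_permissions(policy, source_type):
    """Report each Allow that exceeds the one read action on a named resource."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource in an Allow statement")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != EXPECTED_ACTION[source_type].lower():
                findings.append(f"unexpected action: {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings.append(f"wildcard resource: {resource}")
    return findings

def audit_trust(policy):
    """Report each principal other than the AppConfig service in the trust policy."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            principal = {"Any": principal}
        for kind, values in principal.items():
            for value in _as_list(values):
                if (kind, value) != ("Service", TRUSTED_SERVICE):
                    findings.append(f"unexpected principal: {kind}={value}")
    return findings

if __name__ == "__main__":
    print(audit_permissions(LOOSE_PERMISSIONS, "parameter"), audit_trust(LOOSE_TRUST))
```

An empty list from both functions means the role grants no more than the generated policies; each finding names the action, resource or principal to remove or narrow.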