Created
June 25, 2019 14:13
-
-
Save adamabernathy/4f47c5f17c3ecdd5fc04fe81e952fc47 to your computer and use it in GitHub Desktop.
Create EC2 with IAM role that can read S3 bucket.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| AWSTemplateFormatVersion: '2010-09-09' | |
| Description: >- | |
| Creates EC2 instance with an IAM role that can access an S3 Bucket (also created). | |
| Parameters: | |
| KeyPairName: | |
| Description: EC2 Instance SSH Key | |
| Type: AWS::EC2::KeyPair::KeyName | |
| InstanceType: | |
| Description: EC2 instance specs configuration | |
| Type: String | |
| Default: t2.micro | |
| AllowedValues: | |
| - t2.micro | |
| - t2.small | |
| - t2.medium | |
| BucketName: | |
| Description: S3 Bucket to be accessed by newly created EC2 | |
| Type: String | |
| Default: private-bucket | |
| Mappings: | |
| AMIs: | |
| us-east-1: | |
| Name: ami-8c1be5f6 | |
| us-east-2: | |
| Name: ami-c5062ba0 | |
| Resources: | |
| ResourceBucket: | |
| Type: AWS::S3::Bucket | |
| Properties: | |
| BucketName: !Sub '${AWS::StackName}-${AWS::Region}-${BucketName}' | |
| AccessControl: Private | |
| BucketEncryption: | |
| ServerSideEncryptionConfiguration: | |
| - ServerSideEncryptionByDefault: | |
| SSEAlgorithm: AES256 | |
| DeletionPolicy: Delete | |
| EC2Instance: | |
| Type: AWS::EC2::Instance | |
| Properties: | |
| InstanceType: !Ref InstanceType | |
| ImageId: !FindInMap | |
| - AMIs | |
| - !Ref AWS::Region | |
| - Name | |
| KeyName: !Ref KeyPairName | |
| IamInstanceProfile: !Ref EC2InstanceProfile | |
| SecurityGroupIds: | |
| - !Ref EC2InstanceSecGroup | |
| Tags: | |
| - Key: Name | |
| Value: S3BucketReader | |
| EC2InstanceSecGroup: | |
| Type: AWS::EC2::SecurityGroup | |
| Properties: | |
| GroupDescription: Allow SSH access from anywhere | |
| SecurityGroupIngress: | |
| - IpProtocol: tcp | |
| CidrIp: '0.0.0.0/0' | |
| FromPort: 22 | |
| ToPort: 22 | |
| Tags: | |
| - Key: Name | |
| Value: EC2InstanceSecGroup | |
| EC2InstanceProfile: | |
| Type: AWS::IAM::InstanceProfile | |
| Properties: | |
| Path: / | |
| Roles: | |
| - !Ref EC2InstanceRole | |
| EC2InstancePolicy: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyName: EC2InstancePolicy | |
| PolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - s3:* | |
| Resource: | |
| # You can also grant access to an existing bucket here | |
| - !Sub "arn:aws:s3:::${ResourceBucket}" | |
| Roles: | |
| - !Ref EC2InstanceRole | |
| EC2InstanceRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: | |
| - ec2.amazonaws.com | |
| Action: | |
| - sts:AssumeRole | |
| Path: / | |
| Outputs: | |
| EC2Instance: | |
| Description: EC2 IP address | |
| Value: !Join | |
| - '' | |
| - - ssh ec2-user@ | |
| - !GetAtt 'EC2Instance.PublicIp' | |
| - !Sub ' -i ${KeyPairName}.pem' | |
| S3Bucket: | |
| Description: S3 Bucket | |
| Value: !Ref S3Bucket | |
| ... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment