Example CloudFormation stack
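Below is an example of the CloudFormation (CFN) stack that is deployed to your AWS account when you add that account as a Source in your Elastio tenant. For easier reading, you may want to copy this JSON to a file on your machine and review it there. When reviewing, note which statements are limited by an `elastio-*` resource-name pattern or by the `aws:ResourceTag/elastio:resource` tag condition, and which are granted on `"Resource": "*"` without any condition.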
Important! Please do not attempt to use this example to deploy to your AWS account. All deployments should be done through the Elastio tenant.
{
"Resources": {
"connectoraccountiampoliciesSqsLambdaEventSourceMapping4AA6433D": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sqs:ReceiveMessage",
"sqs:GetQueueAttributes",
"sqs:DeleteMessage"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"Description": "Allow lambda event source mapping to read from SQS managed by Elastio",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/connector-account-iam-policies/SqsLambdaEventSourceMapping/Resource"
}
},
"connectoraccountiampoliciesSqsSendMessageFB188D42": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"Description": "Allow sending messages to SQS managed by Elastio",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/connector-account-iam-policies/SqsSendMessage/Resource"
}
},
"connectoraccountiampoliciesManageDynamoDbData598770AC": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"Description": "Allow read/write access to data stored in DynamoDB tables managed by Elastio",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/connector-account-iam-policies/ManageDynamoDbData/Resource"
}
},
"connectoraccountiampoliciesElastioInstallerPart1F41F0414": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:DescribeScalingPolicies",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:DeregisterScalableTarget",
"application-autoscaling:RegisterScalableTarget",
"application-autoscaling:DeleteScalingPolicy"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeScalingActivities"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:CreateOrUpdateTags"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:autoscaling:*:",
{
"Ref": "AWS::AccountId"
},
":autoScalingGroup:*:autoScalingGroupName/elastio-*"
]
]
}
},
{
"Action": [
"sns:Unsubscribe",
"sns:DeleteTopic",
"sns:CreateTopic",
"sns:SetSubscriptionAttributes",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListTagsForResource",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:TagResource"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sns:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*"
]
]
}
},
{
"Action": [
"sqs:CreateQueue",
"sqs:DeleteQueue",
"sqs:TagQueue",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListQueueTags",
"sqs:SetQueueAttributes"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sqs:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*"
]
]
}
},
{
"Action": [
"scheduler:CreateSchedule",
"scheduler:GetSchedule",
"scheduler:DeleteSchedule",
"scheduler:UpdateSchedule"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:scheduler:*:",
{
"Ref": "AWS::AccountId"
},
":schedule/elastio-*"
]
]
}
},
{
"Action": [
"scheduler:ListTagsForResource",
"scheduler:GetScheduleGroup",
"scheduler:CreateScheduleGroup",
"scheduler:TagResource"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:scheduler:*:",
{
"Ref": "AWS::AccountId"
},
":schedule-group/elastio-*"
]
]
}
},
{
"Action": "scheduler:DeleteScheduleGroup",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:CreateFunction",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"lambda:DeleteFunction",
"lambda:DeleteFunctionEventInvokeConfig",
"lambda:AddPermission",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetFunctionCodeSigningConfig",
"lambda:GetFunctionEventInvokeConfig",
"lambda:GetPolicy",
"lambda:ListVersionsByFunction",
"lambda:PutFunctionEventInvokeConfig",
"lambda:RemovePermission",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"lambda:TagResource"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "lambda:GetEventSourceMapping",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"lambda:UpdateEventSourceMapping",
"lambda:CreateEventSourceMapping",
"lambda:DeleteEventSourceMapping"
],
"Condition": {
"StringLike": {
"lambda:FunctionArn": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:CreateBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLogging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketRequestPayment",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetObjectTagging",
"s3:GetObjectVersion",
"s3:GetObjectRetention",
"s3:PutObjectRetention",
"s3:GetReplicationConfiguration",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketObjectLockConfiguration",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketPublicAccessBlock",
"s3:GetBucketPublicAccessBlock",
"s3:PutBucketOwnershipControls",
"s3:GetBucketOwnershipControls"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-report*"
},
{
"Action": [
"s3:DeleteBucket",
"s3:GetObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::elastio-vault-*"
},
{
"Action": [
"s3:PutObject*",
"s3:GetObject*",
"s3:DeleteObject",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-account-level-stack-tfstate*"
},
{
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-artifacts-*"
},
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*"
]
]
}
},
{
"Action": "iam:GetRole",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/ElastioInstaller"
]
]
}
},
{
"Action": [
"kms:CreateKey",
"kms:CreateGrant",
"kms:ListResourceTags",
"kms:PutKeyPolicy",
"kms:TagResource",
"kms:ListAliases"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:UntagResource"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:CreateAlias",
"kms:DeleteAlias",
"kms:UpdateAlias"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:kms:*:",
{
"Ref": "AWS::AccountId"
},
":alias/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:kms:*:",
{
"Ref": "AWS::AccountId"
},
":key/*"
]
]
}
]
},
{
"Action": "kms:ScheduleKeyDeletion",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "kms:ScheduleKeyDeletion",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:vault": "*"
}
},
"Effect": "Deny",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameter",
"ssm:AddTagsToResource",
"ssm:ListTagsForResource",
"ssm:DeleteParameter",
"ssm:PutParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": [
"ssm:DescribeParameters",
"ssm:GetParameters"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "cur:DescribeReportDefinitions",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:cur:*:",
{
"Ref": "AWS::AccountId"
},
":definition/*"
]
]
}
},
{
"Action": [
"cur:PutReportDefinition",
"cur:DeleteReportDefinition",
"cur:ModifyReportDefinition"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:cur:*:",
{
"Ref": "AWS::AccountId"
},
":definition/elastio-*"
]
]
}
},
{
"Action": [
"states:CreateStateMachine",
"states:DeleteStateMachine",
"states:DescribeStateMachine",
"states:UpdateStateMachine",
"states:ListTagsForResource",
"states:TagResource",
"states:ListStateMachineVersions"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:states:*:",
{
"Ref": "AWS::AccountId"
},
":stateMachine:elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"Description": "Part of actions required for Elastio installation. Those had to be moved from the role's inline policy because the amount of permissions was reaching the limit",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/connector-account-iam-policies/ElastioInstallerPart1/Resource"
}
},
"connectoraccountiampoliciesElastioInstallerPart2B4DA9CB6": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:ListStacks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "cloudformation:GetTemplate",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:cloudformation:*:",
{
"Ref": "AWS::AccountId"
},
":stack/elastio-account-level-stack/*"
]
]
}
},
{
"Action": "dynamodb:DeleteTable",
"Effect": "Deny",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-vault-*"
]
]
}
},
{
"Action": [
"dynamodb:CreateTable",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:ListTagsOfResource",
"dynamodb:UpdateTimeToLive",
"dynamodb:UpdateContinuousBackups",
"dynamodb:TagResource"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
}
},
{
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-account-level-stack-tflocks*"
]
]
}
},
{
"Action": [
"batch:Create*",
"batch:Describe*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "batch:*",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":compute-environment/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":job-queue/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":job-definition/elastio-*"
]
]
}
]
},
{
"Action": [
"ecs:TagResource",
"ecs:UntagResource"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":*/elastio-*"
]
]
}
},
{
"Action": [
"ecs:CreateCapacityProvider",
"ecs:CreateCluster",
"ecs:ListTasks",
"ecs:DescribeTasks",
"ecs:DescribeClusters",
"ecs:RegisterTaskDefinition",
"ecs:DescribeTaskDefinition",
"ecs:DeregisterTaskDefinition",
"ecs:PutClusterCapacityProviders"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:DescribeCapacityProviders",
"ecs:UpdateCapacityProvider",
"ecs:DeleteCapacityProvider"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":capacity-provider/elastio-*"
]
]
}
},
{
"Action": "ecs:DescribeCapacityProviders",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":capacity-provider/*"
]
]
}
},
{
"Action": [
"ecs:DescribeServices",
"ecs:CreateService",
"ecs:DeleteService",
"ecs:UpdateService"
],
"Condition": {
"StringLike": {
"ecs:cluster": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":cluster/elastio-*"
]
]
}
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:DeleteCluster",
"ecs:UpdateCluster"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":cluster/elastio-*"
]
]
}
},
{
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeRouteTables",
"ec2:DescribeRegions",
"ec2:DescribeTags",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeNatGateways",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DeleteLaunchTemplate",
"ec2:ModifyLaunchTemplate",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteTags"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"cloudwatch:DescribeAlarms",
"cloudwatch:ListTagsForResource"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"cloudwatch:DeleteAlarms",
"cloudwatch:PutMetricAlarm"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:cloudwatch:*:",
{
"Ref": "AWS::AccountId"
},
":alarm:elastio-*"
]
]
}
},
{
"Action": [
"events:DeleteRule",
"events:DisableRule",
"events:EnableRule",
"events:DescribeRule",
"events:ListTargetsByRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"events:TagResource"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:events:*:",
{
"Ref": "AWS::AccountId"
},
":rule/elastio-*"
]
]
}
},
{
"Action": "events:ListTagsForResource",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"events:CreateEventBus",
"events:DeleteEventBus",
"events:DescribeEventBus",
"events:TagResource"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:events:*:",
{
"Ref": "AWS::AccountId"
},
":event-bus/elastio-*"
]
]
}
},
{
"Action": "logs:DescribeLogGroups",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:ListTagsLogGroup",
"logs:CreateLogGroup",
"logs:PutRetentionPolicy",
"logs:TagLogGroup",
"logs:DeleteLogGroup"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:logs:*:",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/*/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:logs:*:",
{
"Ref": "AWS::AccountId"
},
":log-group:/ecs/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:logs:*:",
{
"Ref": "AWS::AccountId"
},
":log-group:sns/*/",
{
"Ref": "AWS::AccountId"
},
"/elastio-*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"Description": "Part of actions required for Elastio installation. Those had to be moved from the role's inline policy because the amount of permissions was reaching the limit",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/connector-account-iam-policies/ElastioInstallerPart2/Resource"
}
},
"customeriampolicieslocalbackup9F84C0E3": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-read"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-ingest"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-lifecycle"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-jobs-status-service"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-write"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"Description": "Allows stream, file, and block backups",
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"ElastioLocalBackup",
{
"Ref": "customerManagedPoliciesNameSuffix"
}
]
]
},
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/customer-iam-policies/local-backup/Resource"
}
},
"customeriampoliciesmountandrestoreE2941243": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-read"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-lifecycle"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-jobs-status-service"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-read"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"Description": "Allows performing of non-agentless restores and mounts of all backups.",
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"ElastioMountAndRestore",
{
"Ref": "customerManagedPoliciesNameSuffix"
}
]
]
},
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/customer-iam-policies/mount-and-restore/Resource"
}
},
"customeriampoliciesagentlessbackupandrestore43E241D3": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-read"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-ingest"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-lifecycle"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-bg-jobs-service"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-write"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-read"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-jobs-status-service"
]
]
}
]
},
{
"Action": [
"ec2:DescribeHosts",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"Description": "Allows the running of (background) agentless backups of EC2 and EBS, as well as restoring them, and running all other background jobs as well.NOTE: this is a sensitive policy, the ability to run background jobs is a very powerful permission to grant.",
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"ElastioAgentlessBackupAndRestore",
{
"Ref": "customerManagedPoliciesNameSuffix"
}
]
]
},
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/customer-iam-policies/agentless-backup-and-restore/Resource"
}
},
"customeriampoliciesjobsadminF14BFF42": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-read"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-ingest"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-lifecycle"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-bg-jobs-service"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-write"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-read"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-jobs-status-service"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-jobs-status-service-force-abort"
]
]
}
]
},
{
"Action": [
"ec2:DescribeHosts",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"Description": "Allows to run all background jobs (which means the ability to create and restore all agentless backups),and also the ability to force-abort all jobs.",
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"ElastioJobsAdmin",
{
"Ref": "customerManagedPoliciesNameSuffix"
}
]
]
},
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/customer-iam-policies/jobs-admin/Resource"
}
},
"customeriampoliciesbackupadmin85DB0DE7": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-read"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-ingest"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-update"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-soft-delete"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-catalog-service-post-backup-check"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-lifecycle"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-jobs-status-service"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-read"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-provisioner-service-write"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-bg-jobs-service"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-jobs-status-service-force-abort"
]
]
}
]
},
{
"Action": [
"ec2:DescribeHosts",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"Description": "Combines ElastioCreateBackups, ElastioRestoreBackups, plus the abilityto run arbitrary background jobs and to (soft) delete recovery points.",
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"ElastioBackupAdmin",
{
"Ref": "customerManagedPoliciesNameSuffix"
}
]
]
},
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/customer-iam-policies/backup-admin/Resource"
}
},
"customeriampoliciesfulladminF784E9F0": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": [
"cloudformation:DescribeStacks",
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"ssm:DescribeParameters",
"autoscaling:CreateAutoscalingGroup",
"batch:Describe*",
"autoscaling:Describe*",
"batch:Create*",
"ecs:Create*",
"ecs:Describe*",
"ecs:RegisterTaskDefinition",
"ecs:DeregisterTaskDefinition",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:Create*",
"ec2:Describe*",
"ec2:RunInstances",
"application-autoscaling:DescribeScalingPolicies",
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:RegisterScalableTarget",
"application-autoscaling:DeregisterScalableTarget",
"application-autoscaling:DeleteScalingPolicy"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "kms:ListAliases",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:CreateAlias",
"kms:DeleteAlias"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:kms:*:",
{
"Ref": "AWS::AccountId"
},
":alias/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:kms:*:",
{
"Ref": "AWS::AccountId"
},
":key/*"
]
]
}
]
},
{
"Action": [
"kms:CreateKey",
"kms:CreateGrant",
"kms:PutKeyPolicy",
"kms:ListResourceTags",
"kms:TagResource",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ScheduleKeyDeletion"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:*",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:*",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:autoscaling:*:",
{
"Ref": "AWS::AccountId"
},
":autoScalingGroup:*:autoScalingGroupName/elastio-*"
]
]
}
},
{
"Action": "batch:*",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":compute-environment/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":job-queue/elastio-*"
]
]
}
]
},
{
"Action": "ssm:GetParameter",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "ecs:*",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":capacity-provider/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":service/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":cluster/elastio-*"
]
]
}
]
},
{
"Action": "ssm:*",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
}
},
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "dynamodb:*",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
}
},
{
"Action": "cloudformation:*",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:cloudformation:*:",
{
"Ref": "AWS::AccountId"
},
":stack/elastio-*"
]
]
}
},
{
"Action": "iam:*",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*"
]
]
}
},
{
"Action": "events:*",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:events:*:",
{
"Ref": "AWS::AccountId"
},
":rule/elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"Description": "Like the AWS built-in AdministratorAccess policy, except this limits the permissions granted to only those needed to perform all Elastio operations.",
"ManagedPolicyName": {
"Fn::Join": [
"",
[
"ElastioFullAdmin",
{
"Ref": "customerManagedPoliciesNameSuffix"
}
]
]
},
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "account-level-stack/customer-iam-policies/full-admin/Resource"
}
},
"tfstate42168D51": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"LifecycleConfiguration": {
"Rules": [
{
"NoncurrentVersionExpiration": {
"NoncurrentDays": 30
},
"Status": "Enabled"
}
]
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
],
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "account-level-stack/tf/state/Resource"
}
},
"tfstatePolicy19BC2525": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "tfstate42168D51"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": false
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": {
"Fn::GetAtt": [
"tfstate42168D51",
"Arn"
]
},
"Sid": "Secure access only"
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "account-level-stack/tf/state/Policy/Resource"
}
},
"tflocks48A1C6E6": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"KeySchema": [
{
"AttributeName": "LockID",
"KeyType": "HASH"
}
],
"AttributeDefinitions": [
{
"AttributeName": "LockID",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "account-level-stack/tf/locks/Resource"
}
},
"tfpublicAccessBlocklambdaexecutionRole26C9E41D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/tf/publicAccessBlock/lambda/executionRole/Resource"
}
},
"tfpublicAccessBlocklambdaexecutionRoleDefaultPolicyC94F5765": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"s3:PutBucketPublicAccessBlock",
"s3:GetBucketPublicAccessBlock"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"tfstate42168D51",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "tfpublicAccessBlocklambdaexecutionRoleDefaultPolicyC94F5765",
"Roles": [
{
"Ref": "tfpublicAccessBlocklambdaexecutionRole26C9E41D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/tf/publicAccessBlock/lambda/executionRole/DefaultPolicy/Resource"
}
},
"tfpublicAccessBlocklambdafunctionACCEFBBD": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": "const https = require(\"https\");\nconst url = require(\"url\");\n\n// The `send` function code source https://github.com/ispyinternet/cfn-response-promise/blob/master/index.js\n// Built-in `cfn-response` module doesn't work for async handlers.\nfunction sendImp(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n) {\n return new Promise((resolve, reject) => {\n let reason = `See the details in CloudWatch Log Stream: ${context.logStreamName}`;\n if (responseStatus === \"FAILED\" && responseData.error) {\n reason += ` Error: ${responseData.error}`;\n }\n\n var responseBody = JSON.stringify({\n Status: responseStatus,\n Reason: reason,\n PhysicalResourceId: physicalResourceId || context.logStreamName,\n StackId: event.StackId,\n RequestId: event.RequestId,\n LogicalResourceId: event.LogicalResourceId,\n NoEcho: noEcho || false,\n Data: responseData,\n });\n\n console.log(\"Response body:\\n\", responseBody);\n\n var parsedUrl = url.parse(event.ResponseURL);\n var options = {\n hostname: parsedUrl.hostname,\n port: 443,\n path: parsedUrl.path,\n method: \"PUT\",\n headers: {\n \"content-type\": \"\",\n \"content-length\": responseBody.length,\n },\n };\n\n var request = https.request(options, function (response) {\n console.log(\"Status code: \" + response.statusCode);\n console.log(\"Status message: \" + response.statusMessage);\n\n if (response.statusCode < 400) {\n resolve();\n return;\n }\n\n const message = `Response status ${response.statusCode}: ${response.statusMessage}`;\n reject(new Error(message));\n });\n\n request.on(\"error\", function (error) {\n console.log(\n \"send(..) 
failed executing https.request(..): \" + error,\n );\n reject(error);\n });\n\n request.write(responseBody);\n request.end();\n });\n}\n\nasync function send(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n) {\n const maxRetries = 60;\n const baseDelay = 200;\n const maxDelay = 10 * 1000;\n const backoffExponent = 2;\n\n let attempt = 0;\n let delay = 200;\n while (true) {\n try {\n await sendImp(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n );\n break;\n } catch (err) {\n if (attempt >= maxRetries) {\n throw new Error(\n `Too many attempts sending response to Cloudformation S3 bucket. ${err}`,\n );\n }\n\n // Equal jitter algorithm taken from AWS blog post's code reference:\n // https://github.com/aws-samples/aws-arch-backoff-simulator/blob/66cb169277051eea207dbef8c7f71767fe6af144/src/backoff_simulator.py#L35-L38\n const expo = Math.min(\n maxDelay,\n baseDelay * backoffExponent ** attempt,\n );\n delay = expo / 2 + randomBetween(0, expo / 2);\n\n attempt += 1;\n\n console.warn(\n `Error sending response to Cloudformation S3 bucket (retry #${attempt} in ${delay}ms): ${err}`,\n );\n\n await sleep(delay);\n }\n }\n}\n\nfunction randomBetween(min, max) {\n return Math.floor(Math.random() * (max - min + 1)) + min;\n}\n\nconst sleep = (ms) => new Promise((r) => setTimeout(r, ms));\n\nfunction logJson(obj) {\n console.log(JSON.stringify(obj));\n}\n\nconst { S3 } = require(\"@aws-sdk/client-s3\");\nconst s3 = new S3();\n\nconst SUCCESS = \"SUCCESS\";\nconst FAILED = \"FAILED\";\n\nexports.handler = async (event, context) => {\n try {\n logJson({ message: \"Processing request...\", event });\n await tryHandler(event, context);\n await send(event, context, SUCCESS, {});\n logJson({ message: \"Exiting with success\" });\n } catch (err) {\n console.log(err);\n\n await send(event, context, FAILED, {\n message: \"Call failed. 
See lambda logs for details.\",\n error: String(err),\n });\n\n logJson({ message: \"Exiting with failure\" });\n\n throw err;\n }\n};\n\nasync function tryHandler(event, context) {\n if (event.RequestType === \"Delete\") {\n logJson({\n message: \"Delete request received. Exiting successfully...\",\n });\n return;\n }\n\n const { bucket } = event.ResourceProperties;\n\n logJson({ message: \"Reading the public access block...\", bucket });\n\n try {\n const block = await s3.getPublicAccessBlock({\n Bucket: bucket,\n });\n\n logJson({ message: \"Got public access block\", block, bucket });\n\n const isblockEnabled =\n block.PublicAccessBlockConfiguration &&\n block.PublicAccessBlockConfiguration.BlockPublicAcls &&\n block.PublicAccessBlockConfiguration.BlockPublicPolicy &&\n block.PublicAccessBlockConfiguration.IgnorePublicAcls &&\n block.PublicAccessBlockConfiguration.RestrictPublicBuckets;\n\n if (isblockEnabled) {\n logJson({\n message:\n \"Public access block is already enabled. Exiting successfully...\",\n });\n return;\n }\n } catch (err) {\n let message =\n \"The error is not expected. Either way, assuming no public access block is enabled.\";\n\n const errorString = String(err);\n if (errorString.includes(\"NoSuchPublicAccessBlockConfiguration\")) {\n message =\n \"The error is expected. It means no public access block is enabled at all.\";\n }\n\n logJson({\n message: `Getting public access block returned an error. ${message}`,\n error: errorString,\n });\n }\n\n logJson({ message: \"Enabling public access block...\", bucket });\n\n try {\n await s3.putPublicAccessBlock({\n Bucket: bucket,\n PublicAccessBlockConfiguration: {\n BlockPublicAcls: true,\n BlockPublicPolicy: true,\n IgnorePublicAcls: true,\n RestrictPublicBuckets: true,\n },\n });\n } catch (err) {\n console.log(err);\n logJson({\n message:\n \"Error enabling public access block for whatever reason. \" +\n \"Supposedly, there may be an SCP in place that blocks this. 
\" +\n \"Ignoring the error and keeping the bucket without the public access block.\",\n bucket,\n });\n }\n}\n"
},
"Role": {
"Fn::GetAtt": [
"tfpublicAccessBlocklambdaexecutionRole26C9E41D",
"Arn"
]
},
"Handler": "index.handler",
"Runtime": "nodejs18.x",
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
],
"Timeout": 900
},
"DependsOn": [
"tfpublicAccessBlocklambdaexecutionRoleDefaultPolicyC94F5765",
"tfpublicAccessBlocklambdaexecutionRole26C9E41D"
],
"Metadata": {
"aws:cdk:path": "account-level-stack/tf/publicAccessBlock/lambda/function/Resource"
}
},
"tfpublicAccessBlocklambdalogGroupAAA9C3A7": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/lambda/",
{
"Ref": "tfpublicAccessBlocklambdafunctionACCEFBBD"
}
]
]
},
"RetentionInDays": 7,
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "account-level-stack/tf/publicAccessBlock/lambda/logGroup/Resource"
}
},
"tfpublicAccessBlockcustomResource80725C2A": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"tfpublicAccessBlocklambdafunctionACCEFBBD",
"Arn"
]
},
"bucket": {
"Ref": "tfstate42168D51"
}
},
"DependsOn": [
"tfpublicAccessBlocklambdalogGroupAAA9C3A7"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "account-level-stack/tf/publicAccessBlock/customResource/customResource/Default"
}
},
"accountlevelstackelastioInstallerRoleE1FE2EE6": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "externalId"
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Ref": "tenantRoleArn"
}
}
}
],
"Version": "2012-10-17"
},
"Description": "Elastio tenant role to perform stack and vault install/uninstall operations.",
"ManagedPolicyArns": [
{
"Ref": "connectoraccountiampoliciesElastioInstallerPart1F41F0414"
},
{
"Ref": "connectoraccountiampoliciesElastioInstallerPart2B4DA9CB6"
}
],
"RoleName": "ElastioInstaller",
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioInstallerRole/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantRoleACFC2BBD": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {
"Ref": "externalId"
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Ref": "tenantRoleArn"
}
}
}
],
"Version": "2012-10-17"
},
"Description": "Special role which the Elastio tenant at app.elastio.com is able to assume in order to manage the Elastio deployments in this account.",
"RoleName": "ElastioTenant",
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantRole/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantReadAwsBackupInventoryE40BB772": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"backup:ListBackupVaults",
"backup:DescribeBackupVault",
"backup:ListRecoveryPointsByBackupVault",
"backup:ListRecoveryPointsByResource",
"backup:DescribeRecoveryPoint",
"backup:GetRecoveryPointRestoreMetadata",
"backup:ListTags",
"backup:ListProtectedResources",
"backup:ListProtectedResourcesByBackupVault"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ReadAwsBackupInventory",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantReadAwsBackupInventory/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantReadAwsEfsInventory9E86161B": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:ListTagsForResource",
"elasticfilesystem:DescribeTags"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ReadAwsEfsInventory",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantReadAwsEfsInventory/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantReadAwsEbsInventoryBFC28B4A": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeTags",
"ebs:ListSnapshotBlocks",
"ebs:ListChangedBlocks"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ReadAwsEbsInventory",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantReadAwsEbsInventory/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantReadAwsEc2InventoryE7DB30AE": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ssm:DescribeInstanceInformation"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ReadAwsEc2Inventory",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantReadAwsEc2Inventory/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantReadAwsVpcInventory1D522113": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeRouteTables",
"ec2:DescribeNatGateways"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ReadAwsVpcInventory",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantReadAwsVpcInventory/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantReadAwsS3Inventory62A347FE": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:GetBucketTagging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketVersioning",
"s3:GetBucketPolicy",
"s3:GetBucketLogging"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ReadAwsS3Inventory",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantReadAwsS3Inventory/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantReadAwsAccountsInventory0353C848": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "iam:ListAccountAliases",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ReadAwsAccountsInventory",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantReadAwsAccountsInventory/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantReadAwsKmsInventoryDDAFF68A": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "kms:DescribeKey",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ReadAwsKmsInventory",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantReadAwsKmsInventory/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantElastioAwsLambdaFunctionsApi5E1A30B0": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"lambda:GetFunction",
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*-service-tenant"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-mishok-service"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "ElastioAwsLambdaFunctionsApi",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantElastioAwsLambdaFunctionsApi/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantElastioAwsS3BucketsApi8FAA98D6": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::elastio-vault-*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ElastioAwsS3BucketsApi",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantElastioAwsS3BucketsApi/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantElastioAwsSsmParametersApi3667225D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ssm:PutParameter",
"ssm:DeleteParameter"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
}
},
{
"Action": "ssm:GetParameter",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "ElastioAwsSsmParametersApi",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantElastioAwsSsmParametersApi/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"accountlevelstackelastioTenantElastioAwsSqsQueuesApi564DB249": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sqs:GetQueueUrl",
"sqs:ListQueueTags",
"sqs:ReceiveMessage",
"sqs:DeleteMessage"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sqs:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "ElastioAwsSqsQueuesApi",
"Roles": [
{
"Ref": "accountlevelstackelastioTenantRoleACFC2BBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/account-level-stack/elastioTenantElastioAwsSqsQueuesApi/Resource"
},
"Condition": "accountlevelstackassumeRoleCondition2064F09A"
},
"supportelastioSupportRole68CB7ACD": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"DateLessThan": {
"aws:CurrentTime": {
"Ref": "supportRoleExpirationDate"
}
},
"StringEquals": {
"sts:ExternalId": {
"Ref": "externalId"
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Ref": "tenantRoleArn"
}
}
}
],
"Version": "2012-10-17"
},
"Description": "The role that Elastio engineers use to provide support for Elastio services running in this account",
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/AmazonEC2ReadOnlyAccess"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/AmazonVPCReachabilityAnalyzerFullAccessPolicy"
]
]
},
{
"Ref": "connectoraccountiampoliciesManageDynamoDbData598770AC"
},
{
"Ref": "connectoraccountiampoliciesSqsSendMessageFB188D42"
}
],
"RoleName": "ElastioSupport",
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportRole/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioSts86666BAF": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "sts:DecodeAuthorizationMessage",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioSts",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioSts/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioCloudwatchD9B9D65B": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:DescribeLogGroups",
"logs:GetLogRecord"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:DescribeLogStreams",
"logs:GetLogEvents"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioCloudwatch",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioCloudwatch/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioS37FFC439D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:ListAllMyBuckets",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetObject",
"s3:GetObjectAttributes",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioS3",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioS3/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioLambda4701BF6C": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:ListFunctions",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"lambda:GetFunction",
"lambda:InvokeFunction",
"lambda:ListTags",
"lambda:ListVersionsByFunction"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioLambda",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioLambda/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioSsmD2017BBF": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ssm:DescribeParameters",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:PutParameter",
"ssm:DeleteParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioSsm",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioSsm/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioSqsA77418FE": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "sqs:ListQueues",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListQueueTags",
"sqs:PurgeQueue",
"sqs:ReceiveMessage",
"sqs:DeleteMessage"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioSqs",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioSqs/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioEcs860AB95E": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateTags",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"autoscaling:DescribeAutoScalingGroups"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:UpdateAutoScalingGroup",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:ListClusters",
"ecs:ListServices"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:DescribeClusters",
"ecs:DescribeServices",
"ecs:UpdateService"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:RegisterTaskDefinition",
"ecs:ListTaskDefinitions"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioEcs",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioEcs/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioBatchC5EC4C99": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"batch:ListJobs",
"batch:DescribeJobDefinitions",
"batch:DescribeComputeEnvironments"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"batch:DeregisterJobDefinition",
"batch:RegisterJobDefinition",
"batch:TagResource"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:*:batch:*:",
{
"Ref": "AWS::AccountId"
},
":job-definition/elastio-*"
]
]
}
},
{
"Action": "batch:UpdateComputeEnvironment",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioBatch",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioBatch/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioDynamoDb8D066249": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "dynamodb:DescribeTable",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "dynamodb:ListTables",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioDynamoDb",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioDynamoDb/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioVaultCC1D1E77": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:PutObjectTagging",
"s3:PutObjectRetention",
"s3:PutBucketTagging",
"s3:PutBucketPolicy",
"s3:PutBucketLogging",
"s3:ListMultipartUploadParts",
"s3:ListJobs",
"s3:ListBucketVersions",
"s3:ListBucketMultipartUploads",
"s3:GetReplicationConfiguration",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionAttributes",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetObjectRetention",
"s3:GetObjectLegalHold",
"s3:GetObjectAcl",
"s3:GetLifecycleConfiguration",
"s3:GetIntelligentTieringConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetBucketVersioning",
"s3:GetBucketTagging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketLogging",
"s3:GetBucketLocation",
"s3:DescribeJob",
"s3:DeleteObjectTagging",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-vault-*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioVault",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioVault/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"supportelastioSupportManageElastioEc23ABDF142": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ec2:TerminateInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ManageElastioEc2",
"Roles": [
{
"Ref": "supportelastioSupportRole68CB7ACD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/support/elastioSupportManageElastioEc2/Resource"
},
"Condition": "supportDeploySupportRole90788A97"
},
"deploymentnotifierlambdaexecutionRole1A8C4C7D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/deployment-notifier/lambda/executionRole/Resource"
}
},
"deploymentnotifierlambdaexecutionRoleDefaultPolicy930C7478": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "cloudformation:DescribeStacks",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:cloudformation:*:",
{
"Ref": "AWS::AccountId"
},
":stack/",
{
"Ref": "AWS::StackName"
},
"/*"
]
]
}
},
{
"Action": "sns:Publish",
"Effect": "Allow",
"Resource": {
"Fn::If": [
"deploymentnotifiernotificationTopicArnCondition89AADD39",
{
"Ref": "deploymentNotificationTopicArn"
},
"*"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "deploymentnotifierlambdaexecutionRoleDefaultPolicy930C7478",
"Roles": [
{
"Ref": "deploymentnotifierlambdaexecutionRole1A8C4C7D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/deployment-notifier/lambda/executionRole/DefaultPolicy/Resource"
}
},
"deploymentnotifierlambdafunction099F2C22": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": "const https = require(\"https\");\nconst url = require(\"url\");\n\n// The `send` function code source https://github.com/ispyinternet/cfn-response-promise/blob/master/index.js\n// Built-in `cfn-response` module doesn't work for async handlers.\nfunction sendImp(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n) {\n return new Promise((resolve, reject) => {\n let reason = `See the details in CloudWatch Log Stream: ${context.logStreamName}`;\n if (responseStatus === \"FAILED\" && responseData.error) {\n reason += ` Error: ${responseData.error}`;\n }\n\n var responseBody = JSON.stringify({\n Status: responseStatus,\n Reason: reason,\n PhysicalResourceId: physicalResourceId || context.logStreamName,\n StackId: event.StackId,\n RequestId: event.RequestId,\n LogicalResourceId: event.LogicalResourceId,\n NoEcho: noEcho || false,\n Data: responseData,\n });\n\n console.log(\"Response body:\\n\", responseBody);\n\n var parsedUrl = url.parse(event.ResponseURL);\n var options = {\n hostname: parsedUrl.hostname,\n port: 443,\n path: parsedUrl.path,\n method: \"PUT\",\n headers: {\n \"content-type\": \"\",\n \"content-length\": responseBody.length,\n },\n };\n\n var request = https.request(options, function (response) {\n console.log(\"Status code: \" + response.statusCode);\n console.log(\"Status message: \" + response.statusMessage);\n\n if (response.statusCode < 400) {\n resolve();\n return;\n }\n\n const message = `Response status ${response.statusCode}: ${response.statusMessage}`;\n reject(new Error(message));\n });\n\n request.on(\"error\", function (error) {\n console.log(\n \"send(..) 
failed executing https.request(..): \" + error,\n );\n reject(error);\n });\n\n request.write(responseBody);\n request.end();\n });\n}\n\nasync function send(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n) {\n const maxRetries = 60;\n const baseDelay = 200;\n const maxDelay = 10 * 1000;\n const backoffExponent = 2;\n\n let attempt = 0;\n let delay = 200;\n while (true) {\n try {\n await sendImp(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n );\n break;\n } catch (err) {\n if (attempt >= maxRetries) {\n throw new Error(\n `Too many attempts sending response to Cloudformation S3 bucket. ${err}`,\n );\n }\n\n // Equal jitter algorithm taken from AWS blog post's code reference:\n // https://github.com/aws-samples/aws-arch-backoff-simulator/blob/66cb169277051eea207dbef8c7f71767fe6af144/src/backoff_simulator.py#L35-L38\n const expo = Math.min(\n maxDelay,\n baseDelay * backoffExponent ** attempt,\n );\n delay = expo / 2 + randomBetween(0, expo / 2);\n\n attempt += 1;\n\n console.warn(\n `Error sending response to Cloudformation S3 bucket (retry #${attempt} in ${delay}ms): ${err}`,\n );\n\n await sleep(delay);\n }\n }\n}\n\nfunction randomBetween(min, max) {\n return Math.floor(Math.random() * (max - min + 1)) + min;\n}\n\nconst sleep = (ms) => new Promise((r) => setTimeout(r, ms));\n\nfunction logJson(obj) {\n console.log(JSON.stringify(obj));\n}\n\nconst aws = require(\"aws-sdk\");\nconst cloudformation = new aws.CloudFormation();\nconst sns = new aws.SNS();\n\nconst SUCCESS = \"SUCCESS\";\n\nconst stackDeployFinished = function (status) {\n return status.endsWith(\"_COMPLETE\") || status.endsWith(\"_FAILED\");\n};\n\nexports.handler = async (event, context) => {\n logJson({ message: \"Processing request...\", event });\n\n const { stackName, maxTries, pollIntervalSeconds } =\n event.ResourceProperties;\n\n // We need to send the deletion notification before we submit success to CFN\n // 
because once the success is submitted to the CFN our lambda and its IAM\n // role will be deleted\n if (event.RequestType == \"Delete\") {\n const stackStatus = await getStackStatus(stackName);\n\n await sendSnsNotification(event, stackStatus).catch((err) => {\n console.log(\"Sending stack delete notification failed\", err);\n });\n await send(event, context, SUCCESS, {});\n return;\n }\n\n // Respond SUCCESS to CFN to avoid stack creation blocking\n await send(event, context, SUCCESS, {});\n\n let attempt = 1;\n\n while (attempt <= maxTries) {\n const isLastTry = attempt === maxTries;\n const stackStatus = await getStackStatus(stackName);\n\n logJson({\n message: \"Received stack status\",\n stackName,\n stackStatus,\n attempt,\n });\n\n if (stackDeployFinished(stackStatus) || isLastTry) {\n await sendSnsNotification(event, stackStatus);\n\n return;\n }\n await sleep(pollIntervalSeconds * 1000);\n attempt += 1;\n }\n};\n\nasync function getStackStatus(stackName) {\n const describeStacksResponse = await cloudformation\n .describeStacks({ StackName: stackName })\n .promise();\n return describeStacksResponse.Stacks[0].StackStatus;\n}\n\nasync function sendSnsNotification(event, stackStatus) {\n let oldStackVersion = null;\n if (event.OldResourceProperties != null) {\n oldStackVersion = event.OldResourceProperties.payload.stackVersion;\n }\n\n const { notificationTopicArn, payload } = event.ResourceProperties;\n\n const snsMessage = {\n stackStatus,\n oldStackVersion,\n ...payload,\n };\n\n logJson({\n message: \"Sending status notification...\",\n notificationTopicArn,\n stackStatus,\n snsMessage,\n });\n\n if (notificationTopicArn === \"\") {\n console.warn(\n JSON.stringify({\n message:\n \"notificationTopicArn is empty. Unable to publish SNS message...\",\n snsMessage,\n }),\n );\n return;\n }\n\n await sns\n .publish({\n TopicArn: notificationTopicArn,\n Message: JSON.stringify(snsMessage),\n })\n .promise();\n}\n"
},
"Role": {
"Fn::GetAtt": [
"deploymentnotifierlambdaexecutionRole1A8C4C7D",
"Arn"
]
},
"Handler": "index.handler",
"Runtime": "nodejs16.x",
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
],
"Timeout": 900
},
"DependsOn": [
"deploymentnotifierlambdaexecutionRoleDefaultPolicy930C7478",
"deploymentnotifierlambdaexecutionRole1A8C4C7D"
],
"Metadata": {
"aws:cdk:path": "account-level-stack/deployment-notifier/lambda/function/Resource"
}
},
"deploymentnotifierlambdalogGroup8AE17B70": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/lambda/",
{
"Ref": "deploymentnotifierlambdafunction099F2C22"
}
]
]
},
"RetentionInDays": 7,
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "account-level-stack/deployment-notifier/lambda/logGroup/Resource"
}
},
"deploymentnotifiercustomResourceF7461341": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"deploymentnotifierlambdafunction099F2C22",
"Arn"
]
},
"stackName": {
"Ref": "AWS::StackName"
},
"notificationTopicArn": {
"Ref": "deploymentNotificationTopicArn"
},
"maxTries": 89,
"pollIntervalSeconds": 10,
"payload": {
"accountId": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
},
"notificationToken": {
"Ref": "deploymentNotificationToken"
},
"stackKind": "connector",
"stackVersion": "2024-02-23",
"tenantName": {
"Fn::If": [
"tenantRoleArnCondition",
{
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Ref": "tenantRoleArn"
}
]
}
]
}
]
}
]
},
""
]
}
}
},
"DependsOn": [
"deploymentnotifierlambdalogGroup8AE17B70"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "account-level-stack/deployment-notifier/customResource/customResource/Default"
}
},
"deploymentnotifiernotifyDeploymentCompleteLambdaLambdaExecutionRoleEB48FD8C": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/deployment-notifier/notifyDeploymentCompleteLambdaLambdaExecutionRole/Resource"
}
},
"deploymentnotifiernotifyDeploymentCompleteLambdaLambdaExecutionRoleDefaultPolicy120D23CD": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "deploymentnotifiernotifyDeploymentCompleteLambdaLambdaExecutionRoleDefaultPolicy120D23CD",
"Roles": [
{
"Ref": "deploymentnotifiernotifyDeploymentCompleteLambdaLambdaExecutionRoleEB48FD8C"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/deployment-notifier/notifyDeploymentCompleteLambdaLambdaExecutionRole/DefaultPolicy/Resource"
}
},
"deploymentnotifiernotifyDeploymentCompleteLambda38D065B2": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": "const https = require(\"https\");\nconst url = require(\"url\");\n\n// The `send` function code source https://github.com/ispyinternet/cfn-response-promise/blob/master/index.js\n// Built-in `cfn-response` module doesn't work for async handlers.\nfunction sendImp(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n) {\n return new Promise((resolve, reject) => {\n let reason = `See the details in CloudWatch Log Stream: ${context.logStreamName}`;\n if (responseStatus === \"FAILED\" && responseData.error) {\n reason += ` Error: ${responseData.error}`;\n }\n\n var responseBody = JSON.stringify({\n Status: responseStatus,\n Reason: reason,\n PhysicalResourceId: physicalResourceId || context.logStreamName,\n StackId: event.StackId,\n RequestId: event.RequestId,\n LogicalResourceId: event.LogicalResourceId,\n NoEcho: noEcho || false,\n Data: responseData,\n });\n\n console.log(\"Response body:\\n\", responseBody);\n\n var parsedUrl = url.parse(event.ResponseURL);\n var options = {\n hostname: parsedUrl.hostname,\n port: 443,\n path: parsedUrl.path,\n method: \"PUT\",\n headers: {\n \"content-type\": \"\",\n \"content-length\": responseBody.length,\n },\n };\n\n var request = https.request(options, function (response) {\n console.log(\"Status code: \" + response.statusCode);\n console.log(\"Status message: \" + response.statusMessage);\n\n if (response.statusCode < 400) {\n resolve();\n return;\n }\n\n const message = `Response status ${response.statusCode}: ${response.statusMessage}`;\n reject(new Error(message));\n });\n\n request.on(\"error\", function (error) {\n console.log(\n \"send(..) 
failed executing https.request(..): \" + error,\n );\n reject(error);\n });\n\n request.write(responseBody);\n request.end();\n });\n}\n\nasync function send(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n) {\n const maxRetries = 60;\n const baseDelay = 200;\n const maxDelay = 10 * 1000;\n const backoffExponent = 2;\n\n let attempt = 0;\n let delay = 200;\n while (true) {\n try {\n await sendImp(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n );\n break;\n } catch (err) {\n if (attempt >= maxRetries) {\n throw new Error(\n `Too many attempts sending response to Cloudformation S3 bucket. ${err}`,\n );\n }\n\n // Equal jitter algorithm taken from AWS blog post's code reference:\n // https://github.com/aws-samples/aws-arch-backoff-simulator/blob/66cb169277051eea207dbef8c7f71767fe6af144/src/backoff_simulator.py#L35-L38\n const expo = Math.min(\n maxDelay,\n baseDelay * backoffExponent ** attempt,\n );\n delay = expo / 2 + randomBetween(0, expo / 2);\n\n attempt += 1;\n\n console.warn(\n `Error sending response to Cloudformation S3 bucket (retry #${attempt} in ${delay}ms): ${err}`,\n );\n\n await sleep(delay);\n }\n }\n}\n\nfunction randomBetween(min, max) {\n return Math.floor(Math.random() * (max - min + 1)) + min;\n}\n\nconst sleep = (ms) => new Promise((r) => setTimeout(r, ms));\n\nfunction logJson(obj) {\n console.log(JSON.stringify(obj));\n}\n\n exports.handler = async (event, context) => {\n console.log(\"Doing nothing and exiting (for legacy reasons)...\");\n await send(event, context, \"SUCCESS\", {});\n }"
},
"Role": {
"Fn::GetAtt": [
"deploymentnotifiernotifyDeploymentCompleteLambdaLambdaExecutionRoleEB48FD8C",
"Arn"
]
},
"Handler": "index.handler",
"Runtime": "nodejs16.x",
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"DependsOn": [
"deploymentnotifiernotifyDeploymentCompleteLambdaLambdaExecutionRoleDefaultPolicy120D23CD",
"deploymentnotifiernotifyDeploymentCompleteLambdaLambdaExecutionRoleEB48FD8C"
],
"Metadata": {
"aws:cdk:path": "account-level-stack/deployment-notifier/notifyDeploymentCompleteLambda/Resource"
}
},
"deploymentnotifiernotifyDeploymentCompleteLambdaLogGroup7121A990": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/lambda/",
{
"Ref": "deploymentnotifiernotifyDeploymentCompleteLambda38D065B2"
}
]
]
},
"RetentionInDays": 7,
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "account-level-stack/deployment-notifier/notifyDeploymentCompleteLambdaLogGroup/Resource"
}
},
"deploymentnotifiernotifyDeploymentCompleteE54AEC01": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"deploymentnotifiernotifyDeploymentCompleteLambda38D065B2",
"Arn"
]
},
"stackName": {
"Ref": "AWS::StackName"
},
"notificationTopicArn": {
"Ref": "deploymentNotificationTopicArn"
},
"maxTries": 89,
"pollIntervalSeconds": 10,
"payload": {
"accountId": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
},
"notificationToken": {
"Ref": "deploymentNotificationToken"
},
"stackKind": "connector",
"stackVersion": "2024-02-23",
"tenantName": {
"Fn::If": [
"tenantRoleArnCondition",
{
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Ref": "tenantRoleArn"
}
]
}
]
}
]
}
]
},
""
]
}
}
},
"DependsOn": [
"deploymentnotifiernotifyDeploymentCompleteLambdaLogGroup7121A990"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "account-level-stack/deployment-notifier/notifyDeploymentComplete/Default"
}
},
"accsServiceBF8E5156": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/accsService/Resource"
}
},
"accsServiceDefaultPolicyECF77B69": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ssm:AddTagsToResource",
"ssm:GetParameter",
"ssm:PutParameter"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "events:PutPermission",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "accsServiceDefaultPolicyECF77B69",
"Roles": [
{
"Ref": "accsServiceBF8E5156"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/accsService/DefaultPolicy/Resource"
}
},
"accsHandlerJobsEventsFE945E0E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/accsHandlerJobsEvents/Resource"
}
},
"accsHandlerJobsEventsDefaultPolicy8D70515D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "accsHandlerJobsEventsDefaultPolicy8D70515D",
"Roles": [
{
"Ref": "accsHandlerJobsEventsFE945E0E"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/accsHandlerJobsEvents/DefaultPolicy/Resource"
}
},
"catalogServiceB080536D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogService/Resource"
}
},
"catalogServiceDefaultPolicyBCC51D5F": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"sqs:SendMessage",
"sqs:GetQueueAttributes",
"sqs:PurgeQueue"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "events:PutEvents",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:events:*:",
{
"Ref": "AWS::AccountId"
},
":event-bus/elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "catalogServiceDefaultPolicyBCC51D5F",
"Roles": [
{
"Ref": "catalogServiceB080536D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogService/DefaultPolicy/Resource"
}
},
"catalogHandlerJobsEventsDC2A7EC5": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "connectoraccountiampoliciesSqsSendMessageFB188D42"
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogHandlerJobsEvents/Resource"
}
},
"catalogHandlerJobsEventsDefaultPolicy646E6D10": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "catalogHandlerJobsEventsDefaultPolicy646E6D10",
"Roles": [
{
"Ref": "catalogHandlerJobsEventsDC2A7EC5"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogHandlerJobsEvents/DefaultPolicy/Resource"
}
},
"catalogHandlerInternalReplication624E7FA4": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "connectoraccountiampoliciesSqsLambdaEventSourceMapping4AA6433D"
},
{
"Ref": "connectoraccountiampoliciesSqsSendMessageFB188D42"
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogHandlerInternalReplication/Resource"
}
},
"catalogHandlerInternalReplicationDefaultPolicy05DEAF95": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "catalogHandlerInternalReplicationDefaultPolicy05DEAF95",
"Roles": [
{
"Ref": "catalogHandlerInternalReplication624E7FA4"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogHandlerInternalReplication/DefaultPolicy/Resource"
}
},
"catalogHandlerObjectStorageReplicationD05E3461": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "connectoraccountiampoliciesSqsLambdaEventSourceMapping4AA6433D"
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogHandlerObjectStorageReplication/Resource"
}
},
"catalogHandlerObjectStorageReplicationDefaultPolicy3B59CF9F": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "catalogHandlerObjectStorageReplicationDefaultPolicy3B59CF9F",
"Roles": [
{
"Ref": "catalogHandlerObjectStorageReplicationD05E3461"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogHandlerObjectStorageReplication/DefaultPolicy/Resource"
}
},
"catalogHandlerSafetyLock207B495D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogHandlerSafetyLock/Resource"
}
},
"catalogHandlerSafetyLockDefaultPolicy34A6E945": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObjectRetention"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "catalogHandlerSafetyLockDefaultPolicy34A6E945",
"Roles": [
{
"Ref": "catalogHandlerSafetyLock207B495D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogHandlerSafetyLock/DefaultPolicy/Resource"
}
},
"catalogServiceTenantFFDDDBC2": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "connectoraccountiampoliciesSqsSendMessageFB188D42"
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogServiceTenant/Resource"
}
},
"catalogServiceTenantDefaultPolicy2D879CBB": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "catalogServiceTenantDefaultPolicy2D879CBB",
"Roles": [
{
"Ref": "catalogServiceTenantFFDDDBC2"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogServiceTenant/DefaultPolicy/Resource"
}
},
"mishokServiceE09B6C9B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/mishokService/Resource"
}
},
"mishokServiceDefaultPolicy52965B0E": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": [
"kms:DescribeKey",
"kms:ListAliases",
"kms:GenerateDataKey"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketVersioning",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:DeleteObjectVersionTagging",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "ec2:DescribeVpcs",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "mishokServiceDefaultPolicy52965B0E",
"Roles": [
{
"Ref": "mishokServiceE09B6C9B"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/mishokService/DefaultPolicy/Resource"
}
},
"credsService7F18E705": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/credsService/Resource"
}
},
"credsServiceDefaultPolicy9F590D2B": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": "ssm:GetParameter",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "credsServiceDefaultPolicy9F590D2B",
"Roles": [
{
"Ref": "credsService7F18E705"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/credsService/DefaultPolicy/Resource"
}
},
"credsServiceTenant5318B514": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/credsServiceTenant/Resource"
}
},
"credsServiceTenantDefaultPolicy526CCDAB": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ssm:AddTagsToResource",
"ssm:DeleteParameter",
"ssm:PutParameter"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "credsServiceTenantDefaultPolicy526CCDAB",
"Roles": [
{
"Ref": "credsServiceTenant5318B514"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/credsServiceTenant/DefaultPolicy/Resource"
}
},
"cwpumpHandlerCloudwatch16E2F27D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/cwpumpHandlerCloudwatch/Resource"
}
},
"cwpumpHandlerCloudwatchDefaultPolicy1397E51F": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "cloudwatch:GetMetricData",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "tag:GetResources",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "cwpumpHandlerCloudwatchDefaultPolicy1397E51F",
"Roles": [
{
"Ref": "cwpumpHandlerCloudwatch16E2F27D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/cwpumpHandlerCloudwatch/DefaultPolicy/Resource"
}
},
"provisionerServiceWriteDA843106": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerServiceWrite/Resource"
}
},
"provisionerServiceWriteDefaultPolicyED4EDC71": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ecs:DescribeTasks",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:DescribeAutoScalingGroups",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:SetDesiredCapacity",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ecs:ListTasks",
"Condition": {
"StringLike": {
"ecs:cluster": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":cluster/elastio-*"
]
]
}
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ecs:UpdateService",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstances",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "kms:Sign",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "tag:GetResources",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "provisionerServiceWriteDefaultPolicyED4EDC71",
"Roles": [
{
"Ref": "provisionerServiceWriteDA843106"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerServiceWrite/DefaultPolicy/Resource"
}
},
"provisionerServiceReadBB149517": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerServiceRead/Resource"
}
},
"provisionerServiceReadDefaultPolicy2E84A0B9": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ecs:DescribeTasks",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:DescribeAutoScalingGroups",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:SetDesiredCapacity",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ecs:ListTasks",
"Condition": {
"StringLike": {
"ecs:cluster": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":cluster/elastio-*"
]
]
}
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ecs:UpdateService",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstances",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "kms:Sign",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "tag:GetResources",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "provisionerServiceReadDefaultPolicy2E84A0B9",
"Roles": [
{
"Ref": "provisionerServiceReadBB149517"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerServiceRead/DefaultPolicy/Resource"
}
},
"provisionerServiceDeleteFF166939": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerServiceDelete/Resource"
}
},
"provisionerServiceDeleteDefaultPolicyA3FDD164": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ecs:DescribeTasks",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:DescribeAutoScalingGroups",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:SetDesiredCapacity",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ecs:ListTasks",
"Condition": {
"StringLike": {
"ecs:cluster": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":cluster/elastio-*"
]
]
}
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ecs:UpdateService",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstances",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "kms:Sign",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "tag:GetResources",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "provisionerServiceDeleteDefaultPolicyA3FDD164",
"Roles": [
{
"Ref": "provisionerServiceDeleteFF166939"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerServiceDelete/DefaultPolicy/Resource"
}
},
"provisionerHandlerLeaseGcA9F75DFC": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerHandlerLeaseGc/Resource"
}
},
"provisionerHandlerLeaseGcDefaultPolicyAC9EAAFC": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ecs:DescribeTasks",
"ecs:ListTasks",
"ecs:DescribeServices",
"ecs:DescribeContainerInstances"
],
"Condition": {
"StringLike": {
"ecs:cluster": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":cluster/elastio-*"
]
]
}
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ecs:UpdateService",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":service/elastio-*"
]
]
}
},
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:SetDesiredCapacity",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "tag:GetResources",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "provisionerHandlerLeaseGcDefaultPolicyAC9EAAFC",
"Roles": [
{
"Ref": "provisionerHandlerLeaseGcA9F75DFC"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerHandlerLeaseGc/DefaultPolicy/Resource"
}
},
"provisionerServiceTenantF6F946DE": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerServiceTenant/Resource"
}
},
"provisionerServiceTenantDefaultPolicyCAC2021B": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "provisionerServiceTenantDefaultPolicyCAC2021B",
"Roles": [
{
"Ref": "provisionerServiceTenantF6F946DE"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerServiceTenant/DefaultPolicy/Resource"
}
},
"provisionerServiceLeaseLifecycle79E6B47C": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerServiceLeaseLifecycle/Resource"
}
},
"provisionerServiceLeaseLifecycleDefaultPolicy9B80BFB5": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ecs:DescribeTasks",
"ecs:ListTasks",
"ecs:DescribeServices",
"ecs:DescribeContainerInstances"
],
"Condition": {
"StringLike": {
"ecs:cluster": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":cluster/elastio-*"
]
]
}
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "ECSReadOnlyActions"
},
{
"Action": "ecs:UpdateService",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ecs:*:",
{
"Ref": "AWS::AccountId"
},
":service/elastio-*"
]
]
},
"Sid": "ECSWriteActionsElastioServices"
},
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeInstances"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "VMsReadOnlyActions"
},
{
"Action": "autoscaling:SetDesiredCapacity",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "VMsWriteActionsElastioServices"
},
{
"Action": "kms:Sign",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "tag:GetResources",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "provisionerServiceLeaseLifecycleDefaultPolicy9B80BFB5",
"Roles": [
{
"Ref": "provisionerServiceLeaseLifecycle79E6B47C"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/provisionerServiceLeaseLifecycle/DefaultPolicy/Resource"
}
},
"jobsStatusService1B791F9F": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "connectoraccountiampoliciesManageDynamoDbData598770AC"
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/jobsStatusService/Resource"
}
},
"jobsStatusServiceDefaultPolicy027C2E61": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "sns:Publish",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sns:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*jobs-status-notifications"
]
]
}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*job-attachments*"
},
{
"Action": [
"batch:TerminateJob",
"events:PutEvents"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "jobsStatusServiceDefaultPolicy027C2E61",
"Roles": [
{
"Ref": "jobsStatusService1B791F9F"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/jobsStatusService/DefaultPolicy/Resource"
}
},
"jobsStatusHandlerGcF2E0B9F2": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "connectoraccountiampoliciesManageDynamoDbData598770AC"
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/jobsStatusHandlerGc/Resource"
}
},
"jobsStatusHandlerGcDefaultPolicy88745724": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "sns:Publish",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sns:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*jobs-status-notifications"
]
]
}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*job-attachments*"
},
{
"Action": [
"batch:TerminateJob",
"events:PutEvents"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "batch:DescribeJobs",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "jobsStatusHandlerGcDefaultPolicy88745724",
"Roles": [
{
"Ref": "jobsStatusHandlerGcF2E0B9F2"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/jobsStatusHandlerGc/DefaultPolicy/Resource"
}
},
"jobsStatusHandlerAwsBatchA285B34F": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "connectoraccountiampoliciesManageDynamoDbData598770AC"
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/jobsStatusHandlerAwsBatch/Resource"
}
},
"jobsStatusHandlerAwsBatchDefaultPolicy81A79C69": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "sns:Publish",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sns:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*jobs-status-notifications"
]
]
}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*job-attachments*"
},
{
"Action": [
"batch:TerminateJob",
"events:PutEvents"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "jobsStatusHandlerAwsBatchDefaultPolicy81A79C69",
"Roles": [
{
"Ref": "jobsStatusHandlerAwsBatchA285B34F"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/jobsStatusHandlerAwsBatch/DefaultPolicy/Resource"
}
},
"jobsStatusServiceTenant2F30F6E9": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "connectoraccountiampoliciesManageDynamoDbData598770AC"
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/jobsStatusServiceTenant/Resource"
}
},
"jobsStatusServiceTenantDefaultPolicy5E8B7EB3": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "sns:Publish",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sns:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*jobs-status-notifications"
]
]
}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*job-attachments*"
},
{
"Action": [
"batch:TerminateJob",
"events:PutEvents"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "jobsStatusServiceTenantDefaultPolicy5E8B7EB3",
"Roles": [
{
"Ref": "jobsStatusServiceTenant2F30F6E9"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/jobsStatusServiceTenant/DefaultPolicy/Resource"
}
},
"jobsStatusServiceForceAbortJobs28EAAE5E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Ref": "connectoraccountiampoliciesManageDynamoDbData598770AC"
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/jobsStatusServiceForceAbortJobs/Resource"
}
},
"jobsStatusServiceForceAbortJobsDefaultPolicy7A38C60C": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "sns:Publish",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sns:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*jobs-status-notifications"
]
]
}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*job-attachments*"
},
{
"Action": [
"batch:TerminateJob",
"events:PutEvents"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "jobsStatusServiceForceAbortJobsDefaultPolicy7A38C60C",
"Roles": [
{
"Ref": "jobsStatusServiceForceAbortJobs28EAAE5E"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/jobsStatusServiceForceAbortJobs/DefaultPolicy/Resource"
}
},
"statusDeliveryLogging2C3AA828": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/statusDeliveryLogging/Resource"
}
},
"statusDeliveryLoggingDefaultPolicy581C8114": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:PutMetricFilter",
"logs:PutRetentionPolicy"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:logs:*:",
{
"Ref": "AWS::AccountId"
},
":log-group:sns/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "statusDeliveryLoggingDefaultPolicy581C8114",
"Roles": [
{
"Ref": "statusDeliveryLogging2C3AA828"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/statusDeliveryLogging/DefaultPolicy/Resource"
}
},
"bgJobsServiceAwsBackupIntegrationB1EB624D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/bgJobsServiceAwsBackupIntegration/Resource"
}
},
"bgJobsServiceAwsBackupIntegrationDefaultPolicy3C573AA4": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/job/*"
]
]
}
},
{
"Action": "tag:GetResources",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"batch:DescribeJobDefinitions",
"batch:DescribeJobQueues",
"batch:DescribeComputeEnvironments"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "BatchReadOnlyActions"
},
{
"Action": "ec2:DescribeSubnets",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "batch:SubmitJob",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":job-definition/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":job-queue/elastio-*"
]
]
}
]
},
{
"Action": "batch:TagResource",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":*/elastio-*"
]
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "backup:DescribeRecoveryPoint",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "bgJobsServiceAwsBackupIntegrationDefaultPolicy3C573AA4",
"Roles": [
{
"Ref": "bgJobsServiceAwsBackupIntegrationB1EB624D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/bgJobsServiceAwsBackupIntegration/DefaultPolicy/Resource"
}
},
"bgJobsService0B958966": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/bgJobsService/Resource"
}
},
"bgJobsServiceDefaultPolicy0A4787C7": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/job/*"
]
]
}
},
{
"Action": "tag:GetResources",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"batch:DescribeJobDefinitions",
"batch:DescribeJobQueues",
"batch:DescribeComputeEnvironments"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "BatchReadOnlyActions"
},
{
"Action": "ec2:DescribeSubnets",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "batch:SubmitJob",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":job-definition/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":job-queue/elastio-*"
]
]
}
]
},
{
"Action": "batch:TagResource",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":*/elastio-*"
]
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "bgJobsServiceDefaultPolicy0A4787C7",
"Roles": [
{
"Ref": "bgJobsService0B958966"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/bgJobsService/DefaultPolicy/Resource"
}
},
"bgJobsServiceTenant061E763D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/bgJobsServiceTenant/Resource"
}
},
"bgJobsServiceTenantDefaultPolicyAC2565EC": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/job/*"
]
]
}
},
{
"Action": "tag:GetResources",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"batch:DescribeJobDefinitions",
"batch:DescribeJobQueues",
"batch:DescribeComputeEnvironments"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "BatchReadOnlyActions"
},
{
"Action": "ec2:DescribeSubnets",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "batch:SubmitJob",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":job-definition/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":job-queue/elastio-*"
]
]
}
]
},
{
"Action": "batch:TagResource",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:batch:*:",
{
"Ref": "AWS::AccountId"
},
":*/elastio-*"
]
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "bgJobsServiceTenantDefaultPolicyAC2565EC",
"Roles": [
{
"Ref": "bgJobsServiceTenant061E763D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/bgJobsServiceTenant/DefaultPolicy/Resource"
}
},
"schedulerEventTargetF951390A": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::FindInMap": [
"ServiceprincipalMap",
{
"Ref": "AWS::Region"
},
"states"
]
}
}
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerEventTarget/Resource"
}
},
"schedulerEventTargetDefaultPolicyC43EFFD3": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "states:StartExecution",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "schedulerEventTargetDefaultPolicyC43EFFD3",
"Roles": [
{
"Ref": "schedulerEventTargetF951390A"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerEventTarget/DefaultPolicy/Resource"
}
},
"awsSchedulerExecution92B03CD1": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "scheduler.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsSchedulerExecution/Resource"
}
},
"awsSchedulerExecutionDefaultPolicy90750968": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsSchedulerExecutionDefaultPolicy90750968",
"Roles": [
{
"Ref": "awsSchedulerExecution92B03CD1"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsSchedulerExecution/DefaultPolicy/Resource"
}
},
"schedulerHandlerInventoryEventsStepFunction5BF71A36": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::FindInMap": [
"ServiceprincipalMap",
{
"Ref": "AWS::Region"
},
"states"
]
}
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerHandlerInventoryEventsStepFunction/Resource"
}
},
"schedulerHandlerInventoryEventsStepFunctionDefaultPolicyDFBCCB8E": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "schedulerHandlerInventoryEventsStepFunctionDefaultPolicyDFBCCB8E",
"Roles": [
{
"Ref": "schedulerHandlerInventoryEventsStepFunction5BF71A36"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerHandlerInventoryEventsStepFunction/DefaultPolicy/Resource"
}
},
"schedulerService7518A0DF": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerService/Resource"
}
},
"schedulerServiceDefaultPolicy5E84605A": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"elasticfilesystem:DescribeFileSystems"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "schedulerServiceDefaultPolicy5E84605A",
"Roles": [
{
"Ref": "schedulerService7518A0DF"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerService/DefaultPolicy/Resource"
}
},
"schedulerServiceTenant9FDF09E4": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerServiceTenant/Resource"
}
},
"schedulerServiceTenantDefaultPolicy897E502D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"elasticfilesystem:DescribeFileSystems"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "sqs:SendMessage",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sqs:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*"
]
]
}
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "schedulerServiceTenantDefaultPolicy897E502D",
"Roles": [
{
"Ref": "schedulerServiceTenant9FDF09E4"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerServiceTenant/DefaultPolicy/Resource"
}
},
"retention3837FEBD": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/retention/Resource"
}
},
"retentionDefaultPolicy57F06DD7": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "retentionDefaultPolicy57F06DD7",
"Roles": [
{
"Ref": "retention3837FEBD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/retention/DefaultPolicy/Resource"
}
},
"schedulerHandlerCloudwatch8388F9CC": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerHandlerCloudwatch/Resource"
}
},
"schedulerHandlerCloudwatchDefaultPolicy7C57F858": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"elasticfilesystem:DescribeFileSystems"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "sqs:SendMessage",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sqs:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*"
]
]
}
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "tag:GetResources",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "batch:UpdateComputeEnvironment",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "batch:DescribeComputeEnvironments",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "schedulerHandlerCloudwatchDefaultPolicy7C57F858",
"Roles": [
{
"Ref": "schedulerHandlerCloudwatch8388F9CC"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerHandlerCloudwatch/DefaultPolicy/Resource"
}
},
"schedulerHandlerInventoryEvents9FB2154E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerHandlerInventoryEvents/Resource"
}
},
"schedulerHandlerInventoryEventsDefaultPolicy1BE378E2": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"elasticfilesystem:DescribeFileSystems"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "sqs:SendMessage",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sqs:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*"
]
]
}
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "schedulerHandlerInventoryEventsDefaultPolicy1BE378E2",
"Roles": [
{
"Ref": "schedulerHandlerInventoryEvents9FB2154E"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/schedulerHandlerInventoryEvents/DefaultPolicy/Resource"
}
},
"iscanParamsServiceTenantA523EB2C": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/iscanParamsServiceTenant/Resource"
}
},
"iscanParamsServiceTenantDefaultPolicy875D6FFD": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"ssm:PutParameter",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "iscanParamsServiceTenantDefaultPolicy875D6FFD",
"Roles": [
{
"Ref": "iscanParamsServiceTenantA523EB2C"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/iscanParamsServiceTenant/DefaultPolicy/Resource"
}
},
"janitorGc2DA9D15F": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/janitorGc/Resource"
}
},
"janitorGcDefaultPolicy2E4741FF": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:DescribeTags"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DetachVolume",
"ec2:DeleteVolume"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "janitorGcDefaultPolicy2E4741FF",
"Roles": [
{
"Ref": "janitorGc2DA9D15F"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/janitorGc/DefaultPolicy/Resource"
}
},
"importedAssetsHandlerJobs9E07406A": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/importedAssetsHandlerJobs/Resource"
}
},
"importedAssetsHandlerJobsDefaultPolicy60367352": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": "ec2:DescribeSnapshots",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "importedAssetsHandlerJobsDefaultPolicy60367352",
"Roles": [
{
"Ref": "importedAssetsHandlerJobs9E07406A"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/importedAssetsHandlerJobs/DefaultPolicy/Resource"
}
},
"securityHubEventBusHandlerF53CFEE4": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/securityHubEventBusHandler/Resource"
}
},
"securityHubEventBusHandlerDefaultPolicy5022DABA": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*job-attachments*"
},
{
"Action": "securityhub:BatchImportFindings",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:securityhub:*:",
{
"Ref": "AWS::AccountId"
},
":product/*/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:securityhub:*:",
{
"Ref": "AWS::AccountId"
},
":hub/default"
]
]
}
]
},
{
"Action": "lambda:InvokeFunction",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "securityHubEventBusHandlerDefaultPolicy5022DABA",
"Roles": [
{
"Ref": "securityHubEventBusHandlerF53CFEE4"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/securityHubEventBusHandler/DefaultPolicy/Resource"
}
},
"serviceLinkedRoleslambdaexecutionRoleEB7F8622": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/serviceLinkedRoles/lambda/executionRole/Resource"
}
},
"serviceLinkedRoleslambdaexecutionRoleDefaultPolicy4E8CB30A": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "iam:ListRoles",
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/ecs.amazonaws.com/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/batch.amazonaws.com/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/spot.amazonaws.com/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/spotfleet.amazonaws.com/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/ecs.application-autoscaling.amazonaws.com/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/autoscaling.amazonaws.com/*"
]
]
}
]
},
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "ecs.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/ecs.amazonaws.com/*"
]
]
}
},
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "batch.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/batch.amazonaws.com/*"
]
]
}
},
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "spot.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/spot.amazonaws.com/*"
]
]
}
},
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "spotfleet.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/spotfleet.amazonaws.com/*"
]
]
}
},
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "ecs.application-autoscaling.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/ecs.application-autoscaling.amazonaws.com/*"
]
]
}
},
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "autoscaling.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/aws-service-role/autoscaling.amazonaws.com/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "serviceLinkedRoleslambdaexecutionRoleDefaultPolicy4E8CB30A",
"Roles": [
{
"Ref": "serviceLinkedRoleslambdaexecutionRoleEB7F8622"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/serviceLinkedRoles/lambda/executionRole/DefaultPolicy/Resource"
}
},
"serviceLinkedRoleslambdafunctionCB2DF6C8": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": "const https = require(\"https\");\nconst url = require(\"url\");\n\n// The `send` function code source https://github.com/ispyinternet/cfn-response-promise/blob/master/index.js\n// Built-in `cfn-response` module doesn't work for async handlers.\nfunction sendImp(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n) {\n return new Promise((resolve, reject) => {\n let reason = `See the details in CloudWatch Log Stream: ${context.logStreamName}`;\n if (responseStatus === \"FAILED\" && responseData.error) {\n reason += ` Error: ${responseData.error}`;\n }\n\n var responseBody = JSON.stringify({\n Status: responseStatus,\n Reason: reason,\n PhysicalResourceId: physicalResourceId || context.logStreamName,\n StackId: event.StackId,\n RequestId: event.RequestId,\n LogicalResourceId: event.LogicalResourceId,\n NoEcho: noEcho || false,\n Data: responseData,\n });\n\n console.log(\"Response body:\\n\", responseBody);\n\n var parsedUrl = url.parse(event.ResponseURL);\n var options = {\n hostname: parsedUrl.hostname,\n port: 443,\n path: parsedUrl.path,\n method: \"PUT\",\n headers: {\n \"content-type\": \"\",\n \"content-length\": responseBody.length,\n },\n };\n\n var request = https.request(options, function (response) {\n console.log(\"Status code: \" + response.statusCode);\n console.log(\"Status message: \" + response.statusMessage);\n\n if (response.statusCode < 400) {\n resolve();\n return;\n }\n\n const message = `Response status ${response.statusCode}: ${response.statusMessage}`;\n reject(new Error(message));\n });\n\n request.on(\"error\", function (error) {\n console.log(\n \"send(..) failed executing https.request(..): \" + error,\n );\n reject(error);\n });\n\n request.write(responseBody);\n request.end();\n });\n}\n\nasync function send(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n) {\n const maxRetries = 60;\n const baseDelay = 200;\n const maxDelay = 10 * 1000;\n const backoffExponent = 2;\n\n let attempt = 0;\n let delay = 200;\n while (true) {\n try {\n await sendImp(\n event,\n context,\n responseStatus,\n responseData,\n physicalResourceId,\n noEcho,\n );\n break;\n } catch (err) {\n if (attempt >= maxRetries) {\n throw new Error(\n `Too many attempts sending response to Cloudformation S3 bucket. ${err}`,\n );\n }\n\n // Equal jitter algorithm taken from AWS blog post's code reference:\n // https://github.com/aws-samples/aws-arch-backoff-simulator/blob/66cb169277051eea207dbef8c7f71767fe6af144/src/backoff_simulator.py#L35-L38\n const expo = Math.min(\n maxDelay,\n baseDelay * backoffExponent ** attempt,\n );\n delay = expo / 2 + randomBetween(0, expo / 2);\n\n attempt += 1;\n\n console.warn(\n `Error sending response to Cloudformation S3 bucket (retry #${attempt} in ${delay}ms): ${err}`,\n );\n\n await sleep(delay);\n }\n }\n}\n\nfunction randomBetween(min, max) {\n return Math.floor(Math.random() * (max - min + 1)) + min;\n}\n\nconst sleep = (ms) => new Promise((r) => setTimeout(r, ms));\n\nfunction logJson(obj) {\n console.log(JSON.stringify(obj));\n}\n\nconst aws = require(\"aws-sdk\");\nconst iam = new aws.IAM();\n\nexports.handler = async (event, context) => {\n console.log(\"Request received:\\n\" + JSON.stringify(event));\n\n if (event.RequestType === \"Delete\") {\n // we do not remove service linked role\n // because it is a special one and it can be used by another resource\n return await send(event, context, SUCCESS, {});\n }\n\n const { awsServiceName, rolePathPrefix } = event.ResourceProperties;\n\n try {\n const listRoles = await iam\n .listRoles({ PathPrefix: rolePathPrefix, MaxItems: 1 })\n .promise();\n const serviceLinkedRoleFound = listRoles.Roles.length > 0;\n\n if (!serviceLinkedRoleFound) {\n console.log(\n `There is no role with prefix \"${rolePathPrefix}\" in the account. Creating...`,\n );\n await iam\n .createServiceLinkedRole({ AWSServiceName: awsServiceName })\n .promise();\n }\n\n console.log(\"Success.\");\n\n return await send(event, context, SUCCESS, {});\n } catch (err) {\n console.log(err);\n\n return await send(event, context, FAILED, {\n message: \"Call failed. See lambda logs for details.\",\n error: String(err),\n });\n }\n};\n\nconst SUCCESS = \"SUCCESS\";\nconst FAILED = \"FAILED\";\n"
},
"Role": {
"Fn::GetAtt": [
"serviceLinkedRoleslambdaexecutionRoleEB7F8622",
"Arn"
]
},
"Handler": "index.handler",
"Runtime": "nodejs16.x",
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
],
"Timeout": 900
},
"DependsOn": [
"serviceLinkedRoleslambdaexecutionRoleDefaultPolicy4E8CB30A",
"serviceLinkedRoleslambdaexecutionRoleEB7F8622"
],
"Metadata": {
"aws:cdk:path": "account-level-stack/serviceLinkedRoles/lambda/function/Resource"
}
},
"serviceLinkedRoleslambdalogGroupBACA6C83": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/lambda/",
{
"Ref": "serviceLinkedRoleslambdafunctionCB2DF6C8"
}
]
]
},
"RetentionInDays": 7,
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "account-level-stack/serviceLinkedRoles/lambda/logGroup/Resource"
}
},
"serviceLinkedRolesecsamazonawscomServiceLinkedRolecustomResource391FAA80": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"serviceLinkedRoleslambdafunctionCB2DF6C8",
"Arn"
]
},
"rolePathPrefix": "/aws-service-role/ecs.amazonaws.com",
"awsServiceName": "ecs.amazonaws.com"
},
"DependsOn": [
"serviceLinkedRoleslambdalogGroupBACA6C83"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "account-level-stack/serviceLinkedRoles/ecs.amazonaws.comServiceLinkedRole/customResource/Default"
}
},
"serviceLinkedRolesbatchamazonawscomServiceLinkedRolecustomResource62A2B840": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"serviceLinkedRoleslambdafunctionCB2DF6C8",
"Arn"
]
},
"rolePathPrefix": "/aws-service-role/batch.amazonaws.com",
"awsServiceName": "batch.amazonaws.com"
},
"DependsOn": [
"serviceLinkedRoleslambdalogGroupBACA6C83"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "account-level-stack/serviceLinkedRoles/batch.amazonaws.comServiceLinkedRole/customResource/Default"
}
},
"serviceLinkedRolesspotamazonawscomServiceLinkedRolecustomResource666ACBDF": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"serviceLinkedRoleslambdafunctionCB2DF6C8",
"Arn"
]
},
"rolePathPrefix": "/aws-service-role/spot.amazonaws.com",
"awsServiceName": "spot.amazonaws.com"
},
"DependsOn": [
"serviceLinkedRoleslambdalogGroupBACA6C83"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "account-level-stack/serviceLinkedRoles/spot.amazonaws.comServiceLinkedRole/customResource/Default"
}
},
"serviceLinkedRolesspotfleetamazonawscomServiceLinkedRolecustomResource04DC6823": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"serviceLinkedRoleslambdafunctionCB2DF6C8",
"Arn"
]
},
"rolePathPrefix": "/aws-service-role/spotfleet.amazonaws.com",
"awsServiceName": "spotfleet.amazonaws.com"
},
"DependsOn": [
"serviceLinkedRoleslambdalogGroupBACA6C83"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "account-level-stack/serviceLinkedRoles/spotfleet.amazonaws.comServiceLinkedRole/customResource/Default"
}
},
"serviceLinkedRolesecsapplicationautoscalingamazonawscomServiceLinkedRolecustomResource3D831F58": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"serviceLinkedRoleslambdafunctionCB2DF6C8",
"Arn"
]
},
"rolePathPrefix": "/aws-service-role/ecs.application-autoscaling.amazonaws.com",
"awsServiceName": "ecs.application-autoscaling.amazonaws.com"
},
"DependsOn": [
"serviceLinkedRoleslambdalogGroupBACA6C83"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "account-level-stack/serviceLinkedRoles/ecs.application-autoscaling.amazonaws.comServiceLinkedRole/customResource/Default"
}
},
"serviceLinkedRolesautoscalingamazonawscomServiceLinkedRolecustomResourceFD2758B6": {
"Type": "AWS::CloudFormation::CustomResource",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"serviceLinkedRoleslambdafunctionCB2DF6C8",
"Arn"
]
},
"rolePathPrefix": "/aws-service-role/autoscaling.amazonaws.com",
"awsServiceName": "autoscaling.amazonaws.com"
},
"DependsOn": [
"serviceLinkedRoleslambdalogGroupBACA6C83"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "account-level-stack/serviceLinkedRoles/autoscaling.amazonaws.comServiceLinkedRole/customResource/Default"
}
},
"ecsTaskExecutionC01B20C8": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ecsTaskExecution/Resource"
}
},
"ecsTaskExecutionDefaultPolicy0110E86D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ecsTaskExecutionDefaultPolicy0110E86D",
"Roles": [
{
"Ref": "ecsTaskExecutionC01B20C8"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ecsTaskExecution/DefaultPolicy/Resource"
}
},
"ebsBgJobsEFF6DE00": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ebsBgJobs/Resource"
}
},
"ebsBgJobsDefaultPolicy7D7A6F3B": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": [
"ebs:StartSnapshot",
"ebs:PutSnapshotBlock",
"ebs:CompleteSnapshot"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*::snapshot/*"
},
{
"Action": [
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ebsBgJobsDefaultPolicy7D7A6F3B",
"Roles": [
{
"Ref": "ebsBgJobsEFF6DE00"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ebsBgJobs/DefaultPolicy/Resource"
}
},
"ec2BgJobs2074A844": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ec2BgJobs/Resource"
}
},
"ec2BgJobsDefaultPolicy141F8D18": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": [
"ec2:DescribeHosts",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:ModifyInstanceAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": "ec2:RunInstances",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ssm:GetConnectionStatus",
"ssm:GetCommandInvocation",
"ssm:ListCommands",
"iam:GetInstanceProfile",
"iam:SimulatePrincipalPolicy"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:*:document/*",
"arn:aws:ec2:*:*:instance/*"
]
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ebs:StartSnapshot",
"ebs:PutSnapshotBlock",
"ebs:CompleteSnapshot"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*::snapshot/*"
},
{
"Action": [
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ec2BgJobsDefaultPolicy141F8D18",
"Roles": [
{
"Ref": "ec2BgJobs2074A844"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ec2BgJobs/DefaultPolicy/Resource"
}
},
"awsBackupRpImportBgJobCA78582D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpImportBgJob/Resource"
}
},
"awsBackupRpImportBgJobDefaultPolicyC01DED50": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": [
"ec2:DescribeHosts",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:ModifyInstanceAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": "ec2:RunInstances",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ssm:GetConnectionStatus",
"ssm:GetCommandInvocation",
"ssm:ListCommands",
"iam:GetInstanceProfile",
"iam:SimulatePrincipalPolicy"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:*:document/*",
"arn:aws:ec2:*:*:instance/*"
]
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ebs:StartSnapshot",
"ebs:PutSnapshotBlock",
"ebs:CompleteSnapshot"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*::snapshot/*"
},
{
"Action": [
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"backup:DescribeRecoveryPoint",
"backup:GetRecoveryPointRestoreMetadata",
"backup:ListBackupVaults",
"backup:ListRecoveryPointsByBackupVault"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpImportBgJobDefaultPolicyC01DED50",
"Roles": [
{
"Ref": "awsBackupRpImportBgJobCA78582D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpImportBgJob/DefaultPolicy/Resource"
}
},
"awsBackupRpIscanBgJobD24516F7": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpIscanBgJob/Resource"
}
},
"awsBackupRpIscanBgJobDefaultPolicy63E7E43C": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": [
"backup:DescribeRecoveryPoint",
"backup:GetRecoveryPointRestoreMetadata",
"backup:ListBackupVaults",
"backup:ListRecoveryPointsByBackupVault"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpIscanBgJobDefaultPolicy63E7E43C",
"Roles": [
{
"Ref": "awsBackupRpIscanBgJobD24516F7"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpIscanBgJob/DefaultPolicy/Resource"
}
},
"iscanBgJobA77A4441": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/iscanBgJob/Resource"
}
},
"iscanBgJobDefaultPolicy2262E072": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "iscanBgJobDefaultPolicy2262E072",
"Roles": [
{
"Ref": "iscanBgJobA77A4441"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/iscanBgJob/DefaultPolicy/Resource"
}
},
"backupIntegrityBgJob78B2C215": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/backupIntegrityBgJob/Resource"
}
},
"backupIntegrityBgJobDefaultPolicyC73D892D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "backupIntegrityBgJobDefaultPolicyC73D892D",
"Roles": [
{
"Ref": "backupIntegrityBgJob78B2C215"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/backupIntegrityBgJob/DefaultPolicy/Resource"
}
},
"fsCheckBgJobA3AE9B8B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/fsCheckBgJob/Resource"
}
},
"fsCheckBgJobDefaultPolicyC58D7148": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "fsCheckBgJobDefaultPolicyC58D7148",
"Roles": [
{
"Ref": "fsCheckBgJobA3AE9B8B"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/fsCheckBgJob/DefaultPolicy/Resource"
}
},
"postgresRecoveryTestBgJob3026B28E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresRecoveryTestBgJob/Resource"
}
},
"postgresRecoveryTestBgJobDefaultPolicy330F31DC": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": [
"s3:GetObject",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "postgresRecoveryTestBgJobDefaultPolicy330F31DC",
"Roles": [
{
"Ref": "postgresRecoveryTestBgJob3026B28E"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresRecoveryTestBgJob/DefaultPolicy/Resource"
}
},
"postgresBackupBgJobA3D33357": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresBackupBgJob/Resource"
}
},
"postgresBackupBgJobDefaultPolicy8A0E5697": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": [
"rds:DescribeDBInstances",
"rds-db:connect"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "postgresBackupBgJobDefaultPolicy8A0E5697",
"Roles": [
{
"Ref": "postgresBackupBgJobA3D33357"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresBackupBgJob/DefaultPolicy/Resource"
}
},
"postgresRestoreBgJob61395365": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresRestoreBgJob/Resource"
}
},
"postgresRestoreBgJobDefaultPolicy0E95B9D4": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": [
"rds:DescribeDBInstances",
"rds-db:connect"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "postgresRestoreBgJobDefaultPolicy0E95B9D4",
"Roles": [
{
"Ref": "postgresRestoreBgJob61395365"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresRestoreBgJob/DefaultPolicy/Resource"
}
},
"s3BackupBgJobECCD4BBE": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/s3BackupBgJob/Resource"
}
},
"s3BackupBgJobDefaultPolicy9400B9EC": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetBucketAcl",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetIntelligentTieringConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetAccelerateConfiguration",
"s3:GetReplicationConfiguration"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "s3BackupBgJobDefaultPolicy9400B9EC",
"Roles": [
{
"Ref": "s3BackupBgJobECCD4BBE"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/s3BackupBgJob/DefaultPolicy/Resource"
}
},
"s3RestoreBgJobB7B3FB81": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/s3RestoreBgJob/Resource"
}
},
"s3RestoreBgJobDefaultPolicy10562DB0": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "s3RestoreBgJobDefaultPolicy10562DB0",
"Roles": [
{
"Ref": "s3RestoreBgJobB7B3FB81"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/s3RestoreBgJob/DefaultPolicy/Resource"
}
},
"retentionBgJob1661509E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/retentionBgJob/Resource"
}
},
"retentionBgJobDefaultPolicy2F27BFB2": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "retentionBgJobDefaultPolicy2F27BFB2",
"Roles": [
{
"Ref": "retentionBgJob1661509E"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/retentionBgJob/DefaultPolicy/Resource"
}
},
"deployAssetRegionLevelStackBgJob9E30C25C": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/deployAssetRegionLevelStackBgJob/Resource"
}
},
"deployAssetRegionLevelStackBgJobDefaultPolicy44EEA959": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "deployAssetRegionLevelStackBgJobDefaultPolicy44EEA959",
"Roles": [
{
"Ref": "deployAssetRegionLevelStackBgJob9E30C25C"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/deployAssetRegionLevelStackBgJob/DefaultPolicy/Resource"
}
},
"destroyAssetRegionLevelStackBgJobF051217D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/destroyAssetRegionLevelStackBgJob/Resource"
}
},
"destroyAssetRegionLevelStackBgJobDefaultPolicy7742A109": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "destroyAssetRegionLevelStackBgJobDefaultPolicy7742A109",
"Roles": [
{
"Ref": "destroyAssetRegionLevelStackBgJobF051217D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/destroyAssetRegionLevelStackBgJob/DefaultPolicy/Resource"
}
},
"catalogRestoreBgJobBDFE1B5B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogRestoreBgJob/Resource"
}
},
"catalogRestoreBgJobDefaultPolicy35FE1370": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": "sqs:SendMessage",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:sqs:*:",
{
"Ref": "AWS::AccountId"
},
":elastio-*"
]
]
}
},
{
"Action": "s3:ListAllMyBuckets",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "catalogRestoreBgJobDefaultPolicy35FE1370",
"Roles": [
{
"Ref": "catalogRestoreBgJobBDFE1B5B"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogRestoreBgJob/DefaultPolicy/Resource"
}
},
"ecsScalezTask48AD43DA": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ecsScalezTask/Resource"
}
},
"ecsScalezTaskDefaultPolicy40CEA626": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:aws:dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/elastio-*/index/*"
]
]
}
]
},
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "kms:*",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "ecsScalezTaskDefaultPolicy40CEA626",
"Roles": [
{
"Ref": "ecsScalezTask48AD43DA"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ecsScalezTask/DefaultPolicy/Resource"
}
},
"ec2SpotFleet212519BE": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "spotfleet.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole"
]
]
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ec2SpotFleet/Resource"
}
},
"ecsInstanceB00E0026": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/AmazonSSMManagedInstanceCore"
]
]
}
],
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ecsInstance/Resource"
}
},
"ecsScalezInstanceProfileId": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Roles": [
{
"Ref": "ecsInstanceB00E0026"
}
],
"InstanceProfileName": {
"Fn::Join": [
"",
[
{
"Ref": "ecsInstanceB00E0026"
},
"-ecsScalezInstanceProfile"
]
]
}
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ecsScalezInstanceProfileId"
}
},
"inventoryEventBridgeHandler60F51011": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/inventoryEventBridgeHandler/Resource"
}
},
"inventoryEventBridgeHandlerDefaultPolicyEB7DD133": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": [
"sns:Publish",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeImages"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"sqs:SendMessage",
"events:PutEvents"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "inventoryEventBridgeHandlerDefaultPolicyEB7DD133",
"Roles": [
{
"Ref": "inventoryEventBridgeHandler60F51011"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/inventoryEventBridgeHandler/DefaultPolicy/Resource"
}
},
"inventoryServiceTenant275E0E16": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/inventoryServiceTenant/Resource"
}
},
"inventoryServiceTenantDefaultPolicyC3994C9A": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "lambda:InvokeFunction",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "inventoryServiceTenantDefaultPolicyC3994C9A",
"Roles": [
{
"Ref": "inventoryServiceTenant275E0E16"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/inventoryServiceTenant/DefaultPolicy/Resource"
}
},
"inventoryForceScan4BF914F0": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/inventoryForceScan/Resource"
}
},
"inventoryForceScanDefaultPolicy8EE65EA0": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
},
{
"Action": [
"sns:Publish",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeVolumes",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeImages"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunction",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "inventoryForceScanDefaultPolicy8EE65EA0",
"Roles": [
{
"Ref": "inventoryForceScan4BF914F0"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/inventoryForceScan/DefaultPolicy/Resource"
}
},
"awsBackupRpEc2ScanBgJobEA3DD765": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpEc2ScanBgJob/Resource"
}
},
"awsBackupRpEc2ScanBgJobDefaultPolicy117537CA": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"backup:DescribeRecoveryPoint",
"backup:GetRecoveryPointRestoreMetadata",
"backup:ListBackupVaults",
"backup:ListRecoveryPointsByBackupVault",
"backup:ListTags"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:CreateVolume",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DeleteVolume",
"ec2:DeleteSnapshot",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpEc2ScanBgJobDefaultPolicy117537CA",
"Roles": [
{
"Ref": "awsBackupRpEc2ScanBgJobEA3DD765"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpEc2ScanBgJob/DefaultPolicy/Resource"
}
},
"awsBackupRpEbsScanBgJob61C7541D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpEbsScanBgJob/Resource"
}
},
"awsBackupRpEbsScanBgJobDefaultPolicy237FE043": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"backup:DescribeRecoveryPoint",
"backup:GetRecoveryPointRestoreMetadata",
"backup:ListBackupVaults",
"backup:ListRecoveryPointsByBackupVault",
"backup:ListTags"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:CreateVolume",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DeleteVolume",
"ec2:DeleteSnapshot",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpEbsScanBgJobDefaultPolicy237FE043",
"Roles": [
{
"Ref": "awsBackupRpEbsScanBgJob61C7541D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpEbsScanBgJob/DefaultPolicy/Resource"
}
},
"awsBackupRpEfsScanBgJobDE47317F": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpEfsScanBgJob/Resource"
}
},
"awsBackupRpEfsScanBgJobDefaultPolicyAA8419B5": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"backup:DescribeRecoveryPoint",
"backup:GetRecoveryPointRestoreMetadata",
"backup:ListBackupVaults",
"backup:ListRecoveryPointsByBackupVault",
"backup:ListTags"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticfilesystem:ClientMount",
"elasticfilesystem:ListTagsForResource",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeAvailabilityZones"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpEfsScanBgJobDefaultPolicyAA8419B5",
"Roles": [
{
"Ref": "awsBackupRpEfsScanBgJobDE47317F"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpEfsScanBgJob/DefaultPolicy/Resource"
}
},
"awsBackupRpFsxOntapScanBgJob7A28B218": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpFsxOntapScanBgJob/Resource"
}
},
"awsBackupRpFsxOntapScanBgJobDefaultPolicyEAC8A50E": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpFsxOntapScanBgJobDefaultPolicyEAC8A50E",
"Roles": [
{
"Ref": "awsBackupRpFsxOntapScanBgJob7A28B218"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpFsxOntapScanBgJob/DefaultPolicy/Resource"
}
},
"awsBackupRpS3ScanBgJob49427448": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpS3ScanBgJob/Resource"
}
},
"awsBackupRpS3ScanBgJobDefaultPolicy165EC4DE": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"backup:DescribeRecoveryPoint",
"backup:GetRecoveryPointRestoreMetadata",
"backup:ListBackupVaults",
"backup:ListRecoveryPointsByBackupVault",
"backup:ListTags"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetBucketTagging"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpS3ScanBgJobDefaultPolicy165EC4DE",
"Roles": [
{
"Ref": "awsBackupRpS3ScanBgJob49427448"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpS3ScanBgJob/DefaultPolicy/Resource"
}
},
"awsEc2ScanBgJobA7520807": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEc2ScanBgJob/Resource"
}
},
"awsEc2ScanBgJobDefaultPolicy5FC29956": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:CreateVolume",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DeleteVolume",
"ec2:DeleteSnapshot",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsEc2ScanBgJobDefaultPolicy5FC29956",
"Roles": [
{
"Ref": "awsEc2ScanBgJobA7520807"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEc2ScanBgJob/DefaultPolicy/Resource"
}
},
"awsEc2AmiScanBgJob5E82FC95": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEc2AmiScanBgJob/Resource"
}
},
"awsEc2AmiScanBgJobDefaultPolicy1FE3D016": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:CreateVolume",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DeleteVolume",
"ec2:DeleteSnapshot",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsEc2AmiScanBgJobDefaultPolicy1FE3D016",
"Roles": [
{
"Ref": "awsEc2AmiScanBgJob5E82FC95"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEc2AmiScanBgJob/DefaultPolicy/Resource"
}
},
"awsEbsScanBgJob0959E957": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEbsScanBgJob/Resource"
}
},
"awsEbsScanBgJobDefaultPolicy5971374D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:CreateVolume",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DeleteVolume",
"ec2:DeleteSnapshot",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsEbsScanBgJobDefaultPolicy5971374D",
"Roles": [
{
"Ref": "awsEbsScanBgJob0959E957"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEbsScanBgJob/DefaultPolicy/Resource"
}
},
"awsEbsSnapshotScanBgJobEF36A0AB": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEbsSnapshotScanBgJob/Resource"
}
},
"awsEbsSnapshotScanBgJobDefaultPolicy78B0C74F": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:CreateVolume",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:DeleteVolume",
"ec2:DeleteSnapshot",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsEbsSnapshotScanBgJobDefaultPolicy78B0C74F",
"Roles": [
{
"Ref": "awsEbsSnapshotScanBgJobEF36A0AB"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEbsSnapshotScanBgJob/DefaultPolicy/Resource"
}
},
"awsEfsScanBgJobBCC3DF58": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEfsScanBgJob/Resource"
}
},
"awsEfsScanBgJobDefaultPolicy094B98C6": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticfilesystem:ClientMount",
"elasticfilesystem:ListTagsForResource",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeAvailabilityZones"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsEfsScanBgJobDefaultPolicy094B98C6",
"Roles": [
{
"Ref": "awsEfsScanBgJobBCC3DF58"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEfsScanBgJob/DefaultPolicy/Resource"
}
},
"awsFsxOntapScanBgJob75C57F57": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsFsxOntapScanBgJob/Resource"
}
},
"awsFsxOntapScanBgJobDefaultPolicy0D5E77C4": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsFsxOntapScanBgJobDefaultPolicy0D5E77C4",
"Roles": [
{
"Ref": "awsFsxOntapScanBgJob75C57F57"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsFsxOntapScanBgJob/DefaultPolicy/Resource"
}
},
"awsS3ScanBgJob676E0619": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsS3ScanBgJob/Resource"
}
},
"awsS3ScanBgJobDefaultPolicy6A18D87D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetBucketTagging"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*/asset-check-results/*"
},
{
"Action": "events:PutEvents",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:iscan-event-bus": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsS3ScanBgJobDefaultPolicy6A18D87D",
"Roles": [
{
"Ref": "awsS3ScanBgJob676E0619"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsS3ScanBgJob/DefaultPolicy/Resource"
}
},
"awsBackupRpEc2ImportBgJob2AC3454B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpEc2ImportBgJob/Resource"
}
},
"awsBackupRpEc2ImportBgJobDefaultPolicy8B4216F4": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"backup:DescribeRecoveryPoint",
"backup:GetRecoveryPointRestoreMetadata",
"backup:ListBackupVaults",
"backup:ListRecoveryPointsByBackupVault",
"backup:ListTags"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpEc2ImportBgJobDefaultPolicy8B4216F4",
"Roles": [
{
"Ref": "awsBackupRpEc2ImportBgJob2AC3454B"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpEc2ImportBgJob/DefaultPolicy/Resource"
}
},
"awsBackupRpEbsImportBgJob2B27E1E5": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpEbsImportBgJob/Resource"
}
},
"awsBackupRpEbsImportBgJobDefaultPolicy8817EC4C": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"backup:DescribeRecoveryPoint",
"backup:GetRecoveryPointRestoreMetadata",
"backup:ListBackupVaults",
"backup:ListRecoveryPointsByBackupVault",
"backup:ListTags"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:StartInstances",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:instance": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Action": [
"ebs:ListChangedBlocks",
"ebs:ListSnapshotBlocks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:snapshot": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringLike": {
"ec2:CreateAction": "*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:ModifySnapshotAttribute"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ssm:GetParameters",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:ssm:*:",
{
"Ref": "AWS::AccountId"
},
":parameter/elastio/*"
]
]
},
"arn:aws:ssm:*::parameter/aws/*"
]
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:lambda:*:",
{
"Ref": "AWS::AccountId"
},
":function:elastio-*"
]
]
}
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:volume": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:ModifyInstanceAttribute",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpEbsImportBgJobDefaultPolicy8817EC4C",
"Roles": [
{
"Ref": "awsBackupRpEbsImportBgJob2B27E1E5"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpEbsImportBgJob/DefaultPolicy/Resource"
}
},
"awsEc2AmiImportBgJobFA7F1C71": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEc2AmiImportBgJob/Resource"
}
},
"awsEc2AmiImportBgJobDefaultPolicy5C7847BB": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*",
"aws:ResourceTag/elastio:bastion-role": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*cloudConnectorBastion*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsEc2AmiImportBgJobDefaultPolicy5C7847BB",
"Roles": [
{
"Ref": "awsEc2AmiImportBgJobFA7F1C71"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsEc2AmiImportBgJob/DefaultPolicy/Resource"
}
},
"awsBackupRpImportBgJobExecution8CBB537B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpImportBgJobExecution/Resource"
}
},
"awsBackupRpImportBgJobExecutionDefaultPolicy2AD42751": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpImportBgJobExecutionDefaultPolicy2AD42751",
"Roles": [
{
"Ref": "awsBackupRpImportBgJobExecution8CBB537B"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpImportBgJobExecution/DefaultPolicy/Resource"
}
},
"awsBackupRpIscanBgJobExecutionB05D079C": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpIscanBgJobExecution/Resource"
}
},
"awsBackupRpIscanBgJobExecutionDefaultPolicyA1BA2D55": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "awsBackupRpIscanBgJobExecutionDefaultPolicyA1BA2D55",
"Roles": [
{
"Ref": "awsBackupRpIscanBgJobExecutionB05D079C"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/awsBackupRpIscanBgJobExecution/DefaultPolicy/Resource"
}
},
"ebsBgJobsExecution2A2D5443": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ebsBgJobsExecution/Resource"
}
},
"ebsBgJobsExecutionDefaultPolicy9DFAF107": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "ebsBgJobsExecutionDefaultPolicy9DFAF107",
"Roles": [
{
"Ref": "ebsBgJobsExecution2A2D5443"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ebsBgJobsExecution/DefaultPolicy/Resource"
}
},
"ec2BgJobsExecution1ABC553A": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ec2BgJobsExecution/Resource"
}
},
"ec2BgJobsExecutionDefaultPolicy1017972C": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "ec2BgJobsExecutionDefaultPolicy1017972C",
"Roles": [
{
"Ref": "ec2BgJobsExecution1ABC553A"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/ec2BgJobsExecution/DefaultPolicy/Resource"
}
},
"s3BackupBgJobExecution79B9097D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/s3BackupBgJobExecution/Resource"
}
},
"s3BackupBgJobExecutionDefaultPolicy0BE78423": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "s3BackupBgJobExecutionDefaultPolicy0BE78423",
"Roles": [
{
"Ref": "s3BackupBgJobExecution79B9097D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/s3BackupBgJobExecution/DefaultPolicy/Resource"
}
},
"s3RestoreBgJobExecutionBE9B148D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/s3RestoreBgJobExecution/Resource"
}
},
"s3RestoreBgJobExecutionDefaultPolicyBE773835": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "s3RestoreBgJobExecutionDefaultPolicyBE773835",
"Roles": [
{
"Ref": "s3RestoreBgJobExecutionBE9B148D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/s3RestoreBgJobExecution/DefaultPolicy/Resource"
}
},
"iscanBgJobExecution8C33E938": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/iscanBgJobExecution/Resource"
}
},
"iscanBgJobExecutionDefaultPolicy23AFEEAB": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "iscanBgJobExecutionDefaultPolicy23AFEEAB",
"Roles": [
{
"Ref": "iscanBgJobExecution8C33E938"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/iscanBgJobExecution/DefaultPolicy/Resource"
}
},
"backupIntegrityBgJobExecution1717A456": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/backupIntegrityBgJobExecution/Resource"
}
},
"backupIntegrityBgJobExecutionDefaultPolicy6B856B35": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "backupIntegrityBgJobExecutionDefaultPolicy6B856B35",
"Roles": [
{
"Ref": "backupIntegrityBgJobExecution1717A456"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/backupIntegrityBgJobExecution/DefaultPolicy/Resource"
}
},
"fsCheckBgJobExecutionF20471ED": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/fsCheckBgJobExecution/Resource"
}
},
"fsCheckBgJobExecutionDefaultPolicy49CCDC57": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "fsCheckBgJobExecutionDefaultPolicy49CCDC57",
"Roles": [
{
"Ref": "fsCheckBgJobExecutionF20471ED"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/fsCheckBgJobExecution/DefaultPolicy/Resource"
}
},
"postgresRecoveryTestBgJobExecution9E3CEA53": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresRecoveryTestBgJobExecution/Resource"
}
},
"postgresRecoveryTestBgJobExecutionDefaultPolicyD5128F58": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "postgresRecoveryTestBgJobExecutionDefaultPolicyD5128F58",
"Roles": [
{
"Ref": "postgresRecoveryTestBgJobExecution9E3CEA53"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresRecoveryTestBgJobExecution/DefaultPolicy/Resource"
}
},
"postgresBackupBgJobExecutionD550D0E9": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresBackupBgJobExecution/Resource"
}
},
"postgresBackupBgJobExecutionDefaultPolicy7D48F8A1": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "postgresBackupBgJobExecutionDefaultPolicy7D48F8A1",
"Roles": [
{
"Ref": "postgresBackupBgJobExecutionD550D0E9"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresBackupBgJobExecution/DefaultPolicy/Resource"
}
},
"postgresRestoreBgJobExecutionF27EB2BD": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresRestoreBgJobExecution/Resource"
}
},
"postgresRestoreBgJobExecutionDefaultPolicy2021DDB5": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "postgresRestoreBgJobExecutionDefaultPolicy2021DDB5",
"Roles": [
{
"Ref": "postgresRestoreBgJobExecutionF27EB2BD"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/postgresRestoreBgJobExecution/DefaultPolicy/Resource"
}
},
"scalezMaintenanceBgJobExecution670F6AE3": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/scalezMaintenanceBgJobExecution/Resource"
}
},
"scalezMaintenanceBgJobExecutionDefaultPolicyBC4B30CA": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "scalezMaintenanceBgJobExecutionDefaultPolicyBC4B30CA",
"Roles": [
{
"Ref": "scalezMaintenanceBgJobExecution670F6AE3"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/scalezMaintenanceBgJobExecution/DefaultPolicy/Resource"
}
},
"retentionBgJobExecution5BDA31CC": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/retentionBgJobExecution/Resource"
}
},
"retentionBgJobExecutionDefaultPolicyCEEB6D8D": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "retentionBgJobExecutionDefaultPolicyCEEB6D8D",
"Roles": [
{
"Ref": "retentionBgJobExecution5BDA31CC"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/retentionBgJobExecution/DefaultPolicy/Resource"
}
},
"replicationBgJobExecution61C7FC3D": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/replicationBgJobExecution/Resource"
}
},
"replicationBgJobExecutionDefaultPolicy0A8E811A": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "replicationBgJobExecutionDefaultPolicy0A8E811A",
"Roles": [
{
"Ref": "replicationBgJobExecution61C7FC3D"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/replicationBgJobExecution/DefaultPolicy/Resource"
}
},
"deployAssetRegionLevelStackBgJobExecution8E73C515": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/deployAssetRegionLevelStackBgJobExecution/Resource"
}
},
"deployAssetRegionLevelStackBgJobExecutionDefaultPolicy3D4FDE23": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "deployAssetRegionLevelStackBgJobExecutionDefaultPolicy3D4FDE23",
"Roles": [
{
"Ref": "deployAssetRegionLevelStackBgJobExecution8E73C515"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/deployAssetRegionLevelStackBgJobExecution/DefaultPolicy/Resource"
}
},
"destroyAssetRegionLevelStackBgJobExecution9F707D3F": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/destroyAssetRegionLevelStackBgJobExecution/Resource"
}
},
"destroyAssetRegionLevelStackBgJobExecutionDefaultPolicy6135FE35": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "destroyAssetRegionLevelStackBgJobExecutionDefaultPolicy6135FE35",
"Roles": [
{
"Ref": "destroyAssetRegionLevelStackBgJobExecution9F707D3F"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/destroyAssetRegionLevelStackBgJobExecution/DefaultPolicy/Resource"
}
},
"catalogRestoreBgJobExecutionA09CCC80": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogRestoreBgJobExecution/Resource"
}
},
"catalogRestoreBgJobExecutionDefaultPolicy2203425C": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "catalogRestoreBgJobExecutionDefaultPolicy2203425C",
"Roles": [
{
"Ref": "catalogRestoreBgJobExecutionA09CCC80"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/catalogRestoreBgJobExecution/DefaultPolicy/Resource"
}
},
"replicationBgJob425EAB61": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/replicationBgJob/Resource"
}
},
"replicationBgJobDefaultPolicy0991EBAD": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:iam::*:role/ElastioReplicationTarget",
{
"Ref": "replicationTargetRoleNameSuffix"
}
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "replicationBgJobDefaultPolicy0991EBAD",
"Roles": [
{
"Ref": "replicationBgJob425EAB61"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/replicationBgJob/DefaultPolicy/Resource"
}
},
"replicationtargetrole1679DDE4": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:PrincipalTag/elastio:resource": "*",
"aws:PrincipalArn": {
"Fn::If": [
"vaultReplicationSourceAccountIdsIsEmpty",
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*replicationBgJob*"
]
]
},
{
"Fn::Split": [
",",
{
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Fn::Join": [
",arn:aws:iam::",
{
"Fn::Split": [
",",
{
"Fn::Join": [
"",
[
{
"Fn::Join": [
":role/elastio-*replicationBgJob*,",
{
"Fn::Split": [
",",
{
"Fn::Join": [
"",
[
{
"Fn::Join": [
",",
{
"Ref": "vaultReplicationSourceAccountIds"
}
]
},
",",
{
"Ref": "AWS::AccountId"
}
]
]
}
]
}
]
},
":role/elastio-*replicationBgJob*"
]
]
}
]
}
]
}
]
]
}
]
}
]
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": "*"
}
}
],
"Version": "2012-10-17"
},
"RoleName": {
"Fn::Join": [
"",
[
"ElastioReplicationTarget",
{
"Ref": "replicationTargetRoleNameSuffix"
}
]
]
},
"Tags": [
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/replication-target-role/Resource"
}
},
"replicationtargetroleDefaultPolicy3EA083CB": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::elastio-*"
},
{
"Action": "cloudwatch:DescribeAlarmsForMetric",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:GetParameter",
"Condition": {
"StringEquals": {
"aws:ResourceTag/elastio:component": "telemetry"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "sqs:SendMessage",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*/elastio-*:*",
"arn:aws:logs:*:*:log-group:/ecs/elastio-scalez-*:*"
]
},
{
"Action": [
"lambda:InvokeFunction",
"ssm:GetParameter"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "replicationtargetroleDefaultPolicy3EA083CB",
"Roles": [
{
"Ref": "replicationtargetrole1679DDE4"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/replication-target-role/DefaultPolicy/Resource"
}
},
"cloudConnectorBastion5E6F318E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:PrincipalTag/elastio:resource": "*",
"aws:PrincipalArn": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":role/elastio-*"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
}
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": "elastio:bastion-role",
"Value": "true"
},
{
"Key": "elastio:resource",
"Value": "true"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/cloudConnectorBastion/Resource"
}
},
"cloudConnectorBastionDefaultPolicy20E04D7F": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:ResourceTag/elastio:resource": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/ElastioCloudConnector"
}
],
"Version": "2012-10-17"
},
"PolicyName": "cloudConnectorBastionDefaultPolicy20E04D7F",
"Roles": [
{
"Ref": "cloudConnectorBastion5E6F318E"
}
]
},
"Metadata": {
"aws:cdk:path": "account-level-stack/cloudConnectorBastion/DefaultPolicy/Resource"
}
}
},
"Parameters": {
"customerManagedPoliciesNameSuffix": {
"Type": "String",
"Default": "",
"Description": "[DON'T MODIFY THIS] Used to insert a custom suffix into the names of the managed IAM policies exposed to the customer. These managed policies can be attached to your IAM identities to grant them permissions for managing Elastio services deployed in your account via the Elastio CLI."
},
"tenantRoleArn": {
"Type": "String",
"Default": "arn:aws:iam::account-id:role/first.app.elastio.com",
"Description": "[DON'T MODIFY THIS] ARN of the Elastio Tenant's IAM role that will be trusted to assume ElastioInstaller and ElastioTenant roles in this account for managing the Elastio Connectors in this account."
},
"externalId": {
"Type": "String",
"Default": "external-id",
"Description": "[DON'T MODIFY THIS] The secret token generated specifically for this account that authenticates Elastio Tenant to assume ElastioInstaller and ElastioTenant roles for managing the Elastio Connectors in this account."
},
"supportRoleExpirationDate": {
"Type": "String",
"Default": "",
"Description": "[YOU CAN MODIFY THIS] Specifies the date when the ElastioSupport role will be disabled. This role contains only the permissions necessary for managing the resources deployed by Elastio, and it grants no write access to the resources owned by you. If this role is enabled, Elastio will be able to provide support for this Connector to keep it in a healthy state. If you don't want this role to be enabled, leave this field empty. To enable the support role for a defined period of time only, enter an expiration date and time in this field; Elastio support personnel will then be able to use the role only until the specified date. The date must be in the format YYYY-MM-DDTHH:MM:SSZ. Example value: 2020-04-01T14:20:30Z."
},
"deploymentNotificationTopicArn": {
"Type": "String",
"Default": "arn:aws:sns:us-east-2:account-id:cfn-deployment-notifications-us-east-2-production-free-tier",
"Description": "[DON'T MODIFY THIS] ARN of the SNS topic to publish a notification about a completed stack deployment"
},
"deploymentNotificationToken": {
"Type": "String",
"Default": "pIYtbP9PP0HUrJQXBHTS",
"Description": "[DON'T MODIFY THIS] Token sent to the SNS topic to authenticate the deployment notification"
},
"replicationTargetRoleNameSuffix": {
"Type": "String",
"Default": "",
"Description": "[DON'T MODIFY THIS] Used to avoid name collision in the CI account when running tests"
},
"vaultReplicationSourceAccountIds": {
"Type": "CommaDelimitedList",
"Default": "",
"Description": "[YOU CAN MODIFY THIS] A list of IDs of trusted AWS accounts that are allowed to replicate their vaults into any vault of this account."
}
},
"Outputs": {
"terraformStateBucket": {
"Value": {
"Ref": "tfstate42168D51"
}
},
"terraformLocksTable": {
"Value": {
"Ref": "tflocks48A1C6E6"
}
},
"accountStackVersion": {
"Value": "2024-02-23"
},
"accsServiceRoleArn": {
"Value": {
"Fn::GetAtt": [
"accsServiceBF8E5156",
"Arn"
]
}
},
"accsHandlerJobsEventsRoleArn": {
"Value": {
"Fn::GetAtt": [
"accsHandlerJobsEventsFE945E0E",
"Arn"
]
}
},
"catalogServiceRoleArn": {
"Value": {
"Fn::GetAtt": [
"catalogServiceB080536D",
"Arn"
]
}
},
"catalogHandlerJobsEventsRoleArn": {
"Value": {
"Fn::GetAtt": [
"catalogHandlerJobsEventsDC2A7EC5",
"Arn"
]
}
},
"catalogHandlerInternalReplicationRoleArn": {
"Value": {
"Fn::GetAtt": [
"catalogHandlerInternalReplication624E7FA4",
"Arn"
]
}
},
"catalogHandlerObjectStorageReplicationRoleArn": {
"Value": {
"Fn::GetAtt": [
"catalogHandlerObjectStorageReplicationD05E3461",
"Arn"
]
}
},
"catalogHandlerSafetyLockRoleArn": {
"Value": {
"Fn::GetAtt": [
"catalogHandlerSafetyLock207B495D",
"Arn"
]
}
},
"catalogServiceTenantRoleArn": {
"Value": {
"Fn::GetAtt": [
"catalogServiceTenantFFDDDBC2",
"Arn"
]
}
},
"mishokServiceRoleArn": {
"Value": {
"Fn::GetAtt": [
"mishokServiceE09B6C9B",
"Arn"
]
}
},
"credsServiceRoleArn": {
"Value": {
"Fn::GetAtt": [
"credsService7F18E705",
"Arn"
]
}
},
"credsServiceTenantRoleArn": {
"Value": {
"Fn::GetAtt": [
"credsServiceTenant5318B514",
"Arn"
]
}
},
"cwpumpHandlerCloudwatchRoleArn": {
"Value": {
"Fn::GetAtt": [
"cwpumpHandlerCloudwatch16E2F27D",
"Arn"
]
}
},
"provisionerServiceWriteRoleArn": {
"Value": {
"Fn::GetAtt": [
"provisionerServiceWriteDA843106",
"Arn"
]
}
},
"provisionerServiceReadRoleArn": {
"Value": {
"Fn::GetAtt": [
"provisionerServiceReadBB149517",
"Arn"
]
}
},
"provisionerServiceDeleteRoleArn": {
"Value": {
"Fn::GetAtt": [
"provisionerServiceDeleteFF166939",
"Arn"
]
}
},
"provisionerHandlerLeaseGcRoleArn": {
"Value": {
"Fn::GetAtt": [
"provisionerHandlerLeaseGcA9F75DFC",
"Arn"
]
}
},
"provisionerServiceTenantRoleArn": {
"Value": {
"Fn::GetAtt": [
"provisionerServiceTenantF6F946DE",
"Arn"
]
}
},
"provisionerServiceLeaseLifecycleRoleArn": {
"Value": {
"Fn::GetAtt": [
"provisionerServiceLeaseLifecycle79E6B47C",
"Arn"
]
}
},
"jobsStatusServiceRoleArn": {
"Value": {
"Fn::GetAtt": [
"jobsStatusService1B791F9F",
"Arn"
]
}
},
"jobsStatusHandlerGcRoleArn": {
"Value": {
"Fn::GetAtt": [
"jobsStatusHandlerGcF2E0B9F2",
"Arn"
]
}
},
"jobsStatusHandlerAwsBatchRoleArn": {
"Value": {
"Fn::GetAtt": [
"jobsStatusHandlerAwsBatchA285B34F",
"Arn"
]
}
},
"jobsStatusServiceTenantRoleArn": {
"Value": {
"Fn::GetAtt": [
"jobsStatusServiceTenant2F30F6E9",
"Arn"
]
}
},
"jobsStatusServiceForceAbortJobsRoleArn": {
"Value": {
"Fn::GetAtt": [
"jobsStatusServiceForceAbortJobs28EAAE5E",
"Arn"
]
}
},
"statusDeliveryLoggingRoleArn": {
"Value": {
"Fn::GetAtt": [
"statusDeliveryLogging2C3AA828",
"Arn"
]
}
},
"bgJobsServiceAwsBackupIntegrationRoleArn": {
"Value": {
"Fn::GetAtt": [
"bgJobsServiceAwsBackupIntegrationB1EB624D",
"Arn"
]
}
},
"bgJobsServiceRoleArn": {
"Value": {
"Fn::GetAtt": [
"bgJobsService0B958966",
"Arn"
]
}
},
"bgJobsServiceTenantRoleArn": {
"Value": {
"Fn::GetAtt": [
"bgJobsServiceTenant061E763D",
"Arn"
]
}
},
"schedulerEventTargetRoleArn": {
"Value": {
"Fn::GetAtt": [
"schedulerEventTargetF951390A",
"Arn"
]
}
},
"awsSchedulerExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsSchedulerExecution92B03CD1",
"Arn"
]
}
},
"schedulerHandlerInventoryEventsStepFunctionRoleArn": {
"Value": {
"Fn::GetAtt": [
"schedulerHandlerInventoryEventsStepFunction5BF71A36",
"Arn"
]
}
},
"schedulerServiceRoleArn": {
"Value": {
"Fn::GetAtt": [
"schedulerService7518A0DF",
"Arn"
]
}
},
"schedulerServiceTenantRoleArn": {
"Value": {
"Fn::GetAtt": [
"schedulerServiceTenant9FDF09E4",
"Arn"
]
}
},
"retentionRoleArn": {
"Value": {
"Fn::GetAtt": [
"retention3837FEBD",
"Arn"
]
}
},
"schedulerHandlerCloudwatchRoleArn": {
"Value": {
"Fn::GetAtt": [
"schedulerHandlerCloudwatch8388F9CC",
"Arn"
]
}
},
"schedulerHandlerInventoryEventsRoleArn": {
"Value": {
"Fn::GetAtt": [
"schedulerHandlerInventoryEvents9FB2154E",
"Arn"
]
}
},
"iscanParamsServiceTenantRoleArn": {
"Value": {
"Fn::GetAtt": [
"iscanParamsServiceTenantA523EB2C",
"Arn"
]
}
},
"janitorGcRoleArn": {
"Value": {
"Fn::GetAtt": [
"janitorGc2DA9D15F",
"Arn"
]
}
},
"importedAssetsHandlerJobsRoleArn": {
"Value": {
"Fn::GetAtt": [
"importedAssetsHandlerJobs9E07406A",
"Arn"
]
}
},
"securityHubEventBusHandlerRoleArn": {
"Value": {
"Fn::GetAtt": [
"securityHubEventBusHandlerF53CFEE4",
"Arn"
]
}
},
"ecsTaskExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"ecsTaskExecutionC01B20C8",
"Arn"
]
}
},
"ebsBgJobsRoleArn": {
"Value": {
"Fn::GetAtt": [
"ebsBgJobsEFF6DE00",
"Arn"
]
}
},
"ec2BgJobsRoleArn": {
"Value": {
"Fn::GetAtt": [
"ec2BgJobs2074A844",
"Arn"
]
}
},
"awsBackupRpImportBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpImportBgJobCA78582D",
"Arn"
]
}
},
"awsBackupRpIscanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpIscanBgJobD24516F7",
"Arn"
]
}
},
"iscanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"iscanBgJobA77A4441",
"Arn"
]
}
},
"backupIntegrityBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"backupIntegrityBgJob78B2C215",
"Arn"
]
}
},
"fsCheckBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"fsCheckBgJobA3AE9B8B",
"Arn"
]
}
},
"postgresRecoveryTestBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"postgresRecoveryTestBgJob3026B28E",
"Arn"
]
}
},
"postgresBackupBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"postgresBackupBgJobA3D33357",
"Arn"
]
}
},
"postgresRestoreBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"postgresRestoreBgJob61395365",
"Arn"
]
}
},
"s3BackupBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"s3BackupBgJobECCD4BBE",
"Arn"
]
}
},
"s3RestoreBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"s3RestoreBgJobB7B3FB81",
"Arn"
]
}
},
"retentionBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"retentionBgJob1661509E",
"Arn"
]
}
},
"deployAssetRegionLevelStackBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"deployAssetRegionLevelStackBgJob9E30C25C",
"Arn"
]
}
},
"destroyAssetRegionLevelStackBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"destroyAssetRegionLevelStackBgJobF051217D",
"Arn"
]
}
},
"catalogRestoreBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"catalogRestoreBgJobBDFE1B5B",
"Arn"
]
}
},
"ecsScalezTaskRoleArn": {
"Value": {
"Fn::GetAtt": [
"ecsScalezTask48AD43DA",
"Arn"
]
}
},
"ec2SpotFleetRoleArn": {
"Value": {
"Fn::GetAtt": [
"ec2SpotFleet212519BE",
"Arn"
]
}
},
"ecsInstanceRoleArn": {
"Value": {
"Fn::GetAtt": [
"ecsInstanceB00E0026",
"Arn"
]
}
},
"ecsScalezInstanceProfile": {
"Value": {
"Fn::Join": [
"",
[
{
"Ref": "ecsInstanceB00E0026"
},
"-ecsScalezInstanceProfile"
]
]
}
},
"ecsScalezInstanceProfileRoleArn": {
"Value": {
"Fn::GetAtt": [
"ecsScalezInstanceProfileId",
"Arn"
]
}
},
"inventoryEventBridgeHandlerRoleArn": {
"Value": {
"Fn::GetAtt": [
"inventoryEventBridgeHandler60F51011",
"Arn"
]
}
},
"inventoryServiceTenantRoleArn": {
"Value": {
"Fn::GetAtt": [
"inventoryServiceTenant275E0E16",
"Arn"
]
}
},
"inventoryForceScanRoleArn": {
"Value": {
"Fn::GetAtt": [
"inventoryForceScan4BF914F0",
"Arn"
]
}
},
"awsBackupRpEc2ScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpEc2ScanBgJobEA3DD765",
"Arn"
]
}
},
"awsBackupRpEbsScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpEbsScanBgJob61C7541D",
"Arn"
]
}
},
"awsBackupRpEfsScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpEfsScanBgJobDE47317F",
"Arn"
]
}
},
"awsBackupRpFsxOntapScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpFsxOntapScanBgJob7A28B218",
"Arn"
]
}
},
"awsBackupRpS3ScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpS3ScanBgJob49427448",
"Arn"
]
}
},
"awsEc2ScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsEc2ScanBgJobA7520807",
"Arn"
]
}
},
"awsEc2AmiScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsEc2AmiScanBgJob5E82FC95",
"Arn"
]
}
},
"awsEbsScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsEbsScanBgJob0959E957",
"Arn"
]
}
},
"awsEbsSnapshotScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsEbsSnapshotScanBgJobEF36A0AB",
"Arn"
]
}
},
"awsEfsScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsEfsScanBgJobBCC3DF58",
"Arn"
]
}
},
"awsFsxOntapScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsFsxOntapScanBgJob75C57F57",
"Arn"
]
}
},
"awsS3ScanBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsS3ScanBgJob676E0619",
"Arn"
]
}
},
"awsBackupRpEc2ImportBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpEc2ImportBgJob2AC3454B",
"Arn"
]
}
},
"awsBackupRpEbsImportBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpEbsImportBgJob2B27E1E5",
"Arn"
]
}
},
"awsEc2AmiImportBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsEc2AmiImportBgJobFA7F1C71",
"Arn"
]
}
},
"awsBackupRpImportBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpImportBgJobExecution8CBB537B",
"Arn"
]
}
},
"awsBackupRpIscanBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"awsBackupRpIscanBgJobExecutionB05D079C",
"Arn"
]
}
},
"ebsBgJobsExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"ebsBgJobsExecution2A2D5443",
"Arn"
]
}
},
"ec2BgJobsExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"ec2BgJobsExecution1ABC553A",
"Arn"
]
}
},
"s3BackupBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"s3BackupBgJobExecution79B9097D",
"Arn"
]
}
},
"s3RestoreBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"s3RestoreBgJobExecutionBE9B148D",
"Arn"
]
}
},
"iscanBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"iscanBgJobExecution8C33E938",
"Arn"
]
}
},
"backupIntegrityBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"backupIntegrityBgJobExecution1717A456",
"Arn"
]
}
},
"fsCheckBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"fsCheckBgJobExecutionF20471ED",
"Arn"
]
}
},
"postgresRecoveryTestBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"postgresRecoveryTestBgJobExecution9E3CEA53",
"Arn"
]
}
},
"postgresBackupBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"postgresBackupBgJobExecutionD550D0E9",
"Arn"
]
}
},
"postgresRestoreBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"postgresRestoreBgJobExecutionF27EB2BD",
"Arn"
]
}
},
"scalezMaintenanceBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"scalezMaintenanceBgJobExecution670F6AE3",
"Arn"
]
}
},
"retentionBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"retentionBgJobExecution5BDA31CC",
"Arn"
]
}
},
"replicationBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"replicationBgJobExecution61C7FC3D",
"Arn"
]
}
},
"deployAssetRegionLevelStackBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"deployAssetRegionLevelStackBgJobExecution8E73C515",
"Arn"
]
}
},
"destroyAssetRegionLevelStackBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"destroyAssetRegionLevelStackBgJobExecution9F707D3F",
"Arn"
]
}
},
"catalogRestoreBgJobExecutionRoleArn": {
"Value": {
"Fn::GetAtt": [
"catalogRestoreBgJobExecutionA09CCC80",
"Arn"
]
}
},
"replicationTargetRoleName": {
"Value": {
"Fn::Join": [
"",
[
"ElastioReplicationTarget",
{
"Ref": "replicationTargetRoleNameSuffix"
}
]
]
}
},
"replicationBgJobRoleArn": {
"Value": {
"Fn::GetAtt": [
"replicationBgJob425EAB61",
"Arn"
]
}
},
"cloudConnectorBastionRoleArn": {
"Value": {
"Fn::GetAtt": [
"cloudConnectorBastion5E6F318E",
"Arn"
]
}
}
},
"Conditions": {
"accountlevelstackassumeRoleCondition2064F09A": {
"Fn::Not": [
{
"Fn::Equals": [
{
"Ref": "tenantRoleArn"
},
""
]
}
]
},
"supportDeploySupportRole90788A97": {
"Fn::And": [
{
"Fn::Not": [
{
"Fn::Equals": [
{
"Ref": "supportRoleExpirationDate"
},
""
]
}
]
},
{
"Fn::Not": [
{
"Fn::Equals": [
{
"Ref": "tenantRoleArn"
},
""
]
}
]
}
]
},
"tenantRoleArnCondition": {
"Fn::Not": [
{
"Fn::Equals": [
{
"Ref": "tenantRoleArn"
},
""
]
}
]
},
"deploymentnotifiernotificationTopicArnCondition89AADD39": {
"Fn::Not": [
{
"Fn::Equals": [
{
"Ref": "deploymentNotificationTopicArn"
},
""
]
}
]
},
"vaultReplicationSourceAccountIdsIsEmpty": {
"Fn::Equals": [
{
"Fn::Join": [
"",
{
"Ref": "vaultReplicationSourceAccountIds"
}
]
},
""
]
}
},
"Mappings": {
"ServiceprincipalMap": {
"af-south-1": {
"states": "states.af-south-1.amazonaws.com"
},
"ap-east-1": {
"states": "states.ap-east-1.amazonaws.com"
},
"ap-northeast-1": {
"states": "states.ap-northeast-1.amazonaws.com"
},
"ap-northeast-2": {
"states": "states.ap-northeast-2.amazonaws.com"
},
"ap-northeast-3": {
"states": "states.ap-northeast-3.amazonaws.com"
},
"ap-south-1": {
"states": "states.ap-south-1.amazonaws.com"
},
"ap-south-2": {
"states": "states.ap-south-2.amazonaws.com"
},
"ap-southeast-1": {
"states": "states.ap-southeast-1.amazonaws.com"
},
"ap-southeast-2": {
"states": "states.ap-southeast-2.amazonaws.com"
},
"ap-southeast-3": {
"states": "states.ap-southeast-3.amazonaws.com"
},
"ca-central-1": {
"states": "states.ca-central-1.amazonaws.com"
},
"cn-north-1": {
"states": "states.cn-north-1.amazonaws.com"
},
"cn-northwest-1": {
"states": "states.cn-northwest-1.amazonaws.com"
},
"eu-central-1": {
"states": "states.eu-central-1.amazonaws.com"
},
"eu-central-2": {
"states": "states.eu-central-2.amazonaws.com"
},
"eu-north-1": {
"states": "states.eu-north-1.amazonaws.com"
},
"eu-south-1": {
"states": "states.eu-south-1.amazonaws.com"
},
"eu-south-2": {
"states": "states.eu-south-2.amazonaws.com"
},
"eu-west-1": {
"states": "states.eu-west-1.amazonaws.com"
},
"eu-west-2": {
"states": "states.eu-west-2.amazonaws.com"
},
"eu-west-3": {
"states": "states.eu-west-3.amazonaws.com"
},
"me-central-1": {
"states": "states.me-central-1.amazonaws.com"
},
"me-south-1": {
"states": "states.me-south-1.amazonaws.com"
},
"sa-east-1": {
"states": "states.sa-east-1.amazonaws.com"
},
"us-east-1": {
"states": "states.us-east-1.amazonaws.com"
},
"us-east-2": {
"states": "states.us-east-2.amazonaws.com"
},
"us-gov-east-1": {
"states": "states.us-gov-east-1.amazonaws.com"
},
"us-gov-west-1": {
"states": "states.us-gov-west-1.amazonaws.com"
},
"us-iso-east-1": {
"states": "states.amazonaws.com"
},
"us-iso-west-1": {
"states": "states.amazonaws.com"
},
"us-isob-east-1": {
"states": "states.amazonaws.com"
},
"us-west-1": {
"states": "states.us-west-1.amazonaws.com"
},
"us-west-2": {
"states": "states.us-west-2.amazonaws.com"
}
}
}
}