AWSQuickSetupPatchPolicyDeploymentRolePolicy
Description: Provides permissions that allow Quick Setup to create resources associated with a patch policy configuration.
AWSQuickSetupPatchPolicyDeploymentRolePolicy is an AWS managed policy.
Using this policy
You can attach AWSQuickSetupPatchPolicyDeploymentRolePolicy to your users, groups, and roles.
Policy details
- Type: AWS managed policy
- Creation time: June 26, 2024, 09:57 UTC
- Edited time: June 26, 2024, 09:57 UTC
- ARN: arn:aws:iam::aws:policy/AWSQuickSetupPatchPolicyDeploymentRolePolicy
Policy version
Policy version: v1 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
JSON policy document
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "CfnRead",
"Effect" : "Allow",
"Action" : [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackDriftDetectionStatus",
"cloudformation:ListStacks"
],
"Resource" : [
"*"
]
},
{
"Sid" : "CfnManage",
"Effect" : "Allow",
"Action" : [
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackResourceDrifts",
"cloudformation:DetectStackDrift",
"cloudformation:DetectStackResourceDrift"
],
"Resource" : [
"arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-*"
]
},
{
"Sid" : "RGroupsGet",
"Effect" : "Allow",
"Action" : [
"resource-groups:GetGroupQuery"
],
"Resource" : [
"*"
]
},
{
"Sid" : "S3BucketsList",
"Effect" : "Allow",
"Action" : [
"s3:ListAllMyBuckets"
],
"Resource" : [
"*"
]
},
{
"Sid" : "AccessLogsBucketManage",
"Effect" : "Allow",
"Action" : [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:Put*",
"s3:Get*",
"s3:List*"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
},
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
},
"Resource" : [
"arn:aws:s3:::aws-quicksetup-patchpolicy-access-log-*"
]
},
{
"Sid" : "LambdaManage",
"Effect" : "Allow",
"Action" : [
"lambda:CreateFunction",
"lambda:UpdateFunction*",
"lambda:GetFunction",
"lambda:ListTags",
"lambda:TagResource",
"lambda:DeleteFunction",
"lambda:InvokeFunction",
"lambda:UntagResource"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
},
"StringEquals" : {
"aws:ResourceAccount" : [
"${aws:PrincipalAccount}"
]
}
},
"Resource" : [
"arn:aws:lambda:*:*:function:baseline-overrides-*",
"arn:aws:lambda:*:*:function:delete-name-tags-*"
]
},
{
"Sid" : "LogGroupsDescribe",
"Effect" : "Allow",
"Action" : [
"logs:DescribeLogGroups"
],
"Resource" : "*"
},
{
"Sid" : "LogGroupsManage",
"Effect" : "Allow",
"Action" : [
"logs:CreateLogGroup",
"logs:TagResource",
"logs:PutRetentionPolicy",
"logs:DeleteLogGroup",
"logs:ListTagsForResource",
"logs:UntagResource"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
}
},
"Resource" : [
"arn:aws:logs:*:*:log-group:/aws/lambda/baseline-overrides-*",
"arn:aws:logs:*:*:log-group:/aws/lambda/delete-name-tags-*"
]
},
{
"Sid" : "QSDocsManage",
"Effect" : "Allow",
"Action" : [
"ssm:CreateDocument",
"ssm:UpdateDocument",
"ssm:DescribeDocument",
"ssm:UpdateDocumentDefaultVersion",
"ssm:DeleteDocument",
"ssm:AddTagsToResource",
"ssm:RemoveTagsFromResource",
"ssm:ListTagsForResource"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
}
},
"Resource" : [
"arn:aws:ssm:*:*:document/AWSQuickSetup-*",
"arn:aws:ssm:*:*:document/QuickSetup-*"
]
},
{
"Sid" : "QSDocsGet",
"Effect" : "Allow",
"Action" : [
"ssm:GetDocument"
],
"Resource" : [
"arn:aws:ssm:*:*:document/AWSQuickSetup-*",
"arn:aws:ssm:*:*:document/QuickSetup-*",
"arn:aws:ssm:*::document/AWS-EnableExplorer",
"arn:aws:ssm:*::document/AWS-RunPatchBaseline"
]
},
{
"Sid" : "QSAssociationsManage",
"Effect" : "Allow",
"Action" : [
"ssm:CreateAssociation",
"ssm:UpdateAssociation",
"ssm:DeleteAssociation",
"ssm:DescribeAssociation"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
}
},
"Resource" : [
"arn:aws:ssm:*:*:document/AWSQuickSetup-*",
"arn:aws:ssm:*:*:document/QuickSetup-*",
"arn:aws:ssm:*::document/AWS-EnableExplorer",
"arn:aws:ssm:*::document/AWS-RunPatchBaseline",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ssm:*:*:managed-instance/*",
"arn:aws:ssm:*:*:association/*"
]
},
{
"Sid" : "SSMSLRCreate",
"Effect" : "Allow",
"Action" : [
"iam:CreateServiceLinkedRole"
],
"Resource" : [
"arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM"
],
"Condition" : {
"StringEquals" : {
"iam:AWSServiceName" : "ssm.amazonaws.com"
}
}
},
{
"Sid" : "ConfigRoleManage",
"Effect" : "Allow",
"Action" : [
"iam:TagRole",
"iam:UntagRole",
"iam:GetRole",
"iam:UpdateRole",
"iam:DeleteRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoleTags"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
}
},
"Resource" : [
"arn:aws:iam::*:role/AWS-QuickSetup-*"
]
},
{
"Sid" : "ConfigRolePassToSSM",
"Effect" : "Allow",
"Action" : [
"iam:PassRole"
],
"Resource" : [
"arn:aws:iam::*:role/AWS-QuickSetup-*"
],
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : [
"ssm.amazonaws.com"
]
}
}
},
{
"Sid" : "ConfigRolePassToLambda",
"Effect" : "Allow",
"Action" : [
"iam:PassRole"
],
"Resource" : [
"arn:aws:iam::*:role/AWS-QuickSetup-*"
],
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : [
"lambda.amazonaws.com"
]
}
}
},
{
"Sid" : "DocDescribe",
"Effect" : "Allow",
"Action" : [
"ssm:DescribeDocument"
],
"Resource" : "*"
},
{
"Sid" : "LegacyDocClean",
"Effect" : "Allow",
"Action" : [
"ssm:DeleteDocument"
],
"Resource" : "*",
"Condition" : {
"StringLike" : {
"aws:ResourceTag/QuickSetupID" : "*"
}
}
},
{
"Sid" : "LegacyIAMClean",
"Effect" : "Allow",
"Action" : [
"iam:DeleteRole",
"iam:DeleteRolePolicy"
],
"Resource" : "arn:aws:iam::*:role/*QuickSetup-*",
"Condition" : {
"StringLike" : {
"aws:ResourceTag/QuickSetupID" : "*"
}
}
},
{
"Sid" : "ConfigRoleBoundedManage",
"Effect" : "Allow",
"Action" : [
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:PutRolePermissionsBoundary"
],
"Condition" : {
"StringEquals" : {
"iam:PermissionsBoundary" : "arn:aws:iam::aws:policy/AWSQuickSetupPatchPolicyPermissionsBoundary"
},
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
}
},
"Resource" : [
"arn:aws:iam::*:role/AWS-QuickSetup-*"
]
}
]
}