This repository has been archived by the owner on Jan 19, 2024. It is now read-only.

problem with suggested IAM role #28

Open
bkedryna opened this issue Apr 20, 2021 · 2 comments

Comments

@bkedryna

On page 20 of the document ops-automator.pdf, it says that it's recommended to use a separate IAM role to launch the ops-automator template. However, that role does not work, for 2 reasons:

  1. It's invalid JSON - there is an extra comma after the last item in the list ("cloudformation:*"):
    "s3:GetLifecycleConfiguration",
    "s3:PutLifecycleConfiguration",
    "cloudformation:*",
    ],
    "Resource": [
    "*"
  2. There are A LOT of necessary permissions that are not in this role. It took me hours of deploying the template, finding the permission error, adding it to the role, then deploying it again, finding another permission error, adding it, etc.
    Here are the permissions that I ended up using. I'm not 100% sure that all of them are necessary because some of the permission errors did not say which permission was needed, so I had to guess, and I didn't feel like spending even more time to narrow it down:
    "sns:CreateTopic",
    "sns:DeleteTopic",
    "sns:ListTopics",
    "sns:GetTopicAttributes",
    "sns:SetTopicAttributes",
    "sns:Subscribe",
    "iam:CreateRole",
    "iam:UpdateRole",
    "iam:DeleteRole",
    "iam:AttachRolePolicy",
    "iam:DeleteRolePolicy",
    "iam:GetRole",
    "iam:PassRole",
    "iam:ListRoles",
    "iam:DetachRolePolicy",
    "iam:PutRolePolicy",
    "kms:CreateAlias",
    "kms:CreateGrant",
    "kms:CreateKey",
    "kms:DeleteAlias",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:EnableKeyRotation",
    "kms:Encrypt",
    "kms:PutKeyPolicy",
    "kms:ReEncrypt",
    "kms:ScheduleKeyDeletion",
    "kms:TagResource",
    "dynamodb:CreateTable",
    "dynamodb:DeleteTable",
    "dynamodb:DescribeTable",
    "dynamodb:DescribeTimeToLive",
    "dynamodb:UpdateTable",
    "dynamodb:UpdateTimeToLive",
    "events:*",
    "logs:*",
    "lambda:*",
    "s3:CreateBucket",
    "s3:DeleteBucket",
    "s3:GetObject",
    "s3:GetLifecycleConfiguration",
    "s3:ListBucket",
    "s3:PutLifecycleConfiguration",
    "s3:PutBucketAcl",
    "s3:PutBucketLogging",
    "s3:PutBucketPublicAccessBlock",
    "s3:PutBucketTagging",
    "s3:PutBucketVersioning",
    "s3:PutEncryptionConfiguration",
    "s3:PutLifecycleConfiguration",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "sqs:CreateQueue",
    "sqs:DeleteQueue",
    "sqs:GetQueueAttributes",
    "sqs:SetQueueAttributes",
    "cloudformation:*"
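The two problems described in the comment above (a trailing comma that makes the policy invalid JSON, and a deployment role that ends up with service-wide wildcards such as "lambda:*" after a trial-and-error permission hunt) can both be caught before the template is launched. The Python below is an added example, not code from the Ops Automator solution or from the commenter; the policy text is a constructed fragment shaped like the one quoted in the issue, and the function names strip_trailing_commas, load_policy and lint_actions are chosen here. The lint checks action-name syntax and wildcards only; it does not know whether a given action (for example "kms:ReEncrypt") actually exists in IAM.

```python
"""Lint an IAM policy document: detect and repair the trailing-comma JSON
error, then flag service-wide wildcard actions in Allow statements.
Added example; not part of the Ops Automator project."""
import json
import re

# Constructed sample policy reproducing the shape of the fragment quoted in
# the issue: a trailing comma after the last action makes it invalid JSON.
BROKEN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration",
        "cloudformation:*",
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}"""

# A comma followed only by whitespace and a closing ] or } is never valid JSON.
# (Assumption: no string value in the policy itself contains such a sequence.)
TRAILING_COMMA = re.compile(r",(\s*[\]}])")
# IAM action syntax: lowercase service prefix, colon, action name or wildcard.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")


def strip_trailing_commas(text: str) -> str:
    """Remove commas that directly precede a closing ] or }."""
    return TRAILING_COMMA.sub(r"\1", text)


def load_policy(text: str):
    """Parse a policy document.

    Returns (policy, repaired); repaired is True when the text only parsed
    after trailing commas were stripped, i.e. it was invalid JSON as given."""
    try:
        return json.loads(text), False
    except json.JSONDecodeError:
        return json.loads(strip_trailing_commas(text)), True


def iter_actions(policy):
    """Yield (Effect, action) pairs; Action may be a string or a list."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            yield stmt.get("Effect"), action


def lint_actions(policy):
    """Return findings as (kind, action) tuples.

    'malformed': the action does not match IAM's service:Action syntax.
    'wildcard':  an Allow statement grants '*' or a whole service ('lambda:*'),
                 which is the least-privilege problem a deployment role built
                 by trial and error tends to accumulate."""
    findings = []
    for effect, action in iter_actions(policy):
        if action != "*" and not ACTION_RE.match(action):
            findings.append(("malformed", action))
        elif effect == "Allow" and (action == "*" or action.endswith(":*")):
            findings.append(("wildcard", action))
    return findings


if __name__ == "__main__":
    doc, repaired = load_policy(BROKEN_POLICY)
    print("repaired trailing comma:", repaired)
    for kind, action in lint_actions(doc):
        print(f"{kind}: {action}")
```

Run the script as-is to see the trailing comma reported as repaired and "cloudformation:*" flagged as a wildcard; point load_policy at the role document from the Ops Automator security page to check it the same way before creating the role.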
rakshb commented Apr 26, 2021

@bkedryna Hello, we are looking into the issue. Which version of the solution are you using? Are you using this IAM role for a secondary account?

@bkedryna (Author)

The latest one, 2.2.0. The PDF document is dated August 2020. I don't remember where I got it, but I see the same problem on https://docs.aws.amazon.com/solutions/latest/ops-automator/security.html
