===== EC2 Role Policy =====

Variables to change:

  * Region ''us-east-1''
  * AWS account ''123456789012''
  * S3 bucket ''certgenbucket''
  * Hosted zone IDs ''Z1111111111111'' and ''Z2222222222222''
  * Name ''certgen'' (used below as the SNS topic name and as the SSM parameter path prefix)
  * SNS topic name used for notifications
  * Parameter names for the P12 password and the Cloudflare token

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CopyToS3",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::certgenbucket/*"
      ]
    },
    {
      "Sid": "CopyToACM",
      "Effect": "Allow",
      "Action": [
        "acm:ImportCertificate"
      ],
      "Resource": [
        "arn:aws:acm:us-east-1:123456789012:certificate/*"
      ]
    },
    {
      "Sid": "SendNotification",
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": [
        "arn:aws:sns:us-east-1:123456789012:certgen"
      ]
    },
    {
      "Sid": "SaveEncryptedPassword",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter"
      ],
      "Resource": [
        "arn:aws:ssm:us-east-1:123456789012:parameter/certgen/*/p12password"
      ]
    },
    {
      "Sid": "Getcloudflaretoken",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": [
        "arn:aws:ssm:us-east-1:123456789012:parameter/certgen/*/cloudflare"
      ]
    },
    {
      "Sid": "DNSValidation",
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z1111111111111",
        "arn:aws:route53:::hostedzone/Z2222222222222"
      ]
    },
    {
      "Sid": "DNS",
      "Effect": "Allow",
      "Action": [
        "route53:GetChange"
      ],
      "Resource": [
        "arn:aws:route53:::change/*"
      ]
    },
    {
      "Sid": "LocateACMCertificate",
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LocateDNS",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones"
      ],
      "Resource": "*"
    }
  ]
}