How can i give an aws lambda in a cloudformation template the necessary permissions to allow it to manage alarms (create / delete) them, i'm struggling to understand the policies and how they work
Role:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
{
'Version': '2012-10-17',
'Statement':
[
{
'Effect': 'Allow',
'Principal': { 'Service': ['lambda.amazonaws.com'] },
'Action': ['sts:AssumeRole'],
},
],
}
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
- 'arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess'
- 'arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess'
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
Lambda:
Type: 'AWS::Lambda::Function'
Properties:
PackageType: Zip
Handler: index.handler
Runtime: nodejs12.x
MemorySize: 512
Timeout: 30
Role:
Fn::GetAtt:
- Role
- Arn
Code:
ZipFile: |
const AWS = require('aws-sdk')
AWS.config.update({region: 'us-east-2'});
const cw = new AWS.CloudWatch({apiVersion: '2010-08-01'});
//
You could assign the CloudWatchFullAccess policy (arn:aws:iam::aws:policy/CloudWatchFullAccess), but that is probably providing excessive access.
If you are okay with writing your own policy, you could grant:
cloudwatch:PutMetricAlarmcloduwatch:DeleteAlarmsFor details, see: Actions, resources, and condition keys for Amazon CloudWatch - Service Authorization Reference