{"Resources":{"DoiTSupportGatewayRole":{"Properties":{"RoleName":"DoiT-Support-Gateway","Tags":[{"Value":"true","Key":"doit:support"},{"Key":"doit:version","Value":"20260223023550"}],"AssumeRolePolicyDocument":{"Statement":[{"Action":["sts:AssumeRoleWithWebIdentity","sts:TagSession"],"Condition":{"ForAllValues:StringEquals":{"sts:TransitiveTagKeys":["DoitEnvironment"]},"Null":{"sts:TransitiveTagKeys":false},"StringEquals":{"aws:RequestTag/DoitEnvironment":{"Fn::Sub":"${AWS::AccountId}"}},"StringEqualsIfExists":{"securetoken.google.com/doit-support:aud":"doit-support","support.cre.doit-intl.com:aud":{"Fn::Sub":"${AWS::AccountId}"}}},"Effect":"Allow","Principal":{"Federated":[{"Fn::Sub":"arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/support.cre.doit-intl.com"},{"Fn::Sub":"arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/securetoken.google.com/doit-support"}]}}],"Version":"2012-10-17"},"ManagedPolicyArns":[{"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonOpenSearchIngestionReadOnlyAccess"},{"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AmazonRDSPerformanceInsightsReadOnly"},{"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AWSBillingReadOnlyAccess"},{"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AWSCloudShellFullAccess"},{"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AWSPartnerLedSupportReadOnlyAccess"},{"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AWSSupportAccess"},{"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/CloudWatchReadOnlyAccess"},{"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/job-function/ViewOnlyAccess"},{"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/SecurityAudit"}],"MaxSessionDuration":21600,"Policies":[{"PolicyDocument":{"Statement":[{"Effect":"Allow","Resource":"*","Sid":"custom","Action":["access-analyzer:ValidatePolicy","airflow:GetEnvironment","airflow:List*","amplify:Get*","amplify:List*","aoss:BatchGet*","aoss:Get*","aoss:List*","aps:Describe*","aps:Get*","aps:List*","backup:Describe*","backup:Get*
","backup:List*","batch:Describe*","batch:Get*","batch:List*","bedrock:Get*","bedrock:List*","ce:Get*","ce:List*","ce:Describe*","codeartifact:List*","compute-optimizer:Get*","compute-optimizer:Describe*","ds:Get*","ds:List*","ds:Describe*","eks:AccessKubernetesApi","eks:Describe*","eks:List*","fms:Get*","fms:List*","identitystore-auth:BatchGetSession","identitystore-auth:ListSessions","lambda:GetCapacityProvider","mediapackage:Describe*","mediapackage:List*","mobiletargeting:List*","network-firewall:Describe*","network-firewall:List*","osis:Get*","osis:List*","redshift-serverless:List*","resource-groups:Get*","resource-groups:List*","s3:DescribeJob","s3:GetStorageLens*","s3:ListBucketVersions","s3:ListJobs","s3:ListStorageLens*","servicequotas:Get*","servicequotas:List*","servicequotas:RequestServiceQuotaIncrease","signin:ListTrustedIdentityPropagationApplicationsForConsole","sso-directory:Describe*","sso-directory:DescribeDirectory","sso-directory:Get*","sso-directory:List*","sso-directory:Search*","sso:Search*","ssm:Describe*","ssm:Get*","ssm:List*","support:*","workspaces:List*"]},{"Action":["kms:Decrypt"],"Condition":{"StringLike":{"kms:EncryptionContext:aws:sso:instance-arn":"*","kms:ViaService":"sso.*.amazonaws.com"}},"Effect":"Allow","Resource":"*","Sid":"AllowKMSKeyUseViaAWSIAMIdentityCenterService"},{"Resource":"*","Sid":"AllowKMSKeyUseViaAWSIdentityStoreService","Action":["kms:Decrypt"],"Condition":{"StringLike":{"kms:ViaService":"identitystore.*.amazonaws.com","kms:EncryptionContext:aws:identitystore:identitystore-arn":"*"}},"Effect":"Allow"},{"Effect":"Allow","Resource":"*","Sid":"AllowKMSKeyDiscovery","Action":["kms:ListAliases","kms:DescribeKey"]},{"Effect":"Allow","Resource":"arn:*:identity-sync:*:*:*/*","Sid":"AllowIdentitySyncAccess","Action":["identity-sync:GetSyncProfile","identity-sync:ListSyncFilters","identity-sync:GetSyncTarget"]},{"Action":["ssm:GetDocument","ssm:GetParameter*"],"Effect":"Deny","NotResource":["arn:aws:ssm:*::document/AWSPrem
iumSupport-TroubleshootEKSCluster","arn:aws:ssm:*::document/AWSSupport-TroubleshootEKSWorkerNode","arn:aws:ssm:*::parameter/aws/service/eks/optimized-ami/*","arn:aws:ssm:*::parameter/aws/service/ami-windows-latest/*"],"Sid":"DenyAccessToPotentiallySensitiveSSMDataButDoiTManaged"},{"Effect":"Deny","Resource":"*","Sid":"DenyAccessToPotentiallySensitiveData","Action":["ssm:GetDocument","ssm:GetParameter*"]},{"Fn::If":["AllowSupportRunbooksExecutions",{"Effect":"Allow","Resource":["arn:aws:ssm:*::document/AWSPremiumSupport-TroubleshootEKSCluster","arn:aws:ssm:*::document/AWSSupport-TroubleshootEKSWorkerNode","arn:aws:ssm:*::automation-definition/AWSPremiumSupport-TroubleshootEKSCluster:*","arn:aws:ssm:*::automation-definition/AWSSupport-TroubleshootEKSWorkerNode:*","arn:aws:ssm:*::parameter/aws/service/eks/optimized-ami/*","arn:aws:ssm:*::parameter/aws/service/ami-windows-latest/*"],"Sid":"EKSSSMTroubleshooting","Action":["ssm:GetDocument","ssm:GetParameter*","ssm:StartAutomationExecution"]},{"Ref":"AWS::NoValue"}]},{"Fn::If":["PartnerLedSupport",{"Action":"ts:*","Effect":"Allow","Resource":"*","Sid":"PartnerLedSupportDiagnosticsToolUser"},{"Ref":"AWS::NoValue"}]},{"Fn::If":["PartnerLedSupport",{"Resource":{"Fn::Sub":"arn:${AWS::Partition}:iam::${AWS::AccountId}:role/SupportDiagnostics"},"Sid":"PartnerLedSupportDiagnosticsToolPassRoleRequirement","Action":"iam:PassRole","Condition":{"StringEquals":{"iam:PassedToService":"ts.amazonaws.com"}},"Effect":"Allow"},{"Ref":"AWS::NoValue"}]}],"Version":"2012-10-17"},"PolicyName":"inline"}]},"Type":"AWS::IAM::Role"},"OpenIDConnectProvider1":{"Type":"AWS::IAM::OIDCProvider","Properties":{"ClientIdList":[{"Fn::Sub":"${AWS::AccountId}"}],"Tags":[{"Key":"doit:support","Value":"true"}],"ThumbprintList":["15c2b40aa2f322798666a6b332aaa03a6773019b","08745487e891c19e3078c1f2a07e452950ef36f6"],"Url":"https://support.cre.doit-intl.com"}},"OpenIDConnectProvider2":{"Properties":{"ClientIdList":["doit-support"],"Tags":[{"Key":"doit:support","V
alue":"true"}],"ThumbprintList":["08745487e891c19e3078c1f2a07e452950ef36f6"],"Url":"https://securetoken.google.com/doit-support"},"Type":"AWS::IAM::OIDCProvider"},"SupportDiagnosticsRole":{"Properties":{"AssumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"ts.amazonaws.com"},"Sid":"AWSDiagnosticToolsServiceOnly"}],"Version":"2012-10-17"},"ManagedPolicyArns":[{"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/AWSPartnerLedSupportReadOnlyAccess"}],"RoleName":"SupportDiagnostics","Tags":[{"Key":"doit:support","Value":"true"}]},"Type":"AWS::IAM::Role","Condition":"PartnerLedSupport"}},"Conditions":{"AllowSupportRunbooksExecutions":{"Fn::Equals":[{"Ref":"AllowSupportRunbooksExecutions"},"true"]},"PartnerLedSupport":{"Fn::Equals":[{"Ref":"GrantDiagnosticToolAccess"},"true"]}},"Parameters":{"AllowSupportRunbooksExecutions":{"Type":"String","AllowedValues":["true","false"],"ConstraintDescription":"Grant DoiT access to execute select DoiT-provided SSM runbooks to help with troubleshooting.","Default":"false"},"GrantDiagnosticToolAccess":{"Default":"true","Type":"String","AllowedValues":["true","false"],"ConstraintDescription":"Grant DoiT access to the AWS diagnostic tool, available only if you have a partner-led support subscription. We recommend leaving this set to 'true'. (https://docs.aws.amazon.com/ts/latest/diagnostic-tools/what-is-aws-diagnostic-tools.html)"}}}