
I am attempting to create an autoscaling group for my EC2 instances. These instances are encrypted with a custom key, so I need to be able to inject a policy that allows the read of said key into the autoscaling group.

I decided to utilize the ServiceLinkedRoleARN property of the AutoScalingGroup and create a new autoscale role that would have all the necessary permissions.

Unfortunately, the properties of IAM::ServiceLinkedRole (SLR) do not offer policy inputs (unlike standard roles):

Type: AWS::IAM::ServiceLinkedRole
Properties: 
  AWSServiceName: String
  CustomSuffix: String
  Description: String

and so far I have been unable to find a solution for this. If there is no way to modify the policies of an SLR, I even fail to see a reason for allowing us to create our own SLR, so I imagine there has to be a reason for that.

Can you please help with how to resolve my problem? My company mandates that I use CloudFormation for that, so no console adjustments are possible, but using the custom SLR is not necessary; it just felt like the cleanest solution to me.

cejkapa4

1 Answer


You can't modify the service-linked role for Auto Scaling:

With the AWSServiceRoleForAutoScalingPlans_EC2AutoScaling role created by AWS Auto Scaling, you can edit only its description and not its permissions.

However, the KMS permissions should be added to your instance role, not to the service-linked role for Auto Scaling. So you have to change the role associated with your AWS::IAM::InstanceProfile.

Marcin
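The layout the answer describes, as an added CloudFormation example that is not part of the original answer: the KMS read permission lives on an EC2 instance role that is attached through an AWS::IAM::InstanceProfile, and the Auto Scaling group reaches it via a launch template. The key ARN, AMI and subnets are parameters you supply; the instance type is an assumed placeholder.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  EbsKeyArn:
    Type: String
    Description: ARN of the customer managed KMS key (placeholder, supply your own)
  ImageId:
    Type: AWS::EC2::Image::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
Resources:
  # Role assumed by the EC2 instances themselves, not the Auto Scaling service-linked role
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadEbsKey
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [kms:Decrypt, kms:DescribeKey]
                Resource: !Ref EbsKeyArn   # scoped to this one key, never "*"
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref ImageId
        InstanceType: t3.micro   # assumed placeholder
        IamInstanceProfile:
          Arn: !GetAtt InstanceProfile.Arn
  AutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: "1"
      MaxSize: "2"
      VPCZoneIdentifier: !Ref SubnetIds
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplate
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
```

Independently of the instance role, the KMS key's own key policy must allow the Auto Scaling service-linked role (AWSServiceRoleForAutoScaling) to use the key when the group launches instances with volumes encrypted by a customer managed key; that grant is made in the key policy, so the service-linked role itself is never edited.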