We Keep Coding

Replace custom AWS IAM policies with managed ones

I am trying to replace a bunch of custom AWS IAM policies with managed versions. Currently, the template has:
Resources:
...
AutoScalingRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Join ['', [!Ref ServiceName, AutoScalingRole]]
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole'
ContainerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: !Join ['', [!Ref ServiceName, ContainerSecurityGroup]]
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: !Ref ContainerPort
ToPort: !Ref ContainerPort
SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
LoadBalancerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription:
!Join ['', [!Ref ServiceName, LoadBalancerSecurityGroup]]
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: !Ref LoadBalancerPort
ToPort: !Ref LoadBalancerPort
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
...
CubeJsGroup:
Type: AWS::IAM::Group
Properties:
GroupName: staging-cubejs-group
Policies:
- PolicyName: staging-cubejs-s3-policy
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:*
- s3-object-lambda:*
Resource: "*"
- PolicyName: staging-cubejs-athena-policy
PolicyDocument:
Statement:
- Effect: Allow
Action:
- athena:*
Resource: "*"
- Effect: Allow
Action:
- glue:CreateDatabase
- glue:DeleteDatabase
- glue:GetDatabase
- glue:GetDatabases
- glue:UpdateDatabase
- glue:CreateTable
- glue:DeleteTable
- glue:BatchDeleteTable
- glue:UpdateTable
- glue:GetTable
- glue:GetTables
- glue:BatchCreatePartition
- glue:CreatePartition
- glue:DeletePartition
- glue:BatchDeletePartition
- glue:UpdatePartition
- glue:GetPartition
- glue:GetPartitions
- glue:BatchGetPartition
Resource: "*"
- Effect: Allow
Action:
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:ListMultipartUploadParts
- s3:AbortMultipartUpload
- s3:CreateBucket
- s3:PutObject
- s3:PutBucketPublicAccessBloc
Resource: "arn:aws:s3:::aws-athena-query-results-*"
- Effect: Allow
Action:
- cloudwatch:PutMetricAlarm
- cloudwatch:DescribeAlarms
- cloudwatch:DeleteAlarms
Resource: "*"
- Effect: Allow
Action:
- lakeformation:GetDataAccess
Resource: "*"
- Effect: Allow
Action:
- sns:ListTopics
- sns:GetTopicAttributes
Resource: "*"
CubeJsUser:
Type: AWS::IAM::User
Properties:
UserName: 'cubejsUser-staging'
Groups:
- !Ref CubeJsGroup
DependsOn:
- CubeJsGroup
CubeJsUserAccessKey:
Type: AWS::IAM::AccessKey
Properties:
Status: Active
UserName: !Ref CubeJsUser
DependsOn:
- CubeJsUser
Outputs:
Endpoint:
Description: Endpoint
Value: !Join ['', ['https://', !Ref DNSRecord]]
CubeJsUserAccessKey:
Description: "CubeJS user stagin access key id"
Value: !Ref CubeJsUserAccessKey
Export:
Name:
Fn::Sub: "${AWS::StackName}-cubejs-access-id"
CubeJsUserSecretAccessKey:
Description: "CubeJS user access key id"
Value: !GetAtt
- CubeJsUserAccessKey
- SecretAccessKey
Export:
Name:
Fn::Sub: "${AWS::StackName}-cubejs-access-secret"
I like how AutoScalingRole is defined using ManagedPolicyArns etc. To me, it seems like S3FullAccess and such could be used to replace at least some custom permissions. Plus, I would like to maybe drop CubeJsGroup altogether. The template defines all of that CubeJS -related things so that CubeJS had access to Athena and to export keys for CubeJS instance to access AWS. Seems like athena:* could be replaced with AmazonAthenaFullAccess managed policy. Right?
How could I re-write this with as few custom policies as possibly, without breaking anything?

SQS Timeout from Lambda in VPC Using VPC Endpoint

This is basically the same issue as in this question, but the answers there didn't get me to a solution.
My configuration is: 1 VPC, 1 subnet, 1 security group. My Lambda runs in the VPC/subnet/security group and tries to add a message to an SQS queue, but gets a timeout. I've double-checked the permissions granted to the lambda, the policy on the VPC Endpoint, the policy on the SQS queue, opened the rules on the Security Group, ensured the Network ACLs are open.
I successfully went through this tutorial, which sets up VPC/etc+EC2 with cloudformation, then demonstrates sending a message to SQS from EC2.
To reproduce my problem, I started with the cloudformation from that tutorial and added the following to it:
the VPC Endpoint (rather than creating it through console like in the tutorial)
a Lambda (plus IAM role+policy) in the same VPC that tries to send a message to the SQS queue
The resulting cloudformation template is below.
I can reproduce the problem like this:
Create the cloudformation template (see below) (note that I had to make one small change to the template in the tutorial to get it to work in us-west-2).
SSH to the EC2 and run the command to send an SQS message (see step 5 from the tutorial). This succeeds.
In the console, go to the Lambda, paste the URL of the SQS queue into the code, deploy, and run the lambda. It times out.
In the console, edit the Lambda configuration to set VPC=None, then rerun the lambda. It succeeds.
So the SQS queue is accessible by the lambda outside the VPC, and by EC2 inside the VPC/subnet/sg, but not the lambda inside the VPC/subnet/sg.
Any idea what could be missing?
Cloudformation (from tutorial + my additions):
# Copied from this tutorial: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-sending-messages-from-vpc.html
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation Template for SQS VPC Endpoints Tutorial
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
Type: 'AWS::EC2::KeyPair::KeyName'
ConstraintDescription: must be the name of an existing EC2 KeyPair.
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instance
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Conditions:
IsT3Supported: !Equals [!Ref 'AWS::Region', eu-north-1]
Mappings:
RegionMap:
us-east-1:
AMI: ami-428aa838
us-east-2:
AMI: ami-710e2414
us-west-1:
AMI: ami-4a787a2a
us-west-2:
AMI: ami-7f43f307
ap-northeast-1:
AMI: ami-c2680fa4
ap-northeast-2:
AMI: ami-3e04a450
ap-southeast-1:
AMI: ami-4f89f533
ap-southeast-2:
AMI: ami-38708c5a
ap-south-1:
AMI: ami-3b2f7954
ca-central-1:
AMI: ami-7549cc11
eu-central-1:
AMI: ami-1b2bb774
eu-west-1:
AMI: ami-db1688a2
eu-west-2:
AMI: ami-6d263d09
eu-north-1:
AMI: ami-87fe70f9
eu-west-3:
AMI: ami-5ce55321
sa-east-1:
AMI: ami-f1337e9d
Resources:
VPC:
Type: 'AWS::EC2::VPC'
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
Tags:
- Key: Name
Value: SQS-VPCE-Tutorial-VPC
Subnet:
Type: 'AWS::EC2::Subnet'
Properties:
VpcId: !Ref VPC
# I had to add (uncomment) this line to avoid using us-west-2d, which doesn't support the instance type
# AvailabilityZone: us-west-2a
CidrBlock: 10.0.0.0/24
Tags:
- Key: Name
Value: SQS-VPCE-Tutorial-Subnet
InternetGateway:
Type: 'AWS::EC2::InternetGateway'
Properties:
Tags:
- Key: Name
Value: SQS-VPCE-Tutorial-InternetGateway
VPCGatewayAttachment:
Type: 'AWS::EC2::VPCGatewayAttachment'
Properties:
VpcId: !Ref VPC
InternetGatewayId: !Ref InternetGateway
RouteTable:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: SQS-VPCE-Tutorial-RouteTable
SubnetRouteTableAssociation:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet
InternetGatewayRoute:
Type: 'AWS::EC2::Route'
Properties:
RouteTableId: !Ref RouteTable
GatewayId: !Ref InternetGateway
DestinationCidrBlock: 0.0.0.0/0
SecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupName: SQS VPCE Tutorial Security Group
GroupDescription: Security group for SQS VPC endpoint tutorial
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: '-1'
CidrIp: 10.0.0.0/16
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: !Ref SSHLocation
SecurityGroupEgress:
- IpProtocol: '-1'
CidrIp: 10.0.0.0/16
Tags:
- Key: Name
Value: SQS-VPCE-Tutorial-SecurityGroup
EC2Instance:
Type: 'AWS::EC2::Instance'
Properties:
KeyName: !Ref KeyName
InstanceType: !If [IsT3Supported, t3.micro, t2.micro]
ImageId: !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- AMI
NetworkInterfaces:
- AssociatePublicIpAddress: 'true'
DeviceIndex: '0'
GroupSet:
- !Ref SecurityGroup
SubnetId: !Ref Subnet
IamInstanceProfile: !Ref EC2InstanceProfile
Tags:
- Key: Name
Value: SQS-VPCE-Tutorial-EC2Instance
EC2InstanceProfile:
Type: 'AWS::IAM::InstanceProfile'
Properties:
Roles:
- !Ref EC2InstanceRole
InstanceProfileName: !Sub 'EC2InstanceProfile-${AWS::Region}'
EC2InstanceRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Sub 'SQS-VPCE-Tutorial-EC2InstanceRole-${AWS::Region}'
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AmazonSQSFullAccess'
CFQueue:
Type: 'AWS::SQS::Queue'
Properties:
VisibilityTimeout: 60
# Stuff I added starting here:
VPCEndpointForSQS:
Type: 'AWS::EC2::VPCEndpoint'
Properties:
VpcEndpointType: 'Interface'
PolicyDocument:
Statement:
- Action: '*'
Effect: Allow
Resource: '*'
Principal: '*'
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sqs'
VpcId: !Ref VPC
SubnetIds:
- !Ref Subnet
PrivateDnsEnabled: true
SecurityGroupIds:
- !Ref SecurityGroup
LambdaRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Sub 'SQS-VPCE-Tutorial-LambdaRole-${AWS::Region}'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AmazonSQSFullAccess'
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
LambdaPolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: !Sub 'SQS-VPCE-Tutorial-LambdaPolicy-${AWS::Region}'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
Resource: '*'
- Effect: Allow
Action:
- logs:CreateLogStream
- logs:PutLogEvents
Resource: '*'
Roles:
- !Ref LambdaRole
LambdaFunction:
Type: 'AWS::Lambda::Function'
Properties:
FunctionName: 'SQS-VPCE-Tutorial-Lambda'
Role: !GetAtt LambdaRole.Arn
Runtime: 'python3.9'
Handler: 'index.lambda_handler'
Timeout: 20
VpcConfig:
SecurityGroupIds:
- !Ref SecurityGroup
SubnetIds:
- !Ref Subnet
Code:
ZipFile: |
import json
import boto3
from botocore.exceptions import ClientError
sqs = boto3.resource('sqs')
queue = sqs.Queue('<INSERT SQS QUEUE URL HERE>')
def lambda_handler(event, context):
print("before")
queue.send_message(MessageBody='Hello from Amazon SQS.')
print("after")

Of course, as soon as I posted this, I found this answer, that there is a bug in boto3 that prevents it from using VPC Endpoint for SQS by default. I tried the solution there and is solved the problem!

Cloudformation !Ref doesn't return the correct value for vpc endpoint

I have a vpc endpoint created with:
ExecuteApiVPCEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal: "*"
Action:
- "execute-api:*"
Resource:
- "*"
ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
VpcId: !Ref MyVPC
VpcEndpointType: Interface
SubnetIds:
- !Ref privateSubnet01
- !Ref privateSubnet02
SecurityGroupIds:
- !Ref EndpointSG # has to allow traffic from your VPC
PrivateDnsEnabled: true
and a private API created with:
APIDefinition:
Type: 'AWS::Serverless::Api'
Properties:
StageName: {Ref: Stage}
EndpointConfiguration: PRIVATE
Auth:
ResourcePolicy:
CustomStatements:
- Action: ['execute-api:Invoke']
Effect: Allow
Principal: '*'
Resource: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:/*/*/*"
- Action: ['execute-api:Invoke']
Effect: Deny
Principal: '*'
Resource: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:/*/*/*"
Condition:
ForAllValues:StringNotEquals:
aws:sourceVpce:
- !Ref ExecuteApiVPCEndpoint
The stack was deployed with no error, but the vpce in the resource policy of the API doesn't match with the vpce being created. What's going wrong here? Thanks!

CloudWatch resource access policy error while creating Amazon Elasticsearch Service via Cloud Formation

I am trying to create an elastic search domain with enabled LogPublishingOptions. While enabling LogPublishingOptions ES says it does not sufficient permissions to create a LogStream on Cloudwatch.
I tried creating a policy with a role and attaching the policy to the LogGroup which is referred by ES but it ain't working. Following is my elastic search cloud formation template,
AWSTemplateFormatVersion: 2010-09-09
Resources:
MYLOGGROUP:
Type: 'AWS::Logs::LogGroup'
Properties:
LogGroupName: index_slow
MYESROLE:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: es.amazonaws.com
Action: 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AmazonESFullAccess'
- 'arn:aws:iam::aws:policy/CloudWatchFullAccess'
RoleName: !Join
- '-'
- - es
- !Ref 'AWS::Region'
PolicyDocESIndexSlow :
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- logs:PutLogEvents
- logs:CreateLogStream
Resource: 'arn:aws:logs:*'
PolicyName: !Ref MYLOGGROUP
Roles:
- !Ref MYESROLE
MYESDOMAIN:
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: 'es-domain'
ElasticsearchVersion: '7.4'
ElasticsearchClusterConfig:
DedicatedMasterCount: 3
DedicatedMasterEnabled: True
DedicatedMasterType: 'r5.large.elasticsearch'
InstanceCount: '2'
InstanceType: 'r5.large.elasticsearch'
EBSOptions:
EBSEnabled: True
VolumeSize: 10
VolumeType: 'gp2'
AccessPolicies:
Version: 2012-10-17
Statement:
- Effect: Deny
Principal:
AWS: '*'
Action: 'es:*'
Resource: '*'
AdvancedOptions:
rest.action.multi.allow_explicit_index: True
LogPublishingOptions:
INDEX_SLOW_LOGS:
CloudWatchLogsLogGroupArn: !GetAtt
- MYLOGGROUP
- Arn
Enabled: True
VPCOptions:
SubnetIds:
- !Ref MYSUBNET
SecurityGroupIds:
- !Ref MYSECURITYGROUP
MYVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
MYSUBNET:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref MYVPC
CidrBlock: 10.0.0.0/16
MYSECURITYGROUP:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: security group for elastic search domain
VpcId: !Ref MYVPC
GroupName: 'SG for ES'
SecurityGroupIngress:
- FromPort: '443'
IpProtocol: tcp
ToPort: '443'
CidrIp: 0.0.0.0/0
Upon execution, it creates all resources except MYESDOMAIN. It says
The Resource Access Policy specified for the CloudWatch Logs log group index_slow does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream. Please check the Resource Access Policy. (Service: AWSElasticsearch; Status Code: 400; Error Code: ValidationException)
Any idea what's missing here?

Update 2021
There is a CloudFormation resource called AWS::Logs::ResourcePolicy which allows defining policies for CloudWatch Logs in CF. The main issue I found is that it only accepts a real string as the value. Trying to assemble a string using Ref, Join, etc kept being rejected. If anyone can make that work that would be fab.
Writing it in YAML is easier as JSON requires escaping all the " characters.
OSLogGroupPolicy:
Type: AWS::Logs::ResourcePolicy
Properties:
PolicyName: AllowES
PolicyDocument: '{"Version": "2012-10-17","Statement":[{"Effect":"Allow","Principal": {"Service": ["es.amazonaws.com"]},"Action":["logs:PutLogEvents","logs:CreateLogStream"],"Resource":"*"}]}'

I believe there is some confusion here about what policies should be updated/set to enable ES writing to a log group.
I think you should apply the PolicyDocESIndexSlow policy to CloudWatch Logs.
And this can't be done in CloudFormation from what I remember. You have to use put-resource-policy, corresponding API call, or console as shown in:
Viewing Amazon Elasticsearch Service Slow Logs

The final code would be something like this,
DeployES lambda_function.py
import logging
import time
import boto3
import json
from crhelper import CfnResource
logger = logging.getLogger(__name__)
helper = CfnResource(json_logging=False, log_level='DEBUG', boto_level='CRITICAL', sleep_on_delete=120)
try:
# Init code goes here
pass
except Exception as e:
helper.init_failure(e)
#helper.create
#helper.update
def create(event, _):
logger.info("Got Create/Update")
my_log_group_arn = event['ResourceProperties']['MYLOGGROUPArn']
client = boto3.client('logs')
policy_document = dict()
policy_document['Version'] = '2012-10-17'
policy_document['Statement'] = [{
'Sid': 'ESLogsToCloudWatchLogs',
'Effect': 'Allow',
'Principal': {
'Service': [
'es.amazonaws.com'
]
},
'Action': 'logs:*',
}]
policy_document['Statement'][0]['Resource'] = my_log_group_arn
client.put_resource_policy(policyName='ESIndexSlowPolicy', policyDocument=json.dumps(policy_document))
helper.Data['success'] = True
helper.Data['message'] = 'ES policy deployment successful'
# To return an error to Cloud Formation you raise an exception:
if not helper.Data["success"]:
raise Exception('Error message to cloud formation')
return "MYESIDDEFAULT"
#helper.delete
def delete(event, _):
logger.info("Got Delete")
# Delete never returns anything. Should not fail if the underlying resources are already deleted.
# Desired state.
try:
client = boto3.client('logs')
client.delete_resource_policy(policyName='ESIndexSlowPolicy')
except Exception as ex:
logger.critical(f'ES policy delete failed with error [{repr(ex)}]')
def lambda_handler(event, context):
helper(event, context)
And some additional components in CF template
MYLAMBDAROLE:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
- 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
- 'arn:aws:iam::aws:policy/AmazonESFullAccess'
- 'arn:aws:iam::aws:policy/CloudWatchFullAccess'
RoleName: !Join
- '-'
- - lambda-role
- !Ref 'AWS::Region'
MYLAMBDADEPLOY:
Type: 'AWS::Lambda::Function'
Properties:
Code:
S3Bucket: es-bucket-for-lambda-ta86asdf596
S3Key: es.zip
FunctionName: deploy_es
Handler: lambda_function.lambda_handler
MemorySize: 128
Role: !GetAtt
- MYLAMBDAROLE
- Arn
Runtime: python3.8
Timeout: 60
MYESSETUP:
Type: 'Custom::MYESSETUP'
Properties:
ServiceToken: !GetAtt
- MYLAMBDADEPLOY
- Arn
MYLOGGROUPArn: !GetAtt
- MYLOGGROUP
- Arn
DependsOn:
- MYLAMBDADEPLOY
- MYLOGGROUP
And just add below DependsOn to MYESDOMAIN
DependsOn:
- MYESSETUP

Adding a DependsOn in the AWS::Elasticsearch::Domain resource for the AWS::Logs::ResourcePolicy fixed this for me.
Example code:
ESLogGroup:
Type: 'AWS::Logs::LogGroup'
Properties:
LogGroupName: !Sub '/aws/OpenSearchService/domains/${NamePrefix}-es/application-logs'
RetentionInDays: 30
ESLogGroupPolicy:
Type: AWS::Logs::ResourcePolicy
DependsOn: ESLogGroup
Properties:
PolicyName: !Sub "es-logs-access-policy"
PolicyDocument: '{"Version": "2012-10-17","Statement":[{"Effect":"Allow","Principal": {"Service": ["es.amazonaws.com"]},"Action":["logs:PutLogEvents","logs:CreateLogStream"],"Resource":"*"}]}'
ESDomain:
Type: AWS::Elasticsearch::Domain
DependsOn: [ESLogGroupPolicy]
Properties:
DomainName: !Sub "${NamePrefix}-es"
...
LogPublishingOptions:
ES_APPLICATION_LOGS:
CloudWatchLogsLogGroupArn: !GetAtt ESLogGroup.Arn
Enabled: true

Attach IAM role using cloudformation

I am trying to create a webserver (Ec2 instance) with an IAM role of access to S3 bucket using ccloudformation. It creates the role but doesn't attach the role to ec2-instance.
webserver:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: sg-webserver
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
Description: For traffic from Internet
GroupDescription: Security Group for demo server
VpcId: !Ref VPC
EC2Instance:
Type: AWS::EC2::Instance
Properties:
AvailabilityZone: us-east-2a
BlockDeviceMappings:
- DeviceName: /dev/xvda
Ebs:
DeleteOnTermination: "true"
VolumeSize: "8"
VolumeType: gp2
ImageId: ami-0bdcc6c05dec346bf
InstanceType: t2.micro
KeyName: key-webserver
NetworkInterfaces:
- Description: Primary network interface
DeviceIndex: 0
SubnetId: !Ref SubnetA
GroupSet:
- Ref: webserver
ListS3BucketsInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- Ref: S3FullAccess
ListS3BucketsPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: ListS3BucketsPolicy
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:List*
Resource: "*"
Roles:
- Ref: S3FullAccess
S3FullAccess:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
The yml file works fine. It creates an ec2-instance and security group but doesnot attach the IAM role to the ec2 Instance

You're not attaching it to the EC2 resource, it should instead add it via the IamInstanceProfile property of EC2.
The value should be !Ref ListS3BucketsInstanceProfile
The instance profile will never automatically attach to the instance.
webserver:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: sg-webserver
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
Description: For traffic from Internet
GroupDescription: Security Group for demo server
VpcId: !Ref VPC
EC2Instance:
Type: AWS::EC2::Instance
Properties:
AvailabilityZone: us-east-2a
BlockDeviceMappings:
- DeviceName: /dev/xvda
Ebs:
DeleteOnTermination: "true"
VolumeSize: "8"
VolumeType: gp2
ImageId: ami-0bdcc6c05dec346bf
InstanceType: t2.micro
IamInstanceProfile: !Ref ListS3BucketsInstanceProfile
KeyName: key-webserver
NetworkInterfaces:
- Description: Primary network interface
DeviceIndex: 0
SubnetId: !Ref SubnetA
GroupSet:
- Ref: webserver
ListS3BucketsInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- Ref: S3FullAccess
ListS3BucketsPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: ListS3BucketsPolicy
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:List*
Resource: "*"
Roles:
- Ref: S3FullAccess
S3FullAccess:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
For more information over instance profiles take a look at this link.

The missing piece is the IamInstanceProfile parameter to EC2Instance. That should reference the instance profile ARN. Add the following to EC2Instance:
IamInstanceProfile: !GetAtt ListS3BucketsInstanceProfile.Arn