
Create assumable role for Instance Scheduler Lambda in member accounts

Open · dms1981 opened this issue 2 years ago · 1 comment

User Story

As a modernisation platform engineer
I need an assumable IAM role in member accounts for the instance scheduler lambda function
So that the instance scheduler can assume permissions on a least-privilege basis

User Type(s)

Value

Creating a new role that can be assumed by the Lambda instance scheduler function will ensure that the instance scheduler is not exposed to any unintended permissions. Current roles that the function could be allowed to assume would suit the functionality requirements, but would allow the potential for a much greater scope. Creating a new role will not require significant effort, and should not require further effort once it has been successfully implemented.

Permissions should include the following:

ec2:DescribeInstances
ec2:DescribeInstanceStatus
ec2:DescribeTags
ec2:StartInstances
ec2:StopInstances

Questions / Assumptions / Hypothesis

Hypothesis

If we create an IAM role with the minimum required permissions
Then we will be able to safely use the instance scheduler function across accounts

Definition of done

  • [ ] new assumable role, policy, and policy document with minimum permissions created in bootstrap/delegate-access/
  • [ ] lambda policy document updated to allow assumption of new role
  • [ ] another team member has reviewed
  • [ ] lambda function has been tested to confirm that scheduler can assume role

Reference

How to write good user stories https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-error/

dms1981 · Jul 28 '22 13:07
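
The three policy documents the issue's definition of done asks for (the member-account role's trust policy, its permission policy with exactly the five listed EC2 actions, and the statement the Lambda's own policy needs so it can assume the new role), as an added example that is not the modernisation-platform repository's own Terraform. Account ID, role names and the `instance-scheduling` tag key are assumptions; the tag condition on Start/Stop goes one step beyond the issue's list and is marked as such in the code. A small review helper flags any action outside the agreed set or any wildcard, which is the check a reviewer would run against the "current roles" the issue says are too broad.

```python
"""Least-privilege cross-account role for the instance scheduler Lambda.

Example code added alongside the issue, not the platform's own Terraform.
Account IDs, role names and the tag key below are assumptions.
"""
import json

# Assumed identifiers (hypothetical; real values would live in
# bootstrap/delegate-access and the Lambda's Terraform).
CORE_ACCOUNT_ID = "111111111111"                        # account running the scheduler
LAMBDA_EXEC_ROLE = "instance-scheduler-lambda-function"  # hypothetical execution role
MEMBER_ROLE_NAME = "InstanceSchedulerAccess"             # hypothetical member-account role

# The exact permission set listed in the issue.
SCHEDULER_ACTIONS = (
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeTags",
    "ec2:StartInstances",
    "ec2:StopInstances",
)
DESCRIBE_ACTIONS = tuple(a for a in SCHEDULER_ACTIONS if a.startswith("ec2:Describe"))
MUTATING_ACTIONS = tuple(a for a in SCHEDULER_ACTIONS if a not in DESCRIBE_ACTIONS)


def trust_policy(core_account_id: str, lambda_role_name: str) -> dict:
    """Trust (assume-role) policy for the member-account role.

    Trusts only the scheduler's execution role, not the whole core account
    (":root"), so nothing else in that account can pick up these permissions.
    """
    principal = f"arn:aws:iam::{core_account_id}:role/{lambda_role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowInstanceSchedulerLambda",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(tag_key: str = "instance-scheduling") -> dict:
    """Permission policy granting only the five actions from the issue.

    ec2:Describe* calls do not support resource-level permissions, so they
    need Resource "*". Start/Stop do, so they are limited to instances
    carrying the scheduling tag (tag key is an assumption beyond the issue).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeInstances",
                "Effect": "Allow",
                "Action": list(DESCRIBE_ACTIONS),
                "Resource": "*",
            },
            {
                "Sid": "StartStopTaggedInstances",
                "Effect": "Allow",
                "Action": list(MUTATING_ACTIONS),
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringLike": {f"aws:ResourceTag/{tag_key}": "*"}},
            },
        ],
    }


def lambda_assume_policy(member_role_name: str) -> dict:
    """Statement for the Lambda's own policy document: it may assume the new
    role in any member account, and no other role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeInstanceSchedulerRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::*:role/{member_role_name}",
        }],
    }


def actions_in(policy: dict) -> set:
    """Every action granted by an Allow statement (Deny statements ignored)."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt["Action"]
        found.update([action] if isinstance(action, str) else action)
    return found


def check_least_privilege(policy: dict, allowed: tuple) -> list:
    """Review findings for a policy; an empty list means it stays in scope."""
    findings = []
    for action in sorted(actions_in(policy)):
        if "*" in action:
            findings.append(f"wildcard action {action}")
        elif action not in allowed:
            findings.append(f"unexpected action {action}")
    return findings


if __name__ == "__main__":
    for name, doc in [("trust", trust_policy(CORE_ACCOUNT_ID, LAMBDA_EXEC_ROLE)),
                      ("permissions", permissions_policy()),
                      ("lambda", lambda_assume_policy(MEMBER_ROLE_NAME))]:
        print(f"--- {name} ---\n{json.dumps(doc, indent=2)}")
    print("new role:", check_least_privilege(permissions_policy(), SCHEDULER_ACTIONS))
    # A broad policy of the kind the issue wants to avoid is flagged:
    broad = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
    print("broad role:", check_least_privilege(broad, SCHEDULER_ACTIONS))
```

The trust policy names the Lambda's execution role ARN rather than the core account, and the Lambda-side statement names the member role rather than `*`; both sides being narrow is what stops a compromised function, or another principal in the core account, from reaching anything beyond Start/Stop on scheduled instances.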

#2151

gfou-al · Aug 16 '22 14:08