davemackintosh/cdk-cloudformation-policy.json

## cdk-cloudformation-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/cdk-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:PutBucketPolicy",
                "s3:PutBucketVersioning",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": [
                "arn:aws:s3::*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:SetRepositoryPolicy",
                "ecr:GetLifecyclePolicy",
                "ecr:CreateRepository",
                "ecr:PutImageTagMutability",
                "ecr:DescribeRepositories",
                "ecr:DeleteRepository",
                "ecr:ListTagsForResource",
                "ecr:PutImageScanningConfiguration"
            ],
            "Resource": [
                "arn:aws:ecr:*:*:repository/cdk-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetTemplate",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DescribeStackEvents",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeStacks",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DeleteStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/CDKToolkit/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:DeleteParameter"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:parameter/cdk-bootstrap/*/*"
            ]
        }
    ]
}
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": [
	"sts:AssumeRole"
	],
	"Resource": [
	"arn:aws:iam:::role/cdk-"
	]
	},
	{
	"Effect": "Allow",
	"Action": [
	"s3:CreateBucket",
	"s3:DeleteBucket",
	"s3:PutBucketPolicy",
	"s3:PutBucketVersioning",
	"s3:PutBucketPublicAccessBlock",
	"s3:PutEncryptionConfiguration",
	"s3:GetEncryptionConfiguration"
	],
	"Resource": [
	"arn:aws:s3:::"
	]
	},
	{
	"Effect": "Allow",
	"Action": [
	"iam:GetRole",
	"iam:CreateRole",
	"iam:DeleteRole",
	"iam:PutRolePolicy",
	"iam:AttachRolePolicy",
	"iam:DetachRolePolicy",
	"iam:DeleteRolePolicy"
	],
	"Resource": [
	"arn:aws:iam:::"
	]
	},
	{
	"Effect": "Allow",
	"Action": [
	"ecr:SetRepositoryPolicy",
	"ecr:GetLifecyclePolicy",
	"ecr:CreateRepository",
	"ecr:PutImageTagMutability",
	"ecr:DescribeRepositories",
	"ecr:DeleteRepository",
	"ecr:ListTagsForResource",
	"ecr:PutImageScanningConfiguration"
	],
	"Resource": [
	"arn:aws:ecr:::repository/cdk-*"
	]
	},
	{
	"Effect": "Allow",
	"Action": [
	"cloudformation:GetTemplate",
	"cloudformation:ExecuteChangeSet",
	"cloudformation:DescribeStackEvents",
	"cloudformation:CreateChangeSet",
	"cloudformation:DescribeChangeSet",
	"cloudformation:DescribeStacks",
	"cloudformation:DeleteChangeSet",
	"cloudformation:DeleteStack"
	],
	"Resource": [
	"arn:aws:cloudformation:::stack/CDKToolkit/*"
	]
	},
	{
	"Effect": "Allow",
	"Action": [
	"ssm:PutParameter",
	"ssm:GetParameter",
	"ssm:GetParameters",
	"ssm:DeleteParameter"
	],
	"Resource": [
	"arn:aws:ssm:::parameter/cdk-bootstrap//"
	]
	}
	]
	}