gabanox/systems-manager-role.yml

## systems-manager-role.yml
Resources:
  SSMInstanceRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Sub "SystemsManagerRole-${AWS::AccountId}"
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - ec2.amazonaws.com
              - ssm.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: "A SSM role for use by EC2 Instances to be managed."
      ManagedPolicyArns: [
        "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
        "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
        "arn:aws:iam::aws:policy/AmazonSSMFullAccess",
        "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
    ]
  SSMInstanceProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties:
      InstanceProfileName: !Sub "SystemsManagerInstanceRole-${AWS::AccountId}"
      Roles:
        - !Ref SSMInstanceRole
	Resources:
	SSMInstanceRole:
	Type: "AWS::IAM::Role"
	Properties:
	RoleName: !Sub "SystemsManagerRole-${AWS::AccountId}"
	AssumeRolePolicyDocument:
	Version: 2012-10-17
	Statement:
	- Effect: Allow
	Principal:
	Service:
	- ec2.amazonaws.com
	- ssm.amazonaws.com
	Action:
	- 'sts:AssumeRole'
	Description: "A SSM role for use by EC2 Instances to be managed."
	ManagedPolicyArns: [
	"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
	"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
	"arn:aws:iam::aws:policy/AmazonSSMFullAccess",
	"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
	]
	SSMInstanceProfile:
	Type: "AWS::IAM::InstanceProfile"
	Properties:
	InstanceProfileName: !Sub "SystemsManagerInstanceRole-${AWS::AccountId}"
	Roles:
	- !Ref SSMInstanceRole