EC2 Role Policy

Values to replace before use: the account ID (123456789012), the region (us-east-1), the S3 bucket name (certgenbucket), the SNS topic name (certgen), and the Route 53 hosted zone IDs (Z1111111111111, Z2222222222222) are placeholders in the policy below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CopyToS3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::certgenbucket/*"
            ]
        },
        {
            "Sid": "CopyToACM",
            "Effect": "Allow",
            "Action": [
                "acm:ImportCertificate"
            ],
            "Resource": [
                "arn:aws:acm:us-east-1:123456789012:certificate/*"
            ]
        },
        {
            "Sid": "SendNotification",
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": [
                "arn:aws:sns:us-east-1:123456789012:certgen"
            ]
        },
        {
            "Sid": "SaveEncryptedPassword",
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:123456789012:parameter/certgen/*/p12password"
            ]
        },
        {
            "Sid": "Getcloudflaretoken",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:123456789012:parameter/certgen/*/cloudflare"
            ]
        },
        {
            "Sid": "DNSValidation",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/Z1111111111111",
                "arn:aws:route53:::hostedzone/Z2222222222222"
            ]
        },
        {
            "Sid": "DNS",
            "Effect": "Allow",
            "Action": [
                "route53:GetChange"
            ],
            "Resource": [
                "arn:aws:route53:::change/*"
            ]
        },
        {
            "Sid": "LocateACMCertificate",
            "Effect": "Allow",
            "Action": [
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LocateDNS",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones"
            ],
            "Resource": "*"
        }
    ]
}