Add more automation role iam requirements

keithduncan · keithduncan · commit 624ea72209ff · 2021-11-23T13:43:12.000+10:00
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
@@ -1161,10 +1161,15 @@ Resources:
                 Resource: "*"
               - Effect: Allow
                 Action: ssm:SendCommand
-                Resource: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/AWS-RunShellScript
+                Resource: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}::document/AWS-RunShellScript
               - Effect: Allow
                 Action: ssm:SendCommand
                 Resource: !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*
+              - Effect: Allow
+                Action:
+                  - ssm:ListCommands
+                  - ssm:ListCommandInvocations
+                Resource: "*"
         - PolicyName: CompleteLifecycleActions
           PolicyDocument:
             Version: '2012-10-17'
