WIP

cezudas · cezudas · commit 8843c32212ed · 2026-03-18T11:11:04.000+02:00
diff --git a/cloud-access/aws-cf-role-stack.mdx b/cloud-access/aws-cf-role-stack.mdx
@@ -1,29 +1,64 @@
 ---
-title: 'OpenOpsApp AWS Role Stack'
-description: 'How to set up the OpenOpssApp on AWS CloudFormation'
-icon: 'aws'
+title: ‘AWS CloudFormation Role Stacks’
+description: ‘How to set up AWS roles for OpenOps using CloudFormation’
+icon: ‘aws’
 ---
 
-import JoinCommunity from '/snippets/join-community.mdx'
+import JoinCommunity from ‘/snippets/join-community.mdx’
 
-The OpenOpsApp role stack for [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) is used to create the `OpenOpsApp` role in your AWS account. This will in turn provide the OpenOps platform with the necessary permissions to connect to your AWS resources.
+OpenOps provides [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) templates to create IAM roles in your AWS account with the necessary permissions to connect to your AWS resources.
+
+## OpenOpsApp Role Stack
+
+The OpenOpsApp role stack creates the `OpenOpsApp` role with permissions to run workflows from the OpenOps template catalog.
 
 When creating the stack, you have the option to enable or disable certain permission sets. While the read-only permission set is mandatory, the rest are completely optional. The sets can also be enabled or disabled later by updating the stack.
 
-## Installation
+### Installation
 
-1. Navigate to CloudFormation on your AWS account, in the North Virginia (`us-east-1`) region. You can do so [by clicking here](https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1). The stack **must** be created in the `us-east-1` region.
-2. Click **Create stack**, then select **With new resources**:
-    ![Creating a new stack](/images/cloud-cf-roles-create-stack.png)
-3. In the **Amazon S3 URL** field, insert the following URL: `https://openops.s3.us-east-2.amazonaws.com/OpenOpsAppRoleStack.yml`, then click **Next**.
-    ![Specifying a template](/images/cloud-cf-roles-template.png)
-4. Give a name to the stack, such as `OpenOpsApp`. Enter an AWS account ID that you want OpenOps to use. Modify the permission sets if you like, then click **Next**.
-5. Scroll down to the **Capabilities** section, acknowledge the creation of the necessary IAM roles, then click **Next**:
+1. **[Click here to create the stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=OpenOpsApp&templateURL=https://openops.s3.us-east-2.amazonaws.com/OpenOpsAppRoleStack.yml)** in the North Virginia (`us-east-1`) region. The stack **must** be created in the `us-east-1` region.
+2. On the **Specify stack details** page, enter an AWS account ID that you want OpenOps to use. Modify the permission sets if you like, then click **Next**.
+3. On the **Configure stack options** page, click **Next**.
+4. On the **Review and create** page, scroll down to the **Capabilities** section and acknowledge the creation of IAM roles:
     ![Capabilities](/images/cloud-cf-roles-capabilities.png)
-6. In the **Review and create** view, scroll down and click **Submit**. The stack will be created, including the `OpenOpsApp` role and the requested permissions.
+5. Click **Submit**. The stack will be created, including the `OpenOpsApp` role and the requested permissions.
 
-## Modification
+### Modification
 
 You’re welcome to [download the stack](https://openops.s3.us-east-2.amazonaws.com/OpenOpsAppRoleStack.yml) and modify specific permissions according to your needs. Notice that some AWS components in the OpenOps workflows may not function properly as a result.
 
+## Benchmark Role Stack
+
+The Benchmark role stack creates a read-only `OpenOpsBenchmarkRole` specifically for running AWS cost optimization benchmarks. This stack includes:
+
+- **Compute Optimizer permissions** - Access to EC2, EBS, RDS, Lambda, ECS, and Auto Scaling Group recommendations
+- **Resource read access** - Read-only access to EC2, RDS, ELB, DynamoDB, CloudWatch, Cost Explorer, and CloudTrail
+- **Pricing API access** - Access to AWS pricing information
+
+### Installation
+
+1. **[Click here to create the stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=OpenOpsBenchmark&templateURL=https://openops.s3.us-east-2.amazonaws.com/OpenOpsBenchmarkRoleStack.yml)** in the North Virginia (`us-east-1`) region.
+2. On the **Specify stack details** page, enter the required parameters:
+   - **TrustedAccountId** - AWS Account ID that will assume this role
+   - **ExternalId** - (Optional but recommended) A unique identifier for security
+3. Click **Next** twice to reach the **Review and create** page.
+4. Scroll down to the **Capabilities** section and acknowledge the creation of IAM roles.
+5. Click **Submit**. The stack will create the `OpenOpsBenchmarkRole` with read-only permissions.
+
+### Usage with OpenOps
+
+After deploying the stack:
+1. Get the Role ARN from the CloudFormation outputs
+2. In OpenOps, go to Settings → Connections
+3. Create or edit an AWS connection and configure it to assume the role
+4. Run benchmark workflows from the template catalog
+
+### Security Considerations
+
+- This stack provides **read-only access only** - no write, modify, or delete permissions
+- An External ID is highly recommended to prevent the "confused deputy problem"
+- Follows the principle of least privilege, scoped only to services needed for benchmarking
+
+You can [download the Benchmark stack](https://openops.s3.us-east-2.amazonaws.com/OpenOpsBenchmarkRoleStack.yml) to review or modify the permissions. See the [CloudFormation example](https://github.com/openops-cloud/cloudformation-examples/tree/main/aws-benchmark-permissions) for more details.
+
 <JoinCommunity />
