Sarang

Reputation: 43

Create a CloudFormation only AWS policy

I want to create a policy and role in AWS that will allow creating resources only through CloudFormation and not through console. What is the best possible way to achieve this?

Upvotes: 1

Views: 414

Answers (1)

Jamie Starke

Reputation: 9234

The easiest way to achieve what you're looking to do would be to create a CloudFormation Service role, and grant your users the ability to pass this role to CloudFormation, and perform CloudFormation Creates, Updates, etc.

I've created a CloudFormation template with starting point roles and groups with policies that should do what you're looking for.

  • CloudFormationServiceRole: The actual role used by CloudFormation with permissions to perform actions in AWS
  • UsersGroup: The Group to add your users to. It has permission to perform actions in CloudFormation and pass the CloudFormationServiceRole, and nothing else.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  CloudFormationServiceRole:
    # This Role will actually do all of the heavy lifting and resource
    # creation. Only the CloudFormation service may assume it.
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: CloudformationAccess
          PolicyDocument:
            # This policy defines what CloudFormation can do on the users'
            # behalf when it runs with this role (here: everything)
            Version: "2012-10-17"
            Statement:
              -
                Effect: Allow
                Action: "*"
                Resource: "*"
  UsersGroup:
    # The users will use the role, but do nothing themselves
    Type: AWS::IAM::Group
    Properties:
      Policies:
        -
          PolicyName: UsersCloudformationAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                # Users may drive CloudFormation (create/update/delete stacks)
                Effect: Allow
                Action:
                  - cloudformation:*
                Resource: "*"
              -
                # ...and hand exactly this one role to CloudFormation
                Effect: Allow
                Action:
                  - iam:GetRole
                  - iam:PassRole
                Resource: !GetAtt CloudFormationServiceRole.Arn

Upvotes: 1
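To check that the UsersGroup policy in the answer really confines users to CloudFormation, here is a small, added example (not part of the answer above) that evaluates that policy against a handful of requests. It models only what the template uses: Allow statements, "*" wildcards in Action and Resource, case-insensitive action names, and implicit deny for everything else. The account id and the role ARN standing in for !GetAtt CloudFormationServiceRole.Arn are constructed values.

```python
"""Toy IAM-style evaluator for the UsersGroup policy from the answer.

Added example. It deliberately omits explicit Deny, Condition blocks,
resource-based policies and SCPs, so it only illustrates the allow/deny
shape of this particular policy, not full IAM semantics.
"""
from fnmatch import fnmatchcase

# Constructed ARN standing in for !GetAtt CloudFormationServiceRole.Arn
SERVICE_ROLE_ARN = "arn:aws:iam::123456789012:role/CloudFormationServiceRole"

# The UsersGroup inline policy from the answer, expressed as Python data.
USERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:PassRole"],
            "Resource": SERVICE_ROLE_ARN,
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Return True if some Allow statement matches action and resource.

    Anything not explicitly allowed is implicitly denied, which is what keeps
    group members from creating resources directly in the console.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; "*" and "?" are wildcards.
        action_ok = any(
            fnmatchcase(action.lower(), pattern.lower())
            for pattern in _as_list(stmt["Action"])
        )
        # Resource ARNs are case-sensitive; wildcards apply the same way.
        resource_ok = any(
            fnmatchcase(resource, pattern) for pattern in _as_list(stmt["Resource"])
        )
        if action_ok and resource_ok:
            return True
    return False


def evaluate_scenarios(policy=USERS_POLICY):
    """Run the requests a reviewer would want answered and return the verdicts."""
    stack_arn = "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/abc"
    other_role = "arn:aws:iam::123456789012:role/AdminRole"  # constructed
    return {
        # Driving CloudFormation: allowed
        "cloudformation:CreateStack": is_allowed(policy, "cloudformation:CreateStack", stack_arn),
        "cloudformation:UpdateStack": is_allowed(policy, "cloudformation:UpdateStack", stack_arn),
        # Passing the designated service role: allowed
        "iam:PassRole (service role)": is_allowed(policy, "iam:PassRole", SERVICE_ROLE_ARN),
        # Passing any other role: denied, so users cannot borrow broader roles
        "iam:PassRole (other role)": is_allowed(policy, "iam:PassRole", other_role),
        # Creating resources directly (console/CLI): denied
        "ec2:RunInstances": is_allowed(policy, "ec2:RunInstances", "*"),
        "s3:CreateBucket": is_allowed(policy, "s3:CreateBucket", "arn:aws:s3:::some-bucket"),
        "iam:CreateUser": is_allowed(policy, "iam:CreateUser", "arn:aws:iam::123456789012:user/x"),
    }


if __name__ == "__main__":
    for request, verdict in evaluate_scenarios().items():
        print(f"{'ALLOW' if verdict else 'DENY ':5}  {request}")
```

The verdicts show the split the answer describes: group members can create, update and delete stacks and can pass exactly one role, while direct calls such as ec2:RunInstances are implicitly denied. Note that the effective blast radius is then set by the service role's own policy, which in the template is Action "*" on Resource "*", so anyone who can pass that role can create any resource a template can describe; scoping that policy down is where further least-privilege work would go.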
