How to create a CloudFormation only AWS policy

0 votes
I want to create a policy and role in AWS that will allow creating resources only through CloudFormation and not through console. What is the best possible way to achieve this?
Sep 26, 2018 in AWS by bug_seeker
• 14,980 points
89 views

1 answer to this question.

0 votes

The easiest way to achieve what you're looking to do would be to create a CloudFormation Service role, and grant your users the ability to pass this role to CloudFormation, and perform CloudFormation Creates, Updates, etc.

I've created a CloudFormation template with starting point roles and groups with policies that should do what you're looking for.

  • CloudFormationServiceRole: The actual role used by CloudFormation with permissions to perform actions in AWS
  • UsersGroup: The Group to add your users to. It has permission to perform actions in CloudFormation and pass the CloudFormationServiceRole, and nothing else.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFormationServiceRole:
    # This Role will actually do all of the heavy lifting and resource
    # creation on behalf of the users' stacks
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: CloudformationAccess
          PolicyDocument:
            # This policy defines what CloudFormation may do while running
            # the users' stacks. It starts wide open ("*" on "*") as a
            # starting point; scope it down to the services your stacks use.
            Version: 2012-10-17
            Statement:
              -
                Effect: Allow
                Action: "*"
                Resource: "*"
  UsersGroup:
    # The users will use the role, but do nothing themselves
    Type: AWS::IAM::Group
    Properties:
      Policies:
        -
          PolicyName: UsersCloudformationAccess
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              -
                Effect: Allow
                Action:
                  - cloudformation:*
                Resource: "*"
              -
                Effect: Allow
                Action:
                  - iam:GetRole
                  - iam:PassRole
                Resource: !GetAtt CloudFormationServiceRole.Arn
answered Sep 26, 2018 by Priyaj
• 56,140 points
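As an added defender-side check (not part of the original answer), the script below audits a UsersGroup-style policy document for the two properties this design depends on: only cloudformation:* plus iam:GetRole/iam:PassRole are allowed, and iam:PassRole is pinned to the single service role ARN rather than "*". The account id in the ARN and the Python-dict form of the policy are constructed placeholders standing in for the template's !GetAtt.

```python
"""Audit a users-group IAM policy against the 'CloudFormation only' design:
users may drive CloudFormation and pass exactly one service role, nothing else."""
import fnmatch

# Placeholder account id; in the template this ARN comes from !GetAtt.
SERVICE_ROLE_ARN = "arn:aws:iam::123456789012:role/CloudFormationServiceRole"

# The UsersGroup policy from the template above, as a Python dict (constructed).
USERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
         "Resource": SERVICE_ROLE_ARN},
    ],
}

# Actions a CloudFormation-only group is allowed to hold (glob patterns).
ALLOWED_PATTERNS = ("cloudformation:*", "iam:GetRole", "iam:PassRole")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_users_policy(policy, role_arn):
    """Return a list of findings; an empty list means the policy matches the design."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            # 'Allow everything except ...' is the opposite of a tight allow-list
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            # Any action outside CloudFormation + PassRole lets users bypass the stack path
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in ALLOWED_PATTERNS):
                findings.append(f"statement {i}: action {action!r} is outside the CloudFormation-only scope")
            # PassRole on '*' would let users hand CloudFormation any role in the account
            if action.lower() == "iam:passrole" and resources != [role_arn]:
                findings.append(f"statement {i}: iam:PassRole must be scoped to {role_arn}, got {resources}")
    return findings


if __name__ == "__main__":
    print(audit_users_policy(USERS_POLICY, SERVICE_ROLE_ARN) or "OK: policy matches the design")
```

A further hardening the template above does not include is a Condition of StringEquals iam:PassedToService: cloudformation.amazonaws.com on the PassRole statement, so the role can only be handed to CloudFormation and not to any other service.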
