How to create a CloudFormation only AWS policy

0 votes
I want to create a policy and role in AWS that will allow creating resources only through CloudFormation and not through console. What is the best possible way to achieve this?
Sep 26, 2018 in AWS by bug_seeker
• 15,350 points
180 views

1 answer to this question.

0 votes

The easiest way to achieve what you're looking to do would be to create a CloudFormation Service role, and grant your users the ability to pass this role to CloudFormation, and perform CloudFormation Creates, Updates, etc.

I've created a CloudFormation template with starting point roles and groups with policies that should do what you're looking for.

  • CloudFormationServiceRole: The actual role used by CloudFormation with permissions to perform actions in AWS
  • UsersGroup: The Group to add yours users to. It has permission to perform actions in CloudFormation and pass the CloudFormationServiceRole, and nothing else.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFormationServiceRole:
    # This Role will actually do all of the heavy lifting and resouce
    # creation
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: CloudformationAccess
          PolicyDocument:
            # This policy defines what the users can actually do
            # With Cloudformation
            Version: 2012-10-17
            Statement:
              - 
                Effect: Allow
                Action: "*"
                Resource: "*"
  UsersGroup:
    # The users will use the role, but do nothing themselves
    Type: AWS::IAM::Group
    Properties:
      Policies:
        -
          PolicyName: UsersCloudformationAccess
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - 
                Effect: Allow
                Action:
                  - cloudformation:*
                Resource: "*"
              -
                Effect: Allow
                Action:
                  - iam:GetRole
                  - iam:PassRole
                Resource: !GetAtt CloudFormationServiceRole.Arn
answered Sep 26, 2018 by Priyaj
• 56,920 points

Related Questions In AWS

0 votes
1 answer

How to set up a SPF(Sender Policy Framework) for AWS EC2 instance?

Setting up a SPF record is pretty ...READ MORE

answered Aug 16, 2018 in AWS by Archana
• 4,090 points
249 views
0 votes
2 answers

How to create a VPC in AWS?

There is another method i.e. creating an ...READ MORE

answered Feb 20 in AWS by Priyaj
• 56,920 points
66 views
0 votes
1 answer
0 votes
1 answer
0 votes
1 answer
0 votes
1 answer

How to create new stack using create-change-set in AWS Cloudformation

The type of change set operation. To ...READ MORE

answered Sep 18, 2018 in AWS by Priyaj
• 56,920 points
489 views