简体繁体 English

仅通过删除 CloudFormation 堆栈来允许删除 AWS 资源

[英]Allow AWS resources deletion only by delete CloudFormation stack

原文 2021-11-04 11:28:55 9 1 amazon-web-services/ amazon-cloudformation/ amazon-iam

Please help with this case:请帮忙解决这个案例：

There is a CF stack that creates some AWS resources (created by admin account).有一个 CF 堆栈可以创建一些 AWS 资源（由管理员帐户创建）。 There is a AWS user (power user) that allowed to delete CF stack.有一个 AWS 用户（高级用户）允许删除 CF 堆栈。

My goal:我的目标：

Allow the user to delete CF stack and all created resources via CF stack deletion.允许用户通过 CF 堆栈删除来删除 CF 堆栈和所有创建的资源。 Deny the user to delete (and modify) resources from the resource console.拒绝用户从资源控制台删除（和修改）资源。

The problem:问题：

If the user has permission cloudformation:DeleteStack only, he can only initiate deletion, as he have no permissions for resources deletion (for example, lambda:DeleteFunction) If he has these permissions he can delete resources from the resource console (for example, Lambda console), not only by CF stack deletion.如果用户只有 cloudformation:DeleteStack 权限，他只能发起删除，因为他没有资源删除权限（例如 lambda:DeleteFunction）如果他有这些权限，他可以从资源控制台删除资源（例如 Lambda控制台），而不仅仅是通过 CF 堆栈删除。

Any ideas?有任何想法吗？

1 个解决方案

CloudFormation can assume a role to do its work: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html CloudFormation 可以承担一个角色来完成它的工作： https : //docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

So create a role that has all permissions needed to deploy the stack, and make sure that it is only assumable by CloudFormation.因此，创建一个具有部署堆栈所需的所有权限的角色，并确保它只能由 CloudFormation 承担。 Then grant that user the permission to create and delete the stack, as well as list roles and whatever else is needed to do the create/delete (you'll have to experiment a bit, as some of the required permissions are non-obvious).然后授予该用户创建和删除堆栈的权限，以及列出角色和执行创建/删除所需的任何其他内容（您必须尝试一下，因为某些所需的权限并不明显） .