I want to create a policy and role in AWS that will allow creating resources only through CloudFormation and not through console. What is the best possible way to achieve this?
The easiest way to achieve what you're looking to do would be to create a CloudFormation Service role, and grant your users the ability to pass this role to CloudFormation, and perform CloudFormation Creates, Updates, etc.
I've created a CloudFormation template with starting point roles and groups with policies that should do what you're looking for.
CloudFormationServiceRole: The actual role used by CloudFormation, with permissions to perform actions in AWS.
UsersGroup: The Group to add your users to. It has permission to perform actions in CloudFormation and to pass the CloudFormationServiceRole, and nothing else.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  CloudFormationServiceRole:
    # This Role will actually do all of the heavy lifting and resource
    # creation
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: CloudformationAccess
          PolicyDocument:
            # This policy defines what the users can actually do
            # through CloudFormation, since the service role acts on their behalf
            Version: "2012-10-17"
            Statement:
              -
                Effect: Allow
                Action: "*"
                Resource: "*"
  UsersGroup:
    # The users will use the role, but do nothing themselves
    Type: AWS::IAM::Group
    Properties:
      Policies:
        -
          PolicyName: UsersCloudformationAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: Allow
                Action:
                  - cloudformation:*
                Resource: "*"
              -
                Effect: Allow
                Action:
                  - iam:GetRole
                  - iam:PassRole
                Resource: !GetAtt CloudFormationServiceRole.Arn
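An added example, not part of the answer above, showing how to check offline that a group policy really does confine its members to CloudFormation. It models the UsersGroup policy from the template as a constructed Python dict, alongside a hardened variant that adds a StringEquals condition on iam:PassedToService (an existing IAM condition key) so the role can only be passed to cloudformation.amazonaws.com. The account ID, region and second role ARN are assumed values, and the evaluator is a deliberately simplified IAM model (explicit Deny wins, any matching Allow grants, otherwise implicit deny; only StringEquals is modelled, NotAction/NotResource and resource-based policies are rejected), not a substitute for the IAM policy simulator. Two caveats a practitioner should keep in mind: because the service role carries Action "*", anyone who can pass it and create a stack can still create any resource, including IAM principals, by writing the right template, so this design gives you a change process and an audit trail rather than a smaller blast radius; and without the condition shown in the hardened policy, the same PassRole grant would also work for any other service the group is later allowed to call.

```python
"""Offline check that a group policy only permits deployment through CloudFormation.

Added example (not from the original answer). The policy documents below are
constructed copies of the UsersGroup policy from the template above plus a
hardened variant; the account ID, region and ARNs are assumed values.
"""
import fnmatch

ACCOUNT = "123456789012"  # assumed account ID
SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CloudFormationServiceRole"
OTHER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"  # assumed: another role in the account

# Constructed copy of the inline policy attached to UsersGroup in the template above.
USERS_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
         "Resource": SERVICE_ROLE_ARN},
    ],
}

# Hardened variant: the role may only be passed to CloudFormation itself, so a
# later grant of e.g. lambda:CreateFunction could not reuse the same PassRole.
HARDENED_USERS_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetRole"], "Resource": SERVICE_ROLE_ARN},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": SERVICE_ROLE_ARN,
         "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}}},
    ],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARN matching is case-sensitive, same wildcard rules.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(statement, context):
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            # A StringEquals on a key absent from the request context evaluates to false.
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM decision: Deny > Allow > implicit deny, identity policy only."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if "NotAction" in st or "NotResource" in st:
            raise NotImplementedError("NotAction/NotResource are not modelled")
        if not _action_matches(st.get("Action"), action):
            continue
        if not _resource_matches(st.get("Resource"), resource):
            continue
        if not _condition_holds(st, context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cloudformation_only_report(policy):
    """The questions a reviewer asks of a 'deploy only via CloudFormation' policy."""
    region = "us-east-1"  # assumed
    stack = f"arn:aws:cloudformation:{region}:{ACCOUNT}:stack/demo/*"
    instance = f"arn:aws:ec2:{region}:{ACCOUNT}:instance/*"
    to_cfn = {"iam:PassedToService": "cloudformation.amazonaws.com"}
    to_lambda = {"iam:PassedToService": "lambda.amazonaws.com"}
    return {
        "can_create_stack": is_allowed(policy, "cloudformation:CreateStack", stack),
        "can_pass_service_role_to_cfn": is_allowed(policy, "iam:PassRole", SERVICE_ROLE_ARN, to_cfn),
        "can_pass_other_role": is_allowed(policy, "iam:PassRole", OTHER_ROLE_ARN, to_cfn),
        "can_run_instances_directly": is_allowed(policy, "ec2:RunInstances", instance),
        "can_pass_service_role_elsewhere": is_allowed(policy, "iam:PassRole", SERVICE_ROLE_ARN, to_lambda),
    }


if __name__ == "__main__":
    for name, pol in (("original", USERS_GROUP_POLICY), ("hardened", HARDENED_USERS_GROUP_POLICY)):
        print(name, cloudformation_only_report(pol))
```

Running it shows the answer's policy passing every check except "can_pass_service_role_elsewhere", which the hardened variant closes; the direct ec2:RunInstances check is the one that confirms members cannot bypass CloudFormation from the console or CLI.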