Create a CloudFormation only AWS policy

I want to create a policy and role in AWS that will allow creating resources only through CloudFormation and not through console. What is the best possible way to achieve this?

The easiest way to achieve what you're looking to do would be to create a CloudFormation Service role, and grant your users the ability to pass this role to CloudFormation, and perform CloudFormation Creates, Updates, etc.

I've created a CloudFormation template with starting point roles and groups with policies that should do what you're looking for.

  • CloudFormationServiceRole: The actual role used by CloudFormation with permissions to perform actions in AWS
  • UsersGroup: The Group to add your users to. It has permission to perform actions in CloudFormation and pass the CloudFormationServiceRole, and nothing else.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFormationServiceRole:
    # This Role will actually do all of the heavy lifting and resource
    # creation
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: CloudformationAccess
          PolicyDocument:
            # This policy defines what the users can actually do
            # With Cloudformation
            Version: 2012-10-17
            Statement:
              - 
                Effect: Allow
                Action: "*"
                Resource: "*"
  UsersGroup:
    # The users will use the role, but do nothing themselves
    Type: AWS::IAM::Group
    Properties:
      Policies:
        -
          PolicyName: UsersCloudformationAccess
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - 
                Effect: Allow
                Action:
                  - cloudformation:*
                Resource: "*"
              -
                Effect: Allow
                Action:
                  - iam:GetRole
                  - iam:PassRole
                Resource: !GetAtt CloudFormationServiceRole.Arn
