
Allow AWS resources deletion only by delete CloudFormation stack

Please help with this case:

There is a CF stack that creates some AWS resources (created by an admin account). There is an AWS user (power user) that is allowed to delete the CF stack.

My goal:

Allow the user to delete the CF stack and all created resources via CF stack deletion. Deny the user to delete (and modify) resources from the resource console.

The problem:

If the user has the permission cloudformation:DeleteStack only, he can only initiate deletion, as he has no permissions for resource deletion (for example, lambda:DeleteFunction). If he has these permissions, he can delete resources from the resource console (for example, the Lambda console), not only by CF stack deletion.

Any ideas?

CloudFormation can assume a role to do its work: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

So create a role that has all permissions needed to deploy the stack, and make sure that it is only assumable by CloudFormation. Then grant that user the permission to create and delete the stack, as well as list roles and whatever else is needed to do the create/delete (you'll have to experiment a bit, as some of the required permissions are non-obvious).
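The setup described in the answer above, written out as an added CloudFormation template (this is illustration code, not the answer author's or AWS's own). It assumes the stack's resources are Lambda functions, that the admin deploys this template once, and that the resource names `CfnServiceRole` and `PowerUserStackPolicy` and the account id `111122223333` are placeholders. The service role trusts only `cloudformation.amazonaws.com`, so the user can never assume it directly; the user's managed policy grants the stack actions plus `iam:PassRole` restricted with `iam:PassedToService` to CloudFormation, and it also requires `cloudformation:RoleArn` on CreateStack/UpdateStack so the user cannot create a stack that would run under his own (resource-less) credentials instead.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: CloudFormation service role plus a power-user policy that
  allows stack deletion but no direct resource deletion. Names and the
  account id are placeholders.

Resources:
  # Role that CloudFormation assumes while creating/deleting the stack.
  # The trust policy names only the CloudFormation service principal,
  # so no IAM user can call sts:AssumeRole on it.
  CfnServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-lambda-stack-service-role        # placeholder name
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: manage-stack-resources
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Permissions the stack itself needs; scope them to the
              # resource types the template actually creates.
              - Effect: Allow
                Action:
                  - lambda:CreateFunction
                  - lambda:DeleteFunction
                  - lambda:UpdateFunctionCode
                  - lambda:UpdateFunctionConfiguration
                  - lambda:GetFunction
                  - lambda:TagResource
                Resource: "*"
              - Effect: Allow
                Action: iam:PassRole                 # pass the Lambda execution role
                Resource: "arn:aws:iam::111122223333:role/lambda-exec-*"
                Condition:
                  StringEquals:
                    iam:PassedToService: lambda.amazonaws.com

  # Policy attached to the power user: stack operations only, and the
  # right to hand the service role to CloudFormation, nothing else.
  PowerUserStackPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: power-user-stack-ops          # placeholder name
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: StackLifecycle
            Effect: Allow
            Action:
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
              - cloudformation:DescribeStackEvents
              - cloudformation:DescribeStackResources
              - cloudformation:ListStacks
            Resource: "arn:aws:cloudformation:*:111122223333:stack/*"
          - Sid: StackCreateOnlyWithServiceRole
            Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
            Resource: "arn:aws:cloudformation:*:111122223333:stack/*"
            Condition:
              StringEquals:
                # Refuse a create/update that would run under the caller's
                # own credentials instead of the service role.
                cloudformation:RoleArn: !GetAtt CfnServiceRole.Arn
          - Sid: PassServiceRoleToCloudFormationOnly
            Effect: Allow
            Action: iam:PassRole
            Resource: !GetAtt CfnServiceRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com
          - Sid: NoDirectResourceChanges
            # Belt and braces: even if another policy grants Lambda
            # access later, console-side deletion stays blocked.
            Effect: Deny
            Action:
              - lambda:DeleteFunction
              - lambda:UpdateFunctionCode
              - lambda:UpdateFunctionConfiguration
            Resource: "*"

Outputs:
  ServiceRoleArn:
    Value: !GetAtt CfnServiceRole.Arn
```

Two caveats worth checking when applying this: a stack only uses the service role if it was created or last updated with that role (`--role-arn` on the CLI, or the IAM role field in the console), and DeleteStack then reuses the stored role, so existing stacks created by the admin without a role must be updated once with the role before the power user can delete them. Also, the explicit `Deny` on the user's policy does not affect the deletion itself, because that runs under the service role's credentials, not the user's.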
