AWS CloudFormation and IAM Service Roles
CloudFormation allows the use of service roles, which are IAM roles created specifically for CloudFormation to manage stack resources on your behalf.
Key Points:
- Service Roles: IAM roles dedicated to CloudFormation to create, update, and delete stack resources.
- Least Privilege Principle: Users can manage stack resources without having direct permissions on the resources themselves.
- IAM PassRole Permission: Users must have this permission to allow CloudFormation to assume the service role.
Use Case:
- To allow users to manage stack resources without granting them full access to the actual resources.
How to Create and Use an IAM Service Role with CloudFormation:
- Create a Service Role:
- Navigate to IAM and go to the roles section.
- Create a new role for the AWS service CloudFormation.
- Assign appropriate permissions (e.g., S3 full access for S3 resources).
- Naming the Role:
- Example name:
DemoRole for CFN with S3 capabilities.
- This role allows CloudFormation to manage Amazon S3 resources.
- Using the Role in CloudFormation:
- When creating a stack in CloudFormation, select the option to specify an IAM role.
- Choose the created service role (e.g.,
DemoRole for CFN with S3 capabilities).
- The role will be used for all operations on the stack.
Example Scenario:
- If the stack is designed to create an EC2 instance but the service role only has S3 permissions, the stack creation will fail due to insufficient permissions.
Conclusion:
- IAM roles for CloudFormation enable fine-grained access control and adherence to the least privilege principle for stack resource management.
- Users should ensure that the service role has all the necessary permissions for the resources that the CloudFormation stack will manage.
Extras:
The purpose of AWS CloudFormation capabilities (CAPABILITY_IAM, CAPABILITY_NAMED_IAM, and CAPABILITY_AUTO_EXPAND) is to ensure that the creation and management of AWS resources are done securely and explicitly