AWS CloudFormation and IAM Service Roles
CloudFormation allows the use of service roles, which are IAM roles created specifically for CloudFormation to manage stack resources on your behalf.
Key Points:
- Service Roles: IAM roles dedicated to CloudFormation to create, update, and delete stack resources.
- Least Privilege Principle: Users can manage stack resources without holding direct permissions on those resources themselves; the permissions live on the service role, not on the user.
- IAM PassRole Permission: Users must hold iam:PassRole on the service role so that they can pass it to CloudFormation, which then assumes the role (via its trust policy) to operate on the stack.
Use Case:
- To allow users to manage stack resources without granting them full access to the actual resources.
How to Create and Use an IAM Service Role with CloudFormation:
- Create a Service Role:
- Navigate to IAM and go to the roles section.
- Create a new role for the AWS service CloudFormation.
- Assign appropriate permissions (e.g., S3 full access for S3 resources).
- Naming the Role:
- Example name: DemoRole for CFN with S3 capabilities.
- This role allows CloudFormation to manage Amazon S3 resources.
- Using the Role in CloudFormation:
- When creating a stack in CloudFormation, select the option to specify an IAM role.
- Choose the created service role (e.g., DemoRole for CFN with S3 capabilities).
- The role will be used for all operations on the stack.
Example Scenario:
- If the stack is designed to create an EC2 instance but the service role only has S3 permissions, the stack creation will fail due to insufficient permissions.
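As an added example (not part of the course notes), the following CloudFormation template builds the two pieces described above: a service role that only CloudFormation can assume and that is limited to S3, and a managed policy for operators that grants iam:PassRole on that role only when it is passed to CloudFormation. The role and policy names are assumed; the S3-only permissions reproduce the scenario above, so a stack that tries to create an EC2 instance with this role fails.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: S3-only CloudFormation service role plus the PassRole policy its users need (added example)

Resources:
  # The service role: CloudFormation itself is the only principal allowed to assume it.
  CfnS3ServiceRole:
    Type: AWS::IAM::Role
    Properties:
      # Assumed name. IAM role names cannot contain spaces, so the notes'
      # "DemoRole for CFN with S3 capabilities" is shortened here.
      RoleName: DemoRoleForCfnWithS3
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: S3StackResources
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # S3 only, as in the notes: a stack that creates EC2 resources
              # will fail with this role because it has no ec2:* permissions.
              - Effect: Allow
                Action: s3:*
                Resource: '*'

  # Policy for the operators: they can drive stacks through the role above,
  # but receive no S3 permissions of their own (least privilege).
  StackOperatorPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DemoStackOperator   # assumed name
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # PassRole is scoped to this one role and only when handed to CloudFormation.
          - Effect: Allow
            Action: iam:PassRole
            Resource: !GetAtt CfnS3ServiceRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com
          # Stack creation/update is allowed only when this service role is specified.
          - Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
            Resource: '*'
            Condition:
              StringEquals:
                cloudformation:RoleArn: !GetAtt CfnS3ServiceRole.Arn
```

Attach the managed policy to the operators' IAM group or user; they can then create stacks through the console or CLI by selecting this role, while any attempt to create a stack without the role, or to touch S3 directly, is denied.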
Conclusion:
- IAM roles for CloudFormation enable fine-grained access control and adherence to the least privilege principle for stack resource management.
- Users should ensure that the service role has all the necessary permissions for the resources that the CloudFormation stack will manage.