@seanedwards
Last active June 27, 2019 23:34
Granting Permissions Via Cloudformation

This guide describes how to grant IAM permissions in an AWS account so that they can only be exercised through CloudFormation.

  1. First, create a role called `cloudformation` which has permission to do everything an engineer might need to do.

  2. Give that role a trust policy which will allow only AWS CloudFormation to actually use it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
  3. Create a separate IAM policy, which will allow users to invoke CloudFormation, and pass in the role which grants elevated permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/cloudformation"
    }
  ]
}
```
  4. When engineers invoke CloudFormation, pass the `--role-arn` flag and specify the ARN of your `cloudformation` role. See the docs on `cloudformation:CreateStack` for details.
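The two controls that make this setup safe are the trust policy's single service principal and the `iam:PassRole` resource scoped to one role. As an added example (not part of the gist), here is a small Python check that reads both policy documents and flags the unsafe variants: a trust policy open to any AWS principal, or `iam:PassRole` allowed on a wildcard role. The policies are embedded as constructed copies of the two documents above.

```python
import json

# Constructed copies of the gist's two policy documents, used as sample input.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudformation.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/cloudformation"}]}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_principals(doc):
    """Return the set of principals allowed to call sts:AssumeRole on the role."""
    principals = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            principals.add("*")  # any AWS identity could assume the role
        elif isinstance(principal, dict):
            principals.update(_as_list(principal.get("Service", [])))
    return principals


def passrole_resources(doc):
    """Return the resources on which iam:PassRole is allowed (directly or via a wildcard action)."""
    resources = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a in ("iam:PassRole", "iam:*", "*") for a in _as_list(stmt.get("Action", []))):
            resources.extend(_as_list(stmt.get("Resource", [])))
    return resources


def check_policies(trust_doc, user_doc):
    """Return a list of findings; an empty list means both documents match the guide."""
    findings = []
    principals = trust_policy_principals(trust_doc)
    if principals != {"cloudformation.amazonaws.com"}:
        findings.append("trust policy allows %s, expected only cloudformation.amazonaws.com" % sorted(principals))
    for res in passrole_resources(user_doc):
        # The account field may be a wildcard (as in the guide); the role name must not be.
        if res == "*" or "*" in res.rsplit(":role/", 1)[-1]:
            findings.append("iam:PassRole allowed on %s; scope it to the cloudformation role" % res)
    return findings


if __name__ == "__main__":
    print(json.dumps(check_policies(TRUST_POLICY, USER_POLICY)))
```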