
Stack Policy to prevent accidental deletion by users

0

I want to create a stack policy that allows only few roles to make any changes to the resources created by the cloudformation stack. Not even the IAM users via console can update or modify or delete resources. Only by assuming few allowed roles, the stack resources can be modified. Can I use stack policy for this? Can you provide me with the right stack policy for this.

2 Answers
3

Hi,

This very detailed guidance will provide you with all the details (and code) to do what you want: https://docs.aws.amazon.com/prescriptive-guidance/latest/least-privilege-cloudformation/cloudformation-stack-policies.html

When you read it, you'll find this page with multiple sample policies to create the limits that you want: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html#stack-policy-samples

Best,

Didier

EXPERT
answered a year ago
EXPERT
reviewed a year ago
2

Yes, you can use a Stack Policy in AWS CloudFormation to control which roles are allowed to make changes to the resources created by the stack. A Stack Policy defines rules that determine what actions are allowed or denied when updating stack resources. This can help prevent accidental deletions or modifications by unauthorized users.

Below is a sample Stack Policy that allows only specific IAM roles to make changes to the stack's resources:

Example Stack Policy

```json
{
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "Update:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:role/AllowedRole1",
            "arn:aws:iam::123456789012:role/AllowedRole2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/AllowedRole1",
          "arn:aws:iam::123456789012:role/AllowedRole2"
        ]
      },
      "Action": "Update:*",
      "Resource": "*"
    }
  ]
}
```

Explanation:

**Deny Statement:** The first statement denies all Update actions on the stack's resources for all users (Principal: "*") except for those assuming the specified roles (AllowedRole1 and AllowedRole2). This ensures that no one else can modify the stack, even IAM users via the console or CLI.

**Allow Statement:** The second statement explicitly allows the Update actions only for the specified roles. This means that only the users assuming these roles can perform updates on the stack.

How to Use the Stack Policy:

When creating a new stack: You can apply the stack policy directly when creating the stack using the AWS Management Console, CLI, or CloudFormation template.

For an existing stack: You can update the stack policy using the AWS Management Console, AWS CLI, or API.

```
aws cloudformation set-stack-policy --stack-name your-stack-name --stack-policy-body file://stack-policy.json
```

Replace your-stack-name with the name of your stack, and ensure stack-policy.json contains the policy as shown above.

EXPERT
answered a year ago
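Editor's added example (not part of either answer above, and not AWS's code). CloudFormation's stack policy grammar only accepts `Principal: "*"`, the `Update:Modify`, `Update:Replace`, `Update:Delete` and `Update:*` actions, `LogicalResourceId/...` resources (or `*`, or `NotResource`), and a `Condition` on the `ResourceType` key; a principal-based condition such as `aws:PrincipalArn` is not evaluated by the stack policy engine. A stack policy therefore protects resources from an update regardless of who runs it, and deciding which roles may call `UpdateStack` or `SetStackPolicy` at all is done with IAM permissions on the `cloudformation:*` actions, which is the combination the least-privilege guidance linked in the first answer covers. The script below builds a stack policy that denies Replace and Delete on named resources, writes it to `stack-policy.json` for the `set-stack-policy` command shown in the second answer, and checks any document against the constraints above. The logical IDs and the principal-condition sample are constructed for illustration.

```python
"""Build and sanity-check a CloudFormation stack policy (added example)."""
import json

# Update actions a stack policy may name (CloudFormation User Guide).
ALLOWED_ACTIONS = {"Update:Modify", "Update:Replace", "Update:Delete", "Update:*"}
# The only condition key a stack policy evaluates.
ALLOWED_CONDITION_KEYS = {"ResourceType"}


def build_protect_policy(protected_logical_ids):
    """Deny Replace/Delete on the given logical resource IDs, allow every
    other update. Principal is always "*": stack policies cannot name roles."""
    return {
        "Statement": [
            {
                "Effect": "Deny",
                "Action": ["Update:Replace", "Update:Delete"],
                "Principal": "*",
                "Resource": [f"LogicalResourceId/{lid}" for lid in protected_logical_ids],
            },
            {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        ]
    }


def validate_stack_policy(policy):
    """Return a list of problems; an empty list means every construct used is
    one the stack policy grammar supports."""
    problems = []
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if st.get("Principal") != "*":
            problems.append(f'{where}: Principal must be "*"; stack policies cannot name principals')
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for a in actions:
            if a not in ALLOWED_ACTIONS:
                problems.append(f"{where}: unsupported Action {a!r}")
        if "Resource" not in st and "NotResource" not in st:
            problems.append(f"{where}: Resource or NotResource is required")
        resources = st.get("Resource", st.get("NotResource", []))
        if isinstance(resources, str):
            resources = [resources]
        for r in resources:
            if r != "*" and not r.startswith("LogicalResourceId/"):
                problems.append(f"{where}: Resource must be '*' or 'LogicalResourceId/<id>', got {r!r}")
        for operator, keys in st.get("Condition", {}).items():
            for key in keys:
                if key not in ALLOWED_CONDITION_KEYS:
                    problems.append(
                        f"{where}: condition key {key!r} under {operator} is not evaluated; "
                        f"only ResourceType is supported"
                    )
    return problems


def render_for_cli(policy):
    """JSON text suitable for --stack-policy-body file://stack-policy.json."""
    return json.dumps(policy, indent=2)


# Constructed sample mirroring a role-scoped pattern: the validator reports
# the aws:PrincipalArn condition and the non-"*" Principal as unsupported.
PRINCIPAL_CONDITION_SAMPLE = {
    "Statement": [
        {
            "Effect": "Deny", "Principal": "*", "Action": "Update:*", "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:PrincipalArn": [
                "arn:aws:iam::123456789012:role/AllowedRole1"]}},
        },
        {
            "Effect": "Allow", "Action": "Update:*", "Resource": "*",
            "Principal": {"AWS": ["arn:aws:iam::123456789012:role/AllowedRole1"]},
        },
    ]
}

if __name__ == "__main__":
    policy = build_protect_policy(["ProdDatabase", "ProdBucket"])  # constructed IDs
    assert validate_stack_policy(policy) == []
    with open("stack-policy.json", "w") as fh:
        fh.write(render_for_cli(policy))
    # Then: aws cloudformation set-stack-policy --stack-name your-stack-name \
    #           --stack-policy-body file://stack-policy.json
    for problem in validate_stack_policy(PRINCIPAL_CONDITION_SAMPLE):
        print("unsupported:", problem)
```

Pairing this with an IAM policy that grants `cloudformation:UpdateStack` and `cloudformation:SetStackPolicy` only to the roles that should change the stack gives the role restriction the question asks for; the stack policy alone protects the named resources from Replace and Delete during any update, including one run by an allowed role, until the policy is changed.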
