Apparently, using the aws:UserAgent condition context key is a better solution to the problem. Reference values for the userAgent can be taken from CloudTrail documentation.
You can apply read-only for resources, and one of CreateStack for the AWS CloudFormation service, in the same role. I understand that this mode is easier to manage. You will only have one role to manage.
One drawback I can think of would be using the Console to deploy CloudFormation if that is needed. You will need to create a CloudFormation role that the users could also assume in the CFN wizard. That is an easy fix. Other than that, I don't see any issues with this method. There are however many ways to accomplish this. Off the top of my head, this seems to be the absolute most restrictive.
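The two answers above describe policies without showing them. The following is an added example (not code from either answer or from AWS) that writes out both: a policy gated on the aws:UserAgent condition key, and a single role carrying read-only permissions plus cloudformation:CreateStack together with the iam:PassRole grant needed to hand a service role to CloudFormation. A small evaluator then shows which requests each policy admits. Assumptions: the account id 123456789012 is the usual AWS documentation placeholder, the role name CfnDeployRole and the action lists are illustrative, and the aws:UserAgent pattern and sample values are constructed; take real values from your own CloudTrail events. One caveat a practitioner should keep in mind: aws:UserAgent is copied from a header the caller controls, so AWS itself documents it as unreliable for access control; treat that policy as a guardrail rather than a security boundary (aws:CalledVia is the service-asserted key for calls CloudFormation makes on your behalf). The evaluator models only the IAM subset these policies use (Allow/Deny, Action and Resource wildcards, StringEquals/StringLike on single-valued keys) and is not a substitute for the IAM policy simulator.

```python
"""Constructed IAM policy documents for the two approaches in the thread, with a
minimal evaluator so the effect of each can be checked offline."""
import fnmatch

ACCOUNT = "123456789012"                                  # AWS docs placeholder (assumption)
CFN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/CfnDeployRole"   # hypothetical service role

# Approach 1: resource actions are allowed only when the request's aws:UserAgent
# looks like CloudFormation. The pattern is illustrative; aws:UserAgent is caller
# supplied, so this is a guardrail, not a boundary.
USERAGENT_GATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ResourceActionsOnlyViaCloudFormationUserAgent",
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:*"],                     # actions the stack needs (assumption)
        "Resource": "*",
        "Condition": {"StringLike": {"aws:UserAgent": ["*cloudformation*"]}},
    }],
}

# Approach 2: one role with read-only access, CreateStack, and permission to pass
# the CloudFormation service role (also usable from the Console wizard).
COMBINED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:Get*", "s3:List*",
                    "cloudformation:Describe*", "cloudformation:List*", "cloudformation:Get*"]},
        {"Sid": "CreateStackOnly", "Effect": "Allow", "Action": "cloudformation:CreateStack",
         "Resource": f"arn:aws:cloudformation:us-east-1:{ACCOUNT}:stack/*"},
        {"Sid": "PassServiceRoleToCloudFormation", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": CFN_ROLE,
         "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}}},
    ],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _any_match(patterns, value, case_insensitive=False):
    """IAM-style wildcard match; actions are case-insensitive, ARNs and strings are not."""
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if case_insensitive else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:                 # missing key fails String* operators
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(wanted)
            elif operator == "StringLike":
                ok = _any_match(wanted, actual)
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny; an applicable Deny wins; otherwise any applicable Allow permits."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not _any_match(st["Action"], action, case_insensitive=True):
            continue
        if not _any_match(st["Resource"], resource):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    stack = f"arn:aws:cloudformation:us-east-1:{ACCOUNT}:stack/demo/0123abcd"
    cfn_ua = {"aws:UserAgent": "cloudformation.amazonaws.com"}   # constructed sample value
    cli_ua = {"aws:UserAgent": "aws-cli/2.15.0 Python/3.11.6"}   # constructed sample value
    for label, result in [
        ("ec2:RunInstances with CloudFormation user agent", is_allowed(USERAGENT_GATED_POLICY, "ec2:RunInstances", "*", cfn_ua)),
        ("ec2:RunInstances from the CLI", is_allowed(USERAGENT_GATED_POLICY, "ec2:RunInstances", "*", cli_ua)),
        ("cloudformation:CreateStack", is_allowed(COMBINED_ROLE_POLICY, "cloudformation:CreateStack", stack)),
        ("cloudformation:DeleteStack", is_allowed(COMBINED_ROLE_POLICY, "cloudformation:DeleteStack", stack)),
        ("iam:PassRole to CloudFormation", is_allowed(COMBINED_ROLE_POLICY, "iam:PassRole", CFN_ROLE,
                                                     {"iam:PassedToService": "cloudformation.amazonaws.com"})),
    ]:
        print(f"{label}: {'ALLOW' if result else 'DENY'}")
```

Anything a user-agent string can be set to will satisfy the first policy, which is why the second policy, whose CreateStack and PassRole grants are enforced by IAM on values the caller cannot forge, is the more defensible of the two.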