By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Are CloudFormation stack-based permission boundaries possible?

0

Is it possible to create an IAM service role for CloudFormation that is allowed to basically do anything, but only for resources within the stack that's currently being updated?

I know I can use aws:CalledViaFirst: cloudformation.amazonaws.com to limit a role to only operating through CFN, but that still grants allowed actions to all stacks.

I'm trying to have a single, multi-purpose IAM role that has */* permissions, but only in regards to a single stack at a time. So for example, if the role is used to execute a changeset for the FooApp stack, it could do anything it wants against resources within that stack, or create any new resources. But while being used as the service role for that stack, it would be denied permission for any existing resource not managed by that stack.

The same role could also be a service role for the BarApp stack, but again it would only be allowed to create new resources or updated existing resources in the BarApp stack.

I think maybe there's a way to do it with request tags or resource tags, but I haven't been able to come up with a reliable implementation of that yet.

Maybe there's some other nonobvious condition key that be useful?

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Identity and Access ManagementAWS CloudFormationIAM Policies
Language
English
profile picture
Farski
asked a year ago392 views
1 Answer
0

Did you try something like this:

        {
          "Version": "2012-10-17",
         "Statement": [
          {
           "Effect": "Allow",
           "Action": "cloudformation:*",
          "Resource": "*",
          "Condition": {
          "StringEquals": {
                  "aws:RequestTag/StackName": "${aws:StackName}"
                       }
                    }
                }
           ]
        }

Also refer this AWS CloudFormation service role, if it helps.

Comment here if you have additional questions, happy to assist.

Abhishek

profile pictureAWS
EXPERT
secondabhi_aws
answered a year ago
profile picture
EXPERT
Adeleke Adebowale Julius
reviewed a year ago
  • Farski
    a year ago

    Sorry, I'm a bit confused. Is aws:StackName a policy variable? I'm not seeing that documented anywhere, and it doesn't seem to match any global or CloudFormation-specific single-valued condition keys.

  • secondabhi_aws EXPERT
    a year ago

    aws:StackName is pseudo parameter, which you can use in condition. Refer https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html. Let me know if you have additional questions.

  • Farski
    a year ago

    @secondabhi_aws I don't this pseudo parameters will do what I'm looking for. I'm looking to create a service role to pass to CreateStack/UpdateStack, which needs to be able to do things like manage EC2 instance or SNS topics. A policy like the one in the example only deal with operations on the stack itself. It would also be unusual to create a service role for a stack within the stack itself, since that introduces a bit of a circular dependency.

    I could be misunderstanding the intended implementation of this solution, though.

  • secondabhi_aws EXPERT
    a year ago

    You are absolutely correct, all I am trying to indicate is, you could possibly use this pseudo parameter in your policy condition/boundary, wherever is required.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content