
Restriction on CloudFormation StackSet with IAM condition cloudformation:TemplateUrl


I'm trying to restrict the S3 bucket used for StackSet templates with the IAM condition cloudformation:TemplateUrl, but it does not work as expected: the IAM policy applied always denies the CreateStackSet. See the tested policy below.

The doc page explains that you can use the condition as usual, but there is a Note that is not clear to me:

[screenshot of the Note from the documentation page]

For allowed CreateStackSet calls, the CloudTrail event includes the TemplateUrl in the context, so I don't understand why the condition does not work with StackSets. Thanks for your help!

{
    "eventVersion": "1.08",
[...]
    "eventTime": "2022-08-09T15:42:50Z",
    "eventSource": "cloudformation.amazonaws.com",
    "eventName": "CreateStackSet",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "stackSetName": "test-deny1",
        "templateURL": "https://s3.amazonaws.com/trusted-bucket/EnableAWSCloudtrail.yml",
        "description": "Enable AWS CloudTrail. This template creates a CloudTrail trail, an Amazon S3 bucket where logs are published, and an Amazon SNS topic where notifications are sent.",
        "clientRequestToken": "1bd60a6d-f9dc-76a9-020a-f5a45f1bdf1e",
        "capabilities": [
            "CAPABILITY_IAM"
        ]
    },
    "responseElements": {
        "stackSetId": "test-deny1:97054f39-3925-47eb-92fd-09779f32bcf6"
    },
[...]
}

For reference, my IAM policy statement:

{
    "Sid": "TemplateFromTrustedBucket",
    "Effect": "Allow",
    "Action": [
        "cloudformation:CreateStackSet",
        "cloudformation:UpdateStackSet"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "cloudformation:TemplateURL": "https://s3.amazonaws.com/trusted-bucket/*"
        }
    }
}
  • Not sure that it matters, but can you remove the array [ ] brackets in the StringLike statement? "Condition": {"StringLike": {"cloudformation:TemplateURL": "https://s3.amazonaws.com/trusted-bucket/*"}}

  • Good spot, Kentrad. I just tried, but it's not successful. I also tested on Stack creation and the condition works as expected. I'm convinced that the condition is not compatible with the 'recent' StackSet feature. (Policy updated in my initial post.)

  • I think you are correct: even though TemplateUrl is listed as a valid condition for CreateStackSet, it looks like it is actually not supported there. I ran this policy in the Policy Simulator and that interface did not allow me to set the TemplateUrl for CreateStackSet, but did allow me to set it for UpdateStackSet. Please open a support ticket for this issue.

  • Should this question be closed then?

  • Thanks for your test, Kentrad. I already submitted feedback on the doc, but I will share this issue with our Solution Architect.
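Editor's note, added example (not code from the question, the commenters, AWS or re:Post): while the preventive control is in doubt, the CloudTrail record quoted above still carries `requestParameters.templateURL`, so the source bucket of every CreateStackSet/UpdateStackSet call can be checked after the fact. The script below does that over constructed records shaped like the one in the question. Two details worth seeing in code: the question's `StringLike` pattern `https://s3.amazonaws.com/trusted-bucket/*` only matches path-style URLs, so the same bucket referenced in virtual-hosted style (`https://trusted-bucket.s3.us-east-1.amazonaws.com/...`) would not match it, and a URL with userinfo such as `https://s3.amazonaws.com@evil.example/...` looks like S3 to a naive prefix check but is not. The trusted bucket name, the sample events and the verdict labels are assumptions made for illustration.

```python
"""Detective check of StackSet template sources from CloudTrail records.

Added example for this thread, not code from the question, AWS or re:Post.
Assumes the record shape shown in the question (eventSource, eventName,
requestParameters.templateURL). TRUSTED_BUCKETS and SAMPLE_EVENTS are
constructed for illustration.
"""
import re
from urllib.parse import urlparse

TRUSTED_BUCKETS = {"trusted-bucket"}  # assumption: the bucket from the question
STACKSET_ACTIONS = {"CreateStackSet", "UpdateStackSet"}

# Matches path-style hosts (s3.amazonaws.com, s3.us-east-1.amazonaws.com,
# s3.dualstack.us-east-1.amazonaws.com) and virtual-hosted hosts
# (<bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com).
_S3_HOST = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.\-]*[a-z0-9])\.)?"
    r"s3(?:[.-][a-z0-9\-]+)*\.amazonaws\.com$"
)


def parse_s3_url(url):
    """Return (bucket, key) for an https S3 URL in either style, else None."""
    u = urlparse(url)
    if u.scheme != "https":
        return None
    # hostname strips userinfo and port, so "s3.amazonaws.com@evil.example"
    # resolves to evil.example and is rejected below.
    m = _S3_HOST.match(u.hostname or "")
    if not m:
        return None
    path = u.path.lstrip("/")
    if m.group("bucket"):
        return m.group("bucket"), path
    bucket, _, key = path.partition("/")
    return (bucket, key) if bucket else None


def classify_event(event, trusted=TRUSTED_BUCKETS):
    """Classify one CloudTrail record.

    Returns None for records that are not StackSet create/update calls, else
    (stackSetName, templateURL, verdict) with verdict one of 'trusted',
    'untrusted', 'inline' (TemplateBody was used, no URL) or 'unparseable'.
    """
    if event.get("eventSource") != "cloudformation.amazonaws.com":
        return None
    if event.get("eventName") not in STACKSET_ACTIONS:
        return None
    params = event.get("requestParameters") or {}
    name = params.get("stackSetName")
    url = params.get("templateURL")
    if not url:
        return name, None, "inline"
    parsed = parse_s3_url(url)
    if parsed is None:
        return name, url, "unparseable"
    bucket, _key = parsed
    return name, url, "trusted" if bucket in trusted else "untrusted"


def audit(events, trusted=TRUSTED_BUCKETS):
    """Return every StackSet call whose template did not come from a trusted bucket."""
    findings = []
    for ev in events:
        result = classify_event(ev, trusted)
        if result is not None and result[2] != "trusted":
            findings.append(result)
    return findings


def _ev(name, url, action="CreateStackSet", source="cloudformation.amazonaws.com"):
    """Build a minimal constructed CloudTrail-like record."""
    params = {"stackSetName": name}
    if url is not None:
        params["templateURL"] = url
    return {"eventSource": source, "eventName": action, "requestParameters": params}


SAMPLE_EVENTS = [  # constructed records, not real CloudTrail output
    _ev("test-deny1", "https://s3.amazonaws.com/trusted-bucket/EnableAWSCloudtrail.yml"),
    _ev("vhost-ok", "https://trusted-bucket.s3.us-east-1.amazonaws.com/EnableAWSCloudtrail.yml",
        action="UpdateStackSet"),
    _ev("rogue", "https://s3.amazonaws.com/attacker-bucket/backdoor.yml"),
    _ev("inline", None),
    _ev("spoofed-host", "https://s3.amazonaws.com@evil.example/trusted-bucket/x.yml"),
    _ev("plain-stack", "https://s3.amazonaws.com/attacker-bucket/x.yml", action="CreateStack"),
]

if __name__ == "__main__":
    for name, url, verdict in audit(SAMPLE_EVENTS):
        print(f"{verdict:12} {name:14} {url}")
```

Run against the constructed records, `audit` flags `rogue` (untrusted bucket), `inline` (no URL to vet) and `spoofed-host` (not an S3 host at all), and accepts both URL styles for the trusted bucket; the plain CreateStack call is ignored because the thread is about StackSet operations only. The same function can be pointed at records pulled from a trail's S3 log files or an EventBridge rule on `cloudformation.amazonaws.com` events.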