AWS::VerifiedPermissions::PolicyTemplate - Amazon CloudFormation


Creates a policy template. A template can use placeholders for the principal and resource. A template must be instantiated into a policy by associating it with specific principals and resources to use for the placeholders. That instantiated policy can then be considered in authorization decisions. The instantiated policy works identically to any other policy, except that it is dynamically linked to the template. If the template changes, then any policies that are linked to that template are immediately updated as well.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::VerifiedPermissions::PolicyTemplate",
  "Properties" : {
      "Description" : String,
      "PolicyStoreId" : String,
      "Statement" : String
    }
}


YAML

Type: AWS::VerifiedPermissions::PolicyTemplate
Properties:
  Description: String
  PolicyStoreId: String
  Statement: String



Description

The description to attach to the new or updated policy template.

Required: No

Type: String

Minimum: 0

Maximum: 150

Update requires: No interruption


PolicyStoreId

The unique identifier of the policy store that contains the template.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9-]*$

Minimum: 1

Maximum: 200

Update requires: Replacement


Statement

Specifies the content that you want to use for the new policy template, written in the Cedar policy language.

Required: Yes

Type: String

Minimum: 1

Maximum: 10000

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the unique ID of the policy store, followed by '|' and the unique ID of the new or updated policy template. For example:

{ "Ref": "POLICYSTOREabcde111111|POLICYTEMPLATEab111111" }

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


PolicyTemplateId

The unique identifier of the new or modified policy template.


Creating a policy template

The following example creates a policy template with the specified statement.


JSON

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Amazon CloudFormation sample template for creating a policy template for Verified Permissions.",
    "Parameters": {
        "PolicyStoreId": {
            "Type": "String"
        },
        "Description": {
            "Type": "String"
        },
        "Statement": {
            "Type": "String"
        }
    },
    "Resources": {
        "PolicyTemplate": {
            "Type": "AWS::VerifiedPermissions::PolicyTemplate",
            "Properties": {
                "PolicyStoreId": {
                    "Ref": "PolicyStoreId"
                },
                "Description": {
                    "Ref": "Description"
                },
                "Statement": {
                    "Ref": "Statement"
                }
            }
        }
    },
    "Outputs": {
        "PolicyTemplateId": {
            "Value": {
                "Fn::GetAtt": [
                    "PolicyTemplate",
                    "PolicyTemplateId"
                ]
            }
        }
    }
}


YAML

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Amazon CloudFormation sample template for creating a policy template for
  Verified Permissions.
Parameters:
  PolicyStoreId:
    Type: String
  Description:
    Type: String
  Statement:
    Type: String
Resources:
  PolicyTemplate:
    Type: AWS::VerifiedPermissions::PolicyTemplate
    Properties:
      PolicyStoreId: !Ref PolicyStoreId
      Description: !Ref Description
      Statement: !Ref Statement
Outputs:
  PolicyTemplateId:
    Value: !GetAtt PolicyTemplate.PolicyTemplateId
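As an added example (not part of the AWS documentation), the following Python code lints a parsed template against the length and pattern constraints listed in the property reference above and splits the Ref return value into its two IDs. The function names and the sample template, including its Cedar statement and IDs, are constructed for illustration; property values given as intrinsic functions, such as the Ref parameters in the example above, are skipped because they resolve only at deployment.

```python
import re

# Constraints copied from the property reference on this page.
RESOURCE_TYPE = "AWS::VerifiedPermissions::PolicyTemplate"
LIMITS = {"Description": (0, 150), "PolicyStoreId": (1, 200), "Statement": (1, 10000)}
STORE_ID_RE = re.compile(r"^[a-zA-Z0-9-]*$")


def check_policy_templates(template: dict) -> list[str]:
    """Return findings for every PolicyTemplate resource in a parsed template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != RESOURCE_TYPE:
            continue
        props = res.get("Properties", {})
        for key in ("PolicyStoreId", "Statement"):  # the two required properties
            if key not in props:
                findings.append(f"{name}: missing required property {key}")
        for key, (lo, hi) in LIMITS.items():
            value = props.get(key)
            if not isinstance(value, str):
                continue  # absent, or an intrinsic such as {"Ref": ...}
            if not lo <= len(value) <= hi:
                findings.append(f"{name}: {key} length {len(value)} outside {lo}-{hi}")
        store_id = props.get("PolicyStoreId")
        if isinstance(store_id, str) and not STORE_ID_RE.fullmatch(store_id):
            findings.append(f"{name}: PolicyStoreId does not match {STORE_ID_RE.pattern}")
    return findings


def split_ref(ref_value: str) -> tuple[str, str]:
    """Split the Ref return value into (policy store ID, policy template ID)."""
    store_id, sep, template_id = ref_value.partition("|")
    if not sep or not store_id or not template_id:
        raise ValueError("expected '<policyStoreId>|<policyTemplateId>'")
    return store_id, template_id


# Constructed sample: the Cedar statement and the IDs are illustrative only.
SAMPLE = {"Resources": {
    "GoodTemplate": {"Type": RESOURCE_TYPE, "Properties": {
        "PolicyStoreId": "POLICYSTOREabcde111111",
        "Statement": "permit(principal == ?principal, action, resource in ?resource);"}},
    "BadTemplate": {"Type": RESOURCE_TYPE, "Properties": {
        "PolicyStoreId": "store_id with spaces",
        "Description": "x" * 151}},
}}

if __name__ == "__main__":
    print(check_policy_templates(SAMPLE), split_ref("POLICYSTOREabcde111111|POLICYTEMPLATEab111111"))
```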