
Security best practices for Amazon CloudFormation

Amazon CloudFormation provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

Use IAM to control access

IAM is the Amazon service you use to manage users and their permissions in your Amazon account. With IAM you control which Amazon CloudFormation actions a user can perform, such as viewing stack templates, creating stacks, or deleting stacks. Stack operations involve a second layer of permissions: anyone managing Amazon CloudFormation stacks also needs permissions for the resources within those stacks, because Amazon CloudFormation calls the other services on their behalf. For example, if users want to use Amazon CloudFormation to launch, update, or terminate Amazon EC2 instances, they must have permission to call the relevant Amazon EC2 actions.

In most cases, users require full access to manage all of the resources in a template, because Amazon CloudFormation makes the calls to create, modify, and delete those resources with the credentials of the user who runs the stack operation. To separate the permissions of the user from those of the Amazon CloudFormation service, use a service role: an IAM role whose trust policy allows the cloudformation.amazonaws.com service principal to assume it. Amazon CloudFormation then uses the service role's policy to make calls instead of the user's policy, and the user needs only the Amazon CloudFormation actions plus permission to pass that role (iam:PassRole). Keep in mind that anyone allowed to update or delete a stack that has a service role associated with it can exercise the role's permissions through the stack, so scope iam:PassRole to the intended role and restrict which role may be used with the cloudformation:RoleArn condition key. For more information, see Amazon CloudFormation service role.
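The following is an added example, not code from the Amazon CloudFormation documentation. It builds the two policy documents this separation needs: the trust policy of the service role, and an identity policy for the operator that grants CloudFormation actions on a named set of stacks only when the intended service role is used, and iam:PassRole only for that role and only to CloudFormation. The account ID, Region, partition, role name and stack prefix are assumed placeholders. A small review check at the end flags the common mistake of an unscoped iam:PassRole.

```python
"""IAM policy documents that separate a stack operator's permissions from
the service role CloudFormation uses. Added example; not code from the
CloudFormation documentation. Account ID, Region, partition and names
are assumed placeholders."""
import json

ACCOUNT_ID = "123456789012"        # assumed
PARTITION = "aws-cn"               # assumed; use "aws" outside the China Regions
REGION = "cn-north-1"              # assumed
SERVICE_ROLE_NAME = "cfn-deploy-role"   # assumed
STACK_PREFIX = "app-"              # operator may only mutate stacks named app-*
CFN_PRINCIPAL = "cloudformation.amazonaws.com"


def service_role_trust_policy() -> dict:
    """Trust policy for the service role: only the CloudFormation service
    principal may assume it. The resource permissions (EC2, RDS, ...) go in
    a separate permissions policy attached to this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": CFN_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def operator_policy() -> dict:
    """Identity policy for the human or CI principal that runs stack
    operations: read any stack, mutate only app-* stacks and only with the
    deploy role, pass only the deploy role and only to CloudFormation.
    It carries no direct EC2/RDS/... permissions."""
    role_arn = f"arn:{PARTITION}:iam::{ACCOUNT_ID}:role/{SERVICE_ROLE_NAME}"
    stack_arn = (f"arn:{PARTITION}:cloudformation:{REGION}:{ACCOUNT_ID}"
                 f":stack/{STACK_PREFIX}*/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadAnyStack",
                "Effect": "Allow",
                "Action": ["cloudformation:Describe*", "cloudformation:List*",
                           "cloudformation:GetTemplate",
                           "cloudformation:ValidateTemplate"],
                "Resource": "*",
            },
            {
                "Sid": "MutateAppStacksWithDeployRoleOnly",
                "Effect": "Allow",
                "Action": ["cloudformation:CreateStack",
                           "cloudformation:UpdateStack",
                           "cloudformation:DeleteStack",
                           "cloudformation:CreateChangeSet"],
                "Resource": stack_arn,
                # Each of these calls must name the deploy role (--role-arn);
                # a call that passes no role, or another role, is denied.
                "Condition": {"StringEquals": {"cloudformation:RoleArn": role_arn}},
            },
            {
                # ExecuteChangeSet carries no RoleARN of its own; the change
                # set was already created under the condition above.
                "Sid": "ExecuteAppChangeSets",
                "Effect": "Allow",
                "Action": "cloudformation:ExecuteChangeSet",
                "Resource": stack_arn,
            },
            {
                "Sid": "PassDeployRoleToCloudFormationOnly",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": CFN_PRINCIPAL}},
            },
        ],
    }


def unscoped_passrole(policy: dict) -> list:
    """Review check: return statements that allow iam:PassRole on any role
    or without an iam:PassedToService condition. A wildcard PassRole lets
    the holder hand any role, administrative ones included, to a service."""
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("iam:passrole", "iam:*", "*") for a in actions):
            continue
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "*" in resources or "iam:PassedToService" not in cond:
            hits.append(st.get("Sid", f"Statement[{i}]"))
    return hits


if __name__ == "__main__":
    print(json.dumps(service_role_trust_policy(), indent=2))
    print(json.dumps(operator_policy(), indent=2))
    print("unscoped PassRole statements:", unscoped_passrole(operator_policy()))
```

With this policy in place the operator runs, for example, `aws cloudformation create-stack --stack-name app-prod --role-arn arn:aws-cn:iam::123456789012:role/cfn-deploy-role ...`; the same call without `--role-arn`, or with a different role, is denied by the `cloudformation:RoleArn` condition, and the operator has no permission to create the EC2 or RDS resources directly.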

Do not embed credentials in your templates

Rather than embedding sensitive information such as passwords, tokens, or access keys in your Amazon CloudFormation templates (including in parameter default values), we recommend you use dynamic references in your stack template.

Dynamic references provide a compact, powerful way for you to reference external values that are stored and managed in other services, such as the Amazon Systems Manager Parameter Store or Amazon Secrets Manager. When you use a dynamic reference, CloudFormation retrieves the value of the specified reference when necessary during stack and change set operations, and passes the value to the appropriate resource. However, CloudFormation never stores the actual reference value. For more information, see Using Dynamic References to Specify Template Values.

Amazon Secrets Manager helps you to securely encrypt, store, and retrieve credentials for your databases and other services. The Amazon Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management.

For more information on defining template parameters, see Parameters.
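The following is an added example, not code from the Amazon CloudFormation documentation. It shows a template that obtains its database credentials through `{{resolve:secretsmanager:...}}` and a non-secret setting through `{{resolve:ssm:...}}`, beside a pre-deploy check that walks a template and flags credential-like values written into it as literals, as well as sensitive parameters that carry a Default (stored with the template) or lack NoEcho (returned in clear by describe-stacks). The secret names, parameter names and both templates are constructed placeholders.

```python
"""Template values resolved through dynamic references, plus a pre-deploy
check for credentials embedded in a template. Added example, not from the
CloudFormation documentation; secret and parameter names are placeholders."""
import re

# The three dynamic reference forms CloudFormation resolves at deploy time:
#   {{resolve:ssm:name:version}}            plaintext SSM parameter
#   {{resolve:ssm-secure:name:version}}     SecureString SSM parameter
#   {{resolve:secretsmanager:id:SecretString:json-key:version-stage:version-id}}
DYNAMIC_REF = re.compile(r"^\{\{resolve:(ssm|ssm-secure|secretsmanager):[^{}]+\}\}$")
SENSITIVE_NAME = re.compile(r"password|passwd|secret|token|apikey|api_key|accesskey", re.I)

# Constructed template: RDS credentials come from an assumed Secrets Manager
# secret named prod/db/creds; a non-secret setting comes from an SSM parameter.
GOOD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        # Supplied at deploy time, masked in describe-stacks, never given a Default.
        "ApiToken": {"Type": "String", "NoEcho": True},
    },
    "Resources": {
        "Database": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "Engine": "postgres",
                "DBInstanceClass": "db.t3.micro",
                "AllocatedStorage": "20",
                "MasterUsername": "{{resolve:secretsmanager:prod/db/creds:SecretString:username}}",
                "MasterUserPassword": "{{resolve:secretsmanager:prod/db/creds:SecretString:password}}",
            },
        },
        "AppFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Handler": "index.handler",
                "Runtime": "python3.12",
                "Role": {"Fn::GetAtt": ["AppFunctionRole", "Arn"]},
                "Code": {"ZipFile": "def handler(event, context): return 'ok'"},
                "Environment": {"Variables": {
                    "LOG_LEVEL": "{{resolve:ssm:/app/prod/log-level:1}}",
                    "API_TOKEN": {"Ref": "ApiToken"},
                }},
            },
        },
    },
}

# Constructed counter-example: the password is a literal in the template and
# the sensitive parameter has both a Default and no NoEcho.
BAD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "DbPassword": {"Type": "String", "Default": "changeme"},
    },
    "Resources": {
        "Database": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "Engine": "postgres",
                "MasterUsername": "admin",
                "MasterUserPassword": "hunter2",
            },
        },
    },
}


def find_embedded_credentials(template: dict) -> list:
    """Return findings for credential-like values written into the template
    instead of being resolved at deploy time."""
    findings = []
    for name, spec in template.get("Parameters", {}).items():
        if not SENSITIVE_NAME.search(name):
            continue
        if "Default" in spec:
            findings.append(f"Parameters.{name}: Default value is stored with the template")
        if str(spec.get("NoEcho", "")).lower() != "true":
            findings.append(f"Parameters.{name}: missing NoEcho, value is returned by describe-stacks")
    _walk(template.get("Resources", {}), "Resources", findings)
    return findings


def _walk(node, path, findings):
    """Flag string values under credential-like keys unless they are dynamic
    references; intrinsic functions (dict values such as Ref) pass through."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and SENSITIVE_NAME.search(key):
                if not DYNAMIC_REF.match(value):
                    findings.append(f"{child}: literal credential, use a dynamic reference")
            else:
                _walk(value, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


if __name__ == "__main__":
    print("good:", find_embedded_credentials(GOOD_TEMPLATE))
    print("bad: ", *find_embedded_credentials(BAD_TEMPLATE), sep="\n  ")
```

Run the check on the parsed template (JSON, or YAML loaded with a CloudFormation-aware loader) before `create-stack`; a literal `SecretString` on an `AWS::SecretsManager::Secret` resource is flagged as well, which is intended, since that secret would then live in the template and in version control rather than only in Secrets Manager.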

Use Amazon CloudTrail to log Amazon CloudFormation calls

Amazon CloudTrail records every Amazon CloudFormation API call made in your Amazon account, whether it comes from the Amazon CloudFormation API, the Amazon CloudFormation console, a back-end console, or Amazon CloudFormation commands in the Amazon CLI. Each record includes the identity that made the call, the time, the source IP address, the action (such as CreateStack or DeleteStack), whether the call was denied, and request parameters such as the stack name and the service role ARN. Create a trail and specify an Amazon S3 bucket to store the logs, so that if you ever need to, you can audit who made what Amazon CloudFormation call in your account. For more information, see Logging Amazon CloudFormation API calls with Amazon CloudTrail.
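The following is an added example, not code from the Amazon CloudFormation documentation. It runs the audit described above over a constructed CloudTrail log body: it keeps only CloudFormation stack-mutating events, reports who changed which stack from where, and flags calls that were denied, calls that passed no service role, and calls that passed a role other than the one expected. The account ID, user names, role ARNs and timestamps in the sample records are placeholders, and the record shape mimics the CloudTrail record format.

```python
"""Audit CloudFormation API calls from CloudTrail records. Added example,
not code from the CloudFormation documentation. The log body below is
constructed to mimic CloudTrail records; account, users and roles are
placeholders."""
import json
from collections import Counter

EXPECTED_ROLE = "arn:aws-cn:iam::123456789012:role/cfn-deploy-role"   # assumed
MUTATING = {"CreateStack", "UpdateStack", "DeleteStack",
            "CreateChangeSet", "ExecuteChangeSet", "SetStackPolicy"}


def _event(name, actor, when, params, error=None,
           source="cloudformation.amazonaws.com"):
    """Build one constructed CloudTrail record."""
    rec = {"eventVersion": "1.08", "eventTime": when, "eventSource": source,
           "eventName": name, "awsRegion": "cn-north-1",
           "sourceIPAddress": "203.0.113.10",
           "userIdentity": {"type": "AssumedRole" if ":assumed-role/" in actor
                            else "IAMUser", "arn": actor},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed CloudTrail log file body. A delivered file is gzip-compressed
# JSON with a top-level "Records" array, which is what this mimics.
SAMPLE_LOG = json.dumps({"Records": [
    _event("CreateStack",
           "arn:aws-cn:sts::123456789012:assumed-role/ci-deployer/build-42",
           "2024-05-01T10:00:00Z",
           {"stackName": "app-prod", "roleARN": EXPECTED_ROLE}),
    _event("UpdateStack", "arn:aws-cn:iam::123456789012:user/alice",
           "2024-05-01T11:30:00Z", {"stackName": "app-prod"}),   # no role passed
    _event("DeleteStack", "arn:aws-cn:iam::123456789012:user/bob",
           "2024-05-01T12:05:00Z",
           {"stackName": "app-prod",
            "roleARN": "arn:aws-cn:iam::123456789012:role/admin"},
           error="AccessDenied"),
    _event("RunInstances", "arn:aws-cn:iam::123456789012:user/alice",
           "2024-05-01T12:10:00Z", {}, source="ec2.amazonaws.com"),  # not CloudFormation
    _event("DescribeStacks", "arn:aws-cn:iam::123456789012:user/alice",
           "2024-05-01T12:11:00Z", {"stackName": "app-prod"}),       # read-only
]})


def audit(log_text: str, expected_role: str) -> list:
    """Return one row per mutating CloudFormation call: who, what, which
    stack, from where, and any issues found."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "cloudformation.amazonaws.com":
            continue
        if rec.get("eventName") not in MUTATING:
            continue
        params = rec.get("requestParameters") or {}
        issues = []
        if "errorCode" in rec:
            issues.append(f"denied:{rec['errorCode']}")
        role = params.get("roleARN")
        if role is None:
            # No role in the request: the call ran under the caller's own
            # permissions, or under a role already associated with the stack.
            issues.append("no-role-in-request")
        elif role != expected_role:
            issues.append("unexpected-role")
        rows.append({"time": rec["eventTime"], "event": rec["eventName"],
                     "stack": params.get("stackName"),
                     "actor": rec["userIdentity"]["arn"],
                     "source_ip": rec.get("sourceIPAddress"),
                     "issues": issues})
    return rows


def calls_by_actor(rows: list) -> dict:
    """Count mutating calls per identity, denied calls included."""
    return dict(Counter(r["actor"] for r in rows))


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG, EXPECTED_ROLE):
        flag = ", ".join(r["issues"]) or "ok"
        print(f"{r['time']} {r['event']:<12} {r['stack']:<10} "
              f"{r['actor']} from {r['source_ip']}  [{flag}]")
    print(calls_by_actor(audit(SAMPLE_LOG, EXPECTED_ROLE)))
```

On real trails, apply the same logic to each decompressed log file from the S3 bucket (or to the events returned by `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=cloudformation.amazonaws.com`); a denied DeleteStack from an unexpected identity, as in the sample, is the kind of record worth alerting on rather than only keeping for later audit.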