Controlling access with Amazon Identity and Access Management
With Amazon Identity and Access Management (IAM), you can create IAM users to control who has access to which resources in your Amazon Web Services account. You can use IAM with Amazon CloudFormation to control what users can do with Amazon CloudFormation, such as whether they can view stack templates, create stacks, or delete stacks.
In addition to Amazon CloudFormation actions, you can manage what Amazon services and resources are available to each user. That way, you can control which resources users can access when they use Amazon CloudFormation. For example, you can specify which users can create Amazon EC2 instances, terminate database instances, or update VPCs. Those same permissions are applied anytime they use Amazon CloudFormation to do those actions.
For more information about all the services that you can control access to, see Amazon services that support IAM in IAM User Guide.
Topics
Amazon CloudFormation actions
When you create a group or a user in your Amazon Web Services account, you can associate an IAM
policy with that group or user, which specifies the permissions that you want to grant. For
example, imagine you have a group of entry-level developers. You can create a Junior
application developers group that includes all entry-level developers. Then, you
associate a policy with that group that allows users to only view Amazon CloudFormation stacks. In this
scenario, you might have a policy such as the following sample:
Example A sample policy that grants view stack permissions
{ "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Action":[ "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources" ], "Resource":"*" }] }
The policy grants permissions to all DescribeStack API actions listed in
the Action element.
Important
If you don't specify a stack name or ID in your statement, you must also grant the
permission to use all resources for the action using the * wildcard for the
Resource element.
In addition to Amazon CloudFormation actions, users who create or delete stacks require additional permissions that depend on the stack templates. For example, if you have a template that describes an Amazon SQS Queue, the user must have the corresponding permissions for Amazon SQS actions to successfully create the stack, as shown in the following sample policy:
Example A sample policy that grants create and view stack actions and all Amazon SQS actions
{ "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Action":[ "sqs:*", "cloudformation:CreateStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "cloudformation:ValidateTemplate" ], "Resource":"*" }] }
For a list of all Amazon CloudFormation actions that you can allow or deny, see the Amazon CloudFormation API Reference.
Amazon CloudFormation console-specific actions
Users who use the Amazon CloudFormation console require additional permissions that aren't required for using the Amazon Command Line Interface or Amazon CloudFormation APIs. Compared to the Amazon CLI and API, the console provides additional features that require additional permissions, such as template uploads to Amazon S3 buckets and drop-down lists for Amazon-specific parameter types.
For all the following actions, grant permissions to all resources; don't limit actions to specific stacks or buckets.
The following required action is used only by the Amazon CloudFormation console and is not documented in the API reference. The action allows users to upload templates to Amazon S3 buckets.
cloudformation:CreateUploadBucket
When users upload templates, they require the following Amazon S3 permissions:
s3:PutObject s3:ListBucket s3:GetObject s3:CreateBucket
For templates with Amazon-specific parameter types, users need
permissions to make the corresponding describe API calls. For example, if a template
includes the AWS::EC2::KeyPair::KeyName parameter type, users need
permission to call the EC2 DescribeKeyPairs action (this is how the console
gets values for the parameter drop-down list). The following examples are actions that
users need for other parameter types:
ec2:DescribeSecurityGroups (for the AWS::EC2::SecurityGroup::Id parameter type) ec2:DescribeSubnets (for the Subnet::Id parameter type) ec2:DescribeVpcs (for the AWS::EC2::VPC::Id parameter type)
Amazon CloudFormation resources
Amazon CloudFormation supports resource-level permissions, so you can specify actions for a specific stack, as shown in the following policy:
Example A sample policy that denies the delete and update stack actions for the MyProductionStack
{ "Version":"2012-10-17", "Statement":[{ "Effect":"Deny", "Action":[ "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Resource":"arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/*" }] }
The policy above uses a wild card at the end of the stack name so that delete stack and
update stack are denied on the full stack ID (such as
arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c)
and on the stack name (such as MyProductionStack).
To allow AWS::Serverless transforms to create a change set, the policy
should include the
arn:aws:cloudformation:<region>:aws:transform/Serverless-2016-10-31
resource-level permission, as shown in the following policy:
Example A sample policy that allows the create change set action for the transform
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "cloudformation:CreateChangeSet" ], "Resource": "arn:aws:cloudformation:us-west-2:aws:transform/Serverless-2016-10-31" }] }
Sample policy that grants service-managed stack set permissions
The following is a sample IAM policy that grants service-managed stack set
permissions to a principal entity (user, role, or group). A user with this policy can
only perform operations on stack sets with templates containing Amazon S3 resource types
(AWS::S3::*) or the AWS::SES::ConfigurationSet resource
type. If signed in to the organization management account with ID
123456789012, the user can also only perform operations on stack sets
that target the OU with ID ou-1fsfsrsdsfrewr, and can only
perform operations on the stack set with ID stack-set-id that targets the
Amazon Web Services account with ID 987654321012.
Stack set operations fail if the stack set template contains resource types other than those specified in the policy, or if the deployment targets are OU or account IDs other than those specified in the policy for the corresponding management accounts and stack sets.
These policy restrictions only apply when stack set operations target the
us-east-1, us-west-2, or eu-west-2
Amazon Web Services Regions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:*" ], "Resource": [ "arn:aws:cloudformation:*:*:stackset/*", "arn:aws:cloudformation:*:*:type/resource/AWS-S3-*", "arn:aws:cloudformation:us-west-2::type/resource/AWS-SES-ConfigurationSet", "arn:aws:cloudformation:*:123456789012:stackset-target/*/ou-1fsfsrsdsfrewr", "arn:aws:cloudformation:*:123456789012:stackset-target/stack-set-id/987654321012" ], "Condition": { "ForAllValues:StringEqualsIgnoreCase": { "cloudformation:TargetRegion": [ "us-east-1", "us-west-2", "eu-west-1" ] } } } ] }
Amazon CloudFormation conditions
In an IAM policy, you can optionally specify conditions that control when a policy is
in effect. For example, you can define a policy that allows users to create a stack
only when they specify a certain template URL. You can define Amazon CloudFormation-specific conditions and
Amazon-wide conditions, such as DateLessThan, which specifies when a policy stops
taking effect. For more information and a list of Amazon-wide conditions, see Condition in
IAM
policy elements reference in IAM User Guide.
Note
Don't use the aws:SourceIp Amazon-wide condition. Amazon CloudFormation provisions
resources by using its own IP address, not the IP address of the originating request.
For example, when you create a stack, Amazon CloudFormation makes requests from its IP address to launch
an Amazon EC2 instance or to create an Amazon S3 bucket, not from the IP address from the
CreateStack call or the aws cloudformation create-stack
command.
The following list describes the Amazon CloudFormation-specific conditions. These conditions are applied only when users create or update stacks:
cloudformation:ChangeSetName-
An Amazon CloudFormation change set name that you want to associate with a policy. Use this condition to control which change sets users can execute or delete.
cloudformation:ImportResourceTypes-
The template resource types that you want to associate with a policy, such as
AWS::EC2::Instance. Use this condition to control which resource types users can work with when they import resources into a stack. This condition is checked against the resource types that users declare in theResourcesToImportparameter, which is currently supported only for Amazon CLI and API requests. When using this parameter, you must specify all the resource types you want users to control during import operations. For more information about theResourcesToImportparameter, see theCreateChangeSetaction in the Amazon CloudFormation API Reference.For a list of possible
ResourcesToImport, see Resources that support import operations.Use the three-part resource naming convention to specify which resource types users can work with, from all resources across an organization, down to an individual resource type.
organization::*-
Specify all resource types for a given organization.
organization::service_name-
Specify all resource types for the specified service within a given organization.
organization::service_nameresource_type-
Specify a specific resource type.
For example:
AWS::*-
Specify all supported Amazon resource types.
AWS::service_name::*-
Specify all supported resources for a specific Amazon service.
AWS::service_name::resource_type-
Specify a specific Amazon resource type, such as
AWS::EC2::Instance(all EC2 instances).
cloudformation:ResourceTypes-
The template resource types, such as
AWS::EC2::Instance, that you want to associate with a policy. Use this condition to control which resource types users can work with when they create or update a stack. This condition is checked against the resource types that users declare in theResourceTypesparameter, which is currently supported only for Amazon CLI and API requests. When using this parameter, users must specify all the resource types that are in their template. For more information about theResourceTypesparameter, see theCreateStackaction in the Amazon CloudFormation API Reference.For a list of resource types, see Amazon resource and property types reference.
Use the three-part resource naming convention to specify which resource types users can work with, from all resources across an organization, down to an individual resource type.
organization::*-
Specify all resource types for a given organization.
organization::service_name-
Specify all resource types for the specified service within a given organization.
organization::service_nameresource_type-
Specify a specific resource type.
For example:
AWS::*-
Specify all supported Amazon resource types.
AWS::service_name::*-
Specify all supported resources for a specific Amazon service.
AWS::service_name::resource_type-
Specify a specific Amazon resource type, such as
AWS::EC2::Instance(all EC2 instances). Alexa::ASK::*-
Specify all resource types in the Alexa Skill Kit.
Alexa::ASK::Skill-
Specify the individual Skill resource type.
Custom::*-
Specify all custom resources.
For more information about custom resources, see Custom resources.
Custom::resource_type-
Specify a specific custom resource type.
For more information about custom resources, see Custom resources.
cloudformation:RoleARN-
The Amazon Resource Name (ARN) of an IAM service role that you want to associate with a policy. Use this condition to control which service role users can use when they work with stacks or change sets.
cloudformation:StackPolicyUrl-
An Amazon S3 stack policy URL that you want to associate with a policy. Use this condition to control which stack policies users can associate with a stack during a create or update stack action. For more information about stack policies, see Prevent updates to stack resources.
Note
To ensure that users can only create or update stacks with the stack policies that you uploaded, set the S3 bucket to
read onlyfor those users. cloudformation:TemplateUrl-
An Amazon S3 template URL that you want to associate with a policy. Use this condition to control which templates users can use when they create or update stacks.
Note
To ensure that users can only create or update stacks with the templates that you uploaded, set the S3 bucket to
read onlyfor those users.Note
The following Amazon CloudFormation-specific conditions apply to the API parameters of the same name:
-
cloudformation:ChangeSetName -
cloudformation:RoleARN -
cloudformation:StackPolicyUrl -
cloudformation:TemplateUrl
For example,
cloudformation:TemplateUrlonly applies to theTemplateUrlparameter forCreateStack,UpdateStack, andCreateChangeSetAPIs. -
Examples
The following example policy allows users to use only the
https://s3.amazonaws.com/testbucket/test.template template URL to create or
update a stack.
Example Template URL condition
{ "Version":"2012-10-17", "Statement":[ { "Effect" : "Allow", "Action" : [ "cloudformation:CreateStack", "cloudformation:UpdateStack" ], "Resource" : "*", "Condition" : { "StringEquals" : { "cloudformation:TemplateUrl" : [ "https://s3.amazonaws.com/testbucket/test.template" ] } } } ] }
The following example policy allows users to complete all Amazon CloudFormation operations except import operations.
Example Import resource types condition
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAllStackOperations", "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*" }, { "Sid": "DenyImport", "Effect": "Deny", "Action": "cloudformation:*", "Resource": "*", "Condition": { "ForAnyValue:StringLike": { "cloudformation:ImportResourceTypes": [ "*" ] } } } ] }
The following example policy allows all stack operations, in addition to import
operations only on specified resources (in this example,
AWS::S3::Bucket.
Example Import resource types condition
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowImport", "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*" "Condition": { "ForAllValues:StringEqualsIgnoreCase": { "cloudformation:ImportResourceTypes": [ "AWS::S3::Bucket" ] } } } ] }
The following example policy allows users to create stacks but denies requests if the
stack's template include any resource from the IAM service. The policy also requires
users to specify the ResourceTypes parameter, which is available only for
Amazon CLI and API requests. This policy uses explicit deny statements so that if any other
policy grants additional permissions, this policy always remain in effect (an explicit
deny statement always overrides an explicit allow statement).
Example Resource type condition
{ "Version":"2012-10-17", "Statement":[ { "Effect" : "Allow", "Action" : [ "cloudformation:CreateStack" ], "Resource" : "*" }, { "Effect" : "Deny", "Action" : [ "cloudformation:CreateStack" ], "Resource" : "*", "Condition" : { "ForAnyValue:StringLikeIfExists" : { "cloudformation:ResourceTypes" : [ "AWS::IAM::*" ] } } }, { "Effect": "Deny", "Action" : [ "cloudformation:CreateStack" ], "Resource": "*", "Condition": { "Null": { "cloudformation:ResourceTypes": "true" } } } ] }
The following example policy is similar to the preceding example. The policy allows
users to create a stack unless the stack's template includes any resource from the IAM
service. It also requires users to specify the ResourceTypes parameter,
which is available only for Amazon CLI and API requests. This policy is simpler, but it
doesn't use explicit deny statements. Other policies, granting additional permissions,
could override this policy.
Example Resource type condition
{ "Version":"2012-10-17", "Statement":[ { "Effect" : "Allow", "Action" : [ "cloudformation:CreateStack" ], "Resource" : "*", "Condition" : { "ForAllValues:StringNotLikeIfExists" : { "cloudformation:ResourceTypes" : [ "AWS::IAM::*" ] }, "Null":{ "cloudformation:ResourceTypes": "false" } } } ] }
Acknowledging IAM resources in Amazon CloudFormation templates
Before you can create a stack, Amazon CloudFormation validates your template. During validation, Amazon CloudFormation checks your template for IAM resources that it might create. IAM resources, such as a user with full access, can access and modify any resource in your Amazon Web Services account. Therefore, we suggest that you review the permissions associated with each IAM resource before proceeding so that you don't unintentionally create resources with escalated permissions. To ensure that you've done so, you must acknowledge that the template contains those resources, giving Amazon CloudFormation the specified capabilities before it creates the stack.
You can acknowledge the capabilities of Amazon CloudFormation templates by using the Amazon CloudFormation console, Amazon Command Line Interface (Amazon CLI), or API:
-
In the Amazon CloudFormation console, on the Review page of the Create Stack or Update Stack wizards, choose I acknowledge that this template may create IAM resources.
-
In the Amazon CLI, when you use the
aws cloudformation create-stackandaws cloudformation update-stackcommands, specify theCAPABILITY_IAMorCAPABILITY_NAMED_IAMvalue for the--capabilitiesparameter. If your template includes IAM resources, you can specify either capability. If your template includes custom names for IAM resources, you must specifyCAPABILITY_NAMED_IAM. -
In the API, when you use the
CreateStackandUpdateStackactions, specifyCapabilities.member.1=CAPABILITY_IAMorCapabilities.member.1=CAPABILITY_NAMED_IAM. If your template includes IAM resources, you can specify either capability. If your template includes custom names for IAM resources, you must specifyCAPABILITY_NAMED_IAM.
Important
If your template contains custom named IAM resources, don't create multiple stacks reusing the same template. IAM resources must be globally unique within your account. If you use the same template to create multiple stacks in different Regions, your stacks might share the same IAM resources, rather than each having a unique one. Shared resources among stacks can have unintended consequences from which you can't recover. For example, if you delete or update shared IAM resources in one stack, you will unintentionally modify the resources of other stacks.
Manage credentials for applications running on Amazon EC2 instances
If you have an application that runs on an Amazon EC2 instance and needs to make requests to Amazon resources such as Amazon S3 buckets or an DynamoDB table, the application requires Amazon security credentials. However, distributing and embedding long-term security credentials in every instance that you launch is a challenge and a potential security risk. Instead of using long-term credentials, like IAM user credentials, we recommend that you create an IAM role that is associated with an Amazon EC2 instance when the instance is launched. An application can then get temporary security credentials from the Amazon EC2 instance. You don't have to embed long-term credentials on the instance. Also, to make managing credentials easier, you can specify just a single role for multiple Amazon EC2 instances; you don't have to create unique credentials for each instance.
For a template snippet that shows how to launch an instance with a role, see IAM role template examples.
Note
Applications on instances that use temporary security credentials can call any Amazon CloudFormation actions. However, because Amazon CloudFormation interacts with many other Amazon services, you must verify that all the services that you want to use support temporary security credentials. For more information, see Amazon services that support Amazon STS.
Grant temporary access (federated access)
In some cases, you might want to grant users with no Amazon credentials temporary access to your Amazon Web Services account. Rather than creating and deleting long-term credentials whenever you want to grant temporary access, use Amazon Security Token Service (Amazon STS). For example, you can use IAM roles. From one IAM role, you can programmatically create and then distribute many temporary security credentials (which include an access key, secret access key, and security token). These credentials have a limited life, so they cannot be used to access your Amazon Web Services account after they expire. You can also create multiple IAM roles in order to grant individual users different levels of permissions. IAM roles are useful for scenarios like federated identities and single sign-on.
A federated identity is a distinct identity that you can use across multiple systems.
For enterprise users with an established on-premises identity system (such as LDAP or
Active Directory), you can handle all authentication with your on-premises identity system.
After a user has been authenticated, you provide temporary security credentials from the
appropriate IAM user or role. For example, you can create an administrators
role and a developers role, where administrators have full access to the Amazon
account and developers have permissions to work only with Amazon CloudFormation stacks. After an
administrator is authenticated, the administrator is authorized to obtain temporary
security credentials from the administrators role. However, for developers,
they can obtain temporary security credentials from only the developers
role.
You can also grant federated users access to the Amazon Web Services Management Console. After users authenticate with your on-premises identity system, you can programmatically construct a temporary URL that gives direct access to the Amazon Web Services Management Console. When users use the temporary URL, they won't need to sign in to Amazon because they have already been authenticated (single sign-on). Also, because the URL is constructed from the users' temporary security credentials, the permissions that are available with those credentials determine what permissions users have in the Amazon Web Services Management Console.
You can use several different Amazon STS APIs to generate temporary security credentials. For more information about which API to use, see Ways to get temporary security credentials in Using Temporary Security Credentials.
Important
You cannot work with IAM when you use temporary security credentials that were
generated from the GetFederationToken API. Instead, if you need to work
with IAM, use temporary security credentials from a role.
Amazon CloudFormation interacts with many other Amazon services. When you use temporary security credentials with Amazon CloudFormation, verify that all the services that you want to use support temporary security credentials. For more information, see Amazon services that support Amazon STS.
For more information, see the following related resources in Using Temporary Security Credentials: