Best practices for least-privilege permissions for AWS CloudFormation - AWS Prescriptive Guidance

This guide reviews different approaches and some types of policies that you can use to configure least-privilege access to AWS CloudFormation and resources provisioned through CloudFormation. This guide focuses on configuring access to CloudFormation through IAM principals, service roles, and stack policies. The included recommendations and best practices are designed to help protect your accounts and stack resources from unintended actions by authorized users and from bad actors who might exploit excessive permissions.

The following is a summary of the best practices explained in this guide. These best practices can help you adhere to the principle of least privilege when configuring permissions to use CloudFormation and resources provisioned through CloudFormation:

  • Determine what level of access users and teams need to use the CloudFormation service, and grant only the minimum access required. For example, grant view access to interns and auditors, and do not allow these types of users to create, update, or delete stacks.

  • For IAM principals who need to provision multiple types of AWS resources through CloudFormation stacks, consider using service roles to allow CloudFormation to provision resources on the principal's behalf, instead of configuring access to those AWS services in the principal's identity-based policies.

  • In identity-based policies for IAM principals, use the cloudformation:RoleARN condition key to control which CloudFormation service roles can be passed.

  • To help prevent privilege escalation, do the following:

    • Strictly monitor all the IAM principals that have access to the CloudFormation service and the levels of access they have.

    • Strictly monitor which users can access these IAM principals.

    • Monitor the activity of IAM principals that can pass a privileged service role to CloudFormation. Although they might not have permissions to create IAM resources through their identity-based policy, the service role they can pass could create IAM resources.

  • Specify a stack policy whenever you create a stack that has critical resources. This can help protect critical stack resources from unintentional updates that could cause those resources to be interrupted or replaced.

  • For resources provisioned through CloudFormation, refer to the access management recommendations and security best practices for that service.

  • To complement the recommendations in this guide for identity-based policies and resource-based policies, consider implementing additional security controls for least-privilege permissions, such as service control policies (SCPs) and permissions boundaries. For more information, see Next steps.
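The following identity-based policy is an added example illustrating the service-role and cloudformation:RoleARN recommendations above; it is not taken from this guide or from the CloudFormation documentation. The account ID 111122223333, the Region, the stack-name prefix app-* and the role name CloudFormationAppDeployRole are assumed placeholders. The policy lets a principal create, update and delete only stacks whose name starts with app-, and only when the request passes one approved service role; the iam:PassRole statement is scoped to that same role and, through the iam:PassedToService condition key, to CloudFormation as the receiving service.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StackOperationsOnlyWithApprovedServiceRole",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/app-*/*",
      "Condition": {
        "StringEquals": {
          "cloudformation:RoleARN": "arn:aws:iam::111122223333:role/CloudFormationAppDeployRole"
        }
      }
    },
    {
      "Sid": "PassOnlyTheApprovedServiceRoleToCloudFormation",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/CloudFormationAppDeployRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "cloudformation.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ReadOnlyStackVisibility",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResources",
        "cloudformation:ListStacks"
      ],
      "Resource": "*"
    }
  ]
}
```

Two points matter when reviewing a policy like this. First, StringEquals evaluates to false when the condition key is absent from the request, so a CreateStack or UpdateStack call that omits the RoleARN parameter is not allowed by the first statement; the principal must always pass the approved role, which is the intended effect. Second, the read-only statement carries no RoleARN condition because describe and list calls do not include that key. The privilege-escalation concern in the summary still applies: whatever the approved service role can do (for example, create IAM resources) is effectively available to this principal, so the service role's own permissions and the set of principals that can pass it need the same monitoring the guide describes.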

The CloudFormation documentation contains additional Best practices and Security best practices that can help you use CloudFormation more effectively and securely. In addition, see Best practices for configuring identity-based policies for least-privilege CloudFormation access in this guide.
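The stack policy below is an added example of the stack-policy recommendation in the summary; it is not code from this guide or from the CloudFormation documentation. The logical resource ID ProductionDatabase and the resource type AWS::RDS::DBInstance are assumed placeholders. The first statement blocks any update to the named database resource; the second blocks replacement or deletion of every RDS instance in the stack, whatever its logical ID; the third allows all other updates, which is required because once a stack policy is attached every resource is protected until an Allow statement covers it.

```json
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "LogicalResourceId/ProductionDatabase"
    },
    {
      "Effect": "Deny",
      "Action": [
        "Update:Replace",
        "Update:Delete"
      ],
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ResourceType": [
            "AWS::RDS::DBInstance"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}
```

A stack policy is evaluated only during stack updates; it does not prevent a DeleteStack call from removing the protected resources, and a principal with cloudformation:SetStackPolicy (or permission to pass an overriding policy on update) can change it. Treat it as a guard against unintentional changes, as the guide says, and control deletion and policy changes through the identity-based policies and service roles described above.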