Implementing policies for least-privilege permissions for AWS CloudFormation - AWS Prescriptive Guidance


Nima Fotouhi and Moumita Saha, Amazon Web Services (AWS)

May 2023 (document history)

AWS CloudFormation is an infrastructure as code (IaC) service that helps you scale your cloud infrastructure development by provisioning AWS resources. It also helps you manage those resources throughout their lifecycle, across AWS accounts and AWS Regions. In CloudFormation, you define templates, which act as a blueprint for a set of resources. You then provision those resources by creating and deploying a stack, which is a group of related resources that you manage as a single unit. You can also use CloudFormation to deploy stack sets, which are groups of stacks that you can create, update, and delete across multiple accounts and AWS Regions with a single operation. This guide provides an overview of how you can implement least-privilege permissions for AWS CloudFormation and resources provisioned through CloudFormation.

You can deploy CloudFormation stacks or stack sets by doing one of the following:

  • Directly access the AWS environment through an AWS Identity and Access Management (IAM) principal and deploy CloudFormation stacks.

  • Push the CloudFormation stacks into a deployment pipeline and initiate stack deployment through the pipeline. The pipeline accesses the AWS environment through an IAM principal and deploys the stacks. This approach is a recommended best practice.

For either of these approaches, permissions are required to deploy CloudFormation stacks. For example, consider a user planning to use CloudFormation to create an Amazon Elastic Compute Cloud (Amazon EC2) instance. That instance would require an IAM instance profile to access other AWS services. The IAM principal used to deploy the CloudFormation stack would require the following permissions:

  • Permissions to access CloudFormation

  • Permissions to create stacks in CloudFormation

  • Permissions to create instances in Amazon EC2

  • Permissions to create the required IAM instance profiles
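The permission set listed above can be expressed as an identity-based IAM policy for the deploying principal. The following is an added example, not code from the AWS guide: it places an over-broad policy beside a scoped one for the same EC2-plus-instance-profile scenario, and includes a small checker that flags the patterns least privilege is meant to avoid (wildcard actions, `Resource: "*"` on write actions, and `iam:PassRole` without an `iam:PassedToService` condition). The account ID, Region and the `ec2-app-` stack and role name prefix are constructed placeholders; the exact EC2 resource types a template needs (key pairs, launch templates, and so on) depend on what the template declares.

```python
"""Least-privilege deploy policy for a CloudFormation stack that creates an EC2
instance and its IAM instance profile, beside an over-broad one, with a checker.
Added example; the identifiers below are constructed placeholders."""
import json

ACCOUNT = "111122223333"   # placeholder account ID
REGION = "us-east-1"       # placeholder Region
PREFIX = "ec2-app-"        # constructed naming prefix for stacks, roles, profiles

# Over-broad: grants every CloudFormation, EC2 and IAM action on every resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*", "ec2:*", "iam:*"], "Resource": "*"}
    ],
}

# Scoped: each of the four permission areas from the text, limited by resource ARN.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Access CloudFormation and manage only stacks under the naming prefix
            "Sid": "CloudFormationStackOps", "Effect": "Allow",
            "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                       "cloudformation:DeleteStack", "cloudformation:DescribeStacks",
                       "cloudformation:DescribeStackEvents"],
            "Resource": f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:stack/{PREFIX}*/*",
        },
        {   # Describe* calls do not support resource-level permissions, so "*" is unavoidable here
            "Sid": "Ec2ReadOnly", "Effect": "Allow",
            "Action": ["ec2:DescribeInstances"], "Resource": "*",
        },
        {   # Create/terminate instances; RunInstances touches several resource types
            "Sid": "Ec2Provisioning", "Effect": "Allow",
            "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:CreateTags"],
            "Resource": [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
                         f"arn:aws:ec2:{REGION}::image/ami-*",
                         f"arn:aws:ec2:{REGION}:{ACCOUNT}:network-interface/*",
                         f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/*",
                         f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/*",
                         f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*"],
        },
        {   # Create the instance profile and its role, but only under the naming prefix
            "Sid": "InstanceProfileLifecycle", "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:GetRole",
                       "iam:AttachRolePolicy", "iam:DetachRolePolicy",
                       "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile",
                       "iam:GetInstanceProfile", "iam:AddRoleToInstanceProfile",
                       "iam:RemoveRoleFromInstanceProfile"],
            "Resource": [f"arn:aws:iam::{ACCOUNT}:role/{PREFIX}*",
                         f"arn:aws:iam::{ACCOUNT}:instance-profile/{PREFIX}*"],
        },
        {   # PassRole is the classic escalation path: restrict it to EC2 and to prefixed roles
            "Sid": "PassRoleToEc2Only", "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/{PREFIX}*",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy):
    """Return human-readable findings for Allow statements that are broader than needed."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        # Actions that are not Describe/Get/List can change state; they should name resources
        write_actions = [a for a in actions
                         if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
        if "*" in resources and write_actions:
            findings.append(f"{sid}: Resource '*' on write actions {write_actions}")
        if "iam:PassRole" in actions and "iam:PassedToService" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"{sid}: iam:PassRole without an iam:PassedToService condition")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, least_privilege_findings(policy) or "no findings")
```

Running the module prints four findings for the broad policy and none for the scoped one. The checker is deliberately simple (it does not evaluate NotAction, Deny statements or every condition key), so treat it as a first pass before tools such as IAM Access Analyzer policy validation, not as a replacement for them.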

What is least privilege?

Least privilege is the security best practice of granting the minimum permissions required to perform a task. The principle of least privilege is part of the Security pillar in the AWS Well-Architected Framework. When you implement this best practice, it can help protect your AWS environment from privilege escalation risks, reduce the attack surface, improve data security, and prevent user error (such as misconfiguring or deleting a resource by mistake).

To implement least privilege for your AWS resources, you configure policies, such as identity-based policies in AWS Identity and Access Management (IAM). These policies define permissions and specify access conditions. Organizations might start with AWS managed policies, but then they typically create custom policies that limit the scope of permissions to only the actions required for the workload or use case.

Least-privilege permissions for the CloudFormation service are an important security consideration. Because users and developers who interact with CloudFormation can rapidly create, modify, or delete resources at scale, least privilege is especially critical. However, CloudFormation requires the permissions necessary to create, update, and modify resources in your AWS accounts. You must balance the need for permissions to operate CloudFormation with the principle of least privilege.

When applying the principle of least privilege to CloudFormation, you need to consider the following:

  • Permissions for the CloudFormation service – Which users require access to CloudFormation, what level of access do they require, and what actions can they take to create, update, or delete stacks?

  • Permissions to provision resources – Which resources can users provision through CloudFormation?

  • Permissions for provisioned resources – How do you configure least-privilege permissions for the resources you provision through CloudFormation?

Targeted business outcomes

By following the best practices and recommendations in this guide, you can:

  • Determine which users in your organization require access to CloudFormation, and then configure least-privilege permissions for those users.

  • Use stack policies to help protect CloudFormation stacks from unintended updates.

  • Configure least-privilege permissions for CloudFormation users and resources to help prevent privilege escalation and the confused deputy problem.

  • Use AWS CloudFormation to provision AWS resources with least-privilege permissions. This helps your organization maintain a more robust security posture.

  • Proactively reduce the amount of time, energy, and money required to investigate and mitigate security incidents.

Intended audience

This guide is intended for Cloud Infrastructure Architects, DevOps engineers, and site reliability engineers (SREs) who manage and provision resources by using CloudFormation.