How to define a policy/role/permission in AWS which only allows to create stack with a predefined template

Question

Is there a way to define a permission/policy/role in AWS which allows to create a CloudFormation Stack using only a specific template (which is updated on S3)?

I've seen AWS Service Roles but I think it's not what I'm looking for. In fact I don't see which is the benefit (in terms of security) of using it. If a user can not create a resource directly, but the same user can create the resource through the CloudFormation where is the benefit?

However, if there were a way to limit the templates which can be use it, it would add a benefit in terms of security, because you could define what resources can be created without need to have specific roles defining permission by permission all the resources of the Stack.

score 0 · Accepted Answer · answered Jun 11 '20 at 14:59

You should take a look at service catalog.

By using this service you can define and hook up the templates that can be used to generate CloudFormation stacks without the need to give team members the permission to create a CloudFormation stack.

Without this there is not a direct solution to restrict access to CloudFormation creation from only specific sources.

How to define a policy/role/permission in AWS which only allows to create stack with a predefined template

1 Answers1