Managing CloudFormation IAM permissions
We already know that CloudFormation performs API calls when we create or update the stack. Now, the question is, does CloudFormation have the same powers as a root user?
When you work with production-grade AWS accounts, you need to control access to your environment for humans (yourself and your co-workers) and machines (build systems, other AWS services or resources, and so on). Ignoring the least privilege principle may lead to disastrous security breaches, which is why controlling access for CloudFormation is important.
By default, when the user runs stack creation, they invoke the cloudformation:CreateStack API method. CloudFormation will use that user's permissions to invoke other API methods during stack creation.
This means that if our user has an IAM policy with an allowed action of ec2:* but attempts to create an RDS instance with CloudFormation, the stack will fail to create, with an error stating that the User is unauthorized...
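The following is an added illustration, not code from the book or from AWS: a small pre-flight check that evaluates the caller's IAM policy against the API actions a template will need, so the ec2:*-versus-RDS failure described above is caught before create-stack is even called. The REQUIRED_ACTIONS table mapping resource types to API actions is constructed and deliberately incomplete (real resources need more actions than listed), the policy evaluator ignores Resource and Condition elements, and the sample policy and templates are constructed inputs.

```python
"""Pre-flight check: does the caller's IAM policy grant every API action
CloudFormation will invoke on their behalf for this template?

Added illustration, not AWS tooling. The resource-to-action table below is
a constructed, partial approximation (assumption, not AWS documentation).
"""
import fnmatch

# Constructed, partial mapping from resource type to the API actions
# CloudFormation calls with the caller's permissions when creating it.
# Real resources require more actions than are listed here.
REQUIRED_ACTIONS = {
    "AWS::EC2::Instance": ["ec2:RunInstances", "ec2:DescribeInstances"],
    "AWS::EC2::SecurityGroup": ["ec2:CreateSecurityGroup",
                                "ec2:AuthorizeSecurityGroupIngress"],
    "AWS::RDS::DBInstance": ["rds:CreateDBInstance", "rds:DescribeDBInstances"],
}


def action_allowed(policy, action):
    """Evaluate one action against an identity policy document.

    Follows the IAM decision order for the Action element only: an explicit
    Deny always wins, a matching Allow otherwise wins, and anything that
    matches no statement is implicitly denied. Action names are matched
    case-insensitively and support the '*' wildcard (for example 'ec2:*').
    Resource and Condition elements are not evaluated in this illustration.
    """
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_actions(policy, template):
    """Return the sorted list of actions the stack needs but the policy lacks.

    Starting a stack always needs cloudformation:CreateStack; every resource
    in the template adds the actions CloudFormation will call for it.
    """
    needed = {"cloudformation:CreateStack"}
    for resource in template["Resources"].values():
        needed.update(REQUIRED_ACTIONS.get(resource["Type"], []))
    return sorted(a for a in needed if not action_allowed(policy, a))


# Constructed caller policy: full EC2 access plus the right to start a stack,
# matching the situation described in the text.
EC2_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "cloudformation:CreateStack"],
         "Resource": "*"},
    ],
}

# Constructed minimal templates (properties omitted; only the types matter here).
EC2_TEMPLATE = {"Resources": {"Web": {"Type": "AWS::EC2::Instance"}}}
RDS_TEMPLATE = {"Resources": {"Db": {"Type": "AWS::RDS::DBInstance"}}}


if __name__ == "__main__":
    for name, template in [("ec2-stack", EC2_TEMPLATE), ("rds-stack", RDS_TEMPLATE)]:
        gaps = missing_actions(EC2_ONLY_POLICY, template)
        if gaps:
            print(f"{name}: would fail, caller lacks {', '.join(gaps)}")
        else:
            print(f"{name}: caller permissions cover the stack")
```

Run as a script, the EC2 stack passes and the RDS stack reports the missing rds:* actions, which is the "User is unauthorized" failure the text describes, only surfaced before any resources are touched. Extending REQUIRED_ACTIONS from the actual actions a resource type performs, and adding Resource matching, turns this into a usable least-privilege audit for the identity that runs your stacks.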