创建仅 CloudFormation AWS 策略

Create a CloudFormation only AWS policy

我想在 AWS 中创建一个策略和角色,允许仅通过 CloudFormation 而不是通过控制台创建资源。 实现此目标的最佳方法是什么?

实现您想要做的事情的最简单方法是创建 CloudFormation 服务角色,并授予您的用户将此角色传递给 CloudFormation 并执行 CloudFormation 创建、更新等的能力。

我已经创建了一个 CloudFormation 模板,其中包含起点角色和组以及应该满足您的需求的策略。

  • CloudFormationServiceRole:CloudFormation 使用的实际角色,有权在 AWS 中执行操作
  • UsersGroup:要将您的用户添加到的组。它有权在 CloudFormation 中执行操作并传递 CloudFormationServiceRole,仅此而已。

AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFormationServiceRole:
    # This Role will actually do all of the heavy lifting and resouce
    # creation
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: CloudformationAccess
          PolicyDocument:
            # This policy defines what the users can actually do
            # With Cloudformation
            Version: 2012-10-17
            Statement:
              - 
                Effect: Allow
                Action: "*"
                Resource: "*"
  UsersGroup:
    # The users will use the role, but do nothing themselves
    Type: AWS::IAM::Group
    Properties:
      Policies:
        -
          PolicyName: UsersCloudformationAccess
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - 
                Effect: Allow
                Action:
                  - cloudformation:*
                Resource: "*"
              -
                Effect: Allow
                Action:
                  - iam:GetRole
                  - iam:PassRole
                Resource: !GetAtt CloudFormationServiceRole.Arn