Are CloudFormation stack-based permission boundaries possible?


Is it possible to create an IAM service role for CloudFormation that is allowed to basically do anything, but only for resources within the stack that's currently being updated?

I know I can use aws:CalledViaFirst to limit a role to only operating through CFN, but that still grants the allowed actions to all stacks.

I'm trying to have a single, multi-purpose IAM role that has */* permissions, but only in regards to a single stack at a time. So for example, if the role is used to execute a changeset for the FooApp stack, it could do anything it wants against resources within that stack, or create any new resources. But while being used as the service role for that stack, it would be denied permission for any existing resource not managed by that stack.

The same role could also be a service role for the BarApp stack, but again it would only be allowed to create new resources or update existing resources in the BarApp stack.

I think maybe there's a way to do it with request tags or resource tags, but I haven't been able to come up with a reliable implementation of that yet.

Maybe there's some other nonobvious condition key that would be useful?

1 Answer

Did you try something like this:

          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": "cloudformation:*",
                "Resource": "*",
                "Condition": {
                  "StringEquals": {
                    "aws:RequestTag/StackName": "${aws:StackName}"
                  }
                }
              }
            ]
          }

Also refer to the AWS CloudFormation service role documentation, if it helps.

Comment here if you have additional questions, happy to assist.


AWS
answered a month ago
reviewed a month ago
  • Sorry, I'm a bit confused. Is aws:StackName a policy variable? I'm not seeing that documented anywhere, and it doesn't seem to match any global or CloudFormation-specific single-valued condition keys.

  • aws:StackName is a pseudo parameter, which you can use in a condition. Refer to the documentation. Let me know if you have additional questions.

  • @secondabhi_aws I don't think pseudo parameters will do what I'm looking for. I'm looking to create a service role to pass to CreateStack/UpdateStack, which needs to be able to do things like manage EC2 instances or SNS topics. A policy like the one in the example only deals with operations on the stack itself. It would also be unusual to create a service role for a stack within the stack itself, since that introduces a bit of a circular dependency.

    I could be misunderstanding the intended implementation of this solution, though.

  • You are absolutely correct, all I am trying to indicate is, you could possibly use this pseudo parameter in your policy condition/boundary, wherever is required.
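Added example, not part of the question or the answer above: one way to get the tag-based scoping the question mentions, written as a permissions boundary for a service role whose identity policy is */*. It relies on the aws:cloudformation:stack-name tag that CloudFormation itself applies to the resources it creates (callers cannot set or alter aws:-prefixed tag keys, which is what makes the check trustworthy). The stack name FooApp and the EC2/SNS read-only actions are assumptions for illustration. The stack name has to be pinned because IAM has no policy variable for "the stack currently being executed": ${aws:StackName} in the answer is not a documented IAM policy variable, and CloudFormation's AWS::StackName pseudo parameter is resolved inside the template, not at IAM evaluation time. The consequence is one boundary (and therefore one role) per stack rather than the single multi-stack role the question asks for.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageResourcesAlreadyOwnedByThisStack",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/aws:cloudformation:stack-name": "FooApp"
        }
      }
    },
    {
      "Sid": "CreateResourcesThatArriveTaggedForThisStack",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/aws:cloudformation:stack-name": "FooApp"
        }
      }
    },
    {
      "Sid": "ReadOnlyCallsThatCarryNoResourceOrRequestTag",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "sns:GetTopicAttributes",
        "sns:ListTopics"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach this document as the role's permissions boundary and keep the trust policy limited to cloudformation.amazonaws.com; the effective permissions are the intersection of the */* identity policy and the boundary, so an update of FooApp can touch anything tagged for FooApp and create new tagged resources, while a resource that belongs to BarApp or to no stack at all fails the tag condition and is denied by default. Two caveats to test before relying on it: the request-tag statement only works for services where CloudFormation passes the stack tags in the create call (tag-on-create), and resource types that do not support tags never match either tag condition, so each of those needs its own explicit statement like the read-only one shown.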
