IAM Policies: Prevent Users from Updating or Deleting Specific CloudFormation Stacks

My Saved Presets

An IAM policy that allows all CloudFormation APIs access, but denies UpdateStack and DeleteStack APIs access on a specific stack (e.g. a production stack). This policy also provides the permissions necessary to complete this action on the console.

Missing Parameters

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:UpdateStack",
                "cloudformation:DeleteStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:us-east-1:123456789012:stack//*"
            ],
            "Effect": "Deny"
        }
    ]
}

* Required field

Loading Library ...

Prevent Users from Updating or Deleting Specific CloudFormation Stacks

Actions

Customize Template

Policy Parameters