An IAM policy that allows all CloudFormation APIs access, but denies UpdateStack and DeleteStack APIs access on a specific stack (e.g. a production stack). This policy also provides the permissions necessary to complete this action on the console.

Configuration Templates

Missing Parameters
    "Version": "2012-10-17",
    "Statement": [
            "Action": [
            "Resource": "*",
            "Effect": "Allow"
            "Action": [
            "Resource": [
            "Effect": "Deny"


Customize Template

Policy Parameters

* Required field

Sources and Documentation

Configuration Source: AWS Blog: CloudFormation Security Best Practices

Additional Documentation:


© 2020 asecurecloud Inc. All Rights Reserved.