An IAM policy that prevents creating or updating CloudFormation stacks that contain specific resource types by using the cloudformation:ResourceTypes condition key (this policy uses IAM resources as the default example). The second statement denies requests that do not specify resource types at all, so the condition key is always present when the request is evaluated. This policy also provides the permissions necessary to complete this action on the console.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyStacksWithIamResourceTypes",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "ForAnyValue:StringLike": {
          "cloudformation:ResourceTypes": [
            "AWS::IAM::*"
          ]
        }
      }
    },
    {
      "Sid": "DenyWhenResourceTypesOmitted",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "Null": {
          "cloudformation:ResourceTypes": "true"
        }
      }
    }
  ]
}
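A simplified model of how the policy described on this page evaluates a request, added here as an example (it is not the page's or AWS's code). It assumes the request's ResourceTypes parameter arrives as the cloudformation:ResourceTypes context key and models only the two condition operators involved; the function names and sample requests are constructed.

```python
import json
import re

# Policy as described on this page, reduced to the fields the evaluator reads.
POLICY = json.loads("""
{"Statement": [
  {"Effect": "Deny",
   "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
   "Condition": {"ForAnyValue:StringLike":
                 {"cloudformation:ResourceTypes": ["AWS::IAM::*"]}}},
  {"Effect": "Deny",
   "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
   "Condition": {"Null": {"cloudformation:ResourceTypes": "true"}}}
]}
""")


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' = any run of characters, '?' = one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_matches(operator, key_values, context):
    """Evaluate one condition operator against the request context (a dict)."""
    for key, expected in key_values.items():
        present = context.get(key)  # list of request values, or None if omitted
        if operator == "Null":
            if (present is None) != (expected == "true"):
                return False
        elif operator == "ForAnyValue:StringLike":
            # A missing key has no values, so ForAnyValue cannot match.
            if not any(string_like(p, v) for p in expected for v in present or []):
                return False
        else:
            raise ValueError(f"operator not modelled: {operator}")
    return True


def is_denied(action, resource_types):
    """True if any Deny statement matches; resource_types=None means omitted."""
    context = {}
    if resource_types is not None:
        context["cloudformation:ResourceTypes"] = resource_types
    return any(
        s["Effect"] == "Deny" and action in s["Action"]
        and all(condition_matches(op, kv, context) for op, kv in s["Condition"].items())
        for s in POLICY["Statement"]
    )
```

A request that lists only non-IAM types passes both Deny statements, one that lists any AWS::IAM::* type is caught by the first, and one that omits the parameter is caught by the second.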