Upcoming Features

Overview

An IAM policy that prevents creating or updating CloudFormation stacks that contain specific resource types by using the cloudformation:ResourceTypes condition key (This policy uses IAM resources as the default example). This policy also provides the permissions necessary to complete this action on the console.

Configuration Templates

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:UpdateStack",
                "cloudformation:DeleteStack"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotEquals": {
                    "cloudformation:ResourceTypes": [
                        "AWS::IAM::*"
                    ]
                }
            }
        },
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "Null": {
                    "cloudformation:ResourceTypes": "true"
                }
            }
        }
    ]
}

Actions



Customize Template

Policy Parameters

* Required field

Sources and Documentation

Configuration Source: AWS Blog: CloudFormation Security Best Practices

Additional Documentation: