AWS CloudFormation (IAM)

aws devops

AWS CloudFormation is an infrastructure as code (IaC) service for modeling and provisioning AWS resources using templates.

Common permissions

cloudformation:ListStackscloudformation:DescribeStackscloudformation:CreateStackcloudformation:UpdateStackcloudformation:GetTemplatecloudformation:ListChangeSetscloudformation:DescribeChangeSetcloudformation:TagResource

Least-privilege example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStacks",
        "cloudformation:DescribeStacks",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:GetTemplate",
        "cloudformation:ListChangeSets",
        "cloudformation:DescribeChangeSet",
        "cloudformation:TagResource"
      ],
      "Resource": "*"
    }
  ]
}

Warnings

Avoid cloudformation:* — grants full control including stack deletion and resource modification
Avoid cloudformation:DeleteStack unless needed — can delete entire stacks and all resources

Resources

AWS referenceservicereference.us-east-1.amazonaws.com/v1/cloudformation/cloudformation.json ↗

API

full doc /v1/iam/cloudformation