Actions, Resources, and Condition Keys for AWS CloudFormation
AWS CloudFormation (service prefix: cloudformation) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions Defined by AWS CloudFormation
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The Actions Table.
Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
---|---|---|---|---|---|
CancelUpdateStack | Cancels an update on the specified stack. | Write | |||
ContinueUpdateRollback | For a specified stack that is in the UPDATE_ROLLBACK_FAILED state, continues rolling it back to the UPDATE_ROLLBACK_COMPLETE state. | Write | |||
CreateChangeSet | Creates a list of changes for a stack. | Write | |||
CreateStack | Creates a stack as specified in the template. | Write | |||
CreateStackInstances | Creates stack instances for the specified accounts, within the specified regions. | Write | |||
CreateStackSet | Creates a stackset as specified in the template. | Write | |||
CreateUploadBucket [permission only] | | Write | |||
DeleteChangeSet | Deletes the specified change set. Deleting change sets ensures that no one executes the wrong change set. | Write | |||
DeleteStack | Deletes a specified stack. | Write | |||
DeleteStackInstances | Deletes stack instances for the specified accounts, in the specified regions. | Write | |||
DeleteStackSet | Deletes a specified stackset. | Write | |||
DescribeAccountLimits | Retrieves your account's AWS CloudFormation limits. | Read | |||
DescribeChangeSet | Returns the description for the specified change set. | Read | |||
DescribeStackDriftDetectionStatus | Returns information about a stack drift detection operation. | Read | |||
DescribeStackEvents | Returns all stack related events for a specified stack. | Read | |||
DescribeStackInstance | Returns the stack instance that's associated with the specified stack set, AWS account, and region. | Read | |||
DescribeStackResource | Returns a description of the specified resource in the specified stack. | Read | |||
DescribeStackResourceDrifts | Returns drift information for the resources that have been checked for drift in the specified stack. | Read | |||
DescribeStackResources | Returns AWS resource descriptions for running and deleted stacks. | Read | |||
DescribeStackSet | Returns the description of the specified stack set. | Read | |||
DescribeStackSetOperation | Returns the description of the specified stack set operation. | Read | |||
DescribeStacks | Returns the description for the specified stack. | List | |||
DetectStackDrift | Detects whether a stack's actual configuration differs, or has drifted, from its expected configuration, as defined in the stack template and any values specified as template parameters. | Read | |||
DetectStackResourceDrift | Returns information about whether a resource's actual configuration differs, or has drifted, from its expected configuration, as defined in the stack template and any values specified as template parameters. | Read | |||
EstimateTemplateCost | Returns the estimated monthly cost of a template. | Read | |||
ExecuteChangeSet | Updates a stack using the input information that was provided when the specified change set was created. | Write | |||
GetStackPolicy | Returns the stack policy for a specified stack. | Read | |||
GetTemplate | Returns the template body for a specified stack. | Read | |||
GetTemplateSummary | Returns information about a new or existing template. | Read | |||
ListChangeSets | Returns the ID and status of each active change set for a stack. For example, AWS CloudFormation lists change sets that are in the CREATE_IN_PROGRESS or CREATE_PENDING state. | List | |||
ListExports | Lists all exported output values in the account and region in which you call this action. | List | |||
ListImports | Lists all stacks that are importing an exported output value. | List | |||
ListStackInstances | Returns summary information about stack instances that are associated with the specified stack set. | List | |||
ListStackResources | Returns descriptions of all resources of the specified stack. | List | |||
ListStackSetOperationResults | Returns summary information about the results of a stack set operation. | List | |||
ListStackSetOperations | Returns summary information about operations performed on a stack set. | List | |||
ListStackSets | Returns summary information about stack sets that are associated with the user. | List | |||
ListStacks | Returns the summary information for stacks whose status matches the specified StackStatusFilter. | List | |||
SetStackPolicy | Sets a stack policy for a specified stack. | Permissions management | |||
SignalResource | Sends a signal to the specified resource with a success or failure status. | Write | |||
StopStackSetOperation | Stops an in-progress operation on a stack set and its associated stack instances. | Write | |||
TagResource | Tagging cloudformation resources. | Tagging | |||
UntagResource | Untagging cloudformation resources. | Tagging | |||
UpdateStack | Updates a stack as specified in the template. | Write | |||
UpdateStackInstances | Updates the parameter values for stack instances for the specified accounts, within the specified regions. | Write | |||
UpdateStackSet | Updates a stackset as specified in the template. | Write | |||
UpdateTerminationProtection | Updates termination protection for the specified stack. | Write | |||
ValidateTemplate | Validates a specified template. | Write | |||
Resources Defined by AWS CloudFormation
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.
Resource Types | ARN | Condition Keys |
---|---|---|
stack | arn:${Partition}:cloudformation:${Region}:${Account}:stack/${StackName}/${Id} | |
stackset | arn:${Partition}:cloudformation:${Region}:${Account}:stackset/${StackSetName}:${Id} | |
changeset | arn:${Partition}:cloudformation:${Region}:${Account}:changeSet/${ChangeSetName}:${Id} | |
Condition Keys for AWS CloudFormation
AWS CloudFormation defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.
To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.
Condition Keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | | String |
aws:ResourceTag/${TagKey} | | String |
aws:TagKeys | | String |
cloudformation:ChangeSetName | An AWS CloudFormation change set name. Use to control which change sets IAM users can execute or delete. | String |
cloudformation:ResourceTypes | The template resource types, such as `AWS::EC2::Instance`. Use to control which resource types IAM users can work with when they create or update a stack. | String |
cloudformation:RoleArn | The ARN of an IAM service role. Use to control which service role IAM users can use to work with stacks or change sets. | ARN |
cloudformation:StackPolicyUrl | An Amazon S3 stack policy URL. Use to control which stack policies IAM users can associate with a stack during a create or update stack action. | String |
cloudformation:TemplateUrl | An Amazon S3 template URL. Use to control which templates IAM users can use when they create or update stacks. | String |
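The following is an added example, not part of the AWS reference page, that ties the three tables together: a policy statement scoping CreateStack and UpdateStack to the stack ARN format above, and using cloudformation:TemplateUrl, cloudformation:RoleArn and cloudformation:ResourceTypes to restrict which templates, service role and template resource types a deployer may use. The account id, bucket and role names are constructed placeholders, and the evaluator is a deliberately minimal model of IAM matching for this one statement (ForAllValues semantics for the multi-valued ResourceTypes key, implicit deny otherwise).

```python
"""Added example (not from the AWS reference): one IAM Allow statement for
CloudFormation deployments plus a tiny evaluator showing which requests the
condition keys admit. Account id, bucket and role are constructed placeholders."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                                  # constructed placeholder
TEMPLATE_BUCKET = "https://example-approved-templates.s3.amazonaws.com/*"
DEPLOY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/example-cfn-deploy-role"

POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
    # stack ARN format from the resource-types table: only stacks named prod-*
    "Resource": f"arn:aws:cloudformation:us-east-1:{ACCOUNT}:stack/prod-*/*",
    "Condition": {
        # templates may only come from the approved bucket
        "StringLike": {"cloudformation:TemplateUrl": TEMPLATE_BUCKET},
        # stacks must be deployed through one known service role
        "ArnEquals": {"cloudformation:RoleArn": DEPLOY_ROLE},
        # ResourceTypes is multi-valued: every type in the template must match
        "ForAllValues:StringLike": {
            "cloudformation:ResourceTypes": ["AWS::EC2::*", "AWS::S3::Bucket"]},
    },
}

def _match(value, patterns):
    return any(fnmatchcase(value, p) for p in patterns)

def is_allowed(action, resource, context):
    """Evaluate this statement only: implicit deny unless the action, the
    resource and every condition match. `context` maps condition keys to a
    str (single-valued keys) or a list of str (ResourceTypes)."""
    s = POLICY_STATEMENT
    if action not in s["Action"] or not fnmatchcase(resource, s["Resource"]):
        return False
    for operator, pairs in s["Condition"].items():
        for key, want in pairs.items():
            want = want if isinstance(want, list) else [want]
            have = context.get(key)
            if operator.startswith("ForAllValues:"):
                # vacuously true when the key is absent, as in IAM
                if any(not _match(v, want) for v in (have or [])):
                    return False
            elif have is None or not _match(have, want):
                return False  # single-valued key missing or unmatched
    return True
```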