Add CloudFormation write IAM role, managed policy, and repository README

Daisuke Nakahara 2025-12-31 19:52:14 +09:00
commit ef8bceff67
3 changed files with 111 additions and 0 deletions

README.md Normal file

@ -0,0 +1,11 @@
# CloudFormation Write IAM Definitions
This repository defines IAM roles and policies for safely executing AWS CloudFormation operations via `AssumeRole`.
- `roles/cloudformation-write-role.yaml`
IAM role for CloudFormation execution, including ECR import permissions.
Assumable by specified IAM Identity Center roles.
- `policies/cloudformation-write-policy.yaml`
Managed policy granting minimal CloudFormation write access.
Intended for use via the execution role, not attached directly to users.
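Review bot: the README describes the policy as granting "minimal" write access and the role as "safely executing" CloudFormation, but neither file in this commit scopes its resources that way: every statement in `policies/cloudformation-write-policy.yaml` uses `Resource: "*"`, and the role's inline policies allow `iam:PutRolePolicy` and `iam:CreatePolicyVersion` on every role and customer-managed policy in the account. Either tighten the templates or qualify the wording here. The README should also state the deployment order and inputs: the role template's `ManagedPolicyArns` references `policy/CloudFormationWrite` by name, so the policy stack must exist before the role stack, and the role stack needs the `AdminPrincipalArns` parameter (a list of IAM Identity Center role ARNs).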

policies/cloudformation-write-policy.yaml Normal file

@ -0,0 +1,42 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation Write-Only Managed Policy for Deployment Operations
Resources:
CloudFormationWritePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: CloudFormationWrite
Description: Minimal CloudFormation write permissions for deployment operations. Intended for use via AssumeRole, not attached to Permission Sets.
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- cloudformation:CreateStack
- cloudformation:UpdateStack
- cloudformation:DeleteStack
- cloudformation:CreateUploadBucket
- cloudformation:CreateChangeSet
- cloudformation:ExecuteChangeSet
- cloudformation:DescribeStacks
- cloudformation:DescribeStackEvents
- cloudformation:DescribeChangeSet
- cloudformation:ListStacks
- cloudformation:ListChangeSets
- cloudformation:DetectStackDrift
- cloudformation:DetectStackResourceDrift
- cloudformation:DescribeStackDriftDetectionStatus
- cloudformation:ImportStacksToStackSet
- cloudformation:ContinueUpdateRollback
Resource: "*"
- Effect: Allow
Action:
- tag:TagResources
- tag:UntagResources
Resource: "*"
- Effect: Allow
Action:
- s3:PutObject
Resource: "*"
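Review bot: the third statement grants `s3:PutObject` on `Resource: "*"`, which lets the role write objects into any bucket in the account, not just the template upload bucket; narrow it to the bucket CloudFormation uses for template uploads (a placeholder such as `arn:aws:s3:::<template-bucket>/*`) or drop it if templates are passed inline. The CloudFormation and `tag:*` statements are likewise on `"*"` although the Description says "Minimal"; at least `cloudformation:DeleteStack` and `cloudformation:ContinueUpdateRollback` deserve a stack-ARN resource or a condition so the deployment identity cannot delete unrelated stacks. `cloudformation:ImportStacksToStackSet` is a StackSets operation and looks out of place next to the single-stack actions; remove it unless StackSets are in scope.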

roles/cloudformation-write-role.yaml Normal file

@ -0,0 +1,58 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Role for CloudFormation Write operations via AssumeRole
Parameters:
AdminPrincipalArns:
Type: List<String>
Description: List of IAM Identity Center Role ARNs allowed to assume this role.
Resources:
CloudFormationWriteRole:
Type: AWS::IAM::Role
Properties:
RoleName: CloudFormationWriteRole
Description: Role for performing CloudFormation write operations. Intended to be assumed manually or by CI/CD, not attached to Permission Sets.
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Ref AdminPrincipalArns
Action: sts:AssumeRole
Policies:
- PolicyName: ECRImport
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- ecr:DescribeRepositories
- ecr:GetRepositoryPolicy
- ecr:DeleteRepositoryPolicy
- ecr:PutImageScanningConfiguration
Resource:
- !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
- PolicyName: RoleWrite
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- iam:PutRolePolicy
- iam:DeleteRolePolicy
Resource:
- !Sub arn:aws:iam::${AWS::AccountId}:role/*
- PolicyName: PolicyWrite
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- iam:CreatePolicyVersion
- iam:DeletePolicyVersion
Resource:
- !Sub arn:aws:iam::${AWS::AccountId}:policy/*
ManagedPolicyArns:
- arn:aws:iam::aws:policy/ReadOnlyAccess
- !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
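Review bot: the `RoleWrite` and `PolicyWrite` inline policies cover `role/*` and `policy/*`, which includes this role itself (`role/CloudFormationWriteRole`) and the `CloudFormationWrite` managed policy attached to it, so a principal that assumes the role can add inline permissions to it or publish a new default version of its own policy; that defeats the least-privilege intent stated in the Description. Exclude both ARNs (an explicit `Deny` on them, or a `Resource` list limited to the roles and policies the deployments actually manage) and consider a `PermissionsBoundary` on the role. `ReadOnlyAccess` is also broader than its name suggests (it includes data-reading actions such as `s3:GetObject` across all buckets); `ViewOnlyAccess` or a scoped read policy would fit the "Intended to be assumed manually or by CI/CD" description better. Minor: `ECRImport` allows `ecr:DeleteRepositoryPolicy`, a write action with no obvious part in importing repositories; if the import needs it, document why in a comment.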