Ensure that the IAM service role associated with your Amazon CloudFormation stack grants least privilege access in order to avoid unwanted privilege escalation, because users with privileges within the CloudFormation scope implicitly inherit the stack role's permissions. When an IAM service role is associated with a stack, Amazon CloudFormation uses this role for all operations that are performed on that stack, so you need to make sure that the IAM role adheres to the Principle of Least Privilege (POLP) by granting it only the minimal set of actions required to perform its tasks.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity solution.
Providing the right permissions for the IAM service role associated with your Amazon CloudFormation stack will significantly reduce the risk of unauthorized access to the cloud resources running within the stack.
Audit
To determine if your CloudFormation stacks have IAM service roles that grant least privilege, perform the following actions:
Remediation / Resolution
To update the permissions of the IAM service role associated with an Amazon CloudFormation stack so that it adheres to the Principle of Least Privilege (POLP), perform the following actions:
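As an added example that is not Conformity's own code, the following Python script implements the audit with the AWS CLI operations listed under References, called through boto3: it resolves the stack's service role, then flags Allow statements in its inline and attached policies. The wildcard criterion (`*` or service-wide `service:*` actions, `*` resources, NotAction/NotResource), the function names, the sample policy and the account ID `123456789012` are all assumptions of this example.

```python
import json

# Constructed sample: an inline policy an over-permissive stack role might carry.
SAMPLE_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-stack-artifacts/*"},
    {"Effect": "Allow", "Action": "iam:*",
     "Resource": "arn:aws:iam::123456789012:role/example-*"},
]})

def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def find_over_permissive_statements(policy_document):
    """Return Allow statements that grant by wildcard (assumed criterion).
    Accepts the policy as a JSON string or an already-decoded dict."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow widens it
        reasons = []
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            reasons.append("wildcard action")
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("wildcard resource")
        if "NotAction" in stmt or "NotResource" in stmt:
            reasons.append("NotAction/NotResource grants by exclusion")
        if reasons:
            findings.append({"statement": stmt, "reasons": reasons})
    return findings

def audit_stack_role(stack_name):
    """Live audit (hypothetical helper): describe-stacks -> RoleARN, then inspect
    inline (list-role-policies/get-role-policy) and attached policies
    (list-attached-role-policies/get-policy/get-policy-version)."""
    import boto3  # imported here so the offline checker above needs no AWS SDK
    cfn, iam = boto3.client("cloudformation"), boto3.client("iam")
    role_arn = cfn.describe_stacks(StackName=stack_name)["Stacks"][0].get("RoleARN")
    if not role_arn:
        return None  # no service role: the calling user's own permissions apply
    role, results = role_arn.split("/")[-1], {}
    for name in iam.list_role_policies(RoleName=role)["PolicyNames"]:
        doc = iam.get_role_policy(RoleName=role, PolicyName=name)["PolicyDocument"]
        results[name] = find_over_permissive_statements(doc)
    for att in iam.list_attached_role_policies(RoleName=role)["AttachedPolicies"]:
        ver = iam.get_policy(PolicyArn=att["PolicyArn"])["Policy"]["DefaultVersionId"]
        doc = iam.get_policy_version(PolicyArn=att["PolicyArn"], VersionId=ver)
        results[att["PolicyName"]] = find_over_permissive_statements(doc["PolicyVersion"]["Document"])
    return results
```

Any non-empty list returned for a policy is a candidate for tightening with `put-role-policy` (inline) or a new policy version (attached) that names only the actions and resources the stack's operations need.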
References
- AWS Documentation
- How Does AWS CloudFormation Work?
- Working with Stacks
- AWS CloudFormation Best Practices
- IAM Roles
- AWS CloudFormation Service Role
- AWS Command Line Interface (CLI) Documentation
- cloudformation
- list-attached-role-policies
- get-policy
- list-role-policies
- get-role-policy
- put-role-policy
- list-stacks