Enforce Infrastructure as Code (IaC) by limiting the ability to create and manage AWS cloud resources unless they are deployed via Amazon CloudFormation. With the introduction of a new, powerful IAM policy condition named "aws:CalledVia", you can now grant your IAM principals the ability to deploy cloud resources only through CloudFormation, without allowing direct access to specific AWS services.
This rule can help you work with the AWS Well-Architected Framework.
A best practice is to tighten access to your cloud resources as you move towards production. With the "aws:CalledVia" IAM policy condition, you can limit user access to staging and production environments by requiring them to deploy resources through Amazon CloudFormation templates only (i.e. Infrastructure as Code), without granting them access to the AWS resources themselves. By enforcing the "aws:CalledVia" condition, you can be confident that your team members won't make changes outside CloudFormation to get your application to run properly in staging and production, while they can still access application logs, stats, and double-check configurations. For example, using the new policy condition, you can grant your IAM users the ability to launch EC2 instances, but only through Amazon CloudFormation, without granting direct access to the Amazon EC2 service.
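The policy shape this rule describes, together with a check that reproduces the audit logic offline, as an added example that is not the rule's own code: it flags any Allow statement that reaches EC2 actions (via Action or NotAction) without an "aws:CalledVia" condition naming CloudFormation. The two policy documents are constructed samples; the function names are assumptions, and Deny statements are not evaluated.

```python
import json

CFN_SERVICE = "cloudformation.amazonaws.com"
# aws:CalledVia is multivalued; AWS also exposes aws:CalledViaFirst / aws:CalledViaLast
CALLED_VIA_KEYS = {"aws:calledvia", "aws:calledviafirst", "aws:calledvialast"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _touches_ec2(action):
    """IAM action patterns are case-insensitive; '*' or any 'ec2:' prefix reaches EC2."""
    a = action.lower()
    return a == "*" or a.startswith("ec2:")


def _requires_cloudformation(condition):
    """True if a StringEquals-style operator pins a CalledVia key to CloudFormation."""
    for operator, pairs in condition.items():
        if operator.lower().split(":")[-1] not in ("stringequals", "stringequalsignorecase"):
            continue
        for key, values in pairs.items():
            if key.lower() in CALLED_VIA_KEYS and CFN_SERVICE in [v.lower() for v in _as_list(values)]:
                return True
    return False


def statement_allows_direct_ec2(stmt):
    """True if an Allow statement grants EC2 actions without the aws:CalledVia guard (hypothetical helper)."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Action" in stmt:
        covers_ec2 = any(_touches_ec2(a) for a in _as_list(stmt["Action"]))
    else:
        # NotAction allows everything not listed, so EC2 is covered unless the whole service is excluded
        excluded = [a.lower() for a in _as_list(stmt.get("NotAction", []))]
        covers_ec2 = not any(a in ("*", "ec2:*") for a in excluded)
    return covers_ec2 and not _requires_cloudformation(stmt.get("Condition", {}))


def policy_enforces_iac(policy_document):
    """True when no statement allows direct EC2 access, i.e. EC2 is reachable only through CloudFormation."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    return not any(statement_allows_direct_ec2(s) for s in _as_list(doc.get("Statement", [])))


# Constructed sample: EC2 is allowed only when CloudFormation makes the call on the user's behalf.
COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["cloudformation.amazonaws.com"]}}}]}

# Constructed sample: the same grant without the condition permits direct EC2 API calls.
DIRECT_ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:TerminateInstances"], "Resource": "*"}]}
```

To run this against a real account, feed it the documents returned by get-policy-version and get-user-policy for each user.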
Audit
To determine if your IAM users are restricted to deploying resources via AWS CloudFormation only, in order to implement Infrastructure as Code (IaC), perform the following actions:
Remediation/Resolution
To enforce Infrastructure as Code (IaC) via Amazon IAM policies using the "aws:CalledVia" condition element, perform the following actions:
Note: As an example, this conformity rule demonstrates how to enforce Infrastructure as Code by limiting the IAM user's ability to create, modify, and delete Amazon EC2 resources unless they are deployed via AWS CloudFormation.
References
- AWS Documentation
- AWS Identity and Access Management (IAM) FAQs
- Policies and permissions in IAM
- AWS global condition context keys
- IAM JSON policy elements: NotAction
- AWS Command Line Interface (CLI) Documentation
- iam/index
- list-users
- list-attached-user-policies
- get-policy-version
- list-user-policies
- get-user-policy
- create-policy
- attach-user-policy