1
votes

Using nested stacks is a best practice in AWS CloudFormation, and indeed they solve many problems (code reuse, stack limits, etc).

It's also generally a good idea to do any sort of update with the minimal access necessary for that update (using the RoleARN of the UpdateStack command). I can't seem to find any documentation on exactly what IAM access is necessary to update a stack that has nested stacks.

1 Answer

2
votes

As described here, a stack update will always get the template for the nested stack again.

  1. (In addition to any rights necessary for the resources that are to be changed), s3:GetObject (or s3:GetObjectVersion if a versioned URL is used) is necessary for the location where the template for the nested stack is hosted.
  2. In addition (and I'm not sure why), an iam:GetRole is necessary for the role to self-inspect (so the Resource should be the ARN of the role itself).
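As an added example (not part of the answer above), the two permissions listed can be expressed as a CloudFormation service role that the update is run under. The bucket name, key prefix, role name and the SQS resource in the last statement are placeholders, not values from the original post.

```yaml
# Constructed example: a least-privilege service role for UpdateStack on a stack
# with nested stacks. Replace the placeholder bucket, prefix, role and resource names.
Resources:
  CfnNestedUpdateRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-nested-update-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: nested-stack-update-minimum
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # 1. CloudFormation re-fetches every nested stack template on update.
              #    s3:GetObjectVersion is only needed when the TemplateURL is versioned.
              - Sid: FetchNestedTemplates
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                Resource: arn:aws:s3:::example-template-bucket/nested/*
              # 2. The role must be able to inspect itself, so the Resource is the
              #    role's own ARN. Built with !Sub (not !GetAtt) to avoid a circular
              #    reference to the role being defined.
              - Sid: SelfInspect
                Effect: Allow
                Action: iam:GetRole
                Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cfn-nested-update-role"
              # 3. Placeholder for the rights the changed resources themselves need;
              #    scope these to exactly what the update touches.
              - Sid: ResourcesBeingUpdated
                Effect: Allow
                Action:
                  - sqs:GetQueueAttributes
                  - sqs:SetQueueAttributes
                Resource: !Sub "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:example-queue"
```

The stack update is then run with this role's ARN as the RoleARN of UpdateStack, so the update carries no more than these rights.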