Next steps

You can use the information and examples in this guide to start applying the principle of least privilege in your organization. We recommend that you review the additional resources in the Resources section, which contains documentation references and tools that can help you refine your policies.

This guide is intended to help you start implementing least-privilege access for AWS CloudFormation. However, there are additional types of policies that can help you strengthen the principle of least-privilege in your organization. Based on your environment and business requirements, you might want to implement additional controls that are not discussed in this guide. As a next step and for more information, we recommend that you review the following topics related to least privilege and configuring access and permissions:

The following tools can help you monitor least-privilege access and permissions for CloudFormation:

AWS Identity and Access Management Access Analyzer
You can use the Access Advisor tab in the AWS Identity and Access Management (IAM) console to identify excessive permissions for IAM identities. For an example, see Tighten S3 permissions for your IAM users and roles using access history of S3 actions (AWS blog post).
You can use a linting tool, such as cfn-policy-validator (GitHub), to help identify excessive permissions.

When you are comfortable with creating and managing CloudFormation permissions, it is recommended that you use continuous integration and continuous delivery (CI/CD) pipelines to deploy your CloudFormation templates. This reduces the risk of human errors and speeds up your deployment process.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Best practices

Resources