AWS CloudFormation Service Role | Overview & Hands-On.

AWS CloudFormation Service Role - Overview & Hands-On.

Scope:

• Intro,
• Key Concepts,
• The concept: CloudFormation Service Role,
• Why Use a Service Role (Top Use Cases),
• How CloudFormation Uses the Service Role,
• How to Set a Service Role (Step-by-Step),

• Option-1: Creating stack AWS CLI,

• Option-2:  creating Stack through AWS Console,

• Sample IAM Policy Required for CloudFormation Service Role,
• Key Behavior Differences between Execution Role vs. Service Role,
• Advanced Topics & Edge Cases,
• CloudFormation Service Role (Sample Interview Questions & Answers),
• Final thoughts,
• Project: Hands-On.

Intro:

•  A CloudFormation service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to:
• Create, 
• Update, 
• Delete stack resources on twtech behalf (AssumeRole).

Key Concepts

Permissions:

•  When a service role is specified during stack operations, CloudFormation uses the permissions defined in that role's policies instead of the permissions of the individual IAM principal (user or role) who initiated the operation.

Trust Policy:

•  The service role must have a trust policy that allows the cloudformation.amazonaws.com service principal to assume the role.

Least Privilege: 

• Following the principle of least privilege is a best practice. 
• The service role should only have the minimum permissions necessary to manage the resources defined in twtech CloudFormation template.

Privilege Escalation:

• Caution must be exercised to prevent privilege escalation. 
• Any user with permissions to perform operations on a stack associated with a service role can use that role's permissions, even if they don't have explicit iam:PassRole permissions.

Specifying a Role:

• twtech can specify the Amazon Resource Name (ARN) of the service role when it creates or update a stack using the AWS Management Console, AWS CLI, or APIs.

StackSets:

•  Service roles are crucial for managing AWS CloudFormation StackSets, which enable the deployment of a common set of resources across multiple accounts and regions. 
• By using a service role, twtech can centralize permission management and enforce consistent access control for its infrastructure deployments via CloudFormation
• CloudFormation normally, therefore uses the AWS account's permissions (IAM user/role executing the stack) to:
• Create, 
• Update, 
• Delete resources.

NB:

• However, this  execution can create issues if:

• The deploying user has restricted permissions.
• twtech might want CloudFormation to operate with least privilege.
• twtech may require stricter security boundaries and audit tracking.
• twtech wants CI/CD pipelines to deploy safely without granting them too many permissions.

• To solve the above issues, CloudFormation supports the template with service role.

 The concept of CloudFormation Service Role

• A CloudFormation Service Role is an IAM Role that CloudFormation assumes during stack operations to provision AWS resources on twtech behalf.

CloudFormation uses this role to:

•  Create resources
•  Modify/update resources
•  Delete or rollback resources
•  Perform drift detection
•  Validate changes

Key Attribute

• The service role must allow the CloudFormation service principal cloudformation.amazonaws.com to assume it.

 Why Use a Service Role (Top Use Cases)

Use Case	Explanation
Least-privilege deployments	Restrict CloudFormation to only the permissions required by the stack.
CI/CD pipelines	Teams can deploy templates without needing full admin rights.
Separation of duties	Dev teams write templates; CloudFormation service role enforces what can/cannot be created.
Stronger governance & compliance	Prevent CloudFormation from provisioning unauthorized resources.
Automated rollback control	Ensure CloudFormation always has the permissions to rollback failures.
Multi-account deployments	Each account has its own scoped CloudFormation role.

 How CloudFormation Uses the Service Role

A. User/CI/CD triggers a stack operation

• CloudFormation checks for a specified service role (--role-arn).

B. CloudFormation assumes the role

Using STS → obtains temporary credentials.

C. CloudFormation provisions resources

All API calls use the role’s permissions, not the user’s.

D. Audit logging (CloudTrail logs show):

userIdentity.type = "AWSService"

userIdentity.invokedBy = "cloudformation.amazonaws.com"

NB:

• This allows full traceability.

 How to Set a Service Role (Step-by-Step)

Option-1: Creating stack AWS CLI,

# bash

aws cloudformation create-stack \

  --stack-name twtechStack \

  --template-body file://template.yaml \

  --role-arn arn:aws:iam::accountID:role/CfnServiceRole

Option-2:  creating Stack through AWS Console

Stack → “Configure stack options” → "Permissions" section → "IAM role".

Sample IAM Policy Required for CloudFormation Service Role

1. Trust Policy (Role Assumption Policy)

# json

{

  "Version": "2012-10-17",

  "Statement": [{

    "Effect": "Allow",

    "Principal": {

      "Service": "cloudformation.amazonaws.com"

    },

    "Action": "sts:AssumeRole"

  }]

}

2. Permissions Policy (sample Least Privilege)

# Here is a sample focused on EC2, S3, IAM:

#json

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Effect": "Allow",

      "Action": [

        "ec2:*",

        "s3:*",

        "iam:CreateRole",

        "iam:AttachRolePolicy",

        "iam:PutRolePolicy",

        "iam:PassRole"

      ],

      "Resource": "*"

    }

  ]

}

# NB:

•  Least privilege is essential.
• Least privilege only provide permissions needed for the template.

 Key Behavior Differences betweeen Execution Role vs. Service Role

Feature	Execution Role (Lambda/EC2)	Service Role (CloudFormation)
Used by	Individual resource (e.g., Lambda)	CloudFormation engine
Purpose	API permissions for the resource	Provision/update/delete resources
Requirement	Often template-created	Must pre-exist or be managed outside

 Advanced Topics & Edge Cases

1. Cross-Account CloudFormation Deployment

NB:

• Service Role must trust CloudFormation and allow STS from the deploying account.

Use cases:

•  AWS Control Tower
•  Service Catalog
•  CI/CD multi-account pipelines

2. Using a Service Role with Drift Detection

CloudFormation assumes the same service role for:

• Drift detection
• Change sets
• Stack updates

NB:

• If the role lacks Describe* permissions → drift detection fails.

3. Restricting CloudFormation From Creating IAM Roles

• Use service role + permissions boundaries:

Sample: Block resources of type AWS::IAM::*

#json

{

  "Effect": "Deny",

  "Action": "iam:*",

  "Resource": "*"

}

NB:

• This above permission is common in enterprises to prevent IAM privilege escalations.

4. StackSets and Service Roles (TWO roles):

Role	Description
Administration Role	In the management account
Execution Role	In target account

NB:

• CloudFormation Service Role is separate, but it can be used inside StackSets per-stack.

CloudFormation Service Role (Sample Interview Questions & Answers)

1. Why use a CloudFormation service role?

• To provide CloudFormation least-privilege, centralized, auditable permissions to deploy resources.

2. Does CloudFormation require a service role?

• No—optional. 
• If not provided, CloudFormation uses the caller’s identity.

3. What happens if the service role lacks permissions?

• Stack update/create/rollback fails with AccessDenied errors.

4. How is the service role different from the execution role?

• Execution roles are used by AWS resources (Lambda/ECS), while the service role is used by CloudFormation to operate on resources.

5. Can CloudFormation pass IAM roles?

• Yes, 
• but only if the service role includes:
• iam:PassRole

Final thoughts

• AWS CloudFormation Service Role helps enforce:
• ✔    Least-privilege deployments
• ✔    CI/CD security
• ✔    Better governance
• ✔    Isolated permissions
• ✔    Secure multi-account deployments
• ✔    Clean audit trail via CloudTrail

NB:

• Service role is a must-use feature for enterprise-grade CloudFormation deployments.

Project: Hands-On

• How twtech uses CloudFormation Service Role to define stack resources that CloudFormation can create, update, or delete on its behalf (AssumeRole).

Step-1:

Search for AWS Service: IAM

Navigate to roles under iAM:

Step-2:

Create role for an:  AWS service

twtech wants to give CloudFormation full access (AssumeRole) for: S3

Name, review, and create

Create role:

Step-3:

• Attached the role created (twtech-s3-cf-role) to cloudFormation template during stack creation.