An Overview of AWS CloudFormation Service Role
Scope:
- Architecture
- Use cases
- Best practices
- IAM policies
- Advanced scenarios
- Interview-level details
Breakdown:
- Intro
- The concept: CloudFormation Service Role
- Why Use a Service Role (Top Use Cases)
- How CloudFormation Uses the Service Role
- How to Set a Service Role
- IAM Policy Required for CloudFormation Service Role
- Key Behavior Differences: Execution Role vs. Service Role
- Advanced Topics & Edge Cases
- CloudFormation Service Role – Interview Questions & Answers
- Final thoughts
Intro:
- A CloudFormation service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to create, update, or delete stack resources on twtech's behalf (via AssumeRole).
Key Concepts
Permissions:
- When a service role is specified during stack operations, CloudFormation uses the permissions defined in that role's policies instead of the permissions of the individual IAM principal (user or role) who initiated the operation.
- The service role must have a trust policy that allows the cloudformation.amazonaws.com service principal to assume the role.
Least Privilege:
- Following the principle of least privilege is a best practice. The service role should have only the minimum permissions necessary to manage the resources defined in the twtech CloudFormation template.
Privilege Escalation:
- Caution must be exercised to prevent privilege escalation. Any user with permission to perform operations on a stack associated with a service role can use that role's permissions, even if they don't have explicit iam:PassRole permissions.
Specifying a Role:
- twtech can specify the Amazon Resource Name (ARN) of the service role when it creates or updates a stack using the AWS Management Console, AWS CLI, or APIs.
StackSets:
- Service roles are crucial for managing AWS CloudFormation StackSets, which enable the deployment of a common set of resources across multiple accounts and regions.
- By using a service role, twtech can centralize permission management and enforce consistent access control for its infrastructure deployments via CloudFormation.
Default behavior (no service role):
- CloudFormation normally uses the permissions of the IAM user or role executing the stack operation to create, update, or delete resources.
However, this execution model can create issues if:
- The deploying user might have restricted permissions.
- twtech might want CloudFormation to operate with least privilege.
- twtech may require stricter security boundaries and audit tracking.
- twtech wants CI/CD pipelines to deploy safely without granting them too many permissions.
NB:
- To solve the above issues, CloudFormation supports specifying a service role for the stack.
The concept: CloudFormation Service Role
- A CloudFormation Service Role is an IAM Role that CloudFormation assumes during stack operations to provision AWS resources on twtech's behalf.
CloudFormation uses this role to:
- Create resources
- Modify/update resources
- Delete or roll back resources
- Perform drift detection
- Validate changes
Key Attribute
- The service role must allow the CloudFormation service principal cloudformation.amazonaws.com to assume it.
Why Use a Service Role (Top Use Cases)
| Use Case | Explanation |
| --- | --- |
| Least-privilege deployments | Restrict CloudFormation to only the permissions required by the stack. |
| CI/CD pipelines | Teams can deploy templates without needing full admin rights. |
| Separation of duties | Dev teams write templates; the CloudFormation service role enforces what can/cannot be created. |
| Stronger governance & compliance | Prevent CloudFormation from provisioning unauthorized resources. |
| Automated rollback control | Ensure CloudFormation always has the permissions to roll back failures. |
| Multi-account deployments | Each account has its own scoped CloudFormation role. |
How CloudFormation Uses the Service Role
1. User/CI/CD triggers a stack operation
   CloudFormation checks for a specified service role (--role-arn).
2. CloudFormation assumes the role
   Using STS, it obtains temporary credentials.
3. CloudFormation provisions resources
   All API calls use the role's permissions, not the user's.
4. Audit logging
   CloudTrail logs show:
   userIdentity.type = "AWSService"
   userIdentity.invokedBy = "cloudformation.amazonaws.com"
NB:
This allows full traceability.
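The audit step above is only useful if someone actually reads the trail. The following is an added example (not part of the original post) of detection logic that classifies CloudTrail records by whether CloudFormation made the call through a service role, keyed off the userIdentity.invokedBy field named above, and groups the API calls per service role. The three records are constructed sample data; the account ID 111122223333, the role name CfnServiceRole and the user name developer are placeholders. Attribution to a specific role reads userIdentity.sessionContext.sessionIssuer.arn, which is assumed here to be present on such records.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records, not taken from a real account. The account ID
# 111122223333, the role name CfnServiceRole and the user name developer are placeholders.
SAMPLE_TRAIL = "\n".join(json.dumps(e) for e in [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"invokedBy": "cloudformation.amazonaws.com",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/CfnServiceRole"}}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"invokedBy": "cloudformation.amazonaws.com",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/CfnServiceRole"}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/developer"}},
])

CFN_PRINCIPAL = "cloudformation.amazonaws.com"

# IAM actions from the sample permissions policy that can widen what the role can reach.
SENSITIVE_IAM_CALLS = {"iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole"}


def parse_trail(text):
    """One JSON record per line, as you get after flattening the Records array of a CloudTrail log file."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def api_call(event):
    """'ec2.amazonaws.com' + 'RunInstances' -> 'ec2:RunInstances'."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def via_cloudformation(event):
    """True when CloudFormation made the call on the caller's behalf, i.e. through a service role."""
    return event.get("userIdentity", {}).get("invokedBy") == CFN_PRINCIPAL


def service_role_arn(event):
    """The role CloudFormation assumed, read from the session issuer of the record."""
    return (event.get("userIdentity", {}).get("sessionContext", {})
            .get("sessionIssuer", {}).get("arn", "unknown"))


def summarize(events):
    """Map each service role to the sorted API calls it made; direct (non-CloudFormation) calls separately."""
    by_role, direct = defaultdict(set), set()
    for e in events:
        if via_cloudformation(e):
            by_role[service_role_arn(e)].add(api_call(e))
        else:
            direct.add(api_call(e))
    return {role: sorted(calls) for role, calls in by_role.items()}, sorted(direct)


def sensitive_iam_calls(events):
    """Service-role calls that touched IAM: the ones to review for privilege escalation through a stack."""
    return [(service_role_arn(e), api_call(e)) for e in events
            if via_cloudformation(e) and api_call(e) in SENSITIVE_IAM_CALLS]


if __name__ == "__main__":
    evs = parse_trail(SAMPLE_TRAIL)
    print(summarize(evs))
    print(sensitive_iam_calls(evs))
```

Running this over a real trail export gives, per service role, the inventory of APIs the stacks actually exercised, which is the input you need to trim a wildcard-heavy permissions policy down to what the templates use.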
How to Set a Service Role
Option 1 — When creating a stack (CLI)
# bash
aws cloudformation create-stack \
  --stack-name twtechStack \
  --template-body file://template.yaml \
  --role-arn arn:aws:iam::accountID:role/CfnServiceRole
Option 2 — Through the AWS Console
Stack → "Configure stack options" → "Permissions" section → "IAM role".
IAM Policy Required for CloudFormation Service Role
1. Trust Policy (Role Assumption Policy)
# json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "cloudformation.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
2. Permissions Policy (Example Least Privilege)
Here is a sample focused on EC2, S3, IAM:
# json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}
NB:
- Least privilege is essential—only provide permissions needed for the template.
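The sample above still carries ec2:* and s3:* wildcards, IAM write actions on Resource "*", and an unconditioned iam:PassRole, so it is a starting point rather than a finished least-privilege policy. As an added example (not code from the original post), here is a small linter that checks the trust policy from the Key Concepts section (only cloudformation.amazonaws.com may assume the role, only via sts:AssumeRole) and flags those grants in the permissions policy. The two page policies are reproduced as Python dicts; the tightened variant is an assumption for illustration, with the account ID 111122223333, the twtech-* name prefixes and the iam:PassedToService condition value chosen for the example.

```python
import json

# The two policies as given in the text above (the page's own samples).
PAGE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "cloudformation.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
PAGE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:*", "s3:*", "iam:CreateRole", "iam:AttachRolePolicy",
                              "iam:PutRolePolicy", "iam:PassRole"],
                   "Resource": "*"}],
}

# A tightened variant, assumed for illustration: actions enumerated, IAM writes scoped
# to a role-name prefix, iam:PassRole limited to roles handed to EC2. The account ID
# 111122223333 and the twtech-* prefixes are placeholders.
TIGHTENED_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketPolicy"],
         "Resource": "arn:aws:s3:::twtech-*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": "arn:aws:iam::111122223333:role/twtech-app-*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/twtech-app-*",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

CFN_PRINCIPAL = "cloudformation.amazonaws.com"
READ_ONLY_PREFIXES = ("Describe", "Get", "List")
IAM_WRITE_ACTIONS = {"iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_write(action):
    """'*' or 'svc:*' grants every action of a service; 'ec2:Describe*' is read-only and tolerated."""
    if action == "*":
        return True
    _, _, name = action.partition(":")
    return name.endswith("*") and not name.startswith(READ_ONLY_PREFIXES)


def audit_trust_policy(policy):
    """Only the CloudFormation service principal may assume the role, and only via sts:AssumeRole."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if (not isinstance(principal, dict) or set(principal) != {"Service"}
                or _as_list(principal["Service"]) != [CFN_PRINCIPAL]):
            findings.append(f"trust statement {i}: principal must be exactly {CFN_PRINCIPAL}")
        if _as_list(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"trust statement {i}: action must be exactly sts:AssumeRole")
    return findings


def audit_permissions_policy(policy):
    """Flag the grants that defeat least privilege or enable IAM escalation through the stack."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        cond_keys = {k for block in st.get("Condition", {}).values() for k in block}
        for action in _as_list(st.get("Action", [])):
            if _wildcard_write(action):
                findings.append(f"statement {i}: wildcard action {action}")
            if action in IAM_WRITE_ACTIONS and "*" in resources:
                findings.append(f"statement {i}: {action} on Resource '*' lets any stack create or modify any role")
            if action == "iam:PassRole" and "iam:PassedToService" not in cond_keys:
                findings.append(f"statement {i}: iam:PassRole without an iam:PassedToService condition")
    return findings


if __name__ == "__main__":
    for name, policy in [("page sample", PAGE_PERMISSIONS_POLICY), ("tightened", TIGHTENED_PERMISSIONS_POLICY)]:
        print(name, json.dumps(audit_permissions_policy(policy), indent=2))
```

The check is deliberately narrow: it does not evaluate policies, it only names the patterns that most often turn a CloudFormation service role into an escalation path, so it can sit in a CI step that reviews role definitions before they are deployed.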
Key Behavior Differences: Execution Role vs. Service Role
| Feature | Execution Role (Lambda/EC2) | Service Role (CloudFormation) |
| --- | --- | --- |
| Used by | Individual resource (e.g., Lambda) | CloudFormation engine |
| Purpose | API permissions for the resource | Provision/update/delete resources |
| Requirement | Often template-created | Must pre-exist or be managed outside |
Advanced Topics & Edge Cases
1. Cross-Account CloudFormation Deployment
NB:
- The service role must trust CloudFormation and allow STS from the deploying account.
Use cases:
- AWS Control Tower
- Service Catalog
- CI/CD multi-account pipelines
2. Using a Service Role with Drift Detection
CloudFormation assumes the same service role for:
- Drift detection
- Change sets
- Stack updates
If the role lacks Describe* permissions, drift detection fails.
3. Restricting CloudFormation From Creating IAM Roles
Use a service role plus permissions boundaries.
Example: block resources of type AWS::IAM::*
# json
{
  "Effect": "Deny",
  "Action": "iam:*",
  "Resource": "*"
}
NB:
- This permission is common in enterprises to prevent IAM privilege escalation.
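To see why the Deny above is effective even when the role's own policy still allows iam:CreateRole, the following added example (not from the original post) implements the two IAM evaluation rules that matter here: an explicit Deny beats any Allow, and with a permissions boundary the effective permission is the intersection of the role policy and the boundary. The role policy is the page's sample permissions policy with the page's Deny statement appended; the boundary policy is an assumption for illustration. Wildcard matching uses fnmatch, which is a simplification of real IAM matching that is adequate for Action and ARN patterns like these.

```python
import fnmatch

# Permissions policy from the text above (the page's sample), plus the explicit Deny
# on iam:* from the same section appended as a second statement.
GUARDED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "s3:*", "iam:CreateRole", "iam:AttachRolePolicy",
                    "iam:PutRolePolicy", "iam:PassRole"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# The page's sample on its own (Allow statement only), for comparison.
PAGE_PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [GUARDED_POLICY["Statement"][0]]}

# A permissions boundary, assumed for illustration: it carries the same Deny so the
# ceiling holds even if someone later widens the role's inline policy.
IAM_BLOCKING_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match for Action and Resource elements ('iam:*', 'arn:aws:s3:::twtech-*')."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource="*"):
    """Simplified IAM evaluation: an explicit Deny wins over any Allow; no matching Allow is an implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if not _matches(st["Action"], action) or not _matches(st.get("Resource", "*"), resource):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def is_allowed_with_boundary(policy, boundary, action, resource="*"):
    """With a permissions boundary the effective permission is the intersection of both policies."""
    return is_allowed(policy, action, resource) and is_allowed(boundary, action, resource)


def refused_actions(policy, boundary, actions):
    """Dry-run the API actions a template needs against the role; returns the ones that would fail with AccessDenied."""
    return [a for a in actions if not is_allowed_with_boundary(policy, boundary, a)]


if __name__ == "__main__":
    needed = ["s3:CreateBucket", "ec2:RunInstances", "iam:CreateRole"]
    print("refused:", refused_actions(PAGE_PERMISSIONS_POLICY, IAM_BLOCKING_BOUNDARY, needed))
```

The refused_actions dry run is the practical use: a template that declares an AWS::IAM::Role will fail at that resource and roll back, so it is better to find out from the policy than from a failed stack.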
4. StackSets and Service Roles
StackSets use TWO roles:
| Role | Description |
| --- | --- |
| Administration Role | In the management account |
| Execution Role | In the target account |
NB:
- The CloudFormation Service Role is separate, but can be used inside StackSets per stack.
CloudFormation Service Role – Interview Questions & Answers
1. Why use a CloudFormation service role?
To provide CloudFormation least-privilege, centralized, auditable permissions to deploy resources.
2. Does CloudFormation require a service role?
No—optional. If not provided, CloudFormation uses the caller's identity.
3. What happens if the service role lacks permissions?
Stack update/create/rollback fails with AccessDenied errors.
4. How is the service role different from the execution role?
Execution roles are used by AWS resources (Lambda/ECS), while the service role is used by CloudFormation to operate on resources.
5. Can CloudFormation pass IAM roles?
Yes, but only if the service role includes iam:PassRole.
Final thoughts
AWS CloudFormation Service Role helps enforce:
✔ Least-privilege deployments
✔ CI/CD security
✔ Better governance
✔ Isolated permissions
✔ Secure multi-account deployments
✔ Clean audit trail via CloudTrail
NB:
The service role is a must-use feature for enterprise-grade CloudFormation deployments.
Project: Hands-On
How twtech uses a CloudFormation Service Role to define stack resources that CloudFormation can create, update, or delete on its behalf (AssumeRole).
Step-1:
Search for AWS service: IAM
Navigate to Roles under IAM.
Create a role for an AWS service.
twtech wants to give CloudFormation full access (AssumeRole) for: S3
Name, review, and create the role.
Step-2:
Attach the role created (twtech-s3-cf-role) to the CloudFormation template during stack creation.