How to create IAM Policy by using AWS CloudFormation

Managing permissions in AWS is a critical but often repetitive task. AWS CloudFormation offers a solution by enabling you to define and automate IAM policies as code. In this guide, you’ll learn how to use CloudFormation to set up IAM policies efficiently, ensuring security and scalability in your AWS environment.

Why Use CloudFormation for IAM?

Using CloudFormation for IAM policies offers several advantages:

1. Consistency: Avoid manual errors by defining policies in reusable templates.
2. Automation: Automate the deployment and management of policies across multiple accounts or environments.
3. Version Control: Store templates in a version control system to track changes and roll back if needed.

Prerequisites

Before starting, ensure you have:

1. An AWS account with permissions to create IAM roles and policies.
2. AWS CLI or AWS Management Console access.
3. A basic understanding of YAML/JSON syntax.

Step 1: Create a CloudFormation Template for IAM

1. Open a text editor and define your CloudFormation template in YAML format.
2. Start by creating the necessary structure for defining resources:

Here’s an example template to create an IAM policy that grants read-only S3 access:

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  S3ReadOnlyPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "S3ReadOnlyAccess"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action: "s3:Get*"
            Resource: "*"
      Roles:
        - !Ref MyIAMRole

  MyIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "MyS3ReadOnlyRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "ec2.amazonaws.com"
            Action: "sts:AssumeRole"

Template Breakdown:

• S3ReadOnlyPolicy: Defines the policy granting read-only S3 access.
• MyIAMRole: Creates a role and attaches the policy to it. The role can be assumed by an EC2 instance.

Step 2: Deploy the Template Using AWS CloudFormation

1. Save the YAML file as iam-setup.yaml.
2. Use the AWS CLI or the AWS Management Console to deploy the stack.

Using AWS CLI:

Run the following command to deploy the stack:

aws cloudformation create-stack --stack-name IAMPolicyStack --template-body file://iam-setup.yaml

Using AWS Management Console:

1. Navigate to CloudFormation in the AWS Console.
2. Click Create Stack and upload your template.
3. Follow the prompts to deploy the stack.

Step 3: Verify the IAM Resources

Once the stack is created, verify the resources:

1. Go to the IAM Console.
2. Check for the newly created role (MyS3ReadOnlyRole).
3. Inspect the attached policy (S3ReadOnlyAccess) to confirm the permissions are correct.

Best Practices for CloudFormation and IAM

1. Use Parameterized Templates: Add parameters to make your templates reusable across environments.
2. Enable Stack Policies: Protect critical resources from accidental updates.
3. Validate Templates: Use the aws cloudformation validate-template command to catch errors before deployment.
4. Secure Sensitive Data: Avoid hardcoding secrets in templates; use AWS Secrets Manager instead.

Summary

AWS CloudFormation simplifies and automates IAM policy creation, ensuring consistency and scalability in managing permissions. By leveraging infrastructure-as-code, you can deploy secure, reusable IAM configurations with ease. Experiment with templates and customize them to suit your organizational needs.