Ensure that the IAM service role associated with your Amazon CloudFormation stack adhere to the principle of least privilege in order avoid unwanted privilege escalation, as users with privileges within the AWS CloudFormation scope implicitly inherit the stack role's permissions. When an IAM service role is associated with a stack, AWS CloudFormation service uses this role for all operations that are performed on that stack. Other users that have permissions to perform operations on the stack will be able to utilize this role, even if they don't have permission to pass it. If the IAM role includes permissions that other users shouldn't have, you can unintentionally escalate their permissions, therefore you need to make sure that the role adhere to the principle of least privilege by giving it the minimal set of actions required to perform its tasks.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity solution
Providing the right permissions for the IAM service role associated with your Amazon CloudFormation stack will significantly reduce the risk of unauthorized access to the AWS resources within the stack.
To determine if your AWS CloudFormation stacks have IAM service roles that grant least privilege, perform the following:
To update the permissions of the IAM service roles associated with CloudFormation stacks to adhere to the principle of least privilege, perform the following actions: