官术网_书友最值得收藏!

  • AWS Administration Cookbook
  • Lucas Chan Rowan Udell
  • 222字
  • 2021-07-09 18:18:28

Permissions and service roles

One important thing to remember about CloudFormation is that it's more or less just making API calls on your behalf. This means that CloudFormation will assume the very same permissions or role you use to execute your template. If you don't have permission to create a new hosted zone in Route 53, for example, any template you try to run that contains a new Route 53-hosted zone will fail.

On the flip side, this has created a somewhat tricky situation where anyone developing CloudFormation typically has a very elevated level of privileges, and these privileges are somewhat unnecessarily granted to CloudFormation each time a template is executed.

If my CloudFormation template contains only one resource, which is a Route 53-hosted zone, it doesn't make sense for that template to be executed with full admin privileges to my AWS account. It makes much more sense to give CloudFormation a very slim set of permissions to execute the template with, thus limiting the blast radius if a bad template were to be executed (that is, a bad copy-and-paste operation resulting in deleted resources).

Thankfully, service roles have recently been introduced, and you can now define an IAM role and tell CloudFormation to use this role when your stack is being executed, giving you a much safer space to play in.

主站蜘蛛池模板: 台山市| 林芝县| 鸡泽县| 汝州市| 瑞安市| 阳泉市| 西盟| 洞口县| 鄂尔多斯市| 海林市| 栖霞市| 保定市| 钦州市| 延庆县| 宁乡县| 肃北| 聊城市| 锦州市| 同仁县| 夏津县| 静宁县| 三门县| 兴山县| 中卫市| 永济市| 满城县| 忻州市| 普陀区| 漳平市| 茌平县| 台山市| 日喀则市| 昌平区| 于田县| 侯马市| 淮南市| 海林市| 阿城市| 寿光市| 如皋市| 江北区|