- AWS Administration Cookbook
- Lucas Chan Rowan Udell
- 222字
- 2021-07-09 18:18:28
Permissions and service roles
One important thing to remember about CloudFormation is that it's more or less just making API calls on your behalf. This means that CloudFormation will assume the very same permissions or role you use to execute your template. If you don't have permission to create a new hosted zone in Route 53, for example, any template you try to run that contains a new Route 53-hosted zone will fail.
On the flip side, this has created a somewhat tricky situation where anyone developing CloudFormation typically has a very elevated level of privileges, and these privileges are somewhat unnecessarily granted to CloudFormation each time a template is executed.
If my CloudFormation template contains only one resource, which is a Route 53-hosted zone, it doesn't make sense for that template to be executed with full admin privileges to my AWS account. It makes much more sense to give CloudFormation a very slim set of permissions to execute the template with, thus limiting the blast radius if a bad template were to be executed (that is, a bad copy-and-paste operation resulting in deleted resources).
Thankfully, service roles have recently been introduced, and you can now define an IAM role and tell CloudFormation to use this role when your stack is being executed, giving you a much safer space to play in.
- Instant Raspberry Pi Gaming
- Hadoop 2.x Administration Cookbook
- Learning Apache Spark 2
- 21天學(xué)通C++
- 模型制作
- SharePoint 2010開發(fā)最佳實踐
- 基于多目標(biāo)決策的數(shù)據(jù)挖掘方法評估與應(yīng)用
- 網(wǎng)絡(luò)安全與防護
- 生成對抗網(wǎng)絡(luò)項目實戰(zhàn)
- 電腦故障排除與維護終極技巧金典
- 渲染王3ds Max三維特效動畫技術(shù)
- 數(shù)字多媒體技術(shù)與應(yīng)用實例
- Python語言從入門到精通
- 智能控制技術(shù)及其應(yīng)用
- Learn SOLIDWORKS 2020