- AWS Administration Cookbook
- Lucas Chan Rowan Udell
- 222字
- 2021-07-09 18:18:28
Permissions and service roles
One important thing to remember about CloudFormation is that it's more or less just making API calls on your behalf. This means that CloudFormation will assume the very same permissions or role you use to execute your template. If you don't have permission to create a new hosted zone in Route 53, for example, any template you try to run that contains a new Route 53-hosted zone will fail.
On the flip side, this has created a somewhat tricky situation where anyone developing CloudFormation typically has a very elevated level of privileges, and these privileges are somewhat unnecessarily granted to CloudFormation each time a template is executed.
If my CloudFormation template contains only one resource, which is a Route 53-hosted zone, it doesn't make sense for that template to be executed with full admin privileges to my AWS account. It makes much more sense to give CloudFormation a very slim set of permissions to execute the template with, thus limiting the blast radius if a bad template were to be executed (that is, a bad copy-and-paste operation resulting in deleted resources).
Thankfully, service roles have recently been introduced, and you can now define an IAM role and tell CloudFormation to use this role when your stack is being executed, giving you a much safer space to play in.
- 現(xiàn)代測控系統(tǒng)典型應(yīng)用實(shí)例
- Hands-On Graph Analytics with Neo4j
- 數(shù)據(jù)展現(xiàn)的藝術(shù)
- PPT,要你好看
- 樂高機(jī)器人EV3設(shè)計(jì)指南:創(chuàng)造者的搭建邏輯
- 程序設(shè)計(jì)缺陷分析與實(shí)踐
- 21天學(xué)通C語言
- Python:Data Analytics and Visualization
- 筆記本電腦維修90個(gè)精選實(shí)例
- 網(wǎng)絡(luò)服務(wù)搭建、配置與管理大全(Linux版)
- 單片機(jī)技能與實(shí)訓(xùn)
- LMMS:A Complete Guide to Dance Music Production Beginner's Guide
- INSTANT Adobe Story Starter
- 算法設(shè)計(jì)與分析
- Apache Spark Machine Learning Blueprints