如何在AWS中定义仅允许使用预定义模板创建堆栈的策略/角色/权限 [英] How to define a policy/role/permission in AWS which only allows to create stack with a predefined template

问题描述

是否有一种方法可以在AWS中定义权限/策略/角色，从而仅使用特定模板(在S3上已更新)创建 CloudFormation堆栈?

Is there a way to define a permission/policy/role in AWS which allows to create a CloudFormation Stack using only a specific template (which is updated on S3)?

我见过 AWS服务角色，但我认为这不是我想要的.实际上，我看不出使用它的好处(就安全性而言).如果用户不能直接创建资源，但是同一用户可以通过CloudFormation创建资源，那么好处在哪里?

I've seen AWS Service Roles but I think it's not what I'm looking for. In fact I don't see which is the benefit (in terms of security) of using it. If a user can not create a resource directly, but the same user can create the resource through the CloudFormation where is the benefit?

但是，如果有一种方法可以限制可以使用的模板，那么这将在安全性方面带来更多好处，因为您可以定义可以创建哪些资源，而无需具有特定角色来逐个权限地定义权限.堆栈的资源.

However, if there were a way to limit the templates which can be use it, it would add a benefit in terms of security, because you could define what resources can be created without need to have specific roles defining permission by permission all the resources of the Stack.

推荐答案

您应该查看通过使用此服务，您可以定义并连接可用于生成CloudFormation堆栈的模板，而无需授予团队成员创建CloudFormation堆栈的权限.

By using this service you can define and hook up the templates that can be used to generate CloudFormation stacks without the need to give team members the permission to create a CloudFormation stack.

没有这种方法，就没有直接的解决方案来限制仅特定来源对CloudFormation创建的访问.

Without this there is not a direct solution to restrict access to CloudFormation creation from only specific sources.

这篇关于如何在AWS中定义仅允许使用预定义模板创建堆栈的策略/角色/权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！