CloudFormation Service Role

Purpose

  • An IAM role that CloudFormation assumes to create, update, or delete stack resources on your behalf.

Benefits

  • Lets users deploy infrastructure without having direct permissions to manage each AWS service.
  • Supports least privilege by centralizing permissions in the service role.

Example Use Case

  • Allow a developer to deploy stacks without giving them direct access to EC2, S3, or RDS.

Requirements

  • User needs the iam:PassRole permission to pass the service role to CloudFormation.
  • Service role must have permissions for all actions CloudFormation will perform, e.g.:
    • cloudformation:*
    • s3:*
    • And permissions for other AWS services defined in the stack.
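The two halves of the requirements above, as an added example that is not part of the original note: a CloudFormation template that creates the service role (trusting only CloudFormation) and a developer policy whose iam:PassRole grant is scoped to that single role and to CloudFormation as the receiving service. Role and policy names are hypothetical placeholders.

```yaml
# Added example (not from the original note): a CloudFormation service role
# plus a developer policy that may pass only that role, only to CloudFormation.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  CfnServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-deploy-service-role          # hypothetical name
      AssumeRolePolicyDocument:                  # trust policy: only CloudFormation assumes it
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: stack-resource-permissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Everything the stacks will create; the developer never holds these directly.
              # Tighten Action/Resource to the services and resources your templates use.
              - Effect: Allow
                Action:
                  - cloudformation:*
                  - s3:*
                  - ec2:*
                  - rds:*
                Resource: "*"
  DeveloperDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: cfn-developer-deploy    # hypothetical name
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
            Resource: "*"
          # PassRole scoped to this one role and to CloudFormation as the receiving service.
          - Effect: Allow
            Action: iam:PassRole
            Resource: !GetAtt CfnServiceRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com
```

Attach the managed policy to the developer's user or group; a PassRole grant with `Resource: "*"` and no condition would instead let that user hand any role in the account to any service.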