Can I make the CloudFormationExecutionRole have least privilege?

[pjxiao]

Describe your idea/feature/enhancement

I hope that the CloudFormationExecutionRole have least privilege.
Currently SAM-CLI attaches the following policy to the execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

This seems to allow CloudFormation to create/delete anything in an account including IAM resouces, even if I just wan't to deploy an API.

Proposal

I hope that there were policy templates for tipical usecases such as an API or an S3 event handler.

Additional Details

[hoffa]

CloudFormation assumes the execution role to deploy applications (which can consist of arbitrary resources). You can create an IAM role with reduced permissions and pass its ARN during the bootstrapping process (e.g. through sam pipeline init --bootstrap or sam pipeline bootstrap).

[pjxiao]

@hoffa
Yes, the bootstrap subcommand allows us to pass a role ARN. But we need to create an IAM role in advance by ourselves. I feel that writing an IAM policy is one of the hardest parts of deployment. So I hope that the bootstrap subcommand allowed us to chose more restrictive version of an exceution role policy.

Thanks,

[zhan9san]

I am working on this feature and will document them once it gets finalized.

It's almost done.

[Goblinlordx]

This seems a bit old. Can we at least consider denying IAM access to this role? It seems unsafe as it allows privilege escalation via creation of an administrative IAM role/user via cloudformation. I think if, at least, this is denied, it would provide a much more secure role. It might also be a good idea to maybe prevent allowing importing resources via cloudformation by default? Maybe this could be skipped but the IAM part seems almost necessary.

Edit: Actually, IAM permissions are needed, at least, to some extent. Creating roles and policies is definitely a need. I feel like there should still be a way to prevent allowing access to resources outside what is defined by a stack as well as preventing things like creating an administrative user/role/policy via the stack.