IAM service role should be associated with the Amazon CloudFormation stack in order to adhere to the principle of least privilege and to avoid unwanted privilege escalation, as users with privileges within the AWS CloudFormation scope implicitly inherit the stack role’s permissions. When an IAM service role is associated with a stack, AWS CloudFormation service uses this role for all operations that are performed on that stack. Other users that have permissions to perform operations on the stack will be able to utilize this role, even if they don’t have permission to pass it. If the IAM role includes permissions that other users shouldn’t have, you can unintentionally escalate their permissions, therefore you need to make sure that the role adheres to the principle of least privilege by giving it the minimal set of actions required to perform its tasks.
1. Navigate to IAM dashboard.
2. In the left navigation panel, choose Roles.
3. Click Create role button from the dashboard top menu to create a new IAM role that will replace the existing service role within your CloudFormation stack configuration. If you don’t create a new IAM service role, AWS CloudFormation uses the role that was previously associated with the stack, during the update process.
4. On Trust panel, select AWS service category and choose CloudFormation from Choose the service that will use this role list. Click Next: Permissions to continue.
5. On Permissions panel, perform one of the following actions:<ol style=list-style-type: lower-alpha