Access Required by StackZone on AWS
StackZone IAM Role Permissions
Fernando Honig
Last Update 8 months ago
In order to push configurations and build your StackZone in your AWS Organization, StackZone needs to create an initial AWS IAM Role. This article describes the permissions / policies needed by the StackZoneLimitedRole and how this role is used.
Role Assumption
Who can assume this role?
- This role can only be assumed by the StackZone Production Account using an ExternalId that belongs to you and you only as a StackZone Customer.
- AWS Services like AWS CloudFormation, AWS Lambda, AWS Systems Manager and Amazon EventBridge.
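A check for the trust model described above, as an added example that is not StackZone's own code: it audits a role's trust policy document for the two conditions the list states (account principal bound to your ExternalId, service principals limited to the four services named). The account ID `111111111111`, the ExternalId value and both policy documents are constructed placeholders.

```python
# AWS services the article lists as able to assume the role, as service principals.
ALLOWED_SERVICES = {
    "cloudformation.amazonaws.com",  # AWS CloudFormation
    "lambda.amazonaws.com",          # AWS Lambda
    "ssm.amazonaws.com",             # AWS Systems Manager
    "events.amazonaws.com",          # Amazon EventBridge
}

def _as_list(value):
    """IAM JSON allows a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Extract the account ID from an ARN principal, or return the bare value."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def audit_trust_policy(policy, vendor_account_id, external_id):
    """Return findings; an empty list means the policy matches the described model."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # "Principal": "*"
            findings.append(f"statement {i}: wildcard principal")
            continue
        for kind in principal:
            if kind not in ("AWS", "Service"):
                findings.append(f"statement {i}: unexpected principal type {kind}")
        for svc in _as_list(principal.get("Service")):
            if svc not in ALLOWED_SERVICES:
                findings.append(f"statement {i}: unexpected service {svc}")
        # Condition keys are case-insensitive, so compare them lower-cased.
        equals = {k.lower(): _as_list(v) for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        for arn in _as_list(principal.get("AWS")):
            if _account_of(arn) != vendor_account_id:
                findings.append(f"statement {i}: unexpected account principal {arn}")
            elif equals.get("sts:externalid") != [external_id]:
                findings.append(f"statement {i}: {arn} not bound to the expected ExternalId")
    return findings

# Constructed sample: the vendor account may assume the role only with the ExternalId.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": sorted(ALLOWED_SERVICES)}},
]}

# Constructed sample: ExternalId condition missing and an extra service trusted.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "ec2.amazonaws.com"}},
]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_trust_policy(doc, "111111111111", "EXAMPLE-EXTERNAL-ID"))
```

To run it against a deployed role, pass the `AssumeRolePolicyDocument` returned by `aws iam get-role` in place of the sample documents.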
Role Policies
What policies does this role have?
We make a great effort to reduce the permissions needed by StackZoneLimitedRole in each release. At this point in time, this is the list of permissions required:
- Role: StackZoneLimitedRole
- Policy: StackZoneLimitedPolicy
- account:GetAccountInformation
- acm:AddTagsToCertificate
- acm:ListCertificates
- acm:ListTagsForCertificate
- autoscaling:Describe*
- billing:Get*
- billing:List*
- budgets:ModifyBudget
- budgets:ViewBudget
- ce:Describe*
- ce:Get*
- ce:List*
- ce:StartCostAllocationTagBackfill
- ce:UpdateCostAllocationTagsStatus
- cloudformation:DescribeStackEvents
- cloudformation:DescribeStackResources
- cloudformation:DescribeStacks
- cloudformation:GetTemplate
- cloudformation:ListStackResources
- cloudformation:ListStacks
- cloudformation:ListStackSetOperations
- cloudformation:ListStackSets
- cloudfront:Get*
- cloudfront:List*
- cloudfront:TagResource
- cloudtrail:DescribeTrails
- cloudtrail:GetEventSelectors
- cloudtrail:ListTags
- cloudwatch:Describe*
- cloudwatch:Get*
- cloudwatch:List*
- cloudwatch:TagResource
- codepipeline:Get*
- codepipeline:List*
- codepipeline:RetryStageExecution
- config:Deliver*
- config:Describe*
- config:Get*
- config:List*
- config:Select*
- cost-optimization-hub:ListRecommendations
- cur:Describe*
- dms:Describe*
- dms:List*
- dynamodb:DescribeTable
- dynamodb:List*
- dynamodb:TagResource
- ec2:AcceptReservedInstancesExchangeQuote
- ec2:CreateTags
- ec2:Describe*
- ec2:DescribeReservedInstancesOfferings
- ec2:GetReservedInstancesExchangeQuote
- ec2:ModifyReservedInstances
- ec2:PurchaseReservedInstancesOffering
- ecr:DescribeRepositories
- ecr:ListTagsForResource
- ecr:TagResource
- ecs:Describe*
- ecs:List*
- elasticache:AddTagsToResource
- elasticache:Describe*
- elasticache:ListTagsForResource
- elasticbeanstalk:Check*
- elasticbeanstalk:Describe*
- elasticbeanstalk:List*
- elasticbeanstalk:RequestEnvironmentInfo
- elasticbeanstalk:RetrieveEnvironmentInfo
- elasticfilesystem:Describe*
- elasticloadbalancing:Describe*
- elasticmapreduce:Describe*
- elasticmapreduce:List*
- es:Describe*
- es:List*
- firehose:DescribeDeliveryStream
- firehose:ListDeliveryStreams
- iam:GenerateCredentialReport
- iam:Get*
- iam:List*
- kinesis:Describe*
- kinesis:List*
- kinesis:TagResource
- kms:DescribeKey
- kms:GetKeyRotationStatus
- kms:ListKeys
- lambda:GetFunction
- lambda:InvokeFunction
- lambda:List*
- lambda:TagResource
- logs:Describe*
- logs:GetLogEvents
- organizations:DescribeAccount
- organizations:DescribeCreateAccountStatus
- organizations:DescribeOrganization
- organizations:DescribeOrganizationalUnit
- organizations:DescribePolicy
- organizations:List*
- organizations:ListAccountsForParent
- organizations:ListOrganizationalUnitsForParent
- pricing:GetProducts
- rds:AddTagsToResource
- rds:Describe*
- rds:ListTagsForResource
- rds:PurchaseReservedDBInstancesOffering
- redshift:Describe*
- redshift:TagResource
- resource-groups:*
- route53:Get*
- route53:List*
- s3:Get* (s3:::stackzone-${AWS::AccountId}-${AWS::Region})
- s3:GetAccountPublicAccessBlock
- s3:GetBucketAcl
- s3:GetBucketLocation
- s3:GetBucketLogging
- s3:GetBucketPolicy
- s3:GetBucketPolicyStatus
- s3:GetBucketPublicAccessBlock
- s3:GetBucketTagging
- s3:GetBucketVersioning
- s3:GetBucketWebsite
- s3:List*
- s3:List* (s3:::stackzone-${AWS::AccountId}-${AWS::Region})
- s3:Put* (s3:::stackzone-${AWS::AccountId}-${AWS::Region})
- s3:PutBucketTagging
- sagemaker:Describe*
- sagemaker:List*
- savingsplans:CreateSavingsPlan
- savingsplans:Describe*
- savingsplans:ReturnSavingsPlan
- sdb:GetAttributes
- sdb:List*
- secretsmanager:DescribeSecret
- secretsmanager:ListSecrets
- secretsmanager:TagResource
- servicecatalog:DescribeProduct
- servicecatalog:DescribeProvisionedProduct
- servicecatalog:DescribeProvisioningArtifact
- servicecatalog:GetProvisionedProductOutputs
- servicecatalog:ProvisionProduct
- servicecatalog:SearchProducts
- servicecatalog:SearchProvisionedProducts
- servicecatalog:TerminateProvisionedProduct
- ses:Get*
- ses:List*
- sfn:ListStateMachines
- sfn:ListTagsForResource
- sns:Get*
- sns:List*
- sns:TagResource
- sqs:GetQueueAttributes
- sqs:GetQueueUrl
- sqs:ListQueues
- sqs:ListQueueTags
- sqs:TagQueue
- ssm:AddTagsToResource (lz-configuration*, org* & stackzone*)
- ssm:DeleteParameter (lz-configuration*, org* & stackzone*)
- ssm:DescribeAutomationExecutions
- ssm:DescribeParameters
- ssm:GetParameter* (lz-configuration*, org* & stackzone*)
- ssm:GetServiceSetting
- ssm:ListDocuments
- ssm:PutParameter (lz-configuration*, org* & stackzone*)
- ssm:RemoveTagsFromResource (lz-configuration*, org* & stackzone*)
- ssm:UpdateServiceSetting (ssm:${AWS::Region}:${AWS::AccountId}:servicesetting/ssm/parameter-store/high-throughput-enabled)
- states:TagResource
- storagegateway:Describe*
- storagegateway:List*
- sts:GetFederationToken
- tag:GetTagValues
- tag:TagResources
- workspaces:Describe*
- Role: StackZoneSupportRole
- Policy: StackZoneSupportPolicy
- account:GetAccountInformation
- autoscaling:Describe*
- aws-portal:ViewBilling
- billing:Get*
- billing:List*
- budgets:ModifyBudget
- budgets:ViewBudget
- ce:Describe*
- ce:Get*
- ce:List*
- cloudformation:ContinueUpdateRollback
- cloudformation:CreateStackInstances
- cloudformation:DescribeStackEvents
- cloudformation:DescribeStackResources
- cloudformation:DescribeStacks
- cloudformation:DescribeStackSet
- cloudformation:GetStackPolicy
- cloudformation:GetTemplate
- cloudformation:GetTemplateSummary
- cloudformation:ListStackInstances
- cloudformation:ListStackResources
- cloudformation:ListStacks
- cloudformation:ListStackSetOperationResults
- cloudformation:ListStackSetOperations
- cloudformation:ListStackSets
- cloudformation:RollbackStack
- cloudfront:Get*
- cloudfront:List*
- cloudtrail:DescribeTrails
- cloudtrail:GetEventSelectors
- cloudtrail:ListTags
- cloudwatch:Describe*
- cloudwatch:Get*
- cloudwatch:List*
- codebuild:BatchGetBuilds
- codebuild:BatchGetProjects
- codebuild:ListBuildsForProject
- codebuild:ListProjects
- codecommit:ListRepositories
- codepipeline:Get*
- codepipeline:List*
- codepipeline:RetryStageExecution
- codepipeline:StopPipelineExecution
- config:Deliver*
- config:Describe*
- config:Get*
- config:List*
- config:Select*
- cur:Describe*
- dms:Describe*
- dms:List*
- dynamodb:DescribeTable
- dynamodb:List*
- ec2:Describe*
- ec2:DescribeReservedInstancesOfferings
- ec2:GetReservedInstancesExchangeQuote
- ecs:Describe*
- ecs:List*
- elasticache:Describe*
- elasticache:ListTagsForResource
- elasticbeanstalk:Check*
- elasticbeanstalk:Describe*
- elasticbeanstalk:List*
- elasticbeanstalk:RequestEnvironmentInfo
- elasticbeanstalk:RetrieveEnvironmentInfo
- elasticfilesystem:Describe*
- elasticloadbalancing:Describe*
- elasticmapreduce:Describe*
- elasticmapreduce:List*
- es:Describe*
- es:List*
- events:DescribeEventBus
- events:ListRules
- firehose:DescribeDeliveryStream
- firehose:ListDeliveryStreams
- iam:GenerateCredentialReport
- iam:Get*
- iam:List*
- kinesis:Describe*
- kinesis:List*
- kms:DescribeKey
- kms:GetKeyRotationStatus
- kms:ListAliases
- kms:ListKeys
- lambda:Get*
- lambda:List*
- logs:DeleteLogGroup (log-group:/aws/lambda/StackZone-*)
- logs:Describe*
- logs:FilterLogEvents
- logs:GetLogEvents
- organizations:DescribeAccount
- organizations:DescribeCreateAccountStatus
- organizations:DescribeOrganization
- organizations:DescribeOrganizationalUnit
- organizations:DescribePolicy
- organizations:List*
- organizations:ListAccountsForParent
- organizations:ListOrganizationalUnitsForParent
- rds:Describe*
- rds:ListTagsForResource
- redshift:Describe*
- route53:Get*
- route53:List*
- s3:Get* (s3:::stackzone-${AWS::AccountId}-${AWS::Region}/*)
- s3:GetAccountPublicAccessBlock
- s3:GetAnalyticsConfiguration
- s3:GetBucketAcl
- s3:GetBucketLocation
- s3:GetBucketLogging
- s3:GetBucketNotification
- s3:GetBucketObjectLockConfiguration
- s3:GetBucketPolicy
- s3:GetBucketPolicyStatus
- s3:GetBucketPublicAccessBlock
- s3:GetBucketTagging
- s3:GetBucketVersioning
- s3:GetBucketWebsite
- s3:GetEncryptionConfiguration
- s3:GetIntelligentTieringConfiguration
- s3:GetInventoryConfiguration
- s3:GetLifecycleConfiguration
- s3:GetReplicationConfiguration
- s3:List*
- s3:List* (s3:::stackzone-${AWS::AccountId}-${AWS::Region}/*)
- sagemaker:Describe*
- sagemaker:List*
- savingsplans:DescribeSavingsPlans
- schemas:ListDiscoverers
- sdb:GetAttributes
- sdb:List*
- servicecatalog:DescribeProduct
- servicecatalog:DescribeProvisionedProduct
- servicecatalog:DescribeRecord
- servicecatalog:SearchProducts
- servicecatalog:SearchProvisionedProducts
- servicecatalog:TerminateProvisionedProduct (servicecatalog:${AWS::Region}:${AWS::AccountId}:stack/lz_*)
- servicequotas:Get*
- servicequotas:List*
- ses:Get*
- ses:List*
- sns:Get*
- sns:List*
- sqs:GetQueueAttributes
- sqs:ListQueues
- ssm:DeleteParameter (lz-configuration*, org* & stackzone*)
- ssm:DescribeAutomationExecutions
- ssm:DescribeParameters
- ssm:GetAutomationExecution
- ssm:GetParameter* (lz-configuration*, org* & stackzone*)
- ssm:GetServiceSetting
- ssm:ListDocuments
- ssm:ListTagsForResource (lz-configuration*, org* & stackzone*)
- ssm:PutParameter (lz-configuration*, org* & stackzone*)
- states:DescribeActivity
- states:DescribeExecution
- states:DescribeStateMachine
- states:DescribeStateMachineForExecution
- states:GetExecutionHistory
- states:ListExecutions
- states:ListStateMachines
- states:StartExecution
- states:StopExecution
- storagegateway:Describe*
- storagegateway:List*
- sts:GetFederationToken
- wellarchitected:Get*
- wellarchitected:List*
- workspaces:Describe*
- Role: StackZoneRole
- Policy: StackZoneRoleManagedPolicy
- ce:*
- cloudformation:*
- codebuild:*
- codepipeline:*
- ec2:CreateTags
- events:*
- iam:AttachRolePolicy
- iam:CreatePolicy
- iam:CreatePolicyVersion
- iam:CreateRole
- iam:CreateServiceLinkedRole
- iam:DeletePolicy
- iam:DeletePolicyVersion
- iam:DeleteRole
- iam:DeleteRolePolicy
- iam:DetachRolePolicy
- iam:GetPolicy
- iam:GetRole
- iam:GetRolePolicy
- iam:ListPolicyVersions
- iam:ListRoleTags
- iam:PassRole
- iam:PutRolePolicy
- iam:TagRole
- iam:UpdateAssumeRolePolicy
- kms:*
- lambda:AddLayerVersionPermission
- lambda:AddPermission
- lambda:CreateFunction
- lambda:DeleteFunction
- lambda:DeleteFunctionConcurrency
- lambda:DeleteLayerVersion
- lambda:GetFunction
- lambda:GetFunctionCodeSigningConfig
- lambda:GetFunctionConfiguration
- lambda:GetLayerVersion
- lambda:InvokeFunction
- lambda:ListTags
- lambda:PublishLayerVersion
- lambda:PutFunctionConcurrency
- lambda:RemoveLayerVersionPermission
- lambda:RemovePermission
- lambda:TagResource
- lambda:UntagResource
- lambda:UpdateFunctionCode
- lambda:UpdateFunctionConfiguration
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DeleteLogGroup
- logs:ListTagsForResource
- logs:ListTagsLogGroup
- logs:PutLogEvents
- logs:PutRetentionPolicy
- logs:TagLogGroup
- logs:TagResource
- logs:UntagLogGroup
- logs:UntagResource
- organizations:*
- resource-groups:*
- s3:CreateBucket
- s3:DeleteBucket
- s3:DeleteBucketPolicy
- s3:DeleteObject
- s3:DeleteObjectVersion
- s3:GetBucketPolicy
- s3:GetBucketVersioning
- s3:GetObject
- s3:ListAllMyBuckets
- s3:ListBucket
- s3:ListBucketVersions
- s3:PutBucketLogging
- s3:PutBucketNotification
- s3:PutBucketPolicy
- s3:PutBucketPublicAccessBlock
- s3:PutBucketTagging
- s3:PutBucketVersioning
- s3:PutEncryptionConfiguration
- s3:PutLifecycleConfiguration
- sqs:*
- ssm:*
- states:*
- sts:AssumeRole (role/AWSCloudFormationStackSetExecutionRole)
- tag:TagResources
- Policy: StackZoneIdentityPolicy
- access-analyzer:GetFinding
- access-analyzer:ListFindings
- access-analyzer:UpdateFindings
- ds:DescribeDirectories
- iam:AttachRolePolicy (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
- iam:CreateRole (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
- iam:CreateSAMLProvider (saml-provider/AWSSSO_*)
- iam:DeleteRole (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
- iam:DetachRolePolicy (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
- iam:GetRole (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
- iam:ListAttachedRolePolicies (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
- iam:ListRolePolicies (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
- identitystore:CreateGroup
- identitystore:CreateGroupMembership
- identitystore:CreateUser
- identitystore:DeleteGroup
- identitystore:DeleteGroupMembership
- identitystore:DeleteUser
- identitystore:DescribeGroup
- identitystore:DescribeUser
- identitystore:ListGroupMemberships
- identitystore:ListGroupMembershipsForMember
- identitystore:ListGroups
- identitystore:ListUsers
- sso:AttachManagedPolicyToPermissionSet
- sso:CreateAccountAssignment
- sso:CreatePermissionSet
- sso:DeleteAccountAssignment
- sso:DeletePermissionSet
- sso:DescribeAccountAssignmentCreationStatus
- sso:DescribeAccountAssignmentDeletionStatus
- sso:DescribePermissionSet
- sso:ListAccountAssignments
- sso:ListAccountAssignmentsForPrincipal
- sso:ListInstances
- sso:ListPermissionSets
- sso:ListPermissionSetsProvisionedToAccount
- sso:ProvisionPermissionSet
- sso:SearchGroups
- sso:SearchUsers
- Policy: StackZoneSustainabilityPolicy
- sustainability:*
- Policy: StackZoneContactCenterPolicy
- connect:*
- connect:CreateInstance
- connect:ListInstances
- ds:AuthorizeApplication
- ds:CheckAlias
- ds:CreateAlias
- ds:CreateIdentityPoolDirectory
- ds:DeleteDirectory
- ds:DescribeDirectories
- ds:UnauthorizeApplication
- firehose:DescribeDeliveryStream
- firehose:ListDeliveryStreams
- iam:CreateServiceLinkedRole
- iam:CreateServiceLinkedRole (role/aws-service-role/profile.amazonaws.com/*)
- iam:DeleteServiceLinkedRole (iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*)
- iam:PutRolePolicy (iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*)
- kinesis:DescribeStream
- kinesis:ListStreams
- kms:DescribeKey
- kms:ListAliases
- lambda:ListFunctions
- lex:GetBots
- lex:ListBotAliases
- lex:ListBots
- logs:CreateLogGroup
- profile:AddProfileKey (domains/amazon-connect-*)
- profile:CreateDomain (domains/amazon-connect-*)
- profile:CreateProfile (domains/amazon-connect-*)
- profile:DeleteDomain (domains/amazon-connect-*)
- profile:DeleteIntegration (domains/amazon-connect-*)
- profile:DeleteProfile (domains/amazon-connect-*)
- profile:DeleteProfileKey (domains/amazon-connect-*)
- profile:DeleteProfileObject (domains/amazon-connect-*)
- profile:DeleteProfileObjectType (domains/amazon-connect-*)
- profile:GetDomain
- profile:GetIntegration (domains/amazon-connect-*)
- profile:GetMatches (domains/amazon-connect-*)
- profile:GetProfileObjectType
- profile:GetProfileObjectType (domains/amazon-connect-*)
- profile:ListAccountIntegrations
- profile:ListDomains
- profile:ListIntegrations (domains/amazon-connect-*)
- profile:ListProfileObjects (domains/amazon-connect-*)
- profile:ListProfileObjectTypes (domains/amazon-connect-*)
- profile:ListProfileObjectTypeTemplates
- profile:ListTagsForResource (domains/amazon-connect-*)
- profile:MergeProfiles (domains/amazon-connect-*)
- profile:PutIntegration (domains/amazon-connect-*)
- profile:PutProfileObject (domains/amazon-connect-*)
- profile:PutProfileObjectType (domains/amazon-connect-*)
- profile:SearchProfiles (domains/amazon-connect-*)
- profile:TagResource (domains/amazon-connect-*)
- profile:UntagResource (domains/amazon-connect-*)
- profile:UpdateDomain (domains/amazon-connect-*)
- profile:UpdateProfile (domains/amazon-connect-*)
- s3:CreateBucket (s3:::amazon-connect-*)
- s3:GetBucketAcl (s3:::amazon-connect-*)
- s3:GetBucketLocation
- s3:GetObject (s3:::amazon-connect-*)
- s3:GetObjectAcl (s3:::amazon-connect-*)
- s3:ListAllMyBuckets
- s3:PutBucketAcl (s3:::amazon-connect-*)
- s3:PutBucketOwnershipControls (s3:::amazon-connect-*)
- s3:PutObject (s3:::amazon-connect-*)
- s3:PutObjectAcl (s3:::amazon-connect-*)
- servicequotas:GetServiceQuota (servicequotas:*:*:connect/*)
- Policy: StackZoneOperationsPolicy
- acm:AddTagsToCertificate
- acm:DeleteCertificate
- acm:ListCertificates
- acm:ListTagsForCertificate
- autoscaling:DeleteAutoScalingGroup
- backup:ListBackupJobs
- backup:ListRestoreJobs
- backup:StartBackupJob
- cloudformation:UpdateTerminationProtection
- cloudfront:ListTagsForResource
- cloudfront:TagResource
- cloudwatch:ListTagsForResource
- cloudwatch:TagResource
- config:StartRemediationExecution
- dynamodb:CreateBackup
- dynamodb:DeleteTable
- dynamodb:TagResource
- dynamodb:UpdateTable
- ec2:AssociateVpcCidrBlock
- ec2:AttachVolume
- ec2:CreateSnapshot
- ec2:CreateTags
- ec2:DeleteInternetGateway
- ec2:DeleteRouteTable
- ec2:DeleteSecurityGroup
- ec2:DeleteSnapshot
- ec2:DeleteSubnet
- ec2:DeleteVolume
- ec2:DeleteVpc
- ec2:DeleteVpcEndpoints
- ec2:DescribeInternetGateways
- ec2:DescribeRouteTables
- ec2:DescribeSecurityGroups
- ec2:DescribeSubnets
- ec2:DescribeVolumes
- ec2:DetachInternetGateway
- ec2:DetachVolume
- ec2:ModifyInstanceAttribute
- ec2:ModifySnapshotAttribute
- ec2:ModifyVolume
- ec2:ModifyVpcAttribute
- ec2:RebootInstances
- ec2:ReleaseAddress
- ec2:StartInstances
- ec2:StopInstances
- ec2:TerminateInstances
- ecr:DescribeRepositories
- ecr:ListTagsForResource
- ecr:TagResource
- ecs:DeleteCluster
- ecs:DeleteService
- eks:DeleteCluster
- eks:DescribeAddonVersions
- eks:UpdateClusterVersion
- elasticache:AddTagsToResource
- elasticache:CreateSnapshot
- elasticache:DeleteCacheCluster
- elasticache:DescribeCacheClusters
- elasticache:ListTagsForResource
- elasticache:ModifyCacheCluster
- elasticache:RebootCacheCluster
- elasticfilesystem:DeleteFileSystem
- elasticfilesystem:PutBackupPolicy
- elasticloadbalancing:DeleteLoadBalancer
- elasticloadbalancing:ModifyLoadBalancerAttributes
- guardduty:ArchiveFindings
- guardduty:DescribeMalwareScans
- guardduty:GetFindings
- guardduty:ListDetectors
- guardduty:ListFindings
- guardduty:StartMalwareScan
- guardduty:UnarchiveFindings
- iam:CreateServiceLinkedRole (StringLike: iam:AWSServiceName: malware-protection.guardduty.amazonaws.com)
- iam:DeleteGroup
- iam:DeleteRole
- iam:DeleteUser
- iam:PassRole (iam:PassedToService: backup.amazonaws.com)
- iam:PassRole (iam:PassedToService: ssm.amazonaws.com)
- kinesis:AddTagsToStream
- kinesis:ListTagsForStream
- kms:CancelKeyDeletion
- kms:DisableKey
- kms:DisableKeyRotation
- kms:EnableKey
- kms:EnableKeyRotation
- kms:GetKeyRotationStatus
- kms:ScheduleKeyDeletion
- lambda:DeleteFunction
- lambda:GetFunction
- lambda:GetFunctionConfiguration
- lambda:ListTags
- lambda:TagResource
- lambda:UpdateFunctionConfiguration
- logs:ListTagsLogGroup
- logs:TagLogGroup
- organizations:CloseAccount
- organizations:CreateAccount
- organizations:InviteAccountToOrganization
- organizations:MoveAccount
- organizations:RemoveAccountFromOrganization
- organizations:TagResource
- rds:AddTagsToResource
- rds:CreateDBClusterSnapshot
- rds:CreateDBSnapshot
- rds:DeleteDBCluster
- rds:DeleteDBInstance
- rds:ModifyDBCluster
- rds:ModifyDBInstance
- rds:RebootDBCluster
- rds:RebootDBInstance
- rds:StartDBCluster
- rds:StartDBInstance
- rds:StopDBCluster
- rds:StopDBInstance
- redshift:CreateClusterSnapshot
- redshift:CreateTags
- redshift:DeleteCluster
- redshift:DescribeClusters
- redshift:DescribeTags
- redshift:ModifyCluster
- redshift:PauseCluster
- redshift:RebootCluster
- redshift:ResumeCluster
- resource-explorer-2:Search
- route53:DeleteHostedZone
- s3:DeleteBucket
- s3:DeleteObject
- s3:DeleteObjectVersion
- s3:GetBucketTagging
- s3:PutBucketTagging
- s3:PutBucketVersioning
- s3:PutEncryptionConfiguration
- secretsmanager:DeleteSecret
- secretsmanager:DescribeSecret
- secretsmanager:ListSecrets
- secretsmanager:RestoreSecret
- secretsmanager:TagResource
- sns:DeleteTopic
- sns:ListSubscriptionsByTopic
- sns:SetTopicAttributes
- sns:Subscribe
- sns:TagResource
- sns:Unsubscribe
- sqs:DeleteQueue
- sqs:GetQueueAttributes
- sqs:GetQueueUrl
- sqs:ListQueues
- sqs:ListQueueTags
- sqs:PurgeQueue
- sqs:SetQueueAttributes
- sqs:TagQueue
- ssm:DeleteDocument
- ssm:DescribeOpsItems
- ssm:GetDocument
- ssm:StartAutomationExecution
- ssm:StartSession
- ssm:TerminateSession
- states:ListStateMachines
- states:ListTagsForResource
- states:TagResource
- support:DescribeCases
- tag:GetResources
- tag:GetTagKeys
- tag:GetTagValues
- tag:TagResources
- tag:UntagResources
- wellarchitected:AssociateLenses
- wellarchitected:CreateMilestone
- wellarchitected:CreateWorkload
- wellarchitected:DeleteWorkload
- wellarchitected:DisassociateLenses
- wellarchitected:GetAnswer
- wellarchitected:GetLens
- wellarchitected:GetLensReview
- wellarchitected:GetMilestone
- wellarchitected:GetWorkload
- wellarchitected:ListAnswers
- wellarchitected:ListLenses
- wellarchitected:ListMilestones
- wellarchitected:ListWorkloads
- wellarchitected:UpdateAnswer
- wellarchitected:UpdateWorkload
- workspaces:RebootWorkspaces
- workspaces:StartWorkspaces
- workspaces:StopWorkspaces
- workspaces:TerminateWorkspaces
- (Deny) iam:DeleteGroup (iam::*:role/StackZone*, iam::*:user/StackZone* & iam::*:group/StackZone*)
- (Deny) iam:DeleteRole (iam::*:role/StackZone*, iam::*:user/StackZone* & iam::*:group/StackZone*)
- (Deny) iam:DeleteUser (iam::*:role/StackZone*, iam::*:user/StackZone* & iam::*:group/StackZone*)
- Role: AWSCloudFormationStackSetExecutionRole
- Policy: Assume Role Policy
- Allowed principals:
- ${AWSCloudFormationStackSetAdministrationRole.Arn}
- ${StateMachineLambdaRole.Arn}
- ${LandingZoneLambdaRole.Arn}
- sts:AssumeRole (iam::aws:policy/AdministratorAccess)
Note that the effect for all of the actions is Allow and the resource is "*" unless otherwise indicated in brackets.
How do you protect your StackZone Prod Account?
- We eat our own dog food! This means we are protected by 100+ Config Rules and GuardRails; in short, we have StackZone enabled in our own cloud accounts.
- We follow the principle of least privilege, so only team members who have an actual business need can access that account.
- All of our team members are required to use MFA to log in to our production environment.
If you have any questions or concerns regarding this, please feel free to contact us via our Live Chat Support or by email to [email protected]