Access Required by StackZone on AWS

StackZone IAM Role Permissions

Fernando Honig

Last Update 5 个月前

In order to push configurations and build your StackZone in your AWS Organization, StackZone needs to create an initial AWS IAM Role. This article describes the permissions / policies needed by the StackZoneLimitedRole and how this role is used.


Role Assumption

Who can assume this role?

  • This role can only be assumed by the StackZone Production Account using an ExternalId that belongs to you and you only as a StackZone Customer.
  • AWS Services like AWS CloudFormation, AWS Lambda, AWS Systems Manager and Amazon EventBridge.

Role Policies

What Policies does this role has?

We make a great effort in reducing permissions needed by StackZoneLimitedRole in each release. At this point in time these are the list of permissions required:


  • Role: StackZoneLimitedRole
    • Policy: StackZoneLimitedPolicy
      • account:GetAccountInformation
      • acm:AddTagsToCertificate
      • acm:ListCertificates
      • acm:ListTagsForCertificate
      • autoscaling:Describe*
      • billing:Get*
      • billing:List*
      • budgets:ModifyBudget
      • budgets:ViewBudget
      • ce:Describe*
      • ce:Get*
      • ce:List*
      • ce:StartCostAllocationTagBackfill
      • ce:UpdateCostAllocationTagsStatus
      • cloudformation:DescribeStackEvents
      • cloudformation:DescribeStackResources
      • cloudformation:DescribeStacks
      • cloudformation:GetTemplate
      • cloudformation:ListStackResources
      • cloudformation:ListStacks
      • cloudformation:ListStackSetOperations
      • cloudformation:ListStackSets
      • cloudfront:Get*
      • cloudfront:List*
      • cloudfront:TagResource
      • cloudtrail:DescribeTrails
      • cloudtrail:GetEventSelectors
      • cloudtrail:ListTags
      • cloudwatch:Describe*
      • cloudwatch:Get*
      • cloudwatch:List*
      • cloudwatch:TagResource
      • codepipeline:Get*
      • codepipeline:List*
      • codepipeline:RetryStageExecution
      • config:Deliver*
      • config:Describe*
      • config:Get*
      • config:List*
      • config:Select*
      • cost-optimization-hub:ListRecommendations
      • cur:Describe*
      • dms:Describe*
      • dms:List*
      • dynamodb:DescribeTable
      • dynamodb:List*
      • dynamodb:TagResource
      • ec2:AcceptReservedInstancesExchangeQuote
      • ec2:CreateTags
      • ec2:CreateTags
      • ec2:Describe*
      • ec2:DescribeReservedInstancesOfferings
      • ec2:GetReservedInstancesExchangeQuote
      • ec2:GetReservedInstancesExchangeQuote
      • ec2:ModifyReservedInstances
      • ec2:ModifyReservedInstances
      • ec2:PurchaseReservedInstancesOffering
      • ecr:DescribeRepositories
      • ecr:ListTagsForResource
      • ecr:TagResource
      • ecs:Describe*
      • ecs:List*
      • elasticache:AddTagsToResource
      • elasticache:Describe*
      • elasticache:ListTagsForResource
      • elasticbeanstalk:Check*
      • elasticbeanstalk:Describe*
      • elasticbeanstalk:List*
      • elasticbeanstalk:RequestEnvironmentInfo
      • elasticbeanstalk:RetrieveEnvironmentInfo
      • elasticfilesystem:Describe*
      • elasticloadbalancing:Describe*
      • elasticmapreduce:Describe*
      • elasticmapreduce:List*
      • es:Describe*
      • es:List*
      • firehose:DescribeDeliveryStream
      • firehose:ListDeliveryStreams
      • iam:GenerateCredentialReport
      • iam:Get*
      • iam:List*
      • kinesis:Describe*
      • kinesis:List*
      • kinesis:TagResource
      • kms:DescribeKey
      • kms:GetKeyRotationStatus
      • kms:ListKeys
      • lambda:GetFunction
      • lambda:InvokeFunction
      • lambda:List*
      • lambda:TagResource
      • logs:Describe*
      • logs:GetLogEvents
      • organizations:DescribeAccount
      • organizations:DescribeCreateAccountStatus
      • organizations:DescribeOrganization
      • organizations:DescribeOrganizationalUnit
      • organizations:DescribePolicy
      • organizations:List*
      • organizations:ListAccountsForParent
      • organizations:ListOrganizationalUnitsForParent
      • pricing:GetProducts
      • rds:AddTagsToResource
      • rds:Describe*
      • rds:ListTagsForResource
      • rds:PurchaseReservedDBInstancesOffering
      • redshift:Describe*
      • redshift:TagResource
      • resource-groups:*
      • route53:Get*
      • route53:List*
      • s3:Get* (s3:::stackzone-${AWS::AccountId}-${AWS::Region})
      • s3:GetAccountPublicAccessBlock
      • s3:GetBucketAcl
      • s3:GetBucketLocation
      • s3:GetBucketLogging
      • s3:GetBucketPolicy
      • s3:GetBucketPolicyStatus
      • s3:GetBucketPublicAccessBlock
      • s3:GetBucketTagging
      • s3:GetBucketVersioning
      • s3:GetBucketWebsite
      • s3:List*
      • s3:List* (s3:::stackzone-${AWS::AccountId}-${AWS::Region})
      • s3:Put* (s3:::stackzone-${AWS::AccountId}-${AWS::Region})
      • s3:PutBucketTagging
      • sagemaker:Describe*
      • sagemaker:List*
      • savingsplans:CreateSavingsPlan
      • savingsplans:Describe*
      • savingsplans:ReturnSavingsPlan
      • sdb:GetAttributes
      • sdb:List*
      • secretsmanager:DescribeSecret
      • secretsmanager:ListSecrets
      • secretsmanager:TagResource
      • servicecatalog:DescribeProduct
      • servicecatalog:DescribeProvisionedProduct
      • servicecatalog:DescribeProvisioningArtifact
      • servicecatalog:GetProvisionedProductOutputs
      • servicecatalog:ProvisionProduct
      • servicecatalog:SearchProducts
      • servicecatalog:SearchProvisionedProducts
      • servicecatalog:TerminateProvisionedProduct
      • ses:Get*
      • ses:List*
      • sfn:ListStateMachines
      • sfn:ListTagsForResource
      • sns:Get*
      • sns:List*
      • sns:TagResource
      • sqs:GetQueueAttributes
      • sqs:GetQueueUrl
      • sqs:ListQueues
      • sqs:ListQueueTags
      • sqs:TagQueue
      • ssm:AddTagsToResource (lz-configuration*, org* & stackzone*)
      • ssm:DeleteParameter (lz-configuration*, org* & stackzone*)
      • ssm:DescribeAutomationExecutions
      • ssm:DescribeParameters
      • ssm:GetParameter* (lz-configuration*, org* & stackzone*)
      • ssm:GetServiceSetting
      • ssm:ListDocuments
      • ssm:PutParameter (lz-configuration*, org* & stackzone*)
      • ssm:RemoveTagsFromResource (lz-configuration*, org* & stackzone*)
      • ssm:UpdateServiceSetting (ssm:${AWS::Region}:${AWS::AccountId}:servicesetting/ssm/parameter-store/high-throughput-enabled)
      • states:TagResource
      • storagegateway:Describe*
      • storagegateway:List*
      • sts:GetFederationToken
      • tag:GetTagValues
      • tag:TagResources
      • workspaces:Describe*


  • Role: StackZoneSupportRole
    • Policy: StackZoneSupportPolicy
      • account:GetAccountInformation
      • autoscaling:Describe*
      • aws-portal:ViewBilling
      • billing:Get*
      • billing:List*
      • budgets:ModifyBudget
      • budgets:ViewBudget
      • ce:Describe*
      • ce:Get*
      • ce:List*
      • cloudformation:ContinueUpdateRollback
      • cloudformation:CreateStackInstances
      • cloudformation:DescribeStackEvents
      • cloudformation:DescribeStackResources
      • cloudformation:DescribeStacks
      • cloudformation:DescribeStackSet
      • cloudformation:GetStackPolicy
      • cloudformation:GetTemplate
      • cloudformation:GetTemplateSummary
      • cloudformation:ListStackInstances
      • cloudformation:ListStackResources
      • cloudformation:ListStacks
      • cloudformation:ListStackSetOperationResults
      • cloudformation:ListStackSetOperations
      • cloudformation:ListStackSets
      • cloudformation:RollbackStack
      • cloudfront:Get*
      • cloudfront:List*
      • cloudtrail:DescribeTrails
      • cloudtrail:GetEventSelectors
      • cloudtrail:ListTags
      • cloudwatch:Describe*
      • cloudwatch:Get*
      • cloudwatch:List*
      • codebuild:BatchGetBuilds
      • codebuild:BatchGetProjects
      • codebuild:ListBuildsForProject
      • codebuild:ListProjects
      • codecommit:ListRepositories
      • codepipeline:Get*
      • codepipeline:List*
      • codepipeline:RetryStageExecution
      • codepipeline:StopPipelineExecution
      • config:Deliver*
      • config:Describe*
      • config:Get*
      • config:List*
      • config:Select*
      • cur:Describe*
      • dms:Describe*
      • dms:List*
      • dynamodb:DescribeTable
      • dynamodb:List*
      • ec2:Describe*
      • ec2:DescribeReservedInstancesOfferings
      • ec2:GetReservedInstancesExchangeQuote
      • ec2:GetReservedInstancesExchangeQuote
      • ecs:Describe*
      • ecs:List*
      • elasticache:Describe*
      • elasticache:ListTagsForResource
      • elasticbeanstalk:Check*
      • elasticbeanstalk:Describe*
      • elasticbeanstalk:List*
      • elasticbeanstalk:RequestEnvironmentInfo
      • elasticbeanstalk:RetrieveEnvironmentInfo
      • elasticfilesystem:Describe*
      • elasticloadbalancing:Describe*
      • elasticmapreduce:Describe*
      • elasticmapreduce:List*
      • es:Describe*
      • es:List*
      • events:DescribeEventBus
      • events:ListRules
      • firehose:DescribeDeliveryStream
      • firehose:ListDeliveryStreams
      • iam:GenerateCredentialReport
      • iam:Get*
      • iam:List*
      • kinesis:Describe*
      • kinesis:List*
      • kms:DescribeKey
      • kms:GetKeyRotationStatus
      • kms:ListAliases
      • kms:ListKeys
      • lambda:Get*
      • lambda:List*
      • logs:DeleteLogGroup (log-group:/aws/lambda/StackZone-*)
      • logs:Describe*
      • logs:FilterLogEvents
      • logs:GetLogEvents
      • organizations:DescribeAccount
      • organizations:DescribeCreateAccountStatus
      • organizations:DescribeOrganization
      • organizations:DescribeOrganizationalUnit
      • organizations:DescribePolicy
      • organizations:List*
      • organizations:ListAccountsForParent
      • organizations:ListOrganizationalUnitsForParent
      • rds:Describe*
      • rds:ListTagsForResource
      • redshift:Describe*
      • route53:Get*
      • route53:List*
      • s3:Get* (s3:::stackzone-${AWS::AccountId}-${AWS::Region}/*")
      • s3:GetAccountPublicAccessBlock
      • s3:GetAnalyticsConfiguration
      • s3:GetBucketAcl
      • s3:GetBucketLocation
      • s3:GetBucketLogging
      • s3:GetBucketNotification
      • s3:GetBucketObjectLockConfiguration
      • s3:GetBucketPolicy
      • s3:GetBucketPolicyStatus
      • s3:GetBucketPublicAccessBlock
      • s3:GetBucketTagging
      • s3:GetBucketVersioning
      • s3:GetBucketWebsite
      • s3:GetEncryptionConfiguration
      • s3:GetIntelligentTieringConfiguration
      • s3:GetInventoryConfiguration
      • s3:GetLifecycleConfiguration
      • s3:GetReplicationConfiguration
      • s3:List*
      • s3:List* (s3:::stackzone-${AWS::AccountId}-${AWS::Region}/*")
      • sagemaker:Describe*
      • sagemaker:List*
      • savingsplans:DescribeSavingsPlans
      • schemas:ListDiscoverers
      • sdb:GetAttributes
      • sdb:List*
      • servicecatalog:DescribeProduct
      • servicecatalog:DescribeProvisionedProduct
      • servicecatalog:DescribeRecord
      • servicecatalog:SearchProducts
      • servicecatalog:SearchProvisionedProducts
      • servicecatalog:TerminateProvisionedProduct (servicecatalog:${AWS::Region}:${AWS::AccountId}:stack/lz_*)
      • servicequotas:Get*
      • servicequotas:List*
      • ses:Get*
      • ses:List*
      • sns:Get*
      • sns:List*
      • sqs:GetQueueAttributes
      • sqs:ListQueues
      • ssm:DeleteParameter (lz-configuration*, org* & stackzone*)
      • ssm:DescribeAutomationExecutions
      • ssm:DescribeParameters
      • ssm:GetAutomationExecution
      • ssm:GetParameter* (lz-configuration*, org* & stackzone*)
      • ssm:GetServiceSetting
      • ssm:ListDocuments
      • ssm:ListTagsForResource (lz-configuration*, org* & stackzone*)
      • ssm:PutParameter (lz-configuration*, org* & stackzone*)
      • states:DescribeActivity
      • states:DescribeExecution
      • states:DescribeStateMachine
      • states:DescribeStateMachineForExecution
      • states:GetExecutionHistory
      • states:ListExecutions
      • states:ListStateMachines
      • states:StartExecution
      • states:StopExecution
      • storagegateway:Describe*
      • storagegateway:List*
      • sts:GetFederationToken
      • wellarchitected:Get*
      • wellarchitected:List*
      • workspaces:Describe*


  • Role: StackZoneRole
    • Policy: StackZoneRoleManagedPolicy
      • ce:*
      • cloudformation:*
      • codebuild:*
      • codepipeline:*
      • ec2:CreateTags
      • events:*
      • iam:AttachRolePolicy
      • iam:CreatePolicy
      • iam:CreatePolicyVersion
      • iam:CreateRole
      • iam:CreateServiceLinkedRole
      • iam:DeletePolicy
      • iam:DeletePolicyVersion
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:DetachRolePolicy
      • iam:GetPolicy
      • iam:GetRole
      • iam:GetRolePolicy
      • iam:ListPolicyVersions
      • iam:ListRoleTags
      • iam:PassRole
      • iam:PutRolePolicy
      • iam:TagRole
      • iam:UpdateAssumeRolePolicy
      • kms:*
      • lambda:AddLayerVersionPermission
      • lambda:AddPermission
      • lambda:CreateFunction
      • lambda:DeleteFunction
      • lambda:DeleteFunctionConcurrency
      • lambda:DeleteLayerVersion
      • lambda:GetFunction
      • lambda:GetFunctionCodeSigningConfig
      • lambda:GetFunctionConfiguration
      • lambda:GetLayerVersion
      • lambda:InvokeFunction
      • lambda:ListTags
      • lambda:PublishLayerVersion
      • lambda:PutFunctionConcurrency
      • lambda:RemoveLayerVersionPermission
      • lambda:RemovePermission
      • lambda:TagResource
      • lambda:UntagResource
      • lambda:UpdateFunctionCode
      • lambda:UpdateFunctionConfiguration
      • logs:CreateLogGroup
      • logs:CreateLogStream
      • logs:DeleteLogGroup
      • logs:ListTagsForResource
      • logs:ListTagsLogGroup
      • logs:PutLogEvents
      • logs:PutRetentionPolicy
      • logs:TagLogGroup
      • logs:TagResource
      • logs:UntagLogGroup
      • logs:UntagResource
      • organizations:*
      • resource-groups:*
      • s3:CreateBucket
      • s3:DeleteBucket
      • s3:DeleteBucket
      • s3:DeleteBucketPolicy
      • s3:DeleteObject
      • s3:DeleteObjectVersion
      • s3:GetBucketPolicy
      • s3:GetBucketVersioning
      • s3:GetObject
      • s3:ListAllMyBuckets
      • s3:ListBucket
      • s3:ListBucketVersions
      • s3:PutBucketLogging
      • s3:PutBucketNotification
      • s3:PutBucketPolicy
      • s3:PutBucketPublicAccessBlock
      • s3:PutBucketTagging
      • s3:PutBucketVersioning
      • s3:PutEncryptionConfiguration
      • s3:PutLifecycleConfiguration
      • sqs:*
      • ssm:*
      • states:*sts:AssumeRole (role/AWSCloudFormationStackSetExecutionRole)
      • tag:TagResources
    • Policy: StackZoneIdentityPolicy
      • access-analyzer:GetFinding
      • access-analyzer:ListFindings
      • access-analyzer:UpdateFindings
      • ds:DescribeDirectories
      • iam:AttachRolePolicy (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
      • iam:CreateRole (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
      • iam:CreateSAMLProvider (saml-provider/AWSSSO_*")
      • iam:DeleteRole (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
      • iam:DetachRolePolicy (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
      • iam:GetRole (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
      • iam:ListAttachedRolePolicies (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
      • iam:ListRolePolicies (role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*)
      • identitystore:CreateGroup
      • identitystore:CreateGroupMembership
      • identitystore:CreateUser
      • identitystore:DeleteGroup
      • identitystore:DeleteGroupMembership
      • identitystore:DeleteUser
      • identitystore:DescribeGroup
      • identitystore:DescribeUser
      • identitystore:ListGroupMemberships
      • identitystore:ListGroupMembershipsForMember
      • identitystore:ListGroups
      • identitystore:ListUsers
      • sso:AttachManagedPolicyToPermissionSet
      • sso:CreateAccountAssignment
      • sso:CreatePermissionSet
      • sso:DeleteAccountAssignment
      • sso:DeletePermissionSet
      • sso:DescribeAccountAssignmentCreationStatus
      • sso:DescribeAccountAssignmentDeletionStatus
      • sso:DescribePermissionSet
      • sso:ListAccountAssignments
      • sso:ListAccountAssignmentsForPrincipal
      • sso:ListInstances
      • sso:ListPermissionSets
      • sso:ListPermissionSetsProvisionedToAccount
      • sso:ProvisionPermissionSet
      • sso:SearchGroups
      • sso:SearchUsers
    • Policy: StackZoneSustainabilityPolicy
      • sustainability:*
    • Policy: StackZoneContactCenterPolicy
      • connect:*
      • connect:CreateInstance
      • connect:ListInstances
      • ds:AuthorizeApplication
      • ds:CheckAlias
      • ds:CheckAlias
      • ds:CreateAlias
      • ds:CreateAlias
      • ds:CreateIdentityPoolDirectory
      • ds:DeleteDirectory
      • ds:DescribeDirectories
      • ds:UnauthorizeApplication
      • firehose:DescribeDeliveryStream
      • firehose:ListDeliveryStreams
      • iam:CreateServiceLinkedRole
      • iam:CreateServiceLinkedRole (role/aws-service-role/profile.amazonaws.com/*)
      • iam:DeleteServiceLinkedRole (iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*)
      • iam:PutRolePolicy (iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*")
      • kinesis:DescribeStream
      • kinesis:ListStreams
      • kms:DescribeKey
      • kms:ListAliases
      • lambda:ListFunctions
      • lex:GetBots
      • lex:ListBotAliases
      • lex:ListBots
      • logs:CreateLogGroup
      • profile:AddProfileKey (domains/amazon-connect-*)
      • profile:CreateDomain (domains/amazon-connect-*)
      • profile:CreateProfile (domains/amazon-connect-*)
      • profile:DeleteDomain (domains/amazon-connect-*)
      • profile:DeleteIntegration (domains/amazon-connect-*)
      • profile:DeleteProfile (domains/amazon-connect-*)
      • profile:DeleteProfileKey (domains/amazon-connect-*)
      • profile:DeleteProfileObject (domains/amazon-connect-*)
      • profile:DeleteProfileObjectType (domains/amazon-connect-*)
      • profile:GetDomain
      • profile:GetIntegration (domains/amazon-connect-*)
      • profile:GetMatches (domains/amazon-connect-*)
      • profile:GetProfileObjectType
      • profile:GetProfileObjectType (domains/amazon-connect-*)
      • profile:ListAccountIntegrations
      • profile:ListDomains
      • profile:ListIntegrations (domains/amazon-connect-*)
      • profile:ListProfileObjects (domains/amazon-connect-*)
      • profile:ListProfileObjectTypes (domains/amazon-connect-*)
      • profile:ListProfileObjectTypeTemplates
      • profile:ListTagsForResource (domains/amazon-connect-*)
      • profile:MergeProfiles (domains/amazon-connect-*)
      • profile:PutIntegration (domains/amazon-connect-*)
      • profile:PutProfileObject (domains/amazon-connect-*)
      • profile:PutProfileObjectType (domains/amazon-connect-*)
      • profile:SearchProfiles (domains/amazon-connect-*)
      • profile:TagResource (domains/amazon-connect-*)
      • profile:UntagResource (domains/amazon-connect-*)
      • profile:UpdateDomain (domains/amazon-connect-*)
      • profile:UpdateProfile (domains/amazon-connect-*)
      • s3:CreateBucket (s3:::amazon-connect-*)
      • s3:GetBucketAcl (s3:::amazon-connect-*)
      • s3:GetBucketLocation
      • s3:GetObject (s3:::amazon-connect-*)
      • s3:GetObjectAcl (s3:::amazon-connect-*)
      • s3:ListAllMyBuckets
      • s3:PutBucketAcl (s3:::amazon-connect-*)
      • s3:PutBucketOwnershipControls (s3:::amazon-connect-*)
      • s3:PutObject (s3:::amazon-connect-*)
      • s3:PutObjectAcl (s3:::amazon-connect-*)
      • servicequotas:GetServiceQuota (servicequotas:*:*:connect/*)
    • Policy: StackZoneOperationsPolicy
      • acm:AddTagsToCertificate
      • acm:DeleteCertificate
      • acm:ListCertificates
      • acm:ListTagsForCertificate
      • autoscaling:DeleteAutoScalingGroup
      • backup:ListBackupJobs
      • backup:ListRestoreJobs
      • backup:StartBackupJob
      • cloudformation:UpdateTerminationProtection
      • cloudfront:ListTagsForResource
      • cloudfront:TagResource
      • cloudwatch:ListTagsForResource
      • cloudwatch:TagResource
      • config:StartRemediationExecution
      • dynamodb:CreateBackup
      • dynamodb:DeleteTable
      • dynamodb:TagResource
      • dynamodb:UpdateTable
      • ec2:AssociateVpcCidrBlock
      • ec2:AttachVolume
      • ec2:CreateSnapshot
      • ec2:CreateTags
      • ec2:DeleteInternetGateway
      • ec2:DeleteRouteTable
      • ec2:DeleteSecurityGroup
      • ec2:DeleteSnapshot
      • ec2:DeleteSubnet
      • ec2:DeleteVolume
      • ec2:DeleteVpc
      • ec2:DeleteVpcEndpoints
      • ec2:DescribeInternetGateways
      • ec2:DescribeRouteTables
      • ec2:DescribeSecurityGroups
      • ec2:DescribeSubnets
      • ec2:DescribeVolumes
      • ec2:DetachInternetGateway
      • ec2:DetachVolume
      • ec2:ModifyInstanceAttribute
      • ec2:ModifySnapshotAttribute
      • ec2:ModifyVolume
      • ec2:ModifyVpcAttribute
      • ec2:RebootInstances
      • ec2:ReleaseAddress
      • ec2:StartInstances
      • ec2:StopInstances
      • ec2:TerminateInstances
      • ecr:DescribeRepositories
      • ecr:ListTagsForResource
      • ecr:TagResource
      • ecs:DeleteCluster
      • ecs:DeleteService
      • eks:DeleteCluster
      • eks:DescribeAddonVersions
      • eks:UpdateClusterVersion
      • elasticache:AddTagsToResource
      • elasticache:CreateSnapshot
      • elasticache:DeleteCacheCluster
      • elasticache:DescribeCacheClusters
      • elasticache:ListTagsForResource
      • elasticache:ModifyCacheCluster
      • elasticache:RebootCacheCluster
      • elasticfilesystem:DeleteFileSystem
      • elasticfilesystem:PutBackupPolicy
      • elasticloadbalancing:DeleteLoadBalancer
      • elasticloadbalancing:ModifyLoadBalancerAttributes
      • guardduty:ArchiveFindings
      • guardduty:DescribeMalwareScans
      • guardduty:GetFindings
      • guardduty:ListDetectors
      • guardduty:ListFindings
      • guardduty:StartMalwareScan
      • guardduty:UnarchiveFindings
      • iam:CreateServiceLinkedRole (StringLike: iam:AWSServiceName: malware-protection.guardduty.amazonaws.com)
      • iam:DeleteGroup
      • iam:DeleteRole
      • iam:DeleteUser
      • iam:PassRole (iam:PassedToService: backup.amazonaws.com)
      • iam:PassRole (iam:PassedToService: ssm.amazonaws.com)
      • kinesis:AddTagsToStream
      • kinesis:ListTagsForStream
      • kms:CancelKeyDeletion
      • kms:DisableKey
      • kms:DisableKeyRotation
      • kms:EnableKey
      • kms:EnableKeyRotation
      • kms:GetKeyRotationStatus
      • kms:ScheduleKeyDeletion
      • lambda:DeleteFunction
      • lambda:GetFunction
      • lambda:GetFunctionConfiguration
      • lambda:ListTags
      • lambda:TagResource
      • lambda:UpdateFunctionConfiguration
      • logs:ListTagsLogGroup
      • logs:TagLogGroup
      • organizations:CloseAccount
      • organizations:CreateAccount
      • organizations:InviteAccountToOrganization
      • organizations:MoveAccount
      • organizations:RemoveAccountFromOrganization
      • organizations:TagResource
      • rds:AddTagsToResource
      • rds:CreateDBClusterSnapshot
      • rds:CreateDBSnapshot
      • rds:DeleteDBCluster
      • rds:DeleteDBInstance
      • rds:ModifyDBCluster
      • rds:ModifyDBInstance
      • rds:RebootDBCluster
      • rds:RebootDBInstance
      • rds:StartDBCluster
      • rds:StartDBInstance
      • rds:StopDBCluster
      • rds:StopDBInstance
      • redshift:CreateClusterSnapshot
      • redshift:CreateTags
      • redshift:DeleteCluster
      • redshift:DescribeClusters
      • redshift:DescribeTags
      • redshift:ModifyCluster
      • redshift:PauseCluster
      • redshift:RebootCluster
      • redshift:ResumeCluster
      • resource-explorer-2:Search
      • route53:DeleteHostedZone
      • s3:DeleteBucket
      • s3:DeleteObject
      • s3:DeleteObjectVersion
      • s3:GetBucketTagging
      • s3:PutBucketTagging
      • s3:PutBucketVersioning
      • s3:PutEncryptionConfiguration
      • secretsmanager:DeleteSecret
      • secretsmanager:DescribeSecret
      • secretsmanager:ListSecrets
      • secretsmanager:RestoreSecret
      • secretsmanager:TagResource
      • sns:DeleteTopic
      • sns:ListSubscriptionsByTopic
      • sns:SetTopicAttributes
      • sns:Subscribe
      • sns:TagResource
      • sns:Unsubscribe
      • sqs:DeleteQueue
      • sqs:GetQueueAttributes
      • sqs:GetQueueUrl
      • sqs:ListQueues
      • sqs:listqueuetags
      • sqs:PurgeQueue
      • sqs:SetQueueAttributes
      • sqs:TagQueue
      • ssm:DeleteDocument
      • ssm:DescribeOpsItems
      • ssm:GetDocument
      • ssm:StartAutomationExecution
      • ssm:StartSession
      • ssm:TerminateSession
      • states:ListStateMachines
      • states:ListTagsForResource
      • states:TagResource
      • support:DescribeCases
      • tag:GetResources
      • tag:GetTagKeys
      • tag:GetTagValues
      • tag:TagResources
      • tag:UntagResources
      • wellarchitected:AssociateLenses
      • wellarchitected:CreateMilestone
      • wellarchitected:CreateWorkload
      • wellarchitected:DeleteWorkload
      • wellarchitected:DisassociateLenses
      • wellarchitected:GetAnswer
      • wellarchitected:GetLens
      • wellarchitected:GetLensReview
      • wellarchitected:GetMilestone
      • wellarchitected:GetWorkload
      • wellarchitected:ListAnswers
      • wellarchitected:ListLenses
      • wellarchitected:ListMilestones
      • wellarchitected:ListWorkloads
      • wellarchitected:UpdateAnswer
      • wellarchitected:UpdateWorkload
      • workspaces:RebootWorkspaces
      • workspaces:StartWorkspaces
      • workspaces:StopWorkspaces
      • workspaces:TerminateWorkspaces
      • (Deny) iam:DeleteGroup (iam::*:role/StackZone*, iam::*:user/StackZone* & iam::*:group/StackZone*)
      • (Deny) iam:DeleteRole (iam::*:role/StackZone*, iam::*:user/StackZone* & iam::*:group/StackZone*)
      • (Deny) iam:DeleteUser (iam::*:role/StackZone*, iam::*:user/StackZone* & iam::*:group/StackZone*


  • Role: AWSCloudFormationStackSetExecutionRole
    • Policy: Assume Role Policy
      • Allowed principals:
        • ${AWSCloudFormationStackSetAdministrationRole.Arn}
        • ${StateMachineLambdaRole.Arn}
        • ${LandingZoneLambdaRole.Arn}
      • sts:AssumeRole (iam::aws:policy/AdministratorAccess)


Note that the effect for all of the actions is Allow and the resource is "*" unless the opposite is indicated in brackets.

How do you protect your StackZone Prod Account?

  • We eat our own dog food! Which means, we are protected by more than 100+ Config Rules and GuardRails, in short, we have StackZone enabled in our own cloud accounts.
  • We follow the principle of least privilege, so only team members that have an actual business need can access to that account.
  • All of our team requires MFA to login to our production environment.


If you have any question or concern regarding this, please feel free to contact us via our Live Chat Support or by email to [email protected]


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

0 out of 0 liked this article

Still need help? Message Us