CloudFormation stacks should have associated service roles

Description

By default, CloudFormation creates, updates and deletes resources using the credentials of the IAM principal that invoked the operation, so every operator (human or CI pipeline) must hold the full set of permissions for every resource in the template. When a stack has a service role (an IAM role that trusts cloudformation.amazonaws.com), CloudFormation assumes that role for its operations instead, and the operator only needs permission to call CloudFormation plus iam:PassRole on that specific role. This lets you scope what CloudFormation can do to exactly what the template requires, following the principle of least privilege, keeps broad resource permissions off operator identities, and makes stack operations easier to audit because they appear in CloudTrail under the role. Note that the role ARN is stored with the stack and is used for all later operations, including deletion, until it is changed, and that anyone allowed to pass an over-permissive role effectively gains its permissions, so restrict iam:PassRole as tightly as the role's own policy.

Remediation

Create an IAM role whose trust policy allows cloudformation.amazonaws.com to assume it, grant it only the permissions the stack's resources require, then associate it with the stack. The identity that runs the update needs iam:PassRole on that role.

From the console

  1. Open the AWS CloudFormation console.
  2. Select the stack you want to update.
  3. Choose Stack actions, then Update stack.
  4. In the Permissions section of the Configure stack options page, select an existing IAM role or create a new one.
  5. Complete the stack update wizard.

From the command line

aws cloudformation update-stack \
    --stack-name <stack-name> \
    --role-arn arn:aws:iam::123456789012:role/CloudFormationServiceRole \
    --use-previous-template
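The following is an added example, not part of the original check text, that carries the remediation through end to end in Python with boto3 (the API calls mirror the aws CLI commands above): it builds the service role's trust policy and a least-privilege permissions policy, builds the iam:PassRole grant the operator needs, finds stacks that still have no RoleARN, and issues the same update-stack call as the command above. The account ID, role name, stack names and the S3 action list are assumptions chosen for illustration; boto3 is only imported inside the two functions that talk to AWS, so the policy builders and the audit logic run offline against the constructed sample response.

```python
"""Added example (not from the original check text): audit stacks that have no
service role and attach a least-privilege one. Assumes boto3 is installed for
the live calls; the policy builders and the audit function are pure Python and
run offline against the constructed sample below."""
import json

CFN_SERVICE = "cloudformation.amazonaws.com"


def cfn_trust_policy(account_id: str) -> dict:
    """Trust policy for the service role. Only the CloudFormation service
    principal may assume it, and only for requests that originate from stacks in
    account_id: the aws:SourceAccount condition stops a stack in some other
    account from naming our role ARN (cross-service confused deputy). Use
    aws:SourceArn as well if the role should serve only specific stacks."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": CFN_SERVICE},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
            }
        ],
    }


def cfn_permissions_policy(actions, resources) -> dict:
    """Permissions for the service role: exactly the API actions the template's
    resources need, nothing more. The caller supplies the list; the S3 actions
    used in the test are an assumption for a template that manages one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": list(resources)}
        ],
    }


def operator_pass_role_policy(role_arn: str) -> dict:
    """What the human or CI identity that runs update-stack needs besides the
    cloudformation:* calls: iam:PassRole on this one role, and only when it is
    passed to CloudFormation. Without the iam:PassedToService condition the same
    grant would let the operator hand the role to any other service."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": CFN_SERVICE}},
            }
        ],
    }


def stacks_without_service_role(describe_stacks_response: dict) -> list:
    """Names of stacks that still run under the caller's credentials.
    DescribeStacks only includes the RoleARN key when a service role is set."""
    return [
        stack["StackName"]
        for stack in describe_stacks_response.get("Stacks", [])
        if not stack.get("RoleARN")
    ]


# Constructed sample of a DescribeStacks response, trimmed to the relevant keys.
SAMPLE_DESCRIBE_STACKS = {
    "Stacks": [
        {"StackName": "app-prod", "StackStatus": "UPDATE_COMPLETE",
         "RoleARN": "arn:aws:iam::123456789012:role/CloudFormationServiceRole"},
        {"StackName": "legacy-network", "StackStatus": "CREATE_COMPLETE"},
    ]
}


def attach_service_role(stack_name: str, role_arn: str, capabilities=()) -> str:
    """boto3 equivalent of the update-stack command above: keep the current
    template and only set the role. Templates that create IAM resources still
    need CAPABILITY_IAM / CAPABILITY_NAMED_IAM here, as on any other update."""
    import boto3  # lazy import so the offline parts of this module work without it

    cfn = boto3.client("cloudformation")
    params = {"StackName": stack_name, "RoleARN": role_arn, "UsePreviousTemplate": True}
    if capabilities:
        params["Capabilities"] = list(capabilities)
    return cfn.update_stack(**params)["StackId"]


def audit_live_account() -> list:
    """Every stack in the current region that has no service role."""
    import boto3

    cfn = boto3.client("cloudformation")
    missing = []
    for page in cfn.get_paginator("describe_stacks").paginate():
        missing.extend(stacks_without_service_role(page))
    return missing


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/CloudFormationServiceRole"
    print("stacks without a service role:", stacks_without_service_role(SAMPLE_DESCRIBE_STACKS))
    print(json.dumps(cfn_trust_policy("123456789012"), indent=2))
    print(json.dumps(operator_pass_role_policy(role), indent=2))
```

Run it as-is to see the audit over the sample and the two policy documents; call audit_live_account() and attach_service_role() with real credentials to apply the remediation. The same --role-arn / RoleARN parameter is accepted by create-stack and by aws cloudformation deploy, so new stacks can be created with the role from the start instead of being fixed afterwards.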