giuseppe-trisciuoglio/developer-kit

Comprehensive developer toolkit providing reusable skills for Java/Spring Boot, TypeScript/NestJS/React/Next.js, Python, PHP, AWS CloudFormation, AI/RAG, DevOps, and more.

plugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-iam/references/reference.md

AWS CloudFormation IAM - Reference

This reference guide contains detailed information about AWS CloudFormation resources, intrinsic functions, and configurations for IAM infrastructure.

AWS::IAM::User

Creates an IAM user for your AWS account.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| UserName | String | No | The name of the user; CloudFormation generates a unique name if omitted |
| Path | String | No | The path for the user name |
| Groups | List of String | No | Group names to add the user to |
| LoginProfile | LoginProfile | No | Console password settings (Password, PasswordResetRequired) |
| ManagedPolicyArns | List of String | No | Managed policy ARNs to attach to the user |
| PermissionsBoundary | String | No | ARN of the managed policy used as the permissions boundary |
| Policies | List of Policy | No | Inline policies embedded in the user |
| Tags | List of Tag | No | Tags to attach to the user |

Policy Structure

Policy:
  PolicyName: String
  PolicyDocument: PolicyDocument

PolicyDocument Structure

PolicyDocument:
  Version: String
  Statement: List of Statement

Statement Structure

Statement:
  - Sid: String
    Effect: String
    Principal: Principal
    NotPrincipal: Principal
    Action: List of String or String
    NotAction: List of String or String
    Resource: List of String or String
    NotResource: List of String or String
    Condition: Condition

Principal and NotPrincipal are valid only in resource-based policies (bucket policies, key policies) and in a role's AssumeRolePolicyDocument. Identity policies attached through Policies, ManagedPolicyArns, AWS::IAM::Policy, or AWS::IAM::ManagedPolicy must omit them; IAM rejects such a document with MalformedPolicyDocument.

Example

Resources:
  AppUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub "${AWS::StackName}-app-user"
      Path: /applications/
      Groups:
        - !Ref AppUserGroup
      ManagedPolicyArns:
        # ReadOnlyAccess grants read on every service in the account; remove it
        # once the inline policy below lists what the application actually needs
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-custom-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                # ListBucket is evaluated against the bucket ARN, GetObject
                # against the object ARN, so both forms are needed
                Resource:
                  - !Ref DataBucketArn
                  - !Sub "${DataBucketArn}/*"
      Tags:
        - Key: Environment
          Value: !Ref Environment

Attributes

| Reference | Returns |
|---|---|
| Ref | The user name |
| Fn::GetAtt Arn | The ARN of the user |

AWS::IAM::Role

Creates an IAM role that you can assume to delegate permissions.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| RoleName | String | No | The name of the role; CloudFormation generates one if omitted |
| AssumeRolePolicyDocument | PolicyDocument | Yes | The trust policy: which principals may assume the role, under which conditions |
| Path | String | No | The path for the role name |
| ManagedPolicyArns | List of String | No | Managed policy ARNs to attach to the role |
| MaxSessionDuration | Integer | No | Maximum session duration in seconds, 3600 to 43200 (default 3600); role chaining is always capped at 3600 |
| PermissionsBoundary | String | No | ARN of the managed policy used as the permissions boundary |
| Policies | List of Policy | No | Inline policies embedded in the role |
| Description | String | No | A description for the role |
| Tags | List of Tag | No | Tags to attach to the role |

Principal Types

Principal:
  Service: List of String or String
  AWS: List of String or String
  Federated: List of String or String

Example with Service Principal

Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-lambda-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      MaxSessionDuration: 3600
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-dynamodb-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                Resource: !GetAtt DataTable.Arn

Example with AWS Principal

Resources:
  CrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-crossaccount"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # :root trusts every principal in the source account whose own IAM
              # policies allow sts:AssumeRole; name a specific role ARN instead
              # when the caller is known
              AWS: !Sub "arn:aws:iam::${SourceAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                # the external ID defends against the confused-deputy problem
                # when a third party assumes this role on your behalf
                sts:ExternalId: !Ref ExternalId
      Policies:
        - PolicyName: ReadOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                # "*" reads every bucket in the account; scope to the bucket ARN
                # and "<bucket ARN>/*" as in the AWS::IAM::User example
                Resource: "*"

Attributes

| Reference | Returns |
|---|---|
| Ref | The role name |
| Fn::GetAtt Arn | The ARN of the role |
| Fn::GetAtt RoleId | The unique identifier for the role |

AWS::IAM::Policy

Creates an inline policy and embeds it in one or more IAM users, groups, or roles. The policy is not a standalone IAM object and has no ARN; it is deleted with the identities it is embedded in.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| PolicyName | String | Yes | The name of the policy |
| PolicyDocument | PolicyDocument | Yes | The policy document |
| Groups | List of String | No | Group names to embed the policy in |
| Roles | List of String | No | Role names to embed the policy in |
| Users | List of String | No | User names to embed the policy in |

At least one of Groups, Roles, or Users must be given; the stack fails otherwise. There is no ManagedPolicyArns property on this resource; attach managed policies on the user, group, or role itself.

Example

Resources:
  S3ReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub "${AWS::StackName}-s3-read"
      Groups:
        - !Ref ReadOnlyGroup
      Roles:
        - !Ref ReadOnlyRole
      Users:
        - !Ref ReadOnlyUser
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:ListBucket
            Resource:
              - !Ref DataBucketArn
              - !Sub "${DataBucketArn}/*"

Attributes

| Reference | Returns |
|---|---|
| Ref | The resource name |
| Fn::GetAtt Id | The ID of the policy (inline policies have no ARN) |

AWS::IAM::ManagedPolicy

Creates a managed policy that you can attach to multiple users, groups, or roles.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| ManagedPolicyName | String | No | The name of the managed policy |
| Description | String | No | A description of the managed policy |
| Path | String | No | The path for the policy name |
| Groups | List of String | No | Group names to attach the policy to |
| Roles | List of String | No | Role names to attach the policy to |
| Users | List of String | No | User names to attach the policy to |
| PolicyDocument | PolicyDocument | Yes | The policy document |

Example

Resources:
  CustomReadOnlyPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "${AWS::StackName}-custom-readonly"
      Description: Custom read-only access policy
      Path: /custom/
      Groups:
        - !Ref AppGroup
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Wildcard actions on Resource "*" read every bucket and table in the
          # account, including any that hold secrets or backups; narrow Resource
          # to the ARNs this group needs before using this in production
          - Effect: Allow
            Action:
              - s3:Get*
              - s3:List*
            Resource: "*"
          - Effect: Allow
            Action:
              - dynamodb:Get*
              - dynamodb:Query
              - dynamodb:Scan
            Resource: "*"

Attributes

| Reference | Returns |
|---|---|
| Ref | The ARN of the managed policy |
| Fn::GetAtt PolicyArn | The ARN of the managed policy |
| Fn::GetAtt PolicyId | The stable ID of the managed policy |

AWS::IAM::User LoginProfile

There is no AWS::IAM::UserLoginProfile resource type. A console password is created through the LoginProfile property of AWS::IAM::User; the password allows access to the AWS Management Console.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| Password | String | Yes | The user's console password |
| PasswordResetRequired | Boolean | No | Whether the user must change the password at first sign-in |

Example

Parameters:
  InitialPassword:
    Type: String
    NoEcho: true   # masks the value in the console and in DescribeStacks output

Resources:
  ConsoleUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub "${AWS::StackName}-console-user"
      LoginProfile:
        Password: !Ref InitialPassword
        PasswordResetRequired: true

NoEcho only masks the parameter in CloudFormation output; the password still travels in clear text through whatever invokes the deployment. A dynamic reference of the form {{resolve:secretsmanager:secret-name}} keeps it out of the template and pipeline logs entirely. For human users prefer IAM Identity Center (AWS::SSO::PermissionSet and AWS::SSO::AccountAssignment below) over IAM console passwords.

AWS::IAM::AccessKey

Creates an access key and secret key for an IAM user.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| UserName | String | Yes | The name of the IAM user |
| Status | String | No | Active or Inactive (default Active) |
| Serial | Integer | No | Changing this value makes CloudFormation replace the key, which is how a key is rotated from a template |

Example

Resources:
  AppUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub "${AWS::StackName}-app-user"

  UserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref AppUser
      Status: Active
      # bump Serial to force replacement (rotation) of the key
      Serial: 1

  UserSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}/credentials"
      # Fn::Sub resolves ${LogicalId} like Ref and ${LogicalId.Attribute} like
      # Fn::GetAtt. Write the secret key here and nowhere else: never put
      # SecretAccessKey in Outputs, where anyone with
      # cloudformation:DescribeStacks can read it.
      SecretString: !Sub |
        {
          "aws_access_key_id": "${UserAccessKey}",
          "aws_secret_access_key": "${UserAccessKey.SecretAccessKey}"
        }

Access keys are long-term credentials. Use them only for workloads that cannot assume a role (instance profile, Lambda execution role, OIDC federation); the Security Recommendations below apply.

Attributes

| Reference | Returns |
|---|---|
| Ref | The access key ID |
| Fn::GetAtt SecretAccessKey | The secret access key |

AWS::IAM::InstanceProfile

Creates an instance profile that can be used to pass an IAM role to an EC2 instance.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| InstanceProfileName | String | No | The name of the instance profile |
| Roles | List of String | Yes | Role names to associate with the instance profile (exactly one role) |
| Path | String | No | The path for the instance profile name |

Example

Resources:
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-ec2-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Sub "${AWS::StackName}-profile"
      Roles:
        - !Ref EC2Role

  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId        # required; an AMI ID parameter (assumed here)
      InstanceType: t3.micro
      # Ref on an instance profile returns its name, which is what this expects
      IamInstanceProfile: !Ref EC2InstanceProfile

The role's credentials are served to the instance by the metadata service. Enforce IMDSv2 (MetadataOptions with HttpTokens set to required, configured on an AWS::EC2::LaunchTemplate) so that an SSRF bug in software on the instance cannot fetch them with a single GET.

Attributes

| Reference | Returns |
|---|---|
| Ref | The instance profile name |
| Fn::GetAtt Arn | The ARN of the instance profile |

AWS::IAM::UserToGroupAddition

Adds an IAM user to an IAM group.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| GroupName | String | Yes | The name of the group |
| Users | List of String | Yes | User names to add to the group |

Example

Resources:
  DevelopersGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Sub "${AWS::StackName}-developers"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

  AppUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub "${AWS::StackName}-developer"

  UserGroupMembership:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref DevelopersGroup
      Users:
        - !Ref AppUser
        # list further AWS::IAM::User logical IDs declared in this template here

AWS::IAM::ServerCertificate

Uploads a server certificate and saves it in IAM.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| ServerCertificateName | String | No | The name for the server certificate |
| CertificateBody | String | Yes | The PEM-encoded certificate |
| PrivateKey | String | Yes | The PEM-encoded, unencrypted private key |
| CertificateChain | String | No | The PEM-encoded intermediate chain |
| Path | String | No | The path for the server certificate |

Example

Parameters:
  CertificateBodyPem:
    Type: String
  CertificateChainPem:
    Type: String

Resources:
  SSLCertificate:
    Type: AWS::IAM::ServerCertificate
    Properties:
      ServerCertificateName: !Sub "${AWS::StackName}-ssl-cert"
      # The certificate and chain are public; passing them as parameters is fine.
      CertificateBody: !Ref CertificateBodyPem
      CertificateChain: !Ref CertificateChainPem
      # Never paste the private key into the template: templates are committed
      # to source control, uploaded to S3, and returned by GetTemplate. Resolve
      # it at deploy time from Secrets Manager instead (secret name is a placeholder).
      PrivateKey: "{{resolve:secretsmanager:prod/tls/example-private-key}}"

The private key must be unencrypted PEM; IAM cannot use a passphrase-protected key. Use IAM server certificates only where ACM is not an option (ACM handles renewal and never exposes the key); if a private key has ever been committed in a template, treat it as compromised and reissue the certificate.

Attributes

AttributeDescription
ArnThe ARN of the server certificate

AWS::Organizations::Policy

Creates a policy in an organization or in an organizational unit.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| Name | String | Yes | The name of the policy |
| Description | String | No | A description of the policy |
| Type | String | Yes | SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, or AISERVICES_OPT_OUT_POLICY (no underscore between AI and SERVICES) |
| Content | JSON | Yes | The policy content, as a JSON object (written in YAML below) or a JSON string |
| TargetIds | List of String | No | Root, organizational unit, or account IDs to attach the policy to |

Example with SCP

Resources:
  RestrictiveSCP:
    Type: AWS::Organizations::Policy
    Properties:
      Name: !Sub "${AWS::StackName}-restrictive"
      Description: SCP to restrict dangerous operations
      Type: SERVICE_CONTROL_POLICY
      # An SCP caps what principals in member accounts can do. It grants nothing
      # by itself and never applies to the management account.
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyDeleteProduction
            Effect: Deny
            Action:
              - s3:DeleteBucket
              - dynamodb:DeleteTable
              - rds:DeleteDBInstance
            Resource: "*"
            Condition:
              StringEquals:
                aws:ResourceTag/environment: production
          - Sid: RequireEncryption
            Effect: Deny
            Action:
              - s3:PutObject
            Resource: "*"
            Condition:
              # StringNotEquals also matches when the header is absent, so this
              # denies every PutObject that does not name an accepted algorithm
              StringNotEquals:
                s3:x-amz-server-side-encryption:
                  - AES256
                  - aws:kms
      # Attach to an OU or account; omit TargetIds to create the policy unattached
      # TargetIds:
      #   - !Ref WorkloadsOuId

AWS::SSO::PermissionSet

Creates a permission set that you can assign to your workforce identities.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| InstanceArn | String | Yes | The ARN of the IAM Identity Center (SSO) instance |
| PermissionSetName | String | Yes | The name of the permission set |
| Description | String | No | A description of the permission set |
| SessionDuration | String | No | Session length in ISO 8601 duration format (for example PT1H) |
| RelayStateType | String | No | The relay state URL users land on after sign-in |
| ManagedPolicies | List of String | No | AWS managed policy ARNs to include |
| InlinePolicy | String or JSON | No | An inline policy document |

Example

Resources:
  AdminPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref SSOInstanceArn
      PermissionSetName: !Sub "${AWS::StackName}-admin"
      Description: Administrator access permission set
      # keep administrative sessions short; PT1H is a better default than PT8H
      SessionDuration: PT8H
      ManagedPolicies:
        - arn:aws:iam::aws:policy/AdministratorAccess
      # aws-portal:* are the legacy billing actions; accounts created after the
      # billing permissions migration need the fine-grained billing:* actions instead
      InlinePolicy: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": ["aws-portal:*Billing"],
              "Resource": "*"
            }
          ]
        }

Attributes

AttributeDescription
PermissionSetArnThe ARN of the permission set

AWS::SSO::AccountAssignment

Assigns access to a principal in a specific AWS account using a permission set.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| InstanceArn | String | Yes | The ARN of the IAM Identity Center (SSO) instance |
| PermissionSetArn | String | Yes | The ARN of the permission set |
| PrincipalId | String | Yes | The identity store ID of the user or group |
| PrincipalType | String | Yes | USER or GROUP |
| TargetId | String | Yes | The AWS account ID |
| TargetType | String | Yes | AWS_ACCOUNT |

Example

Resources:
  AdminPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref SSOInstanceArn
      PermissionSetName: !Sub "${AWS::StackName}-admin"
      ManagedPolicies:
        - arn:aws:iam::aws:policy/AdministratorAccess

  AdminAssignment:
    Type: AWS::SSO::AccountAssignment
    Properties:
      InstanceArn: !Ref SSOInstanceArn
      # the ARN is a GetAtt attribute; !Ref AdminPermissionSet.PermissionSetArn is not valid syntax
      PermissionSetArn: !GetAtt AdminPermissionSet.PermissionSetArn
      PrincipalId: !Ref AdminGroupId
      PrincipalType: GROUP
      TargetId: !Ref TargetAccountId
      TargetType: AWS_ACCOUNT

AWS::IAM::ServiceLinkedRole

Creates an IAM service-linked role for an AWS service.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| AWSServiceName | String | Yes | The service principal the role is created for (for example autoscaling.amazonaws.com) |
| Description | String | No | A description of the role |
| CustomSuffix | String | No | A suffix appended to the role name; only some services accept one |

The trust policy and permissions of a service-linked role are defined by the service and cannot be changed; the resource has no SupportedServices or policy properties.

Example

Resources:
  AutoScalingServiceRole:
    Type: AWS::IAM::ServiceLinkedRole
    Properties:
      AWSServiceName: autoscaling.amazonaws.com
      Description: Service-linked role for Auto Scaling
      # A suffix lets several Auto Scaling service-linked roles coexist. Without
      # one, creation fails if the service's default role already exists in the account.
      CustomSuffix: auto-scaling

AWS::IAM::SAMLProvider

Creates an IAM SAML identity provider.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| SAMLMetadataDocument | String | Yes | The identity provider's XML metadata document |
| Name | String | No | The name of the SAML provider |

Example

Resources:
  SAMLProvider:
    Type: AWS::IAM::SAMLProvider
    Properties:
      Name: !Sub "${AWS::StackName}-saml"
      SAMLMetadataDocument: !Ref MetadataDocument

Attributes

AttributeDescription
ArnThe ARN of the SAML provider

AWS::IAM::OIDCProvider

Creates an IAM OpenID Connect provider.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| Url | String | Yes | The provider's issuer URL, including https:// |
| ClientIdList | List of String | No | Audiences (aud claim values) accepted from the provider, for example sts.amazonaws.com for GitHub Actions |
| ThumbprintList | List of String | No | Server certificate thumbprints; IAM now validates the provider's TLS certificate chain against trusted root CAs, so for providers signed by such a CA the list is no longer used for verification |
| Tags | List of Tag | No | Tags to attach |

Example

Resources:
  OIDCProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: !Sub "https://${OidcProviderEndpoint}"
      ClientIdList:
        - !Ref ClientId
      ThumbprintList:
        - !Ref Thumbprint
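The provider only establishes that a token was issued by the IdP; the role's trust policy decides who may use it. Without a condition on the token's sub claim, every identity the IdP serves (for GitHub, every repository on github.com) can assume the role, because all of them pass the audience check. The following template is an added example, not part of the original reference, pairing an AWS::IAM::OIDCProvider for GitHub Actions with a role assumable only from one repository's main branch. GitHubOrg, GitHubRepo and DeployBucket are placeholder parameters.

```yaml
# Added example (not from the original reference). Placeholders: GitHubOrg,
# GitHubRepo, DeployBucket.
Parameters:
  GitHubOrg:
    Type: String
    Default: example-org
  GitHubRepo:
    Type: String
    Default: example-repo
  DeployBucket:
    Type: String

Resources:
  GitHubOidcProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - sts.amazonaws.com
      # ThumbprintList omitted: IAM validates the provider's certificate chain
      # against trusted root CAs; a value is still accepted if your tooling sets one.

  DeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-github-deploy"
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !GetAtt GitHubOidcProvider.Arn
            # web identity federation uses AssumeRoleWithWebIdentity, not AssumeRole
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                # the audience the workflow requested; must match ClientIdList
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
              StringLike:
                # WITHOUT this key any GitHub repository could assume the role,
                # since every GitHub-issued token satisfies the aud check above.
                # Pin to one repository and branch; widen with care (e.g. ref:refs/tags/*).
                token.actions.githubusercontent.com:sub: !Sub "repo:${GitHubOrg}/${GitHubRepo}:ref:refs/heads/main"
      Policies:
        - PolicyName: deploy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:ListBucket
                Resource:
                  - !Sub "arn:aws:s3:::${DeployBucket}"
                  - !Sub "arn:aws:s3:::${DeployBucket}/*"
```

The condition key prefix is the provider host name without the scheme. A wildcard such as repo:example-org/* in the sub condition trusts every repository in the organisation, including forks that an external contributor can create a workflow in, so scope it as narrowly as the deployment allows.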

Condition Keys Reference

AWS-Specific Condition Keys

| Condition key | Type | Description |
|---|---|---|
| aws:SourceIp | IP address | Public source IP of the requester; not set for requests that arrive through a VPC endpoint (use aws:VpcSourceIp or aws:SourceVpce there) |
| aws:RequestedRegion | String | Region the request targets |
| aws:ResourceTag/tag-key | String | Tag value on the resource |
| aws:PrincipalTag/tag-key | String | Tag value on the calling principal |
| aws:MultiFactorAuthPresent | Boolean | True when the session was obtained with MFA; absent from requests signed with long-term access keys, so a Deny must test it with BoolIfExists |
| aws:MultiFactorAuthAge | Numeric | Seconds since MFA was used for the session |
| aws:EpochTime | Numeric | Request time as Unix epoch seconds |
| aws:CurrentTime | Date | Request time in ISO 8601 |
| aws:SecureTransport | Boolean | True when the request used TLS |

S3-Specific Condition Keys

| Condition key | Type | Description |
|---|---|---|
| s3:prefix | String | Prefix requested in ListBucket |
| s3:delimiter | String | Delimiter requested in ListBucket |
| s3:x-amz-server-side-encryption | String | Server-side encryption algorithm requested (AES256 or aws:kms) |
| s3:x-amz-acl | String | Canned ACL requested on the object or bucket |
| s3:ExistingObjectTag/tag-key | String | Tag on an existing object |
| s3:RequestObjectTag/tag-key | String | Tag on an object being uploaded |

DynamoDB-Specific Condition Keys

| Condition key | Type | Description |
|---|---|---|
| dynamodb:LeadingKeys | String | Partition key values the request may touch (item-level access) |
| dynamodb:Select | String | The Select parameter (ALL_ATTRIBUTES, SPECIFIC_ATTRIBUTES, ...) |
| dynamodb:Attributes | List | Attribute names read or written (attribute-level access) |
| dynamodb:ReturnValues | String | The ReturnValues parameter of a write |
| dynamodb:ReturnConsumedCapacity | String | The ReturnConsumedCapacity parameter |

DynamoDB has no dynamodb:TableName or dynamodb:QueryFilter condition key; restrict by table through the Resource ARN.

IAM-Specific Condition Keys

| Condition key | Type | Description |
|---|---|---|
| iam:ResourceTag/tag-key | String | Tag on the IAM resource |
| iam:PermissionsBoundary | String | ARN of the boundary named in a CreateRole, CreateUser, or Put*PermissionsBoundary request |
| iam:PolicyARN | String | ARN of the managed policy in an attach or detach request |
| iam:AWSServiceName | String | Service a service-linked role is being created for |
| iam:PassedToService | String | Service the role is passed to with iam:PassRole |
| sts:ExternalId | String | External ID supplied on AssumeRole |
| sts:SourceIdentity | String | Source identity set on the session |

Tags on the caller are tested with aws:PrincipalTag/tag-key (there is no iam:PrincipalTag key).

KMS-Specific Condition Keys

| Condition key | Type | Description |
|---|---|---|
| kms:EncryptionContext:context-key | String | Value of one encryption context pair in the request |
| kms:ViaService | String | Service allowed to use the key on the caller's behalf, for example s3.eu-west-1.amazonaws.com |
| kms:GrantConstraintType | String | Constraint type in a CreateGrant request |
| kms:GrantOperations | List | Operations allowed by the grant |
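The template below is an added example (not from the original reference) that exercises several of the keys above in one managed policy and one bucket policy. It also shows the mistake that most often defeats an MFA requirement: a Deny that tests aws:MultiFactorAuthPresent with Bool instead of BoolIfExists silently exempts requests signed with long-term access keys, because the key is absent from those requests. KmsKeyArn and DataBucket are assumed parameters.

```yaml
# Added example (not from the original reference). Assumed parameters:
# KmsKeyArn (a KMS key ARN) and DataBucket (an existing bucket name).
Parameters:
  KmsKeyArn:
    Type: String
  DataBucket:
    Type: String

Resources:
  ConditionedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "${AWS::StackName}-conditioned"
      PolicyDocument:
        # "2012-10-17" is required for the ${aws:PrincipalTag/...} variable below
        Version: "2012-10-17"
        Statement:
          # Deny everything except MFA self-service unless MFA is present.
          # BoolIfExists, not Bool: a request signed with an access key carries
          # no aws:MultiFactorAuthPresent key at all, and Bool "false" never
          # matches an absent key, so such requests would bypass a plain Bool Deny.
          - Sid: DenyWithoutMFA
            Effect: Deny
            NotAction:
              - iam:ChangePassword
              - iam:GetUser
              - iam:ListMFADevices
              - iam:CreateVirtualMFADevice
              - iam:EnableMFADevice
              - iam:ResyncMFADevice
              - sts:GetSessionToken
            Resource: "*"
            Condition:
              BoolIfExists:
                aws:MultiFactorAuthPresent: "false"
          # ABAC: a principal may start or stop only instances tagged with its own team.
          # This is a plain YAML string, so CloudFormation leaves ${...} alone;
          # inside !Sub it would have to be written ${!aws:PrincipalTag/team}.
          - Sid: TeamScopedInstances
            Effect: Allow
            Action:
              - ec2:StartInstances
              - ec2:StopInstances
            Resource: !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
            Condition:
              StringEquals:
                aws:ResourceTag/team: "${aws:PrincipalTag/team}"
          # The key may be used only through S3 in this Region: a leaked
          # credential cannot call kms:Decrypt directly on exfiltrated ciphertext.
          - Sid: DecryptOnlyViaS3
            Effect: Allow
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey
            Resource: !Ref KmsKeyArn
            Condition:
              StringEquals:
                kms:ViaService: !Sub "s3.${AWS::Region}.amazonaws.com"

  DataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DataBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # aws:SecureTransport is present on every request, so plain Bool is correct here
          - Sid: DenyPlaintextTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub "arn:aws:s3:::${DataBucket}"
              - !Sub "arn:aws:s3:::${DataBucket}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```

The NotAction list in DenyWithoutMFA leaves exactly the calls a user needs to enrol a device and obtain an MFA-backed session with sts:GetSessionToken; everything else is denied until that session exists.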

Intrinsic Functions

Fn::GetAtt

Returns the value of an attribute from a resource.

RoleArn: !GetAtt MyRole.Arn
RoleId: !GetAtt MyRole.RoleId
UserArn: !GetAtt MyUser.Arn

Ref

Returns the value of the specified parameter or resource.

UserName: !Ref MyUser
RoleName: !Ref MyRole

Fn::Sub

Substitutes variables in an input string.

RoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${RoleName}"
PolicyDocument: !Sub |
  {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${BucketName}/*"
    }]
  }

Fn::Join

Concatenates values into a single string.

ResourceArns: !Join
  - ","
  - - !GetAtt Table1.Arn
    - !GetAtt Table2.Arn

Fn::Select

Returns a single object from a list.

FirstRoleArn: !Select [0, !Ref RoleArns]

Condition Functions

# Fn::If
PermissionsBoundary: !If
  - HasBoundary
  - !Ref BoundaryPolicyArn
  - !Ref AWS::NoValue

# Fn::Equals
IsProduction: !Equals [!Ref Environment, production]

# Fn::Not
IsNotDev: !Not [!Equals [!Ref Environment, dev]]

# Fn::And
IsProdAndLarge: !And
  - !Equals [!Ref Environment, production]
  - !Equals [!Ref InstanceSize, large]

# Fn::Or
IsDevOrStaging: !Or
  - !Equals [!Ref Environment, dev]
  - !Equals [!Ref Environment, staging]

Common AWS Managed Policies

Lambda Execution

| Policy ARN | Description |
|---|---|
| arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole | CloudWatch Logs write for Lambda |
| arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole | ENI management for Lambda in a VPC, plus logs |
| arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole | SQS polling for Lambda event sources |
| arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole | Kinesis stream reads for Lambda event sources |

EC2

| Policy ARN | Description |
|---|---|
| arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore | Minimum for the SSM agent (Session Manager, Run Command) |
| arn:aws:iam::aws:policy/AmazonSSMFullAccess | Full SSM access (administrative; not for instances) |
| arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess | EC2 read-only access |
| arn:aws:iam::aws:policy/AmazonEC2FullAccess | Full EC2 access |

S3

| Policy ARN | Description |
|---|---|
| arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess | Read on every bucket in the account |
| arn:aws:iam::aws:policy/AmazonS3FullAccess | Full S3 access, including bucket policies and deletion |

Database

| Policy ARN | Description |
|---|---|
| arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess | DynamoDB read-only |
| arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess | Full DynamoDB |
| arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess | RDS read-only |
| arn:aws:iam::aws:policy/AmazonRDSFullAccess | Full RDS |

Read-Only and Security

| Policy ARN | Description |
|---|---|
| arn:aws:iam::aws:policy/ReadOnlyAccess | Read on every service, including data-plane reads such as s3:GetObject |
| arn:aws:iam::aws:policy/SecurityAudit | Configuration reads for security auditing, without data access |
| arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess | View billing information |

Container

| Policy ARN | Description |
|---|---|
| arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy | ECS task execution (image pull, log delivery) |
| arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy | EKS worker nodes |
| arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy | EKS VPC CNI plugin |
| arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly | ECR image pull |

Limits and Quotas

IAM Limits

| Resource | Default quota |
|---|---|
| Users per account | 5000 |
| Groups per account | 300 |
| Roles per account | 1000 |
| Customer managed policies per account | 1500 |
| Access keys per user | 2 |
| Managed policies attached to a user, group, or role | 10 (adjustable up to 20) |
| Inline policy size, aggregate per user / group / role | 2048 / 5120 / 10240 characters |
| Managed policy size | 6144 characters, whitespace not counted |
| Role session duration | 1 to 12 hours; role chaining is capped at 1 hour |

Policy Document Limits

IAM enforces character-size limits only; it sets no quota on the number of statements, actions, resources, or condition keys in a policy.

| Document | Limit |
|---|---|
| Inline policies on a role | 10240 characters in total |
| Managed policy | 6144 characters, whitespace not counted |
| Role trust policy | 2048 characters |
| Service control policy | 5120 characters, whitespace counted |
| Session policy passed to AssumeRole | 2048 characters (packed size) |

Error Handling

Common Errors

| Error | Cause | Solution |
|---|---|---|
| AccessDenied | The deploying principal lacks the iam: action | Add the required action (often iam:CreateRole, iam:PutRolePolicy, iam:PassRole) to the deployer's policy |
| MalformedPolicyDocument | Invalid policy syntax or a prohibited element (Principal in an identity policy) | Validate the document before deploying |
| ValidationError | Invalid parameter value | Check parameter constraints |
| LimitExceeded | Resource quota reached | Request an increase or remove unused resources |
| NoSuchEntity | Resource not found | Verify the resource name or ARN |
| ServiceFailure | AWS service error | Retry with backoff |

Validation Tools

# Validate template syntax
aws cloudformation validate-template --template-body file://template.yaml
# Lint resource types and properties (unknown types, missing required properties)
cfn-lint template.yaml
# Check a policy document for errors, security warnings, and best-practice findings
aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json
# Simulate a policy against an action before deploying it
aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:GetObject
# Account-level posture: password policy, MFA and access-key counts
aws iam get-account-password-policy
aws iam get-account-summary

Best Practices Reference

Policy Writing

  1. Use least privilege: start from the implicit deny and add only the actions and resources the workload needs
  2. Use wildcards sparingly: prefer explicit actions; a wildcard action together with Resource "*" is full access to that service
  3. Use conditions: restrict by source IP, time, MFA, and tags
  4. Use resource-level restrictions: specify ARNs wherever the action supports them
  5. Use separate policies: smaller policies are easier to audit, reuse, and revoke
  6. Always set Version "2012-10-17": omitting it falls back to 2008-10-17, which does not support policy variables such as ${aws:username}

Role Configuration

  1. Trust relationships: Limit to required principals
  2. Session duration: Set based on use case
  3. Permissions boundary: Prevent privilege escalation
  4. External ID: Use for cross-account access
  5. Conditions: Add IP and MFA requirements
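Item 3 of the list above is the pattern that lets a team create its own roles without being able to escalate. As an added example (not part of the original reference), the template below grants a developer role the right to create roles and attach policies to them, but only for roles that carry DeveloperBoundary, and forbids removing or editing the boundary itself. Whatever a developer attaches to such a role, its effective permissions are the intersection with the boundary's ceiling. The /app/ role path, the account-root trust, and the services in the ceiling are placeholders.

```yaml
# Added example (not from the original reference). Placeholders: the /app/
# role path, the account-root trust policy, and the services in the ceiling.
Resources:
  DeveloperBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "${AWS::StackName}-developer-boundary"
      Description: Ceiling for every role a developer creates
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Nothing a developer-created role does can exceed this statement.
          # iam:* is deliberately absent, so such a role cannot mint further
          # roles or widen its own permissions.
          - Sid: WorkloadCeiling
            Effect: Allow
            Action:
              - s3:*
              - dynamodb:*
              - lambda:*
              - logs:*
              - sqs:*
            Resource: "*"

  DeveloperPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "${AWS::StackName}-developer"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Role creation and policy attachment are allowed ONLY when the request
          # names the boundary. iam:PermissionsBoundary is absent on a request
          # without one, so StringEquals fails and the call is denied.
          - Sid: CreateRolesWithBoundary
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
              - iam:PutRolePolicy
              - iam:DeleteRolePolicy
              - iam:PutRolePermissionsBoundary
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/app/*"
            Condition:
              StringEquals:
                iam:PermissionsBoundary: !Ref DeveloperBoundary
          # Read, delete, tag and pass roles under the same path. PassRole is safe
          # here only because every role in /app/ is created with the boundary;
          # an administrator placing an unbounded role there would break that.
          - Sid: ManageAppRoles
            Effect: Allow
            Action:
              - iam:GetRole
              - iam:ListRoles
              - iam:ListAttachedRolePolicies
              - iam:DeleteRole
              - iam:UpdateRole
              - iam:TagRole
              - iam:PassRole
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/app/*"
          # The boundary must be neither removable from a role ...
          - Sid: ProtectBoundary
            Effect: Deny
            Action: iam:DeleteRolePermissionsBoundary
            Resource: "*"
          # ... nor editable as a policy by the same principal.
          - Sid: ProtectBoundaryPolicy
            Effect: Deny
            Action:
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:SetDefaultPolicyVersion
            Resource: !Ref DeveloperBoundary

  DeveloperRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-developer"
      ManagedPolicyArns:
        - !Ref DeveloperPolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: sts:AssumeRole
```

Ref on an AWS::IAM::ManagedPolicy returns its ARN, which is what both the iam:PermissionsBoundary condition and the PermissionsBoundary property of a created role expect. The developer role itself is not placed under the boundary, because the boundary's ceiling contains no iam: actions and would block the delegated role creation it is meant to enable.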

Security Recommendations

  1. Enable MFA for all users
  2. Rotate access keys regularly
  3. Use roles instead of long-term credentials
  4. Delete unused users and access keys
  5. Review policies quarterly
  6. Use CloudTrail for audit logging
  7. Enable IAM Access Analyzer
