Posted On: Oct 6, 2016

AWS CloudFormation can now assume a service role that determines what it is allowed to do with your stack. A service role is an AWS Identity and Access Management (IAM) role whose permissions decide which AWS resources CloudFormation can create, update, or delete; for example, you could create a service role that only allows CloudFormation to act on Amazon EC2. Previously, CloudFormation acted with the permissions of the user credentials used to call it, so the caller needed every permission the stack required. With service roles, you can grant CloudFormation granular permissions that differ across AWS accounts or IAM users. To get started, specify a service role when creating, updating, or deleting a stack. The caller also needs iam:PassRole permission for that role; scope that permission to the specific role ARN, because a user who may pass any role to CloudFormation can act with the most privileged role in the account. Learn more about this feature in the documentation.
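The following template is an added example, not part of this announcement or of AWS's own samples. It creates an EC2-only service role trusted by the CloudFormation service together with the operator policy that grants stack operations plus iam:PassRole restricted to that single role. The role and policy names are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: an EC2-only CloudFormation service role and the operator
  policy needed to pass it. Role and policy names are placeholders.

Resources:
  # Service role that CloudFormation assumes when operating on a stack.
  # The trust policy limits who may assume it to the CloudFormation service.
  CfnEc2OnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CfnEc2OnlyRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: Ec2Only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # CloudFormation can touch EC2 and nothing else; a template
              # that declares an S3 bucket or IAM user will fail with this role.
              - Effect: Allow
                Action: ec2:*
                Resource: "*"

  # Policy for stack operators: they may drive stacks, but may hand
  # CloudFormation only this one role, and only to CloudFormation
  # (not, for example, to EC2 or Lambda).
  StackOperatorPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: StackOperator
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
            Resource: "*"
          - Effect: Allow
            Action: iam:PassRole
            Resource: !GetAtt CfnEc2OnlyRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com

Outputs:
  ServiceRoleArn:
    Description: Pass this ARN as --role-arn when creating, updating or deleting a stack
    Value: !GetAtt CfnEc2OnlyRole.Arn
```

An operator with the StackOperator policy attached then runs, for example, `aws cloudformation create-stack --stack-name web --template-body file://web.yaml --role-arn <ServiceRoleArn>`. Keep the role's policy to what the stacks it serves actually need: CloudFormation keeps the role associated with the stack for later operations, so anyone who can update or delete that stack effectively acts with the role's permissions even if they could not pass the role themselves.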

CloudFormation has also added the ability to namespace your exports for cross-stack references. You can now use the Fn::Join, Fn::Sub and Ref functions to construct export names and Fn::ImportValue arguments dynamically, for example by prefixing every export with the exporting stack's name so that several copies of the same template (dev, staging, production) can coexist in one account and region without export-name collisions.
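As an added example (not from the announcement), a network stack below exports its VPC and security group IDs under names prefixed with the stack name, and an application stack imports them by passing the network stack's name as a parameter. Resource names, the CIDR block and the default stack name are placeholders.

```yaml
# network.yaml (added example; names are placeholders)
AWSTemplateFormatVersion: "2010-09-09"
Description: Network stack whose exports are namespaced by stack name.

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application tier
      VpcId: !Ref Vpc

Outputs:
  VpcId:
    Value: !Ref Vpc
    Export:
      # Becomes e.g. net-prod-VpcId; a second copy deployed as
      # net-dev exports net-dev-VpcId, so the two do not collide.
      Name: !Sub "${AWS::StackName}-VpcId"
  AppSecurityGroupId:
    Value: !GetAtt AppSecurityGroup.GroupId
    Export:
      Name: !Sub "${AWS::StackName}-AppSgId"

---
# app.yaml (added example; names are placeholders)
AWSTemplateFormatVersion: "2010-09-09"
Description: Application stack that imports from a named network stack.

Parameters:
  NetworkStackName:
    Type: String
    Default: net-prod
    Description: Name of the network stack whose exports to import

Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier, admits HTTPS only from the application tier
      # The import name is built at deploy time from the parameter, so the
      # same template targets net-dev or net-prod without editing.
      VpcId:
        Fn::ImportValue: !Sub "${NetworkStackName}-VpcId"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId:
            Fn::ImportValue: !Sub "${NetworkStackName}-AppSgId"
```

Two caveats: export names must be unique within an account and region, and an export name may reference parameters and pseudo parameters such as AWS::StackName but not attributes of resources in the same template. CloudFormation also refuses to delete a stack, or to remove an export, while another stack still imports it, which makes the import a useful guard against accidentally tearing down shared network infrastructure.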

CloudFormation has also added new resource support. You can now provision the following with CloudFormation:

  • Amazon API Gateway usage plans: Configure a usage plan with API Gateway to allow specified customers access to selected APIs at agreed-upon request rates and quotas

CloudFormation has also updated support for several existing resources:

  • Amazon API Gateway
    o Use Amazon Cognito user pools as API authorizers with the ProviderARNs property
    o Specify the update behavior of APIs with the Mode property
    o You no longer need to specify a StageName property when you create an API Gateway deployment
  • Elastic Load Balancing
    o Use the GetAtt function to retrieve ARNs of load balancers that route traffic to the ELB target group
  • Amazon Relational Database Service (RDS)
    o Use Windows Authentication when users connect to an RDS instance, with the Domain and DomainIAMRoleName properties
  • Amazon EC2 Security Group Ingress/Egress Rules
    o Specify the AWS service prefix of an Amazon VPC endpoint

Please visit our website for more information on AWS CloudFormation.