Announcing Tag-Based Access Control for AWS CloudFormation

Posted on: May 30, 2019

You can now control access to CloudFormation stacks and resources based on tag values.

CloudFormation allows you to model and provision cloud resources as code in a safe, predictable, and consistent manner. CloudFormation stacks are groups of AWS resources. With tag-based access control, you can define and control access to CloudFormation-managed resources more easily and at a finer granularity. For example, you can now deny certain users deletion or update privileges on stacks with a "production" tag value, while allowing changes to stacks with a "development" tag value.

To get started, you can create or modify AWS Identity and Access Management (IAM) policies to control access based on tags. To learn more, see the documentation on tag-based access control. You can also add or change tags on stacks using the console or the AWS CLI, via the CreateStack and UpdateStack actions. More information is available in the stack options documentation.
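The policy shape the announcement describes, as an added example that is not AWS's own code: an IAM policy that uses the `aws:ResourceTag/<key>` condition key to deny `cloudformation:DeleteStack` and `cloudformation:UpdateStack` on stacks tagged `Environment=production`, next to a variant that denies unless the stack is tagged `Environment=development`. The small evaluator underneath is an assumption for illustration only, a deliberately simplified model of IAM evaluation (an explicit Deny beats any Allow; `StringEquals` does not match when the tag is absent; `StringNotEquals` does match when the tag is absent), so the two deny styles can be compared offline against constructed stack ARNs and tag sets.

```python
"""Added example (not AWS's code): tag-based IAM policies for CloudFormation
stacks plus a simplified, offline model of how IAM evaluates them."""
import fnmatch
import json

# Policy 1: deny destructive stack actions only when the stack carries the
# "production" tag value. Note: a stack with no Environment tag is NOT
# covered by this Deny, because StringEquals fails on a missing key.
POLICY_DENY_PRODUCTION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowStackOperations", "Effect": "Allow",
         "Action": "cloudformation:*", "Resource": "*"},
        {"Sid": "DenyChangesToProductionStacks", "Effect": "Deny",
         "Action": ["cloudformation:DeleteStack", "cloudformation:UpdateStack"],
         "Resource": "arn:aws:cloudformation:*:*:stack/*/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "production"}}},
    ],
}

# Policy 2: deny unless the stack is explicitly tagged "development".
# StringNotEquals also matches when the tag is missing, so untagged stacks
# are protected as well (the safer default for a Deny statement).
POLICY_ALLOW_ONLY_DEVELOPMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowStackOperations", "Effect": "Allow",
         "Action": "cloudformation:*", "Resource": "*"},
        {"Sid": "DenyUnlessDevelopment", "Effect": "Deny",
         "Action": ["cloudformation:DeleteStack", "cloudformation:UpdateStack"],
         "Resource": "arn:aws:cloudformation:*:*:stack/*/*",
         "Condition": {"StringNotEquals": {"aws:ResourceTag/Environment": "development"}}},
    ],
}

# Constructed sample ARN; account id and stack id are placeholders.
STACK_ARN = "arn:aws:cloudformation:us-east-1:123456789012:stack/web-app/STACK-ID-PLACEHOLDER"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, resource_tags):
    """Evaluate a Condition block limited to aws:ResourceTag/<key> (model only)."""
    prefix = "aws:ResourceTag/"
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if not key.startswith(prefix):
                raise ValueError(f"condition key not supported by this model: {key}")
            actual = resource_tags.get(key[len(prefix):])  # None when the tag is absent
            if operator == "StringEquals":
                if actual != expected:          # absent tag -> no match
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:          # absent tag -> match
                    return False
            else:
                raise ValueError(f"operator not supported by this model: {operator}")
    return True


def is_allowed(policy, action, resource_arn, resource_tags):
    """Simplified IAM decision: a matching Deny always wins; otherwise the
    request is allowed only if at least one Allow statement matches."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(POLICY_DENY_PRODUCTION, indent=2))
    for name, policy in (("deny-production", POLICY_DENY_PRODUCTION),
                         ("allow-only-development", POLICY_ALLOW_ONLY_DEVELOPMENT)):
        for tags in ({"Environment": "production"}, {"Environment": "development"}, {}):
            verdict = is_allowed(policy, "cloudformation:DeleteStack", STACK_ARN, tags)
            print(f"{name:24} tags={tags or '(none)'!s:32} DeleteStack allowed={verdict}")
```

Running the block shows the difference a practitioner should check before trusting a tag-based deny: with the `StringEquals` form, a stack that was never tagged is still deletable, while the `StringNotEquals` form blocks everything that is not explicitly marked `development`. Because tags on a stack are changed through `UpdateStack`, including that action in the Deny also prevents a user from simply retagging a protected stack; either policy document can be attached with the usual IAM tooling after validation against the real service.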