AWS AWSCloudFormation documentation change
Summary
Updated terminology capitalization from 'stack set' to 'StackSet' throughout the document for consistency. Minor grammatical adjustments to improve clarity.
Security assessment
The changes are purely terminological (capitalization of 'StackSet') and grammatical. No new security content was added, and there is no evidence of addressing a specific security vulnerability or weakness. The updates maintain existing security guidance about IAM roles and permissions without altering their substance.
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.md b/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.md index e99a6dbd1..cdd654f30 100644 --- a//AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.md +++ b//AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.md @@ -5 +5 @@ -Self-managed permissions overviewGive all users of the administrator account permissions to manage stacks in all target accountsSet up advanced permissions options for stack set operationsConfused deputy prevention +Self-managed permissions overviewGive all users of the administrator account permissions to manage stacks in all target accountsSet up advanced permissions options for StackSet operationsConfused deputy prevention @@ -9 +9 @@ Self-managed permissions overviewGive all users of the administrator account per -This topic provides instructions on how to create the IAM service roles required by StackSets to deploy across accounts and AWS Regions with _self-managed_ permissions. These roles are necessary to establish a trusted relationship between the account you're administering the stack set from and the account you're deploying stack instances to. Using this permissions model, StackSets can deploy to any AWS account in which you have permissions to create an IAM role. +This topic provides instructions on how to create the IAM service roles required by StackSets to deploy across accounts and AWS Regions with _self-managed_ permissions. These roles are necessary to establish a trusted relationship between the account you're administering the StackSet from and the account you're deploying stack instances to. Using this permissions model, StackSets can deploy to any AWS account in which you have permissions to create an IAM role. @@ -19 +19 @@ To use _service-managed_ permissions, see [Activate trusted access](./stacksets- - * Set up advanced permissions options for stack set operations + * Set up advanced permissions options for StackSet operations @@ -28 +28 @@ To use _service-managed_ permissions, see [Activate trusted access](./stacksets- -Before you create a stack set with self-managed permissions, you must have created IAM service roles in each account. +Before you create a StackSet with self-managed permissions, you must have created IAM service roles in each account. @@ -34 +34 @@ The basic steps are: -Stack sets are created in this administrator account. A _target account_ is the account in which you create individual stacks that belong to a stack set. +StackSets are created in this administrator account. A _target account_ is the account in which you create individual stacks that belong to a StackSet. @@ -36 +36 @@ Stack sets are created in this administrator account. A _target account_ is the - 2. Determine how you want to structure permissions for the stack set. + 2. Determine how you want to structure permissions for the StackSet. @@ -38 +38 @@ Stack sets are created in this administrator account. A _target account_ is the -The simplest (and most permissive) permissions configuration is where you give _all_ users and groups in the administrator account the ability to create and update _all_ the stack sets managed through that account. If you need finer-grained control, you can set up permissions to specify: +The simplest (and most permissive) permissions configuration is where you give _all_ users and groups in the administrator account the ability to create and update _all_ the StackSets managed through that account. If you need finer-grained control, you can set up permissions to specify: @@ -40 +40 @@ The simplest (and most permissive) permissions configuration is where you give _ - * Which users and groups can perform stack set operations in which target accounts. + * Which users and groups can perform StackSet operations in which target accounts. @@ -42 +42 @@ The simplest (and most permissive) permissions configuration is where you give _ - * Which resources users and groups can include in their stack sets. + * Which resources users and groups can include in their StackSets. @@ -44 +44 @@ The simplest (and most permissive) permissions configuration is where you give _ - * Which stack set operations specific users and groups can perform. + * Which StackSet operations specific users and groups can perform. @@ -59 +59 @@ Specifically, the two required roles are: -This section shows you how to set up permissions to allow all users and groups of the administrator account to perform stack set operations in all target accounts. It guides you through creating the required IAM service roles in your administrator and target accounts. Anyone in the administrator account can then create, update, or delete any stacks across any of the target accounts. +This section shows you how to set up permissions to allow all users and groups of the administrator account to perform StackSet operations in all target accounts. It guides you through creating the required IAM service roles in your administrator and target accounts. Anyone in the administrator account can then create, update, or delete any stacks across any of the target accounts. @@ -61 +61 @@ This section shows you how to set up permissions to allow all users and groups o -By structuring permissions in this manner, users don't pass an administration role when creating or updating a stack set. +By structuring permissions in this manner, users don't pass an administration role when creating or updating a StackSet. @@ -63 +63 @@ By structuring permissions in this manner, users don't pass an administration ro - + @@ -133 +133 @@ The following example trust policy grants the service permission to use the admi -For more information, see [Prepare to perform stack set operations in AWS Regions that are disabled by default](./stacksets-opt-in-regions.html). For a list of Region codes, see [Regional endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints) in the _AWS General Reference Guide_. +For more information, see [Prepare to perform StackSet operations in AWS Regions that are disabled by default](./stacksets-opt-in-regions.html). For a list of Region codes, see [Regional endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints) in the _AWS General Reference Guide_. @@ -200 +200 @@ You can configure the trust relationship of an existing target account execution -## Set up advanced permissions options for stack set operations +## Set up advanced permissions options for StackSet operations @@ -202 +202 @@ You can configure the trust relationship of an existing target account execution -If you require finer-grained control over the stack sets that users and groups are creating through a single administrator account, you can use IAM roles to specify: +If you require finer-grained control over the StackSets that users and groups are creating through a single administrator account, you can use IAM roles to specify: @@ -204 +204 @@ If you require finer-grained control over the stack sets that users and groups a - * Which users and groups can perform stack set operations in which target accounts. + * Which users and groups can perform StackSet operations in which target accounts. @@ -206 +206 @@ If you require finer-grained control over the stack sets that users and groups a - * Which resources users and groups can include in their stack sets. + * Which resources users and groups can include in their StackSets. @@ -208 +208 @@ If you require finer-grained control over the stack sets that users and groups a - * Which stack set operations specific users and groups can perform. + * Which StackSet operations specific users and groups can perform. @@ -213 +213 @@ If you require finer-grained control over the stack sets that users and groups a -### Control which users can perform stack set operations in specific target accounts +### Control which users can perform StackSet operations in specific target accounts @@ -215 +215 @@ If you require finer-grained control over the stack sets that users and groups a -Use customized administration roles to control which users and groups can perform stack set operations in which target accounts. You might want to control which users of the administrator account can perform stack set operations in which target accounts. To do this, you create a trust relationship between each target account and a specific customized administration role, rather than creating the **AWSCloudFormationStackSetAdministrationRole** service role in the administrator account itself. You then activate specific users and groups to use the customized administration role when performing stack set operations in a specific target account. +Use customized administration roles to control which users and groups can perform StackSet operations in which target accounts. You might want to control which users of the administrator account can perform StackSet operations in which target accounts. To do this, you create a trust relationship between each target account and a specific customized administration role, rather than creating the **AWSCloudFormationStackSetAdministrationRole** service role in the administrator account itself. You then activate specific users and groups to use the customized administration role when performing StackSet operations in a specific target account. @@ -219 +219 @@ For example, you can create Role A and Role B within your administrator account. - + @@ -221 +221 @@ For example, you can create Role A and Role B within your administrator account. -Setting up the necessary permissions involves defining a customized administration role, creating a service role for the target account, and granting users permission to pass the customized administration role when performing stack set operations. +Setting up the necessary permissions involves defining a customized administration role, creating a service role for the target account, and granting users permission to pass the customized administration role when performing StackSet operations. @@ -223 +223 @@ Setting up the necessary permissions involves defining a customized administrati -In general, here's how it works once you have the necessary permissions in place: When creating a stack set, the user must specify a customized administration role. The user must have permission to pass the role to CloudFormation. In addition, the customized administration role must have a trust relationship with the target accounts specified for the stack set. CloudFormation creates the stack set and associates the customized administration role with it. When updating a stack set, the user must explicitly specify a customized administration role, even if it's the same customized administration role used with this stack set previously. CloudFormation uses that role to update the stack, subject to the requirements above. +In general, here's how it works once you have the necessary permissions in place: When creating a StackSet, the user must specify a customized administration role. The user must have permission to pass the role to CloudFormation. In addition, the customized administration role must have a trust relationship with the target accounts specified for the StackSet. CloudFormation creates the StackSet and associates the customized administration role with it. When updating a StackSet, the user must explicitly specify a customized administration role, even if it's the same customized administration role used with this StackSet previously. CloudFormation uses that role to update the stack, subject to the requirements above. @@ -230 +230 @@ Administrator account -For each stack set, create a customized administration role with permissions to assume the target account execution role. +For each StackSet, create a customized administration role with permissions to assume the target account execution role. @@ -232 +232 @@ For each stack set, create a customized administration role with permissions to -The target account execution role name must be the same in every target account. If the role name is **AWSCloudFormationStackSetExecutionRole** , StackSets uses it automatically when creating a stack set. If you specify a custom role name, users must provide the execution role name when creating a stack set. +The target account execution role name must be the same in every target account. If the role name is **AWSCloudFormationStackSetExecutionRole** , StackSets uses it automatically when creating a StackSet. If you specify a custom role name, users must provide the execution role name when creating a StackSet. @@ -308 +308 @@ The following example trust policy grants the service permission to use the admi -For more information, see [Prepare to perform stack set operations in AWS Regions that are disabled by default](./stacksets-opt-in-regions.html). For a list of Region codes, see [Regional endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints) in the _AWS General Reference Guide_. +For more information, see [Prepare to perform StackSet operations in AWS Regions that are disabled by default](./stacksets-opt-in-regions.html). For a list of Region codes, see [Regional endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints) in the _AWS General Reference Guide_. @@ -312 +312 @@ For more information, see [Prepare to perform stack set operations in AWS Region -You also need an IAM permissions policy for your IAM users that allows the user to pass the customized administration role when performing stack set operations. For more information, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html). +You also need an IAM permissions policy for your IAM users that allows the user to pass the customized administration role when performing StackSet operations. For more information, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html). @@ -338 +338 @@ The target account role requires permissions to perform any operations that are -The target account role name must be the same in every target account. If the role name is **AWSCloudFormationStackSetExecutionRole** , StackSets uses it automatically when creating a stack set. If you specify a custom role name, users must provide the execution role name when creating a stack set. +The target account role name must be the same in every target account. If the role name is **AWSCloudFormationStackSetExecutionRole** , StackSets uses it automatically when creating a StackSet. If you specify a custom role name, users must provide the execution role name when creating a StackSet. @@ -376 +376 @@ You must provide the following trust policy when you create the role to define t -### Control the resources that users can include in specific stack sets +### Control the resources that users can include in specific StackSets @@ -378 +378 @@ You must provide the following trust policy when you create the role to define t -Use customized execution roles to control which stack resources users and groups can include in their stack sets. For example, you might want to set up a group that can only include Amazon S3-related resources in the stack sets they create, while another team can only include DynamoDB resources. To do this, you create a trust relationship between the customized administration role for each group and a customized execution role for each set of resources. The customized execution role defines which stack resources can be included in stack sets. The customized administration role resides in the administrator account, while the customized execution role resides in each target account in which you want to create stack sets using the defined resources. You then activate specific users and groups to use the customized administration role when performing stack set operations. +Use customized execution roles to control which stack resources users and groups can include in their StackSets. For example, you might want to set up a group that can only include Amazon S3-related resources in the StackSets they create, while another team can only include DynamoDB resources. To do this, you create a trust relationship between the customized administration role for each group and a customized execution role for each set of resources. The customized execution role defines which stack resources can be included in StackSets. The customized administration role resides in the administrator account, while the customized execution role resides in each target account in which you want to create StackSets using the defined resources. You then activate specific users and groups to use the customized administration role when performing StackSets operations. @@ -380 +380 @@ Use customized execution roles to control which stack resources users and groups -For example you can create customized administration roles A, B, and C in the administrator account. Users and groups with permission to use Role A can create stack sets containing the stack resources specifically listed in customized execution role X, but not those in roles Y or Z, or resource not included in any execution role. +For example you can create customized administration roles A, B, and C in the administrator account. Users and groups with permission to use Role A can create StackSets containing the stack resources specifically listed in customized execution role X, but not those in roles Y or Z, or resource not included in any execution role. @@ -382 +382 @@ For example you can create customized administration roles A, B, and C in the ad - + @@ -384 +384 @@ For example you can create customized administration roles A, B, and C in the ad -When updating a stack set, the user must explicitly specify a customized administration role, even if it's the same customized administration role used with this stack set previously. CloudFormation performs the update using the customized administration role specified, so long as the user has permissions to perform operations on that stack set. +When updating a StackSet, the user must explicitly specify a customized administration role, even if it's the same customized administration role used with this StackSet previously. CloudFormation performs the update using the customized administration role specified, so long as the user has permissions to perform operations on that StackSet. @@ -386 +386 @@ When updating a stack set, the user must explicitly specify a customized adminis -Similarly, the user can also specify a customized execution role. If they specify a customized execution role, CloudFormation uses that role to update the stack, subject to the requirements above. If the user doesn't specify a customized execution role, CloudFormation performs the update using the customized execution role previously associated with the stack set, so long as the user has permissions to perform operations on that stack set. +Similarly, the user can also specify a customized execution role. If they specify a customized execution role, CloudFormation uses that role to update the stack, subject to the requirements above. If the user doesn't specify a customized execution role, CloudFormation performs the update using the customized execution role previously associated with the StackSet, so long as the user has permissions to perform operations on that StackSet. @@ -391 +391 @@ Administrator account -Create a customized administration role in your administrator account, as detailed in Control which users can perform stack set operations in specific target accounts. Include a trust relationship between the customized administration role and the customized execution roles that you want it to use. +Create a customized administration role in your administrator account, as detailed in Control which users can perform StackSet operations in specific target accounts. Include a trust relationship between the customized administration role and the customized execution roles that you want it to use. @@ -418 +418 @@ Target accounts -In the target accounts in which you want to create your stack sets, create a customized execution role that grants permissions to the services and resources that you want users and groups to be able to include in the stack sets. +In the target accounts in which you want to create your StackSets, create a customized execution role that grants permissions to the services and resources that you want users and groups to be able to include in the StackSets. @@ -422 +422 @@ In the target accounts in which you want to create your stack sets, create a cus -The following example provides the minimum permissions for stack sets, along with permission to create Amazon DynamoDB tables. +The following example provides the minimum permissions for StackSets, along with permission to create Amazon DynamoDB tables. @@ -463 +463 @@ You must provide the following trust policy when you create the role to define t -### Set up permissions for specific stack set operations +### Set up permissions for specific StackSet operations @@ -465 +465 @@ You must provide the following trust policy when you create the role to define t -In addition, you can set up permissions for which user and groups can perform specific stack set operations, such as creating, updating, or deleting stack sets or stack instances. For more information, see [Actions, resources, and condition keys for CloudFormation](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html) in the _Service Authorization Reference_. +In addition, you can set up permissions for which user and groups can perform specific StackSet operations, such as creating, updating, or deleting StackSets or stack instances. For more information, see [Actions, resources, and condition keys for CloudFormation](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html) in the _Service Authorization Reference_.