AWS::IAM::Policy for any user


Is there any way to attach some policy for any user in CloudFormation? When you create a stack via the AWS JS SDK you can pass a stack policy document with Principal as "*". But if you create an AWS::IAM::Policy inside a CloudFormation template, you must provide a Role, User or Group, and "*" doesn't work. Or how can I attach a policy document to a nested stack?


Nested CloudFormation stacks use the same stack policy document as the parent stack, which you specify in the AWS Console or via the API when creating/updating a stack (e.g., using the AWS SDK for JS, as you mentioned). As documented, for stack policy documents the Principal element is required, but supports only the wildcard (*).

You can further restrict actions on nested stacks by adding statements with a Condition where ResourceType equals AWS::CloudFormation::Stack, as outlined in the Prevent Updates to Nested Stacks example in the documentation:

{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "ResourceType" : ["AWS::CloudFormation::Stack"]
        }
      }
    },
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}

The AWS::IAM::Policy resource is unrelated to the specific use-case of specifying a policy for a nested stack, but for reference, AWS::IAM::Policy creates a Policy that you attach to Users or Groups, which do not allow the Principal element to be specified, as outlined in the documentation:

Do not use the Principal element in policies that you attach to IAM users and groups. Similarly, you do not specify a principal in the access policy for an IAM role. In those cases, the principal is implicitly the user that the policy is attached to (for IAM users) or the user who assumes the role (for role access policies). When the policy is attached to an IAM group, the principal is the IAM user in that group who is making the request.


What I do is a trust relationship policy to the same (or a different) account. It says root, but it is actually applied to the whole account:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123ACCNO4567:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
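Both answers above are policy documents whose effect is easiest to see by evaluating them against concrete requests. The following JavaScript is an added example, not code from the question or from either answer: a small evaluator implementing the IAM-style decision rules (an explicit Deny wins, otherwise some Allow must match, otherwise Deny) for Action, Principal, Resource and the Condition operators the two documents use. It checks the first answer's stack policy against a nested-stack update and a plain resource update, and the second answer's trust policy against callers inside and outside the trusted account, with and without MFA. The account placeholder 123ACCNO4567 is kept from the second answer; the logical IDs, caller ARNs and every function name are assumptions made for the example, and nothing here calls AWS.

```javascript
// Added example: minimal evaluator for the two policy documents on this page.
// Rules modelled: explicit Deny wins; otherwise an Allow must match; otherwise
// Deny (a stack policy protects every resource not explicitly allowed).
// NotAction / NotResource are not modelled. Nothing here talks to AWS.

function asList(x) {
  return Array.isArray(x) ? x : [x];
}

// Glob-style match where '*' stands for any run of characters.
function matchWildcard(pattern, value) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`).test(value);
}

// The account id is the fifth colon-separated field of an ARN.
function accountOf(arn) {
  return arn.split(':')[4];
}

// '*' matches anyone. An account root ARN matches every principal of that
// account, which is why "root" in a trust policy applies to the whole account.
function principalMatches(statementPrincipal, caller) {
  if (statementPrincipal === '*') return true;
  return asList(statementPrincipal.AWS).some(
    (p) => p === '*' || p === caller.arn || (p.endsWith(':root') && accountOf(p) === caller.account),
  );
}

// Supports the operators used on this page plus StringLike; every key must match.
function conditionMatches(condition, context) {
  if (!condition) return true;
  for (const [operator, pairs] of Object.entries(condition)) {
    for (const [key, expected] of Object.entries(pairs)) {
      const actual = context[key];
      const wanted = asList(expected);
      let ok;
      if (operator === 'StringEquals') ok = wanted.includes(actual);
      else if (operator === 'StringLike') ok = wanted.some((w) => matchWildcard(w, actual));
      else if (operator === 'Bool') ok = String(actual) === String(wanted[0]);
      else throw new Error(`unsupported condition operator ${operator}`);
      if (!ok) return false;
    }
  }
  return true;
}

// request = { action, resource, principal: { arn, account }, context: {...} }
function evaluate(policy, request) {
  let allowed = false;
  for (const s of policy.Statement) {
    if (!asList(s.Action).some((a) => matchWildcard(a, request.action))) continue;
    if (!asList(s.Resource ?? '*').some((r) => matchWildcard(r, request.resource))) continue;
    if (!principalMatches(s.Principal, request.principal)) continue;
    if (!conditionMatches(s.Condition, request.context)) continue;
    if (s.Effect === 'Deny') return 'Deny'; // an explicit deny cannot be overridden
    if (s.Effect === 'Allow') allowed = true;
  }
  return allowed ? 'Allow' : 'Deny';
}

// Stack policies require Principal and accept only "*" (see the first answer).
function validateStackPolicy(policy) {
  for (const s of policy.Statement) {
    if (s.Principal !== '*') throw new Error('stack policy statements require Principal "*"');
  }
}

// Stack policy from the first answer: deny updates to nested stacks, allow the rest.
const STACK_POLICY = {
  Statement: [
    { Effect: 'Deny', Action: 'Update:*', Principal: '*', Resource: '*',
      Condition: { StringEquals: { ResourceType: ['AWS::CloudFormation::Stack'] } } },
    { Effect: 'Allow', Action: 'Update:*', Principal: '*', Resource: '*' },
  ],
};

// Trust policy from the second answer; 123ACCNO4567 is its placeholder account id.
const TRUST_POLICY = {
  Statement: [
    { Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::123ACCNO4567:root' },
      Action: 'sts:AssumeRole', Condition: { Bool: { 'aws:MultiFactorAuthPresent': 'true' } } },
  ],
};

// Would an update touching resource `logicalId` of type `resourceType` go through?
function stackUpdateDecision(logicalId, resourceType, action = 'Update:Modify') {
  validateStackPolicy(STACK_POLICY);
  return evaluate(STACK_POLICY, {
    action,
    resource: `LogicalResourceId/${logicalId}`,
    principal: { arn: '*', account: '' },
    context: { ResourceType: resourceType },
  });
}

// Can the caller assume the role, given whether its session carries MFA?
function assumeRoleDecision(callerArn, mfaPresent) {
  return evaluate(TRUST_POLICY, {
    action: 'sts:AssumeRole',
    resource: '*',
    principal: { arn: callerArn, account: accountOf(callerArn) },
    context: { 'aws:MultiFactorAuthPresent': mfaPresent },
  });
}

// Constructed scenarios (logical ids and caller ARNs are made up for the example).
console.log(stackUpdateDecision('ChildStack', 'AWS::CloudFormation::Stack')); // Deny
console.log(assumeRoleDecision('arn:aws:iam::123ACCNO4567:user/alice', false)); // Deny
```

The evaluator models only the policy documents shown on the page. Two practical caveats follow from it: a stack policy with an Allow statement but no Deny still blocks every resource the Allow does not name, so the Allow-all second statement in the first answer is what keeps ordinary updates working; and trusting an account root, as in the second answer, delegates the decision to that account's own IAM, so a user there must additionally carry an identity-based policy that allows sts:AssumeRole on the role before the assumption succeeds.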