I'm trying to set up my CI/CD with IAM in a way that only a specific IAM user can Update our Prod CloudFormation stack. But we were confused as to how the Update policy on CloudFormation works.
If I have an IAM user who only has one policy: Update on Prod CloudFormation stack, will he be able to edit/change any resources in this stack even though he doesn't have those specific permissions?
For example, I have an S3 bucket on this stack and I change its name on an Update, will this user be able to do this even though he only has the Update policy?
No.
Ref:
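
The behaviour in the answer, shown as an added example that is not part of the original thread: without a stack service role, CloudFormation changes resources using the calling user's own permissions, so the first statement alone lets the update start but the S3 calls are denied and the stack rolls back. The user name `ci-deployer`, the stack name `Prod` and the bucket prefix `prod-app-` are assumptions.

```yaml
# Added example. ci-deployer, Prod and prod-app-* are assumed names.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ProdStackUpdatePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Users:
        - ci-deployer   # hypothetical CI/CD IAM user
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Lets the user call UpdateStack on the Prod stack only.
          # On its own this authorizes no change to the resources
          # inside the stack.
          - Sid: UpdateProdStackOnly
            Effect: Allow
            Action:
              - cloudformation:UpdateStack
              - cloudformation:DescribeStacks
              - cloudformation:DescribeStackEvents
            Resource: !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/Prod/*"
          # Changing BucketName replaces the bucket: CloudFormation
          # creates the new one and deletes the old one, and both
          # calls are made with the caller's permissions.
          # Scoped to an assumed naming prefix rather than all buckets.
          - Sid: ReplaceProdBuckets
            Effect: Allow
            Action:
              - s3:CreateBucket
              - s3:DeleteBucket
            Resource: !Sub "arn:${AWS::Partition}:s3:::prod-app-*"
```

If the stack has a service role attached, CloudFormation uses that role's permissions for resource changes instead, so the role's policy is what bounds what an Update can do.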