```yaml
AWSTemplateFormatVersion: '2010-09-09'
Metadata:
  License: Apache-2.0
Description: 'AWS CloudFormation Sample Template IAM_Users_Groups_and_Policies: Sample
  template showing how to create IAM users, groups and policies. It creates a single
  user that is a member of a users group and an admin group. The groups each have
  different IAM policies associated with them. Note: This example also creates an
  AWSAccessKeyId/AWSSecretKey pair associated with the new user. The example is somewhat
  contrived since it creates all of the users and groups; typically you would be creating
  policies, users and/or groups that contain references to existing users or groups
  in your environment. Note that you will need to specify the CAPABILITY_IAM flag
  when you create the stack to allow this template to execute. You can do this through
  the AWS management console by clicking on the check box acknowledging that you understand
  this template creates IAM resources, or by specifying the CAPABILITY_IAM flag to
  the cfn-create-stack command line tool or CreateStack API call.'
Parameters:
  Password:
    # NoEcho masks the parameter value in the console and in DescribeStacks
    # responses. MinLength 1 means password strength is left entirely to the
    # account password policy.
    NoEcho: 'true'
    Type: String
    Description: New account password
    MinLength: '1'
    MaxLength: '41'
    ConstraintDescription: the password must be between 1 and 41 characters
Resources:
  CFNUser:
    Type: AWS::IAM::User
    Properties:
      LoginProfile:
        Password: !Ref 'Password'
  CFNUserGroup:
    Type: AWS::IAM::Group
  CFNAdminGroup:
    Type: AWS::IAM::Group
  Users:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref 'CFNUserGroup'
      Users: [!Ref 'CFNUser']
  Admins:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref 'CFNAdminGroup'
      Users: [!Ref 'CFNUser']
  CFNUserPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CFNUsers
      # Read-only CloudFormation access. Note that cloudformation:Describe*
      # includes DescribeStacks, which returns stack Outputs (see below).
      # The PolicyDocument has no Version element, so IAM evaluates it under
      # the 2008-10-17 policy language; add Version: '2012-10-17' if you need
      # policy variables.
      PolicyDocument:
        Statement:
        - Effect: Allow
          Action: ['cloudformation:Describe*', 'cloudformation:List*', 'cloudformation:Get*']
          Resource: '*'
      Groups: [!Ref 'CFNUserGroup']
  CFNAdminPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CFNAdmins
      PolicyDocument:
        Statement:
        - Effect: Allow
          Action: cloudformation:*
          Resource: '*'
      Groups: [!Ref 'CFNAdminGroup']
  CFNKeys:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref 'CFNUser'
Outputs:
  AccessKey:
    Value: !Ref 'CFNKeys'
    Description: AWSAccessKeyId of new user
  # Stack Outputs are not masked by NoEcho and are returned to any principal
  # allowed cloudformation:DescribeStacks, so emitting the secret key here
  # exposes it well beyond the person who created the stack. Retrieve it
  # once and rotate, or avoid creating long-lived access keys in templates.
  SecretKey:
    Value: !GetAtt [CFNKeys, SecretAccessKey]
    Description: AWSSecretAccessKey of new user
```
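The template above emits the new user's SecretAccessKey as a stack output, and the same template grants cloudformation:Describe* (which covers DescribeStacks) to the users group, so anyone in that group can read the secret from the stack. The following is an added example, not part of the AWS sample, that lints a parsed CloudFormation template for exactly these patterns using only the Python standard library. The embedded template is the page's YAML rewritten in CloudFormation's JSON form (same resources and outputs; constructed here so the check runs offline without a YAML library). Function names and the JSON rendering are this example's own.

```python
"""Lint a CloudFormation template for IAM credential exposure (added example).

Flags three things a reviewer would question in the IAM_Users_Groups_and_Policies
sample: a SecretAccessKey emitted as a stack Output, policies whose Allow
statements can read stack Outputs (DescribeStacks), and PolicyDocuments with
no Version element.
"""
import fnmatch
import json

# Constructed input: the sample template in CloudFormation's JSON form. Same
# resources and outputs as the YAML on the page; JSON avoids !Ref/!GetAtt tags.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "Password": {"NoEcho": "true", "Type": "String", "MinLength": "1", "MaxLength": "41"}
  },
  "Resources": {
    "CFNUser": {"Type": "AWS::IAM::User",
                "Properties": {"LoginProfile": {"Password": {"Ref": "Password"}}}},
    "CFNUserGroup": {"Type": "AWS::IAM::Group"},
    "CFNAdminGroup": {"Type": "AWS::IAM::Group"},
    "CFNUserPolicies": {"Type": "AWS::IAM::Policy",
      "Properties": {"PolicyName": "CFNUsers",
        "PolicyDocument": {"Statement": [{"Effect": "Allow",
          "Action": ["cloudformation:Describe*", "cloudformation:List*", "cloudformation:Get*"],
          "Resource": "*"}]},
        "Groups": [{"Ref": "CFNUserGroup"}]}},
    "CFNAdminPolicies": {"Type": "AWS::IAM::Policy",
      "Properties": {"PolicyName": "CFNAdmins",
        "PolicyDocument": {"Statement": [{"Effect": "Allow",
          "Action": "cloudformation:*", "Resource": "*"}]},
        "Groups": [{"Ref": "CFNAdminGroup"}]}},
    "CFNKeys": {"Type": "AWS::IAM::AccessKey",
                "Properties": {"UserName": {"Ref": "CFNUser"}}}
  },
  "Outputs": {
    "AccessKey": {"Value": {"Ref": "CFNKeys"}},
    "SecretKey": {"Value": {"Fn::GetAtt": ["CFNKeys", "SecretAccessKey"]}}
  }
}
""")

POLICY_TYPES = ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy")


def _statements(resource):
    """Yield Allow statements of an IAM policy resource (Statement may be a dict or list)."""
    stmts = resource.get("Properties", {}).get("PolicyDocument", {}).get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [s for s in stmts if s.get("Effect") == "Allow"]


def find_secret_outputs(template):
    """Names of Outputs whose value is the SecretAccessKey of an AWS::IAM::AccessKey.

    Outputs are not masked by NoEcho, so this is a plaintext secret in DescribeStacks.
    """
    resources = template.get("Resources", {})
    exposed = []
    for name, output in template.get("Outputs", {}).items():
        value = output.get("Value")
        if not isinstance(value, dict) or "Fn::GetAtt" not in value:
            continue
        target = value["Fn::GetAtt"]
        if isinstance(target, str):          # "Logical.Attribute" short form
            target = target.split(".", 1)
        if len(target) != 2:
            continue
        logical_id, attr = target
        if (resources.get(logical_id, {}).get("Type") == "AWS::IAM::AccessKey"
                and attr == "SecretAccessKey"):
            exposed.append(name)
    return exposed


def policies_that_can_read_outputs(template):
    """Logical IDs of policies allowing cloudformation:DescribeStacks.

    IAM action names are case-insensitive and accept '*' wildcards; fnmatch on
    lower-cased strings reproduces that matching.
    """
    target = "cloudformation:describestacks"
    hits = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in POLICY_TYPES:
            continue
        for stmt in _statements(res):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if any(fnmatch.fnmatchcase(target, a.lower()) for a in actions):
                hits.append(name)
                break
    return sorted(hits)


def find_unversioned_policies(template):
    """Logical IDs of policies whose PolicyDocument lacks "Version": "2012-10-17"."""
    return sorted(name for name, res in template.get("Resources", {}).items()
                  if res.get("Type") in POLICY_TYPES
                  and "Version" not in res.get("Properties", {}).get("PolicyDocument", {}))


if __name__ == "__main__":
    print("secret outputs:", find_secret_outputs(SAMPLE_TEMPLATE))
    print("can read outputs:", policies_that_can_read_outputs(SAMPLE_TEMPLATE))
    print("unversioned policies:", find_unversioned_policies(SAMPLE_TEMPLATE))
```

Run against the sample, the lint reports that the `SecretKey` output leaks the access key's secret and that both `CFNUsers` and `CFNAdmins` can call DescribeStacks to read it; in the sample the single user is in both groups anyway, but the same pattern in a real account hands the key to every read-only CloudFormation principal.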