
Breaking AWS CloudFormation permissions changes impacting Amplify CLI? #13622

Closed
dthian opened this issue Feb 28, 2024 · 3 comments
Labels
cloudformation Issues related to CloudFormation workflow pending-response Issue is pending response from the issue author pending-triage Issue is pending triage question General question

Comments

@dthian

dthian commented Feb 28, 2024

Amplify CLI Version

12.8.2

Question

Hi, I just received an email from AWS CloudFormation regarding an API behaviour change that could cause disruptions.

Prior to January 31, 2024, CloudFormation actions on nested stacks were allowed if the action was part of a parent stack operation.

However, this is no longer true with the breaking change - If the user attempts to update a stack after adding a nested stack to the template, then the nested stack will also require CreateStack permissions for the operation to succeed. Similarly, if a nested stack is removed, the user will need DeleteStack permissions for the nested stack in order to successfully update the parent stack.

On April 5, 2024, AWS will remove my account from the allow-list, which will make this new behavior take effect. AWS strongly recommends that I modify or attach IAM Policies for the affected APIs by April 5, 2024, to avoid service disruption.

As it is mainly the Amplify CLI that is generating the CloudFormation templates (and therefore permissions) and deploying them, and since this permission behaviour is changing as per the AWS email - is there guidance on how to handle this CloudFormation change?

@dthian dthian added pending-triage Issue is pending triage question General question labels Feb 28, 2024
@ykethan
Member

ykethan commented Feb 28, 2024

Hey @dthian, thank you for reaching out. The default AdministratorAccess-Amplify includes the following CFN permissions for stacks whose names start with amplify-*:

{
    "Sid": "CLICloudformationPolicy",
    "Effect": "Allow",
    "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:GetTemplate",
        "cloudformation:UpdateStack",
        "cloudformation:ListStacks",
        "cloudformation:ListStackResources",
        "cloudformation:DeleteStackSet",
        "cloudformation:DescribeStackSet",
        "cloudformation:UpdateStackSet"
    ],
    "Resource": [
        "arn:aws:cloudformation:*:*:stack/amplify-*"
    ]
},

But if you are using a custom policy for your deployments, you will need to update the policy.

@ykethan ykethan added pending-response Issue is pending response from the issue author platform-push Issues related to `amplify push` cloudformation Issues related to CloudFormation workflow and removed platform-push Issues related to `amplify push` labels Feb 28, 2024
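Added example (not part of this issue thread or of the Amplify CLI): a small Python check for the situation the thread describes. It takes an IAM policy document and a list of nested-stack ARNs and reports which of the cloudformation:CreateStack / cloudformation:DeleteStack grants that nested stacks now need are missing. The two sample policies and the stack ARNs are constructed: the first reuses the Resource pattern quoted above (amplify-*), the second is a hypothetical custom policy scoped to a single root stack ARN, which is exactly the shape that stops working once nested stacks are checked individually. The evaluator is deliberately simplified (Allow statements with Action/Resource only; no Deny, NotAction, NotResource or Condition handling), so a pass here is a necessary, not sufficient, condition.

```python
"""Check whether an IAM policy's Allow statements cover the CloudFormation
actions that nested stacks now need to be granted individually.

Simplified evaluator (assumption): only Allow statements with Action and
Resource are considered; Deny, NotAction, NotResource and Condition are
ignored. IAM action names match case-insensitively, ARNs case-sensitively.
"""
import json
import re


def _as_list(value):
    # IAM allows a bare string or a list in Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any sequence, '?' matches one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement grants `action` on `resource_arn`."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_matches(a, action, ignore_case=True)
                        for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(_matches(r, resource_arn)
                          for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


# The two actions the CloudFormation change requires on each nested stack.
NESTED_STACK_ACTIONS = ("cloudformation:CreateStack",
                        "cloudformation:DeleteStack")


def missing_nested_permissions(policy, nested_stack_arns):
    """Return (action, arn) pairs that the policy does not allow."""
    return [(action, arn)
            for arn in nested_stack_arns
            for action in NESTED_STACK_ACTIONS
            if not is_allowed(policy, action, arn)]


# Constructed sample: the Resource pattern quoted in the thread.
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CLICloudformationPolicy",
        "Effect": "Allow",
        "Action": ["cloudformation:CreateStack", "cloudformation:DeleteStack",
                   "cloudformation:UpdateStack", "cloudformation:DescribeStacks"],
        "Resource": ["arn:aws:cloudformation:*:*:stack/amplify-*"],
    }],
}

# Constructed sample: a hypothetical custom policy scoped to one root stack.
# The trailing "/*" only matches the root stack's own ARN (name + stack id).
CUSTOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:CreateStack", "cloudformation:DeleteStack",
                   "cloudformation:UpdateStack", "cloudformation:DescribeStacks"],
        "Resource": ["arn:aws:cloudformation:us-east-1:111111111111:"
                     "stack/amplify-myapp-dev-123456/*"],
    }],
}

# Constructed ARNs. Stack ARNs have the form
# arn:aws:cloudformation:<region>:<account>:stack/<name>/<stack-id>;
# the nested-stack names are assumed to carry the parent name as a prefix.
ROOT_STACK_ARN = ("arn:aws:cloudformation:us-east-1:111111111111:"
                  "stack/amplify-myapp-dev-123456/0a1b2c3d-0000-0000-0000-000000000000")
SAMPLE_NESTED_STACK_ARNS = [
    "arn:aws:cloudformation:us-east-1:111111111111:"
    "stack/amplify-myapp-dev-123456-authcognito-ABC123/1b2c3d4e-0000-0000-0000-000000000000",
    "arn:aws:cloudformation:us-east-1:111111111111:"
    "stack/amplify-myapp-dev-123456-apimyapi-DEF456/2c3d4e5f-0000-0000-0000-000000000000",
]

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("custom", CUSTOM_POLICY)):
        missing = missing_nested_permissions(policy, SAMPLE_NESTED_STACK_ARNS)
        print(f"{name}: {len(missing)} missing grant(s)")
        print(json.dumps(missing, indent=2))
```

Run against a real policy, `missing_nested_permissions` should be fed the ARNs CloudFormation reports for the nested stacks of the Amplify root stack (for example from `DescribeStackResources` on the parent); the custom policy above passes for the root stack's own UpdateStack but fails for every nested stack because its Resource pattern ends at the root stack name.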
@ykethan
Member

ykethan commented May 3, 2024

Closing the issue due to inactivity. Do reach out to us if you require any assistance.

@ykethan ykethan closed this as not planned Won't fix, can't repro, duplicate, stale May 3, 2024

github-actions bot commented May 3, 2024

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
