How to Add CloudFormation:ListStacks Permission


On January 25, 2023, AWS updated their DescribeStacks API to ensure customers have granular control over the APIs they use. AWS CloudFormation now requires that customers have the cloudformation:ListStacks permission when calling DescribeStacks without a target stack. As a result, an update to the CloudFormation stack you are using is required. AWS has been contacting customers regarding an update to the CloudFormation stack you are using. You can use the steps below to add the permission to the stack you are using for CloudCheckr:

How to Add the Role

  1. Login to the AWS Console.
  2. Navigate to Identity and Access Management (IAM).
  3. Under Access Management, select Roles.
  4. In the search, search for the CloudCheckr IAM Stack. By default, CloudCheckr's stack name begins with "cc-iam-stack"
  5. Under Permission policies, expand the CloudCheckr-Inventory-Policy section.
    AWS console with the inventory policy expanded
  6. Click Edit, then when the visual editor opens, select the JSON tab.
  7. Add the cloudformation:ListStacks permission. All permissions are sorted alphabetically.
    IAM policy with the CloudFormation List Stacks role added
  8. Click Review Policy.
  9. Review the policy, and once completed, click Save Changes.

Once completed, you are all set. No further changes are needed and you do not need to do anything in CloudCheckr.

Frequently Asked Questions

Yes, however if you are using a single role then you will need to update one role's permission.

This role will specifically impact the CloudFormation Inventory report.

How did we do?