AWS CloudFormation implementation guide IAM Policy on Stack Update Despite Changes in Template
I'm testing a new approach and I'm running into a scenario where my CloudFormation stack does not seem to reflect updates to an IAM policy even after I modify the template and try to update the stack... I've confirmed that the IAM policy is defined in the template like this:

```yaml
Resources:
  MyIAMPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: MyPolicy
      Roles:
        - !Ref MyIAMRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject
            Resource: arn:aws:s3:::mybucket/*
```

Initially, this policy allowed `s3:PutObject`, but I changed it to also allow `s3:GetObject` by updating the `Statement` to:

```yaml
- Effect: Allow
  Action:
    - s3:PutObject
    - s3:GetObject
  Resource: arn:aws:s3:::mybucket/*
```

After running `aws cloudformation update-stack` with the modified template, I checked the IAM policy attached to the role, but it still only shows the `s3:PutObject` action. I've tried to delete the stack and recreate it from scratch, but the same scenario continues.

My AWS CLI version is 2.3.0, and I've validated that there aren't any explicit deny policies that might be overriding these actions. I also checked the stack events, and it doesn't show any errors during the update process.

Has anyone faced a similar scenario with CloudFormation not updating IAM policies? What could I be missing? Thanks for any insights!

I'm coming from a different tech stack and learning Yaml. How would you solve this? Any ideas what could be causing this?
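One way to check whether the inline policy on the role actually matches what the template declares, as an added example that is not code from the original post: it normalises IAM Allow statements (where `Action`, `Resource` and `Statement` may each be a string/object or a list) and reports which grants are missing or unexpected. The role name, policy name and the live-document sample are assumptions; `fetch_live_inline_policy` is a hypothetical wrapper around boto3's `get_role_policy`.

```python
"""Diff a CloudFormation-declared IAM policy against the inline policy on the role.
Added example for this thread; not the poster's code."""
import json


def _as_list(value):
    """IAM lets Statement/Action/Resource be a single value or a list; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_actions(policy_doc: dict) -> set:
    """Return the set of (action, resource) pairs granted by Allow statements."""
    pairs = set()
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                pairs.add((action, resource))
    return pairs


def policy_drift(template_doc: dict, live_doc: dict) -> dict:
    """Grants the template declares but IAM lacks ('missing'), and vice versa."""
    wanted, actual = allowed_actions(template_doc), allowed_actions(live_doc)
    return {"missing": sorted(wanted - actual), "unexpected": sorted(actual - wanted)}


def fetch_live_inline_policy(role_name: str, policy_name: str) -> dict:
    """Hypothetical helper: read the inline policy from IAM (needs boto3 + credentials)."""
    import boto3  # imported lazily so the offline comparison above needs no AWS access
    resp = boto3.client("iam").get_role_policy(RoleName=role_name, PolicyName=policy_name)
    return resp["PolicyDocument"]  # boto3 returns the document already decoded to a dict


# Constructed sample: the updated template vs. what the poster saw on the role.
TEMPLATE_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::mybucket/*"}]}
LIVE_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::mybucket/*"}]}

if __name__ == "__main__":
    # Replace LIVE_DOC with fetch_live_inline_policy("<role-name>", "MyPolicy") to check a real stack.
    print(json.dumps(policy_drift(TEMPLATE_DOC, LIVE_DOC), indent=2))
```

A non-empty `missing` list confirms the deployed policy lags the template; `aws cloudformation detect-stack-drift` on the stack is the complementary check from the CloudFormation side.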