Add IAM permissions boundary support to CloudFormation templates

Bob Strahan · Bob Strahan · commit 29f6c76507da · 2025-07-25T21:31:30.000Z
diff --git a/patterns/pattern-3/sagemaker_classifier_endpoint.yaml b/patterns/pattern-3/sagemaker_classifier_endpoint.yaml
@@ -61,10 +61,25 @@ Parameters:
     Default: 60
     MinValue: 0
 
+  PermissionsBoundaryArn:
+    Type: String
+    Default: ""
+    Description: >-
+      (Optional) ARN of an existing IAM Permissions Boundary policy to attach to all IAM roles.
+      Required by some organizations with Service Control Policies (SCPs).
+      Format: arn:aws:iam::account-id:policy/policy-name
+      Leave blank if no Permissions Boundary is required.
+    AllowedPattern: "^(|arn:aws:iam::[0-9]{12}:policy/.+)$"
+    ConstraintDescription: Must be empty or a valid IAM policy ARN
+
+Conditions:
+  HasPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundaryArn, ""]]
+
 Resources:
   UDOPExecutionRole:
     Type: AWS::IAM::Role
     Properties:
+      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -176,4 +191,4 @@ Outputs:
 
   ModelName:
     Description: Name of the created SageMaker model
-    Value: !GetAtt UDOPModel.ModelName
+    Value: !GetAtt UDOPModel.ModelName
diff --git a/patterns/pattern-3/template.yaml b/patterns/pattern-3/template.yaml
@@ -128,6 +128,7 @@ Resources:
         UDOPModelArtifactPath: !Ref UDOPModelArtifactPath
         S3Bucket: !Ref OutputBucket
         CustomerManagedEncryptionKeyArn: !Ref CustomerManagedEncryptionKeyArn
+        PermissionsBoundaryArn: !Ref PermissionsBoundaryArn
 
   # JSON Schema which defines the structure of the pattern configuration settings
   # used by the UI to allow the configuration to be inspected and customized.
diff --git a/template.yaml b/template.yaml
@@ -3896,6 +3896,7 @@ Resources:
             Action: sts:AssumeRole
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       Policies:
         - PolicyName: SageMakerA2IAccess
           PolicyDocument:
@@ -5390,6 +5391,7 @@ Resources:
             Effect: Allow
             Principal:
               Service: codebuild.amazonaws.com
+      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       Policies:
         - PolicyName: ecs-service
           PolicyDocument:
@@ -5535,6 +5537,7 @@ Resources:
             Action:
               - sts:AssumeRole
       Path: "/"
+      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       Policies:
         - PolicyName: root
           PolicyDocument:
