Deployer Permission Matrix
Last Updated: 2026-06-09
Template-derived mapping of CloudFormation® resources to AWS® services and typical deployer IAM actions. Use for enterprise IAM reviews and CloudTrail-based policy derivation.
Status: Template-derived (not CloudTrail-validated). When a validated deployer JSON is published for your release, it supersedes the action lists here.
See also: Identity and permissions · Deployment Guide · CloudTrail self-validation procedure
How to use this matrix
| Audience | Use |
|---|---|
| Security reviewers | Scope a deployer role before first production deploy |
| IAM engineers | Starting point for CloudTrail capture |
| Eval deployers | Optional — Tier 1 (AdministratorAccess) does not require this matrix |
The action columns list the permissions CloudFormation typically needs when your IAM user or role is the stack principal. Exact actions vary with account policy boundaries; confirm them by capturing CloudTrail during a deploy and then re-deploying under the scoped policy.
Section A — Stack resources → AWS services → deployer actions
Launcher (parent) stack
| Resource category | CFN types | AWS services | Typical deployer actions |
|---|---|---|---|
| Staging bucket | AWS::S3::Bucket | S3 | s3:CreateBucket, s3:PutEncryptionConfiguration, s3:PutBucketPublicAccessBlock, s3:PutObject, s3:GetObject, s3:DeleteObject |
| Template resolver | AWS::Lambda::Function, AWS::IAM::Role, AWS::CloudFormation::CustomResource | Lambda, IAM, CloudFormation | lambda:CreateFunction, lambda:InvokeFunction, lambda:DeleteFunction, iam:CreateRole, iam:PutRolePolicy, iam:PassRole, iam:DeleteRole |
| Nested inner stack | AWS::CloudFormation::Stack | CloudFormation | cloudformation:CreateStack, cloudformation:UpdateStack, cloudformation:DeleteStack, cloudformation:DescribeStacks, cloudformation:DescribeStackEvents, cloudformation:DescribeStackResources, cloudformation:GetTemplate, cloudformation:ValidateTemplate |
Inner (nested) stack — networking
| Resource category | CFN types | AWS services | Typical deployer actions |
|---|---|---|---|
| Security groups | AWS::EC2::SecurityGroup, AWS::EC2::SecurityGroupIngress | EC2 | ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress, ec2:DeleteSecurityGroup, ec2:DescribeVpcs, ec2:DescribeSubnets, ec2:DescribeSecurityGroups |
| Load balancer | AWS::ElasticLoadBalancingV2::LoadBalancer, Target groups, Listeners | ELB (v2) | elasticloadbalancing:CreateLoadBalancer, elasticloadbalancing:CreateTargetGroup, elasticloadbalancing:CreateListener, elasticloadbalancing:ModifyListener, elasticloadbalancing:DeleteLoadBalancer, elasticloadbalancing:Describe*, elasticloadbalancing:RegisterTargets, elasticloadbalancing:DeregisterTargets |
Inner stack — storage
| Resource category | CFN types | AWS services | Typical deployer actions |
|---|---|---|---|
| EFS | AWS::EFS::FileSystem, AWS::EFS::MountTarget, AWS::EFS::AccessPoint | EFS | elasticfilesystem:CreateFileSystem, elasticfilesystem:CreateMountTarget, elasticfilesystem:CreateAccessPoint, elasticfilesystem:DeleteFileSystem, elasticfilesystem:Describe*, elasticfilesystem:TagResource |
| DynamoDB® | AWS::DynamoDB::Table | DynamoDB | dynamodb:CreateTable, dynamodb:DeleteTable, dynamodb:DescribeTable, dynamodb:TagResource, dynamodb:UpdateContinuousBackups |
Inner stack — compute (ECS on EC2)
| Resource category | CFN types | AWS services | Typical deployer actions |
|---|---|---|---|
| EC2 / ASG | AWS::EC2::LaunchTemplate, AWS::AutoScaling::AutoScalingGroup | EC2, Auto Scaling | ec2:CreateLaunchTemplate, ec2:DeleteLaunchTemplate, ec2:RunInstances, ec2:Describe*, autoscaling:CreateAutoScalingGroup, autoscaling:UpdateAutoScalingGroup, autoscaling:DeleteAutoScalingGroup, autoscaling:Describe* |
| ECS | AWS::ECS::Cluster, AWS::ECS::CapacityProvider, AWS::ECS::TaskDefinition, AWS::ECS::Service | ECS | ecs:CreateCluster, ecs:CreateCapacityProvider, ecs:RegisterTaskDefinition, ecs:DeregisterTaskDefinition, ecs:CreateService, ecs:UpdateService, ecs:DeleteService, ecs:Describe*, ecs:PutClusterCapacityProviders |
| IAM (runtime) | AWS::IAM::Role, AWS::IAM::InstanceProfile | IAM | iam:CreateRole, iam:DeleteRole, iam:PutRolePolicy, iam:DeleteRolePolicy, iam:AttachRolePolicy, iam:DetachRolePolicy, iam:CreateInstanceProfile, iam:AddRoleToInstanceProfile, iam:RemoveRoleFromInstanceProfile, iam:DeleteInstanceProfile, iam:PassRole, iam:GetRole, iam:GetInstanceProfile |
Inner stack — supporting resources
| Resource category | CFN types | AWS services | Typical deployer actions |
|---|---|---|---|
| Custom resources | Lambda + CustomResource (VPC discovery, bootstrap, optional cert) | Lambda, IAM, EC2 (describe) | lambda:* (create/invoke/delete), iam:PassRole, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:DescribeRouteTables |
| Secrets | AWS::SecretsManager::Secret | Secrets Manager | secretsmanager:CreateSecret, secretsmanager:PutSecretValue, secretsmanager:DeleteSecret, secretsmanager:TagResource, secretsmanager:GetResourcePolicy, secretsmanager:PutResourcePolicy |
| Logs | AWS::Logs::LogGroup | CloudWatch Logs | logs:CreateLogGroup, logs:DeleteLogGroup, logs:PutRetentionPolicy, logs:TagResource, logs:DescribeLogGroups |
| Monitoring | AWS::CloudWatch::Alarm | CloudWatch | cloudwatch:PutMetricAlarm, cloudwatch:DeleteAlarms, cloudwatch:DescribeAlarms |
| Certificates (optional) | Lambda-driven ACM | ACM, Lambda | acm:RequestCertificate, acm:DescribeCertificate, acm:DeleteCertificate, acm:AddTagsToCertificate |
Cross-cutting deployer actions
| Need | Typical actions |
|---|---|
| Marketplace subscribe (before deploy) | aws-marketplace:Subscribe, aws-marketplace:Unsubscribe, aws-marketplace:ViewSubscriptions (via AWSMarketplaceManageSubscriptions managed policy) |
| First Quick Launch deploy | iam:CreateServiceLinkedRole for marketplace.amazonaws.com / deployment SLR |
| PassRole to stack roles | iam:PassRole on TaskRole, TaskExecutionRole, InstanceRole, Lambda execution roles |
| Service quotas / AZ lookup | ec2:DescribeAvailabilityZones, ec2:DescribeAccountAttributes |
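The matrix is meant to be proven against CloudTrail: capture events during a deploy, then re-deploy under the scoped policy. The script below is an added example, not tooling from the product or from this page. It maps CloudTrail records to IAM action names, diffs them against a constructed subset of the matrix using IAM-style wildcard matching (so `ecs:Describe*` covers `ecs:DescribeClusters`), and lists calls that were denied on a re-deploy. The sample records and the matrix subset are constructed for the example; the `monitoring` to `cloudwatch` prefix mapping and the API-version suffix on Lambda event names are CloudTrail conventions the mapping has to account for.

```python
"""Diff CloudTrail-observed deployer API calls against the template-derived matrix.

Added example; not part of the product's templates or tooling.
"""
import json
import re

# Constructed subset of the matrix's "Typical deployer actions" column.
MATRIX_ACTIONS = {
    "s3:CreateBucket", "s3:PutEncryptionConfiguration", "s3:PutObject",
    "cloudformation:CreateStack", "cloudformation:DescribeStacks",
    "iam:CreateRole", "iam:PutRolePolicy", "iam:PassRole",
    "lambda:CreateFunction", "lambda:InvokeFunction",
    "ecs:Describe*", "elasticloadbalancing:Describe*",
    "cloudwatch:PutMetricAlarm",
}

# CloudTrail eventSource hostnames whose first label is not the IAM service prefix.
EVENT_SOURCE_TO_IAM_PREFIX = {"monitoring": "cloudwatch"}

# Lambda eventNames carry an API-version suffix (e.g. CreateFunction20150331).
VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")

# Constructed CloudTrail records (only the fields this script reads).
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331"},
    {"eventSource": "ecs.amazonaws.com", "eventName": "DescribeClusters"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs"},
    {"eventSource": "elasticloadbalancing.amazonaws.com",
     "eventName": "CreateTargetGroup", "errorCode": "AccessDenied"},
]


def cloudtrail_action(record):
    """Turn a CloudTrail record into an IAM action string like 'ecs:DescribeClusters'."""
    source = record["eventSource"].split(".")[0]
    prefix = EVENT_SOURCE_TO_IAM_PREFIX.get(source, source)
    name = VERSION_SUFFIX.sub("", record["eventName"])
    return f"{prefix}:{name}"


def iam_pattern(pattern):
    """Compile an IAM action pattern: '*' and '?' are wildcards and action
    names match case-insensitively, as IAM evaluates them."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def covered_by(action, patterns):
    """True if any matrix pattern grants the given action."""
    return any(iam_pattern(p).match(action) for p in patterns)


def compare(matrix, records):
    """Split records into succeeded and denied calls, then diff against the matrix."""
    observed = {cloudtrail_action(r) for r in records if "errorCode" not in r}
    denied = {cloudtrail_action(r) for r in records if "errorCode" in r}
    return {
        "observed": sorted(observed),
        # Denied during a scoped re-deploy: the policy under test lacks these.
        "denied": sorted(denied),
        # Seen in CloudTrail but not listed in the matrix: candidate matrix gaps.
        "unexpected": sorted(a for a in observed if not covered_by(a, matrix)),
        # Listed in the matrix but never observed: candidates for removal
        # (iam:PassRole is expected here; CloudTrail never logs it on its own).
        "unexercised": sorted(
            p for p in matrix if not any(iam_pattern(p).match(a) for a in observed)
        ),
    }


def report(records=SAMPLE_RECORDS, matrix=MATRIX_ACTIONS):
    """Run the comparison on the constructed sample (or on real records)."""
    return compare(matrix, records)


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

To use it on a real capture, pass the `Records` array of a CloudTrail export in place of `SAMPLE_RECORDS` and the full matrix action list in place of the subset. Two caveats when reading the output: `iam:PassRole` never appears as a standalone CloudTrail event because it is evaluated inside calls such as `lambda:CreateFunction` and `ec2:RunInstances` that carry a role, so keep it (scoped) whenever those calls are present; and a denied call that is already in the matrix means the policy under test is missing it, while a denied call that is not in the matrix is a matrix gap.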
Section B — How permissions are used
CloudFormation
The deployer creates two stacks: launcher (parent) and inner (nested). Nested stacks require CAPABILITY_AUTO_EXPAND. Updates to cluster node count modify the parent stack; auto-update modifies the nested stack via the appliance TaskRole (runtime), not the original deployer.
IAM
The template creates runtime roles (task, execution, instance) and Lambda execution roles for custom resources. The deployer needs iam:CreateRole, iam:PutRolePolicy, and iam:PassRole so CloudFormation can assign roles to ECS tasks, EC2 instances, and Lambda functions.
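As an added example (not the product's own policy or templates), the script below turns a matrix action list into a deployer policy document that keeps `iam:PassRole` in its own statement, limited to the stack's role names and to the three services this section says roles are passed to (ECS tasks, EC2 instances, Lambda). The account id `123456789012` and the role-name prefix `roadrunner-` are placeholders; the real role names come from the deployed stack. It also includes two checks a reviewer would run on any candidate policy: one that flags whole-service wildcards such as the matrix's `lambda:*` shorthand, and one that confirms every statement able to grant PassRole is scoped by resource and by `iam:PassedToService`.

```python
"""Render a deployer IAM policy from an action list, keeping iam:PassRole scoped.

Added example; not from the product's templates. The account id and the
role-name prefix used below are placeholders.
"""
import json
import re

# Services the stack passes roles to, per the page: ECS tasks, EC2 instances, Lambda.
PASSROLE_SERVICES = ["ecs-tasks.amazonaws.com", "ec2.amazonaws.com", "lambda.amazonaws.com"]

# Constructed subset of matrix actions, including the matrix's own 'lambda:*' shorthand.
SAMPLE_ACTIONS = [
    "cloudformation:CreateStack", "cloudformation:DescribeStacks",
    "iam:CreateRole", "iam:PutRolePolicy", "iam:PassRole",
    "lambda:*", "ecs:Describe*", "ecs:CreateService",
    "aws-marketplace:Subscribe",
]


def build_deployer_policy(actions, account_id, role_name_prefix):
    """One Allow statement per service prefix, plus a separate PassRole statement
    limited to the stack's role-name prefix and to the services that consume them."""
    by_service = {}
    wants_passrole = False
    for action in sorted(set(actions)):
        prefix, sep, name = action.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed action: {action!r}")
        if action.lower() == "iam:passrole":
            wants_passrole = True
            continue
        by_service.setdefault(prefix, []).append(action)

    statements = [
        {
            # Sid must be alphanumeric, so strip the hyphen in 'aws-marketplace'.
            "Sid": re.sub(r"[^A-Za-z0-9]", "", prefix).capitalize() + "Deploy",
            "Effect": "Allow",
            "Action": acts,
            "Resource": "*",
        }
        for prefix, acts in sorted(by_service.items())
    ]
    if wants_passrole:
        statements.append({
            "Sid": "PassStackRolesOnly",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{account_id}:role/{role_name_prefix}*",
            "Condition": {"StringEquals": {"iam:PassedToService": PASSROLE_SERVICES}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_actions(policy):
    """Actions that grant a whole service ('lambda:*') or everything ('*')."""
    found = []
    for st in policy["Statement"]:
        found.extend(a for a in _as_list(st["Action"]) if a == "*" or a.endswith(":*"))
    return sorted(found)


def passrole_is_scoped(policy):
    """True when every statement able to grant iam:PassRole names a role ARN
    pattern (not bare '*') and carries an iam:PassedToService condition."""
    for st in policy["Statement"]:
        acts = [a.lower() for a in _as_list(st["Action"])]
        if not any(a in ("iam:passrole", "iam:*", "*") for a in acts):
            continue
        resources = _as_list(st["Resource"])
        condition = st.get("Condition", {}).get("StringEquals", {})
        if "*" in resources or "iam:PassedToService" not in condition:
            return False
    return True


if __name__ == "__main__":
    policy = build_deployer_policy(SAMPLE_ACTIONS, "123456789012", "roadrunner-")
    print(json.dumps(policy, indent=2))
    print("overbroad:", overbroad_actions(policy))
    print("PassRole scoped:", passrole_is_scoped(policy))
```

`Resource: "*"` on the per-service statements is a starting point, not a finished policy; tighten it with ARNs or tag conditions once CloudTrail shows which resources the deploy actually touched. `overbroad_actions` deliberately flags the matrix's `lambda:*` entry so it gets expanded to the three Lambda actions listed in the parent-stack row rather than carried into a production deployer role.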
EC2, ECS, EFS, and DynamoDB
Cluster nodes launch via launch template + ASG. ECS registers tasks with NLB target groups. EFS holds share data; DynamoDB stores ACL metadata and billing state. See Deployment Guide — Architecture.
Lambda custom resources
VPC subnet discovery, bootstrap secret creation, and optional certificate generation run as CloudFormation custom resources during stack create.
Section C — Runtime roles (not the deployer)
These roles are created by the stack and used by the appliance at runtime. Do not attach them to human deployer principals.
| Role | Used by | Key permissions (summary) |
|---|---|---|
| TaskExecutionRole | ECS agent (pull images) | ECR pull, CloudWatch Logs write, Secrets Manager read |
| TaskRole | RRSMB container | DynamoDB, EFS, cloudformation:UpdateStack (auto-update), aws-marketplace:MeterUsage |
| InstanceRole | EC2 host | ECS agent, SSM Session Manager |
Detail: Identity and permissions — Deployer vs runtime IAM.
Related documentation
| Topic | Document |
|---|---|
| Identity overview | Identity and permissions |
| CloudTrail procedure | Self-service CloudTrail capture |
| Deployment | Deployment Guide |
| Marketplace facts | AWS Marketplace deployment summary |
Footer: This matrix is template-derived from Roadrunner SMB™ Marketplace CloudFormation templates as of 2026-06-06. A CloudTrail-validated deployer policy JSON, when published for a specific release, is authoritative for that release.
