Understanding the AWS CloudFormation --capabilities parameter

Look at this command:

aws cloudformation create-stack --stack-name cfniamrole --capabilities CAPABILITY_IAM --template-body file:///home/thuy/aws_devops/aws_cloudformation/CfnIamRole.yaml

Here is the content of the AWS CloudFormation template:

Without the --capabilities parameter, the command fails with an error. The AWS documentation states:

In some cases, you must explicitly acknowledge that your stack template contains certain capabilities in order for CloudFormation to create the stack.

  • CAPABILITY_IAM and CAPABILITY_NAMED_IAM: Some stack templates might include resources that can affect permissions in your Amazon Web Services account; for example, by creating new Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge this by specifying one of these capabilities. The following IAM resources require you to specify either the CAPABILITY_IAM or CAPABILITY_NAMED_IAM capability.
    • If you have IAM resources, you can specify either capability.
    • If you have IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM.
    • If you don’t specify either of these capabilities, CloudFormation returns an InsufficientCapabilities error.

If your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.

For more information, see Acknowledging IAM Resources in CloudFormation Templates.

  • CAPABILITY_AUTO_EXPAND: Some templates contain macros. Macros perform custom processing on templates; this can include simple actions like find-and-replace operations, all the way to extensive transformations of entire templates. Because of this, users typically create a change set from the processed template, so that they can review the changes resulting from the macros before actually creating the stack. If your stack template contains one or more macros, and you choose to create a stack directly from the processed template, without first reviewing the resulting changes in a change set, you must acknowledge this capability. This includes the AWS::Include and AWS::Serverless transforms, which are macros hosted by CloudFormation. If you want to create a stack from a stack template that contains macros and nested stacks, you must create the stack directly from the template using this capability.

Warning

You should only create stacks directly from a stack template that contains macros if you know what processing the macro performs. Each macro relies on an underlying Lambda service function for processing stack templates. Be aware that the Lambda function owner can update the function operation without CloudFormation being notified.

For more information, see Using CloudFormation macros to perform custom processing on templates.
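As an added example (not from the original post, and not AWS tooling), a small pre-flight check that applies the rules quoted above to a JSON-format template and reports which --capabilities value create-stack would need. The IAM resource-type and custom-name property lists are a subset chosen for this example; the sample templates (an EC2-assumable role, with and without a RoleName, and a SAM template) are constructed here.

```python
"""Pre-flight check: which --capabilities values a CloudFormation template needs."""

# IAM resource types that need CAPABILITY_IAM / CAPABILITY_NAMED_IAM.
# Assumption: a subset of the resource list in the AWS docs, enough for this example.
IAM_RESOURCE_TYPES = {"AWS::IAM::AccessKey", "AWS::IAM::Group", "AWS::IAM::InstanceProfile",
                      "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"}
# Properties that give an IAM resource a custom name (=> CAPABILITY_NAMED_IAM).
CUSTOM_NAME_PROPERTIES = {"RoleName", "GroupName", "UserName", "InstanceProfileName"}


def _uses_fn_transform(node):
    """True if a resource-level Fn::Transform (e.g. AWS::Include) appears anywhere."""
    if isinstance(node, dict):
        return "Fn::Transform" in node or any(_uses_fn_transform(v) for v in node.values())
    if isinstance(node, list):
        return any(_uses_fn_transform(v) for v in node)
    return False


def required_capabilities(template):
    """Return the set of capabilities create-stack must acknowledge for this template (a dict)."""
    caps = set()
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") in IAM_RESOURCE_TYPES:
            props = resource.get("Properties", {})
            named = any(p in props for p in CUSTOM_NAME_PROPERTIES)
            caps.add("CAPABILITY_NAMED_IAM" if named else "CAPABILITY_IAM")
    if "CAPABILITY_NAMED_IAM" in caps:  # NAMED_IAM also covers the unnamed IAM resources
        caps.discard("CAPABILITY_IAM")
    if template.get("Transform") or _uses_fn_transform(template):  # macros are in play
        caps.add("CAPABILITY_AUTO_EXPAND")
    return caps


def capabilities_flag(template):
    """The --capabilities fragment to append to create-stack, or '' when none is needed."""
    caps = required_capabilities(template)
    return "--capabilities " + " ".join(sorted(caps)) if caps else ""


def role_template(role_name=None):
    """Constructed sample: an EC2-assumable IAM role, as a JSON-style dict (not the post's YAML)."""
    props = {"AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}}
    if role_name:  # a custom name is what moves the template to CAPABILITY_NAMED_IAM
        props["RoleName"] = role_name
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {"AppRole": {"Type": "AWS::IAM::Role", "Properties": props}}}


# Constructed sample: a SAM template, which is processed by the AWS::Serverless macro.
SAM_TEMPLATE = {"Transform": "AWS::Serverless-2016-10-31", "Resources": {
    "Fn": {"Type": "AWS::Serverless::Function", "Properties": {"Runtime": "python3.12", "Handler": "app.handler"}}}}
```

Real templates are usually YAML with short-form tags such as !Ref, so load them with a CloudFormation-aware loader (or convert to JSON) before passing the dict in.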

Understanding CloudFormation IAM permissions

CloudFormation performs API calls during stack creation or update. However, it does not have the same powers as a root user in AWS. Controlling access for CloudFormation is crucial in production-grade AWS accounts for both humans and machines.

When a user initiates stack creation, they call the cloudformation:CreateStack API action. CloudFormation then uses that user’s permissions to call the other API actions needed to create the resources in the stack, so the user’s IAM policy must grant every action CloudFormation will perform during stack creation.

For instance, if a user has an IAM policy with an allowed action ec2:*, but they attempt to create an RDS instance using CloudFormation, the stack creation will fail with an error message indicating that the user is unauthorized to perform the action.
