You can now allow AWS CloudFormation to assume service roles which determine what CloudFormation is allowed to do with your stack. A service role is an AWS Identity and Access Management (IAM) role which can be assigned permissions that determine which AWS resources CloudFormation can create, update, or delete. For example, you could create a service role that only allows CloudFormation to perform actions with Amazon EC2. Previously, CloudFormation would use the default permissions from the user credentials you used to access CloudFormation. Using service roles with CloudFormation, you can now more easily set granular permissions to CloudFormation for different AWS accounts or IAM users. To get started, you can set a service role when creating, updating, or deleting a stack. You will also need permission to pass the role to CloudFormation. Learn more about this feature in the documentation.