案件で作る機会があったので、さっと

IAM.yml

AWSTemplateFormatVersion: '2010-09-09'
Description: 'SampleApp - IAM'

Parameters:
  # Prefix applied to the role and group names created in Resources below.
  ProjectName:
    Description: 'Project name'
    Type: 'String'
    Default: 'SampleApp'

Resources:

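  IamSampleDeveloperRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${ProjectName}SampleDeveloper'
      AssumeRolePolicyDocument:
        # Quoted so generic YAML loaders keep this as a string rather than a date.
        Version: '2012-10-17'
        Statement:
          # Trust policy: the account root principal means any identity in this
          # account that has itself been granted sts:AssumeRole on this role
          # (here: members of the developers group) can assume it. Add a
          # Condition on aws:MultiFactorAuthPresent if MFA should be required.
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess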

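  IamSampleDeveloperPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: IamSampleDeveloperPolicy
      PolicyDocument:
        # Quoted so generic YAML loaders keep this as a string rather than a date.
        Version: '2012-10-17'
        Statement:
          # Account-wide table discovery. Most of these actions are not
          # resource-scoped, so '*' is needed here.
          - Effect: Allow
            Action:
              - dynamodb:List*
              - dynamodb:DescribeReservedCapacity*
              - dynamodb:DescribeLimits
              - dynamodb:DescribeTimeToLive
            Resource: '*'
          # Full read/write on tables named "dev-*" in any region of any
          # account. Note that Delete* also covers DeleteTable.
          - Effect: Allow
            Action:
              - dynamodb:BatchGet*
              - dynamodb:DescribeStream
              - dynamodb:DescribeTable
              - dynamodb:Get*
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:BatchWrite*
              - dynamodb:CreateTable
              - dynamodb:Delete*
              - dynamodb:Update*
              - dynamodb:PutItem
            Resource:
              - 'arn:aws:dynamodb:*:*:table/dev-*'
          # Bucket listing is an account-level action and needs the bare S3 ARN.
          - Effect: Allow
            Action:
              - s3:ListAllMyBuckets
            Resource:
              - 'arn:aws:s3:::*'
          # s3:* on every bucket (and every object) whose name contains "dev"
          # anywhere, including bucket-level actions such as deleting the bucket
          # or rewriting its policy. A contains-match also picks up buckets such
          # as "devops-…" (constructed example); a prefix like "dev-*" is safer.
          - Effect: Allow
            Action:
              - s3:*
            Resource:
              - 'arn:aws:s3:::*dev*'
      Roles:
        - !Ref IamSampleDeveloperRole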

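  IamSampleDevelopersGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Sub '${ProjectName}SampleDevelopers'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCodeCommitPowerUser
      Policies:
        # Members hold no DynamoDB/S3 permissions directly; they obtain them by
        # assuming the developer role, which is all this inline policy allows.
        - PolicyName: AllowAssumeRole
          PolicyDocument:
            # Quoted so generic YAML loaders keep this as a string rather than a date.
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource: !GetAtt IamSampleDeveloperRole.Arn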

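  IamUserSampleUser:
    Type: AWS::IAM::User
    Properties:
      # Fixed name; IAM user names are unique per account, so derive it from
      # ProjectName if this template is deployed more than once per account.
      UserName: test-frontend
      Groups:
        # Must reference the group, not the role: !Ref on an AWS::IAM::Role
        # returns the role name, which is not an existing group for this user.
        - !Ref IamSampleDevelopersGroup
    DeletionPolicy: Delete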

Makefile

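REGION     := ap-northeast-1
# NOTE: "fronend" looks like a typo for "frontend", but the value is kept on
# purpose: changing it would point every target at a different (new) stack.
STACK_NAME := fronend-developer-test
TEMPLATE   := file://./IAM.yml
AWS_CFN    := aws cloudformation --region $(REGION)

.DEFAULT_GOAL := apply

# None of the targets produce a file; mark them phony so a same-named path
# in the working directory cannot shadow them.
.PHONY: validate apply update list remove

# Syntax-check the template without touching any stack.
validate:
	$(AWS_CFN) validate-template --template-body $(TEMPLATE)

# Create the stack. CAPABILITY_NAMED_IAM is required because the template
# sets explicit RoleName/GroupName/UserName values.
apply:
	$(AWS_CFN) create-stack --template-body $(TEMPLATE) --stack-name $(STACK_NAME) --capabilities CAPABILITY_NAMED_IAM

# Update the existing stack in place (same capability requirement as apply).
update:
	$(AWS_CFN) update-stack --template-body $(TEMPLATE) --stack-name $(STACK_NAME) --capabilities CAPABILITY_NAMED_IAM

# Show the stack's current status and outputs.
list:
	$(AWS_CFN) describe-stacks --stack-name $(STACK_NAME)

# Delete the stack and, with it, the IAM role/policy/group/user it created.
remove:
	$(AWS_CFN) delete-stack --stack-name $(STACK_NAME)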