Requiring a CloudFormation service role is an implementation preference, not a reliable compliance control. A stack can be securely managed without a dedicated service role, while the mere presence of a service role does not prove least privilege or good access governance. In some cases, it can even increase risk: the stack runs with the service role's permissions, so a user who can operate the stack may indirectly use privileges that they do not have as a user.
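The indirect-privilege case described above can be checked for during an access review. The following is an added example, not code from the original page: it lists, for each stack with a service role, the users who can operate the stack and the actions the role allows that their own policies do not. Assumptions: the account data is constructed, policies are reduced to lists of allowed action patterns (Deny statements, conditions and resource scoping are ignored), and the names `indirect_privileges`, `PROBE_ACTIONS` and `STACK_OPS` are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed sample data (not from a real account). "RoleARN" is the field
# DescribeStacks returns when a stack has a service role attached.
STACKS = [
    {"StackName": "net-baseline", "RoleARN": "arn:aws:iam::111122223333:role/cfn-admin"},
    {"StackName": "app-web", "RoleARN": "arn:aws:iam::111122223333:role/cfn-app"},
    {"StackName": "sandbox"},  # no service role: operations use the caller's permissions
]
ROLE_ALLOWS = {
    "arn:aws:iam::111122223333:role/cfn-admin": ["*"],
    "arn:aws:iam::111122223333:role/cfn-app": ["s3:CreateBucket", "s3:PutBucketPolicy"],
}
USER_ALLOWS = {
    "alice": ["cloudformation:*", "s3:*"],
    "bob": ["cloudformation:UpdateStack", "cloudformation:DescribeStacks"],
    "carol": ["s3:GetObject"],
}
# Actions the review cares about (assumption: pick the ones relevant to your account).
PROBE_ACTIONS = ["iam:CreateRole", "iam:AttachRolePolicy", "s3:CreateBucket",
                 "s3:PutBucketPolicy", "ec2:RunInstances"]
# Stack operations that let a user change what the service role deploys.
STACK_OPS = ["cloudformation:UpdateStack", "cloudformation:CreateChangeSet"]

def allows(patterns, action):
    """True if any IAM-style action pattern (with * or ?) matches the action."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def indirect_privileges(stacks, role_allows, user_allows, probe=PROBE_ACTIONS):
    """Return (stack, user, actions) where the role grants what the user lacks."""
    findings = []
    for stack in stacks:
        role = stack.get("RoleARN")
        if role is None:
            continue  # without a service role there is nothing to borrow
        for user, patterns in sorted(user_allows.items()):
            if not any(allows(patterns, op) for op in STACK_OPS):
                continue  # user cannot operate the stack at all
            gained = [a for a in probe
                      if allows(role_allows.get(role, []), a) and not allows(patterns, a)]
            if gained:
                findings.append((stack["StackName"], user, gained))
    return findings

if __name__ == "__main__":
    for name, user, gained in indirect_privileges(STACKS, ROLE_ALLOWS, USER_ALLOWS):
        print(f"{name}: {user} can reach {', '.join(gained)} via the service role")
```

An empty result for a stack means its operators already hold everything the role allows among the probed actions, which is the situation where the service role adds no indirect privilege.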