In the stack create an IAM policy and role.

The IAM policy should contain all permissions for read/write/list for the following resources (if they are included in stack)

• CloudFormationStack
• RootBucket
• WwwBucket
• HostedZone
• AcmCertificate
• CloudFrontDist

Additionally it should allow users to add a new policy to an IAM group (when they deploy a new stack)