deb-heat/etc/heat/policy.json

{
    "context_is_admin":  "role:admin",
    "deny_stack_user": "not role:heat_stack_user",

    "cloudformation:ListStacks": "rule:deny_stack_user",
    "cloudformation:CreateStack": "rule:deny_stack_user",
    "cloudformation:DescribeStacks": "rule:deny_stack_user",
    "cloudformation:DeleteStack": "rule:deny_stack_user",
    "cloudformation:UpdateStack": "rule:deny_stack_user",
    "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
    "cloudformation:ValidateTemplate": "rule:deny_stack_user",
    "cloudformation:GetTemplate": "rule:deny_stack_user",
    "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
    "cloudformation:DescribeStackResource": "",
    "cloudformation:DescribeStackResources": "rule:deny_stack_user",
    "cloudformation:ListStackResources": "rule:deny_stack_user",

    "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
    "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
    "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
    "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
    "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
    "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
    "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
    "cloudwatch:ListMetrics": "rule:deny_stack_user",
    "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
    "cloudwatch:PutMetricData": "",
    "cloudwatch:SetAlarmState": "rule:deny_stack_user",

    "actions:action": "rule:deny_stack_user",
    "build_info:build_info": "rule:deny_stack_user",
    "events:index": "rule:deny_stack_user",
    "events:show": "rule:deny_stack_user",
    "resource:index": "rule:deny_stack_user",
    "resource:metadata": "",
    "resource:show": "rule:deny_stack_user",
    "stacks:abandon": "rule:deny_stack_user",
    "stacks:create": "rule:deny_stack_user",
    "stacks:delete": "rule:deny_stack_user",
    "stacks:detail": "rule:deny_stack_user",
    "stacks:generate_template": "rule:deny_stack_user",
    "stacks:index": "rule:deny_stack_user",
    "stacks:list_resource_types": "rule:deny_stack_user",
    "stacks:lookup": "rule:deny_stack_user",
    "stacks:resource_schema": "rule:deny_stack_user",
    "stacks:show": "rule:deny_stack_user",
    "stacks:template": "rule:deny_stack_user",
    "stacks:update": "rule:deny_stack_user",
    "stacks:validate_template": "rule:deny_stack_user"
}