The closest one that you've mentioned is AWSCloudFormationReadOnlyAccess, but obviously that's for readonly and you need cloudformation:CreateStack. Add the following as a user policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1449904348000",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack"
],
"Resource": [
"*"
]
}
]
}
It's entirely possible you'll need more permissions- for instance, to launch an EC2 instance, to (re)configure security groups, etc.