json code need to disallow Delete Domain by im user. "route53:DeleteDomain" ERROR

Question

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "route53domains:AcceptDomainTransferFromAnotherAwsAccount",
                "route53domains:CancelDomainTransferToAnotherAwsAccount",
                "route53domains:CheckDomainTransferability",
                "route53domains:DisableDomainTransferLock",
                "route53domains:EnableDomainTransferLock",
                "route53domains:RejectDomainTransferFromAnotherAwsAccount",
                "route53domains:TransferDomain",
                "route53domains:TransferDomainToAnotherAwsAccount",
                "route53:DeleteHostedZone"
                "route53:DeleteDomain"   (IT STATED ERROR JSON FOR THIS CODE) 
            ],
            "Resource": "*"
        }
    ]
}

Accepted Answer

Hello.

I made the same comment at the URL below.  
https://repost.aws/questions/QUsHc9DBQXSraeueBCkOsuGw/admin-access-exception-of-domain-delete-transfer-and-closure-of-aws-account#ANOkus2jozRxa7FnFTwSBztA

There is no action called "route53:DeleteDomain".  
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html

You can control domain deletion with the action "route53domains:DeleteDomain".  
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53domains.html
```
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
      },
      {
          "Effect": "Deny",
          "Action": [
              "route53domains:AcceptDomainTransferFromAnotherAwsAccount",
              "route53domains:CancelDomainTransferToAnotherAwsAccount",
              "route53domains:CheckDomainTransferability",
              "route53domains:DisableDomainTransferLock",
              "route53domains:DeleteDomain",
              "route53domains:EnableDomainTransferLock",
              "route53domains:RejectDomainTransferFromAnotherAwsAccount",
              "route53domains:TransferDomain",
              "route53domains:TransferDomainToAnotherAwsAccount",
              "route53:DeleteHostedZone"
          ],
          "Resource": "*"
      }
  ]
}
```

Answer

If you would like to prevent an IAM user (or any other principal - such as a role) from being able to make the `deleteDomain` call then you can attach this policy to them:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "route53domains:DeleteDomain",
            "Resource": "*"
        }
    ]
}
```

As for the policy you have - it isn't correctly formatted - and is not valid JSON. It should be formatted as follows:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "route53domains:AcceptDomainTransferFromAnotherAwsAccount",
                "route53domains:CancelDomainTransferToAnotherAwsAccount",
                "route53domains:CheckDomainTransferability",
                "route53domains:DisableDomainTransferLock",
                "route53domains:EnableDomainTransferLock",
                "route53domains:RejectDomainTransferFromAnotherAwsAccount",
                "route53domains:TransferDomain",
                "route53domains:TransferDomainToAnotherAwsAccount",
                "route53:DeleteHostedZone",
                "route53domains:DeleteDomain"
            ],
            "Resource": "*"
        }
    ]
}
```

You have `],` at the wrong location - it should be in front of the `"Resource": "*"` clause. Obviously, these are only deny rules - you should also provide the corresponding allowed actions, either here, or in a different policy.

Deny always wins.

json code need to disallow Delete Domain by im user. "route53:DeleteDomain" ERROR

Contenuto pertinente