How can I prevent or restrict users from updating or deleting my Route 53 health checks?


I created several Amazon Route 53 health checks. I want to either prevent all other users from modifying these health checks, or control which users can modify them.

Resolution

Use AWS Identity and Access Management (IAM) policies to prevent changes to your Route 53 health checks. For more information, see Using identity-based policies (IAM policies) for Amazon Route 53.

Option 1: Explicitly deny other users from deleting or updating health checks

To restrict other users from running the delete and update commands on your health checks, use the following IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "route53:DeleteHealthCheck",
        "route53:UpdateHealthCheck"
      ],
      "Resource": "*"
    }
  ]
}

Option 2: Require other users to perform multi-factor authentication (MFA) to delete or update health checks

To control which users can update health checks, require MFA so that only MFA-authenticated users can modify them. If a user isn't MFA authenticated, then any update or delete calls that they attempt fail.

The following statement denies the listed actions to any user who isn't MFA authenticated:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "route53:UpdateHealthCheck",
        "route53:DeleteHealthCheck"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

For more information, see How do I use an MFA token to authenticate access to my AWS resources through the AWS Command Line Interface (AWS CLI)?
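
Why the Option 2 statement uses BoolIfExists rather than Bool, shown as an added example that is not part of the original article: a simplified local model (not the AWS policy engine) that matches the Deny statement against three constructed request contexts. Requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key, so only BoolIfExists denies them; the function names and contexts are illustrative assumptions.

```python
# Simplified local model of how the Option 2 Deny statement is matched.
# Assumption: only the Bool / BoolIfExists operators are modelled.

def statement(operator):
    """Option 2 statement from this page, with a selectable condition operator."""
    return {
        "Effect": "Deny",
        "Action": ["route53:UpdateHealthCheck", "route53:DeleteHealthCheck"],
        "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
    }

def condition_matches(condition, context):
    """True when every condition test holds for the request context."""
    for operator, tests in condition.items():
        if_exists = operator.endswith("IfExists")
        for key, expected in tests.items():
            if key not in context:
                # Missing key: "...IfExists" treats the test as satisfied,
                # plain "Bool" treats it as failed (statement does not apply).
                if if_exists:
                    continue
                return False
            if str(context[key]).lower() != expected.lower():
                return False
    return True

def is_denied(stmt, action, context):
    """True when the Deny statement applies to this action and context."""
    return (stmt["Effect"] == "Deny" and action in stmt["Action"]
            and condition_matches(stmt["Condition"], context))

# Constructed request contexts (not captured from real requests).
CONTEXTS = {
    "long-term access key (key absent)": {},
    "temporary credentials, no MFA": {"aws:MultiFactorAuthPresent": "false"},
    "temporary credentials, MFA": {"aws:MultiFactorAuthPresent": "true"},
}

def decision_table(action="route53:DeleteHealthCheck"):
    """Deny decision per context, for BoolIfExists and for plain Bool."""
    return {name: {op: is_denied(statement(op), action, ctx)
                   for op in ("BoolIfExists", "Bool")}
            for name, ctx in CONTEXTS.items()}

if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:36} BoolIfExists={row['BoolIfExists']}  Bool={row['Bool']}")
```

With plain Bool, the long-term access key row is not denied, which is the gap the IfExists form closes.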

AWS OFFICIAL
Updated 10 months ago