- 최신
- 최다 투표
- 가장 많은 댓글
Hello.
I made the same comment at the URL below.
https://repost.aws/questions/QUsHc9DBQXSraeueBCkOsuGw/admin-access-exception-of-domain-delete-transfer-and-closure-of-aws-account#ANOkus2jozRxa7FnFTwSBztA
There is no action called "route53:DeleteDomain".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html
You can control domain deletion with the action "route53domains:DeleteDomain".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53domains.html
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"route53domains:AcceptDomainTransferFromAnotherAwsAccount",
"route53domains:CancelDomainTransferToAnotherAwsAccount",
"route53domains:CheckDomainTransferability",
"route53domains:DisableDomainTransferLock",
"route53domains:DeleteDomain",
"route53domains:EnableDomainTransferLock",
"route53domains:RejectDomainTransferFromAnotherAwsAccount",
"route53domains:TransferDomain",
"route53domains:TransferDomainToAnotherAwsAccount",
"route53:DeleteHostedZone"
],
"Resource": "*"
}
]
}
If you would like to prevent an IAM user (or any other principal - such as a role) from being able to make the deleteDomain call then you can attach this policy to them:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": "route53domains:DeleteDomain",
"Resource": "*"
}
]
}
As for the policy you have - it isn't correctly formatted - and is not valid JSON. It should be formatted as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"route53domains:AcceptDomainTransferFromAnotherAwsAccount",
"route53domains:CancelDomainTransferToAnotherAwsAccount",
"route53domains:CheckDomainTransferability",
"route53domains:DisableDomainTransferLock",
"route53domains:EnableDomainTransferLock",
"route53domains:RejectDomainTransferFromAnotherAwsAccount",
"route53domains:TransferDomain",
"route53domains:TransferDomainToAnotherAwsAccount",
"route53:DeleteHostedZone",
"route53domains:DeleteDomain"
],
"Resource": "*"
}
]
}
You have ], at the wrong location - it should be in front of the "Resource": "*" clause. Obviously, these are only deny rules - you should also provide the corresponding allowed actions, either here, or in a different policy.
Deny always wins.
