Prevent function deletion

Question

Hello, I was looking to prevent certain functions from being deleted unless the user is in a specific group. Would some form of an SCP or IAM policy be best here?

Answer

Hello.  
As you recognize, the guardrails at SCP are effective.  
You can limit Lambda deletion by configuring SCP to allow only specific IAM users, groups, roles, and SSO permission sets.  
For example, the following condition would allow only a specific set of SSO permissions to operate.  
```
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/ap-northeast-1/AWSReservedSSO_Access permission set_*"
          ]
        }
      }
```

Prevent function deletion

Conteúdo relevante