By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Prevent function deletion

0

Hello, I was looking to prevent certain functions from being deleted unless the user is in a specific group. Would some form of an SCP or IAM policy be best here?

Topics
ServerlessCompute
Tags
AWS Lambda
Language
English
branney
asked 9 months ago233 views
1 Answer
1

Hello.
As you recognize, the guardrails at SCP are effective.
You can limit Lambda deletion by configuring SCP to allow only specific IAM users, groups, roles, and SSO permission sets.
For example, the following condition would allow only a specific set of SSO permissions to operate.

      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/ap-northeast-1/AWSReservedSSO_Access permission set_*"
          ]
        }
      }
profile picture
EXPERT
Riku_Kobayashi
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content