By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

IAM Policy Condition - Allow CLI access only

1

At my company we are following the "Infrastructure as Code" paradigm and have reflected (almost) all of our AWS setup via Terraform modules. To avoid someone is executing some specific actions (mainly for creating and especially deleting resources) via the Mgmt console, I am wondering whether there exists a condition I can add to my policy so a user via a specific role is only allowed to execute those actions via Terraform/CLI and deny using the Mgmt console for those.

We are using the IAM Identity Center SSO service for authenticating our users having OKTA setup as the IdP if that matters.

Thanks for your help guys!

Jan

Topics
Security, Identity, & ComplianceInfrastructure as Code
Tags
AWS Identity and Access ManagementInfrastructure as CodeAWS IAM Identity CenterIAM Policies
Language
English
jclausen_Ratepay
asked 2 years ago1.2K views
2 Answers
3

I saw this article and provides an alternative:

https://stackoverflow.com/questions/55135916/aws-iam-how-to-disable-users-from-making-changes-via-the-console-but-allow-ap

Another option, I have seen implemented is via DevOps processes. We used Jenkins for all deployment and managed permissions on Jenkins jobs for user community. The Jenkins would then perform deployments for us into AWS.

AWS
AWS-User-4960174
answered 2 years ago
0

You could do a combination of the following:

profile picture
EXPERT
Antonio_Lagrotteria
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content