IAM Policy Condition - Allow CLI access only


At my company we are following the "Infrastructure as Code" paradigm and have reflected (almost) all of our AWS setup via Terraform modules. To avoid someone is executing some specific actions (mainly for creating and especially deleting resources) via the Mgmt console, I am wondering whether there exists a condition I can add to my policy so a user via a specific role is only allowed to execute those actions via Terraform/CLI and deny using the Mgmt console for those.

We are using the IAM Identity Center SSO service for authenticating our users having OKTA setup as the IdP if that matters.

Thanks for your help guys!


2 Answers

I saw this article and provides an alternative:


Another option, I have seen implemented is via DevOps processes. We used Jenkins for all deployment and managed permissions on Jenkins jobs for user community. The Jenkins would then perform deployments for us into AWS.

answered a year ago

You could do a combination of the following:

profile picture
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions