Can ExternalId be used to forbid changes via AWS Management Console?

0

I want to forbid infrastructure changes made via AWS Management Console to enforce Infrastructure-as-Code.

I know it is impossible to switch to a role which requires ExternalId. So my solution is to have IAM users that are allowed read operations and role assumption. IAM role which provides write access will require ExternalId forcing the users to rely on AWS API.

Are there any potential drawbacks of this solution?

3 Answers
1
Accepted Answer

Apparently, using aws:UserAgent condition context key is a better solution to the problem. Reference values for the userAgent can be taken from CloudTrail documentation.

answered a year ago
profile picture
EXPERT
reviewed 10 days ago
1

You can apply read-only for resources, and one of CreateStack for the AWS CloudFormation service, in the same role. I understand that this mode is easier to manage. You will only have one role to manage.

profile picture
answered 2 years ago
1

One drawback I can think of would be using the Console to Deploy CloudFormation if that is needed. You will need to create a CloudFormation role that the users could also assume in the CFN wizard. That is an easy fix. Other than that, I don't see any issues with this method. There are however may ways to accomplish this. Off the top of my head, this seems to be the absolute most restrictive.

profile picture
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions