
Questions tagged with DevOps


1 answer · 0 votes · 36 views · asked a month ago

Approach to prevent out-of-band (clickops) updates to CloudFormation created resources

At one of my client organisations we have deployed almost all the AWS resources via CloudFormation/DevOps. On some occasions, users made updates to some of the resources directly via the AWS console, resulting in drift and other challenges. Thus, I am looking to see if there is any option to prevent users from making “updates” to all CloudFormation-created resources. I can think of an option of deploying an SCP like the one below, but I am not clear about all the actions that need to be included in the SCP to prevent updates to the many AWS resources which are deployed currently. Moreover, this may result in a very long list of actions, which may hit SCP policy limits as well. In this example I have only included ec2:RebootInstances for testing purposes, but in reality I want to prevent all update/delete actions across all the resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": "ec2:RebootInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::xxxxxxxx:user/devopsuser",
            ""
          ]
        },
        "StringEquals": {
          "ec2:ResourceTag/DeploymentType": [
            "CloudFormation",
            "Terraform"
          ]
        }
      }
    }
  ]
}
```

Is there any option available for this requirement?
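To see exactly which requests the posted Deny statement catches before rolling it out, here is an added Python evaluator (not the poster's code and not an AWS tool) that applies the statement's StringEquals/StringNotEquals conditions with the documented IAM semantics, including the missing-key rule, and checks the document against the 5,120-byte SCP quota. The account id, the request contexts in the comments and the tag values are constructed assumptions.

```python
import fnmatch
import json

SCP_MAX_BYTES = 5120  # documented AWS Organizations quota for one SCP document

# Constructed copy of the SCP in the question; the account id is a placeholder.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Deny", "Action": "ec2:RebootInstances", "Resource": "*",
     "Condition": {
         "StringNotEquals": {"aws:PrincipalArn": ["arn:aws:iam::111111111111:user/devopsuser", ""]},
         "StringEquals": {"ec2:ResourceTag/DeploymentType": ["CloudFormation", "Terraform"]}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """IAM semantics: every operator/key pair must hold (AND). StringEquals is true
    if the context value is one of the listed values, StringNotEquals if it is none
    of them; a key absent from the request (e.g. an untagged resource) fails
    StringEquals but satisfies the negated StringNotEquals."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} not modelled here")
        for key, allowed in keys.items():
            actual, allowed = ctx.get(key), _as_list(allowed)
            if (actual in allowed) != (operator == "StringEquals"):
                return False
    return True


def explicit_deny(policy, action, ctx):
    """Sid of the first Deny statement whose Action pattern matches (IAM action
    names are case-insensitive, '*' is a wildcard) and whose Condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


def policy_fits_quota(policy):
    """Size of the minified document compared with the SCP quota."""
    return len(json.dumps(policy, separators=(",", ":"))) <= SCP_MAX_BYTES
```

Running it shows the two gaps to plan for: a resource without the DeploymentType tag is never denied, so the tag-modifying actions need the same protection, and a Deny that enumerates every mutating action per service blows through the quota long before it covers the estate.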
4 answers · 1 vote · 29 views · asked a month ago