使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

json code need to disallow Delete Domain by im user. "route53:DeleteDomain" ERROR

0

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "", "Resource": "" }, { "Effect": "Deny", "Action": [ "route53domains:AcceptDomainTransferFromAnotherAwsAccount", "route53domains:CancelDomainTransferToAnotherAwsAccount", "route53domains:CheckDomainTransferability", "route53domains:DisableDomainTransferLock", "route53domains:EnableDomainTransferLock", "route53domains:RejectDomainTransferFromAnotherAwsAccount", "route53domains:TransferDomain", "route53domains:TransferDomainToAnotherAwsAccount", "route53:DeleteHostedZone" "route53:DeleteDomain" (IT STATED ERROR JSON FOR THIS CODE) ], "Resource": "*" } ] }

主题
安全、身份和合规性
标签
IAM 策略
语言
English
incomecare
已提问 1 个月前122 查看次数
2 回答
2
已接受的回答

Hello.

I made the same comment at the URL below.
https://repost.aws/questions/QUsHc9DBQXSraeueBCkOsuGw/admin-access-exception-of-domain-delete-transfer-and-closure-of-aws-account#ANOkus2jozRxa7FnFTwSBztA

There is no action called "route53:DeleteDomain".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html

You can control domain deletion with the action "route53domains:DeleteDomain".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53domains.html

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
      },
      {
          "Effect": "Deny",
          "Action": [
              "route53domains:AcceptDomainTransferFromAnotherAwsAccount",
              "route53domains:CancelDomainTransferToAnotherAwsAccount",
              "route53domains:CheckDomainTransferability",
              "route53domains:DisableDomainTransferLock",
              "route53domains:DeleteDomain",
              "route53domains:EnableDomainTransferLock",
              "route53domains:RejectDomainTransferFromAnotherAwsAccount",
              "route53domains:TransferDomain",
              "route53domains:TransferDomainToAnotherAwsAccount",
              "route53:DeleteHostedZone"
          ],
          "Resource": "*"
      }
  ]
}
profile picture
专家
Riku_Kobayashi
已回答 1 个月前
profile picture
专家
Oleksii Bebych
已审核 1 个月前
profile picture
专家
Gary Mclean
已审核 1 个月前
1

If you would like to prevent an IAM user (or any other principal - such as a role) from being able to make the deleteDomain call then you can attach this policy to them:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "route53domains:DeleteDomain",
            "Resource": "*"
        }
    ]
}

As for the policy you have - it isn't correctly formatted - and is not valid JSON. It should be formatted as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "route53domains:AcceptDomainTransferFromAnotherAwsAccount",
                "route53domains:CancelDomainTransferToAnotherAwsAccount",
                "route53domains:CheckDomainTransferability",
                "route53domains:DisableDomainTransferLock",
                "route53domains:EnableDomainTransferLock",
                "route53domains:RejectDomainTransferFromAnotherAwsAccount",
                "route53domains:TransferDomain",
                "route53domains:TransferDomainToAnotherAwsAccount",
                "route53:DeleteHostedZone",
                "route53domains:DeleteDomain"
            ],
            "Resource": "*"
        }
    ]
}

You have ], at the wrong location - it should be in front of the "Resource": "*" clause. Obviously, these are only deny rules - you should also provide the corresponding allowed actions, either here, or in a different policy.

Deny always wins.

AWS
专家
Max Clements
已回答 1 个月前
profile picture
专家
Oleksii Bebych
已审核 1 个月前
profile picture
专家
Giovanni Lauria
已审核 1 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容