IAM Policy Condition - Allow CLI access only

Question

At my company we are following the "Infrastructure as Code" paradigm and have reflected (almost) all of our AWS setup via Terraform modules. To avoid someone is executing some specific actions (mainly for creating and especially deleting resources) via the Mgmt console, I am wondering whether there exists a condition I can add to my policy so a user via a specific role is only allowed to execute those actions via Terraform/CLI and deny using the Mgmt console for those.

We are using the IAM Identity Center SSO service for authenticating our users having OKTA setup as the IdP if that matters.

Thanks for your help guys!

Jan

We are using the IAM Identity Center SSO service for authenticating our users having OKTA setup as the IdP if that matters.

Thanks for your help guys!

Jan

Answer

I saw this article and provides an alternative:

https://stackoverflow.com/questions/55135916/aws-iam-how-to-disable-users-from-making-changes-via-the-console-but-allow-ap

Another option, I have seen implemented is via DevOps processes. We used Jenkins for all deployment and managed permissions on Jenkins jobs for user community. The Jenkins would then perform deployments for us into AWS.

Answer

You could do a combination of the following:
* Centralize permissions check under AWS Organizations and SCPs: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html. You can then centrally deny actions and set permission boundaries.
* You could have a Terraform AWS User for the specific environment (e.g. Dev), so that that user is allowed to perform certain "admin-like" actions, while individual AWS users (your own Access/Secret keys) get "restricted".

IAM Policy Condition - Allow CLI access only

Contenido relevante