Can ExternalId be used to forbid changes via AWS Management Console?

Question

I want to forbid infrastructure changes made via AWS Management Console to enforce Infrastructure-as-Code.

I know [it is impossible to switch to a role which requires ExternalId](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html). So my solution is to have IAM users that are allowed read operations and role assumption. IAM role which provides write access will require `ExternalId` forcing the users to rely on AWS API.

Are there any potential drawbacks of this solution?

Accepted Answer

Apparently, using [`aws:UserAgent` condition context key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-useragent) is a better solution to the problem. Reference values for the userAgent can be taken from [CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html).

Answer

You can apply read-only for resources, and one of CreateStack for the AWS CloudFormation service, in the same role. I understand that this mode is easier to manage.
You will only have one role to manage.

Answer

One drawback I can think of would be using the Console to Deploy CloudFormation if that is needed.
You will need to create a CloudFormation role that the users could also assume in the CFN wizard. That is an easy fix.
Other than that, I don't see any issues with this method. There are however may ways to accomplish this. Off the top of my head, this seems to be the absolute most restrictive.

Can ExternalId be used to forbid changes via AWS Management Console?

Conteúdo relevante