By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Can ExternalId be used to forbid changes via AWS Management Console?

0

I want to forbid infrastructure changes made via AWS Management Console to enforce Infrastructure-as-Code.

I know it is impossible to switch to a role which requires ExternalId. So my solution is to have IAM users that are allowed read operations and role assumption. IAM role which provides write access will require ExternalId forcing the users to rely on AWS API.

Are there any potential drawbacks of this solution?

Topics
Security, Identity, & ComplianceManagement & GovernanceInfrastructure as Code
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementAWS Management ConsoleInfrastructure as CodeIAM Policies
Language
English
Chernetskyi
asked a year ago259 views
3 Answers
1

You can apply read-only for resources, and one of CreateStack for the AWS CloudFormation service, in the same role. I understand that this mode is easier to manage. You will only have one role to manage.

profile picture
Alberto Fernandes
answered a year ago
1

One drawback I can think of would be using the Console to Deploy CloudFormation if that is needed. You will need to create a CloudFormation role that the users could also assume in the CFN wizard. That is an easy fix. Other than that, I don't see any issues with this method. There are however may ways to accomplish this. Off the top of my head, this seems to be the absolute most restrictive.

profile picture
Ross Wickman
answered a year ago
0
Accepted Answer

Apparently, using aws:UserAgent condition context key is a better solution to the problem. Reference values for the userAgent can be taken from CloudTrail documentation.

Chernetskyi
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content