I have some roles in my Dev account that has not been used for over 90days and I would like to disable those role for now without deleting them.
please how do i write the policy that i can attach to those roles that will deny all actions to all resources in AWS account.
CodePudding user response:
To temporarily disable a user, you can go via 2 options which i'll outline below:
- Apply a restrictive IAM policy
- Disable their console and access keys to AWS
Option 1:
Explicit denies applied via AWS IAM policies overrides any allow permissions: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
Remember, an explicit deny in any of these policies overrides the allow.
So your newly attached policy should just include a deny all for all resources and actions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllActions",
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}
]
}
Option 2:
Although another thing you can do is disable the IAM keys and remove console access so that you effectively disable the user without applying any restrictive permissions:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
To disable an active access key, choose Make inactive.
https://docs.aws.amazon.com/IAM/latest/UserGuide/console_controlling-access.html
You can disable user access to the AWS Management Console by removing their password. This prevents them from signing into the AWS Management Console using their user name and password