I need to ensure that no more than one person in its Admin group has permanent permission to remove an Amazon EC2 resource. There should be no modifications to the current Admin group policy. What should I use? Managed policy? STS? Maybe Inline policy?
CodePudding user response:
you can create a new policy policy where you want include the ec2 action to terminate an instance and allow only one user to be able to do that by adding a condition.
Example :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1656720238220",
"Action": [
"ec2:TerminateInstances"
],
"Effect": "Deny",
"Resource": "arn:aws:ec2:*:*:* ",
"Condition": {
"StringNotEquals": {
"aws:username": "johndoe"
}
}
}
]
}
This this explicitly denies all but johndoe you wont have to edit the original admin policy even if it allows ec2 instances to terminate because of how AWS works through policies https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html