Reputation: 3631
I am setting up a Disaster Recovery architecture for our AWS infrastructure and modelling all of it in CloudFormation.
All the devs have power-user privileges to the infrastructure and make frequent changes depending on their needs. Naturally this messes up my CloudFormation template.
Is there a way to restrict an action (e.g. adding a new TCP rule to a security group) so that it must be approved by another person (me) before it takes effect?
That way I could monitor the changes (that the devs forget to notify me about) and the CloudFormation template would always be up to date and depict the real thing.
Note 1:
I have set up some event subscriptions (for RDS, for starters), but I am not sure if they are the best/complete solution.
Note 2:
The confirmation for an action could be useful for critical actions like modifying/deleting/terminating EC2 and/or RDS instances.
Upvotes: 0
Views: 43
Reputation: 34367
Disable direct access to altering your AWS infrastructure under normal circumstances.
Allow the devs to alter the CloudFormation templates, but have a push/go-live process for them that requires approval. For example, you could set up gitolite to block changes to a "master" branch but allow changes to a "dev-changes" branch, and then merge after checking it.
In an emergency, allow them to make the change and catch up with the templates afterwards.
Upvotes: 1
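The first point of the answer ("disable direct access to altering your AWS infrastructure") can be enforced on the AWS side with an explicit IAM Deny that only lifts when the API call is made on the caller's behalf by CloudFormation. The policy below is an added example written for this thread, not code from the question or the answer; the action list is an assumption drawn from the actions the question names (security group rules, EC2 and RDS modify/delete/terminate), and the statement ID is made up. It relies on the real `aws:CalledVia` global condition key, which lists the AWS services that made the request on the principal's behalf. The `ForAllValues:StringNotEquals` form is deliberate: `ForAllValues` evaluates to true when the request has no `aws:CalledVia` values at all (a direct console or CLI call), so direct changes are denied, while a call whose chain includes `cloudformation.amazonaws.com` does not match and the Deny does not apply.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDirectInfraChangesUnlessViaCloudFormation",
      "Effect": "Deny",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ModifyInstanceAttribute",
        "ec2:TerminateInstances",
        "rds:ModifyDBInstance",
        "rds:DeleteDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:CalledVia": ["cloudformation.amazonaws.com"]
        }
      }
    }
  ]
}
```

Attach this alongside the devs' existing power-user policy; an explicit Deny wins over any Allow, so the rest of their permissions are untouched. Do not attach it to the approver's role (or to a separate break-glass role), which gives you the "in an emergency, make the change directly and catch up with the templates afterwards" path from the answer. Two caveats: only API actions in the list are gated, so extend it to whatever you consider critical, and the condition is satisfied by any CloudFormation stack update, so the approval step still has to live in the git workflow (the protected "master" branch) rather than in IAM.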