If you have a busy AWS environment accessed by multiple developers, you will have someone modify your some aspect of your core infrastructure inadvertently.
In our case, we have our VPC-related infrastructure deployed using Cloudformation and maintained via CF stack updates. When devs modified VPC-related resources by circumventing CF stack updates, they rendered our infrastructure out-of-date and un-update-able by CF. Tracking these changes via CloudTrail and rolling them back manually was starting to cost us time and frustration.
Note: Our devs use SSO to login to AWS. Upon login, they assume cross-account roles attached with policies that determine what they can or cannot access.
Assuming that you have your developers sign-in in a similar fashion, below is a policy you can attach to that role to prevent them from modifying VPC-related resources.
Notice how, at the end of this policy, is a section that denies the deletion of this policy from the role? That is key to prevent devs from simply removing this policy from the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:CreateDhcpOptions",
"ec2:DeleteFlowLogs",
"ec2:DeleteSubnet",
"ec2:ReplaceRouteTableAssociation",
"ec2:DeleteVpcPeeringConnection",
"ec2:DeleteVpcEndpoints",
"ec2:AcceptVpcPeeringConnection",
"ec2:AttachInternetGateway",
"ec2:DisableVgwRoutePropagation",
"ec2:AssociateVpcCidrBlock",
"ec2:ReplaceRoute",
"ec2:AssociateRouteTable",
"ec2:DeleteRouteTable",
"ec2:DisassociateVpcCidrBlock",
"ec2:DeleteVpnGateway",
"ec2:ReplaceNetworkAclEntry",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:ModifyVpcPeeringConnectionOptions",
"ec2:CreateVpnGateway",
"ec2:DeleteInternetGateway",
"ec2:DeleteVpnConnection",
"ec2:CreateVpcPeeringConnection",
"ec2:EnableVpcClassicLink",
"ec2:CreateRouteTable",
"ec2:DetachInternetGateway",
"ec2:CreateCustomerGateway",
"ec2:DisassociateRouteTable",
"ec2:ReplaceNetworkAclAssociation",
"ec2:DetachVpnGateway",
"ec2:CreateDefaultVpc",
"ec2:DeleteDhcpOptions",
"ec2:AssociateSubnetCidrBlock",
"ec2:DeleteNatGateway",
"ec2:DeleteVpc",
"ec2:CreateSubnet",
"ec2:DeleteNetworkAclEntry",
"ec2:ModifyVpcEndpoint",
"ec2:CreateVpnConnection",
"ec2:CreateNatGateway",
"ec2:CreateVpc",
"ec2:ModifySubnetAttribute",
"ec2:CreateDefaultSubnet",
"ec2:CreateNetworkAcl",
"ec2:ModifyVpcAttribute",
"ec2:DeleteNetworkAcl",
"ec2:AttachClassicLinkVpc",
"ec2:AssociateDhcpOptions",
"ec2:AttachVpnGateway",
"ec2:DeleteRoute",
"ec2:CreateVpnConnectionRoute",
"ec2:DisassociateSubnetCidrBlock",
"ec2:DeleteVpnConnectionRoute",
"ec2:DeleteCustomerGateway",
"ec2:CreateVpcEndpoint",
"ec2:EnableVgwRoutePropagation",
"ec2:DisableVpcClassicLinkDnsSupport",
"ec2:DisableVpcClassicLink",
"ec2:ModifyVpcTenancy",
"ec2:EnableVpcClassicLinkDnsSupport",
"ec2:CreateNetworkAclEntry"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:DeleteRolePolicy",
"Resource": "arn:aws:iam::999999999999:role/Dev-Role-MBHPPM0DPW90"
}
]
}
