If you have a busy AWS environment accessed by multiple developers, sooner or later someone will inadvertently modify some aspect of your core infrastructure.
In our case, our VPC-related infrastructure is deployed with CloudFormation and maintained through CF stack updates. When devs modified VPC-related resources outside of CF stack updates, the live resources drifted from what CF believed it had deployed, and subsequent stack updates failed. Tracking these changes via CloudTrail and rolling them back by hand was starting to cost us time and frustration.
Note: Our devs use SSO to log in to AWS. Upon login, they assume cross-account roles with attached policies that determine what they can and cannot access.
Assuming your developers sign in the same way, below is a policy you can attach to that role to prevent them from modifying VPC-related resources.
Notice how the last statement of this policy denies deleting this policy from the role itself? That is key to preventing devs from simply removing the policy from the role. Two caveats: iam:DeleteRolePolicy only covers inline policies, so if you attach this as a managed policy you need to deny iam:DetachRolePolicy on the role instead, and in either case you should also deny iam:PutRolePolicy on the role, because an inline policy can be overwritten with an empty one just as easily as it can be deleted. The statement only matters if the role's other policies grant any IAM write access at all; an explicit Deny with no matching Allow changes nothing.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:CreateDhcpOptions",
        "ec2:DeleteFlowLogs",
        "ec2:DeleteSubnet",
        "ec2:ReplaceRouteTableAssociation",
        "ec2:DeleteVpcPeeringConnection",
        "ec2:DeleteVpcEndpoints",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:AttachInternetGateway",
        "ec2:DisableVgwRoutePropagation",
        "ec2:AssociateVpcCidrBlock",
        "ec2:ReplaceRoute",
        "ec2:AssociateRouteTable",
        "ec2:DeleteRouteTable",
        "ec2:DisassociateVpcCidrBlock",
        "ec2:DeleteVpnGateway",
        "ec2:ReplaceNetworkAclEntry",
        "ec2:CreateRoute",
        "ec2:CreateInternetGateway",
        "ec2:ModifyVpcPeeringConnectionOptions",
        "ec2:CreateVpnGateway",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteVpnConnection",
        "ec2:CreateVpcPeeringConnection",
        "ec2:EnableVpcClassicLink",
        "ec2:CreateRouteTable",
        "ec2:DetachInternetGateway",
        "ec2:CreateCustomerGateway",
        "ec2:DisassociateRouteTable",
        "ec2:ReplaceNetworkAclAssociation",
        "ec2:DetachVpnGateway",
        "ec2:CreateDefaultVpc",
        "ec2:DeleteDhcpOptions",
        "ec2:AssociateSubnetCidrBlock",
        "ec2:DeleteNatGateway",
        "ec2:DeleteVpc",
        "ec2:CreateSubnet",
        "ec2:DeleteNetworkAclEntry",
        "ec2:ModifyVpcEndpoint",
        "ec2:CreateVpnConnection",
        "ec2:CreateNatGateway",
        "ec2:CreateVpc",
        "ec2:ModifySubnetAttribute",
        "ec2:CreateDefaultSubnet",
        "ec2:CreateNetworkAcl",
        "ec2:ModifyVpcAttribute",
        "ec2:DeleteNetworkAcl",
        "ec2:AttachClassicLinkVpc",
        "ec2:AssociateDhcpOptions",
        "ec2:AttachVpnGateway",
        "ec2:DeleteRoute",
        "ec2:CreateVpnConnectionRoute",
        "ec2:DisassociateSubnetCidrBlock",
        "ec2:DeleteVpnConnectionRoute",
        "ec2:DeleteCustomerGateway",
        "ec2:CreateVpcEndpoint",
        "ec2:EnableVgwRoutePropagation",
        "ec2:DisableVpcClassicLinkDnsSupport",
        "ec2:DisableVpcClassicLink",
        "ec2:ModifyVpcTenancy",
        "ec2:EnableVpcClassicLinkDnsSupport",
        "ec2:CreateNetworkAclEntry"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "iam:DeleteRolePolicy",
      "Resource": "arn:aws:iam::999999999999:role/Dev-Role-MBHPPM0DPW90"
    }
  ]
}
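To check what a policy like this actually blocks before attaching it, here is a small offline evaluator, added as an example and not part of the original post or of any AWS tooling. It implements only the piece of IAM evaluation logic the post relies on (an explicit Deny that matches the action and resource wins over any Allow), with IAM's case-insensitive action matching and "*"/"?" wildcards. The deny list is trimmed to a few of the ec2 actions for readability; the account id and role name are the same placeholders as in the post, the subnet ARN is constructed for the example, and the hardened self-protection statement is this example's own suggestion, not something from the post.

```python
"""Offline check of an IAM Deny policy (added example, not the post's code).

Only explicit-Deny matching is modelled: no Conditions, NotAction,
NotResource, principal logic or Allow statements. That is enough to see
which actions the policy blocks and, more importantly, which ways of
neutralising the policy it leaves open.
"""
import copy
import fnmatch

# Placeholders from the post (hypothetical account id and role name).
ROLE_ARN = "arn:aws:iam::999999999999:role/Dev-Role-MBHPPM0DPW90"

# Same shape as the post's policy; the ec2 list is trimmed for readability.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["ec2:DeleteSubnet", "ec2:CreateRoute", "ec2:DeleteVpc"],
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "Action": "iam:DeleteRolePolicy",
            "Resource": ROLE_ARN,
        },
    ],
}

# IAM actions that would remove or neutralise this policy on the role.
# DeleteRolePolicy only covers inline policies; PutRolePolicy overwrites
# an inline policy; DetachRolePolicy removes a managed one.
ESCAPE_ACTIONS = [
    "iam:DeleteRolePolicy",
    "iam:PutRolePolicy",
    "iam:DetachRolePolicy",
    "iam:UpdateAssumeRolePolicy",
]

# Suggested replacement for the post's last statement (this example's
# assumption, not from the post): deny every escape action on the role.
HARDENED_SELF_PROTECTION = {
    "Effect": "Deny",
    "Action": ESCAPE_ACTIONS,
    "Resource": ROLE_ARN,
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are case-insensitive; '*' and '?' are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """ARNs are matched case-sensitively, with the same wildcards."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_explicitly_denied(policy, action, resource):
    """True if any Deny statement matches the (action, resource) pair."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if _action_matches(stmt.get("Action", []), action) and _resource_matches(
            stmt.get("Resource", []), resource
        ):
            return True
    return False


def unprotected_escape_actions(policy, role_arn):
    """Escape actions on the role that the policy does not deny."""
    return [a for a in ESCAPE_ACTIONS if not is_explicitly_denied(policy, a, role_arn)]


def with_statement(policy, statement):
    """Return a copy of the policy with one more statement appended."""
    new_policy = copy.deepcopy(policy)
    new_policy["Statement"].append(statement)
    return new_policy


if __name__ == "__main__":
    subnet = "arn:aws:ec2:us-east-1:999999999999:subnet/subnet-0123456789abcdef0"  # constructed
    print("DeleteSubnet denied:", is_explicitly_denied(POLICY, "ec2:DeleteSubnet", subnet))
    print("DescribeSubnets denied:", is_explicitly_denied(POLICY, "ec2:DescribeSubnets", "*"))
    print("Open escape routes:", unprotected_escape_actions(POLICY, ROLE_ARN))
    hardened = with_statement(POLICY, HARDENED_SELF_PROTECTION)
    print("Open escape routes after hardening:", unprotected_escape_actions(hardened, ROLE_ARN))
```

Run as-is it reports that the post's policy denies the ec2 actions and iam:DeleteRolePolicy on the role, but leaves iam:PutRolePolicy, iam:DetachRolePolicy and iam:UpdateAssumeRolePolicy open; appending the hardened statement closes all of them. For the real thing, the same questions can be asked of AWS with `aws iam simulate-principal-policy`, which also accounts for the Allow statements and any SCPs this offline check ignores.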