0

We have a business requirement wherein the deletion of resources in an AWS account should require approval of 2 users - maybe an admin and the manager.

There doesn't seem to be a straightforward, out-of-the-box way to do this.

We can manage the problem by several manual process approaches:

  • The permission to delete resources will be provided to the manager only - who doesn't technically know how to delete resource. The manager will share screen with admin who will delete the resource.
  • Superadmin gives temporary time-based permission to delete resource to admin

Other than that is it possible to automatically enforce that 2 users are required to delete a resource?

Specifically, can we use IAM condition keys to require MFA of 2 users in a policy?

amolkul
  • 111
  • 5
  • 9

1 Answer

0

I don't know of any technical way to achieve this in AWS "out of the box". You definitely can't enforce 2 MFA tokens for a single action, not in the way you mean. You might be able to cobble something together with assuming roles, but MFA is associated with a user, not a role.

A practical way to do this might be to:

  • Users have no delete permission. Add them to an IAM group called "Users" or similar. The individual associated with the account knows the password and has the MFA token.
  • Admin users have rights to delete resources. This user must have MFA enabled. One set of people know the password (e.g. administrators), another set of people hold a shared MFA token (e.g. authorisers).
  • To delete a resource, a user with admin rights asks an authoriser to type in the MFA code for them, who then watches them do the authorised task and watches them log out.

Tim
  • 30,383
  • 6
  • 47
  • 77
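The policy side of the answer's second bullet (the admin identity may delete, but only when the session was authenticated with MFA) is expressed in IAM with the `aws:MultiFactorAuthPresent` condition key. The example below is added here and is not Tim's or AWS's code: it constructs such a policy document and runs it through a deliberately simplified model of IAM evaluation (explicit Deny wins, then Allow, else implicit deny) so the effect of the condition can be checked offline. The action list, the resource `*`, and the evaluator itself are assumptions for illustration; `BoolIfExists` and `aws:MultiFactorAuthPresent` are real IAM operator and key names, and the `aws:MultiFactorAuthPresent` key is absent from the request context when the caller used long-term access keys, which is why `BoolIfExists` rather than `Bool` is used.

```python
import fnmatch
import json

# Constructed policy document (not from the original answer). One Allow
# statement grants ordinary EC2 management; one Deny statement blocks the
# destructive actions unless the request carries MFA. With BoolIfExists the
# Deny also fires when the key is missing entirely (access-key requests).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEc2Management",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances"],
            "Resource": "*",
        },
        {
            "Sid": "DenyDestructiveActionsWithoutMfa",
            "Effect": "Deny",
            "Action": [
                "ec2:TerminateInstances",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "rds:DeleteDBInstance",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def policy_json() -> str:
    """Render the policy as the JSON you would attach to the admin group."""
    return json.dumps(POLICY, indent=2)


def _matches(patterns, value: str) -> bool:
    # IAM allows '*' wildcards inside action strings; fnmatch is close enough
    # for this model (real IAM matches action names case-insensitively).
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Return True when every condition clause is satisfied by the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "BoolIfExists":
                if key not in context:
                    continue  # '...IfExists': a missing key satisfies the clause
                actual = str(context[key]).lower()
            elif operator == "Bool":
                if key not in context:
                    return False  # plain Bool on a missing key never matches
                actual = str(context[key]).lower()
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if actual != str(expected).lower():
                return False
    return True


def evaluate(policy: dict, action: str, context: dict) -> str:
    """Simplified IAM decision for one action under one identity policy.

    Returns 'explicit-deny', 'allow' or 'implicit-deny'. Resource matching is
    omitted because every statement above uses Resource '*'.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"  # an applicable Deny always wins
        allowed = True
    return "allow" if allowed else "implicit-deny"


if __name__ == "__main__":
    # Constructed request contexts: access keys (no key at all), console login
    # without MFA (key present, false), and console login with MFA (true).
    for label, ctx in [
        ("access keys, no MFA", {}),
        ("console, no MFA", {"aws:MultiFactorAuthPresent": "false"}),
        ("console, MFA", {"aws:MultiFactorAuthPresent": "true"}),
    ]:
        print(f"{label:>20}: TerminateInstances -> "
              f"{evaluate(POLICY, 'ec2:TerminateInstances', ctx)}")
    print(policy_json())
```

The Deny statement is what stops a stolen password alone from being enough; the two-person split in the answer (one group holds the password, another holds the token) remains a procedural control layered on top of it, since IAM has no condition key that counts MFA devices or principals.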