We have a business requirement wherein the deletion of resources in an AWS account should require the approval of 2 users, maybe an admin and the manager.
There doesn't seem to be a straightforward, out-of-the-box way to do this.
We can manage the problem by several manual process approaches:
- The permission to delete resources will be provided to the manager only, who doesn't technically know how to delete a resource. The manager will share their screen with the admin, who will delete the resource.
- The superadmin gives a temporary, time-based permission to delete the resource to the admin.
Other than that, is it possible to automatically enforce that 2 users are required to delete a resource?
Specifically, can we use IAM condition keys to require MFA of 2 users in a policy?
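As an added illustration (not part of the question above), this policy shows what IAM condition keys can express for the second bullet's time-boxed grant: the calling principal's own MFA state and a validity window, evaluated against the request context of the single principal making the call, so no key refers to a second user's MFA. The action list, dates and one-hour MFA age are placeholder values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteWithoutMfa",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "s3:DeleteBucket"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "AllowDeleteOnlyInsideApprovedWindow",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "s3:DeleteBucket"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" },
        "NumericLessThan": { "aws:MultiFactorAuthAge": "3600" },
        "DateGreaterThan": { "aws:CurrentTime": "2024-06-01T09:00:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2024-06-01T11:00:00Z" }
      }
    }
  ]
}
```

The explicit Deny is what keeps an unrelated Allow elsewhere from bypassing the MFA check; the two-person control itself lives in whoever approves and attaches the time-boxed Allow, not in the policy language.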