I'm trying to set up some security resources like Palo Alto devices and Corelight in accounts that belong to different locations or branches, which I'm responsible for securing. My concern is whether I can prevent the account owners from deleting these resources after I deploy them. If those owners can delete anything in their account, what's the best way to control that?
5 Answers
You could investigate the Resource Control Policies (RCP) as well; there's a chance they could offer some level of safeguard for your situation.
Honestly, since you don’t own the accounts, stopping the owners from deleting resources might not be the best route. Maybe it would be more productive to have a conversation with the account owners about your concerns regarding resource management.
First off, be wary of using the root account at all. Also, make sure that any IAM users or roles you set up don’t have permissions that would allow them to delete your resources. Just don’t give them those permissions in the first place!
It's really about IAM at this point. Forget the account ownership for a sec—what matters is that you have the right IAM users and roles set up with policies that protect your resources.
One solution is to configure the Service Control Policies (SCP) on your organization's main account to prevent deletion of your resources. Pair that with CloudTrail to track any changes happening to them, and you'll have better visibility on what's going on.
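As an added illustration of the IAM and SCP advice in the answers above (this is example code written here, not something from the original thread or from AWS), the block below builds a deny-only Service Control Policy that blocks deletion of resources tagged `Owner=SecurityTeam` by any principal other than the security team's own role, and includes a deliberately simplified evaluator so the effect can be checked against constructed requests. The role ARN, account IDs and tag values are placeholders; the evaluator only models the Deny statement, `StringEquals` on `aws:ResourceTag/...` and `ArnNotLike` on `aws:PrincipalArn`, not the full AWS policy evaluation logic.

```python
import fnmatch
import json

# Placeholder ARN for the role the security team uses to manage its appliances.
SECURITY_ROLE_ARN = "arn:aws:iam::111111111111:role/SecurityTeamAdmin"


def build_protect_scp(security_role_arn: str) -> dict:
    """Deny-only SCP: nobody except the security role may delete or re-tag
    EC2 resources carrying Owner=SecurityTeam. ec2:DeleteTags is included so
    the tag that triggers the protection cannot simply be stripped first."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyDeleteOfSecurityTeamResources",
                "Effect": "Deny",
                "Action": [
                    "ec2:TerminateInstances",
                    "ec2:DeleteVolume",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DeleteTags",
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"aws:ResourceTag/Owner": "SecurityTeam"},
                    "ArnNotLike": {"aws:PrincipalArn": [security_role_arn]},
                },
            }
        ],
    }


PROTECT_SCP = build_protect_scp(SECURITY_ROLE_ARN)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(policy: dict, action: str, principal_arn: str,
               resource_tags: dict) -> bool:
    """Return True if a Deny statement in the SCP matches this request.
    Simplified model: wildcard action match, StringEquals on
    aws:ResourceTag/<key>, ArnNotLike on aws:PrincipalArn."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a)
                   for a in _as_list(stmt["Action"])):
            continue
        conditions_hold = True
        cond = stmt.get("Condition", {})
        # Every StringEquals tag condition must match the resource's tags.
        for key, expected in cond.get("StringEquals", {}).items():
            tag_key = key.split("aws:ResourceTag/", 1)[1]
            if resource_tags.get(tag_key) != expected:
                conditions_hold = False
        # ArnNotLike holds only when the principal matches none of the patterns.
        for key, patterns in cond.get("ArnNotLike", {}).items():
            if key == "aws:PrincipalArn" and any(
                    fnmatch.fnmatchcase(principal_arn, p)
                    for p in _as_list(patterns)):
                conditions_hold = False
        if conditions_hold:
            return True
    return False


def scp_json() -> str:
    """The policy document as it would be attached in AWS Organizations."""
    return json.dumps(PROTECT_SCP, indent=2)


if __name__ == "__main__":
    print(scp_json())
    # Constructed request: a member-account root user trying to terminate
    # a protected instance is denied; the security role is not.
    print(scp_denies(PROTECT_SCP, "ec2:TerminateInstances",
                     "arn:aws:iam::222222222222:root", {"Owner": "SecurityTeam"}))
    print(scp_denies(PROTECT_SCP, "ec2:TerminateInstances",
                     SECURITY_ROLE_ARN, {"Owner": "SecurityTeam"}))
```

Two points worth keeping in mind when using something like this: an SCP attached to a member account or OU applies to every principal in that account, including its root user, which is what makes it useful against an account owner; it has no effect in the organization's management account itself. Pairing the deny with CloudTrail, as the answer suggests, also lets you alert on `AccessDenied` events for these actions, which is an early signal that someone is trying to remove the appliances.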