does anyone have a pattern in pulumi to block acce...
# general
g
does anyone have a pattern in pulumi to block access to an aws account console and only allow API management of the account as a security restriction?
m
Block access to who or what?
To oversimplify without any more context, it sounds like you want to create a role that can only manage API Gateway resources that you give your users access to. How you go about that differs depending on how you've configured AWS.
1. https://docs.aws.amazon.com/apigateway/latest/developerguide/security-iam.html
2. https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_id-based-policy-examples.html
3. https://www.pulumi.com/registry/packages/aws/api-docs/iam/role/
4. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
g
My apologies. I want to disallow any console administration of AWS account resources, strictly only allowing Pulumi.
m
The complexity of the answer differs based on the complexity of your AWS environments, but the general advice above applies. https://docs.aws.amazon.com/IAM/latest/UserGuide/console_controlling-access.html
g
something like this but automating and enforcing it the pulumi way with a policy or iac:
l
It is not possible to forbid access to the console. The root user will always have access, and this is an important safety feature that won't ever be disabled. It is very easy to ensure that users have no console. A user with no password has no console access (https://docs.aws.amazon.com/IAM/latest/UserGuide/console_controlling-access.html). You can also ensure that there are no IAM users (most managed accounts don't need any), and you can ensure that all roles can only be assumed by trusted roles, OIDC or similar. It's not a full guarantee, but business process should fill in the gaps.
g
My apologies. I am terrible at communicating today. Forbidding access for everyone except root.
l
Just have no one else in the system 🙂 Unfortunately roles can't be blocked from the console, so the solution is to block access to all the roles.