Denying Destructive Privileges in AWS
But if your environment is even moderately complex, there is a good chance this auditing will take some time. To minimize exposure in the interim, I decided to create a quick and dirty DenyDestructivePrivileges IAM group to which I assigned all service-based IAM users. This ensured that independent of the assigned privileges, these IAM users will never be able to perform destructive operations (e.g. terminate instances, delete S3 objects, etc...). While not a long term solution, it at least allowed me to sleep at night while awaiting the completion of the story for auditing our service accounts.
Below is a sample policy you can use to customize for your environment:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:Delete*",
"ec2:TerminateInstances",
"s3:Delete*",
"route53:Delete*",
"glacier:Delete*",
"rds:Delete*",
"cloudtrail:Delete*",
"iam:Delete*",
],
"Resource": [
"*"
]
}
]
}