How can I prevent or restrict users from updating or deleting my Route 53 health checks?

Last updated: 2020-06-11

I created several Amazon Route 53 health checks. I want to either prevent all other users from modifying these health checks, or control which users can modify them. How can I do this?

Resolution

You can use AWS Identity and Access Management (IAM) policies to prevent changes to your Route 53 health checks. For more information, see Using identity-based policies (IAM policies) for Amazon Route 53.

Option 1: Explicitly deny other users from deleting or updating health checks

Use the following IAM policy to explicitly deny other users the delete and update actions on your health checks:

{
    "Version": "2012-10-17",
    "Statement":[
        {
            "Effect":"Deny",
            "Action":[
                "route53:DeleteHealthCheck",
                "route53:UpdateHealthCheck"
            ],
            "Resource":"*"
        }
    ]
}

Option 2: Require other users to perform multi-factor authentication (MFA) to delete or update health checks

To control which users can update health checks, you can require MFA so that only users who authenticated with MFA can modify them. If a user didn't authenticate with MFA, any update or delete calls that they make fail.

The following statement denies the listed actions to any user who hasn't authenticated with MFA:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "route53:UpdateHealthCheck",
                "route53:DeleteHealthCheck"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
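
What the BoolIfExists operator in the Option 2 policy changes, shown as an added example that is not part of the original article: a simplified local model of how the Deny statement is evaluated, compared against the same statement with plain Bool. It assumes only the Bool operators and exact action names need modelling, and the request contexts are constructed; requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all.

```python
import json

# Option 2's policy from this page.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": ["route53:UpdateHealthCheck", "route53:DeleteHealthCheck"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}
""")

def condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists blocks against a request context dict."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False  # plain Bool: an absent key never matches
                continue  # ...IfExists: an absent key counts as a match
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def is_denied(policy, action, context):
    """True if any Deny statement in the policy applies to this request."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and action in stmt["Action"]
                and condition_matches(stmt.get("Condition", {}), context)):
            return True
    return False

def with_operator(policy, operator):
    """Copy of the policy with the condition operator swapped, for comparison."""
    variant = json.loads(json.dumps(policy))
    for stmt in variant["Statement"]:
        stmt["Condition"] = {operator: next(iter(stmt["Condition"].values()))}
    return variant

# Constructed request contexts (not captured from real traffic).
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_CALL = {}  # long-term access keys: the key is absent from the request
```

With the policy as written, both the non-MFA session and the access-key call are denied; with `with_operator(POLICY, "Bool")` the access-key call is no longer matched by the Deny statement.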
