Create a policy like this, substituting your AWS account number, then attach it to all groups and roles. It will prevent deletion of RDS instances containing the string "prod" in their name.
Note: This is intended to prevent accidental deletion, and is easily sidestepped.
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "rds:DeleteDBInstance" | |
| ], | |
| "Effect": "Deny", | |
| "Resource": "arn:aws:rds:*:123456789012:*prod*" | |
| } | |
| ] | |
| } |
This worked perfectly! Thank you!
Also just to note for others because I was a little confused about how to attach this policy. I went to IAM > Groups and attached to the relevant group (in this case our SuperUsers group).
Fantastic !
Will try it out, thanks