We are using a permission boundary for our non-admin roles, to prevent users from screwing with vital infrastructure. However Im having a hard time preventing change if the VPC attribute “Edit DHCP option set”, as all the policy formulations ive tried didnt work for some reason. The other actions in the policy works, and am as expected unable to change things like DNS or CIDR blocks for the given VPC. Why cant i prevent DHCP change as well?
My current policy:
statement {
sid = "VPC"
effect = "Allow"
actions = [
"ec2:AttachClassicLinkVpc",
"ec2:DetachClassicLinkVpc",
"ec2:DisableVpcClassicLink",
"ec2:DisableVpcClassicLinkDnsSupport",
"ec2:EnableVpcClassicLink",
"ec2:EnableVpcClassicLinkDnsSupport",
"ec2:MoveAddressToVpc",
"ec2:RestoreAddressToClassic",
"ec2:DeleteDhcpOptions",
"ec2:ModifyVpcAttribute",
"ec2:AssociateDhcpOption",
"ec2:DisassociateVpcCidrBlock",
"ec2:AssociateVpcCidrBlock",
]
not_resources = ["*the vpc arn here*"]
}