Orphaned resources in QuickSight

I have a problem: upon user deletion in QS, there is an option “delete orphaned resources”, and this option might be dangerous in the setup we are currently using. May I ask if you could disable the feature/option in my account? And if not, what are the best practices to prevent orphaned resources from forming? I would like to just remove resources manually, but I am scared someone might check the window by mistake and delete something they shouldn't, and we will have to manually restore. Should every account be owner/in principal of all the resources so that when users get deleted there is still no way for orphaned resources to form, or should there be like an all-owner account that is owner of all resources by default?
Thank you very much.

Hi,

May I get more details about your setup to understand the risk?

Disabling the option to delete orphaned assets is not available today. You can, however, use IAM policies to restrict who can delete users in your QuickSight account, so that only certain admins have the capability of deleting users and lessen the risk of accidents. Reference links to set up IAM policy below:

The risk is that when someone leaves our company and their account is to be deleted, upon account deletion, if the deleting person checks this box, they might delete some resources that are important. In our guideline/workflow we have specified not to use this, but earlier this month one more junior employee deleted an account and used this option, and we had to manually restore some of our resources. But it's, at least I think, a mistake of our architecture, and we are working on it. Just wanted to know if the option could be hard-disabled by AWS support. Thank you.

Hi,

Makes sense. It’s not possible to disable the option to delete orphaned assets while deleting a user. I will take this as a feature request. In the meantime, I recommend using IAM policies to restrict delete user to certain admins only.
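
The IAM restriction recommended in the replies above, as an added example that is not part of the original thread or AWS's own reference material: an explicit deny on the QuickSight user-deletion actions for every principal except one designated admin role. The account ID `111122223333` and the role name `QuickSightUserAdmin` are placeholders assumed for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyQuickSightUserDeletionExceptAdminRole",
      "Effect": "Deny",
      "Action": [
        "quicksight:DeleteUser",
        "quicksight:DeleteUserByPrincipalId"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/QuickSightUserAdmin"
        }
      }
    }
  ]
}
```

Because an explicit deny overrides any allow, attaching this to the IAM identities that access QuickSight leaves user deletion, and with it the "delete orphaned resources" checkbox, reachable only through the exempted role.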