CloudFormation StackSets with service-managed permissions - service role blocked by SCP?

1

I have a StackSet using service-managed permissions in order to use automatic deployments to accounts that are added to the organisation in the future. However, I have SCPs for that organisation and no way to exclude the service roles that the StackSet creates from the SCP. The problem is I don't have any way to know what these roles' ARNs or names are; they are created by the CFN runtime. They all start with stacksets-exec-* and then some random id. I tried to check the member accounts' CloudTrail events when those roles get an access denied error, but the event doesn't even carry information about which StackSet started it in the member account and assumed the service role. I don't see any way to exclude the service roles from the SCP except for:

"Condition": { "StringNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/stacksets-exec-*" ] } }

That however would allow any random StackSet to bypass my SCP.

3 Answers
0
Accepted answer

Prohibit member accounts from accessing stackset-exec-* roles via SCP, with an exception for arn:aws:iam::*:role/OrganizationAccountAccessRole, which shall also be protected via SCP.

See: https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-controls.html#control-update-hotfix . Specifically, check the "#this line is new" lines.

ubombi
answered 5 months ago
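To make the two halves of this thread concrete (the question's aws:PrincipalArn exemption and the accepted answer's "protect the stacksets-exec-* roles so nobody else can use that name"), here is an added example that is not code from the question, the answer or AWS. It is a toy evaluator for explicit Deny SCP statements with StringLike/StringNotLike conditions, run over constructed requests. Everything in it is an assumption chosen for illustration: the Sids, the use of ec2:RunInstances as the restricted action, the account id 111122223333, the role names Developer and stacksets-exec-3f9a1b2c, and the exact list of IAM/STS actions in the protection statement. The question's exemption alone lets a member-account principal create or alter a role whose name starts with stacksets-exec-; adding the second statement closes that gap while still letting the real execution role deploy.

```python
"""Toy SCP evaluator: the stacksets-exec-* exemption plus the protection that closes its gap.

Added example, not from the original question or answer. All statement contents,
account ids and role names below are assumptions. Only explicit Deny statements
with StringLike / StringNotLike conditions on aws:PrincipalArn are modelled.
"""
import re

ACCOUNT = "111122223333"  # constructed sample account id
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/stacksets-exec-3f9a1b2c"  # constructed role name
DEV_ROLE = f"arn:aws:iam::{ACCOUNT}:role/Developer"  # constructed human role
ORG_ROLE = f"arn:aws:iam::{ACCOUNT}:role/OrganizationAccountAccessRole"

# The question's approach: restrict an action for everyone except the execution roles.
# (ec2:RunInstances stands in for whatever the real SCP restricts; assumption.)
RESTRICT_WITH_EXEMPTION = {
    "Sid": "DenyRunInstancesExceptStackSetsExecRole",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances"],
    "Resource": "*",
    "Condition": {"StringNotLike": {"aws:PrincipalArn": ["arn:aws:iam::*:role/stacksets-exec-*"]}},
}

# The accepted answer's addition: no member-account principal may create, change,
# pass or assume a stacksets-exec-* role, except OrganizationAccountAccessRole.
# Assumption: if CloudTrail shows the role being created in the member account by a
# CloudFormation service-linked role, that role's ARN must be added to the exemption
# list as well, or deployments of new stack instances will be blocked.
PROTECT_EXEC_ROLES = {
    "Sid": "ProtectStackSetsExecRoles",
    "Effect": "Deny",
    "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:UpdateRole", "iam:UpdateAssumeRolePolicy",
               "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy",
               "iam:DeleteRolePolicy", "iam:PassRole", "sts:AssumeRole"],
    "Resource": "arn:aws:iam::*:role/stacksets-exec-*",
    "Condition": {"StringNotLike": {"aws:PrincipalArn": ["arn:aws:iam::*:role/OrganizationAccountAccessRole"]}},
}

QUESTION_ONLY = [RESTRICT_WITH_EXEMPTION]
WITH_PROTECTION = [RESTRICT_WITH_EXEMPTION, PROTECT_EXEC_ROLES]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _glob(pattern):
    """Compile an IAM-style pattern ('*' and '?' are the only wildcards) to a full-match regex."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$")


def _matches(patterns, value):
    return any(_glob(p).match(value) for p in _as_list(patterns))


def _condition_holds(condition, request):
    """An absent Condition always holds; StringLike / StringNotLike are evaluated against the request."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            like = _matches(patterns, request.get(key, ""))
            if like != (operator == "StringLike"):
                return False
    return True


def denying_statement(statements, request):
    """Return the Sid of the first explicit Deny that matches the request, else None (not denied by SCP)."""
    for stmt in statements:
        if stmt["Effect"] != "Deny":
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
        if not _matches(actions, request["action"].lower()):
            continue
        if not _matches(stmt["Resource"], request["resource"]):
            continue
        if _condition_holds(stmt.get("Condition"), request):
            return stmt["Sid"]
    return None


def req(principal, action, resource="*"):
    return {"aws:PrincipalArn": principal, "action": action, "resource": resource}


# Constructed requests as a member-account SCP would see them.
SCENARIOS = {
    "exec role deploys": req(EXEC_ROLE, "ec2:RunInstances", f"arn:aws:ec2:eu-west-1:{ACCOUNT}:instance/*"),
    "developer deploys": req(DEV_ROLE, "ec2:RunInstances", f"arn:aws:ec2:eu-west-1:{ACCOUNT}:instance/*"),
    "developer forges exec role": req(DEV_ROLE, "iam:CreateRole", f"arn:aws:iam::{ACCOUNT}:role/stacksets-exec-evil"),
    "developer edits exec trust": req(DEV_ROLE, "iam:UpdateAssumeRolePolicy", EXEC_ROLE),
    "developer assumes exec role": req(DEV_ROLE, "sts:AssumeRole", EXEC_ROLE),
    "org admin edits exec trust": req(ORG_ROLE, "iam:UpdateAssumeRolePolicy", EXEC_ROLE),
}


def evaluate_all(statements):
    """Map each scenario name to the Sid that denies it, or None when the SCP does not deny it."""
    return {name: denying_statement(statements, r) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for label, policy in (("question's SCP only", QUESTION_ONLY), ("with protection", WITH_PROTECTION)):
        print(f"== {label}")
        for name, sid in evaluate_all(policy).items():
            print(f"  {name:28s} -> {'denied by ' + sid if sid else 'not denied'}")
```

With only the question's statement, "developer forges exec role" is not denied: a member-account principal can create a role named stacksets-exec-anything and inherit the exemption, which is exactly the bypass the question worries about. With the protection statement added, that request, editing the real role's trust policy, and assuming it directly are all denied, while the execution role still deploys and OrganizationAccountAccessRole can still manage the roles. The evaluator only models explicit Deny, which is what matters for SCPs here; the exemption list in the protection statement is the part to verify against CloudTrail before rolling it out.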
0

Hi Martin, just to confirm, you're able to see the CFN stack being deployed when you check the CloudFormation console in the Organizations root account? How about in the Member account?

Also, why do you need to block these roles?

AWS
Thiru A
answered 10 months ago
  • Hey Thiru, the CFN StackSet is in the root account. However, when the StackSet is deploying the individual stack instances in member accounts, the service role that is created by the StackSet to deploy the stack doesn't have enough permissions to do all the necessary steps. It is restricted by an SCP. My problem is I cannot modify the SCP to unrestrict a role which does not exist before the StackSet is deployed; its name is not in any way specific, and the events this role triggers don't carry any info about the StackSet it is part of.

0

Hey Martin,

It seems like it is a chicken-and-egg situation where the role is created with that prefix, but it's restricted by the SCP, and the SCP can't be pre-unrestricted prior to the role being created. I hope I got it :)

Let me check and get back to you on this.

T

AWS
Thiru A
answered 10 months ago
