By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

CloudFormation StackSets with service-managed permissions - service role blocked by SCP?

0

I have a StackSet using service-managed permissions in order to utilize automatic deployments to accounts that you add to the organisation in the future. However I have SCPs for that organisation and no way to exclude the service roles that the StackSet creates from the SCP. The problem is I don't have the any way to know what these roles' arn or names are - they are created by CFN runtime. They all start with stacksets-exec-* and then some random id. I tried to check member accounts cloudtrail events when those roles get a denied access error, but the event doesn't even carry information about which stackset started it in member account and assumed the service role. I don't see any way to exclude the service roles from SCP except for : "Condition": { "StringNotLike": { "aws:PrincipalArn": [ "arn:aws:iam:::role/stacksets-exec-" ]} } That however would allow any random stackset to bypass my SCP.

Topics
Management & GovernanceAWS Well-Architected Framework
Tags
AWS CloudFormationSecurityAWS Account ManagementStackSetsService Control Policy
Language
English
Martin Lazarov
asked 2 days ago24 views
1 Answer
0

Hi Martin, just to confirm, you're able to see the CFN stack being deployed when you check the CloudFormation console in the Organizations root account? How about in the Member account?

Also, why do you need to block these roles?

profile pictureAWS
Thiru A
answered 2 days ago
  • Martin Lazarov
    2 days ago

    Hey Thiru, The CFN stackset is in root account, however when stackset is deploying the individual stack instances in member accounts the service role that is created from stackset to deploy the stack doesn't have enough permissions to do all necessary steps. It is restricted from a SCP. My problem is I cannot modify the SCP to unrestrict a role which does not exists before the stackset is deployed and it's name is not in any way specific and also the events this role triggers don't carry any info about the stackset it is part of.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content