CloudFormation StackSets with service-managed permissions - service role blocked by SCP?

1

I have a StackSet using service-managed permissions in order to utilize automatic deployments to accounts that you add to the organisation in the future. However, I have SCPs for that organisation and no way to exclude the service roles that the StackSet creates from the SCP. The problem is I don't have any way to know what these roles' ARNs or names are; they are created at CFN runtime. They all start with stacksets-exec-* and then some random id. I tried to check the member accounts' CloudTrail events when those roles get an access denied error, but the event doesn't even carry information about which StackSet started it in the member account and assumed the service role.

I don't see any way to exclude the service roles from the SCP except for:

"Condition": { "StringNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/stacksets-exec-*" ] } }

That, however, would allow any random StackSet to bypass my SCP.

3 Answers
0
Accepted Answer

Prohibit member accounts from accessing stacksets-exec-* roles via SCP, with an exception for arn:aws:iam::*:role/OrganizationAccountAccessRole, which shall also be protected via SCP.

See: https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-controls.html#control-update-hotfix. Specifically, check the lines marked "#this line is new".

ubombi
answered 5 months ago
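The two SCP statements that the question and the accepted answer together imply, as an added example that is not from this thread or from AWS: the first exempts the StackSets execution roles (with the wildcards that the forum rendering stripped from the question restored), the second protects those roles so that a member-account principal cannot create or modify a look-alike stacksets-exec-* role and thereby reach the exemption. A small matcher then checks which principals each statement catches. Account ids, principal names, the restricted actions and the matcher itself are constructed for illustration; the matcher covers only the glob and StringNotLike pieces these statements use, not full IAM evaluation. It relies on aws:PrincipalArn resolving to the role ARN (not the session ARN) for an assumed-role session.

```python
"""Two SCP statements for StackSets execution roles plus a minimal matcher.

Added example (not the thread's or AWS's code). Account ids, names and the
list of restricted actions are constructed placeholders.
"""
import fnmatch
import json

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # The questioner's exemption: the restrictive deny does not apply to
            # a StackSets execution role in any member account.
            "Sid": "DenyRestrictedActionsExceptStackSetsExecRoles",
            "Effect": "Deny",
            "Action": ["ec2:*", "iam:CreateUser"],  # constructed: whatever the SCP restricts
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": ["arn:aws:iam::*:role/stacksets-exec-*"]
                }
            },
        },
        {
            # The accepted answer's guard: nobody in a member account may touch
            # stacksets-exec-* roles except the organisation's admin role, so the
            # exemption above cannot be reached by creating a look-alike role.
            "Sid": "ProtectStackSetsExecRoles",
            "Effect": "Deny",
            "Action": "iam:*",
            "Resource": "arn:aws:iam::*:role/stacksets-exec-*",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/OrganizationAccountAccessRole"
                    ]
                }
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style '*' glob; fnmatchcase keeps the comparison case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_denies(stmt, principal_arn, action, resource):
    """True if this Deny statement applies to the request (simplified IAM)."""
    if not _matches(_as_list(stmt["Action"]), action):
        return False
    if not _matches(_as_list(stmt["Resource"]), resource):
        return False
    not_like = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", [])
    if not_like and _matches(_as_list(not_like), principal_arn):
        return False  # principal is carved out by the condition
    return True


def scp_allows(policy, principal_arn, action, resource="*"):
    """SCPs only restrict: the request survives if no Deny statement applies."""
    return not any(
        statement_denies(s, principal_arn, action, resource)
        for s in policy["Statement"]
        if s["Effect"] == "Deny"
    )


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    exec_role = "arn:aws:iam::111122223333:role/stacksets-exec-a1b2c3d4"  # constructed
    alice = "arn:aws:iam::111122223333:user/alice"  # constructed
    org_admin = "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole"
    fake = "arn:aws:iam::111122223333:role/stacksets-exec-lookalike"  # constructed
    print("exec role ec2:RunInstances:", scp_allows(SCP, exec_role, "ec2:RunInstances"))
    print("alice ec2:RunInstances:", scp_allows(SCP, alice, "ec2:RunInstances"))
    print("alice iam:CreateRole look-alike:", scp_allows(SCP, alice, "iam:CreateRole", fake))
    print("org admin iam:UpdateAssumeRolePolicy:",
          scp_allows(SCP, org_admin, "iam:UpdateAssumeRolePolicy", exec_role))
```

The second statement is what closes the gap the questioner worried about: the exemption still matches any stacksets-exec-* role, but a member-account user can no longer manufacture one, and only OrganizationAccountAccessRole (which the accepted answer says must itself be SCP-protected) can touch those roles.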
0

Hi Martin, just to confirm, you're able to see the CFN stack being deployed when you check the CloudFormation console in the Organizations root account? How about in the Member account?

Also, why do you need to block these roles?

Thiru A
answered 10 months ago
  • Hey Thiru, the CFN StackSet is in the root account; however, when the StackSet is deploying the individual stack instances in member accounts, the service role that is created by the StackSet to deploy the stack doesn't have enough permissions to do all the necessary steps. It is restricted by an SCP. My problem is I cannot modify the SCP to unrestrict a role which does not exist before the StackSet is deployed, and its name is not in any way specific; also, the events this role triggers don't carry any info about the StackSet it is part of.

0

Hey Martin,

It seems like it is a chicken-and-egg situation where the role is created with that prefix, but it's restricted by the SCP, and the SCP can't be pre-unrestricted prior to the role being created. I hope I got it :)

Let me check and get back to you on this.

T

Thiru A
answered 10 months ago
