Open ShahradR opened 3 years ago
As a test, the CodePipeline role was granted an administrative role. Once the resources defined by the CloudFormation stack have been deployed, we can pull the CloudTrail logs and see which API calls were made during the creation process. The IAM role assumed by the pipeline will need the same roles to deploy the stack.
User name | Event time | Event source | Event name | AWS region | Source IP address | User agent | Error code | Resources | Read-only | Event type | Event category |
---|---|---|---|---|---|---|---|---|---|---|---|
AWSCloudFormation | 2020-12-28T18:17:43Z | servicecatalog.amazonaws.com | AssociateProductWithPortfolio | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | FALSE | AwsApiCall | Management |
AWSCloudFormation | 2020-12-28T18:17:43Z | servicecatalog.amazonaws.com | CreateConstraint | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | FALSE | AwsApiCall | Management |
AWSCloudFormation | 2020-12-28T18:17:25Z | servicecatalog.amazonaws.com | CreateProduct | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | FALSE | AwsApiCall | Management |
AWSCloudFormation | 2020-12-28T18:17:23Z | iam.amazonaws.com | AttachRolePolicy | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Policy","resourceName":"arn:aws:iam::aws:policy/AmazonS3FullAccess"},{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"}] | FALSE | AwsApiCall | Management |
AWSCloudFormation | 2020-12-28T18:17:23Z | iam.amazonaws.com | PutRolePolicy | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Policy","resourceName":"SCLaunchPolicy"},{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"}] | FALSE | AwsApiCall | Management |
AWSCloudFormation | 2020-12-28T18:17:22Z | iam.amazonaws.com | CreateRole | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"},{"resourceType":"AWS::IAM::Role","resourceName":"arn:aws:iam::***:role/SCS3LaunchRole"},{"resourceType":"AWS::IAM::Role","resourceName":"***"}] | FALSE | AwsApiCall | Management |
AWSCloudFormation | 2020-12-28T18:17:20Z | servicecatalog.amazonaws.com | CreatePortfolio | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | FALSE | AwsApiCall | Management |
Additional IAM roles also need to be added when deleting the CloudFormation stack. From the CloudTrail logs, these are the API calls triggered when deleting the stack.

User name | Event time | Event source | Event name | AWS region | Source IP address | User agent | Error code | Resources |
---|---|---|---|---|---|---|---|---|
AWSCloudFormation | 2020-12-29T03:54:55Z | servicecatalog.amazonaws.com | DeleteProduct | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] |
AWSCloudFormation | 2020-12-29T03:54:54Z | iam.amazonaws.com | DetachRolePolicy | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Policy","resourceName":"arn:aws:iam::aws:policy/AmazonS3FullAccess"},{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"}] |
AWSCloudFormation | 2020-12-29T03:54:54Z | iam.amazonaws.com | DeleteRole | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"}] |
AWSCloudFormation | 2020-12-29T03:54:54Z | iam.amazonaws.com | DeleteRolePolicy | us-east-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [{"resourceType":"AWS::IAM::Policy","resourceName":"SCLaunchPolicy"},{"resourceType":"AWS::IAM::Role","resourceName":"SCS3LaunchRole"}] |
AWSCloudFormation | 2020-12-29T03:54:53Z | servicecatalog.amazonaws.com | DeletePortfolio | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] |
AWSCloudFormation | 2020-12-29T03:54:51Z | servicecatalog.amazonaws.com | DisassociateProductFromPortfolio | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] |
AWSCloudFormation | 2020-12-29T03:54:51Z | servicecatalog.amazonaws.com | DeleteConstraint | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | ResourceNotFoundException | [] |
In addition to the permissions identified in the CloudTrail logs, the Release action role additionally requires the `iam:GetRole` and `iam:CreateRole` permissions against the SCS3LaunchRole role, as shown in the CloudFormation logs below.
In addition to the permissions listed above, the Release action role additionally requires the `iam:GetRolePolicy` permission, as shown in the CloudFormation logs below.
By removing the "ReadOnly" filter in the CloudTrail logs, we can reveal additional logs, detailing API calls which were only querying information.
https://user-images.githubusercontent.com/5815058/103463548-2b2ffe80-4cfb-11eb-8552-cf0fadf3558d.mp4
Comparing the logs generated when creating the S3 product with our IAM role versus an IAM role with the administrative policy attached, we see that the invalid parameters error is caused by a failed CloudFormation `ValidateTemplate` API call. Adding the `cloudformation:ValidateTemplate` permission to our role resolves the `InvalidParametersException` thrown by Service Catalog.
User name | Event time | Event source | Event name | AWS region | Source IP address | User agent | Error code | Resources | Read-only |
---|---|---|---|---|---|---|---|---|---|
AWSCloudFormation | 2021-01-02T02:19:51Z | cloudformation.amazonaws.com | ValidateTemplate | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | AccessDenied | [] | TRUE |
AWSCloudFormation | 2021-01-02T02:19:51Z | servicecatalog.amazonaws.com | CreateProduct | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | InvalidParametersException | [] | FALSE |
User name | Event time | Event source | Event name | AWS region | Source IP address | User agent | Error code | Resources | Read-only |
---|---|---|---|---|---|---|---|---|---|
AWSCloudFormation | 2021-01-02T15:50:14Z | servicecatalog.amazonaws.com | CreateProduct | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | FALSE |
AWSCloudFormation | 2021-01-02T15:50:13Z | cloudformation.amazonaws.com | ValidateTemplate | ca-central-1 | cloudformation.amazonaws.com | cloudformation.amazonaws.com | | [] | TRUE |
In addition to the permissions listed above, the Release action role additionally requires the `servicecatalog:DescribeProductAsAdmin` permission, as shown in the CloudFormation logs below.
In addition to the permissions listed above, the Release action role additionally requires the `iam:PassRole` permission, as shown in the CloudFormation logs below.
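The procedure the comments above work through by hand (pull the CloudTrail records for an admin-role deployment, turn each `eventSource`/`eventName` pair into an IAM action, then rerun with the reduced role and read the `AccessDenied` records to find what is still missing) is scripted here as an added example. It is not code from this issue or from the sc-s3-portfolio project. The records are constructed to mirror the tables in the thread; the timestamps for `iam:GetRole`, `iam:PassRole`, `iam:GetRolePolicy`, `servicecatalog:DescribeProductAsAdmin` and the successful `cloudformation:ValidateTemplate` call are invented for the sample, since the thread names those permissions without a table row, and the account ID 123456789012 is a placeholder. Two caveats a practitioner should keep in mind: the IAM action prefix is usually but not always the first label of `eventSource` (for instance `monitoring.amazonaws.com` maps to `cloudwatch:`), and CloudTrail only shows the calls this particular deployment made, so a changed template, or calls CloudFormation makes only on update or rollback, will surface as new denials that have to be folded in on the next iteration, exactly as the thread did.

```python
"""Derive a least-privilege policy for the CodePipeline/CloudFormation role from CloudTrail.

Added example, not code from the issue or the sc-s3-portfolio project. The event
records are constructed to mirror the API calls in the issue's CloudTrail tables;
account ID 123456789012 is a placeholder.
"""
import json
from collections import defaultdict
from datetime import datetime

LAUNCH_ROLE_ARN = "arn:aws:iam::123456789012:role/SCS3LaunchRole"  # placeholder account

# eventSource -> IAM action prefix. Usually the first hostname label, but not
# always: monitoring.amazonaws.com is the cloudwatch: prefix, for example.
PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}

SC, IAM, CFN = "servicecatalog.amazonaws.com", "iam.amazonaws.com", "cloudformation.amazonaws.com"


def ev(time, source, name, error=None, role_arn=None):
    """Build a minimal CloudTrail record with only the fields this analysis needs."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name, "resources": []}
    if error:
        rec["errorCode"] = error
    if role_arn:
        rec["resources"].append({"resourceType": "AWS::IAM::Role", "resourceName": role_arn})
    return rec


# Run 1 (constructed): stack created and deleted with an administrative role.
ADMIN_RUN = [
    ev("2020-12-28T18:17:20Z", SC, "CreatePortfolio"),
    ev("2020-12-28T18:17:22Z", IAM, "CreateRole", role_arn=LAUNCH_ROLE_ARN),
    ev("2020-12-28T18:17:22Z", IAM, "GetRole", role_arn=LAUNCH_ROLE_ARN),
    ev("2020-12-28T18:17:23Z", IAM, "PutRolePolicy", role_arn=LAUNCH_ROLE_ARN),
    ev("2020-12-28T18:17:23Z", IAM, "AttachRolePolicy", role_arn=LAUNCH_ROLE_ARN),
    ev("2020-12-28T18:17:24Z", IAM, "PassRole", role_arn=LAUNCH_ROLE_ARN),
    ev("2020-12-28T18:17:25Z", CFN, "ValidateTemplate"),
    ev("2020-12-28T18:17:25Z", SC, "CreateProduct"),
    ev("2020-12-28T18:17:26Z", SC, "DescribeProductAsAdmin"),
    ev("2020-12-28T18:17:43Z", SC, "AssociateProductWithPortfolio"),
    ev("2020-12-28T18:17:43Z", SC, "CreateConstraint"),
    ev("2020-12-29T03:54:51Z", SC, "DeleteConstraint", error="ResourceNotFoundException"),
    ev("2020-12-29T03:54:51Z", SC, "DisassociateProductFromPortfolio"),
    ev("2020-12-29T03:54:53Z", SC, "DeletePortfolio"),
    ev("2020-12-29T03:54:54Z", IAM, "GetRolePolicy", role_arn=LAUNCH_ROLE_ARN),
    ev("2020-12-29T03:54:54Z", IAM, "DeleteRolePolicy", role_arn=LAUNCH_ROLE_ARN),
    ev("2020-12-29T03:54:54Z", IAM, "DetachRolePolicy", role_arn=LAUNCH_ROLE_ARN),
    ev("2020-12-29T03:54:54Z", IAM, "DeleteRole", role_arn=LAUNCH_ROLE_ARN),
    ev("2020-12-29T03:54:55Z", SC, "DeleteProduct"),
]

# Run 2 (constructed): the reduced role before cloudformation:ValidateTemplate was granted.
REDUCED_RUN = [
    ev("2021-01-02T02:19:51Z", CFN, "ValidateTemplate", error="AccessDenied"),
    ev("2021-01-02T02:19:51Z", SC, "CreateProduct", error="InvalidParametersException"),
]


def action_for(rec):
    """Translate a CloudTrail record into the IAM action string it exercised."""
    prefix = PREFIX_OVERRIDES.get(rec["eventSource"], rec["eventSource"].split(".")[0])
    return f"{prefix}:{rec['eventName']}"


def derive_permissions(records):
    """Split a run into actions the role exercised and actions it was denied.
    A non-AccessDenied error (ResourceNotFoundException here) still proves the
    permission was present, so it counts as exercised. Read-only calls are kept."""
    exercised, denied = set(), set()
    for rec in records:
        (denied if rec.get("errorCode") == "AccessDenied" else exercised).add(action_for(rec))
    return exercised, denied


def _parse_time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def likely_causes(records, window_seconds=5):
    """Map each non-AccessDenied failure to the AccessDenied calls logged up to
    window_seconds before it. Service Catalog reports a denied downstream
    ValidateTemplate as InvalidParametersException on CreateProduct, so the
    missing permission only becomes visible once read-only events are included."""
    denied = [(_parse_time(r), action_for(r)) for r in records if r.get("errorCode") == "AccessDenied"]
    causes = {}
    for rec in records:
        err = rec.get("errorCode")
        if err and err != "AccessDenied":
            t = _parse_time(rec)
            causes[action_for(rec)] = sorted(a for dt, a in denied if 0 <= (t - dt).total_seconds() <= window_seconds)
    return causes


def build_policy(records):
    """Allow exactly the exercised actions, grouped by service. IAM actions are
    scoped to the role ARNs present in the records; the Service Catalog and
    CloudFormation records carry no resource ARN, so those statements stay on "*"."""
    exercised, _ = derive_permissions(records)
    role_arns = sorted({r["resourceName"] for rec in records for r in rec["resources"]
                        if r["resourceType"] == "AWS::IAM::Role"})
    by_service = defaultdict(set)
    for action in exercised:
        by_service[action.split(":")[0]].add(action)
    statements = [{"Sid": f"{svc.capitalize()}Deploy", "Effect": "Allow", "Action": sorted(acts),
                   "Resource": role_arns if svc == "iam" and role_arns else "*"}
                  for svc, acts in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(ADMIN_RUN), indent=2))
    print("denied in reduced run:", sorted(derive_permissions(REDUCED_RUN)[1]))
    print("failure causes:", likely_causes(REDUCED_RUN))
```

Against real data, replace the constructed lists with the records returned by `aws cloudtrail lookup-events` (or an Athena query over the trail's S3 bucket), filtered on the pipeline role's session, and leave the Read-only filter off, because the denied `ValidateTemplate` that broke `CreateProduct` in the thread is a read-only event. The output policy is a starting point to review, not a finished artefact: `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:PassRole` on a role the pipeline also creates let that pipeline grant itself new permissions, so in a shared account those statements deserve a permissions-boundary or `iam:PolicyARN` condition that this script does not add.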
Create an IAM role for AWS CodePipeline to assume when creating resources defined in CloudFormation templates.
For this specific use case, the AWS CodePipeline pipeline is hardcoded to deploy the CloudFormation template created in the ShahradR/sc-s3-portfolio repository. The project's CloudFormation templates create AWS resources of the following types:
- AWS::ServiceCatalog::Portfolio
- AWS::ServiceCatalog::LaunchRoleConstraint
- AWS::ServiceCatalog::PortfolioProductAssociation
- AWS::IAM::Role
- AWS::ServiceCatalog::CloudFormationProduct
- AWS::S3::Bucket
- AWS::S3::BucketPolicy

The IAM role assumed by CodePipeline in the Release action should support the creation of all those resources.