This set of CloudFormation templates and Python scripts will set up an auto-rotation function that will automatically rotate your AWS IAM User Access Keys every 90 days.
The runbook instructions seem to be rather inaccurate and out of order. Here are a few issues I've noticed so far:
Deployment steps begin with uploading the files to S3 and deploying the assumed roles YAML template as a stack set. This will immediately fail as the execution role does not yet exist:
ResourceLogicalId:ASAIAMAssumedRole, ResourceType:AWS::IAM::Role, ResourceStatusReason:Invalid principal in policy: "AWS":"arn:aws:iam::999999999999:role/asa-iam-key-rotation-lambda-execution-role" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx; Proxy: null).
The role is created under the 'ASA-iam-key-auto-rotation-and-notifier-solution' stack - which according to these instructions is the last thing deployed.
4.2 Step 3: "You will need to enter the ‘Primary AWS Account ID’ and ‘AWS Organization ID’."
There is no parameter for providing an org id. The included screenshot shows only the account id is needed.
4.2 Step 4: Select ‘Service-managed permissions’
This option appears on the first page of the create stackset wizard, not the page after providing the parameters. The included screenshot has 'Self service permissions' selected - which is the correct option?
4.3 Step 3: Deploy the List Account Role in the Central/Management Account.
Says a stack needs to be deployed but does not say which. Immediately jumps to filling in the parameters.
I'm sure there are more issues; however, the quality of this documentation for a solution advertised by AWS is rather poor and puts me off using it altogether.
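The failure quoted above is a deployment-ordering problem: IAM resolves an `AWS` role principal in a trust policy at creation time, so a stack whose trust policy names a role that a later stack creates is rejected with MalformedPolicyDocument. The following is an added example, not code from the aws-samples project, of a pre-flight check that walks the planned stack order and reports any trust-policy principal that no earlier stack creates. The template bodies, the assumed-role `RoleName`, the first stack's name and the 12-digit account id are constructed; only the `ASAIAMAssumedRole` logical id, the `asa-iam-key-rotation-lambda-execution-role` principal and the `ASA-iam-key-auto-rotation-and-notifier-solution` stack name come from the issue. It handles literal ARN strings only, not `Fn::Sub` or `Ref` intrinsics.

```python
"""Pre-flight check for cross-stack IAM trust-policy dependencies.

Added example (not part of the aws-samples project): given CloudFormation
templates already loaded into dicts and the order in which they will be
deployed, report every IAM role whose trust policy names a role principal
that is not created by an earlier stack.
"""
import re
from typing import List, Set, Tuple

# Constructed values modelled on the issue; account id and role names are assumptions.
ACCOUNT_ID = "999999999999"
EXEC_ROLE = "asa-iam-key-rotation-lambda-execution-role"

ASSUMED_ROLE_TEMPLATE = {"Resources": {"ASAIAMAssumedRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "RoleName": "asa-iam-key-rotation-assumed-role",  # constructed
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            # Trusts a role that the *solution* stack creates later.
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/{EXEC_ROLE}"},
            "Action": "sts:AssumeRole"}]}}}}}

SOLUTION_TEMPLATE = {"Resources": {"RotationLambdaExecutionRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "RoleName": EXEC_ROLE,
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole"}]}}}}}

# Literal role ARNs only; Fn::Sub / Ref intrinsics are out of scope here.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/(?P<name>[\w+=,.@/-]+)$")


def roles_created(template: dict) -> Set[str]:
    """Names of IAM roles a template creates (explicit RoleName only)."""
    names = set()
    for res in template.get("Resources", {}).values():
        if res.get("Type") == "AWS::IAM::Role":
            name = res.get("Properties", {}).get("RoleName")
            if isinstance(name, str):
                names.add(name)
    return names


def role_principals(template: dict) -> List[Tuple[str, str]]:
    """(logical id, principal role name) for each AWS role principal in a trust policy."""
    found = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        for stmt in doc.get("Statement", []):
            aws = stmt.get("Principal", {}).get("AWS", [])
            for arn in ([aws] if isinstance(aws, str) else aws):
                m = ROLE_ARN_RE.match(arn)
                if m:
                    found.append((logical_id, m.group("name")))
    return found


def check_deploy_order(stacks: List[Tuple[str, dict]]) -> List[str]:
    """One message per trust-policy principal not created by an earlier stack.

    `stacks` is the planned deployment order as (stack name, template dict).
    """
    problems = []
    available: Set[str] = set()
    for stack_name, template in stacks:
        for logical_id, principal in role_principals(template):
            if principal not in available:
                problems.append(f"{stack_name}/{logical_id}: principal role "
                                f"'{principal}' is not created by any earlier stack")
        available |= roles_created(template)  # now visible to later stacks
    return problems


if __name__ == "__main__":
    runbook_order = [
        ("ASA-iam-key-auto-rotation-assumed-roles", ASSUMED_ROLE_TEMPLATE),  # name constructed
        ("ASA-iam-key-auto-rotation-and-notifier-solution", SOLUTION_TEMPLATE),
    ]
    for line in check_deploy_order(runbook_order) or ["deployment order OK"]:
        print(line)
    print("reversed order:", check_deploy_order(list(reversed(runbook_order))) or "OK")
```

Running it with the runbook's order flags `ASAIAMAssumedRole`; reversing the two stacks, so the solution stack that creates the execution role goes first, yields no findings, which matches the ordering the comment asks for.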