aws-samples / aws-iam-access-key-auto-rotation

This set of CloudFormation templates and Python scripts will set up an auto-rotation function that will automatically rotate your AWS IAM User Access Keys every 90 days.
MIT No Attribution

Is it possible to omit specific accounts from being rotated? #33

Open omahonyb opened 2 months ago

omahonyb commented 2 months ago

As per the title, I want to look into implementing this. I would like to apply it to some test accounts for POC, then Dev, then STG, then Prod over a period of time. I don't want to have to go to 150+ accounts and create the "IAMKeyRotationExemptionGroup" and move everyone in there, as I won't get approval before the demo is complete and documented.

I am wondering if there is a way to set a tag on the accounts, or just supply a list of account numbers to the scan so I can do this in a controlled manner? Alternatively, is it possible to supply a specific OU in the CTOrganisation?

omahonyb commented 2 months ago

I found in the docs that it can be deployed to Organisational Units, so that pretty much answers my questions. I will give it a test run in a few days.

DNascimento99 commented 1 week ago

Were you able to take the test? I'm interested in this solution

DNascimento99 commented 1 week ago

I found a solution for this, the lambda policy remained like this (replace `<org-id>` with your org ID):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "<org-id>",
          "aws:ResourceTag/environment": "dev"
        }
      },
      "Action": ["sts:AssumeRole"],
      "Resource": ["arn:aws:iam::*:role/asa-iam-key-rotation-lambda-assumed-role"],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "<org-id>"
        }
      },
      "Action": ["sts:AssumeRole"],
      "Resource": ["arn:aws:iam::*:role/asa-iam-key-rotation-list-accounts-role"],
      "Effect": "Allow"
    },
    {
      "Action": ["lambda:InvokeFunction"],
      "Resource": "arn:aws:lambda:us-east-1:{accountID}:function:ASA-Notifier",
      "Effect": "Allow"
    }
  ]
}
```

In the assumed role, set an `environment` tag with the value `dev`.
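As an added example (not code from the aws-iam-access-key-auto-rotation project or from anyone in this thread): a small offline Python model of how the `StringEquals` conditions in the policy above scope the rotation Lambda to member accounts whose `asa-iam-key-rotation-lambda-assumed-role` carries `environment=dev`. The organization ID, account IDs and tags are constructed placeholders, and the condition evaluation is a deliberately reduced model of IAM (Allow statements, a `*` account wildcard in the resource ARN, and `StringEquals` only), not the real policy evaluator.

```python
import json

# Role name taken from the policy posted in the thread.
ASSUMED_ROLE_NAME = "asa-iam-key-rotation-lambda-assumed-role"


def build_lambda_policy(org_id: str, environment: str) -> dict:
    """Rebuild the first statement of the posted policy, parameterised on the
    organization ID and the environment tag value the Lambda may assume into."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["sts:AssumeRole"],
                "Resource": [f"arn:aws:iam::*:role/{ASSUMED_ROLE_NAME}"],
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": org_id,
                        "aws:ResourceTag/environment": environment,
                    }
                },
            }
        ],
    }


def role_context(caller_org_id: str, role_tags: dict) -> dict:
    """Condition context for one AssumeRole call: the caller's org ID plus the
    target role's tags, exposed as aws:ResourceTag/<key> (simplified model)."""
    context = {"aws:PrincipalOrgID": caller_org_id}
    for key, value in role_tags.items():
        context[f"aws:ResourceTag/{key}"] = value
    return context


def string_equals(condition: dict, context: dict) -> bool:
    """StringEquals semantics: every condition key must be present in the
    context with exactly that value. A missing key (an untagged role) makes
    the condition false, which is what keeps untagged accounts out of scope."""
    return all(context.get(key) == expected for key, expected in condition.items())


def resource_matches(pattern: str, arn: str) -> bool:
    """Match an ARN against a policy resource whose account field may be '*'."""
    pattern_parts, arn_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(pattern_parts) != 6 or len(arn_parts) != 6:
        return False
    return all(p == "*" or p == a for p, a in zip(pattern_parts, arn_parts))


def assume_role_allowed(policy: dict, role_arn: str, context: dict) -> bool:
    """True if some Allow statement grants sts:AssumeRole on role_arn under
    the given context (no explicit Deny handling in this reduced model)."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in statement.get("Action", []):
            continue
        if not any(resource_matches(r, role_arn) for r in statement.get("Resource", [])):
            continue
        condition = statement.get("Condition", {}).get("StringEquals", {})
        if string_equals(condition, context):
            return True
    return False


def accounts_in_rotation_scope(policy: dict, caller_org_id: str, accounts: dict) -> list:
    """accounts maps account ID -> tags on that account's assumed role.
    Returns the sorted account IDs the rotation Lambda may assume into."""
    in_scope = []
    for account_id, tags in accounts.items():
        arn = f"arn:aws:iam::{account_id}:role/{ASSUMED_ROLE_NAME}"
        if assume_role_allowed(policy, arn, role_context(caller_org_id, tags)):
            in_scope.append(account_id)
    return sorted(in_scope)


# Constructed sample: three member accounts whose assumed role carries different tags.
SAMPLE_ORG_ID = "o-exampleorg1"  # placeholder, not a real organization ID
SAMPLE_ACCOUNTS = {
    "111111111111": {"environment": "dev"},
    "222222222222": {"environment": "prod"},
    "333333333333": {},  # role never tagged: condition key absent, so denied
}

if __name__ == "__main__":
    policy = build_lambda_policy(SAMPLE_ORG_ID, "dev")
    print(json.dumps(policy, indent=2))
    print("in scope:", accounts_in_rotation_scope(policy, SAMPLE_ORG_ID, SAMPLE_ACCOUNTS))
```

Running it shows that only the account whose assumed role is tagged `environment=dev` is in scope; the `prod` account fails on the tag value and the untagged account fails because the `aws:ResourceTag/environment` key is absent from the request context. That is the property that makes the staged rollout described in this thread work: the set of rotated accounts is controlled by which roles carry the tag, and widening it is a tagging change rather than a policy change.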

omahonyb commented 1 week ago

Hey mate, great work! I haven't actually gotten around to implementing this as I had a million other things to do, but have a change request to start testing next week. I was looking at the doc and you can omit OU units, which I was going to use [I have test, dev and prod OUs], but hopefully I can use this in conjunction, as it will make final implementation easier: I can use Tag Editor to tag all accounts with "RotateKeys: False" and then enable on a case-by-case basis for teams to test.

omahonyb commented 1 week ago

After re-reading the document it seems the omit OU option doesn't actually exist, but I am sure I can edit the lambda function to do that, I guess, when I get to implement it. Or I might just use your one above from the beginning and make it so much simpler :P