aws-samples / aws-iam-access-key-auto-rotation

This set of CloudFormation templates and Python scripts will set up an auto-rotation function that will automatically rotate your AWS IAM User Access Keys every 90 days.
MIT No Attribution
140 stars 130 forks

Is it possible to omit specific accounts from being rotated? #33

Open omahonyb opened 7 months ago

omahonyb commented 7 months ago

As per the title, I want to look into implementing this. I would like to apply it to some test accounts for POC, then Dev, then STG, then Prod over a period of time. I don't want to have to go to 150+ accounts and create the "IAMKeyRotationExemptionGroup" and move everyone in there, as I won't get approval before the demo is complete and documented.

I am wondering if there is a way to set a tag on the accounts, or just supply a list of account numbers to the scan so I can do this in a controlled manner? Alternatively, is it possible to supply a specific OU in the CTOrganisation?

omahonyb commented 7 months ago

I found in the docs that it can be deployed to Organisational Units, so that pretty much answers my questions. I will give it a test run in a few days.

DNascimento99 commented 4 months ago

Were you able to take the test? I'm interested in this solution

DNascimento99 commented 4 months ago

I found a solution for this, the lambda policy remained like this (fill the org ID into both aws:PrincipalOrgID values):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": "",
                        "aws:ResourceTag/environment": "dev"
                    }
                },
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": [
                    "arn:aws:iam::*:role/asa-iam-key-rotation-lambda-assumed-role"
                ],
                "Effect": "Allow"
            },
            {
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": ""
                    }
                },
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": [
                    "arn:aws:iam::*:role/asa-iam-key-rotation-list-accounts-role"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "lambda:InvokeFunction"
                ],
                "Resource": "arn:aws:lambda:us-east-1:{accountID}:function:ASA-Notifier",
                "Effect": "Allow"
            }
        ]
    }

In the assumed role, set an environment: dev tag.

omahonyb commented 4 months ago

Hey mate, great work! I haven't actually gotten around to implementing this as I had a million other things to do, but have a change request to start testing next week. I was looking at the doc and you can omit OU units, which I was going to use [I have test, dev and prod OUs], but hopefully I can use this in conjunction, as it will make final implementation easier: I can use Tag Editor to tag all accounts with "RotateKeys: False" and then enable on a case-by-case basis for teams to test.

omahonyb commented 4 months ago

After re-reading the document it seems the omit OU doesn't actually exist, but I am sure I can edit the lambda function to do that, I guess, when I get to implement it. Or I might just use your one above from the beginning and make it so much simpler :P

omahonyb commented 4 months ago

> I found a solution for this, the lambda policy remained like this
>
> in the assumed role, set an environment: dev tag

In the end I didn't want to do this via policy, as I was worried it might bork stuff or throw stupid errors in the logs that others may not understand.

I ended up modifying the function with the following in both places [you do need to give the role List Tags permissions]:

    import boto3

    # Setup shown here for context only; in the function these names already exist
    org_client = boto3.client('organizations')
    account_list = []

    # ListAccounts is paginated; the paginator follows NextToken for us
    paginator = org_client.get_paginator('list_accounts')
    page_iterator = paginator.paginate()

    for page in page_iterator:
        for acct in page['Accounts']:
            # Account Tag Check: only accounts tagged IAMKeyRotate=YES get rotated
            # (needs organizations:ListTagsForResource on the Lambda's role)
            tags = org_client.list_tags_for_resource(ResourceId=acct['Id'])
            tags = tags['Tags']
            for tag in tags:
                if tag['Key'] == 'IAMKeyRotate' and tag['Value'] == 'YES':
                    account_list.append(acct)
                    break  # tag found; no need to look at the remaining tags
            # Tags stop

I'll probably go back and variablize the value when I am done testing and go to clean up, but as this is internal use, it is fine for now.

Next step I have to go and figure out how to change the email in the notifier to a different tag, but that can't be too hard :P
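The tag-based account selection from the comment above, carried a bit further, as an added example that is not the project's code nor code from anyone in this thread: the tag key and value are parameters instead of literals, ListTagsForResource's own NextToken pagination is followed (the snippet above reads only the first page of tags), suspended accounts are skipped, the value comparison is case-insensitive (the original matches only the exact string YES), and a small helper picks the notifier address from a contact tag with the account's root email from ListAccounts as the fallback. TAG_KEY, TAG_VALUE, the contact tag name KeyRotationContact, FakeOrgClient and all sample accounts and tags are assumptions constructed for this illustration; only the boto3 Organizations calls are real.

```python
"""Select AWS Organizations accounts for key rotation by account tag.

Added example, not the aws-iam-access-key-auto-rotation project's code.
TAG_KEY, TAG_VALUE, KeyRotationContact, FakeOrgClient and the sample data
below are assumptions made for this illustration.
"""

TAG_KEY = "IAMKeyRotate"   # assumed opt-in tag key, as used in the thread
TAG_VALUE = "YES"          # assumed opt-in value


def real_org_client():
    """Build a real Organizations client (boto3 imported lazily so the
    offline demo below runs without it)."""
    import boto3
    return boto3.client("organizations")


def account_tags(org_client, account_id):
    """Return {key: value} for every tag on the account.
    ListTagsForResource returns one page at a time plus a NextToken, so
    reading only the first response can miss the opt-in tag."""
    tags = {}
    kwargs = {"ResourceId": account_id}
    while True:
        resp = org_client.list_tags_for_resource(**kwargs)
        for tag in resp.get("Tags", []):
            tags[tag["Key"]] = tag["Value"]
        token = resp.get("NextToken")
        if not token:
            return tags
        kwargs["NextToken"] = token


def select_accounts(org_client, tag_key=TAG_KEY, tag_value=TAG_VALUE):
    """Return the ListAccounts records whose tag_key equals tag_value
    (case-insensitive). Non-ACTIVE accounts are skipped: AssumeRole into a
    suspended account fails, and the failure would only add log noise."""
    selected = []
    paginator = org_client.get_paginator("list_accounts")
    for page in paginator.paginate():
        for acct in page["Accounts"]:
            if acct.get("Status") != "ACTIVE":
                continue
            tags = account_tags(org_client, acct["Id"])
            if tags.get(tag_key, "").strip().lower() == tag_value.lower():
                selected.append(acct)
    return selected


def notification_email(acct, tags, email_tag="KeyRotationContact"):
    """Address for the notifier: an explicit contact tag (assumed name)
    when present, otherwise the account's root email from ListAccounts."""
    return tags.get(email_tag) or acct["Email"]


class FakeOrgClient:
    """Constructed stand-in for boto3's Organizations client so the demo
    runs offline. It deliberately splits accounts and tags across pages
    to exercise both pagination paths."""

    def __init__(self, accounts, tags_by_id):
        self._accounts = accounts
        self._tags = tags_by_id

    def get_paginator(self, name):
        assert name == "list_accounts"
        accounts = self._accounts

        class _Paginator:
            def paginate(self, **_):
                return [{"Accounts": accounts[:2]}, {"Accounts": accounts[2:]}]
        return _Paginator()

    def list_tags_for_resource(self, ResourceId, NextToken=None):
        tags = self._tags.get(ResourceId, [])
        idx = int(NextToken or 0)          # one tag per page
        resp = {"Tags": tags[idx:idx + 1]}
        if idx + 1 < len(tags):
            resp["NextToken"] = str(idx + 1)
        return resp


# Constructed sample data (not real accounts).
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "poc-a", "Email": "poc-a@example.com", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "dev-b", "Email": "dev-b@example.com", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "prod-c", "Email": "prod-c@example.com", "Status": "ACTIVE"},
    {"Id": "444444444444", "Name": "old-d", "Email": "old-d@example.com", "Status": "SUSPENDED"},
]
SAMPLE_TAGS = {
    "111111111111": [{"Key": "Environment", "Value": "test"}, {"Key": "IAMKeyRotate", "Value": "YES"}],
    "222222222222": [{"Key": "IAMKeyRotate", "Value": "yes"},
                     {"Key": "KeyRotationContact", "Value": "dev-team@example.com"}],
    "333333333333": [{"Key": "IAMKeyRotate", "Value": "NO"}],
    "444444444444": [{"Key": "IAMKeyRotate", "Value": "YES"}],
}


def demo():
    """Run the selection over the sample data; returns (account id, email) pairs."""
    client = FakeOrgClient(SAMPLE_ACCOUNTS, SAMPLE_TAGS)
    return [(a["Id"], notification_email(a, account_tags(client, a["Id"])))
            for a in select_accounts(client)]


if __name__ == "__main__":
    for account_id, email in demo():
        print(account_id, email)
```

Swap FakeOrgClient for real_org_client() to run against an organisation; the role still needs organizations:ListAccounts and organizations:ListTagsForResource, as noted in the thread. Keeping the tag key and value as parameters is what makes the staged rollout (POC, then Dev, STG, Prod) a matter of tagging rather than code changes.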