The AWS Secure Environment Accelerator is a tool designed to help deploy and operate secure multi-account, multi-region AWS environments on an ongoing basis. The power of the solution is the configuration file which enables the completely automated deployment of customizable architectures within AWS without changing a single line of code.
Apache License 2.0
[BUG][OTHER] SEA apply the wrong version of SCP Quarantine and block Cloud Formation StackSet #1186
Upgrade from version: 1.2.5 (first version installed)
Which State did the Main State Machine Fail in: NA
The SCP "PBMMAccel-Quarantine-New-Object" blocks the CFN StackSets role. The state machine applies the SCP twice, ignoring the customized version on the first apply.
The CloudFormation StackSet role gets an explicit deny when creating the stack in a new account:
User: arn:aws:sts::accountID:assumed-role/stacksets-exec-*/ is not authorized to perform: iam:GetRole on resource: role nameOfTheStackSet with an explicit deny in a service control policy
Deploying the stack set on older accounts does not have this problem, because the Quarantine SCP is not attached.
We customized the SCP to allow the stack set role as the other issue recommended:
New accounts still have the problem after the adjustment. Older accounts do not have the problem even if we attach the Quarantine SCP.
We opened an AWS case about this problem and here's what they found: the state machine applies the Quarantine SCP twice during its execution, once with the default version without the stack set role, and once with the customized version. The error occurs after the first attachment of the default SCP.
AWS Case about this problem: 13652761591
Steps To Reproduce:
Create a stack set in CloudFormation deployed as AWS Managed
Deploy the stack set on the organisation
In SEA, create a new account
See the error in CloudFormation on the stack set for the new account's stack
Expected behavior:
The Step Function is not supposed to apply the default version of the Quarantine SCP, causing issues for stack sets and possibly other services
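Added example, not code from the ASEA project or from the issue reporter: an offline check that models the deny described above. It assumes the quarantine SCP is a single Deny-all statement whose only exception is an ArnNotLike condition on aws:PrincipalARN (the real PBMMAccel-Quarantine-New-Object document may differ), evaluates whether the StackSets execution role would be denied iam:GetRole under the default versus the customized policy, and compares the policy content actually attached in Organizations against the customized document so a wrong version can be caught after the state machine runs.

```python
import fnmatch
import json

# Constructed SCP shaped like the quarantine SCP the issue describes (assumed:
# one Deny-all statement whose only exception is an ArnNotLike condition on
# aws:PrincipalARN; the real PBMMAccel-Quarantine-New-Object policy may differ).
DEFAULT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "QuarantineNewObject",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalARN": [
            "arn:aws:iam::*:role/PBMMAccel-*",
        ]}},
    }],
}

# The customized version: the same policy plus an exception for the StackSets
# execution role (hypothetical pattern; match it to your own role naming).
CUSTOMIZED_SCP = json.loads(json.dumps(DEFAULT_SCP))
CUSTOMIZED_SCP["Statement"][0]["Condition"]["ArnNotLike"]["aws:PrincipalARN"].append(
    "arn:aws:iam::*:role/stacksets-exec-*"
)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def scp_denies(policy, principal_arn, action):
    """True if a Deny statement in the SCP applies to (principal, action).
    Handles only the subset used here: Action globs and an ArnNotLike
    condition on aws:PrincipalARN; fnmatch's '*' is a simplification of IAM's
    ARN matching that is adequate for role-name patterns."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
            continue
        exempt = _as_list(stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN"))
        # ArnNotLike: the Deny applies only when the principal matches none of the patterns.
        if any(fnmatch.fnmatchcase(principal_arn, p) for p in exempt):
            continue
        return True
    return False

def policy_content_matches(expected, attached_content):
    """Compare the SCP actually attached (Organizations DescribePolicy returns the
    content as a JSON string) against the customized document, ignoring formatting."""
    return json.loads(attached_content) == expected
```

Note that aws:PrincipalARN for an assumed role is the IAM role ARN (arn:aws:iam::account:role/name), not the sts assumed-role ARN shown in the error message, so the exception pattern must target the role ARN.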