search

aws-samples / scp-alternative-solution

The alternative solution for AWS Organizations SCP feature which is not available in AWS China yet.
MIT No Attribution
14 stars 6 forks source link

Event pattern for IAM CreateRole/CreateUser does not work #14

Open daftkid opened 2 years ago

daftkid commented 2 years ago

Hello, just deployed this solution today within China (Ningxia)cn-northwest-1 and everything is OK except triggering lambda on IAM "CreateRole" & "CreateUser" event.

I can see these events in CloudTrail but event rule is not capturing them.

Could you please help me to investigate this issue? I've spent about 4 hours playing around this problem but with no luck.

daftkid commented 2 years ago

I do not know if it matters but I have enrolled new account via service catalog without creating dedicated CloudTrail trail as centralized Cloudtrail is already enabled for this target account.

Also, I have found this notice in Event Bridge troubleshooting guide - https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-troubleshooting.html#eb-rule-did-not-trigger-iam . Not sure if it makes sense to worry about the region in China AWS :)

daftkid commented 2 years ago

Well, finally deployed the solution into Beijing region and it seems to be working now. I suppose it's make sense to add information about region to the docs. Please let me know if you want me to prepare PR

ganhuang commented 2 years ago

Also, I have found this notice in Event Bridge troubleshooting guide - https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-troubleshooting.html#eb-rule-did-not-trigger-iam . Not sure if it makes sense to worry about the region in China AWS :)

That's true, that's why the region is hardcoded in the scripts.

I suppose it's make sense to add information about region to the docs. Please let me know if you want me to prepare PR

Agreed, thanks for raising it up and feel free to post a PR to update it :-)

daftkid commented 2 years ago

Thanks for the clarification, just posted the PR :)

ganhuang commented 2 years ago

Thanks for your contribution.

daftkid commented 2 years ago

Just reviewed the Lambda code for account registration and REGION_NAME is really passed to the function which creates sts client for the management account, however, this region value is not used... and the region is not passed into the function for creation of STS client for event rules in target account... If I not mistaken, I tried to deploy it into Ningxia region first and event rules in enrolled accounts were created in Ningxia instead of Beijing. I'm not sure that this REGION value pinned to cn-north-1 does really make sense.

ganhuang commented 2 years ago

oh, you're right, re-opening this issue...