The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
Is your feature request related to a problem? Please describe.
If we deploy any change using CfCT, our security team gets alerts that the Service Control Policies are always redeployed/updated, regardless of whether any change was made to the SCPs (e.g. when only a CloudFormation resource changed).
We had initially designed one of our CloudTrail alert signals to detect changes to SCPs, but this is quite noisy during the initial build phase, so we might need to suppress it.
Describe the feature you'd like
Only deploy/update SCPs if a difference exists between the SCPs already deployed and those passed to the SCP state machine
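The check requested above, as an added example that is not part of this issue or of the CfCT project's own code: compare the SCP document already deployed in AWS Organizations with the one the state machine is about to apply, after canonicalising both (key order and whitespace are not semantic in a policy document), and only call UpdatePolicy when they actually differ. The policy ID, the sample policy documents and the FakeOrganizationsClient are all constructed so the example runs offline; against a real account the same sync_scp function would be given boto3.client("organizations"), whose describe_policy and update_policy calls it uses.

```python
import json
from typing import Dict, List


def normalize_policy(content: str) -> str:
    """Canonicalise a policy document: parse it and re-serialise with sorted
    keys and no whitespace, so formatting-only differences disappear."""
    return json.dumps(json.loads(content), sort_keys=True, separators=(",", ":"))


def policy_differs(deployed_content: str, desired_content: str) -> bool:
    """True only when the two documents differ semantically."""
    return normalize_policy(deployed_content) != normalize_policy(desired_content)


def sync_scp(org_client, policy_id: str, desired_content: str) -> bool:
    """Update the SCP only if its deployed content differs from the desired one.
    Returns True when an UpdatePolicy call was made, False when it was skipped,
    so callers can count (and CloudTrail will record) only real changes."""
    deployed = org_client.describe_policy(PolicyId=policy_id)["Policy"]["Content"]
    if not policy_differs(deployed, desired_content):
        return False
    # Send the author's original text, not the canonical form, so what lands in
    # the account is exactly what is in the repository.
    org_client.update_policy(PolicyId=policy_id, Content=desired_content)
    return True


class FakeOrganizationsClient:
    """Constructed stand-in for boto3.client('organizations'); it implements
    only the two calls sync_scp uses and records every UpdatePolicy call."""

    def __init__(self, policies: Dict[str, str]):
        self._policies = dict(policies)
        self.update_calls: List[str] = []

    def describe_policy(self, PolicyId: str) -> dict:
        return {"Policy": {"PolicySummary": {"Id": PolicyId},
                           "Content": self._policies[PolicyId]}}

    def update_policy(self, PolicyId: str, Content: str, **kwargs) -> dict:
        self._policies[PolicyId] = Content
        self.update_calls.append(PolicyId)
        return {"Policy": {"PolicySummary": {"Id": PolicyId}, "Content": Content}}


# Constructed sample data (not real policy IDs or documents from any account).
POLICY_ID = "p-0000example"

DEPLOYED_SCP = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"}
  ]
}"""

# Same policy, minified and with keys reordered: must NOT trigger an update.
REFORMATTED_SCP = ('{"Statement":[{"Action":"organizations:LeaveOrganization",'
                   '"Effect":"Deny","Resource":"*","Sid":"DenyLeaveOrg"}],'
                   '"Version":"2012-10-17"}')

# Genuinely different policy (an added deny): MUST trigger an update.
CHANGED_SCP = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"},
    {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}
  ]
}"""


def run_demo() -> int:
    """Apply three deployments in sequence and return how many UpdatePolicy
    calls were actually made: only the one real change should count."""
    client = FakeOrganizationsClient({POLICY_ID: DEPLOYED_SCP})
    sync_scp(client, POLICY_ID, REFORMATTED_SCP)  # no-op: same policy
    sync_scp(client, POLICY_ID, CHANGED_SCP)      # real change: one update
    sync_scp(client, POLICY_ID, CHANGED_SCP)      # re-run: already in sync
    return len(client.update_calls)


if __name__ == "__main__":
    print("UpdatePolicy calls made:", run_demo())
```

The comparison covers policy content only; whether an SCP is attached to the right targets is a separate check (ListTargetsForPolicy against the desired OU/account list) and would need the same "compare, then act only on a difference" treatment to keep attach/detach events out of the audit trail too.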
Additional context
We use CfCT for:
deployment of Service Control Policies across all accounts in our Control Tower environment
deployment of any components within our Core OU (logging/audit)
deployment of common shared components or configuration that we'd expect to exist within any AWS account in our Organisation (e.g. SSM params holding account numbers for use within CloudFormation scripts, configuration of S3 bucket account policy, IAM policy, etc.)
We centralise all our CloudTrail activity to a central logging account, and this is monitored by our security team for indicators of compromise.
We use CfCT as a deployment mechanism, with a CodeCommit repo that has a pipeline which publishes changes on the main branch to the bucket, which then triggers CfCT.