Open yawn opened 4 years ago
Hi @yawn
Indeed this is an area we could expand on, I think an SCP here that ships as part of ADF itself that handles locking down removal or alteration of base stacks would be a great addition.
A quick cat global.yml deployment/*.yml | grep Type | grep -Eo "AWS::[^\"']+" | cut -d ':' -f 3-5 | sort | uniq
shows the following:
CodeBuild::Project
CodeCommit::Repository
CodePipeline::Pipeline
Events::Rule
IAM::ManagedPolicy
IAM::Policy
IAM::Role
KMS::Alias
KMS::Key
Lambda::LayerVersionPermission
Lambda::Permission
S3::Bucket
S3::BucketPolicy
SNS::Topic
SNS::TopicPolicy
SSM::Parameter
Serverless::Function
Serverless::LayerVersion
StepFunctions::StateMachine
A couple of initial remarks:
policy_sentry
). Code*
services and I believe it will take some consideration & coordination on what the policy should express since these service are on the higher quantitive end of action size.I'll try to prepare an example SCP during the week but feedback on the points raised would be welcome.
Thanks @yawn - @thomasmcgannon + @kalleeh what are your thoughts on this? I'd like to get this into the 3.1 release with your guidance.
Please keep in mind that I based this evaluation on version 2.x.
Any update here on your internal planning? We can support here but I think we should consider changing naming conventions here to simplify the SCP. I'll do an ADF deploy today and double-check that my understanding is still up to (3.x) date.
We are happy users of ADF for organisational / baseline (partially together with CT) as well as workload setups. One thing that is currently missing is integrity protection (in the form of an SCP) for the ADF infrastructure itself. Would this be interesting for the project as well?
I understand that (depending on the approach taken, specific resources / prefixes / maybe even tags if the coverage allows it) this might might not extend well to baselines being rolled out via
regional
/global
but protecting the off-the-shelf ADF components would be enough for us initially (since we try to sail underneath the CT conventions for integrity protection for our customisations anyway).Since #146 was closed - are you interested in a contribution here?