Open JoyXinhongChen opened 1 year ago
Hi @JoyXinhongChen , I've had the exact same issue today. I've got a potential fix running through my pipeline as we speak, and I'm happy to share if it works. 🤞
I ran into a similar issue with "ram:RequestedAllowsExternalPrincipals": "true" in an SCP to meet the customer requirement for resource sharing control via RAM, and the pipeline failed on the network stacks.
Any fix available now?
I went through the same trouble after security went in. After we enabled the company-wide SCP, which contains PreventExternalSharing, the sharing of the subnet to the other workload accounts within the same Org failed in the network association steps. We have to disable the SCP manually to let the sharing happen, which is not a best practice in the eyes of security. I would prefer that, when using shareTarget, there were a property to set the AllowExternalPrincipals value to "true" or "false".
Hi @joshuahigginson1 ,
How did your fix pan out in the end?
Hey there, any updates on this one? Still having to use workarounds at customers a year later.
Describe the bug
Changing the applied NFW rule group name in LZA in the management account and getting the following error.
Customer: :x: Deployment failed: Error: Stack Deployments Failed: Error: The stack named AWSAccelerator-NetworkPrepStack-8xxxxx541-ap-southeast-2 failed to deploy: UPDATE_ROLLBACK_COMPLETE: User: arn:aws:sts::8xxxxx541:assumed-role/cdk-accel-cfn-exec-role-8xxxxx541-ap-southeast-2/AWSCloudFormation is not authorized to perform: ram:CreateResourceShare on resource: arn:aws:ram:ap-southeast-2:8xxxxx541:resource-share/* with an explicit deny (Service: AWSRAM; Status Code: 403; Error Code: AccessDeniedException; Request ID: 497ad1cc-dd90-499e-8930-87fdc98ec518; Proxy: null)
The attached SCP looks good to us; we have raised an AWS support ticket to solve this: https://support.console.aws.amazon.com/support/home?region=ap-southeast-2#/case/?displayId=13486042801&language=en
Potential causes: under the "AllowExternalPrincipals" property, the default value for this property is "true". This means that your CloudFormation template must set this property explicitly to "false" in order not to get denied by the SCP.
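To make the interaction described in this report concrete, here is an added pre-deployment check (example code, not part of LZA or this issue): it models a PreventExternalSharing-style SCP with the `ram:RequestedAllowsExternalPrincipals` condition key and flags every `AWS::RAM::ResourceShare` in a template that would hit the explicit deny, including shares that omit `AllowExternalPrincipals` and therefore default to true. The SCP, the template and the logical IDs are constructed for the example.

```python
# Constructed SCP modelled on the PreventExternalSharing pattern the thread
# describes (not the project's policy): deny RAM shares whose requested
# allowsExternalPrincipals flag is true.
SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PreventExternalSharing",
    "Effect": "Deny",
    "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"],
    "Resource": "*",
    "Condition": {"Bool": {"ram:RequestedAllowsExternalPrincipals": "true"}},
}]}

# Constructed template: one share omits the property (defaults to true),
# the other sets it explicitly to false as the report recommends.
TEMPLATE = {"Resources": {
    "SubnetShareImplicit": {"Type": "AWS::RAM::ResourceShare",
                            "Properties": {"Name": "subnet-share"}},
    "SubnetShareExplicit": {"Type": "AWS::RAM::ResourceShare",
                            "Properties": {"Name": "subnet-share",
                                           "AllowExternalPrincipals": False}},
}}


def requested_allows_external(props):
    # Value RAM will see for allowsExternalPrincipals; omitted means true.
    value = props.get("AllowExternalPrincipals", True)
    if isinstance(value, str):  # JSON/YAML templates may carry "false"
        return value.strip().lower() == "true"
    return bool(value)


def scp_denies(scp, action, allows_external):
    # Evaluate only Deny statements and the Bool condition on the RAM key.
    for stmt in scp["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or action not in actions:
            continue
        want = stmt.get("Condition", {}).get("Bool", {}).get(
            "ram:RequestedAllowsExternalPrincipals")
        # No condition means an unconditional deny; otherwise match the flag.
        if want is None or (want.lower() == "true") == allows_external:
            return True
    return False


def shares_blocked_by_scp(template, scp):
    # Logical IDs of RAM shares whose creation the SCP would deny.
    blocked = []
    for logical_id, res in template["Resources"].items():
        if res.get("Type") != "AWS::RAM::ResourceShare":
            continue
        flag = requested_allows_external(res.get("Properties", {}))
        if scp_denies(scp, "ram:CreateResourceShare", flag):
            blocked.append(logical_id)
    return blocked
```

Running `shares_blocked_by_scp(TEMPLATE, SCP)` reports only `SubnetShareImplicit`, which is the same class of resource that produced the AccessDeniedException above.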