awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Default AllowExternalPrincipals value is true in LZA cfn stack #230

Open JoyXinhongChen opened 1 year ago

JoyXinhongChen commented 1 year ago

Describe the bug

Changing the applied NFW rule group name in LZA in the management account and getting the following error.

Customer:

:x: Deployment failed: Error: Stack Deployments Failed: Error: The stack named AWSAccelerator-NetworkPrepStack-8xxxxx541-ap-southeast-2 failed to deploy: UPDATE_ROLLBACK_COMPLETE: User: arn:aws:sts::8xxxxx541:assumed-role/cdk-accel-cfn-exec-role-8xxxxx541-ap-southeast-2/AWSCloudFormation is not authorized to perform: ram:CreateResourceShare on resource: arn:aws:ram:ap-southeast-2:8xxxxx541:resource-share/* with an explicit deny (Service: AWSRAM; Status Code: 403; Error Code: AccessDeniedException; Request ID: 497ad1cc-dd90-499e-8930-87fdc98ec518; Proxy: null)

The SCP attached is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventExternalSharing",
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:UpdateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ram:RequestedAllowsExternalPrincipals": "true"
                }
            }
        }
    ]
}

The SCP looks good to us; we have raised an AWS support ticket to solve this: https://support.console.aws.amazon.com/support/home?region=ap-southeast-2#/case/?displayId=13486042801&language=en

Potential causes: under the "AllowExternalPrincipals" property, the default value is "true". This means that your CloudFormation template must set this property explicitly to "false" in order not to be denied by the SCP.

Screenshots

[screenshot image attached to the original issue; not reproduced here]
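As an added example (not code from this issue or from the LZA project), the following Python check models the failure mode described above: an AWS::RAM::ResourceShare whose AllowExternalPrincipals property is omitted is treated as "true", so the PreventExternalSharing SCP's Bool condition matches and the create/update call is denied. The template, account IDs and ARNs are constructed placeholders; the SCP is the one posted in the issue wrapped in a full policy document. It can be run as a pre-deployment lint over a synthesized CloudFormation template to find shares that will trip the SCP.

```python
"""Lint a CloudFormation template for AWS::RAM::ResourceShare resources that the
PreventExternalSharing SCP would deny.

Key point: when AllowExternalPrincipals is omitted, the RAM request is made with
the default of true, so the condition key ram:RequestedAllowsExternalPrincipals
evaluates to "true" and the Deny statement applies.
"""
import json

# The SCP statement from the issue, wrapped in a complete policy document.
PREVENT_EXTERNAL_SHARING_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventExternalSharing",
            "Effect": "Deny",
            "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"],
            "Resource": "*",
            "Condition": {"Bool": {"ram:RequestedAllowsExternalPrincipals": "true"}},
        }
    ],
}

RAM_SHARE_TYPE = "AWS::RAM::ResourceShare"
CONDITION_KEY = "ram:RequestedAllowsExternalPrincipals"


def requested_allows_external_principals(properties: dict) -> bool:
    """Value RAM will see for the request; an omitted property means True (the default)."""
    value = properties.get("AllowExternalPrincipals", True)
    if isinstance(value, str):  # templates sometimes carry booleans as strings
        return value.strip().lower() == "true"
    return bool(value)


def scp_denies(scp: dict, action: str, context: dict) -> bool:
    """Minimal evaluator for Deny statements with a Bool condition (only what this check needs)."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        # Every Bool key must match (case-insensitive) for the statement to apply.
        if all(str(context.get(k, "")).lower() == str(v).lower() for k, v in bool_cond.items()):
            return True
    return False


def find_denied_resource_shares(template: dict, scp: dict = PREVENT_EXTERNAL_SHARING_SCP) -> list:
    """Return logical IDs of resource shares whose create call the SCP would deny."""
    denied = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != RAM_SHARE_TYPE:
            continue
        allows = requested_allows_external_principals(res.get("Properties", {}))
        context = {CONDITION_KEY: "true" if allows else "false"}
        if scp_denies(scp, "ram:CreateResourceShare", context):
            denied.append(logical_id)
    return denied


# Constructed sample template (placeholder account ID, OU and subnet IDs).
_PRINCIPAL = "arn:aws:organizations::111111111111:ou/o-placeholder/ou-placeholder"
_SUBNET = "arn:aws:ec2:ap-southeast-2:111111111111:subnet/subnet-0placeholder"
SAMPLE_TEMPLATE = {
    "Resources": {
        # Property omitted: defaults to true, so the SCP denies it.
        "SubnetShareDefault": {
            "Type": RAM_SHARE_TYPE,
            "Properties": {"Name": "subnet-share", "ResourceArns": [_SUBNET], "Principals": [_PRINCIPAL]},
        },
        # Explicit false: passes the SCP and still shares within the Org.
        "SubnetShareExplicitFalse": {
            "Type": RAM_SHARE_TYPE,
            "Properties": {"Name": "subnet-share-ok", "AllowExternalPrincipals": False,
                           "ResourceArns": [_SUBNET], "Principals": [_PRINCIPAL]},
        },
        # Explicit true: denied, as intended by the SCP.
        "SubnetShareExplicitTrue": {
            "Type": RAM_SHARE_TYPE,
            "Properties": {"Name": "subnet-share-ext", "AllowExternalPrincipals": "true",
                           "ResourceArns": [_SUBNET], "Principals": [_PRINCIPAL]},
        },
        "NotAShare": {"Type": "AWS::EC2::Subnet", "Properties": {}},
    }
}

if __name__ == "__main__":
    print(json.dumps(find_denied_resource_shares(SAMPLE_TEMPLATE)))
```

Running it against a real synthesized template (json.load the file and pass the dict) lists every share that would fail with the AccessDeniedException shown in the issue before the stack is deployed; the fix on the template side is the explicit `"AllowExternalPrincipals": false` shown for SubnetShareExplicitFalse.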
joshuahigginson1 commented 1 year ago

Hi @JoyXinhongChen , I've had the exact same issue today. I've got a potential fix running through my pipeline as we speak, and I'm happy to share if it works. 🤞

lawliangfcc commented 1 year ago

I ran into a similar issue with "ram:RequestedAllowsExternalPrincipals": "true" in the SCP to meet the customer requirement for resource sharing control via RAM, and the pipeline failed on the network stacks.

Any fix available now?

xp-versent commented 6 months ago

I ran into the same trouble after security went in. After we enabled the company-wide SCP, which contains PreventExternalSharing, sharing the subnet to the other workload accounts within the same Org failed in the network association steps. We had to disable the SCP manually to let the sharing happen, which is not a best practice in the eyes of security. I would prefer that when using shareTarget, there were a property to set the AllowExternalPrincipals value to "true" or "false".

richardkeit commented 6 months ago

Hi @joshuahigginson1 ,

How did your fix pan out in the end?

msntx commented 1 month ago

Hey there, any updates on this one? Still having to use workarounds at customers a year later.