elastic / cloudbeat

Analyzing Cloud Security Posture

[AWS Orgs] CloudFormation fail to create multiple stacks for the same org #1319

Open uri-weisman opened 11 months ago

uri-weisman commented 11 months ago

Describe the bug

In a situation where a user aims to evaluate misconfigurations in two distinct Organizational Units (OUs) within the same organization, they may establish two Elastic Agents through separate CloudFormation deployments. As a consequence, one of these stack creations is prone to fail due to the preexisting root role.

Preconditions

8.11.0 stack version

To Reproduce

Write the exact actions one should perform in order to reproduce the bug. Steps to reproduce the behavior:

  1. Deploy AWS CSPM for organizations
  2. Evaluate an organization unit.
  3. Deploy another agent using CloudFormation and provide a different OU ID under the same organization.
  4. The second stack will fail to be created as we'll try to create an already existing role.

Both deployments should occur in the same AWS region

Expected behavior

Even though the CloudFormation template supports a comma-separated list of OU IDs, the user might deploy several stacks to achieve the same; therefore, multiple stack creations in the same org should be possible.
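The failure described in this report is the generic CloudFormation behaviour for any resource with a fixed physical name: a second stack in the same account and region that declares an `AWS::IAM::Role` with the same `RoleName` is rejected by IAM, and the stack rolls back. The template below is an added, illustrative example written for this thread; it is not the cloudbeat CloudFormation template, and the role name, the trust policy, the IAM actions and the `CreateRootRole` / `ExistingRootRoleName` parameters are assumptions chosen to show one way that later stacks can reuse the role the first stack created instead of trying to create it again.

```yaml
# Added example, not the cloudbeat template. Shows the conflicting pattern
# (a fixed RoleName) and one mitigation: a Condition that creates the role only
# on the first stack, with later stacks passing in the existing role's name.
AWSTemplateFormatVersion: "2010-09-09"
Description: Illustrative CSPM agent stack (example only, names are placeholders)

Parameters:
  OrganizationalUnitIds:
    Type: CommaDelimitedList
    Description: OU IDs this agent evaluates (a list, as the issue text notes)
  CreateRootRole:
    Type: String
    AllowedValues: ["true", "false"]
    Default: "true"
    Description: >-
      Leave "true" for the first stack in this account/region. Set "false" on
      every later stack so the existing root role is reused, not re-created.
  ExistingRootRoleName:
    Type: String
    Default: ""
    Description: Name of the role created by the first stack (used when CreateRootRole is "false")

Conditions:
  ShouldCreateRootRole: !Equals [!Ref CreateRootRole, "true"]

Resources:
  # Conflicting pattern: a fixed RoleName is account-wide, so without the
  # Condition a second stack fails with "role already exists".
  RootRole:
    Type: AWS::IAM::Role
    Condition: ShouldCreateRootRole
    Properties:
      RoleName: example-cspm-root-role   # placeholder; the fixed name is the source of the clash
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com   # assumed: agent runs on EC2 and assumes via instance profile
            Action: sts:AssumeRole
      Policies:
        - PolicyName: example-org-read-only   # placeholder, illustrative read-only scope
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - organizations:ListAccounts
                  - organizations:ListOrganizationalUnitsForParent
                  - organizations:ListAccountsForParent
                Resource: "*"

  # Per-stack resources stay unnamed so CloudFormation generates unique names;
  # a role may belong to several instance profiles, so each stack gets its own.
  AgentInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !If [ShouldCreateRootRole, !Ref RootRole, !Ref ExistingRootRoleName]

Outputs:
  RootRoleName:
    Description: Pass this as ExistingRootRoleName (with CreateRootRole=false) to later stacks
    Value: !If [ShouldCreateRootRole, !Ref RootRole, !Ref ExistingRootRoleName]
  EvaluatedOUs:
    Value: !Join [",", !Ref OrganizationalUnitIds]
```

With this layout the first deployment uses the defaults and exports `RootRoleName`; each additional deployment for another OU sets `CreateRootRole=false` and `ExistingRootRoleName` to that output, so only the unnamed per-stack resources are created. Two caveats worth keeping in mind: deleting the first stack removes the shared role from under the later ones, and the simpler route the report already mentions, a single stack with the comma-separated OU list, avoids the shared-resource problem entirely.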

orestisfl commented 11 months ago

I am re-tagging as enhancement since this is intentionally done this way, and it is something we can improve on in a future version by weighing the additional onboarding, configuration and code complexity.

CC @tinnytintin10