tomwwright / littleorange

Minimalist AWS multi-account cloud leveraging CloudFormation and Lambda.
GNU General Public License v3.0

Securing CloudFormation Custom Resource access from workload accounts relies on securing "stacksets-exec-*" IAM Roles #19

Closed tomwwright closed 3 years ago

tomwwright commented 3 years ago

When using service-managed permissions for CloudFormation Stack Sets, the following occurs:

  1. When first configured, this service role is configured in the master account: arn:aws:iam::xxx:role/aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin and this service role is created in the member accounts: arn:aws:iam::xxx:role/aws-service-role/member.org.stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgMember

  2. When a stack is created via a stack set, the AWSServiceRoleForCloudFormationStackSetsOrgMember role is assumed by member.org.stacksets.cloudformation.amazonaws.com in a SS-Bootstrap-* session and used to create a role with name pattern stacksets-exec-*. The trust policy on this stacksets-exec-* role allows only the AWSServiceRoleForCloudFormationStackSetsOrgAdmin service role to assume it.

  3. The AWSServiceRoleForCloudFormationStackSetsOrgAdmin service role assumes the stacksets-exec-* role, and it is used to provision resources as part of the stack.


This is an issue specifically for Little Orange because it leverages Lambda-backed Custom Resources in the master account that need to be securely invoked from all accounts in the Organization.

The issue here is that if you are attempting to secure resources via IAM so they can only be accessed by the service-managed permissions of CloudFormation Stack Sets you are limited to targeting the stacksets-exec-* roles via aws:PrincipalArn in an IAM Condition. If a user created a role called stacksets-exec-my-malicious-role it could invoke the Custom Resources and therefore modify sensitive state of the Organization.

One (partial) resolution here is to introduce an SCP across the Organization that limits the creation and management of these stacksets-exec-* roles to the AWSServiceRoleForCloudFormationStackSetsOrgMember service roles.

tomwwright commented 3 years ago

Resolved in https://github.com/tomwwright/littleorange/commit/3111e35f25d71510e846addb0cec582800fa7072

SCP attached to Main OU now enforces that only the specific service-managed Stack Sets role can manage the stacksets-exec-* roles.
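The SCP proposed in the first comment and applied in the second, written out as an added example (not the policy from the linked commit), together with a small evaluator for its single Deny statement so the effect on sample callers can be checked offline. The account id 111111111111 and the caller ARNs in the test are constructed placeholders; the evaluator models only the StringNotLike condition on aws:PrincipalArn and ARN wildcards, not full IAM evaluation.

```python
"""Added example, not code from the littleorange repository."""
import fnmatch
import json

# The service-linked role that Stack Sets assumes in each member account
# (name taken from the issue; the account id is a wildcard on purpose).
ORG_MEMBER_SLR = ("arn:aws:iam::*:role/aws-service-role/"
                  "member.org.stacksets.cloudformation.amazonaws.com/"
                  "AWSServiceRoleForCloudFormationStackSetsOrgMember")

# Deny every IAM action that creates or alters a stacksets-exec-* role unless
# the caller is that service-linked role. Anything else in the member account,
# including an administrator creating "stacksets-exec-my-malicious-role",
# is refused before the Custom Resource's aws:PrincipalArn check is reached.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyStackSetsManagesExecRoles",
        "Effect": "Deny",
        "Action": [
            "iam:CreateRole", "iam:DeleteRole", "iam:UpdateRole",
            "iam:UpdateAssumeRolePolicy", "iam:AttachRolePolicy",
            "iam:DetachRolePolicy", "iam:PutRolePolicy",
            "iam:DeleteRolePolicy", "iam:PutRolePermissionsBoundary",
            "iam:DeleteRolePermissionsBoundary",
        ],
        "Resource": "arn:aws:iam::*:role/stacksets-exec-*",
        "Condition": {"StringNotLike": {"aws:PrincipalArn": ORG_MEMBER_SLR}},
    }],
}


def scp_denies(principal_arn: str, action: str, resource_arn: str) -> bool:
    """True if the SCP's Deny statement matches this request.

    Action names are compared case-sensitively here; IAM itself is
    case-insensitive for actions, so pass them in canonical form."""
    stmt = SCP["Statement"][0]
    if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    if not fnmatch.fnmatchcase(resource_arn, stmt["Resource"]):
        return False
    allowed_caller = stmt["Condition"]["StringNotLike"]["aws:PrincipalArn"]
    # StringNotLike: the Deny applies only when the caller does NOT match.
    return not fnmatch.fnmatchcase(principal_arn, allowed_caller)


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
```

Service-linked roles are exempt from SCPs, so AWS would let the OrgMember role through even without the Condition; it mainly documents the intent. SCPs also never apply to the management (master) account, which is why the policy is attached at the OU holding the workload accounts.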