Closed tomwwright closed 3 years ago
Resolved in https://github.com/tomwwright/littleorange/commit/3111e35f25d71510e846addb0cec582800fa7072
SCP attached to Main OU now enforces that only the specific service-managed Stack Sets role can manage the `stacksets-exec-*` roles
When using service-managed permissions for CloudFormation Stack Sets, the following occurs:

- When first configured, this service role is configured in the master account: `arn:aws:iam::xxx:role/aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin` and this service role is created in the member accounts: `arn:aws:iam::xxx:role/aws-service-role/member.org.stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgMember`
- When a stack is created via a stack set the `AWSServiceRoleForCloudFormationStackSetsOrgMember` role is assumed by `member.org.stacksets.cloudformation.amazonaws.com` in a `SS-Bootstrap-*` session and used to create a role with name pattern `stacksets-exec-*`. The trust policy on this `stacksets-exec-*` role allows only the `AWSServiceRoleForCloudFormationStackSetsOrgAdmin` service role to assume it
- The `AWSServiceRoleForCloudFormationStackSetsOrgAdmin` service role assumes the `stacksets-exec-*` role and it is used to provision resources as part of the stack

This is an issue specifically for Little Orange because it leverages Lambda-backed Custom Resources in the master account that need to be securely invoked from all accounts in the Organization.
The issue here is that if you are attempting to secure resources via IAM so they can only be accessed by the service-managed permissions of CloudFormation Stack Sets you are limited to targeting the `stacksets-exec-*` roles via `aws:PrincipalArn` in an IAM Condition. If a user created a role called `stacksets-exec-my-malicious-role` it could invoke the Custom Resources and therefore modify sensitive state of the Organization.

One (partial) resolution here is to introduce an SCP across the Organization that limits the creation and management of these `stacksets-exec-*` roles to the `AWSServiceRoleForCloudFormationStackSetsOrgMember` service roles
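An SCP of the shape described above, written here as an added example rather than the policy from the Little Orange commit; the `Sid` and the exact list of denied IAM actions are assumptions. It denies every principal except the member-account `AWSServiceRoleForCloudFormationStackSetsOrgMember` service role from creating or modifying any role whose name matches `stacksets-exec-*`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyStackSetsExecRoleManagementExceptServiceRole",
      "Effect": "Deny",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription",
        "iam:UpdateAssumeRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:DeleteRolePermissionsBoundary",
        "iam:TagRole",
        "iam:UntagRole"
      ],
      "Resource": "arn:aws:iam::*:role/stacksets-exec-*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/member.org.stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgMember"
        }
      }
    }
  ]
}
```

Two caveats when attaching this: SCPs never apply to the management (master) account, and SCPs do not restrict service-linked roles at all, so the `ArnNotLike` condition documents intent and protects against a lookalike role name rather than being what exempts the service role itself.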