AWS solutions high security documentation change
Summary
Added IAM condition restricting role assumption to specific AcceleratorQualifier roles, included AdministratorAccess policy requirement, and added detailed instructions for external pipeline deployment including security recommendations for SCPs.
Security assessment
Added explicit IAM condition (StringLike) limiting role assumption to specific role patterns, reducing attack surface. Includes security recommendation for SCPs to protect pipeline roles. Directly addresses privilege escalation risks by restricting cross-account access.
Diff
diff --git a/solutions/latest/landing-zone-accelerator-on-aws/external-pipeline-deployment.md b/solutions/latest/landing-zone-accelerator-on-aws/external-pipeline-deployment.md index ec1bc0510..30188a621 100644 --- a//solutions/latest/landing-zone-accelerator-on-aws/external-pipeline-deployment.md +++ b//solutions/latest/landing-zone-accelerator-on-aws/external-pipeline-deployment.md @@ -7 +7 @@ -In a default Landing Zone Accelerator on AWS installation, the CodePipeline and S3 bucket deploys into the AWS Organizations management account. You may want to deploy and operate these components in a member AWS account to limit access to the management account. This solution supports this model with an optional pipeline deployment account. +In a default Landing Zone Accelerator on AWS installation, the CodePipeline and S3 bucket deploys into the AWS Organizations management account. You may want to deploy and operate these components in a member AWS account to limit access to the management account. This solution supports this model with an optional pipeline deployment account. In this model, the solution assumes a role in the AWS Organizations management account to deploy resources to workload accounts. @@ -31 +31,11 @@ Follow these instructions to implement this pattern: - "arn:aws:iam:: + "AWS": "arn:aws:iam::${PIPELINE_DEPLOYMENT_ACCOUNT_ID}:root" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringLike": { + "aws:PrincipalArn": "arn:aws:iam::${PIPELINE_DEPLOYMENT_ACCOUNT_ID}:role/${AcceleratorQualifier}-*" + } + } + } + ] + } @@ -32,0 +43 @@ Follow these instructions to implement this pattern: + 1. Attach the `AdministratorAccess` AWS managed IAM policy to the role. @@ -36,0 +48,38 @@ Follow these instructions to implement this pattern: +###### Note + +By default, AWS IAM roles with prefix AcceleratorQualifier in the pipeline account are used by AWS CodeBuild to assume role in the management account and deploy resources. To protect these roles, you should implement additional security measures, such as Service control policies (SCPs). + +After you create the IAM role in the management account, synthesize the Landing Zone Accelerator on AWS installer template configured for external deployments by following these instructions: + + 1. Clone or download the latest release of the Landing Zone Accelerator on AWS [source code](https://github.com/awslabs/landing-zone-accelerator-on-aws/tree/main/source). + + 2. Navigate to the `source` folder: + + cd landing-zone-accelerator-on-aws/source + + 3. Install dependencies and build the source code: + + yarn install && yarn build + + 4. Navigate to the installer folder: + + cd packages/\@aws-accelerator/installer/ + + 5. Synthesize the installer template by running: + + cdk synth --context use-external-pipeline-account=true + + 6. Retrieve the synthesize template named `AWSAccelerator-InstallerStack.template.json` from the `cdk.out` directory. + + 7. Use this template to create the `AWSAccelerator-Installer` CloudFormation stack in the external deployment account. + + 8. The deployment now follows the same process as the [standard deployment process](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/deployment-overview.html) with the addition of the following parameters: + + 1. **AcceleratorQualifier** \- Names the resources in the external deployment account. This must be unique for each Landing Zone Accelerator on AWS pipeline created in a single external deployment account, for example "env2" or "app1." Do not use "aws-accelerator" or a similar value that could be confused with the prefix. + + 2. **ManagementAccountId** \- This is the AWS account ID of the AWS Organizations management account. + + 3. **ManagementAccountRoleName** \- This is the name of the IAM role used to access the management account from the external deployment account. + + + @@ -46 +95 @@ Deployment options -Support for specific regions and industries +Source code location