DEV Community

Alejandro Velez

Continuous Delivery applied to Authorization with IAM Identity Center and AWS IAM Access Analyzer – Part 2

level: 300

Following part 1, let’s continue with the pipeline creation. In this scenario, CDK Pipelines is the preferred tool to make this possible. In the third part, you can explore the same approach with Terraform and a CodeCatalyst project.

Solution Overview

Requirements

validate-aws-policies
Python >= 3.10.4
CDK >= 2.158.0
cdk_nag >= 2.28.195

AWS Services

  • AWS IAM Access Analyzer: AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM provides the infrastructure necessary to control authentication and authorization for your AWS accounts.

  • AWS Cloud Development Kit (CDK): is an open-source software development framework to define your cloud application resources using familiar programming languages.

  • AWS Identity and Access Management (IAM): Securely manage identities and access to AWS services and resources.

  • AWS IAM Identity Center (Successor to AWS Single Sign-On): helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications.

  • AWS CodeBuild: fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.

  • AWS CodePipeline: fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.

  • AWS Key Management Service (AWS KMS): lets you create, manage, and control cryptographic keys across your applications and more than 100 AWS services.

  • AWS CloudFormation: Speed up cloud provisioning with infrastructure as code.

  • AWS Lambda: A serverless compute service that lets you run code without provisioning or managing servers, build workload-based cluster scaling logic, maintain event integrations, or manage runtimes.

  • AWS Chatbot: Monitor, operate, and troubleshoot your AWS resources with interactive ChatOps.

Figure 1 depicts the solution architecture according to best practices:

Figure 1. Continuous authorization using AWS Developer Tools

1- The IaC is hosted in a private GitHub repository.
2- The first stage of the CDK pipeline runs synth and applies self-mutation.
3- The policies are scanned by the validate_aws_policies tool and the reports are pushed to an S3 bucket.
4- After the DevSecOps Admin or SecOps Engineer reviews the findings, the changes are accepted or rejected.
5- The permission set changes are provisioned in both accounts. You can modify this to apply the changes to only one account, but keep in mind that in this case the same team manages both accounts.

Keep in mind:

Hands On

It’s time to create some code. 😃

First, delegate the IAM Identity Center administration using the AWS console or through the API.

  1. Sign in to the AWS Management Console using the credentials of your management account in AWS Organizations. Management account credentials are required to run the RegisterDelegatedAdministrator API.
  2. Select the Region where IAM Identity Center is enabled, and then open the IAM Identity Center console.
  3. Choose Settings, and then select the Management tab.
  4. In the Delegated administrator section, choose Register account.
  5. On the Register delegated administrator page, select the AWS account you want to register, and then choose Register account.

Now, parametrize the project properties according to the template as follows:

  1. Get the values from the IAM Identity Center settings; you need the instance ID and the instance ARN.

Figure 2. SSO instance information.

  2. Get the group’s principal ID from the console, or run a tool like reverse_diagrams to get this information. For example:

$ reverse_diagrams -o -i --profile labvel-master --region us-east-2

The JSON output of the reverse_diagrams CLI, in the file diagrams/json/groups.json:

...
{
    "AWSLogArchiveAdmins": {
        "group_id": "9a672b3314-c481fbee-8062-432a-8b87-xxxx36b763a8",
        "group_name": "AWSLogArchiveAdmins",
        "members": []
    }, 
...


  3. Now, parametrize the project properties according to your environment: create the permission set block in the project properties with the managed or custom policies for the permission set, for example:

permissions_set:
  - name: 'AWSLogArchiveAdmins'
    description: 'Permissions Set for DevSecOps Admins'
    policies_file: 'policies/policy_allow_all_access_dev_sandbox_users.json'
    managed_policies: [ 'arn:aws:iam::aws:policy/AdministratorAccess' ]
    session_duration: '8'
    assing_to:
      - name: 'Grp-AWS-DevSecOps-Productos'
        principal_id: "9a672b3314-c481fbee-8062-432a-8b87-xxxx36b763a8"
        principal_type: "GROUP"
        target_ids:
          - "123462754109"
        target_type: "AWS_ACCOUNT"

For deploying, run:


cdk deploy -e ManageIAMIdentityCenterPipelineStack --profile labvel-devsecops


⚠️ The GitHub connection is disabled by default; you must enable it through the console.

Figure 3. Github connection in AWS Console.

  4. Finally, push the changes and wait for the pipeline approval.

Here is an example of a failed execution:

Figure 4. Failed execution in Code Pipeline.

Figure 5. Execution Notification in Microsoft Teams.

Figure 4 depicts the failed execution, caused by a malformed custom policy that uses a wildcard without a like operator.

After cleaning up the repository and pushing the correct policies, Figure 6 depicts the outputs in Microsoft Teams and the pipeline steps.
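As an added illustration (not code from this post or from the template repository), here is a local pre-check for the finding that broke the run in Figure 4, "wildcard without like operator": IAM treats * and ? as wildcards only under the String*Like condition operators, so a wildcard under StringEquals compares literally and never matches. The sample policy, the finder and the rewrite helper are all constructed here; the pipeline itself relies on validate_aws_policies and IAM Access Analyzer, not on this script.

```python
import copy

# IAM treats '*' and '?' as wildcards only under the String*Like operators.
# Under StringEquals/StringNotEquals a '*' is compared literally and never
# matches, which is the "wildcard without like operator" finding.
EQUALS_OPS = {"StringEquals", "StringNotEquals",
              "StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase"}

def _base_op(op: str) -> str:
    # "ForAnyValue:StringEqualsIfExists" -> "StringEquals"
    op = op.split(":", 1)[-1]
    return op[:-len("IfExists")] if op.endswith("IfExists") else op

def _statements(policy: dict) -> list:
    stmts = policy.get("Statement", [])  # a single statement may be a bare object
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def _wildcards(values) -> list:
    values = values if isinstance(values, list) else [values]
    return [v for v in values if isinstance(v, str) and ("*" in v or "?" in v)]

def find_wildcard_without_like(policy: dict) -> list:
    """One finding per condition key that pairs a wildcard with an equality operator."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        sid = stmt.get("Sid", f"Statement[{i}]")
        for op, pairs in stmt.get("Condition", {}).items():
            if _base_op(op) in EQUALS_OPS:
                for key, values in pairs.items():
                    for v in _wildcards(values):
                        findings.append(f"{sid}: {op} on {key} has wildcard {v!r}; use a Like operator")
    return findings

def rewrite_to_like(policy: dict) -> dict:
    """Copy of the policy with wildcard StringEquals/StringNotEquals conditions switched
    to StringLike/StringNotLike; IgnoreCase variants have no Like form and are left alone."""
    fixed = copy.deepcopy(policy)
    for stmt in _statements(fixed):
        cond = stmt.get("Condition", {})
        for op in list(cond):
            if _base_op(op) in {"StringEquals", "StringNotEquals"} and any(
                    _wildcards(v) for v in cond[op].values()):
                cond[op.replace("Equals", "Like")] = cond.pop(op)
    return fixed

# Constructed sample (not the post's policy file): a tag condition that is
# malformed the same way the failed run in Figure 4 was.
MALFORMED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ListSandboxBuckets", "Effect": "Allow", "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::*",
    "Condition": {"StringEquals": {"aws:ResourceTag/env": "sandbox-*"}}}]}
```

Running the finder over every file under policies/ before the CDK synth stage catches this class of mistake without waiting for the pipeline to fail.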

Figure 6. Successful execution.

You can find the example code for this pipeline in the repository below.

GitHub: velez94 / cdkv2_manage_identity_center_template

Template example for manage identity center authorization using aws cdk and validate_aws_policies cli

Thanks for reading and sharing. 💻 👽
