Better governance via a secure baseline and automated account provisioning with Control Tower and Account Factory
For those who heard my presentation on Underrated AWS Security Controls at the AWS Atlanta Summit, I spoke about how AWS Control Tower can help you automate provisioning of accounts with a secure baseline and enforce governance.
Without going into too much additional detail on that here, I'm providing sample code to create an account from an AWS Lambda function using AWS Control Tower Account Factory. Because the account is created through Account Factory, it is provisioned with the logging, security, and policy settings you've defined for your organization in AWS Control Tower.
You'll want to test this thoroughly before using it in production, of course, but I didn't find a simple example of this elsewhere. Sometimes I think people make things way too complicated.
There are two values you'll need here: the product ID and the provisioning artifact ID, the latter of which is an overly-complicated way of saying "version."
import boto3


def get_parameter(event, parameter_name):
    # .get() so a missing key reaches the check below instead of raising KeyError;
    # str() on the raw value would also turn None into the string "None"
    parameter_value = event.get(parameter_name)
    if parameter_value is None or str(parameter_value).strip() == "":
        raise Exception("Must pass in " + parameter_name)
    return str(parameter_value)


def get_json_parameter(name, value):
    # One Service Catalog provisioning parameter, built as a dict rather than a
    # hand-assembled JSON string so a quote in a value cannot break the payload
    return {"Key": name, "Value": value}


def lambda_handler(event, context):
    account_name = get_parameter(event, "account_name")
    account_email_domain = get_parameter(event, "account_email_domain")
    account_email = account_name + "@" + account_email_domain
    ou = get_parameter(event, "ou")
    sso_user_email = get_parameter(event, "sso_user_email")
    sso_user_first_name = get_parameter(event, "sso_user_first_name")
    sso_user_last_name = get_parameter(event, "sso_user_last_name")

    servicecatalog = boto3.client('servicecatalog')

    # todo: these are hard-coded but should be passed in or looked up
    product_id = "xxxxxxxxxx"
    prov_artifact_id = 'xxxxxxxxxx'

    # Parameter keys are the ones the Account Factory product expects
    params = [
        get_json_parameter("SSOUserEmail", sso_user_email),
        get_json_parameter("SSOUserFirstName", sso_user_first_name),
        get_json_parameter("SSOUserLastName", sso_user_last_name),
        get_json_parameter("ManagedOrganizationalUnit", ou),
        get_json_parameter("AccountName", account_name),
        get_json_parameter("AccountEmail", account_email),
    ]

    servicecatalog.provision_product(
        ProductId=product_id,
        ProvisioningArtifactId=prov_artifact_id,
        ProvisionedProductName=account_name,
        ProvisioningParameters=params
    )

    return {
        'statusCode': 200
    }
You can find the product ID and provisioning artifact ID by going to Service Catalog, clicking Products on the left, and then clicking a product. You'll then see the provisioning artifact IDs (the screen actually says "versions") associated with the product. Use the active ID.
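The same two IDs can be resolved at runtime instead of copied out of the console and hard-coded. The following is an added example, not code from the original post: it looks up the Account Factory product by name, picks its newest active, non-deprecated provisioning artifact, validates the event, and calls provision_product with a proper parameter list. It assumes the product carries the name "AWS Control Tower Account Factory" (the name Control Tower gives it by default) and that the function's role may call servicecatalog:SearchProductsAsAdmin and servicecatalog:ListProvisioningArtifacts in addition to ProvisionProduct. FakeServiceCatalog and SAMPLE_EVENT are constructed stand-ins so the logic can be run offline; in the Lambda, lambda_handler passes a real boto3 client.

```python
import datetime

ACCOUNT_FACTORY_PRODUCT_NAME = "AWS Control Tower Account Factory"  # assumed default name

REQUIRED_EVENT_KEYS = ("account_name", "account_email_domain", "ou",
                       "sso_user_email", "sso_user_first_name", "sso_user_last_name")


def find_product_id(client, product_name=ACCOUNT_FACTORY_PRODUCT_NAME):
    """Return the ProductId whose Name matches exactly; error if none or several.

    FullTextSearch is fuzzy, so results are filtered on the exact name, and
    NextPageToken is followed in case the catalog spans several pages.
    """
    matches, token = [], None
    while True:
        kwargs = {"Filters": {"FullTextSearch": [product_name]}}
        if token:
            kwargs["PageToken"] = token
        resp = client.search_products_as_admin(**kwargs)
        for detail in resp.get("ProductViewDetails", []):
            summary = detail["ProductViewSummary"]
            if summary.get("Name") == product_name:
                matches.append(summary["ProductId"])
        token = resp.get("NextPageToken")
        if not token:
            break
    if len(matches) != 1:
        raise LookupError("expected one product named %r, found %d" % (product_name, len(matches)))
    return matches[0]


def find_active_artifact_id(client, product_id):
    """Return the newest provisioning artifact ("version") that is active and not deprecated."""
    details = client.list_provisioning_artifacts(ProductId=product_id)["ProvisioningArtifactDetails"]
    usable = [a for a in details if a.get("Active") and a.get("Guidance", "DEFAULT") != "DEPRECATED"]
    if not usable:
        raise LookupError("no active provisioning artifact for " + product_id)
    return max(usable, key=lambda a: a["CreatedTime"])["Id"]


def build_provisioning_parameters(event):
    """Validate the Lambda event and map it onto Account Factory's parameter keys."""
    missing = [k for k in REQUIRED_EVENT_KEYS if not str(event.get(k) or "").strip()]
    if missing:
        raise ValueError("Must pass in: " + ", ".join(missing))
    values = {
        "SSOUserEmail": event["sso_user_email"],
        "SSOUserFirstName": event["sso_user_first_name"],
        "SSOUserLastName": event["sso_user_last_name"],
        "ManagedOrganizationalUnit": event["ou"],
        "AccountName": event["account_name"],
        "AccountEmail": "%s@%s" % (event["account_name"], event["account_email_domain"]),
    }
    # boto3 takes a list of {"Key", "Value"} dicts; no hand-built JSON string to break
    return [{"Key": k, "Value": str(v)} for k, v in values.items()]


def provision_account(client, event, product_name=ACCOUNT_FACTORY_PRODUCT_NAME):
    """Resolve the IDs, then launch the product; returns the Service Catalog record ID."""
    product_id = find_product_id(client, product_name)
    artifact_id = find_active_artifact_id(client, product_id)
    resp = client.provision_product(
        ProductId=product_id,
        ProvisioningArtifactId=artifact_id,
        ProvisionedProductName=event["account_name"],
        ProvisioningParameters=build_provisioning_parameters(event),
    )
    return resp["RecordDetail"]["RecordId"]


def lambda_handler(event, context):
    import boto3  # imported here so the helpers above also run without the SDK installed
    return {"statusCode": 200, "recordId": provision_account(boto3.client("servicecatalog"), event)}


class FakeServiceCatalog:
    """Constructed stand-in for the boto3 servicecatalog client (offline demo only)."""

    def __init__(self):
        self.last_request = None

    def search_products_as_admin(self, **kwargs):
        # A fuzzy search can return look-alikes; only the exact name should win
        return {"ProductViewDetails": [
            {"ProductViewSummary": {"ProductId": "prod-fake1", "Name": "Account Factory (copy)"}},
            {"ProductViewSummary": {"ProductId": "prod-fake2", "Name": ACCOUNT_FACTORY_PRODUCT_NAME}},
        ]}

    def list_provisioning_artifacts(self, ProductId):
        t0 = datetime.datetime(2022, 1, 1)
        return {"ProvisioningArtifactDetails": [
            {"Id": "pa-fakev1", "Active": True, "Guidance": "DEPRECATED", "CreatedTime": t0},
            {"Id": "pa-fakev2", "Active": True, "Guidance": "DEFAULT", "CreatedTime": t0 + datetime.timedelta(days=30)},
            {"Id": "pa-fakev3", "Active": False, "Guidance": "DEFAULT", "CreatedTime": t0 + datetime.timedelta(days=60)},
        ]}

    def provision_product(self, **kwargs):
        self.last_request = kwargs
        return {"RecordDetail": {"RecordId": "rec-fake1", "Status": "CREATED"}}


SAMPLE_EVENT = {  # constructed input
    "account_name": "sandbox-dev", "account_email_domain": "example.com", "ou": "Sandbox",
    "sso_user_email": "jane.doe@example.com", "sso_user_first_name": "Jane", "sso_user_last_name": "Doe",
}

if __name__ == "__main__":
    fake = FakeServiceCatalog()
    print(provision_account(fake, SAMPLE_EVENT), fake.last_request["ProvisioningParameters"])
```

Resolving the artifact by "active and not deprecated" mirrors the "use the active ID" advice above, and failing on zero or multiple product matches is deliberate: silently picking the first fuzzy hit could launch the wrong product into your organization.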
Now that seems simple enough, right? It wasn't simple to arrive at that, and I hit a number of error messages along the way which may be slowing teams down when trying to learn and use this pretty awesome concept. It took a number of fits and starts with limited time and a few days to do what should have been simple if the error messages and documentation had been clearer.
I haven't yet completely finished defining zero trust permissions for this function. My related blog posts explain why and how to go about doing that. You'll need Service Catalog, Control Tower, CloudFormation, and CloudWatch Logs permissions to run this code. You shouldn't need any capabilities related to delete, setting permissions, and many other potential permissions that could be excluded. Because of the time I had to wade through so many misleading error messages and dig for documentation to get this far, I'm leaving that as an exercise for the reader.
I decided to start blogging about all these bugs, error messages, UI, performance, and documentation challenges in a separate non-security blog, like my recent Azure support diary post where it took me four weeks to convince Azure that an error message was a bug. I've now got my husband using Down Detector to figure out when his music service is down, given my recent challenges with AWS, Comcast, LinkedIn, and TV streaming service outages. I want to write about these things to help other people solve and troubleshoot problems, but keep this blog focused on security.
If you are interested in the other blog, which is primarily just error messages, troubleshooting, and fixes, you can check it out here:
Teri Radichel — Follow me @teriradichel on Twitter
© 2nd Sight Lab 2022
____________________________________________
Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts