ACM.139 Delegating governance through service control policies to an AWS Governance account
This is a continuation of my series on Automating Cybersecurity Metrics.
As I discussed in the last post, I’d like the governance team to operate out of a governance account and I want to limit actions in the root account. I created a separate account in the last post.
When I used AWS Control Tower to set up my AWS accounts for this particular implementation it seemed to put some of the things it built in the root account. I’m not sure if there’s a way around that and it’s a moot point at the moment. What AWS Organizations does offer is a way to delegate certain actions to other accounts. But what does that apply to and what does that mean exactly?
Delegated Admin Account
When I searched around for information on this feature, this page with the term “delegated admin” appeared in search results. As you can see there’s something called a Delegated Admin Account and it’s related to AWS Organizations.
As you can see above, you cannot perform this action from the AWS console. You can use the AWS CLI or SDKs.
The account number is the one to which you want to delegate this authority. The “service-principal” name is confusing to me but it refers to the actions you want to give the account permission to manage.
The documentation (which is sparse) states:
A delegated admin account can call the AWS Account Management API operations for other member accounts in the organization.
and
After you specify a delegated admin account for your organization, users and roles in that account can call the AWS CLI and AWS SDK operations in the account namespace that can work in the Organizations mode by supporting an optional AccountId parameter.
What are “AWS Account Management API operations”? And what is the “account namespace”?
We can parse through some other documentation to try to sort this out.
One page has a reference to an account API:
It links to the following actions.
That might come in handy, but it doesn’t include Service Control Policies, which I wrote about here, and is what I want my governance team to manage.
I probably want the billing team to handle the above operations. By the way, AWS just announced a change to AWS Billing which I haven’t fully explored yet:
In any case, I want to segregate the actions my billing team can take from those of the governance team and this isn’t what I’m looking for. This is also an issue I have with AWS Control Tower and AWS Organizations, which seem to try to merge these two functions into one. They’re distinct operations with organizational boundaries that don’t always align.
Delegated Administrator for AWS Organizations
Not to be confusing or anything, AWS also has a separate link in the documentation called Delegated Administrator for AWS Organizations.
AWS announced this functionality fairly recently, last November around the time of the last AWS re:Invent conference.
This documentation has a subtitle:
Create or update a resource-based delegation policy.
I wrote about resource vs. IAM policies here, and typically resource policies are applied to a resource. That means you attach the policy to the resource, like you attach a policy to an S3 bucket to define who is allowed to access it.
What is the resource to which we’re attaching these policies? We’re attaching them to our AWS organization, it seems.
What does this functionality do?
The doc states:
You can delegate policy management for AWS Organizations to specified member accounts to perform policy actions that are by default available only to the management account.
That sounds interesting. Perhaps we can allow our governance account to update SCPs. The one thing is, the documentation for SCPs still states that you must perform these operations in the management account, but that’s when using the AWS Console. Perhaps we can programmatically manage SCPs from our governance account.
What do we need to do to implement this policy?
create or update a resource-based delegation policy for your organization and add a statement that specifies which member accounts can perform actions on policies
Let’s see how we can create such a policy for our new governance account.
Permissions to create the delegated administrator
In order to create a delegated administrator you’ll need the following AWS Organizations permissions, so this is likely something we’ll want to be careful with and may want to remove from the governance permissions I created the pseudo code for in the last post. We may or may not want our governance team to have these capabilities. If you work for a small organization with one or two people handling governance in your account, perhaps you deny these permissions. If you’re in a large organization where the governance team delegates some responsibility for governance to people within lines of business, perhaps your governance team has these permissions.
organizations:PutResourcePolicy
organizations:DescribeResourcePolicy
What actions will an account be able to take when you make it a delegated administrator for organizational policies?
When you delegate permission to another account using a delegation policy, you can assign it the following permissions, or a subset of the following permissions. The documentation here is not really clear. I figured that out by reviewing the sample policies.
These actions are in the AWS Organizations namespace:
Prerequisite: Granting permission to view the organizational structure
Before you can delegate permission to manage a certain type of policy, you must grant the account permission to see the organizational structure. AWS has a sample policy for that here:
What organizational policies can a delegated administrator manage?
The documentation is not clear on this point. The documentation for the delegated administrator for AWS Organizations doesn’t list the organization policies that an administrator can manage.
It does, however, have an example of delegating administrative permissions to another account to manage backups:
This page seems to address this question:
Because this list may change in the future, and for the sake of segregation of duties, we’ll probably want to create an allow list and be explicit as far as what types of policies our governance team can manage. For now, I just want them to manage SCPs.
Nowhere can I find the documentation listing all the possible organization policy types that you can use in place of “BACKUP_POLICY” in the example below and /backup_policy/ in the resource ARN.
No matter. We can perform some actions and check the logs to reverse-engineer what the policy type is in the corresponding CloudTrail request (hopefully) when we create an SCP. I’ll try that in an upcoming post.
If it is possible, the pseudo code will be similar to the above code to delegate backup policy permissions, but we’ll likely replace ‘backup_policy’ with ‘service_control_policy’. I also want to create a reusable block of code that can be used by any organization rather than hard-coding in specific account numbers.
It took a while to sift through the documentation so I’ll try to implement this in the next post, which will include reverse-engineering policy types and ARNs for the policy above.
Follow for updates.
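As an added example (my own code, not the post’s or AWS’s), here is a reusable Python/boto3 version of the delegation policy described above, parameterized on the management and governance account numbers and on the policy type so nothing is hard-coded. It goes beyond the post by using SERVICE_CONTROL_POLICY, the organizations:PolicyType value AWS uses for SCPs, with service_control_policy as the ARN segment; the action lists and the StringLikeIfExists condition follow the shape of the AWS backup-policy sample, and the statement Sids and any account ids passed in are placeholders.

```python
import json

# Read-only actions the delegate needs to see the organization structure, the
# prerequisite the post describes before any policy type can be delegated.
ORG_READ_ACTIONS = [
    "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit",
    "organizations:DescribeAccount", "organizations:DescribePolicy",
    "organizations:DescribeEffectivePolicy", "organizations:ListRoots",
    "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents",
    "organizations:ListChildren", "organizations:ListAccounts",
    "organizations:ListAccountsForParent", "organizations:ListPolicies",
    "organizations:ListPoliciesForTarget", "organizations:ListTargetsForPolicy",
]
# Policy lifecycle actions granted for exactly one policy type. Deliberately omits
# organizations:PutResourcePolicy so the delegate cannot widen its own delegation.
POLICY_WRITE_ACTIONS = [
    "organizations:CreatePolicy", "organizations:UpdatePolicy", "organizations:DeletePolicy",
    "organizations:AttachPolicy", "organizations:DetachPolicy",
    "organizations:EnablePolicyType", "organizations:DisablePolicyType",
]

def build_delegation_policy(management_account_id, delegate_account_id,
                            policy_type="SERVICE_CONTROL_POLICY"):
    """Resource-based delegation policy for the organization, parameterized so no
    account number is hard-coded. policy_type is the organizations:PolicyType value;
    the policy ARN segment is its lowercase form (BACKUP_POLICY -> backup_policy)."""
    for acct in (management_account_id, delegate_account_id):
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"not a 12-digit AWS account id: {acct!r}")
    principal = {"AWS": f"arn:aws:iam::{delegate_account_id}:root"}
    org = f"arn:aws:organizations::{management_account_id}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ViewOrganizationStructure", "Effect": "Allow", "Principal": principal,
         "Action": ORG_READ_ACTIONS, "Resource": "*"},
        {"Sid": "ManageOnePolicyType", "Effect": "Allow", "Principal": principal,
         "Action": POLICY_WRITE_ACTIONS,
         "Resource": [f"{org}:root/o-*/r-*", f"{org}:ou/o-*/ou-*", f"{org}:account/o-*/*",
                      f"{org}:policy/o-*/{policy_type.lower()}/*"],
         "Condition": {"StringLikeIfExists": {"organizations:PolicyType": policy_type}}},
    ]}

def granted_actions(policy_doc):
    """Every action the document grants; review this set before applying it."""
    return {a for s in policy_doc["Statement"] for a in s["Action"]}

def apply_delegation_policy(policy_doc):
    """Apply from the management account (requires organizations:PutResourcePolicy)."""
    import boto3  # imported lazily so building and reviewing needs no AWS credentials
    return boto3.client("organizations").put_resource_policy(Content=json.dumps(policy_doc))
```

Build and review the document with real account numbers first, then call apply_delegation_policy from the management account; confirm the result with organizations:DescribeResourcePolicy.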
Teri Radichel
© 2nd Sight Lab 2023