ACM.44 Ensure group names and policy names are consistent
This is a continuation of my series on Automating Cybersecurity Metrics.
In my last post I explained how to create a reusable template and functions to create IAM users. We can use that same concept to create a reusable function to deploy a group, because the only thing I really need to vary in my group template is the name.
I can start with a function to deploy a group.
I can also create a similar function for my group policies, with the name of the policy template file matching the name of the policy:
I have the three policy templates in the Policies subdirectory of my Groups/cfn folder:
Here's the nifty thing. If I always name my CloudFormation policy templates consistently, I can deploy the policy and the group with a couple of extra lines of code. I can calculate the group policy template file name from the group name and deploy it from within the create_group function:
So if my group name is IAMAdmins, then my policy file name will be IAMAdminsGroupPolicy.yaml. I'm not creating a generic policy file because policies are one of the most critical aspects of cloud security, and likely each of these will be unique. I add Group to every policy name so I know the policy is associated with a group when looking it up in my list of policies in the AWS console or in the list of CloudFormation stacks.
I decided to keep my group policies in my group folder, and this code will prevent group policies from being applied to any other resource, as long as this is the only code we use to deploy groups and policies. That's another example of how a fully automated environment can help.
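As an added example that is not the post's own code, here is one way the create_group function described above could be written in bash: the policy template name is derived from the group name, and a validate_param helper reports which function was missing which parameter (the change the post describes later for stack_functions.sh). Assumed, not taken from the post: the group template is Groups/cfn/<GroupName>.yaml, the policy template is Groups/cfn/Policies/<GroupName>GroupPolicy.yaml, the stacks are named IAM-GroupPolicy-<GroupName> and IAM-Group-<GroupName>, and DRY_RUN=1 prints the aws commands instead of running them.

```bash
#!/bin/bash
# Added example, not the post's own code. Deploys an IAM group and the group
# policy whose template name is derived from the group name.
# Assumptions (not from the post): group templates live at
# $GROUPS_DIR/<GroupName>.yaml, policy templates at
# $GROUPS_DIR/Policies/<GroupName>GroupPolicy.yaml, stacks are named
# IAM-GroupPolicy-<GroupName> and IAM-Group-<GroupName>, and DRY_RUN=1
# prints each aws command instead of running it.
set -eu

GROUPS_DIR="${GROUPS_DIR:-Groups/cfn}"

# Fail with a message naming the calling function and the missing parameter,
# so the error points straight at its source.
validate_param() {
  local value="$1" param_name="$2" caller="$3"
  if [ -z "$value" ]; then
    echo "ERROR: $caller: missing value for parameter '$param_name'" >&2
    return 1
  fi
}

# IAMAdmins -> IAMAdminsGroupPolicy.yaml: the policy file name is computed
# from the group name, so only the group name ever has to change.
group_policy_template() {
  echo "$1GroupPolicy.yaml"
}

# Searchable stack-name prefixes (assumed), e.g. "IAM-Group" in the console.
group_stack_name()        { echo "IAM-Group-$1"; }
group_policy_stack_name() { echo "IAM-GroupPolicy-$1"; }

# Run an aws CLI command, or only print it when DRY_RUN=1.
run_aws() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Create or update one stack. CAPABILITY_NAMED_IAM is required because the
# templates create IAM resources with explicit names.
deploy_stack() {
  local stack_name="$1" template="$2" profile="$3"
  run_aws cloudformation deploy \
    --stack-name "$stack_name" \
    --template-file "$template" \
    --capabilities CAPABILITY_NAMED_IAM \
    --profile "$profile"
}

# Deploy the group policy and then the group, from the group name alone.
create_group() {
  local fn="${FUNCNAME[0]}"
  local group_name="${1:-}" profile="${2:-}"
  validate_param "$group_name" "group_name" "$fn" || return 1
  validate_param "$profile" "profile" "$fn" || return 1

  local group_template="$GROUPS_DIR/$group_name.yaml"
  local policy_template="$GROUPS_DIR/Policies/$(group_policy_template "$group_name")"
  local t
  for t in "$group_template" "$policy_template"; do
    if [ ! -f "$t" ]; then
      echo "ERROR: $fn: template $t not found" >&2
      return 1
    fi
  done

  # Policy first so the group template can reference it by name, then the group.
  deploy_stack "$(group_policy_stack_name "$group_name")" "$policy_template" "$profile"
  deploy_stack "$(group_stack_name "$group_name")" "$group_template" "$profile"
}

# Usage: DRY_RUN=1 ./create_group.sh IAMAdmins myprofile
if [ $# -gt 0 ]; then
  create_group "$@"
fi
```

Because the policy path is computed rather than passed in, a group policy template can only ever be deployed alongside the group it is named after, which is the property the paragraph above relies on.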
Now my deployment script is pretty simple:
Now I can add new groups very quickly, and when I want to find them in the CloudFormation console I can simply search on 'IAM-Group'.
I can easily find policies for groups:
I can find all my IAM administrator templates (though the username would probably match an actual person in a production environment).
Next I can create a generic function to add a user to a group:
In order to test multiple users I've added one more user called IAMAdmin2 so I can test adding multiple users to a group. Refer to this post where I add users with similar common functions.
I just added one line to IAM/stacks/Users/deploy.sh:
deploy_user "IAMAdmin2" $profile
Now I can test adding two users to a group in my deploy script:
Check to see that your group has the associated users after creating this stack:
A few caveats about the above deployment script:
Cost
CloudFormation documentation specifies the following for costs:
AWS CloudFormation gives you an easy way to model, provision, and manage a collection of related AWS and third-party resources by treating infrastructure as code. You only pay for what you use, with no minimum fees and no required upfront commitments. When using registry extensions with CloudFormation, you incur charges per handler operation. Handler operations are: CREATE, UPDATE, DELETE, READ, or LIST actions on a resource type and CREATE, UPDATE or DELETE actions for a Hook type. For more information about handler operations and resource providers, please visit the CloudFormation documentation.
This isn't exactly clear. What does "When using registry extensions" mean? Well, first we can check to see what the CloudFormation registry is...
The CloudFormation registry lets you manage extensions, both public and private
Are we using an extension here? Is CloudFormation free if we don't use an extension?
Here's another item for the #AWSWishList ~ make this documentation clearer.
I don't believe I'm using extensions, and CloudFormation was free. The easiest way for me to answer this question is to look at my billing dashboard to see if I've been charged anything for CloudFormation in this account. I can confirm that for what I'm doing so far in this repository I'm not getting charged any CloudFormation fees. I've been using this account and CloudFormation in it for quite some time. In the past, CloudFormation was free; I was just checking to see if that changed.
If you're applying some kind of extension in addition to what I'm doing here, you might not want to re-run all the stacks just to update one of them. I'm not sure if you would get charged for the execution if there are no updates. The documentation doesn't say. In the past I've had issues with unclear AWS documentation that ended up costing much more than initial estimates in a spreadsheet. Hopefully the AWS Calculator would give you more accurate estimates, but it's still always a good idea to do a proof of concept (POC) and look at your bill before rolling out anything at scale.
If I had pricing concerns and I discovered that I was charged for a call to a stack even when no updates were required, I'd create a way to only deploy the specific resources I wanted to change.
Changes in parallel to CloudFormation templates and code
Same as with pricing, you may want to separate out each resource to have its own deployment script if you have a lot of things in a repository being updated and you don't want to deploy unfinished changes. I'm just setting up this repository for testing purposes, and the only person in it right now is me. If you had a development team making a lot of changes at once you'd likely want to break up the deployment script.
A change to the validation function
Note that I changed the validation function in stack_functions.sh slightly to pass in the function name.
That way when I report an error I can pass back the function name that had the missing parameter value:
It's always a good idea to make your error messages as specific as possible to help people quickly pinpoint the source of an error.
Next I added this line to my functions to get the current function name:
function=${FUNCNAME[0]}
Then I pass the function name into the validate_param function.
Passing parameter values to a comma separated list parameter
One other thing that you should know is that when passing comma separated lists to CloudFormation stacks you need to make sure that there is no space in the list, or you'll get an error.
So instead of this:
"IAMAdminUser, IAMAdminUser2"
Pass in this:
"IAMAdminUser,IAMAdminUser2"
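An added example (not the post's own code) covering both the generic add-users-to-group function and the comma-separated list caveat: it accepts the user names either as separate arguments or as one comma-separated string, rebuilds the list with no spaces, rejects entries that would still break the parameter, and then deploys the membership stack. Assumed, not taken from the post: the template is Groups/cfn/AddUsersToGroup.yaml with parameters GroupName and UserNames, the stack is named IAM-GroupUsers-<GroupName>, and DRY_RUN=1 prints the aws command rather than running it.

```bash
#!/bin/bash
# Added example, not the post's own code. Adds users to an existing IAM group
# through a CloudFormation stack whose UserNames parameter is a comma
# separated list, which CloudFormation rejects if it contains spaces.
# Assumptions (not from the post): the template is
# $GROUPS_DIR/AddUsersToGroup.yaml with parameters GroupName and UserNames,
# the stack is named IAM-GroupUsers-<GroupName>, and DRY_RUN=1 prints the
# aws command instead of running it.
set -eu

GROUPS_DIR="${GROUPS_DIR:-Groups/cfn}"

# Turn any mix of arguments and comma-separated strings into "a,b,c" with no
# whitespace: "IAMAdminUser, IAMAdminUser2" becomes "IAMAdminUser,IAMAdminUser2".
# Empty entries and names containing whitespace are rejected rather than
# silently handed to CloudFormation.
normalize_user_list() {
  local fn="${FUNCNAME[0]}" joined="" arg token user
  for arg in "$@"; do
    local IFS=','
    for token in $arg; do
      # Trim leading and trailing whitespace from each entry.
      user="${token#"${token%%[![:space:]]*}"}"
      user="${user%"${user##*[![:space:]]}"}"
      if [ -z "$user" ]; then
        echo "ERROR: $fn: empty entry in user list '$arg'" >&2
        return 1
      fi
      case "$user" in
        *[[:space:]]*)
          echo "ERROR: $fn: user name '$user' contains whitespace" >&2
          return 1 ;;
      esac
      joined="${joined:+$joined,}$user"
    done
  done
  if [ -z "$joined" ]; then
    echo "ERROR: $fn: no users given" >&2
    return 1
  fi
  echo "$joined"
}

# Deploy the membership stack with the normalised list as UserNames.
add_users_to_group() {
  local fn="${FUNCNAME[0]}"
  local group_name="${1:-}" profile="${2:-}"
  [ -n "$group_name" ] || { echo "ERROR: $fn: missing group_name" >&2; return 1; }
  [ -n "$profile" ]    || { echo "ERROR: $fn: missing profile" >&2; return 1; }
  shift 2
  local user_list
  user_list="$(normalize_user_list "$@")" || return 1

  local cmd=(aws cloudformation deploy
    --stack-name "IAM-GroupUsers-$group_name"
    --template-file "$GROUPS_DIR/AddUsersToGroup.yaml"
    --parameter-overrides "GroupName=$group_name" "UserNames=$user_list"
    --capabilities CAPABILITY_NAMED_IAM
    --profile "$profile")
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "${cmd[*]}"
  else
    "${cmd[@]}"
  fi
}

# Usage: DRY_RUN=1 ./add_users_to_group.sh IAMAdmins myprofile IAMAdmin IAMAdmin2
if [ $# -gt 0 ]; then
  add_users_to_group "$@"
fi
```

Validating the list in the script rather than letting the stack fail keeps the error local and specific, in the same spirit as the validate_param change above.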
Caveats Adding and Removing Users From Groups
I didn't test removing the IAMAdmin2 user from the group here, but I presume removing it and redeploying would update the group. What happens if someone removes a user from the group outside the CloudFormation template? I presume redeploying will re-add the user to the group.
What if someone manually adds a user to the group? Is it affected by this stack that adds specific users to the group?
What if we want to output all the users added to the group and use that? Then we have to ensure that the only way the group can be updated is through this automation stack.
On to IAM Roles...
Alright! Now we can very easily create new users, groups, and group policies. We have one more resource to see if we can refactor: IAM Roles. Follow me or sign up for the email list to get that next post.
Teri Radichel
If you liked this story please clap and follow:
Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research
© 2nd Sight Lab 2022
All the posts in this series:
____________________________________________
Author:
Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts