From 87dc4c52fb00373c984f2d24dfa44e3d6f1df024 Mon Sep 17 00:00:00 2001
From: Guillaume Charest <1690085+gcharest@users.noreply.github.com>
Date: Tue, 23 Jul 2024 15:49:15 -0400
Subject: [PATCH] feat: setup narrower guardrails against aws Nuke (#300)

* feat: setup narrower guardrails against aws Nuke
* fix: prevent detach role policy from AWS CT roles
* fix: revert duplicate detach statement
* fix: add deny detach role policy again
---
 .../org_account/organization/organizations.tf | 5 ++
 terragrunt/org_account/organization/scp.tf | 89 +++++++++++++++++++
 2 files changed, 94 insertions(+)

diff --git a/terragrunt/org_account/organization/organizations.tf b/terragrunt/org_account/organization/organizations.tf
index 58787e57..54ca9bac 100644
--- a/terragrunt/org_account/organization/organizations.tf
+++ b/terragrunt/org_account/organization/organizations.tf
@@ -112,6 +112,11 @@ resource "aws_organizations_policy_attachment" "Test-cds_snc_universal_guardrail
   target_id = aws_organizations_organizational_unit.Test.id
 }
 
+resource "aws_organizations_policy_attachment" "Test-aws_nuke_guardrails" {
+  policy_id = aws_organizations_policy.aws_nuke_guardrails.id
+  target_id = aws_organizations_organizational_unit.Test.id
+}
+
 resource "aws_organizations_policy_attachment" "DumpsterFire-qurantine_deny_all_policy" {
   policy_id = aws_organizations_policy.qurantine_deny_all_policy.id
   target_id = aws_organizations_organizational_unit.DumpsterFire.id
diff --git a/terragrunt/org_account/organization/scp.tf b/terragrunt/org_account/organization/scp.tf
index 865e45f5..1d4baa83 100644
--- a/terragrunt/org_account/organization/scp.tf
+++ b/terragrunt/org_account/organization/scp.tf
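Review bot: The new `Test-aws_nuke_guardrails` attachment targets only the `Test` OU, so nothing in the `aws_nuke_guardrails` SCP applies to any other OU in this organization. If that is a deliberate staged rollout rather than the intended final scope, say so next to the resource so the next reader does not assume org-wide coverage, e.g. `# Pilot: aws_nuke_guardrails is attached to Test only; extend to the other OUs once validated`. The neighbouring attachments in this file follow the same one-OU pattern, so this is consistent with them, but the guardrail's purpose makes its scope worth stating explicitly.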
@@ -180,3 +180,92 @@ resource "aws_organizations_policy" "qurantine_deny_all_policy" {
   type = "SERVICE_CONTROL_POLICY"
   content = data.aws_iam_policy_document.qurantine_deny_all_policy.json
 }
+
+
+data "aws_iam_policy_document" "aws_nuke_guardrails" {
+  statement {
+
+    sid = "ProtectAWSControlTowerRoles"
+    effect = "Deny"
+    actions = [
+      "iam:DeleteRole",
+      "iam:DetachRolePolicy",
+      "iam:DeleteRolePolicy"
+    ]
+    resources = [
+      "arn:aws:iam::*:role/AWSControlTower*",
+      "arn:aws:iam::*:role/aws-service-role/*"
+    ]
+    condition {
+      test = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+
+  statement {
+    sid = "ProtectSAMLProvider"
+    effect = "Deny"
+    actions = [
+      "iam:DeleteSAMLProvider"
+    ]
+    resources = [
+      "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
+    ]
+    condition {
+      test = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+
+
+  statement {
+    sid = "ProtectSSORoles"
+    effect = "Deny"
+    actions = [
+      "iam:DeleteRole",
+      "iam:DeleteRolePolicy",
+      "iam:DetachRolePolicy"
+    ]
+    resources = [
+      "arn:aws:iam::*:role/AWSReservedSSO_*"
+    ]
+    condition {
+      test = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+
+  statement {
+    sid = "ProtectSSORolePolicies"
+    effect = "Deny"
+    actions = [
+      "iam:DetachRolePolicy",
+      "iam:DeletePolicy"
+    ]
+    resources = [
+      "arn:aws:iam::*:policy/AWSReservedSSO_*"
+    ]
+    condition {
+      test = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+}
+
+resource "aws_organizations_policy" "aws_nuke_guardrails" {
+  name = "Control Tower Guardrails"
+  type = "SERVICE_CONTROL_POLICY"
+  content = data.aws_iam_policy_document.aws_nuke_guardrails.json
+}
\ No newline at end of file
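Review bot: The `ProtectSSORoles` statement will not match the roles it is meant to protect, because IAM Identity Center permission-set roles are created under the path `/aws-reserved/sso.amazonaws.com/` (with a region segment outside us-east-1), so `arn:aws:iam::*:role/AWSReservedSSO_*` should be `arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*`. In `ProtectSSORolePolicies`, `iam:DetachRolePolicy` is dead weight: that action is authorized against the role ARN, not the policy ARN, so it can never match a `policy/AWSReservedSSO_*` resource and should be dropped there (the role statement already carries it). In `ProtectAWSControlTowerRoles`, ARN matching is case-sensitive, so the `aws-controltower-*` roles Control Tower creates in enrolled accounts (e.g. `aws-controltower-ConfigRecorderRole`) fall outside `AWSControlTower*`, and `iam:DeleteRole` on the `aws-service-role/*` path denies nothing useful since service-linked roles are removed through `iam:DeleteServiceLinkedRole`. The deny lists cover only delete/detach, which is adequate against aws-nuke but leaves `iam:UpdateAssumeRolePolicy`, `iam:PutRolePolicy` and `iam:AttachRolePolicy` open, so a principal can re-trust or re-permission these roles instead of deleting them; if the intent is role integrity rather than nuke protection alone, add them. The `ArnNotLike` exemption names only `AWSAFTExecution`, whereas Control Tower itself acts in member accounts through `AWSControlTowerExecution`, so confirm landing-zone updates still succeed under this SCP or add that role to the exemption list.

```hcl
  statement {
    sid    = "ProtectAWSControlTowerRoles"
    effect = "Deny"
    actions = [
      "iam:DeleteRole",
      "iam:DetachRolePolicy",
      "iam:DeleteRolePolicy",
      # service-linked roles are not removed through iam:DeleteRole
      "iam:DeleteServiceLinkedRole",
      # mutation actions: without these a principal can re-trust or re-permission the role rather than delete it
      "iam:UpdateAssumeRolePolicy",
      "iam:PutRolePolicy",
      "iam:AttachRolePolicy",
    ]
    resources = [
      "arn:aws:iam::*:role/AWSControlTower*",
      "arn:aws:iam::*:role/aws-controltower-*", # case-sensitive: not covered by AWSControlTower*
      "arn:aws:iam::*:role/aws-service-role/*"
    ]
    # … unchanged: ArnNotLike aws:PrincipalArn condition …
  }

  # … unchanged: ProtectSAMLProvider statement …

  statement {
    sid = "ProtectSSORoles"
    # … unchanged: effect, actions …
    resources = [
      # Identity Center roles live under this path; role/AWSReservedSSO_* never matched them
      "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
    ]
    # … unchanged: condition …
  }

  statement {
    sid    = "ProtectSSORolePolicies"
    effect = "Deny"
    # iam:DetachRolePolicy dropped here: it authorizes on the role ARN and can never match a policy/ resource
    actions = [
      "iam:DeletePolicy"
    ]
    # … unchanged: resources, condition …
  }
```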