From 89ecb294e880b035e638de3fa4f967b01922f3fe Mon Sep 17 00:00:00 2001
From: Guillaume Charest
Date: Tue, 23 Jul 2024 15:27:32 -0400
Subject: [PATCH 1/4] feat: setup narrower guardrails against aws Nuke

---
 .../org_account/organization/organizations.tf |  5 ++
 terragrunt/org_account/organization/scp.tf    | 88 +++++++++++++++++++
 2 files changed, 93 insertions(+)

diff --git a/terragrunt/org_account/organization/organizations.tf b/terragrunt/org_account/organization/organizations.tf
index 58787e57..54ca9bac 100644
--- a/terragrunt/org_account/organization/organizations.tf
+++ b/terragrunt/org_account/organization/organizations.tf
@@ -112,6 +112,11 @@ resource "aws_organizations_policy_attachment" "Test-cds_snc_universal_guardrail
   target_id = aws_organizations_organizational_unit.Test.id
 }
 
+resource "aws_organizations_policy_attachment" "Test-aws_nuke_guardrails" {
+  policy_id = aws_organizations_policy.aws_nuke_guardrails.id
+  target_id = aws_organizations_organizational_unit.Test.id
+}
+
 resource "aws_organizations_policy_attachment" "DumpsterFire-qurantine_deny_all_policy" {
   policy_id = aws_organizations_policy.qurantine_deny_all_policy.id
   target_id = aws_organizations_organizational_unit.DumpsterFire.id
diff --git a/terragrunt/org_account/organization/scp.tf b/terragrunt/org_account/organization/scp.tf
index 865e45f5..fc622f37 100644
--- a/terragrunt/org_account/organization/scp.tf
+++ b/terragrunt/org_account/organization/scp.tf
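Review bot: The new attachment targets only the Test OU, so the Control Tower role, SAML provider and SSO role protections in aws_nuke_guardrails do not reach accounts under the other OUs, where the same resources presumably exist as well. If this is a deliberate staged rollout, a comment on the resource saying so, e.g. `# Rolled out to the Test OU first; extend to the other OUs once validated`, would make the scope explicit; otherwise the attachment belongs on the root or on each OU that should be protected.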
@@ -180,3 +180,91 @@ resource "aws_organizations_policy" "qurantine_deny_all_policy" {
   type    = "SERVICE_CONTROL_POLICY"
   content = data.aws_iam_policy_document.qurantine_deny_all_policy.json
 }
+
+
+data "aws_iam_policy_document" "aws_nuke_guardrails" {
+  statement {
+
+    sid    = "ProtectAWSControlTowerRoles"
+    effect = "Deny"
+    actions = [
+      "iam:DeleteRole",
+      "iam:DeleteRolePolicy"
+    ]
+    resources = [
+      "arn:aws:iam::*:role/AWSControlTower*",
+      "arn:aws:iam::*:role/aws-service-role/*"
+    ]
+    condition {
+      test     = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "ProtectSAMLProvider"
+    effect = "Deny"
+    actions = [
+      "iam:DeleteSAMLProvider"
+    ]
+    resources = [
+      "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
+    ]
+    condition {
+      test     = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+
+
+  statement {
+    sid    = "ProtectSSORoles"
+    effect = "Deny"
+    actions = [
+      "iam:DeleteRole",
+      "iam:DetachRolePolicy",
+      "iam:DeleteRolePolicy"
+    ]
+    resources = [
+      "arn:aws:iam::*:role/AWSReservedSSO_*"
+    ]
+    condition {
+      test     = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "ProtectSSORolePolicies"
+    effect = "Deny"
+    actions = [
+      "iam:DetachRolePolicy",
+      "iam:DeletePolicy"
+    ]
+    resources = [
+      "arn:aws:iam::*:policy/AWSReservedSSO_*"
+    ]
+    condition {
+      test     = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+}
+
+resource "aws_organizations_policy" "aws_nuke_guardrails" {
+  name    = "Control Tower Guardrails"
+  type    = "SERVICE_CONTROL_POLICY"
+  content = data.aws_iam_policy_document.aws_nuke_guardrails.json
+}
\ No newline at end of file

From d6ef2798bcc18331f4bd6e223be2930e9858dfce Mon Sep 17 00:00:00 2001
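Review bot: In the ProtectSSORolePolicies statement, `iam:DetachRolePolicy` is listed against `arn:aws:iam::*:policy/AWSReservedSSO_*`, but that action is authorized on the role resource (with the policy identified through the `iam:PolicyARN` condition key), so this entry never matches; deleting the SSO-managed policies is covered by `iam:DeletePolicy`, and detaching them is only denied through ProtectSSORoles, which names the role ARN. If the intent is to deny detaching those specific policies from any role, use the role resource and add a `condition { test = "ArnLike" variable = "iam:PolicyARN" ... }` with the `AWSReservedSSO_*` policy pattern. The exemption `ArnNotLike aws:PrincipalArn arn:aws:iam::*:role/AWSAFTExecution` is name-based across every account, so the guardrail is only as strong as the controls over who may create or modify a role of that name in member accounts; pairing it with `aws:PrincipalAccount` or a deny on creating that role name elsewhere would close that gap. ProtectSAMLProvider denies only `iam:DeleteSAMLProvider`, while `iam:UpdateSAMLProvider` can disable SSO just as effectively and is worth adding. The file also ends without a trailing newline.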
From: Guillaume Charest
Date: Tue, 23 Jul 2024 15:34:14 -0400
Subject: [PATCH 2/4] fix: prevent detach role policy from AWS CT roles

---
 terragrunt/org_account/organization/scp.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/terragrunt/org_account/organization/scp.tf b/terragrunt/org_account/organization/scp.tf
index fc622f37..d6d7580d 100644
--- a/terragrunt/org_account/organization/scp.tf
+++ b/terragrunt/org_account/organization/scp.tf
@@ -189,6 +189,7 @@ data "aws_iam_policy_document" "aws_nuke_guardrails" {
     effect = "Deny"
     actions = [
       "iam:DeleteRole",
+      "iam:DetachRolePolicy",
       "iam:DeleteRolePolicy"
     ]
     resources = [

From 2dd2b943aef2a3e935d7711df51a04ab013d146c Mon Sep 17 00:00:00 2001
From: Guillaume Charest
Date: Tue, 23 Jul 2024 15:38:55 -0400
Subject: [PATCH 3/4] fix: revert duplicate detach statement

---
 terragrunt/org_account/organization/scp.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/terragrunt/org_account/organization/scp.tf b/terragrunt/org_account/organization/scp.tf
index d6d7580d..4378ef23 100644
--- a/terragrunt/org_account/organization/scp.tf
+++ b/terragrunt/org_account/organization/scp.tf
@@ -229,7 +229,6 @@ data "aws_iam_policy_document" "aws_nuke_guardrails" {
     effect = "Deny"
     actions = [
       "iam:DeleteRole",
-      "iam:DetachRolePolicy",
       "iam:DeleteRolePolicy"
     ]
     resources = [

From 7ce4f23055a75a75f62b2f71ac3c64fc138b25a2 Mon Sep 17 00:00:00 2001
From: Guillaume Charest
Date: Tue, 23 Jul 2024 15:47:29 -0400
Subject: [PATCH 4/4] fix: add deny detach role policy again

---
 terragrunt/org_account/organization/scp.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/terragrunt/org_account/organization/scp.tf b/terragrunt/org_account/organization/scp.tf
index 4378ef23..1d4baa83 100644
--- a/terragrunt/org_account/organization/scp.tf
+++ b/terragrunt/org_account/organization/scp.tf
@@ -229,7 +229,8 @@ data "aws_iam_policy_document" "aws_nuke_guardrails" {
     effect = "Deny"
     actions = [
       "iam:DeleteRole",
-      "iam:DeleteRolePolicy"
+      "iam:DeleteRolePolicy",
+      "iam:DetachRolePolicy"
     ]
     resources = [
       "arn:aws:iam::*:role/AWSReservedSSO_*"
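Review bot: PATCH 3/4 and this patch cancel out to a reorder of the `actions` list that PATCH 1/4 already had in ProtectSSORoles — the `iam:DetachRolePolicy` entry dropped there is re-added here below `iam:DeleteRolePolicy` — so the two commits are better squashed into PATCH 1/4 or 2/4, which also avoids a revision in the history where the SSO roles briefly lost the detach protection. Keeping the entry in this statement is what matters: ProtectSSORoles names the role ARN `arn:aws:iam::*:role/AWSReservedSSO_*`, which is the resource iam:DetachRolePolicy is evaluated against, whereas the same action in ProtectSSORolePolicies is scoped to a policy ARN and has no effect. The enclosing statement starts and ends outside the hunk.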