Policy changes rule must only revert SCPs; not backup or tag policies (#1169)

Author: joshvmaws

src/deployments/runtime/src/ou-validation-events/policy-changes.ts

@@ -83,12 +83,25 @@ export const handler = async (input: ScheduledEvent) => {
     return 'INVALID_REQUEST';
   }
 
-  if (await isControlTowerSCP(policyId)) {
-    console.log('Policy Changes Performed by Control Tower, No operation required');
+  // describe policy
+  const policyResponse = await organizations.describePolicy(policyId);
+  const policy = policyResponse.Policy;
+  if (!policy) {
+    console.error(`Invalid PolicyId provided ${policyId}`);
+    return false;
+  }
+
+  if (!isServiceControlPolicy(policy)) {
+    console.log('The policy is NOT of type SERVICE_CONTROL_POLICY; No operation required');
+    return 'NO_OPERATION_REQUIRED';
+  }
+
+  if (isControlTowerSCP(policy)) {
+    console.log('Policy Changes Performed by Control Tower; No operation required');
     return 'NO_OPERATION_REQUIRED';
   }
   const eventName = requestDetail.eventName;
-  if (!['DeletePolicy', 'AttachPolicy'].includes(eventName) && !(await isAcceleratorScp(policyId, scpNames))) {
+  if (!['DeletePolicy', 'AttachPolicy'].includes(eventName) && !isAcceleratorScp(policy, scpNames)) {
     console.log(`SCP ${policyId} is not managed by Accelerator`);
     return 'SUCCESS';
   }
@@ -155,15 +168,15 @@ export const handler = async (input: ScheduledEvent) => {
     );
     console.log(`SCP Names for Target are :: ${acclScpNames}`);
     if (eventName === 'AttachPolicy') {
-      if (await isAcceleratorScp(policyId, acclScpNames)) {
+      if (isAcceleratorScp(policy, acclScpNames)) {
         console.log('Accelerator Managed policy is attached');
         return 'IGNORE';
       }
       // Detach target from policy
       console.log(`Detaching target "${targetId}" from policy "${policyId}"`);
       await organizations.detachPolicy(policyId, targetId);
     } else {
-      if (!(await isAcceleratorScp(policyId, acclScpNames))) {
+      if (!isAcceleratorScp(policy, acclScpNames)) {
         console.log('Non Accelerator Managed policy is detached');
         return 'IGNORE';
       }
@@ -236,35 +249,44 @@ export const handler = async (input: ScheduledEvent) => {
   return 'SUCCESS';
 };
 
-async function isAcceleratorScp(policyId: string, scpNames: string[]): Promise<boolean> {
-  const policyResponse = await organizations.describePolicy(policyId);
-  const policy = policyResponse.Policy;
-  if (!policy) {
-    console.error(`Invalid PolicyId provided ${policyId}`);
-    return false;
-  }
+function isAcceleratorScp(policy: any, scpNames: string[]): boolean {
   const policyName = policy.PolicySummary?.Name;
   if (!policyName) {
+    console.error(`isAcceleratorScp - Invalid policy name`);
     return false;
   }
-  if (policyName !== FULL_AWS_ACCESS_POLICY_NAME && !scpNames.includes(policy.PolicySummary?.Name!)) {
+  if (policyName !== FULL_AWS_ACCESS_POLICY_NAME && !scpNames.includes(policyName!)) {
     console.error(`Policy is not handled through Accelerator`);
     return false;
   }
   return true;
 }
 
-async function isControlTowerSCP(policyId: string): Promise<boolean> {
-  const policyResponse = await organizations.describePolicy(policyId);
-  const policy = policyResponse.Policy;
-
+function isControlTowerSCP(policy: any): boolean {
   const policyName = policy?.PolicySummary?.Name;
   if (policyName?.startsWith('aws-guardrails-')) {
     return true;
   }
   return false;
 }
 
+/**
+ * Checks if the policy type is SERVICE_CONTROL_POLICY.
+ * @see https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/organizations.html#Organizations.Client.describe_policy
+ */
+function isServiceControlPolicy(policy: any): boolean {
+  const policyType: string = policy?.PolicySummary?.Type;
+  if (!policyType) {
+    console.error(`isServiceControlPolicy - Invalid policy type`);
+    return false;
+  }
+  console.log(`isServiceControlPolicy - Policy type : ${policyType}`);
+  if (policyType === 'SERVICE_CONTROL_POLICY') {
+    return true;
+  }
+  return false;
+}
+
 async function loadAccountsAndOrganizationsFromConfig(
   config: AcceleratorConfig,
 ): Promise<{ organizationalUnits: OrganizationalUnit[]; accounts: ConfigurationAccount[] }> {