
Commit bcf2c13

Feat/config rem mission profile perm (#662)
* Initial Push for Custom Config Rule * pushing packages * Fixing tests * Creating CustomConfigRule from source in ref-artifacts * Downloading Config-Rules and using them assets * Removing unused dependency * Removing dependency * Fixing construct names for iam role * Adding config rule lambda function for instance profile permission validation * Adding additional replacements * Fixing IAM Role creation for s3-copy-files * Reverting back S3-Copy-Files to older * Updating configuration files with respect to custom config-rules * Reverting using aws.Partition due to CDK allowing only qualifier, accountid and region overrides * removed unused import * Fixing rule param replacements * Fixing Empty value in request param * Updating config rule lambda function * Fixing remediation params replace * Supporting StringList Param for both config rule and remediation * Adding sample configuration * Fixing if policy doesn't exist in account * fix SCP Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>
1 parent df93ddc commit bcf2c13


10 files changed

+435
-70
lines changed


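--- a/reference-artifacts/SAMPLE_CONFIGS/config.example.json
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.example.json
@@ -536,6 +536,11 @@
 "name": "Attach-IAM-Instance-Profile",
 "description": "Attaches instance profiles to an EC2 instance",
 "template": "attach-iam-instance-profile.yaml"
+},
+{
+"name": "Attach-IAM-Role-Policy",
+"description": "Attachs Aws IAM Managed Policy to IAM Role.",
+"template": "attach-iam-role-policy.yaml"
 }
 ]
 }
@@ -560,6 +565,26 @@
 "InstanceId": "RESOURCE_ID"
 }
 },
+{
+"name": "EC2-INSTANCE-PROFILE-PERMISSIONS",
+"type": "custom",
+"resource-types": [
+"AWS::IAM::Role"
+],
+"runtime": "nodejs12.x",
+"parameters": {
+"AWSManagedPolicies": "AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess, CloudWatchAgentServerPolicy",
+"CustomerManagedPolicies": "${SEA::EC2InstaceProfilePermissions}",
+"ResourceId": "RESOURCE_ID"
+},
+"remediation": true,
+"remediation-action": "Attach-IAM-Role-Policy",
+"remediation-params": {
+"AWSManagedPolicies": ["AmazonSSMManagedInstanceCore", "AmazonSSMDirectoryServiceAccess", "CloudWatchAgentServerPolicy"],
+"CustomerManagedPolicies": ["${SEA::EC2InstaceProfilePermissions}"],
+"ResourceId": "RESOURCE_ID"
+}
+},
 {
 "name": "ELB_LOGGING_ENABLED",
 "remediation-action": "SSM-ELB-Enable-Logging",
@@ -2053,14 +2078,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",
@@ -2610,14 +2636,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",
@@ -3194,14 +3221,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",
@@ -3778,14 +3806,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",
@@ -4362,14 +4391,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",
@@ -4913,14 +4943,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",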
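Review bot: The replacement placeholder added at new lines 577 and 584 is spelled `${SEA::EC2InstaceProfilePermissions}` ("Instace"); if the accelerator's replacement map uses the conventional spelling, the token is never expanded and the literal string reaches both the rule and the remediation as a customer-managed policy name. Because `"remediation": true` attaches the listed AWS managed policies to the flagged `AWS::IAM::Role` automatically, and the commit message's "Fixing if policy doesn't exist in account" suggests a missing policy is tolerated rather than reported, the customer policies would presumably be skipped quietly while the role still appears remediated. If the replacement key really is spelled this way in the code, rename it there and here together; otherwise change both occurrences to `"${SEA::EC2InstanceProfilePermissions}"`. Separately, `"resource-types": ["AWS::IAM::Role"]` puts every role in scope and nothing in the entry shows the narrowing to instance-profile roles that the rule name implies, so that filter presumably lives in the Lambda; a short `"description"` on the rule entry, if the config schema allows one, would make that visible to whoever copies this sample. The same lines appear in reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json in this commit.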

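--- a/reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json
@@ -536,6 +536,11 @@
 "name": "Attach-IAM-Instance-Profile",
 "description": "Attaches instance profiles to an EC2 instance",
 "template": "attach-iam-instance-profile.yaml"
+},
+{
+"name": "Attach-IAM-Role-Policy",
+"description": "Attachs Aws IAM Managed Policy to IAM Role.",
+"template": "attach-iam-role-policy.yaml"
 }
 ]
 }
@@ -560,6 +565,26 @@
 "InstanceId": "RESOURCE_ID"
 }
 },
+{
+"name": "EC2-INSTANCE-PROFILE-PERMISSIONS",
+"type": "custom",
+"resource-types": [
+"AWS::IAM::Role"
+],
+"runtime": "nodejs12.x",
+"parameters": {
+"AWSManagedPolicies": "AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess, CloudWatchAgentServerPolicy",
+"CustomerManagedPolicies": "${SEA::EC2InstaceProfilePermissions}",
+"ResourceId": "RESOURCE_ID"
+},
+"remediation": true,
+"remediation-action": "Attach-IAM-Role-Policy",
+"remediation-params": {
+"AWSManagedPolicies": ["AmazonSSMManagedInstanceCore", "AmazonSSMDirectoryServiceAccess", "CloudWatchAgentServerPolicy"],
+"CustomerManagedPolicies": ["${SEA::EC2InstaceProfilePermissions}"],
+"ResourceId": "RESOURCE_ID"
+}
+},
 {
 "name": "ELB_LOGGING_ENABLED",
 "remediation-action": "SSM-ELB-Enable-Logging",
@@ -1990,14 +2015,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",
@@ -2547,14 +2573,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",
@@ -3131,14 +3158,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",
@@ -3715,14 +3743,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",
@@ -4299,14 +4328,15 @@
 {
 "account": "operations",
 "regions": ["${HOME_REGION}"],
-"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile"]
+"documents": ["SSM-ELB-Enable-Logging", "Put-S3-Encryption", "Attach-IAM-Instance-Profile", "Attach-IAM-Role-Policy"]
 }
 ],
 "aws-config": [
 {
 "excl-regions": [],
 "rules": [
 "EC2-INSTANCE-PROFILE",
+"EC2-INSTANCE-PROFILE-PERMISSIONS",
 "ELB_LOGGING_ENABLED",
 "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
 "ACCESS_KEYS_ROTATED",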
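Review bot: The policy list for the new EC2-INSTANCE-PROFILE-PERMISSIONS rule is written twice, as a comma-separated string under `parameters` (new line 576) and as a JSON array under `remediation-params` (new line 583), so what the rule evaluates and what the remediation attaches can drift apart as soon as one copy is edited. The commit description says StringList parameters are now supported for both the config rule and the remediation, so the array form could be used in both places, e.g. `"AWSManagedPolicies": ["AmazonSSMManagedInstanceCore", "AmazonSSMDirectoryServiceAccess", "CloudWatchAgentServerPolicy"],` under `parameters` as well, if the custom rule's Lambda accepts it. The new SSM document description at new line 542 reads `"Attachs Aws IAM Managed Policy to IAM Role."`; `"Attaches an AWS managed IAM policy to an IAM role."` would match the wording of the neighbouring Attach-IAM-Instance-Profile entry. Both points apply equally to reference-artifacts/SAMPLE_CONFIGS/config.example.json in this commit.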
