Revert "Fix for Issue# 1060: Cannot enforce an AWS Backup Policy (#1106)" (#1119)

This reverts commit 055c6a8.

Author: hickeydh-aws

reference-artifacts/SCPs/ASEA-Guardrails-Part0-CoreOUs.json

@@ -102,12 +102,9 @@
       "Action": [
         "acm:DeleteCert*",
         "acm:ExportCert*",
-        "acm:AddTagsToCert*",
         "acm:RemoveTagsFromCert*",
         "elasticloadbalancing:DeleteLoadBal*",
-        "elasticloadbalancing:DeleteTargetG*",
-        "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:RemoveTags"
+        "elasticloadbalancing:DeleteTargetG*"
       ],
       "Resource": "*",
       "Condition": {

reference-artifacts/SCPs/ASEA-Guardrails-Part0-WkldOUs.json

@@ -102,12 +102,9 @@
       "Action": [
         "acm:DeleteCert*",
         "acm:ExportCert*",
-        "acm:AddTagsToCert*",
         "acm:RemoveTagsFromCert*",
         "elasticloadbalancing:DeleteLoadBal*",
-        "elasticloadbalancing:DeleteTargetG*",
-        "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:RemoveTags"
+        "elasticloadbalancing:DeleteTargetG*"
       ],
       "Resource": "*",
       "Condition": {

reference-artifacts/SCPs/ASEA-Guardrails-Part1.json

@@ -8,8 +8,7 @@
         "ec2:DeleteSecurityGroup",
         "ec2:RevokeSecurityGroup*",
         "ec2:AuthorizeSecurityGroup*",
-        "ec2:CreateSecurityGroup",
-        "ec2:DeleteTags"
+        "ec2:CreateSecurityGroup"
       ],
       "Resource": "*",
       "Condition": {
@@ -222,8 +221,7 @@
         "ec2:DeleteSubnet",
         "ec2:DeleteRoute",
         "ec2:DetachInternetGateway",
-        "ec2:DisassociateRouteTable",
-        "ec2:DeleteTags"
+        "ec2:DisassociateRouteTable"
       ],
       "Resource": "*",
       "Condition": {

src/deployments/runtime/src/ou-validation-events/policy-changes.ts

@@ -83,25 +83,12 @@ export const handler = async (input: ScheduledEvent) => {
     return 'INVALID_REQUEST';
   }
 
-  // describe policy
-  const policyResponse = await organizations.describePolicy(policyId);
-  const policy = policyResponse.Policy;
-  if (!policy) {
-    console.error(`Invalid PolicyId provided ${policyId}`);
-    return false;
-  }
-
-  if (!isServiceControlPolicy(policy)) {
-    console.log('The policy is NOT of type SERVICE_CONTROL_POLICY; No operation required');
-    return 'NO_OPERATION_REQUIRED';
-  }
-
-  if (isControlTowerSCP(policy)) {
-    console.log('Policy Changes Performed by Control Tower; No operation required');
+  if (await isControlTowerSCP(policyId)) {
+    console.log('Policy Changes Performed by Control Tower, No operation required');
     return 'NO_OPERATION_REQUIRED';
   }
   const eventName = requestDetail.eventName;
-  if (!['DeletePolicy', 'AttachPolicy'].includes(eventName) && !isAcceleratorScp(policy, scpNames)) {
+  if (!['DeletePolicy', 'AttachPolicy'].includes(eventName) && !(await isAcceleratorScp(policyId, scpNames))) {
     console.log(`SCP ${policyId} is not managed by Accelerator`);
     return 'SUCCESS';
   }
@@ -168,15 +155,15 @@ export const handler = async (input: ScheduledEvent) => {
     );
     console.log(`SCP Names for Target are :: ${acclScpNames}`);
     if (eventName === 'AttachPolicy') {
-      if (isAcceleratorScp(policy, acclScpNames)) {
+      if (await isAcceleratorScp(policyId, acclScpNames)) {
         console.log('Accelerator Managed policy is attached');
         return 'IGNORE';
       }
       // Detach target from policy
       console.log(`Detaching target "${targetId}" from policy "${policyId}"`);
       await organizations.detachPolicy(policyId, targetId);
     } else {
-      if (!isAcceleratorScp(policy, acclScpNames)) {
+      if (!(await isAcceleratorScp(policyId, acclScpNames))) {
         console.log('Non Accelerator Managed policy is detached');
         return 'IGNORE';
       }
@@ -249,44 +236,35 @@ export const handler = async (input: ScheduledEvent) => {
   return 'SUCCESS';
 };
 
-function isAcceleratorScp(policy: any, scpNames: string[]): boolean {
+async function isAcceleratorScp(policyId: string, scpNames: string[]): Promise<boolean> {
+  const policyResponse = await organizations.describePolicy(policyId);
+  const policy = policyResponse.Policy;
+  if (!policy) {
+    console.error(`Invalid PolicyId provided ${policyId}`);
+    return false;
+  }
   const policyName = policy.PolicySummary?.Name;
   if (!policyName) {
-    console.error(`isAcceleratorScp - Invalid policy name`);
     return false;
   }
-  if (policyName !== FULL_AWS_ACCESS_POLICY_NAME && !scpNames.includes(policyName!)) {
+  if (policyName !== FULL_AWS_ACCESS_POLICY_NAME && !scpNames.includes(policy.PolicySummary?.Name!)) {
     console.error(`Policy is not handled through Accelerator`);
     return false;
   }
   return true;
 }
 
-function isControlTowerSCP(policy: any): boolean {
+async function isControlTowerSCP(policyId: string): Promise<boolean> {
+  const policyResponse = await organizations.describePolicy(policyId);
+  const policy = policyResponse.Policy;
+
   const policyName = policy?.PolicySummary?.Name;
   if (policyName?.startsWith('aws-guardrails-')) {
     return true;
   }
   return false;
 }
 
-/**
- * Checks if the policy type is SERVICE_CONTROL_POLICY.
- * @see https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/organizations.html#Organizations.Client.describe_policy
- */
-function isServiceControlPolicy(policy: any): boolean {
-  const policyType: string = policy?.PolicySummary?.Type;
-  if (!policyType) {
-    console.error(`isServiceControlPolicy - Invalid policy type`);
-    return false;
-  }
-  console.log(`isServiceControlPolicy - Policy type : ${policyType}`);
-  if (policyType === 'SERVICE_CONTROL_POLICY') {
-    return true;
-  }
-  return false;
-}
-
 async function loadAccountsAndOrganizationsFromConfig(
   config: AcceleratorConfig,
 ): Promise<{ organizationalUnits: OrganizationalUnit[]; accounts: ConfigurationAccount[] }> {