In a recent project, I was tasked with deploying an IAM policy through CloudFormation. As IAM policies have the potential to grant permissions to other accounts, they can pose a significant threat to our own account. To mitigate this risk, I researched ways to proactively check IAM policies before they are deployed. This led me to discover the IAM Access Analyzer API, which can be integrated into a CI/CD pipeline to catch potential security issues before they become a problem.
IAM Policy Validator for AWS CloudFormation
The IAM Policy Validator for AWS CloudFormation (cfn-policy-validator) is a command-line tool that parses resource-based and identity-based IAM policies from CloudFormation templates and executes the IAM Access Analyzer API. This tool is designed to run in CI/CD pipelines deploying CloudFormation templates and prevent deployments when certain IAM Access Analyzer findings are detected. This ensures that the IAM policies of the CloudFormation template pass validation before deployment.
- Create an AWS CodeCommit repository to store your CloudFormation template.
- open code commit in management console
- Click create repository
- fill the repository name and discription of why we are creating this repository
- Click create
we can use any IDE for this time i am using Cloud9 as it write, run, and debug your code with just a browser
Connecting CodeCommit with Cloud9
- Set the initial default branch to main
git config --global init.defaultBranch main
- now use git clone to copy all the files and history from the repository. we can get the https link from codecommit as shown in the picture
git clone https://git-codecommit.your .amazonaws.com/v1/repos/xxxxxxxxxxxx
- lest push some code to codecommit
- create a file with text
- echo "trying Access analyzer" > readme.md
- adding the file in the repository
- git add .
- commit all the staged changes to the repository
- git commit -m "initial commit"
- pushing this repository to codecommit
- git push
- validate the changes in code commit
- Set the initial default branch to main
- Create one CodeBuild projects, cfn-policy-validator. The projects should have the necessary permissions to access the CodeCommit repository.
- Select Create build project.
- In the Create a build project page, provide a name for the project, and select the repository provider as AWS CodeCommit.
- Select the CodeCommit repository that contains your CloudFormation template.
- In the Environment section, choose the runtime environment for your project. You'll need to install cfn-lint and cfn-policy-validator as part of your buildspec.yml file
version: 0.2 phases: install: commands: - pip3 install cfn-lint build: commands: - cfn-lint template.json
- In the Service role section, choose Use an existing service role, and select the IAM role that you created for the CodeBuild projects. This role should have permissions to access the CodeCommit repository and the S3 bucket
- In the Artifacts section, choose No artifacts.
- In the Logs section, choose a log group
- Click on Create build project
- Create an IAM role for the pipeline that has permissions to access the CodeCommit repository and the CodeBuild projects.
- Create an IAM role for deploying the CloudFormation template that has the necessary permissions.
- Create a CodePipeline and configure it to use the CodeCommit repository as the source, the two CodeBuild projects as the build stage, and CloudFormation as the deploy stage.
- In the CodePipeline configuration, specify the branch [main] to be used, the path of the template and configuration files, and the name of the CloudFormation stack to be deployed.
- Add the IAM role created in step 5 as the pipeline role and the IAM role created in step 6 as the CloudFormation role.
- Test the pipeline by making changes to the CloudFormation template in the CodeCommit repository and observing the pipeline stages
- Open the code build to see the finding.
- We can then fix our template This allows us to confidently and securely deploy our CloudFormation templates.
The workshop was a bit complex and required some troubleshooting, but it was worth the effort as it will save time in the future by automatically checking IAM policies before deploying new CloudFormation templates. I plan to write a blog post about this informative workshop, and in the meantime, I'll continue to explore the innovative capabilities of AWS.