We have an AWS account, someAWSAccount, and we assume the role someaccountrole with instance profile name p in AWS.
A managed policy named some-permission-boundary is created in this account (someAWSAccount). The purpose of creating this boundary policy in this account is explained below.
The requirement is:
Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Events:
        MySQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt SomeQueue.Arn
            BatchSize: 10
      PermissionsBoundary: !Sub "arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary"
  SomeQueue:
    Type: AWS::SQS::Queue
to enforce some rules on the AWS resources generated from the above SAM template, by requiring the SAM template to have PermissionsBoundary: "arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary" as part of the Properties list,
so that any AWS resource type (like Lambda, SQS, roles, policies, etc.) that is created during
sam deploy --template-file above-SAM-template --stack-name somestack --profile p
complies with the rules mentioned in arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary.
Developers write these SAM templates, and the security team needs to make sure that sam deploy does not work until this PermissionsBoundary property is part of the Properties list of the SAM template.
So, for this, we are thinking of designing another managed policy in someAWSAccount that makes sure sam deploy fails if the SAM template does not have this entry: sam deploy --template-file above-SAM-template --profile p
What should the deployer policy (managed policy) look like to enforce this rule? Which Principal should be assigned this deployer policy?
Or do you suggest an alternate approach?
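The following is an added example, not code from the question or from AWS. It builds the kind of deployer policy the question asks about: the IAM condition key iam:PermissionsBoundary makes iam:CreateRole and the role-policy actions succeed only when the request carries the required boundary, and explicit Deny statements stop the deployer from removing a boundary or editing the boundary policy itself. The policy belongs on the principal whose credentials run sam deploy, i.e. the role behind profile p, since CloudFormation creates the stack's roles with the caller's permissions unless a separate service role is passed. The account id, statement Sids and the in-memory copy of the template are constructed placeholders. A second function shows a pre-deploy lint of the template; note that a permissions boundary applies only to IAM roles and users, so resources such as the SQS queue are not covered by it.

```python
import copy
import json

# Constructed placeholder; the question names the account only as "someAWSAccount".
ACCOUNT_ID = "123456789012"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/some-permission-boundary"


def deployer_policy(account_id: str, boundary_arn: str) -> dict:
    """Managed policy for the deployer principal (the role behind profile p).
    Role creation and role-policy changes are allowed only when the request
    sets the required boundary (iam:PermissionsBoundary condition key); taking a
    boundary off a role or changing the boundary policy is denied. Sids are hypothetical."""
    with_boundary = {"StringEquals": {"iam:PermissionsBoundary": boundary_arn}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateRolesOnlyWithBoundary",
                "Effect": "Allow",
                "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
                "Resource": f"arn:aws:iam::{account_id}:role/*",
                "Condition": with_boundary,
            },
            {
                "Sid": "ManageRolePoliciesOnlyWithBoundary",
                "Effect": "Allow",
                "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy",
                           "iam:PutRolePolicy", "iam:DeleteRolePolicy"],
                "Resource": f"arn:aws:iam::{account_id}:role/*",
                "Condition": with_boundary,
            },
            {
                "Sid": "NeverRemoveBoundary",
                "Effect": "Deny",
                "Action": "iam:DeleteRolePermissionsBoundary",
                "Resource": "*",
            },
            {
                "Sid": "BoundaryPolicyIsReadOnly",
                "Effect": "Deny",
                "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                           "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
                "Resource": boundary_arn,
            },
        ],
    }


def functions_missing_boundary(template: dict, boundary_arn: str) -> list:
    """Pre-deploy check: logical ids of AWS::Serverless::Function resources whose
    Properties lack the required PermissionsBoundary. Accepts the literal ARN or
    the !Sub form with ${AWS::AccountId}. Only IAM principals carry boundaries,
    so other resource types (AWS::SQS::Queue here) are deliberately skipped."""
    account_id = boundary_arn.split(":")[4]
    accepted = {boundary_arn, boundary_arn.replace(account_id, "${AWS::AccountId}")}
    missing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Serverless::Function":
            continue
        value = resource.get("Properties", {}).get("PermissionsBoundary")
        if isinstance(value, dict):          # !Sub loads as {"Fn::Sub": "..."}
            value = value.get("Fn::Sub")
        if value not in accepted:
            missing.append(logical_id)
    return missing


# Constructed in-memory form of the template in the question (boundary present).
COMPLIANT_TEMPLATE = {
    "Resources": {
        "HelloWorldFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "CodeUri": "hello-world/",
                "Handler": "app.LambdaHandler",
                "Runtime": "nodejs8.10",
                "Events": {"MySQSEvent": {"Type": "SQS", "Properties": {
                    "Queue": {"Fn::GetAtt": ["SomeQueue", "Arn"]}, "BatchSize": 10}}},
                "PermissionsBoundary": {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary"},
            },
        },
        "SomeQueue": {"Type": "AWS::SQS::Queue"},
    }
}


def without_boundary(template: dict) -> dict:
    """Copy of the template with PermissionsBoundary stripped from every resource."""
    stripped = copy.deepcopy(template)
    for resource in stripped["Resources"].values():
        resource.get("Properties", {}).pop("PermissionsBoundary", None)
    return stripped


if __name__ == "__main__":
    print(json.dumps(deployer_policy(ACCOUNT_ID, BOUNDARY_ARN), indent=2))
    print("missing:", functions_missing_boundary(COMPLIANT_TEMPLATE, BOUNDARY_ARN))
    print("missing:", functions_missing_boundary(without_boundary(COMPLIANT_TEMPLATE), BOUNDARY_ARN))
```

The IAM condition is the actual control: with it, a sam deploy from profile p whose template omits PermissionsBoundary fails when CloudFormation tries iam:CreateRole, and the stack rolls back. The template lint is only a faster, client-side signal for developers and should not replace the policy.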