CloudFormation vs Engineers: How to protect your CloudFormation managed AWS account from human intervention
To eliminate human error as much as possible I advised you to follow the idea of Infrastructure as Code implemented by AWS CloudFormation. Changes to your infrastructure like launching a new virtual server or making changes to a firewall configuration are no longer done manually. Instead you change the description of your infrastructure and let CloudFormation apply the changes.
A common problem with CloudFormation are manual changes to resources managed by CloudFormation. A manual change to your AWS account can conflict with what CloudFormation has done before. If you apply the next update to your infrastructure with CloudFormation things can become worse because CloudFormation can no longer figure out what to do. To prevent human intervention at all I advised you to use
ReadOnlyAccess in an earlier post.
This may sound very restrictive to you but this post will show you how to implement the idea with ease.
Problems of the solution
ReadOnlyAccess comes with a problem: you can’t create or modify any resources. But most often your job is to solve problems so you will need to create or modify AWS resources. To create a stack based on a CloudFormation template you will need all those IAM permissions that are needed to create the resources described in the template. This will most likely include very sensitive resources like IAM roles.
I want to show you how you can follow the
ReadOnlyAccess principle without:
- slowing you down
Lambda functions run inside their own execution role
If you create a Lambda function that basically wraps the SDK call to create a CloudFormation stack you can allow the lambda function to do everything in your AWS account because you make sure that this function can only be modified by a handful of trusted people while everyone can invoke the function to create stacks they need. The supported API calls by the Lambda function are well defined. It is only possible to create (update or delete) CloudFormation stacks. The code of the lambda function looks as simple as this:
var AWS = require('aws-sdk');
ReadOnlyAccess of you normal users you can add the inline policy to allow your users to invoke the lambda functions that wrap calls to the CloudFormation service like this:
If you need a step-by-step instruction from setting up Lambda to adjusting your IAM role used by your users follow the detailed instruction on GitHub.
With the help of Lambda you can run code with an execution role that has nothing to do with the IAM permissions of the invoker of the Lambda function. The invoker only needs the access rights to invoke the Lambda function. With this technique you can wrap API calls that need most likely
AdministratorAccess to do their job. The wrapper function can than be called by less privileged users. With this trick you can use
ReadOnlyAccess to manage your AWS account with the exception to invoke a few Lambda functions.