Following on from part 1, let’s continue with the pipeline creation. In this scenario, CDK Pipelines is the preferred tool to make this possible. In the third part, you can explore the same approach with Terraform and an Amazon CodeCatalyst project.
AWS IAM Access Analyzer: AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM provides the infrastructure necessary to control authentication and authorization for your AWS accounts.
AWS Cloud Development Kit (CDK): an open-source software development framework for defining your cloud application resources using familiar programming languages.
AWS CodeBuild: fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.
AWS CodePipeline: fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.
AWS Key Management Service (AWS KMS): lets you create, manage, and control cryptographic keys across your applications and more than 100 AWS services.
AWS CloudFormation: Speed up cloud provisioning with infrastructure as code.
AWS Lambda: A serverless compute service that lets you run code without provisioning or managing servers, build workload-based cluster scaling logic, maintain event integrations, or manage runtimes.
AWS Chatbot: Monitor, operate, and troubleshoot your AWS resources with interactive ChatOps.
Figure 1 depicts the solution architecture according to best practices:
Figure 1. Continuous authorization using AWS Developer Tools
1- The IaC is hosted in a private GitHub repository.
2- The first stage of the CDK pipeline synthesizes the app and applies self-mutation.
3- The policies are scanned by the validate_aws_policies tool, which pushes the reports into an S3 bucket.
4- The DevSecOps admin or SecOps engineer reviews the findings and accepts or rejects the changes.
5- The permission set changes are provisioned in both accounts. You can modify this to apply the changes to only one account, but keep in mind that in this case the same team manages both accounts.
The delegated administrator can’t modify or alter permission sets provisioned in the management account.
You must manage IAM Identity Center for both account instances (delegated and management account).
Hands On
It’s time to create some code. 😃
First, delegate the IAM Identity Center administration using the AWS console or through the API:
Sign in to the AWS Management Console using the credentials of your management account in AWS Organizations. Management account credentials are required to run the RegisterDelegatedAdministrator API.
Select the Region where IAM Identity Center is enabled, and then open the IAM Identity Center console.
Choose Settings, and then select the Management tab.
In the Delegated administrator section, choose Register account.
On the Register delegated administrator page, select the AWS account you want to register, and then choose Register account.
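The same delegation can be done through the API instead of the console. The following POSIX shell script is an added example, not code from the original post or its project; it assumes the AWS CLI is installed and that the shell is already authenticated with management-account credentials, which the RegisterDelegatedAdministrator API requires. IAM Identity Center registers with AWS Organizations under the service principal sso.amazonaws.com, and the management account cannot be its own delegated administrator, so the script refuses that case before calling AWS.

```shell
# Delegate IAM Identity Center administration to a member account with the AWS CLI.
# Added example; assumes the AWS CLI and management-account credentials are available.
# Set DRY_RUN=1 to print the commands instead of calling AWS.

# Service principal under which IAM Identity Center is delegated in AWS Organizations.
SSO_SERVICE_PRINCIPAL="sso.amazonaws.com"

# An AWS account ID is exactly 12 decimal digits.
validate_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the registration command for a member account ($1), given the
# management account ID ($2). Fails on malformed IDs or when the member
# account is the management account itself (only member accounts can be
# delegated administrators).
build_register_command() {
  member="$1"
  management="$2"
  validate_account_id "$member" || { echo "invalid member account id: $member" >&2; return 1; }
  validate_account_id "$management" || { echo "invalid management account id: $management" >&2; return 1; }
  if [ "$member" = "$management" ]; then
    echo "refusing to delegate to the management account itself" >&2
    return 1
  fi
  printf 'aws organizations register-delegated-administrator --account-id %s --service-principal %s\n' \
    "$member" "$SSO_SERVICE_PRINCIPAL"
}

# Register the delegated administrator, then list the delegated administrators
# for the IAM Identity Center service principal so the change can be verified.
register_sso_delegated_admin() {
  cmd=$(build_register_command "$1" "$2") || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$cmd"
    echo "aws organizations list-delegated-administrators --service-principal $SSO_SERVICE_PRINCIPAL"
    return 0
  fi
  $cmd
  aws organizations list-delegated-administrators --service-principal "$SSO_SERVICE_PRINCIPAL"
}

# Usage (placeholder IDs): DRY_RUN=1 register_sso_delegated_admin 111111111111 222222222222
```

The list-delegated-administrators call at the end is the check a reviewer wants after delegation: the target account should appear with sso.amazonaws.com, and no unexpected account should.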
Now, parametrize the project properties according to the template, as follows:
Get the values from the IAM Identity Center settings; you need the instance ID and the instance ARN.
Figure 2. SSO instance information.
Get the group’s principal ID from the console, or run a tool like reverse_diagrams to get this information. For example:
Now, parametrize the project properties according to your environment: create the permission set block in the project properties according to the managed or custom policies for the permission set, for example:
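Before the pipeline provisions anything, the instance values, group principal IDs and permission set blocks gathered in the steps above can be checked together, which is also where the policy scan of step 3 and the review gate of step 4 fit. The Python script below is an added example, not the project’s own code or its validate_aws_policies tool; the shape of the project properties (the keys sso_instance, principals, accounts and permission_sets) is an assumption for this example, the sample values are constructed placeholders, and the findings list stands in for the report that the real pipeline pushes to S3 (the upload is left out so the script runs offline).

```python
"""Review permission set project properties before they are provisioned.

Added example (not from the original post). The property layout is an
assumption; all identifiers below are constructed placeholders.
"""
import json
import re
import uuid

# Constructed sample input: one reasonable permission set and one that should be rejected.
SAMPLE_PROJECT_PROPERTIES = {
    "sso_instance": {
        "instance_id": "ssoins-0000000000000000",
        "instance_arn": "arn:aws:sso:::instance/ssoins-0000000000000000",
    },
    # group name -> Identity Store group (principal) ID, as read from the console
    "principals": {"SecOpsEngineers": "11111111-2222-3333-4444-555555555555"},
    "accounts": {"delegated": "111111111111", "management": "222222222222"},
    "permission_sets": [
        {
            "name": "AuditorReadOnly",
            "session_duration": "PT2H",
            "managed_policies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
            "inline_policy": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::reports-bucket-placeholder/*"}]},
            "assignments": [{"principal": "SecOpsEngineers", "principal_type": "GROUP", "account": "delegated"}],
        },
        {
            "name": "BreakGlass",
            "session_duration": "PT24H",  # above the 12 hour maximum
            "managed_policies": [],
            "inline_policy": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
            "assignments": [{"principal": "UnknownGroup", "principal_type": "GROUP", "account": "delegated"}],
        },
    ],
}

_PS_NAME = re.compile(r"^[\w+=,.@-]{1,32}$")   # permission set name constraint
_SESSION = re.compile(r"^PT(\d+)H$")           # assumption: whole hours only
_AWS_MANAGED = re.compile(r"^arn:aws:iam::aws:policy/.+$")
_SENSITIVE_SERVICES = {"iam", "sts", "sso", "organizations", "kms"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _finding(ps_name, severity, message):
    return {"permission_set": ps_name, "severity": severity, "message": message}


def scan_inline_policy(ps_name, policy):
    """Flag over-permissive Allow statements in a permission set's inline policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(_finding(ps_name, "HIGH", "Allow with NotAction grants everything not listed"))
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(_finding(ps_name, "HIGH", "Allow */* grants full administrative access"))
            continue
        for action in actions:
            service, _, verb = action.partition(":")
            if verb == "*" and service in _SENSITIVE_SERVICES:
                findings.append(_finding(ps_name, "HIGH", f"wildcard action {action} on a sensitive service"))
    return findings


def review_permission_set(props, ps):
    """Check one permission set block: name, session duration, policies, assignments."""
    name = ps.get("name", "<unnamed>")
    findings = []
    if not _PS_NAME.match(name):
        findings.append(_finding(name, "ERROR", "name must be 1-32 chars of [A-Za-z0-9_+=,.@-]"))
    match = _SESSION.match(ps.get("session_duration", ""))
    if not match or not 1 <= int(match.group(1)) <= 12:
        findings.append(_finding(name, "ERROR", "session_duration must be between PT1H and PT12H"))
    for arn in ps.get("managed_policies", []):
        if not _AWS_MANAGED.match(arn):
            findings.append(_finding(name, "ERROR", f"not an AWS managed policy ARN: {arn}"))
    if "inline_policy" in ps:
        findings.extend(scan_inline_policy(name, ps["inline_policy"]))
    for assignment in ps.get("assignments", []):
        principal_id = props["principals"].get(assignment.get("principal"))
        if principal_id is None:
            findings.append(_finding(name, "ERROR", f"unknown principal {assignment.get('principal')!r}"))
        else:
            try:
                uuid.UUID(principal_id)  # Identity Store group IDs are UUID-shaped
            except ValueError:
                findings.append(_finding(name, "ERROR", f"principal ID for {assignment['principal']} is not a UUID"))
        if assignment.get("account") not in props["accounts"]:
            findings.append(_finding(name, "ERROR", f"unknown target account {assignment.get('account')!r}"))
    return findings


def review_project(props):
    """Check the instance block and every permission set; returns the findings report."""
    findings = []
    if not props.get("sso_instance", {}).get("instance_arn", "").startswith("arn:aws:sso:::instance/ssoins-"):
        findings.append(_finding("-", "ERROR", "sso_instance.instance_arn is not an IAM Identity Center instance ARN"))
    for ps in props.get("permission_sets", []):
        findings.extend(review_permission_set(props, ps))
    return findings


def approve(findings):
    """Review gate: any ERROR or HIGH finding blocks the change."""
    return not any(f["severity"] in ("ERROR", "HIGH") for f in findings)


if __name__ == "__main__":
    report = review_project(SAMPLE_PROJECT_PROPERTIES)
    print(json.dumps(report, indent=2))
    print("approved" if approve(report) else "rejected")
```

Run stand-alone, the script rejects the sample because the BreakGlass block has a 24 hour session, a */* inline statement and an unresolved group name, while AuditorReadOnly passes. In the pipeline, the JSON report is what would be written to the S3 bucket for the reviewer in step 4.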
The cdk.json file tells the CDK Toolkit how to execute your app.
This project is set up like a standard Python project. The initialization process also creates a virtualenv within this project, stored under the .venv directory. To create the virtualenv it assumes that there is a python3 (or python for Windows) executable in your path with access to the venv package. If for any reason the automatic creation of the virtualenv fails, you can create the virtualenv manually.
To manually create a virtualenv on MacOS and Linux:
$ python3 -m venv .venv
After the init process completes and the virtualenv is created, you can use the…