🐈 Schrodinger's Course 👨🏫 and Inventorying IAM Role Permissions
Run automation to make a copy of every IAM policy attached to your roles
Great to be back. This is Unlimited Leave, the AWS Management and Governance Newsletter that is different the moment it is observed.
Credit: Kayla Mahoney
I’ve returned from a glorious vacation down south and as I had hoped, nothing blew up. I responded to one Slack message with a link to the documentation.
The rest of the 7-day trip I spent watching my kids jump in a pool. It was way more relaxing than it sounds.
I’m happy to be back and have some wonderful information to share.
This week's topics
Export a copy of all IAM Permissions Policies
AWS Announcements Blogs that caught my attention
Greenfield… is a GO!
Export (backup) IAM Policy Documents
In full transparency, ChatGPT 3.5 wrote most of this for me. In the ReadMe.md of the repository is a brief rundown of the prompts and process I used to create it. I had to make a couple of tweaks but I’m fascinated more and more every day with how I can use ChatGPT to save me boatloads of time.
In the most basic description, this Python script exports the IAM policy documents, in JSON format, for every policy (managed and inline) attached to every role in an AWS account.
My specific use case: I’m about to engage in a large-scale migration of accounts from one AWS Organization to multiple others. In the process, previously staged resources (enterprise federated access, security agents/monitoring, etc.) are going to be removed, and it is possible roles and/or policies are going to go with those resources.
This script is just a low-impact way to make a copy of everything: role names, the names of attached inline, customer-managed, or AWS-managed policies, and the contents of those policies.
I haven’t done it yet, but I could see this as a Lambda function or a scheduled SSM Run Command document that takes a daily or weekly snapshot of permissions and stores it in a version-enabled S3 bucket in the account, just to have a backup of permissions over time. If something stops working or throws access denied errors, you can go back and see what the permissions used to be.
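The following is an added example of the export described above, written for this page and not the script from the author's repository. It walks every role with the IAM API, captures the trust policy as well as the inline and managed policy documents, fetches each managed policy only once (AWS-managed policies are shared by many roles), and writes the result with sorted keys so that successive snapshots in a version-enabled bucket diff cleanly. It assumes boto3 is installed and that the caller has `iam:ListRoles`, `iam:ListRolePolicies`, `iam:GetRolePolicy`, `iam:ListAttachedRolePolicies`, `iam:GetPolicy` and `iam:GetPolicyVersion`; the bucket name, object key and output file name are placeholders.

```python
"""Snapshot every policy document attached to every IAM role in an account.

Added example (not the newsletter author's script). Requires boto3 only
when run against a real account; the export logic takes any object with
the same method names, so it can be exercised offline with a stub.
"""
import json
from datetime import datetime, timezone


def _paginate(method, result_key, **kwargs):
    """Walk a Marker/IsTruncated paginated IAM call and yield every item."""
    params = dict(kwargs)
    while True:
        page = method(**params)
        yield from page[result_key]
        if not page.get("IsTruncated"):
            break
        params["Marker"] = page["Marker"]  # continue from the last item


def _as_document(doc):
    """boto3 URL-decodes policy documents into dicts; accept raw JSON strings too."""
    return json.loads(doc) if isinstance(doc, str) else doc


def export_role_policies(iam):
    """Return {"roles": {...}, "managed_policies": {...}} for every role.

    `iam` is a boto3 IAM client (or a stub exposing the same calls).
    Managed policies are stored once per ARN and referenced by the roles
    that attach them, which keeps API calls and file size down.
    """
    managed = {}
    snapshot = {"roles": {}, "managed_policies": managed}

    for role in _paginate(iam.list_roles, "Roles"):
        name = role["RoleName"]
        entry = {
            "arn": role["Arn"],
            # The trust policy is what lets principals assume the role; losing
            # it during a migration is as painful as losing a permissions policy.
            "trust_policy": _as_document(role["AssumeRolePolicyDocument"]),
            "inline_policies": {},
            "attached_policies": [],
        }
        for pname in _paginate(iam.list_role_policies, "PolicyNames", RoleName=name):
            resp = iam.get_role_policy(RoleName=name, PolicyName=pname)
            entry["inline_policies"][pname] = _as_document(resp["PolicyDocument"])
        for att in _paginate(iam.list_attached_role_policies, "AttachedPolicies",
                             RoleName=name):
            arn = att["PolicyArn"]
            entry["attached_policies"].append(arn)
            if arn not in managed:
                # Only the default version is live, so that is the one to back up.
                version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
                doc = iam.get_policy_version(PolicyArn=arn, VersionId=version)
                managed[arn] = {
                    "name": att["PolicyName"],
                    # AWS-managed policies live under the "aws" pseudo-account
                    # in every partition (aws, aws-cn, aws-us-gov).
                    "scope": "aws" if ":iam::aws:policy/" in arn else "customer",
                    "default_version": version,
                    "document": _as_document(doc["PolicyVersion"]["Document"]),
                }
        snapshot["roles"][name] = entry
    return snapshot


def render_snapshot(snapshot):
    """Serialise with sorted keys so two snapshots can be diffed line by line."""
    stamped = dict(snapshot, exported_at=datetime.now(timezone.utc).isoformat())
    return json.dumps(stamped, indent=2, sort_keys=True)


def upload_snapshot(s3, snapshot, bucket, key):
    """Put the JSON into a version-enabled bucket; each run becomes a new object version.

    Returns the new VersionId, or None if versioning is not enabled on the bucket.
    """
    resp = s3.put_object(Bucket=bucket, Key=key, Body=render_snapshot(snapshot).encode())
    return resp.get("VersionId")


if __name__ == "__main__":
    import boto3  # imported here so the module also loads without boto3 for offline use

    snap = export_role_policies(boto3.client("iam"))
    with open("iam-role-policies.json", "w") as fh:  # placeholder file name
        fh.write(render_snapshot(snap))
    # Optional: keep history in a version-enabled bucket (placeholder names).
    # print(upload_snapshot(boto3.client("s3"), snap, "my-iam-backups", "iam/roles.json"))
```

Run it with any credentials profile that has the read-only IAM permissions listed above; to restore, the `trust_policy` and `inline_policies` documents can be fed straight back to `create_role`/`put_role_policy`, and `attached_policies` lists the ARNs to re-attach. Note that this snapshot covers roles only; users, groups, permission boundaries and resource-based policies (S3 bucket policies, KMS key policies) would need their own export.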
Announcements & Blogs
There are quite a few updates that caught my eye these last 2 weeks. Here are the most impactful in my opinion regarding M&G.
AWS Service Catalog announces support for Terraform open source (via this post) - I’m pretty excited about this even though I deploy M&G primarily with CloudFormation for many different reasons. While I haven’t configured this yet, the process doesn’t actually seem trivial for multiple account configurations.
Amazon GuardDuty simplifies enforcement of threat detection across all accounts in an Organization - any time the multi-account functionality of delegated services is enhanced I’m paying attention. Instead of missing accounts where the service is not enabled, it can now be enforced by the organization.
AWS Systems Manager Incident Manager announces the launch of on-call schedules - more gee-whiz than anything, but I like the ability for critical infrastructure teams to get notifications of issues straight from the horse's mouth. Think about responding to incident text messages with SSM Runbooks to reboot servers, etc. while you're getting your laptop booted up on the weekend. No integrations are required.
Helpful Blog Posts
AWS Organizations, moving an organization member account to another organization: Part 1 (of 3) - surprising that this is such a recent post. For me, this is more relevant than ever with a pending large-scale migration. Definitely won’t hurt to review to make sure I’m not missing anything.
What happens when you leak AWS credentials and how AWS minimizes the damage - Great write-up of how AWS helps protect your leaked credentials. In order to pass an AWS MSP Audit, you have to trigger alerts on Trusted Advisor for this. I tested this almost 2 years ago. Here is my write-up.
How to govern your Multi-Region and Multi-account AWS Organization with Terraform - This is a post digging into the 2-year-old Account Factory for Terraform but expresses hangups with multi-region management. A beef I’ve had with TF for a while.
Greenfield Organizations Course is a go for 🚀
I’d be lying if I said pre-selling a product doesn’t feel a little sketchy to me. I polled this email list multiple times. Enough of you replied saying you would pay for this content.
Sales have never really been my thing. This process is all in an internet marketing playbook. I see it in action all of the time and for the most part, never bite. Being on the other end of it is a strange feeling.
So… I created a platform to support the content and deploy the resources and enough of you who said you wanted it put your money where your mouse is. I sincerely appreciate that. Beyond words.
I’ve updated the Course landing page with more value proposition information and a video better describing the content.
Like Schrodinger's Cat, the course exists. The question of whether there is quality content or not, or any content for that matter won’t be determined until the course is observed.
Because you’ve supported it, I’m full-throttle in the polishing of the content. To make sure I get the course to you promptly, I’m going to place my perfectionistic tendencies (which lead to procrastination) to the side and focus on iterating over time.
If at any time you feel like the value isn’t there or you are tired of waiting, I understand and would be more than happy to refund your purchase.
To show my continued appreciation for your support, pre-sale purchasers will get free access to a walk-through of how to deploy the AWS OIDC IAM Role/IDP pair required for the GitLab-CI automation I wrote about and demoed in this previous issue, as well as the identical process to deploy the OIDC IAM Role/IDP pair that supports deploying AWS resources from GitHub Actions workflows.