IaC Generator To Import SCPs And RCPs Into CloudFormation

How to import SCPs and RCPs from an existing AWS Organizations organization into CloudFormation templates using the CloudFormation infrastructure as code generator (IaC generator).

When setting up their environments, many AWS Organizations customers start by manually establishing and implementing resource control policies (RCPs) and service control policies (SCPs) using the AWS Management Console or AWS Command Line Interface (AWS CLI).

However, this manual approach becomes laborious as the organisation grows and the number of policies rises. It can limit visibility into which SCPs and RCPs have been deployed and which targets they are attached to, and it makes updates harder to handle efficiently. Without clear visibility and appropriate access controls, it becomes difficult to track who is making changes and how.

CloudFormation can simplify the administration of your policies by providing rollback capabilities, policy validation via CloudFormation Hooks, and change history. Git sync can also be used to synchronise stacks with source code kept in a Git repository. Git sync allows you to deploy, configure, and update your CloudFormation stacks from a single location using pull requests and version tracking. CloudFormation automatically updates the stack whenever you change the deployment file or template.

CloudFormation infrastructure as a code generator (IaC generator)

In this article, we will learn how to use the CloudFormation infrastructure as code generator (IaC generator) to import pre-existing SCPs and RCPs into AWS CloudFormation templates. By using the IaC generator, you can automate the management of your SCPs and RCPs at scale.

Important: Policies are not recreated; only existing policies are imported into CloudFormation.


Solution overview

A command-line tool for identifying SCPs and RCPs within your organisation and automating policy import into CloudFormation templates is part of this post’s solution. The end-to-end flow is depicted in the following figure:

CloudFormation templates solution overview
Image Credit To AWS

The previous graphic depicts the end-to-end flow, which consists of:

  • Launch the tool: The utility can be run from either the management account or the delegated administrator account; it automates the following steps.
    • Identify the organization’s SCPs and RCPs: The tool first calls the Organizations API to retrieve the policies in your environment, then counts the total number of SCPs and RCPs present.
    • Identify AWS Control Tower SCPs and RCPs, and policies without targets:
      • AWS Control Tower SCPs and RCPs: The tool looks for SCPs and RCPs created by AWS Control Tower and lists them in its output. Control Tower SCPs are identified by the prefix “aws-guardrails-” in their policy names; Control Tower RCPs are identified by the prefix “AWS Control Tower-Controls-”.
      • Policies without targets: The tool also finds and lists SCPs and RCPs that are not attached to any root, organizational unit (OU), or account. These policies may be duplicates or may need to be reattached.
    • CloudFormation IaC generator scan: At this point, you are asked whether you want to use the CloudFormation resource scan to import the policies into CloudFormation templates. If you choose “yes,” the tool uses the IaC generator to start a CloudFormation resource scan that gathers information about the policies, such as the policy name, targets, and policy tags.
    • Create a template from the scanned policy resources: The utility uses the scanned policy resources to create a CloudFormation template. Policies without targets (if any) are included in the template.
  • Review procedure: It is advised that you use the IaC generator in the CloudFormation console to preview the template after it has been generated.
  • Use the generated templates to create CloudFormation stacks: Once the templates have been reviewed, import them into CloudFormation stacks to deploy them. Remember that policies are not recreated in CloudFormation; only existing policies are imported. The templates reflect the current policies and their attributes.
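The inventory stage described above (count the SCPs and RCPs, flag the AWS Control Tower managed ones by name prefix, and list policies with no targets) can be reproduced in a few dozen lines. The following is an added example, not the post’s tool or AWS code: the sample policies are constructed, and the `load_from_organizations` helper assumes a boto3 Organizations client whose `list_policies` and `list_targets_for_policy` paginators are used to fill the same `Policy` records from a live organization.

```python
from dataclasses import dataclass, field

# Name prefixes that, per the post, identify AWS Control Tower managed policies.
CT_SCP_PREFIX = "aws-guardrails-"
CT_RCP_PREFIX = "AWS Control Tower-Controls-"

SCP = "SERVICE_CONTROL_POLICY"
RCP = "RESOURCE_CONTROL_POLICY"


@dataclass
class Policy:
    """One Organizations policy and the root/OU/account IDs it is attached to."""
    policy_id: str
    name: str
    policy_type: str
    aws_managed: bool = False
    targets: list = field(default_factory=list)


# Constructed sample data standing in for a real organization's policies.
SAMPLE_POLICIES = [
    Policy("p-full", "FullAWSAccess", SCP, aws_managed=True, targets=["r-abcd"]),
    Policy("p-ct01", "aws-guardrails-abc123", SCP, targets=["ou-abcd-11111111"]),
    Policy("p-deny", "deny-leave-organization", SCP, targets=["r-abcd"]),
    Policy("p-old1", "legacy-region-lock", SCP),                        # no targets
    Policy("p-ctr1", "AWS Control Tower-Controls-xyz", RCP, targets=["ou-abcd-22222222"]),
    Policy("p-rcp1", "enforce-org-identity-perimeter", RCP),            # no targets
]


def is_control_tower_managed(policy: Policy) -> bool:
    """Control Tower SCPs and RCPs are recognised by name prefix only,
    and each prefix applies to its own policy type."""
    if policy.policy_type == SCP:
        return policy.name.startswith(CT_SCP_PREFIX)
    if policy.policy_type == RCP:
        return policy.name.startswith(CT_RCP_PREFIX)
    return False


def inventory(policies):
    """Return counts per policy type plus the Control Tower managed,
    AWS managed and targetless policy names, mirroring the tool's report."""
    report = {"counts": {SCP: 0, RCP: 0}, "control_tower": [],
              "aws_managed": [], "targetless": []}
    for p in policies:
        report["counts"][p.policy_type] = report["counts"].get(p.policy_type, 0) + 1
        if p.aws_managed:
            report["aws_managed"].append(p.name)
        if is_control_tower_managed(p):
            report["control_tower"].append(p.name)
        if not p.targets:
            report["targetless"].append(p.name)
    return report


def load_from_organizations(client):
    """Fetch live policies. `client` is assumed to be a boto3 Organizations
    client created in the management or delegated administrator account;
    both ListPolicies and ListTargetsForPolicy are paginated APIs."""
    policies = []
    for ptype in (SCP, RCP):
        for page in client.get_paginator("list_policies").paginate(Filter=ptype):
            for summary in page["Policies"]:
                targets = [
                    t["TargetId"]
                    for tpage in client.get_paginator("list_targets_for_policy")
                                       .paginate(PolicyId=summary["Id"])
                    for t in tpage["Targets"]
                ]
                policies.append(Policy(summary["Id"], summary["Name"], ptype,
                                       summary.get("AwsManaged", False), targets))
    return policies


if __name__ == "__main__":
    report = inventory(SAMPLE_POLICIES)
    print(f"SCPs: {report['counts'][SCP]}, RCPs: {report['counts'][RCP]}")
    print("Control Tower managed (left to Control Tower):", report["control_tower"])
    print("AWS managed (cannot be imported):", report["aws_managed"])
    print("No targets (review before import):", report["targetless"])
```

Running the script on the constructed data reports four SCPs and two RCPs, two Control Tower managed policies, one AWS managed policy and two policies with no targets. The prefix check is deliberately type-specific: an RCP named with the SCP prefix is not treated as Control Tower managed, which matches how the post describes the two prefixes.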


Consideration before implementing the solution

Before implementing the solution, there are a few things to consider.

  • You should use the delegated administrator account to run this solution if you have enabled the policy management delegation feature for AWS Organizations. If not, you can use the management account to run the solution.
    • Note: It is advised that a delegated administrator member account be given control over the organization’s policies.
  • AWS Control Tower SCPs and RCPs (with or without targets) will not be imported into the CloudFormation templates, since they should be managed with AWS Control Tower. Modifying AWS Control Tower resources outside of AWS Control Tower can cause drift and unpredictable effects on AWS Control Tower operation.
  • FullAWSAccess SCP and RCP: CloudFormation stacks do not permit the import of AWS managed resources, so the FullAWSAccess SCP and FullAWSAccess RCP, which are AWS managed policies, cannot be imported into CloudFormation.
  • If the imported policies exceed the CloudFormation template size quotas, the tool creates several CloudFormation templates. It automatically splits the content across multiple templates when needed, so generation stays within the quotas while everything is still imported.
  • Keep in mind that the following attributes are set automatically in the generated templates:
    • Deletion policy (DeletionPolicy): Retain. This keeps the policies in place even if the stack they belong to is deleted.
    • Update replace policy (UpdateReplacePolicy): Delete. This allows the physical ID linked to a policy to be removed when the policy is replaced during an update.
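To make the considerations above concrete, here is an added example (not the post’s tool or AWS code) that turns scanned policy records into import templates: it skips AWS managed and Control Tower managed policies, sets the two attributes just listed on every `AWS::Organizations::Policy` resource, keeps targetless policies, and splits the output across several templates when a quota would be exceeded. The sample policies are constructed; the 500-resource and 51,200-byte limits are the CloudFormation quotas assumed here and are parameters, so they can be adjusted.

```python
import json
import re

# CloudFormation quotas assumed here (adjust if your account differs):
# 500 resources per template, and a 51,200-byte body when the template is
# passed directly to the API rather than from S3.
MAX_RESOURCES = 500
MAX_BODY_BYTES = 51_200

# Prefixes that mark AWS Control Tower managed policies (from the post).
CONTROL_TOWER_PREFIXES = ("aws-guardrails-", "AWS Control Tower-Controls-")

# Constructed sample policies standing in for the IaC generator's scan results.
SAMPLE_POLICIES = [
    {"name": "FullAWSAccess", "type": "SERVICE_CONTROL_POLICY", "aws_managed": True,
     "targets": ["r-abcd"],
     "content": {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"name": "aws-guardrails-abc123", "type": "SERVICE_CONTROL_POLICY", "aws_managed": False,
     "targets": ["ou-abcd-11111111"],
     "content": {"Version": "2012-10-17", "Statement": []}},
    {"name": "deny-leave-organization", "type": "SERVICE_CONTROL_POLICY", "aws_managed": False,
     "targets": ["r-abcd"],
     "content": {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Deny", "Action": "organizations:LeaveOrganization",
                                "Resource": "*"}]}},
    {"name": "enforce-identity-perimeter", "type": "RESOURCE_CONTROL_POLICY", "aws_managed": False,
     "targets": [],   # targetless policies are still included in the template
     "content": {"Version": "2012-10-17", "Statement": []}},
]


def is_importable(policy):
    """AWS managed policies (FullAWSAccess) cannot be imported, and Control
    Tower managed ones are deliberately left to Control Tower."""
    return not policy["aws_managed"] and not policy["name"].startswith(CONTROL_TOWER_PREFIXES)


def logical_id(name, used):
    """CloudFormation logical IDs must be alphanumeric; keep them unique too."""
    base = re.sub(r"[^A-Za-z0-9]", "", name) or "Policy"
    lid, n = base, 1
    while lid in used:
        n += 1
        lid = f"{base}{n}"
    used.add(lid)
    return lid


def to_resource(policy):
    """One imported policy with the two attributes the post says the tool sets."""
    return {
        "Type": "AWS::Organizations::Policy",
        "DeletionPolicy": "Retain",          # deleting the stack keeps the policy
        "UpdateReplacePolicy": "Delete",     # a replaced physical ID is cleaned up
        "Properties": {
            "Name": policy["name"],
            "Type": policy["type"],
            "Content": policy["content"],
            "TargetIds": policy["targets"],
        },
    }


def new_template():
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {}}


def body_bytes(template):
    return len(json.dumps(template, indent=2).encode("utf-8"))


def build_templates(policies, max_resources=MAX_RESOURCES, max_body_bytes=MAX_BODY_BYTES):
    """Spread importable policies over as many templates as the quotas require."""
    templates, current, used = [], new_template(), set()
    for policy in policies:
        if not is_importable(policy):
            continue
        resource = to_resource(policy)
        lid = logical_id(policy["name"], used)
        trial = {**current, "Resources": {**current["Resources"], lid: resource}}
        if current["Resources"] and (len(trial["Resources"]) > max_resources
                                     or body_bytes(trial) > max_body_bytes):
            templates.append(current)            # close the full template
            current = new_template()
            trial = {**current, "Resources": {lid: resource}}
        current = trial
    if current["Resources"]:
        templates.append(current)
    return templates


def render(templates):
    """Map file names under the tool's Policies/ folder to JSON template bodies."""
    return {f"Policies/policies-{i + 1}.json": json.dumps(t, indent=2)
            for i, t in enumerate(templates)}


if __name__ == "__main__":
    for path, body in render(build_templates(SAMPLE_POLICIES)).items():
        print(path, len(body.encode("utf-8")), "bytes")
```

On the constructed data only two of the four policies are importable, so a single template is produced; lowering `max_resources` or `max_body_bytes` forces the split into several templates in the same way the post describes for large organizations. Each generated template is what you would then preview in the IaC generator before creating a stack from it.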


Recommended next steps

The following figure illustrates the two suggested next steps.

After importing the existing policies into a CloudFormation stack, it is recommended to keep your CloudFormation templates in a private Git repository. To manage the imported policies effectively, you can set up a continuous integration and delivery (CI/CD) pipeline that uses the Policies folder the tool automatically creates in the local directory where the generated templates were downloaded.

You can access version control capabilities like pull requests, branch management, and history tracking by utilising a Git repository. With improved cooperation and control, this method enables your team to review, update, and implement policies more effectively. To assist guarantee regular and dependable updates, you can also automate the deployment of changes to your CloudFormation stacks by setting up a CI/CD pipeline.

Another recommendation is to add CloudFormation Hooks to your environment. CloudFormation Hooks can validate policies against best practices, helping ensure they follow security best practices, minimise potential vulnerabilities, and use the correct syntax.

In conclusion

Importing your existing AWS Organizations service control policies (SCPs) and resource control policies (RCPs) into CloudFormation is an effective and scalable way to manage and automate your AWS governance. Once imported, you can manage and update policies directly in CloudFormation, helping ensure consistency and version control across your organisation. The tool also creates a Policies folder in your current directory that holds the downloaded templates, which can serve as a central repository and feed a continuous integration/continuous delivery (CI/CD) pipeline.

You may further enhance your policy management by using CloudFormation Hooks to validate SCPs and RCPs against policy grammar and best practices. By centralising your policy updates, this method lowers the possibility of misconfiguration while increasing automation and efficiency in governance.

Thota Nithya
Thota Nithya has been writing Cloud Computing articles for govindhtech from APR 2023. She was a science graduate. She was an enthusiast of cloud computing.