#AWSControlTower
govindhtech · 21 days ago
IaC Generator To Import SCPs And RCPs Into CloudFormation
This post describes how to import the SCPs and RCPs that already exist in an AWS Organization into CloudFormation using the CloudFormation infrastructure as code (IaC) generator. AWS Organizations customers often create resource control policies (RCPs) and service control policies (SCPs) manually through the AWS Management Console or the AWS CLI.
As the organisation grows and policies accumulate, this manual process becomes onerous. It limits visibility into which SCPs and RCPs exist, what they target, and how efficiently they can be updated; without that visibility and without access controls, it is hard to track who is changing policies and how. CloudFormation simplifies policy management with rollback, policy validation through CloudFormation Hooks, and change history. Git sync can also keep stacks synchronised with templates in a Git repository, so you deploy, configure, and update CloudFormation stacks through pull requests with version tracking: when the deployment file or template changes, CloudFormation updates the stack.
CloudFormation IaC generator
This article shows how to import SCPs and RCPs into AWS CloudFormation templates using the CloudFormation IaC generator, which automates SCP and RCP administration at scale. Important: CloudFormation imports the existing policies; it does not recreate them.
Solution overview
This article provides a command-line tool that locates the SCPs and RCPs in your organisation and automates importing them into CloudFormation templates.
The end-to-end flow is shown in the figure:
1. Start the tool: the tool can be run from either the management account or the delegated administrator account, and it automates the following steps.
2. Identify the organisation's SCPs and RCPs: the tool first requests the policies from the Organizations API and counts the total number of SCPs and RCPs.
3. Identify AWS Control Tower SCPs and RCPs: the tool finds the SCPs and RCPs that AWS Control Tower manages and lists them. Control Tower SCPs are identified by policy names beginning with "aws-guardrails-", and Control Tower RCPs by policy names beginning with "AWSControlTower-Controls-".
4. Identify policies without targets: the tool lists SCPs and RCPs that are not attached to any account, root, or OU. These policies may be duplicates or candidates for reassignment.
5. IaC generator scan: you are asked whether to import the policies into CloudFormation templates using a resource scan. If you answer "yes", the tool uses the IaC generator to start a CloudFormation resource scan that retrieves each policy's name, targets, tags, and other attributes.
6. Build a template from the scanned policy resources: the tool creates CloudFormation templates from the policy resources. Policies without targets are also included in the template.
7. Review: after generation, preview the template in the CloudFormation IaC generator.
8. Create CloudFormation stacks from the templates: after review, import the templates into CloudFormation stacks to deploy them. Remember that the policies are imported, not rebuilt; the templates reflect the current policies and their attributes.
Considerations before applying the solution
Consider these factors before applying the solution.
- If you have enabled delegated administration for AWS Organizations policy management, run this solution from the delegated administrator account; otherwise, run it from the management account. Note: organisation policies should be handled by the delegated administrator member account.
- The CloudFormation templates will not import AWS Control Tower SCPs and RCPs (with or without targets), since those should be managed by AWS Control Tower. Changing AWS Control Tower resources outside of AWS Control Tower can cause drift and unintended effects.
- AWS managed policies such as the FullAWSAccess SCP and RCP cannot be imported into CloudFormation stacks.
- If the policies exceed the CloudFormation template size limits, several templates are produced. The tool automatically splits the content across multiple templates as needed, so the quotas are met and the content can still be imported.
- The generated templates automatically set two resource attributes: DeletionPolicy: Retain, so that the policies remain even if the stack is deleted, and UpdateReplacePolicy: Delete, so that when an update replaces a policy the old physical ID can be removed.
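The classification the tool performs in the solution overview (Control Tower prefixes, AWS managed policies, policies without targets) and the two attributes the generated templates set, worked through as an added example that is not the tool's own code. The policy and target records are constructed inline in the shape of Organizations list_policies and list_targets_for_policy responses; a real run would fetch them with boto3 and fill in each policy's Content from describe_policy.

```python
# Added example (not the article's tool): classify SCPs/RCPs as the tool reports
# them, then build the CloudFormation resources such an import would carry.
CT_SCP_PREFIX = "aws-guardrails-"            # AWS Control Tower SCP name prefix
CT_RCP_PREFIX = "AWSControlTower-Controls-"  # AWS Control Tower RCP name prefix

SAMPLE_POLICIES = [  # constructed sample: (policy summary, attached targets)
    ({"Id": "p-aaaa1111", "Name": "deny-root-user", "Type": "SERVICE_CONTROL_POLICY",
      "AwsManaged": False}, [{"TargetId": "r-abcd", "Type": "ROOT"}]),
    ({"Id": "p-bbbb2222", "Name": "aws-guardrails-example", "Type": "SERVICE_CONTROL_POLICY",
      "AwsManaged": False}, [{"TargetId": "ou-abcd-11111111", "Type": "ORGANIZATIONAL_UNIT"}]),
    ({"Id": "p-cccc3333", "Name": "AWSControlTower-Controls-example",
      "Type": "RESOURCE_CONTROL_POLICY", "AwsManaged": False},
     [{"TargetId": "ou-abcd-22222222", "Type": "ORGANIZATIONAL_UNIT"}]),
    ({"Id": "p-dddd4444", "Name": "orphaned-s3-rcp", "Type": "RESOURCE_CONTROL_POLICY",
      "AwsManaged": False}, []),
    ({"Id": "p-FullAWSAccess", "Name": "FullAWSAccess", "Type": "SERVICE_CONTROL_POLICY",
      "AwsManaged": True}, [{"TargetId": "r-abcd", "Type": "ROOT"}]),
]

def classify(policies):
    """Return policy Ids grouped the way the article's tool reports them."""
    out = {"importable": [], "control_tower": [], "aws_managed": [], "no_targets": []}
    for summary, targets in policies:
        pid, name = summary["Id"], summary["Name"]
        if summary.get("AwsManaged"):
            out["aws_managed"].append(pid)     # cannot be imported into a stack
        elif name.startswith((CT_SCP_PREFIX, CT_RCP_PREFIX)):
            out["control_tower"].append(pid)   # leave to Control Tower to avoid drift
        else:
            out["importable"].append(pid)
            if not targets:
                out["no_targets"].append(pid)  # still imported, but flagged for review
    return out

def template_resources(policies, importable_ids):
    """Resources section for importable policies, with the attributes generated templates set."""
    resources = {}
    for summary, targets in policies:
        if summary["Id"] not in importable_ids:
            continue
        resources["Policy" + summary["Id"].replace("-", "")] = {
            "Type": "AWS::Organizations::Policy",
            "DeletionPolicy": "Retain",        # policy survives stack deletion
            "UpdateReplacePolicy": "Delete",   # old physical ID may be deleted on replacement
            "Properties": {"Name": summary["Name"], "Type": summary["Type"],
                           "TargetIds": [t["TargetId"] for t in targets]},
        }
    return resources
```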
Recommended next steps
The figure shows two possible next steps.
After importing the policies into a CloudFormation stack, we recommend keeping the templates in a private Git repository. The tool creates a Policies folder in the current local directory and downloads the generated templates there; manage the imported policies from that folder with a continuous integration and delivery (CI/CD) pipeline. Version control in a Git repository gives you pull requests, branch management, and history tracking, which helps your team review, update, and apply policies with better collaboration and control. Set up a CI/CD pipeline to automate CloudFormation stack updates so that updates are regular and reliable. One suggestion is to add CloudFormation Hooks, which can validate the policies' syntax and security and reduce vulnerabilities before deployment.
Conclusion
By importing your AWS Organization's SCPs and RCPs into CloudFormation, you can manage and automate AWS governance efficiently. After import, you maintain and change policies in CloudFormation, giving organisation-wide consistency and version control. The tool also creates a Policies folder in your current directory containing the downloaded templates, which can serve as a central repository and feed a CI/CD pipeline. CloudFormation Hooks can test SCPs and RCPs against the policy language rules and best practices to further improve policy management. Centralising policy changes reduces misconfiguration and improves governance automation.