AWS Control Tower's default behavior in managed mode is to assign baseline IAM Identity Center Groups for AWS Control Tower to newly enrolled accounts. These group assignments are also reapplied when an account update is performed; for instance, when a new version of the landing zone is made available.
The default IAM Identity Center Groups for AWS Control Tower are rather permissive. For instance, the AWSControlTowerAdmins permission set assigns the AWSAdministratorAccess managed IAM policy to the IAM Role. This behavior goes against our policy of maintaining least privilege access to our AWS accounts.
We have created Cerberus to monitor events from the sso.amazonaws.com service. Cerberus, often referred to as the hound of Hades, is a multi-headed dog that guards the gates of the underworld to prevent the dead from leaving, or in this case, prevent CreateAccountAssignment of unauthorized (unwanted) default permission sets to AWS Control Tower managed accounts.
Instruction on how to deploy the application, Cerberus AWS SAM App.
Deployment steps:
- Deploy the Cerberus AWS SAM App in the Management or delegated administrator IAM Identity Center account
- Deploy the EventBrdige Rule in the Management account
- Reference the Output
EventBusArnfrom the Cerberus AWS SAM App deployed stack forCerberusEventBusArnparameter
- Reference the Output
Contributions are welcome! Please follow these steps:
- Fork the repository.
- Create a feature branch.
- Commit your changes.
- Submit a pull request.
This project uses black for code formatting. Run the following command to format your code:
black .This project is licensed under the MIT License.