Adding deployment role parameter and restricting s3:GetObject to the deployment role

andywick-aws · andywick-aws · commit 85fb0b46b047 · 2021-08-26T14:20:56.000-05:00
diff --git a/extras/aws-control-tower/prerequisites/prereq-lambda-s3-bucket.yaml b/extras/aws-control-tower/prerequisites/prereq-lambda-s3-bucket.yaml
@@ -10,7 +10,14 @@ Parameters:
     Default: lambda-zips
     Description: S3 bucket name prefix for the Lambda zip files. The account and region are added to the prefix.
     Type: String
-  
+
+  pDeploymentRoleName:
+    AllowedPattern: '^[\w+=,.@-]{1,64}$'
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: AWSControlTowerExecution
+    Description: Role used to deploy resources within accounts and requires s3:GetObject access
+    Type: String
+
   pOrganizationId:
     AllowedPattern: '^o-[a-z0-9]{10,32}$'
     ConstraintDescription: >
@@ -61,18 +68,20 @@ Resources:
             Condition:
               StringEquals:
                 aws:PrincipalOrgID: !Ref pOrganizationId
+              ArnLike:
+                aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::*:${pDeploymentRoleName}
             Effect: Allow
             Principal: "*"
             Resource: !Sub arn:${AWS::Partition}:s3:::${rLambdaS3Bucket}/*
             Sid: AllowOrgGetObject
-          
+
           - Action: "s3:*"
             Condition:
               StringNotEquals:
                 aws:PrincipalOrgID: !Ref pOrganizationId
             Effect: Deny
             Principal: "*"
-            Resource: 
+            Resource:
               - !Sub arn:${AWS::Partition}:s3:::${rLambdaS3Bucket}
               - !Sub arn:${AWS::Partition}:s3:::${rLambdaS3Bucket}/*
             Sid: DenyExternalPrincipals
@@ -83,18 +92,18 @@ Resources:
                 "aws:SecureTransport": "false"
             Effect: Deny
             Principal: "*"
-            Resource: 
+            Resource:
               - !Sub arn:${AWS::Partition}:s3:::${rLambdaS3Bucket}
               - !Sub arn:${AWS::Partition}:s3:::${rLambdaS3Bucket}/*
             Sid: SecureTransport
 
 
   rS3BucketSSMParameter:
-    Type: AWS::SSM::Parameter 
+    Type: AWS::SSM::Parameter
     Properties:
       Description: Lambda zip file bucket
       Name: !Sub /org/primary/lambda_zips_bucket/${AWS::Region}
       Tags:
         cfct: managed-by-cfct
       Type: String
-      Value: !Ref rLambdaS3Bucket
+      Value: !Ref rLambdaS3Bucket
diff --git a/extras/lambda-s3-buckets.yaml b/extras/lambda-s3-buckets.yaml
@@ -15,11 +15,14 @@ Metadata:
           default: Bucket Attributes
         Parameters:
           - pBucketNamePrefix
+          - pDeploymentRoleName
           - pOrganizationId
 
     ParameterLabels:
       pBucketNamePrefix:
         default: Bucket Name Prefix
+      pDeploymentRoleName:
+        default: Deployment Role Name
       pOrganizationId:
         default: AWS Organization ID
 
@@ -33,6 +36,13 @@ Parameters:
     Description: S3 bucket name prefix for the Lambda zip files
     Type: String
 
+  pDeploymentRoleName:
+    AllowedPattern: '^[\w+=,.@-]{1,64}$'
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
+    Default: AWSControlTowerExecution
+    Description: Role used to deploy resources within accounts and requires s3:GetObject access
+    Type: String
+
   pOrganizationId:
     AllowedPattern: '^o-[a-z0-9]{10,32}$'
     ConstraintDescription: >
@@ -86,6 +96,8 @@ Resources:
             Condition:
               StringEquals:
                 aws:PrincipalOrgID: !Ref pOrganizationId
+              ArnLike:
+                aws:PrincipalArn: !Sub arn:${AWS::Partition}:iam::*:${pDeploymentRoleName}
             Effect: Allow
             Principal: "*"
             Resource: !Sub arn:${AWS::Partition}:s3:::${rLambdaS3Bucket}/*
@@ -124,9 +136,8 @@ Resources:
 #      ######################################################################
 #      Commented out to allow for modifications before deployment.
 #      CloudFormation doesn't allow dynamic tag keys here.
-#      Examples:
-#       aws-landing-zone: managed-by-aws-landing-zone
+#      Example:
 #       cfct: managed-by-cfct
 #      #######################################################################
-#      Tags:
-#        aws-landing-zone: managed-by-aws-landing-zone
+      Tags:
+        cfct: managed-by-cfct
