This repository accompanies the IAM Policy Tester Pipeline blogpost. It contains an example of a secure, cross-account, continous delivery CodePipeline. This pipeline demonstrates the unit testing of an IAM policy to validate permissions in different AWS Accounts.
The same resource, with the same IAM policy attached may not be able authorised for certain actions in an account. External policies, such as SCP's can limit the actions of a resource, despite the IAM policy associated with a resource.
Such conflicts can occur when crossing the boundry from development accounts to production-like accounts that contain further restrictions.
This pipeline demonstrates how this problem can be detected using iam policy simulator
to validate if an IAM policy and action is permitted within an account.
Clone the AWS Policy Tester Pipeline repository. From your terminal application, execute the following command:
git clone https://github.com/aws-samples/iam-policy-tester-pipeline
This creates a directory named iam-policy-tester-pipeline
in your current directory.
Follow the instructions here to create a CodeCommit repository in the Development Account. Name your repository as sample-lambda. Alternatively, from your terminal application, execute the following command.
aws codecommit create-repository --repository-name sample-lambda --repository-description "Sample Lambda Function"
Note the cloneUrlHttp
URL in the response from above CLI.
You may refer here on further details, in order to setup AWS Cli , if required.
From your terminal application, within the SampleLambda
directory, execute the following command:
git init && git remote add AWSCodeCommit HTTP_CLONE_URL_FROM_STEP_2
Follow the instructions here for local git setup required to push code to CodeCommit repository.
You need to specify the user, group, or role whose policies you want to include in the simulation. To do this, within the SampleLambda
directory, modify the value in scripts/source.txt
file.
From your terminal application, execute the following commands:
git add *
git commit -am "Initialise the SampleLambda repository"
git push AWSCodeCommit master
From your terminal application, back in the iam-policy-tester-pipeline
directory, execute the following command:
chmod +x single-click-cross-account-pipeline.sh && ./single-click-cross-account-pipeline.sh
This last step deploys the entire pipeline. It expects to receive the account numbers to which it will deploy the reference architecture. It creates Amazon S3 buckets for the build artifacts and encryption keys for secure cross-account communication, and sets up CodePipeline, CodeBuild, and CodeDeploy in the account structure described above. After this step, each update in the sample-lambda repository triggers an execution of the pipeline. You can manually release a change in the pipeline after deploying it to ensure it is working.
This sample code is made available under the Apache 2.0 License. See the LICENSE file.