SCP revert logic should be improved #1027
Description
Describe the bug
This is something in between a bug and feature.
In security-config.yaml we are using the SCP revert automation
scpRevertChangesConfig:
enable: true
This deploys a lambda etc that reverts SCP's if they are made manually. I looked through the code, and the logic is:
async function isChangeMadeByAccelerator(principalArn: string): Promise<boolean> {
console.log(`SCP modification performed by ${principalArn}`);
const principalArr = principalArn.split(':');
const principal = principalArr[principalArr.length - 1];
const roleNameArr = principal.split('/');
const roleName = roleNameArr[roleNameArr.length - 1];
if (roleName?.startsWith(acceleratorRolePrefix)) {
return true;
} else {
return false;
}
}
While this works, it also creates a simple way to revert changes without LZA reverting them. Using a principal named AWSAccelerator-* bypasses this check, and automation will see it as valid. I tested this only with AWS IAM Identity Center user, but in theory it should work with all principals.
Instead it should check for the ARN arn:aws:iam::*:role/AWSAccelerator-*.
To Reproduce
For IIC:
- Enable
scpRevertChangesConfig - Create an IIC user starting with AWSAccelerator
- Manually change a SCP
Expected behavior
It should check for the role ARN, not to easily circumvent this automation.
Please complete the following information about the solution:
- Version: v1.14.2
- Region: eu-north-1
- Was the solution modified from the version published on this repository?
- If the answer to the previous question was yes, are the changes available on GitHub?
- Have you checked your service quotas for the services this solution uses?
- Were there any errors in the CloudWatch Logs?