Skip to content

ran-isenberg/auto-cross-account-access-service

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.github
.github
 
 
.vscode
.vscode
 
 
catalog_backend
catalog_backend
 
 
cdk
cdk
 
 
demo
demo
 
 
docs
docs
 
 
tests
tests
 
 
.coveragerc
.coveragerc
 
 
.gitignore
.gitignore
 
 
.markdownlint.yaml
.markdownlint.yaml
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
app.py
app.py
 
 
cdk.context.json
cdk.context.json
 
 
cdk.json
cdk.json
 
 
mkdocs.yml
mkdocs.yml
 
 
mypy.ini
mypy.ini
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
poetry.lock
poetry.lock
 
 
poetry.toml
poetry.toml
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

Automating Service-to-Service IAM Authorization

Serverless Platform Engineering Example

license PythonSupport codecov version github-star-badge OpenSSF Scorecard issues

alt text

đź“śDocumentation | Blogs website

Contact details | [email protected]

Twitter Follow Website

This repository provides a sample implementation to showcase how to enforce governance policies through AWS Service Catalog, helping ensure compliance and efficient management of AWS resources while keeping a high level of visibility on deployed service across your organization.

AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.

Platform engineering teams can use this repository as a basis for their own organizational portfolio of security and governance solutions.

This repository contains a sample serverless Python based implementation for governance using AWS Service Catalog, Amazon SNS, SQS, DynamoDB, CloudWatch and Lambda.

It demonstrates how to create and manage service catalog portfolios and products, as well as enforce governance policies.

Another important feature is tracking provisioned products - a global DynamoDB table stores detailed information about provisioned products automatically, their versions, regions, and users, enhancing platform engineering visibility.

Two samples products are included:

  1. WAF rules
  2. IAM role for CI/CD pipelines

Prerequisites

  • AWS account with necessary permissions.
  • AWS CLI installed and configured.
  • Node.js and npm installed.
  • AWS CDK (Cloud Development Kit) installed.
  • AWS account after running the CDK bootstrap command in the designated region
  • Python 3.12 installed
  • Poetry
  • Docker

Setup

  1. Clone the repository 
    git clone https://github.com/ran-isenberg/auto-cross-account-access-service.git
cd auto-cross-account-access-service
  2. Setup environment
 poetry config --local virtualenvs.in-project true
 poetry shell
 poetry install
 make dev
  1. Deploy service catalog portfolio
 make deploy
  1. Share the portfolio with an account of your choice and provision a product. Refer to the documentation

Architecture

The solution architecture includes:

  • AWS Service Catalog for managing portfolios and products.
  • Global DynamoDB table for tracking provisioned products.
  • Custom resource for creating visibility entries
  • SNS topic and SQS queue
  • AWS Lambda for handling custom resource requests
  • AWS CloudWatch logs, metrics, traces (AWS X-Ray), alarms and dashboards for observability.

Step-by-Step Provisioned Product Deployment Flow

This section describes the step-by-step deployment flow for the architecture depicted in the diagram.

alt text

1. Provision Product by Admin

Step 1: The Admin initiates the provisioning of a product through the AWS Service Catalog service and the platform engineering portfolio.

  • Action: Admin provisions the product.
  • Outcome: The provisioning process starts for the selected product.

2. Create Stack

Step 2: The AWS Service Catalog triggers the creation of a CloudFormation stack for the provisioned product.

  • Action: AWS Service Catalog creates the CloudFormation stack.
  • Outcome: A new CloudFormation stack is created and ready to deploy resources.

3. Create Resources with CI/CD Pipeline Role

Step 3: The CI/CD pipeline role is used to create resources defined in the CloudFormation stack.

  • Action: Resources are created using the CI/CD pipeline role.
  • Outcome: The resources defined in the stack template are provisioned.

4. Custom Resource Execution

Step 4: The stack includes a custom resource that is executed during the stack creation process.

  • Action: The custom resource is created.
  • Outcome: Custom logic defined in the custom resource is triggered.

5. Publish Message with Product Details

Step 5: The custom resource publishes a message containing the provisioned product metadata to an Amazon SNS topic.

  • Action: Publish message to SNS.
  • Outcome: The message with necessary details is published to the SNS topic.

6. Send Message to SQS Queue

Step 6: The SNS topic forwards the message to an SQS queue in the Platform Engineering Service Catalog Account.

  • Action: SNS sends the message to the SQS queue.
  • Outcome: The message is queued for processing.

7. Handle Message with AWS Lambda

Step 7: An AWS Lambda function is triggered to handle the message from the SQS queue.

  • Action: Lambda function processes the message.
  • Outcome: The message is processed, and necessary actions are taken.

8. Add Provisioned Product Information to DynamoDB

Step 8: The Lambda function adds information about the provisioned product, including its version, region, and user details, to a global DynamoDB table for enhanced visibility.

  • Action: Add provisioned product information to DynamoDB.
  • Outcome: The global DynamoDB table is updated with the new product details.

Here's an example of two entries in the DynamoDB table after two products are provisioned. alt text

9. Release from Wait State and Finish Stack Deployment

Step 9: The stack is released from the wait state, and the deployment process is completed.

  • Action: Release stack from wait state.
  • Outcome: The CloudFormation stack deployment is finalized, and the provisioned product is ready for use.

Code Contributions

Code contributions are welcomed. Read this guide.

Code of Conduct

Read our code of conduct here.

Connect

License

This library is licensed under the MIT License. See the LICENSE file.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 2

  •  
  •  

Languages