FMI-Test/AWS-SCP

SCP definitions for GR2.0

Quick Start & SCP Propagation Manual

  1. Quick Start & SCP Propagation Manual.
  2. Box / CT Cloud CORP2BU / Aero-GR-Exit / GR2-CT-SCP-Propagation.pdf.
  3. Box / CT Cloud CORP2BU / Aero-GR-Exit/ GR2-CT-SCP-Propagation.docx.

Initialize for Org with SCP

Using SCP Propagation for one or more AWS Organizations that already have SCPs requires creating the mapping and downloading the SCPs from AWS Organizations, using a profile that has the required read access permissions.

This assumes the bash & python files are already executable (chmod +x <path to py or sh file>).

  1. Create a new branch.
  2. In the new branch delete the mapping/ files.
  3. In the new branch delete the SCP/ files.
  4. With the AWS profile for the target AWS Organization run src/get-org-data.py --backup.
    • Get Org Data creates the mapping in the mapping folder & the SCPs in the SCP folder for the given AWS profile.
  5. Repeat #4 for other Organizations, if any, to get their mapping & SCPs.

Note
The mapping file format is mapping/<ORG_ACCOUNT_ALIAS>.yml. The SCP file format is SCP/<SCP_NAME>.scp.yml.

Note
The assumption is that SCPs with the same name are shared SCPs with the same content. If you need a different SCP version for SCP-A, then create multiple versions, each used by its own organization. You can update the SCP name before creating the mapping in all organizations.

Note
Different SCP versions can be implemented as SCP-...-Org-A and SCP-...-Org-B; this way the mapping for Org-A uses SCP/SCP-...-Org-A.scp.yml and the mapping for Org-B uses SCP/SCP-...-Org-B.scp.yml.

IAM Access Analyzer for SCP

To sanity check and validate SCPs, run src/chk-scp-access-analyzer.py --mapping-file mapping/<mapping-file.yml>. It prints an analysis report in the terminal and writes CSV & JSON reports with references and, where applicable, instructions on how to add a finding to the exceptions.

Add Exception for SCP Finding

After carefully reviewing the IAM Access Analyzer findings, if any, you can use the steps below to add an exception for a specific finding in a specific SCP. It is best practice and recommended to fix all errors, and to consider each warning before deciding whether you want to keep any exceptions.

# You need to have jq & yq installed via pip

# Read Exceptions in YAML Format
jq '. | map({SCP: .SCP, exceptions: .exceptions})' /tmp/scp/chk-scp-access-analyzer.json | yq . -y

# Assume below output
- SCP: protect-gr-infrastructure
  exceptions:
    exception1:
      - value: Statement
      - index: 7
      - value: Action
      - index: 0
    exception2:
      - value: Statement
      - index: 7
      - value: Condition
      - value: StringLike
      - key: aws:ResourceTag/Name

# Create src/exception/protect-gr-infrastructure.yml
# Format is src/exception/<SCP>.yml
# Copy exceptions to the exception file - content below
# File: src/exception/protect-gr-infrastructure.yml
# Content:
exception1:
    - value: Statement
    - index: 7
    - value: Action
    - index: 0
exception2:
    - value: Statement
    - index: 7
    - value: Condition
    - value: StringLike
    - key: aws:ResourceTag/Name
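As an added example (not part of this repository's code), the same extraction done in Python without jq/yq. It assumes the JSON report is a list of objects with "SCP" and "exceptions" keys, as the jq filter above implies, and that each exception is an Access Analyzer finding location path (a list of value/index/key elements), so a new finding can be compared with the recorded exceptions before the src/exception/<SCP>.yml file is written.

```python
import json
from typing import Any

# Constructed sample of /tmp/scp/chk-scp-access-analyzer.json in the shape the
# jq filter above relies on: a list of {"SCP": ..., "exceptions": {...}} objects.
SAMPLE_REPORT = json.loads("""
[
  {"SCP": "protect-gr-infrastructure",
   "exceptions": {
     "exception1": [{"value": "Statement"}, {"index": 7},
                    {"value": "Action"}, {"index": 0}],
     "exception2": [{"value": "Statement"}, {"index": 7}, {"value": "Condition"},
                    {"value": "StringLike"}, {"key": "aws:ResourceTag/Name"}]
   }}
]
""")


def exceptions_for_scp(report: list[dict[str, Any]], scp: str) -> dict[str, list[dict]]:
    """Return the named exception paths recorded for one SCP (empty if none)."""
    for entry in report:
        if entry.get("SCP") == scp:
            return entry.get("exceptions", {})
    return {}


def render_exception_yaml(exceptions: dict[str, list[dict]]) -> str:
    """Emit the src/exception/<SCP>.yml layout shown above (no PyYAML needed).

    Every path element is a single-key mapping, so it is written as '- key: value'.
    """
    lines = []
    for name, path in exceptions.items():
        lines.append(f"{name}:")
        for element in path:
            (key, value), = element.items()
            lines.append(f"    - {key}: {value}")
    return "\n".join(lines) + "\n"


def finding_is_excepted(finding_path: list[dict], exceptions: dict[str, list[dict]]) -> bool:
    """True when a finding's location path equals one of the recorded exception paths.

    The path is the Access Analyzer location path: {"value"} steps into a JSON
    object member, {"index"} into a list element, {"key"} names a map key.
    """
    return any(finding_path == path for path in exceptions.values())
```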

OU Structure

OU

Concepts

Denying actions to all but named list of principals

Using the aws:PrincipalArn condition key, we can deny actions to all principals except for a named list of principals (patterns are supported using the StringNotLike comparison operator), such as the Guardrails team and the super admin role:

"Condition": {
    "StringNotLike": {
        "aws:PrincipalArn": [
            "arn:*:iam::*:role/cs/p-engineering",
            "arn:*:iam::*:role/cs/p-platformadmin",
            "arn:*:iam::*:role/cs/super-admin-to-gov-gecc"
        ]
    }
}

Apply actions only if the tag has a value

Using the Null comparison operator with the aws:ResourceTag condition key (the snippet below uses the global key; the EC2-specific ec2:ResourceTag key works the same way for EC2 resources), we can prevent users from modifying any EC2 resource that has a specific tag key, regardless of the tag value:

"Condition": {
  "Null": {
      "aws:ResourceTag/Guardrails": "false"
  }
}
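As an added example (not code from this repository), a small evaluator for the two condition operators above, applied to a constructed Deny statement that combines both snippets: EC2 changes on Guardrails-tagged resources are denied for every principal except the three named roles. The role ARN patterns and the tag key are taken from the snippets; the ec2:* action list is an assumption for illustration.

```python
import re

# Constructed Deny statement combining the two Condition snippets above.
# The ARN patterns and the Null condition are from the page; "ec2:*" is assumed.
DENY_STATEMENT = {
    "Effect": "Deny",
    "Action": ["ec2:*"],
    "Resource": "*",
    "Condition": {
        "StringNotLike": {
            "aws:PrincipalArn": [
                "arn:*:iam::*:role/cs/p-engineering",
                "arn:*:iam::*:role/cs/p-platformadmin",
                "arn:*:iam::*:role/cs/super-admin-to-gov-gecc",
            ]
        },
        "Null": {"aws:ResourceTag/Guardrails": "false"},
    },
}


def _like(pattern: str, value: str) -> bool:
    """IAM string matching: '*' matches any run, '?' one character, rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def string_not_like(patterns: list[str], value: str) -> bool:
    """StringNotLike is true only when the value matches none of the patterns."""
    return not any(_like(p, value) for p in patterns)


def null_check(expected: str, key_present: bool) -> bool:
    """Null: "true" matches when the key is absent, "false" when it is present."""
    return (expected == "true") != key_present


def deny_applies(statement: dict, principal_arn: str, resource_tags: dict[str, str]) -> bool:
    """Evaluate the Deny's Condition block; every operator block must be true."""
    cond = statement["Condition"]
    for key, patterns in cond.get("StringNotLike", {}).items():
        if key != "aws:PrincipalArn":
            raise ValueError(f"unsupported condition key {key}")  # only the page's key is modelled
        if not string_not_like(patterns, principal_arn):
            return False  # principal is on the allow list, Deny does not match
    for key, expected in cond.get("Null", {}).items():
        tag = key.removeprefix("aws:ResourceTag/")
        if not null_check(expected, tag in resource_tags):
            return False  # resource lacks the tag key, Deny does not match
    return True
```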

Purpose

This repository contains all SCPs defined for GE Aerospace. The SCPs are applied automatically upon merging a PR to master, based on the configurations in the mapping folder.

Please refer to the SCP folder for the list of all SCPs in YAML format.

Legacy

The legacy SCP git repo is now read-only.

Please submit any PRs for changes here.

There is still useful information in the legacy repo about the overall structure, albeit somewhat dated; for example, it still contains references to the 'managed' OUs.

Current state

Please refer to the current state folder for a weekly dump of the content of the orgs.

SCP Propagation Automation

Pushing updates to master or opening a PR against master triggers a GitHub Action that executes the sanity check, uses Access Analyzer to validate the updated SCPs, and deploys them upon PR merge.

SCP Propagation Automation Improvements

  1. Environment Variable & Runner

    • Update --version & which for aws, python, python3, pip, pip3, aws.
    • Check & report Environment Variables.
    • Add Account ID & Name to Environment Variables report.
    • TODO: Fix role name svc/scp-policy-app-role for Dev or add isDev logic.
    • Dev role_name is scp-policy-app-role
    • Prod role_name is svc/scp-policy-app-role
    • Verify which variables need to be exported and which are exported already.
    • Streamline setup and validation.
  2. Development & Code

    • Add Description to SCP Policies
    • New Tags to filter & find Aero GRE Update & TODO. See below for grep example.
    • Improve and add context to SCP Access Analyzer reports.
  3. Local Check & Control and Testing

    • Check that all mapped SCPs exist locally.
    • Import missing mapped SCPs.
    • Check all SCP by Access Analyzer.

Important Notes

Note
An unused SCP will be deleted from the target Org but stays in the repo.

Note
Detaching an SCP from all OUs deletes the SCP from the Org, but the SCP still exists in the repo.

Note
Deleting an in-use SCP from the repo will not detach & delete it from the Org and will cause issues.

Note
A failed action should be fully reverted, fixed and tried again; otherwise, on the next push, since the changes were already pushed, the diff would be empty for the previously changed mappings & SCPs, causing confusion, failure and a root cause that is hard to trace.

Test Scenarios - What to Do

  1. ✅ Aero GRE Env Info + AWS CLI.
  2. ✅ Push update & validate Environment Variables report.
  3. ✅ Rename src/exceptions/*.yml to test the Full Analysis Report. Revert the change.
    • ✅ Rerunning with the same error is a false positive, since the error was already pushed and the new push has no change to validate.
    • ✅ Later, when the SCP with the error is updated, the error shows itself; it was caused by past changes, not the latest one.
  4. ✅ Validate all SCPs. Revert the change. See Testing / a. Validate all SCPs.
  5. ✅ Test SCP Detach. If the SCP is in use just detach it; if unused, delete it from the Org.
  6. ✅ Process SCP Mappings against Org in-use SCP to find missing local SCPs.
  7. ✅ Import missing Local SCPs from Org.
  8. ✅ Test SCP Actions
    • ✅ Test SCP Attach. Add an existing SCP to an OU.
    • ✅ Test SCP Create. Propagate new SCP.
    • ✅ Test SCP Delete. Propagate unused SCP deletion.
    • ✅ Test SCP Delete but keep it in mapping. Propagation won't fail!
    • ✅ Test SCP Delete. Remove in-use SCP from mapping and delete or rename it.
    • ✅ Test SCP Limit. Attach more than 5 SCP to an OU. Should Fail!

Test Scenarios - What Not to Do

  1. ❌ An unused invalid SCP (with findings or over the size limit) generates an error if updated, since it is included in the diff result. Clean up/fix unused SCPs.
  2. ❌ A non-existent OU or OU structure will not be created or deleted; in these cases create/delete OUs appropriately.
  3. ❌ Do not push changes without sanity check and full IAM Access Analyzer execution & review.

Execution Snippets

# Tree list of the bin & src directories
tree bin src -I __pycache__

# Process Local SCP from Mapping & Sync with Org
bin/chk-scp-sync.sh mapping/cc-architecture-001.yml

# ETL SCP from json to YAML Format - Used for AWS Output
src/chk-scp-json2yaml.py

# Runs AWS Access Analyzer for SCPs Used in the Mapping or All SCPs
src/chk-scp-access-analyzer.py --mapping-file mapping/cc-architecture-001.yml

# List Test SCP Updates in SCP
grep -In ': Test SCP.*' SCP/*.scp.yml

# List Fix Findings in SCP
grep -In '[#|:] Fix Findings.*' SCP/*.scp.yml

# List SCP Test in SCP & Mappings
grep -In '# SCP Test.*' SCP/*.scp.yml mapping/*.yml

# List SCP
ls -1 SCP/*.scp.yml

# List SCP in Mapping
grep '\- ' mapping/cc-architecture-001.yml | sort -u

# List OU in Mapping
grep '^/.*' mapping/cc-architecture-001.yml | tr -d ':' | sort -u
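As an added example (not one of the repository's scripts), the "Local Check & Control" items done in Python: parse a mapping file, report mapped SCPs with no local SCP/<name>.scp.yml, and flag OUs that would exceed the 5-SCP attachment limit the "Test SCP Limit" scenario expects to fail. The mapping layout (an OU path key ending in ':' followed by a '- ' list of SCP names) is assumed from the two grep snippets above, and the sample mapping is constructed.

```python
from pathlib import Path

# Constructed mapping text in the layout the grep snippets above rely on (assumed):
# an OU path key ending in ':' followed by a '- ' list of SCP names.
SAMPLE_MAPPING = """\
/Root:
  - protect-gr-infrastructure
/Root/Workloads:
  - protect-gr-infrastructure
  - scp-a
  - scp-b
  - scp-c
  - scp-d
  - scp-e
"""

MAX_SCPS_PER_OU = 5  # the limit the "Test SCP Limit" scenario above expects to fail


def parse_mapping(text: str) -> dict[str, list[str]]:
    """Return {OU path: [SCP names]} from mapping text; reject lines of unknown shape."""
    mapping: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/") and line.endswith(":"):
            current = line[:-1]
            mapping[current] = []
        elif line.startswith("- ") and current is not None:
            mapping[current].append(line[2:].strip())
        else:
            raise ValueError(f"unexpected mapping line: {raw!r}")
    return mapping


def missing_local_scps(mapping: dict[str, list[str]], local_names: set[str]) -> set[str]:
    """SCP names referenced by the mapping that have no SCP/<name>.scp.yml locally."""
    return {scp for scps in mapping.values() for scp in scps} - local_names


def over_limit_ous(mapping: dict[str, list[str]]) -> dict[str, int]:
    """OUs whose SCP count would exceed the per-OU attachment limit on propagation."""
    return {ou: len(scps) for ou, scps in mapping.items() if len(scps) > MAX_SCPS_PER_OU}


def local_scp_names(scp_dir: str = "SCP") -> set[str]:
    """SCP names derived from SCP/*.scp.yml, the naming convention used in this repo."""
    return {p.name[: -len(".scp.yml")] for p in Path(scp_dir).glob("*.scp.yml")}
```

Pass local_scp_names() as the second argument of missing_local_scps when running from the repo root.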

Initialize A Repo & Import Org Data

If you already have an organization with a proper role that has the required read permissions, you can export the mapping and all SCPs to bootstrap the repo, then set up the workflow and GitHub Action to manage the SCPs by PR.

Note
Bash & Python files have a shebang line, and if you make them executable with chmod +x <file_path> you can use the commands below as written. Alternatively, call the Python scripts with python <path_to_script.py> or the bash scripts with bash <path_to_script.sh>; if your python3 is not python, use python3 <path_to_script.py>.

Make sure config.yml is updated with ACCOUNT_ALIAS: 'ACCOUNT_ID' entries in YAML format. Note that ACCOUNT_ID should be quoted, since a 12-digit AWS account ID may have leading zeros.

# Export SCP & Mapping file from an AWS Organization
# 1. Help
src/get-org-data.py --help

# 2. Export Mapping & SCP - if you already have a mapping for the same AWS Org, delete it first; the export replaces it with the current Org mapping
src/get-org-data.py --backup

# You can export AWS_PROFILE beforehand or call the script with the desired profile inline, as below
AWS_PROFILE=<MY_ORG_PROFILE> src/get-org-data.py --backup

GitHub Runner

To Do: Upgrade the GitHub Runner to Python 3.11 (support until October 2027; AWS SDK support until April 2028). See AWS Developer Tools Blog / Python support policy updates for AWS SDKs and Tools.
To Do: Upgrade to AWS CLI V2. See Installing or updating to the latest version of the AWS CLI.
To Do: Upgrade to actions/checkout@v4 and node 20. See GitHub Actions / Checkout V4.

GitHub Runner Configuration

Note
Without a self-hosted runner, .github/workflows/master.yml will time out and will not be executed. Also, Actions must be enabled in the repo configuration.

  1. Create a self-hosted runner (EC2 or Lambda).
  2. Update the CloudFormation files ...
  3. Update the repo configuration to use the created self-hosted runner.

About

AWS Service Control Policy Management
