AWS Essentials Guardrails (2024)

Preventive guardrails

Preventive guardrails are protective measures that safeguard SoftwareOne's assets: they ensure adherence to specific partner performance indicators and keep certain business details confidential. They are implemented through a Permissions Boundary and a series of Service Control Policies (SCPs). SCPs are enforced across the entire AWS Organization and limit IAM actions in all member accounts. Because SCPs do not apply to the master account, a Permissions Boundary policy must be attached to every IAM principal in the AWS Master Payer Account. The SWOApplyPermissionsBoundaryLambda runs when Essentials is deployed and attaches the Permissions Boundary; it also runs whenever a new IAM User or IAM Role is created in the AWS Master Payer account, so that no principal is left without the boundary.
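The auto-attach mechanism described above, written out as an added example (this is not SoftwareOne's SWOApplyPermissionsBoundaryLambda): an EventBridge rule on CloudTrail's CreateUser/CreateRole records triggers a handler that puts the boundary on the new principal. The account id, policy name and the FakeIam stand-in are assumptions so the code runs offline; in a deployment the client would be boto3.client("iam").

```python
BOUNDARY_ARN = "arn:aws:iam::111111111111:policy/SWOMasterPermissionsBoundary"  # assumed

# EventBridge rule pattern that would trigger the handler (IAM is a global service,
# so these CloudTrail events are delivered in us-east-1).
RULE_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"],
               "eventName": ["CreateUser", "CreateRole"]},
}

def apply_boundary(event, iam):
    """Attach the boundary to the principal named in a CreateUser/CreateRole event.
    Returns (kind, name, attached); unrelated or failed API calls give (None, None, False)."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "iam.amazonaws.com" or detail.get("errorCode"):
        return (None, None, False)        # not IAM, or the create call itself failed
    params = detail.get("requestParameters") or {}
    if detail.get("eventName") == "CreateUser":
        iam.put_user_permissions_boundary(UserName=params["userName"],
                                          PermissionsBoundary=BOUNDARY_ARN)
        return ("user", params["userName"], True)
    if detail.get("eventName") == "CreateRole":
        iam.put_role_permissions_boundary(RoleName=params["roleName"],
                                          PermissionsBoundary=BOUNDARY_ARN)
        return ("role", params["roleName"], True)
    return (None, None, False)

class FakeIam:
    """Constructed stand-in for boto3's IAM client that records the calls made."""
    def __init__(self):
        self.calls = []
    def put_user_permissions_boundary(self, **kw):
        self.calls.append(("user", kw["UserName"], kw["PermissionsBoundary"]))
    def put_role_permissions_boundary(self, **kw):
        self.calls.append(("role", kw["RoleName"], kw["PermissionsBoundary"]))

# Constructed event, shaped like CloudTrail's CreateRole record as EventBridge delivers it.
SAMPLE_CREATE_ROLE = {
    "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
               "requestParameters": {"roleName": "DeployRole", "path": "/"}},
}

def lambda_handler(event, context=None, iam=None):
    """Lambda entry point; in a real deployment pass boto3.client('iam')."""
    return apply_boundary(event, iam or FakeIam())
```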

Permissions Boundary:

The "Master Permissions Boundary" policy is designed to restrict a range of actions in an AWS environment. Here's a comprehensive breakdown of the restrictions:

  1. Protecting Cost and Usage Reports:

    • Denies actions on AWS Cost and Usage Report (CUR) definitions (cur:*ReportDefinition).

    • Targets resources with names beginning with "SWO" or "swo" in the CUR service.

    • Excludes specified admin roles from these restrictions.

  2. Preventing Alteration of the Permissions Boundary Policy:

    • Denies any action related to policy management (iam:*Policy*) on the SWOMasterPermissionsBoundary policy itself.

    • Excludes specified admin roles from this restriction.

  3. Denying Removal of Permissions Boundaries:

    • Denies the deletion of permissions boundaries (iam:DeleteUserPermissionsBoundary, iam:DeleteRolePermissionsBoundary) applied to any user or role.

    • Applies specifically when the permissions boundary is SWOMasterPermissionsBoundary.

    • Excludes specified admin roles from this restriction.

  4. Restricting Application of Permissions Boundaries:

    • Denies the application of permissions boundaries (iam:PutUserPermissionsBoundary, iam:PutRolePermissionsBoundary) unless it's the SWOMasterPermissionsBoundary.

    • Applies to all IAM users and roles.

  5. Denying Modifications to SWO Roles and Policies:

    • Denies any action related to IAM policy and role management (iam:*Policy*, iam:*Role*) for resources with names beginning with "SWO" or "swo".

    • Excludes specified admin roles from this restriction.

  6. Restricting Changes to SWO CloudFormation Stacks:

    • Denies any action related to CloudFormation stacks (cloudformation:*Stack, cloudformation:UpdateTerminationProtection) for stacks with names beginning with "SWO" or "swo".

    • Excludes specified admin roles from this restriction.

  7. Preventing Modifications to SWO Lambda Functions:

    • Denies various Lambda function-related actions (lambda:*Function*, lambda:AddPermission, lambda:RemovePermission) for functions with names beginning with "SWO" or "swo".

    • Excludes specified admin roles from this restriction.

  8. Protecting SWO SNS Topics:

    • Denies actions that could modify or delete SNS topics (sns:DeleteTopic, sns:SetTopicAttributes, sns:AddPermission, sns:RemovePermission) with names beginning with "SWO" or "swo".

    • Excludes specified admin roles from this restriction.

  9. Restricting Organization's SCP Modifications:

    • Denies several actions related to AWS Organizations (organizations:RemoveAccountFromOrganization, organizations:UpdateOrganizationalUnit, etc.) on specific AWS Organizations resources.

    • Excludes specified admin roles from this restriction.

  10. Safeguarding SWO CloudTrail Logs:

    • Denies actions that could stop logging or delete CloudTrail trails (cloudtrail:StopLogging, cloudtrail:DeleteTrail) with names beginning with "SWO" or "swo".

    • Excludes specified admin roles from this restriction.

  11. Protecting SWO EventBridge Rules:

    • Denies any modification to EventBridge rules (events:*Rule) with names beginning with "SWO" or "swo".

    • Excludes specified admin roles from this restriction.

  12. Billing Console Access Restriction:

    • Denies access to various AWS Billing and Cost Management actions:

      • budgets:*Budget

      • ce:UpdatePreferences

      • ce:*Report

      • ce:*NotificationSubscription

      • cur:*

      • tax:*

      • billing:*

      • invoicing:*

      • consolidatedbilling:*

      • payments:*

      • account:*

    • Applies to all resources and excludes specified billing-related roles and admin roles.

  13. Support Console Access Restriction (only when Partner Led Support is used):

    • If enabled, denies access to AWS Support (support:*).

    • Applies to all resources and excludes specified support roles and admin roles.
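Statements 2 to 4 above are what make the boundary self-protecting, so here they are written out as policy statements together with a small evaluator that checks who is denied what. This is an added example, not the SWOMasterPermissionsBoundary document itself; the account id and the admin role list are assumptions, and the evaluator covers only the three condition operators these statements need.

```python
import fnmatch

ACCOUNT = "111111111111"  # assumed master payer account id (placeholder)
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/SWOMasterPermissionsBoundary"
ADMIN_ROLES = [f"arn:aws:iam::{ACCOUNT}:role/SWOAdminRole"]  # assumed exclusion list

def boundary_statements():
    """Statements 2 to 4 of the boundary as the text above describes them."""
    return [
        {   # 2: only the excluded admin roles may manage the boundary policy itself
            "Effect": "Deny", "Action": ["iam:*Policy*"], "Resource": [BOUNDARY_ARN],
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLES}},
        },
        {   # 3: the SWO boundary cannot be removed from a user or role that carries it
            "Effect": "Deny", "Resource": ["*"],
            "Action": ["iam:DeleteUserPermissionsBoundary", "iam:DeleteRolePermissionsBoundary"],
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN},
                          "ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLES}},
        },
        {   # 4: no other boundary may be put on anyone; note there is no admin exclusion
            "Effect": "Deny", "Resource": ["*"],
            "Action": ["iam:PutUserPermissionsBoundary", "iam:PutRolePermissionsBoundary"],
            "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
    ]

def _condition_holds(cond, ctx):
    """Three operators only; a missing key fails StringEquals but passes the negated ones, as in IAM."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if op == "StringEquals" and actual not in wanted:
                return False
            if op == "StringNotEquals" and actual in wanted:
                return False
            if op == "ArnNotLike" and actual is not None and any(
                    fnmatch.fnmatchcase(actual, w) for w in wanted):
                return False
    return True

def is_denied(action, resource, ctx, statements=None):
    """True when a Deny statement matches action, resource and context (case-sensitive here, unlike IAM)."""
    for st in statements or boundary_statements():
        if any(fnmatch.fnmatchcase(action, a) for a in st["Action"]) \
                and any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]) \
                and _condition_holds(st.get("Condition", {}), ctx):
            return True
    return False
```

The context dict stands for the request context IAM would build: aws:PrincipalArn is the caller, iam:PermissionsBoundary is the boundary being removed or applied.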

Service Control Policies

Service Control Policies (SCPs) are deployed within an AWS Organization using a Lambda function named "SWOScpDeployLambdaFunction." This function is designed to automate the deployment, updating, and deletion of SCPs as defined in the template. When the CloudFormation stack is executed, this Lambda function is triggered, and it uses the AWS Organizations API to manage the SCPs' lifecycle, ensuring that they are applied, modified, or removed as specified in the template.

Here is a detailed description of each SCP that the Lambda function manages:

  1. SWODenyLeaveOrganisationScp:

    • Preventing Departure from AWS Organization:

      • Denies the use of the organizations:LeaveOrganization API call.

      • Applies to all resources, ensuring organizational membership integrity.

  2. SWODenyAccessToModifySWORolesOrPoliciesScp:

    • Protecting SWO IAM Roles and Policies:

      • Denies any action related to IAM (iam:*) on SWO roles and policies (resources prefixed with "swo" or "SWO").

      • Excludes specified admin roles, like "SWOReadOnlyRole", "SWOSupportRole", and "SWOAdminRole", allowing them to manage these resources.

  3. SWODenyAccessToModifySWORolesOrPoliciesScpV2:

    • Securing SWO SysOps Roles:

      • Specifically denies IAM actions (iam:*) on SWO SysOps roles under the "swo/sysops/*" path.

      • Only allows roles within the "swo/sysops/*" path to manage these specific roles, enhancing security and operational control.

  4. SWORestrictAccessToSupportPortalScp (Conditional):

    • Restricting Access to AWS Support Portal:

      • Denies all actions within the AWS Support service (support:*) across all resources.

      • Activated when the IsPlesEnabled parameter is set to Enable.

      • Excludes specific roles like "SWOReadOnlyRole", "SWOSupportRole", and "SWOAdminRole", ensuring authorized access to AWS Support.

Detective guardrails

Detective guardrails monitor specific activities in the AWS Master Payer account and respond with actions such as sending email notifications through SNS (Simple Notification Service). Monitoring is done mainly with CloudTrail, which records events in the Northern Virginia (us-east-1) AWS region. By default, CloudTrail tracks activity across the whole organization and keeps the logs for 90 days in an S3 bucket; it can be customized to monitor only the Master Payer account.

The choice of the us-east-1 region is crucial because some AWS services only log their activities there. EventBridge Rules are used to identify and act on specific types of events.

Below is the list of implemented notifications:

  • Root login detection

  • SWO IAM Roles modification

  • SWO IAM Policies modification

  • SWO SNS Topics modification

  • SWO Service Control Policies

  • SWO Lambda functions modification

  • SWO CloudTrail modification (including "Stop/Start logging")
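Two of the rules above, root login detection and SWO CloudTrail modification, written as EventBridge event patterns and run over constructed CloudTrail events. This is an added example, not SoftwareOne's rule definitions: the rule names and pattern bodies are assumptions, the matcher implements only the subset of EventBridge semantics these patterns use, and the trail-name check assumes the API call named the trail rather than passing its ARN (an ARN would not satisfy the prefix test, so a deployment would also want an ARN form).

```python
ROOT_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"], "userIdentity": {"type": ["Root"]}},
}
SWO_TRAIL_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "StartLogging", "DeleteTrail", "UpdateTrail"],
        "requestParameters": {"name": [{"prefix": "SWO"}, {"prefix": "swo"}]},
    },
}
RULES = {"RootLoginDetection": ROOT_LOGIN_PATTERN,          # assumed rule names
         "SWOCloudTrailModification": SWO_TRAIL_PATTERN}

def _leaf_matches(alternative, value):
    if isinstance(alternative, dict):            # {"prefix": "..."} content filter
        return "prefix" in alternative and isinstance(value, str) \
            and value.startswith(alternative["prefix"])
    return alternative == value                  # exact literal

def matches(pattern, event):
    """Subset of EventBridge semantics: every pattern key must be present, nested
    objects recurse, and a leaf list matches if any alternative matches."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not matches(spec, event[key]):
                return False
        elif not any(_leaf_matches(alt, event[key]) for alt in spec):
            return False
    return True

def triage(event):
    """Names of the rules this event would fire (each maps to an SNS notification)."""
    return [name for name, pattern in RULES.items() if matches(pattern, event)]

# Constructed events in the shape CloudTrail delivers them to EventBridge.
ROOT_LOGIN = {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
              "detail": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
                         "responseElements": {"ConsoleLogin": "Success"}}}
USER_LOGIN = {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
              "detail": {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"}}}
STOP_SWO_TRAIL = {"source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
                  "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                             "requestParameters": {"name": "SWOOrganizationTrail"}}}
```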
