Enhancing CI/CD Workflows: Integrating AWS Access Analyzer for IAM Security

Project Focus: Security + Automation

This project integrates cfn-policy-validator (the IAM Policy Validator for CloudFormation) into a CI/CD pipeline, so that every IAM and resource policy in a CloudFormation template is checked with AWS IAM Access Analyzer before the stack is deployed.

Core Intent

Automate IAM policy validation so that it runs in every deployment cycle rather than as an occasional review. When the validator reports a blocking finding, the build fails and the stack is not deployed: an overly permissive policy is caught before it exists in the account instead of being found by a later audit.

Link to the repo: https://github.com/TanishkaMarrott/Integrating-AWS-IAM-Access-Analyzer-in-a-CI-CD-Pipeline

Key Benefits

  • Simplicity: IAM policy review becomes a pipeline stage, not a separate manual step that someone has to remember to run.

  • Compliance: Every deployment is checked against the same Access Analyzer policy checks (policy grammar, security best practices, public and cross-account access), so the baseline is applied consistently.

  • Efficiency: Less manual review and fewer rollbacks, which makes deployments faster and more predictable.

  • Cost Optimization: Fixing a policy in a failed build is far cheaper than fixing it after it is live, which is the point of "shift-left security."

Why Not Call the Access Analyzer APIs Directly?

Challenges in Policy Validation:

  • Policies inside a template refer to resources through Ref, Fn::GetAtt and Fn::Sub, because the real ARNs (account ID, region, generated resource names) do not exist until the stack is deployed. For the same reason, authors often fall back to wildcards (*) in Resource elements, which is exactly the kind of over-permission the validation should catch.

  • The Access Analyzer APIs (ValidatePolicy, CreateAccessPreview) take a concrete policy document or resource configuration. They do not parse CloudFormation templates or resolve parameters and intrinsic functions, so the raw template cannot be submitted as-is, and running the APIs against deployed resources only finds problems after the policy is already live.

Solution: Integrating CFN Policy Validator into the CI/CD Pipeline

At AWS re:Inforce 2022, I discovered the IAM Policy Validator for CloudFormation. This command-line tool:

  • Parses CloudFormation templates and extracts the IAM identity policies, trust policies and resource policies they contain.

  • Resolves CloudFormation-specific elements such as pseudo-parameters (AWS::AccountId, AWS::Region, AWS::Partition) and intrinsic functions (Ref, Fn::GetAtt, Fn::Sub), and accepts template parameter values on the command line.

  • Sends the resolved policies to the Access Analyzer APIs: ValidatePolicy for policy grammar and security best-practice checks, and CreateAccessPreview to detect public or cross-account access on resource policies.

How it Works:

  • Replaces Ref, Fn::GetAtt, Fn::Sub and pseudo-parameters with placeholder values whose ARN structure matches the referenced resource type, so the resulting policy document has the same shape as the one that will be deployed.

  • The exact identifiers do not matter for validation: the checks reason about which actions are allowed on which kinds of resources and principals, so a placeholder account ID or bucket name produces the same findings as the real one.
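The following Python block is an added illustration of the two points above; it is not the cfn-policy-validator source. It takes a constructed template whose role policy uses Fn::Sub, Fn::GetAtt and pseudo-parameters, shows that the raw PolicyDocument is not something ValidatePolicy can accept, and substitutes structurally correct placeholder ARNs to obtain a policy that is. The template, the placeholder values and the per-type ARN formats are assumptions made for this example; the real tool covers many more resource types and attributes.

```python
"""Added illustration, not the cfn-policy-validator source code.

Placeholder pseudo-parameter values and the ARN formats below are assumptions
chosen so the resolved policy keeps the correct ARN structure.
"""
import json
import re

# Constructed sample template: an IAM role whose inline policy references two
# other resources and three pseudo-parameters through intrinsic functions.
TEMPLATE = {
    "Resources": {
        "DataBucket": {"Type": "AWS::S3::Bucket"},
        "WorkerQueue": {"Type": "AWS::SQS::Queue"},
        "WorkerRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{
                "PolicyName": "worker",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Effect": "Allow", "Action": "s3:GetObject",
                         "Resource": {"Fn::Sub": "${DataBucket.Arn}/*"}},
                        {"Effect": "Allow", "Action": "sqs:SendMessage",
                         "Resource": {"Fn::GetAtt": ["WorkerQueue", "Arn"]}},
                        {"Effect": "Allow", "Action": "logs:CreateLogStream",
                         "Resource": {"Fn::Sub": "arn:${AWS::Partition}:logs:"
                                      "${AWS::Region}:${AWS::AccountId}:log-group:/app/*"}},
                    ],
                },
            }]},
        },
    },
}

# Placeholder pseudo-parameter values (assumption: any syntactically valid value
# works, because the checks reason about actions and resource types, not real IDs).
PSEUDO = {"AWS::Partition": "aws", "AWS::Region": "us-east-1", "AWS::AccountId": "123456789012"}

# ARN shape per resource type and attribute; only the types in the sample are covered.
ARN_FORMATS = {
    "AWS::S3::Bucket": {"Arn": "arn:{partition}:s3:::{name}", "Ref": "{name}"},
    "AWS::SQS::Queue": {"Arn": "arn:{partition}:sqs:{region}:{account}:{name}",
                        "Ref": "https://sqs.{region}.amazonaws.com/{account}/{name}"},
}


def placeholder(template, logical_id, attr):
    """Placeholder for Ref / GetAtt on a template resource, with the right ARN structure."""
    rtype = template["Resources"][logical_id]["Type"]
    return ARN_FORMATS[rtype][attr].format(
        partition=PSEUDO["AWS::Partition"], region=PSEUDO["AWS::Region"],
        account=PSEUDO["AWS::AccountId"], name=logical_id.lower())


def resolve(node, template):
    """Recursively replace Ref, Fn::GetAtt and Fn::Sub with placeholder strings."""
    if isinstance(node, list):
        return [resolve(item, template) for item in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        ref = node["Ref"]
        return PSEUDO[ref] if ref in PSEUDO else placeholder(template, ref, "Ref")
    if "Fn::GetAtt" in node:
        logical_id, attr = node["Fn::GetAtt"]
        return placeholder(template, logical_id, attr)
    if "Fn::Sub" in node:
        # Both forms: "string" and ["string", {extra variables}]
        text, extra = (node["Fn::Sub"], {}) if isinstance(node["Fn::Sub"], str) else node["Fn::Sub"]

        def substitute(match):
            name = match.group(1)
            if name in extra:
                return str(resolve(extra[name], template))
            if name in PSEUDO:
                return PSEUDO[name]
            if "." in name:  # ${Logical.Attribute} is GetAtt inside a Sub
                logical_id, attr = name.split(".", 1)
                return placeholder(template, logical_id, attr)
            return placeholder(template, name, "Ref")

        return re.sub(r"\$\{([^}]+)\}", substitute, text)
    return {key: resolve(value, template) for key, value in node.items()}


def resolved_policies(template):
    """Map 'Role/PolicyName' to a concrete PolicyDocument for every inline role policy."""
    out = {}
    for logical_id, resource in template["Resources"].items():
        if resource["Type"] != "AWS::IAM::Role":
            continue
        for policy in resource.get("Properties", {}).get("Policies", []):
            out[f"{logical_id}/{policy['PolicyName']}"] = resolve(policy["PolicyDocument"], template)
    return out


def is_api_ready(policy_document):
    """ValidatePolicy takes a plain JSON policy; a leftover intrinsic function means it is not one."""
    return re.search(r'"(Ref|Fn::[A-Za-z]+)":', json.dumps(policy_document)) is None


if __name__ == "__main__":
    raw = TEMPLATE["Resources"]["WorkerRole"]["Properties"]["Policies"][0]["PolicyDocument"]
    print("raw template policy API-ready:", is_api_ready(raw))
    for name, document in resolved_policies(TEMPLATE).items():
        print(name, "API-ready:", is_api_ready(document))
        print(json.dumps(document, indent=2))
```

The resolved Resource strings (for example arn:aws:sqs:us-east-1:123456789012:workerqueue) are not the ARNs the stack will create, but they have the right partition, service, region, account and resource segments, which is all the Access Analyzer checks need to decide whether sqs:SendMessage on that resource is acceptable.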

Workflow Overview

  1. CodeCommit Repository: Stores the CloudFormation templates, buildspecs and tests.

  2. CodePipeline: Orchestrates the stages below and stops at the first stage that fails.

  3. Centralized Dependency Installation: Installs cfn-lint, cfn-policy-validator and the test dependencies once, so the later build phases reuse them instead of reinstalling.

  4. First Build Stage: Runs cfn-lint on the template and the unit tests in parallel; a syntax error fails fast, before any policy analysis is attempted.

  5. Second Build Stage: Runs cfn-policy-validator validate, which parses the template, extracts the IAM and resource policies, resolves parameters and intrinsic functions, and submits the resolved policies to Access Analyzer.

  6. Blocking and Non-Blocking Findings: The validator sorts findings into blocking (by default ERROR and SECURITY_WARNING) and non-blocking (WARNING and SUGGESTION). Any blocking finding gives a non-zero exit code, which fails the CodeBuild stage and halts the pipeline; non-blocking findings are written to the build log as actionable hints.
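As an added example of steps 5 and 6 (not code from the repository), the Python block below assembles the validator invocation and applies the blocking / non-blocking semantics to its report. validate_command() uses the CLI flags documented for cfn-policy-validator; check their spelling against the version you pin. The report shape (BlockingFindings, NonBlockingFindings, findingType, code, resourceName, policyName, message) is assumed from the tool's JSON output, the finding codes are ValidatePolicy check names used for illustration, and SAMPLE_REPORT is a constructed stand-in for a real run.

```python
"""Added example of the second build stage's gate; not code from the repository.

The JSON report shape and the sample findings below are assumptions used for
illustration. The CLI flags are the documented cfn-policy-validator ones.
"""
import json
import subprocess
import sys

# Finding types the tool treats as blocking unless told otherwise (its documented default).
BLOCKING_TYPES = frozenset({"ERROR", "SECURITY_WARNING"})


def validate_command(template_path, region, parameters=None, non_blocking_types=()):
    """argv for the validate run. Demoting a finding type to non-blocking is deliberate, never default."""
    cmd = ["cfn-policy-validator", "validate", "--template-path", template_path, "--region", region]
    if parameters:
        cmd += ["--parameters"] + [f"{key}={value}" for key, value in parameters.items()]
    if non_blocking_types:
        cmd += ["--treat-finding-type-as-non-blocking", ",".join(non_blocking_types)]
    return cmd


SAMPLE_REPORT = {  # constructed; shape assumed from the tool's JSON report
    "BlockingFindings": [
        {"findingType": "SECURITY_WARNING", "code": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
         "resourceName": "WorkerRole", "policyName": "worker",
         "message": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive."},
    ],
    "NonBlockingFindings": [
        {"findingType": "SUGGESTION", "code": "EMPTY_SID_VALUE",
         "resourceName": "WorkerRole", "policyName": "worker",
         "message": "Add a value to the empty string in the Sid element."},
    ],
}


def gate(report, accepted=frozenset()):
    """Return (exit_code, log_lines).

    accepted holds (resourceName, code) pairs that have been reviewed and approved;
    matching blocking findings are still logged but do not fail the build. Any other
    blocking finding returns 1, which fails the CodeBuild stage and halts the pipeline.
    """
    lines, failing = [], 0
    for finding in report.get("BlockingFindings", []):
        key = (finding["resourceName"], finding["code"])
        tag = "ACCEPTED" if key in accepted else "BLOCK"
        failing += tag == "BLOCK"
        lines.append(f"[{tag}] {finding['resourceName']}/{finding['policyName']} "
                     f"{finding['code']} ({finding['findingType']}): {finding['message']}")
    for finding in report.get("NonBlockingFindings", []):
        lines.append(f"[WARN] {finding['resourceName']}/{finding['policyName']} "
                     f"{finding['code']} ({finding['findingType']}): {finding['message']}")
    return (1 if failing else 0), lines


def run_stage(template_path, region, accepted=frozenset()):
    """Run the validator and apply the gate; returns the exit code for the build step."""
    proc = subprocess.run(validate_command(template_path, region), capture_output=True, text=True)
    if not proc.stdout.strip():  # no report at all (tool crashed, no credentials): fail closed
        sys.stderr.write(proc.stderr)
        return 1
    code, lines = gate(json.loads(proc.stdout), accepted)
    print("\n".join(lines))
    return code


if __name__ == "__main__":
    code, lines = gate(SAMPLE_REPORT)
    print("\n".join(lines))
    print("exit code:", code)
```

Two design points matter in a pipeline: the stage fails closed when the validator produces no report, so a missing credential or a crashed tool cannot silently pass a template; and exemptions are keyed on (resource, finding code) rather than on the finding type, so accepting one reviewed iam:PassRole wildcard does not turn off that check for every other role in the template.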

Non-Functional Enhancements

  1. Centralized Dependencies: One install step with pinned versions of cfn-lint and cfn-policy-validator, so every build runs the same checks and later phases do not reinstall anything.

  2. Parallel Testing: Running cfn-lint and the unit tests side by side shortens the feedback loop and keeps the build environment busy rather than idle.

  3. Dynamic Scaling: CodeBuild provisions a build environment per run and releases it when the build ends, so no capacity sits idle between deployments.

  4. Caching: Caching the installed packages between builds removes the download and install time from each run.

Conclusion

This project aims to create an automated, fully-functional CI/CD pipeline that enhances the security and reliability of the deployment lifecycle. The design addresses both functional and non-functional aspects, ensuring quick, secure, and robust deployments.

Acknowledgements & Feedback

Thank you for exploring this project. I appreciate AWS Workshop Studio for providing a brilliant base for this work. Any suggestions or feedback to improve the design are welcome. For queries, please reach out to tanishka.marrott@gmail.com.

Tanishka Marrott