Enhancing CI/CD Workflows: Integrating AWS Access Analyzer for IAM Security
Project Focus: Security + Automation
We're enhancing both efficiency and security within deployment processes by integrating the tool cfn-policy-validator into a cohesive CI/CD pipeline.
Core Intent
Automating IAM policy validation so that it is part of every deployment cycle. If validation fails, the build is halted and the template never reaches the deploy stage, so overly permissive or externally accessible policies are caught before they exist in an account.
Link to the repo: https://github.com/TanishkaMarrott/Integrating-AWS-IAM-Access-Analyzer-in-a-CI-CD-Pipeline
Key Benefits
Simplicity: IAM policy checks run as an ordinary pipeline stage, so there is no separate review step to remember.
Compliance: Each deployment is checked against Access Analyzer's policy checks and its public/cross-account access analysis before the template is applied.
Efficiency: Less manual review and intervention, resulting in faster and more reliable deployments.
Cost Optimization: Fewer post-deployment fixes, and less time and energy spent on them; this is "shift-left security" applied to IAM.
Why Not Directly Use Access Analyzer APIs?
Challenges in Policy Validation:
Wildcards (*) in Resource elements are hard to eliminate when the resource ARN is only known after deployment, so templates end up granting more than they need.
Access Analyzer's APIs operate on finished policy documents: ValidatePolicy takes a policy JSON, and AccessPreview takes a resource configuration with concrete ARNs. Neither parses a CloudFormation template or resolves intrinsic functions such as Ref, Fn::GetAtt and Fn::Sub, so a policy that references a resource created in the same template cannot be checked as written until that resource exists, i.e. after deployment.
Solution: Integrating CFN Policy Validator into the CI/CD Pipeline
At AWS re:Inforce 2022, I discovered the IAM Policy Validator for CloudFormation (cfn-policy-validator). This command-line tool:
Parses CloudFormation templates and the identity and resource policies attached to resources in them.
Resolves CloudFormation-specific elements such as pseudo parameters, template parameters and intrinsic functions.
Submits each resolved policy to the Access Analyzer APIs: ValidatePolicy for syntax and security best-practice checks, and AccessPreview for public and cross-account access to resources.
How it Works:
Generates a well-formed placeholder ARN for every resource the template references through Ref, Fn::GetAtt or Fn::Sub, using the region and account the tool is run with, so the partition, service, region, account and resource type are correct even though the physical name is not known yet.
Policy validation is about the relationship between actions and resources (whether an action can apply to the referenced resource type, whether a resource policy grants access to principals outside the account), not the exact physical name, so a structurally correct placeholder ARN is sufficient.
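To make the two points above concrete, here is an added illustrative model of the work the validator does before it ever calls Access Analyzer: resolve Ref, Fn::GetAtt, Fn::Sub and Fn::Join to synthetic ARNs, pull the IAM policies out of the template, and look at what each action is allowed to touch. This is example code written for this page, not the tool's implementation; the pseudo-parameter values, the ARN shapes, the finding codes and the template are all constructed for the example.

```python
"""Illustrative model of cfn-policy-validator's pre-API work (added example, not the tool's code):
resolve CloudFormation intrinsics to synthetic ARNs, extract IAM policies, check actions vs. resources."""
import json
import re

# Constructed pseudo-parameter values standing in for the deploying account (assumption).
PSEUDO = {"AWS::Partition": "aws", "AWS::Region": "us-east-1", "AWS::AccountId": "111122223333"}

# Synthetic ARN shapes for two resource types. Only the structure matters for validation,
# so the lower-cased logical ID stands in for the physical name the deployment would assign.
ARN_SHAPES = {
    "AWS::S3::Bucket": "arn:{partition}:s3:::{name}",
    "AWS::SQS::Queue": "arn:{partition}:sqs:{region}:{account}:{name}",
}


def synth_arn(logical_id, resource_type):
    shape = ARN_SHAPES.get(resource_type, "arn:{partition}:unknown:{region}:{account}:{name}")
    return shape.format(partition=PSEUDO["AWS::Partition"], region=PSEUDO["AWS::Region"],
                        account=PSEUDO["AWS::AccountId"], name=logical_id.lower())


def resolve(node, resources, params):
    """Replace Ref / Fn::GetAtt / Fn::Sub / Fn::Join with concrete strings, recursively."""
    if isinstance(node, list):
        return [resolve(n, resources, params) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        ref = node["Ref"]
        if ref in PSEUDO:
            return PSEUDO[ref]
        if ref in params:
            return params[ref]
        return ref.lower()  # Ref on a resource yields its physical name, not an ARN
    if "Fn::GetAtt" in node:
        logical_id, attr = node["Fn::GetAtt"]
        if attr == "Arn":
            return synth_arn(logical_id, resources[logical_id]["Type"])
        return f"{logical_id.lower()}.{attr.lower()}"
    if "Fn::Sub" in node:
        text, local = node["Fn::Sub"], dict(params)
        if isinstance(text, list):  # long form: [string, {Var: value}]
            text, extra = text
            local.update(resolve(extra, resources, params))

        def sub_one(m):
            token = m.group(1)
            if "." in token:
                return resolve({"Fn::GetAtt": token.split(".", 1)}, resources, local)
            return resolve({"Ref": token}, resources, local)
        return re.sub(r"\$\{([^}]+)\}", sub_one, text)
    if "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(resolve(p, resources, params) for p in parts)
    return {k: resolve(v, resources, params) for k, v in node.items()}


def as_list(x):
    return x if isinstance(x, list) else [x]


def extract_policies(template, params=None):
    """Return (resourceName, policyName, resolvedPolicyDocument) for each IAM policy."""
    resources, params, found = template["Resources"], params or {}, []
    for lid, res in resources.items():
        props = resolve(res.get("Properties", {}), resources, params)
        if res["Type"] == "AWS::IAM::Role":
            found.append((lid, "AssumeRolePolicyDocument", props["AssumeRolePolicyDocument"]))
            found += [(lid, p["PolicyName"], p["PolicyDocument"]) for p in props.get("Policies", [])]
        elif res["Type"] == "AWS::IAM::Policy":
            found.append((lid, props["PolicyName"], props["PolicyDocument"]))
    return found


def find_issues(policies):
    """Local checks in the spirit of ValidatePolicy / AccessPreview; codes are illustrative."""
    findings = []
    for lid, name, doc in policies:
        for st in as_list(doc["Statement"]):
            if st.get("Effect") != "Allow":
                continue
            actions, targets = as_list(st.get("Action", [])), as_list(st.get("Resource", []))
            principal = st.get("Principal")
            aws_principals = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else as_list(principal or [])
            if "*" in aws_principals and "Condition" not in st:
                findings.append((lid, name, "PUBLIC_PRINCIPAL", "any AWS principal may use this statement"))
            if "*" in targets and any(a == "*" or a.endswith(":*") for a in actions):
                findings.append((lid, name, "WILDCARD_ACTION_ON_ALL_RESOURCES", f"{actions} on *"))
            for arn in targets:
                if arn == "*":
                    continue
                if not arn.startswith("arn:"):
                    findings.append((lid, name, "RESOURCE_NOT_AN_ARN", f"{arn!r}: Ref gives a name, use Fn::GetAtt Arn"))
                    continue
                service = arn.split(":")[2]  # the ARN's service segment must match the action prefix
                findings += [(lid, name, "ACTION_RESOURCE_MISMATCH", f"{a} cannot apply to {arn}")
                             for a in actions if a != "*" and a.split(":")[0] != service]
    return findings


# Constructed template: one role with a mix of sound and flawed statements.
TEMPLATE = {
    "Parameters": {"Env": {"Type": "String"}},
    "Resources": {
        "DataBucket": {"Type": "AWS::S3::Bucket"},
        "Queue": {"Type": "AWS::SQS::Queue"},
        "WorkerRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": {"Fn::Sub": "worker-${Env}"}, "PolicyDocument": {
                "Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": {"Fn::Sub": "${DataBucket.Arn}/*"}},
                    {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": {"Fn::GetAtt": ["Queue", "Arn"]}},
                    {"Effect": "Allow", "Action": "sqs:ReceiveMessage", "Resource": {"Fn::GetAtt": ["DataBucket", "Arn"]}},
                    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": {"Ref": "DataBucket"}},
                    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]}},
    },
}

if __name__ == "__main__":
    for f in find_issues(extract_policies(TEMPLATE, {"Env": "prod"})):
        print(json.dumps(dict(zip(("resourceName", "policyName", "code", "message"), f))))
```

Run as a script it prints three findings for the constructed template: the sqs action aimed at a bucket ARN, the statement whose Resource is a bare bucket name because Ref was used instead of Fn::GetAtt Arn, and the s3:* on * statement. The first two are exactly the class of problem that cannot be seen until the intrinsics are resolved, which is why the tool does this step before calling ValidatePolicy.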
Workflow Overview
CodeCommit Repository: Stores the codebase.
CodePipeline: Orchestrates the CI/CD process.
Centralized Dependency Installation: Pre-installs dependencies for faster subsequent build phases.
First Build Stage: Validates the syntax of the CloudFormation template using cfn-lint and runs unit tests in parallel.
Second Build Stage: Uses cfn-policy-validator to parse templates, pull policies, resolve dynamic parameters, and analyze policies through the Access Analyzer APIs.
Blocking and Non-Blocking Findings: The validator separates findings into blocking (by default ERROR and SECURITY_WARNING) and non-blocking (WARNING and SUGGESTION). A blocking finding fails the stage and stops the pipeline; non-blocking findings are reported with the resource, policy and finding code so they can be fixed without holding up the deployment.
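The gate behind the second build stage, as an added example rather than code from the project: read the validator's JSON report, apply the pipeline's own rule for which finding types block, drop findings that have been explicitly accepted and documented, and return the exit status the build should use. The invocation in the comment is assumed from the tool's documented usage, and the report contents are constructed for the example (the two top-level keys follow the BlockingFindings / NonBlockingFindings shape the tool prints; the individual findings are made up).

```python
"""Build-stage gate over a cfn-policy-validator report (added example, not the project's code)."""
import json

# Assumed invocation that produces the report consumed below (check the tool's --help):
#   cfn-policy-validator validate --template-path template.yaml --region us-east-1 > findings.json
# Constructed sample in the tool's BlockingFindings / NonBlockingFindings shape; values are made up.
SAMPLE_REPORT = json.dumps({
    "BlockingFindings": [
        {"findingType": "SECURITY_WARNING", "code": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
         "resourceName": "DeployRole", "policyName": "deploy", "message": "iam:PassRole allowed on *"},
    ],
    "NonBlockingFindings": [
        {"findingType": "WARNING", "code": "MISSING_VERSION",
         "resourceName": "WorkerRole", "policyName": "worker", "message": "no Version element"},
        {"findingType": "SUGGESTION", "code": "EMPTY_SID_VALUE",
         "resourceName": "WorkerRole", "policyName": "worker", "message": "empty Sid"},
    ],
})

# Matches the validator's default split; WARNING and SUGGESTION are non-blocking unless promoted here.
DEFAULT_BLOCKING = {"ERROR", "SECURITY_WARNING"}


def finding_key(f):
    """Stable identifier for a finding, used for the accepted-findings list."""
    return f"{f['resourceName']}.{f['policyName']}.{f['code']}"


def gate(report_json, blocking_types=DEFAULT_BLOCKING, accepted=()):
    """Re-partition findings by type, drop accepted ones, and decide.
    Returns (exit_code, blocking, non_blocking); exit_code 1 means stop the pipeline."""
    report = json.loads(report_json)
    everything = report.get("BlockingFindings", []) + report.get("NonBlockingFindings", [])
    live = [f for f in everything if finding_key(f) not in set(accepted)]
    blocking = [f for f in live if f["findingType"] in blocking_types]
    non_blocking = [f for f in live if f["findingType"] not in blocking_types]
    return (1 if blocking else 0), blocking, non_blocking


if __name__ == "__main__":
    code, blocking, non_blocking = gate(SAMPLE_REPORT)
    for f in blocking:
        print("BLOCKING    ", finding_key(f), "-", f["message"])
    for f in non_blocking:
        print("non-blocking", finding_key(f), "-", f["message"])
    raise SystemExit(code)
```

The accepted list is the one piece the tool does not give you for free: an entry such as DeployRole.deploy.PASS_ROLE_WITH_STAR_IN_RESOURCE should live in the repository next to a written justification, so a suppressed finding is reviewed like any other change. Promoting WARNING to blocking tightens the gate over time without editing the template checks themselves.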
Non-Functional Enhancements
Centralized Dependencies: Reduces build times and ensures consistency across builds.
Parallel Testing: Shortens testing times, feedback loops, and optimizes resource usage.
Dynamic Scaling: Manages build lifecycles efficiently, cutting unnecessary costs and optimizing resource use.
Caching: Speeds up build times by caching frequently accessed data/files in the build environment.
Conclusion
This project aims to create an automated, fully-functional CI/CD pipeline that enhances the security and reliability of the deployment lifecycle. The design addresses both functional and non-functional aspects, ensuring quick, secure, and robust deployments.
Acknowledgements & Feedback
Thank you for exploring this project. I appreciate AWS Workshop Studio for providing a brilliant base for this work. Any suggestions or feedback to improve the design are welcome. For queries, please reach out to tanishka.marrott@gmail.com.
Tanishka Marrott