Enhancing CI/CD Workflows: Integrating AWS Access Analyzer for IAM Security

We're enhancing both efficiency and security within deployment processes by integrating the tool cfn-policy-validator into a cohesive CI/CD pipeline.

Core Intent

Automate IAM policy validation tests so that IAM security is inherently part of every deployment cycle. If the validation tests fail, the build is halted automatically, ensuring infra-wide security and compliance.

Link to the repo: https://github.com/TanishkaMarrott/Integrating-AWS-IAM-Access-Analyzer-in-a-CI-CD-Pipeline

Key Benefits

  • Simplicity: Reduces operational overhead by ingraining IAM security within every deployment cycle.

  • Compliance: Ensures each deployment conforms to IAM security benchmarks.

  • Efficiency: Reduces operational overhead and manual intervention, resulting in faster and more reliable deployments.

  • Cost Optimization: Decreases costs, time, and energy spent on post-deployment fixes, emphasizing "shift-left security."

Why Not Directly Use Access Analyzer APIs?

Challenges in Policy Validation:

  • Difficulty in eliminating wildcards (*) in IAM policies, because scoping a policy to exact resource ARNs relies on ARNs that exist only post-deployment.

  • Access Analyzer does not parse templates or resolve dynamic parameters in CloudFormation templates; it depends purely on resource ARNs and can analyze policies only post-deployment.

Solution: Integrating CFN Policy Validator into the CI/CD Pipeline

At AWS re:Inforce 2022, I discovered the IAM Policy Validator for CloudFormation. This command-line tool:

  • Parses CloudFormation templates and attached IAM policies.

  • Resolves CloudFormation-specific elements like pseudo parameters and intrinsic functions.

  • Analyzes templates against Access Analyzer APIs (ValidatePolicy and AccessPreview) to check for security best practices and public/cross-account access.

How it Works:

  • Auto-generates ARNs for referenced resources, ensuring the structure of the ARN is accurate.

  • Policy validation focuses on analyzing the relationship between resources and actions, not the exact resource ARNs.
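
To make concrete what has to happen before any policy from a template can reach Access Analyzer, here is an added example (not code from cfn-policy-validator or from this project) that resolves a template's pseudo parameters and intrinsic functions into structurally correct placeholder ARNs. The pseudo-parameter values, the ARN-shape table, the supported intrinsic functions and the sample template are all assumptions constructed for the example; the real tool covers far more resource types and functions.

```python
from __future__ import annotations

import json
import re
from typing import Any

# Pseudo-parameter values assumed for offline resolution (constructed).
PSEUDO_PARAMS = {"AWS::Partition": "aws", "AWS::Region": "us-east-1", "AWS::AccountId": "111111111111"}

# ARN shape per resource type (constructed subset). Only the structure matters
# for validation, not the real post-deployment value.
ARN_TEMPLATES = {
    "AWS::S3::Bucket": "arn:{partition}:s3:::{name}",
    "AWS::SQS::Queue": "arn:{partition}:sqs:{region}:{account}:{name}",
}

# Resource types whose properties carry IAM policy documents (constructed subset).
POLICY_HOLDERS = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::S3::BucketPolicy"}


def placeholder_arn(logical_id: str, resource_type: str) -> str:
    """Build a placeholder ARN whose structure matches the resource type."""
    template = ARN_TEMPLATES.get(resource_type)
    if template is None:
        raise ValueError(f"no ARN template for {resource_type}")
    return template.format(partition=PSEUDO_PARAMS["AWS::Partition"], region=PSEUDO_PARAMS["AWS::Region"],
                           account=PSEUDO_PARAMS["AWS::AccountId"], name=logical_id.lower())


def _ref(name: str, resources: dict, extra: dict) -> str:
    """Ref on a Fn::Sub variable, a pseudo parameter, or a resource (its placeholder name)."""
    if name in extra:
        return str(extra[name])
    if name in PSEUDO_PARAMS:
        return PSEUDO_PARAMS[name]
    if name in resources:
        return name.lower()
    raise ValueError(f"unresolvable reference {name}")


def _get_att(logical_id: str, attr: str, resources: dict) -> str:
    """Only the Arn attribute is modelled here."""
    if attr != "Arn" or logical_id not in resources:
        raise ValueError(f"unsupported attribute {logical_id}.{attr}")
    return placeholder_arn(logical_id, resources[logical_id]["Type"])


def resolve(node: Any, resources: dict, extra: dict | None = None) -> Any:
    """Recursively replace Ref / Fn::GetAtt / Fn::Sub / Fn::Join with plain strings."""
    extra = extra or {}
    if isinstance(node, list):
        return [resolve(n, resources, extra) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (key, value), = node.items()
        if key == "Ref":
            return _ref(value, resources, extra)
        if key == "Fn::GetAtt":
            logical_id, attr = value if isinstance(value, list) else value.split(".", 1)
            return _get_att(logical_id, attr, resources)
        if key == "Fn::Sub":
            text, sub_map = (value, {}) if isinstance(value, str) else (value[0], value[1])
            sub_map = {k: resolve(v, resources, extra) for k, v in sub_map.items()}

            def expand(m: re.Match) -> str:
                var = m.group(1)
                if "." in var and var not in sub_map:
                    return _get_att(*var.split(".", 1), resources)
                return _ref(var, resources, sub_map)
            return re.sub(r"\$\{([^}]+)\}", expand, text)
        if key == "Fn::Join":
            delimiter, parts = value
            return delimiter.join(str(resolve(p, resources, extra)) for p in parts)
    return {k: resolve(v, resources, extra) for k, v in node.items()}


def extract_policies(template: dict) -> list[dict]:
    """Pull every policy document out of the template with its references resolved."""
    resources = template["Resources"]
    found = []
    for logical_id, res in resources.items():
        if res["Type"] not in POLICY_HOLDERS:
            continue
        props = res.get("Properties", {})
        if "AssumeRolePolicyDocument" in props:
            found.append({"resource": logical_id, "policy": "AssumeRolePolicyDocument",
                          "document": resolve(props["AssumeRolePolicyDocument"], resources)})
        if "PolicyDocument" in props:
            found.append({"resource": logical_id, "policy": logical_id,
                          "document": resolve(props["PolicyDocument"], resources)})
        for inline in props.get("Policies", []):
            found.append({"resource": logical_id, "policy": inline["PolicyName"],
                          "document": resolve(inline["PolicyDocument"], resources)})
    return found


# Constructed sample: a role whose inline policy references resources three different ways.
SAMPLE_TEMPLATE = {"Resources": {
    "DataBucket": {"Type": "AWS::S3::Bucket"},
    "Jobs": {"Type": "AWS::SQS::Queue"},
    "WorkerRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "worker", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": {"Fn::Sub": "${DataBucket.Arn}/*"}},
            {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": {"Fn::GetAtt": ["Jobs", "Arn"]}},
            {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": {"Fn::Join": ["", [
                "arn:", {"Ref": "AWS::Partition"}, ":logs:", {"Ref": "AWS::Region"}, ":",
                {"Ref": "AWS::AccountId"}, ":*"]]}},
        ]}}]}}}}

if __name__ == "__main__":
    print(json.dumps(extract_policies(SAMPLE_TEMPLATE), indent=2))
```

The output is ordinary policy JSON, which is the only form ValidatePolicy accepts; the raw template, with its `Fn::Sub` and `Fn::GetAtt` nodes, is not. Because the placeholder ARNs keep the service, region and account segments in the right positions, the validator can still judge whether an action is paired with a sensible resource type, which is the relationship the analysis is about.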

Workflow Overview

  1. CodeCommit Repository: Stores the codebase.

  2. CodePipeline: Orchestrates the CI/CD process.

  3. Centralized Dependency Installation: Pre-installs dependencies for faster subsequent build phases.

  4. First Build Stage: Validates the syntax of the CloudFormation template using cfn-lint and runs unit tests in parallel.

  5. Second Build Stage: Uses cfn-policy-validator to parse templates, pull policies, resolve dynamic parameters, and analyze policies through Access Analyzer APIs.

  6. Blocking and Non-Blocking Findings: Provides actionable insights into policy issues.
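
As an added example of the gate at the end of the second build stage (not the project's buildspec or the tool's code), the following script reads the validator's JSON report and fails the build when a blocking finding survives the pipeline's own triage. It assumes the report shape the tool documents (`BlockingFindings` and `NonBlockingFindings` entries carrying `findingType`, `code`, `message`, `resourceName` and `policyName`), the exit codes noted in the comments, and a suppression-key format of `resource.policy.code` chosen here for the example; the sample report is constructed.

```python
from __future__ import annotations

import json
import subprocess
import sys
from dataclasses import dataclass
from typing import Iterable

# Finding types the validator emits. ERROR and SECURITY_WARNING block by default,
# WARNING and SUGGESTION do not (assumed default, mirroring the tool's documentation).
DEFAULT_BLOCKING = frozenset({"ERROR", "SECURITY_WARNING"})


@dataclass(frozen=True)
class Finding:
    finding_type: str
    code: str
    message: str
    resource: str
    policy: str

    @property
    def key(self) -> str:
        """Stable id used for suppressions: resource.policy.code (format chosen here)."""
        return f"{self.resource}.{self.policy}.{self.code}"


def run_validator(template_path: str, region: str) -> dict:
    """Run the CLI and parse its JSON report. Needs AWS credentials; not exercised offline."""
    proc = subprocess.run(
        ["cfn-policy-validator", "validate", "--template-path", template_path, "--region", region],
        capture_output=True, text=True, check=False,
    )
    # Assumed exit codes: 0 = no blocking findings, 2 = blocking findings, anything else = tool error.
    if proc.returncode not in (0, 2):
        raise RuntimeError(f"cfn-policy-validator failed: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def parse_report(report: dict) -> list[Finding]:
    """Flatten both lists of the report; the blocking split is recomputed by triage()."""
    return [
        Finding(f["findingType"], f["code"], f["message"], f["resourceName"], f["policyName"])
        for bucket in ("BlockingFindings", "NonBlockingFindings")
        for f in report.get(bucket, [])
    ]


def triage(findings: Iterable[Finding], blocking_types: frozenset[str] = DEFAULT_BLOCKING,
           ignore: Iterable[str] = ()) -> tuple[list[Finding], list[Finding]]:
    """Split findings into (blocking, non_blocking) under the pipeline's own policy.

    blocking_types lets a production branch promote WARNING to blocking; ignore holds
    reviewed-and-accepted finding keys so they stop failing the build."""
    ignored = set(ignore)
    blocking: list[Finding] = []
    non_blocking: list[Finding] = []
    for f in findings:
        if f.key in ignored:
            continue
        (blocking if f.finding_type in blocking_types else non_blocking).append(f)
    return blocking, non_blocking


def format_report(blocking: list[Finding], non_blocking: list[Finding]) -> str:
    """Summary for the build log, blocking findings first so they are visible on failure."""
    lines = []
    for label, group in (("BLOCKING", blocking), ("non-blocking", non_blocking)):
        lines.append(f"{len(group)} {label} finding(s)")
        lines.extend(f"  [{f.finding_type}] {f.key}: {f.message}" for f in group)
    return "\n".join(lines)


def gate(report: dict, blocking_types: frozenset[str] = DEFAULT_BLOCKING, ignore: Iterable[str] = ()) -> int:
    """Exit status for the build stage: 1 if any blocking finding survives triage, else 0."""
    blocking, non_blocking = triage(parse_report(report), blocking_types, ignore)
    print(format_report(blocking, non_blocking))
    return 1 if blocking else 0


# Constructed sample report in the documented shape; the codes are real Access Analyzer
# issue codes, the resource names and messages are made up for the example.
SAMPLE_REPORT = {
    "BlockingFindings": [
        {"findingType": "SECURITY_WARNING", "code": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
         "message": "iam:PassRole with a wildcard resource can be overly permissive.",
         "resourceName": "WorkerRole", "policyName": "worker", "details": {}},
    ],
    "NonBlockingFindings": [
        {"findingType": "WARNING", "code": "MISSING_VERSION",
         "message": "Specify the Version element so the policy uses the current grammar.",
         "resourceName": "DeployPolicy", "policyName": "DeployPolicy", "details": {}},
        {"findingType": "SUGGESTION", "code": "EMPTY_SID_VALUE",
         "message": "Add a Sid to make the statement easier to reference.",
         "resourceName": "DeployPolicy", "policyName": "DeployPolicy", "details": {}},
    ],
}

if __name__ == "__main__":
    # Usage in CodeBuild: python gate.py template.yaml us-east-1 [--strict]; no args runs the sample.
    if len(sys.argv) >= 3:
        strict = "--strict" in sys.argv
        types = DEFAULT_BLOCKING | {"WARNING"} if strict else DEFAULT_BLOCKING
        sys.exit(gate(run_validator(sys.argv[1], sys.argv[2]), types))
    sys.exit(gate(SAMPLE_REPORT))
```

A non-zero exit from the build command is what halts CodeBuild, so the gate's return value is the whole blocking mechanism. Keeping the suppression list in the repository (rather than loosening `blocking_types` globally) records which findings were reviewed and accepted, which is the audit trail a compliance check wants.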

Non-Functional Enhancements

  1. Centralized Dependencies: Reduces build times and ensures consistency across builds.

  2. Parallel Testing: Shortens testing times and feedback loops, and optimizes resource usage.

  3. Dynamic Scaling: Manages build lifecycles efficiently, cutting unnecessary costs and optimizing resource use.

  4. Caching: Speeds up build times by caching frequently accessed data/files in the build environment.

Conclusion

This project aims to create an automated, fully-functional CI/CD pipeline that enhances the security and reliability of the deployment lifecycle. The design addresses both functional and non-functional aspects, ensuring quick, secure, and robust deployments.

Acknowledgements & Feedback

Thank you for exploring this project. I appreciate AWS Workshop Studio for providing a brilliant base for this work. Any suggestions or feedback to improve the design are welcome. For queries, please reach out to tanishka.marrott@gmail.com.

Tanishka Marrott
