we have someAWSAccount assuming someaccountrole with instance profile name p in AWS.
Managed policy by name some-permission-boundary is created in this account(someAWSAccount). Purpose of creating this boundary policy in this account is mentioned below.
Requirement is,
Resources:
HelloWorldFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: hello-world/
Handler: app.LambdaHandler
Runtime: nodejs8.10
Events:
MySQSEvent:
Type: SQS
Properties:
Queue: !GetAtt SomeQueue.Arn
BatchSize: 10
PermissionsBoundary: "arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary"
SomeQueue:
Type: AWS::SQS::Queue
to enforce some rules to AWS resources generated from above SAM template, by enforcing SAM template to have PermissionsBoundary: "arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary" as part of Properties list,
so that any AWS resource type( like Lambda, SQS, roles, policies etc...) that are created amidst
sam deploy --template-file above-SAM-template --stack-name somestack --profile p
should be in compliance with rules mentioned in arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary
Developers write these SAM tempates and security team need to make sure that sam deploy does not work until this PermissionsBoundary property is part of the Properties list of SAM template.
So, for this, we are thinking to design another managed policy in someAWSAaccount that make sure sam deploy fails if SAM template does not have this entry: sam deploy --template-file above-SAM-template --profile p
What should the deployer policy(managed policy) look like, to enforce this rule? Which Principal should get assigned with this deployer policy?
or
Do you suggest an alternate approach?
