Feedback for “How to Deploy CloudQuery into an AWS Organization” #10825
Comments
Thanks for reporting this issue 👍
The deployment also failed when deploying across the entire organization as the CloudqueryReadOnly role is assigned the same name as the CloudQueryMemberRoles. I have changed the name for the first role to cloudquery-admin-role to avoid this conflict.
Hi @Fennerr, thanks for opening this issue! Delegated Administrator is a newer feature from AWS - we'll take a look at the guide and see how it works with delegated administrator. Could you confirm for our testing that you are using a separate non-administrator account as the delegated administrator account for StackSets?
Hi @jsonpr I created a separate AWS account specifically for Cloud Query, and assigned it as a delegated administrator for CloudFormation StackSets. This needs to be done from the organization's management account (by browsing to CloudFormation StackSets, clicking on enable trusted access if that has not been done yet, and then adding the account ID for the delegated admin account). This lets you create stacksets in the management account from a delegated administrator's account. You might need to also "Enable all features", which is done by default for newer orgs unless you selected 'only use consolidated billing' when creating the org (I had not). These articles cover the setup:
It's pretty straightforward, but nowhere do they mention setting the CallAs property for StackSets created using CloudFormation.
I also deployed the CloudFormation stack using the supplied template, and specified the root OU when deploying it. It's pretty interesting to note that it did not create the Cloud Query read-only role in the management account. I was wondering if it would - as it would make it trivial to get admin access to the management account from a delegated admin account (just deploy an admin role you can assume to it), but fortunately this is not the case.
Hey @Fennerr - thanks for the detailed information! Reminds me of research we did on Delegated Administrator: https://www.cloudquery.io/blog/guide-aws-org-delegation. From my limited research, the only page I see the CallAs call out is here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-stackset.html#cfn-cloudformation-stackset-callas Yea - I remember a discussion I had with others on when deploying from a Delegated Admin account for StackSets, it doesn't deploy the child resources to the Management Account. It's a good callout - if the stackset delegated admin account would deploy to the management account, it could be an unintended path of access from the delegated admin account.
Exactly! I am a cybersecurity consultant, with a focus on AWS, so I am always keeping an eye out for those possible privilege escalation paths. Very nice blog post by the way - I actually came across it when trying to debug this issue that I was facing with deploying the resource from a delegated admin account. |
@Fennerr - thanks for the kind feedback! Happy to chat about cybersecurity, consulting, and definitely privilege escalation. One of my main focus areas is AWS IAM. I can be reached at jason@cloudquery.io. Based on your feedback for https://github.com/cloudquery/iam-for-aws-orgs, we added additional documentation here: cloudquery/iam-for-aws-orgs#2. This is a temporary measure as we discuss further options such as adding an additional template like you suggested and adding conditionals to the original template. We want to ensure the user experience for deploying if not using Delegated Administrator is smooth and both options would introduce some complexity. That coupled with the potential lack of visibility into the Organization Management Account if using the Delegated Administrator route merits further discussion. Closing this issue as resolved now, thanks again for all the feedback, context, and using CloudQuery! |
I just spent ~3 hours debugging an issue with the recommended deployment. I was deploying the template from a delegated admin account within my org, and it kept returning an error (it had something to do with deploying a stackset with PermissionModel: SERVICE_MANAGED; it was vague and indicated that I had not set up the delegated administration correctly within my org. Turns out I had set it up correctly, and I went down a rabbit hole trying to find out why it wouldn't deploy).
After looking around, I finally came across this thread: aws-cloudformation/cloudformation-coverage-roadmap#799
The issue is that the CloudQueryMemberRoles resource in the template needs to have a CallAs: DELEGATED_ADMIN property defined in order to deploy it from a delegated admin account.
I thought of adding the context to the wiki page, but thought that this fix should probably be done by creating a separate delegated_admin_template.yml file in the https://github.com/cloudquery/iam-for-aws-org repo, and then updating the wiki page to tell users that want to deploy the template from a delegated admin account to use that template instead.
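The shape of the fix described in this issue (a service-managed StackSet resource that carries CallAs: DELEGATED_ADMIN so it can be created from a delegated administrator account), as an added example. This is not the cloudquery/iam-for-aws-orgs template and not code from any participant in the thread; the parameter names, the default role names (cloudquery-admin-role, cloudquery-member-ro), the StackSet name and the inline member-role template are all assumptions made for illustration. It takes the member role name and the CloudQuery account role name as separate parameters so the name collision reported above cannot recur. It assumes that trusted access for StackSets is already enabled and that the deploying account has already been registered as a delegated administrator from the management account; neither is done by a template. Note that a SERVICE_MANAGED stack set never deploys instances to the organization's management account, so covering that account needs a separate, deliberate deployment.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not the cloudquery/iam-for-aws-orgs template): a service-managed
  StackSet that can be created from a delegated administrator account because the
  StackSet resource sets CallAs: DELEGATED_ADMIN.

Parameters:
  CloudQueryAccountId:
    Type: String
    Description: Account that runs CloudQuery (assumed to be the delegated admin account)
  CloudQueryAdminRoleName:
    Type: String
    Default: cloudquery-admin-role   # assumed name; lives in the CloudQuery account
    Description: Role in the CloudQuery account that assumes the member roles
  MemberRoleName:
    Type: String
    Default: cloudquery-member-ro    # assumed name; must differ from CloudQueryAdminRoleName
    Description: Read-only role created in every targeted member account
  TargetOuIds:
    Type: CommaDelimitedList
    Description: OU IDs to deploy into, e.g. the organization root (r-xxxx)
  TargetRegion:
    Type: String
    Default: us-east-1
    Description: IAM is global, so a single region is enough for the instances

Resources:
  CloudQueryMemberRoles:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: cloudquery-member-roles   # assumed name
      PermissionModel: SERVICE_MANAGED
      # CallAs defaults to SELF, which only works when the stack is created in the
      # management account. Creating this resource from a delegated administrator
      # account fails unless CallAs is DELEGATED_ADMIN.
      CallAs: DELEGATED_ADMIN
      AutoDeployment:
        Enabled: true                 # new accounts joining the OU get the role
        RetainStacksOnAccountRemoval: false
      Capabilities:
        - CAPABILITY_NAMED_IAM        # required because the role has a fixed RoleName
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds: !Ref TargetOuIds
          Regions:
            - !Ref TargetRegion
      # Inline member-account template. Service-managed stack sets do not create an
      # instance in the management account, so this role will not appear there.
      TemplateBody: !Sub |
        AWSTemplateFormatVersion: "2010-09-09"
        Resources:
          CloudQueryMemberRole:
            Type: AWS::IAM::Role
            Properties:
              RoleName: ${MemberRoleName}
              AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Principal:
                      AWS: arn:aws:iam::${CloudQueryAccountId}:role/${CloudQueryAdminRoleName}
                    Action: sts:AssumeRole
              ManagedPolicyArns:
                - arn:aws:iam::aws:policy/ReadOnlyAccess

Outputs:
  StackSetId:
    Value: !Ref CloudQueryMemberRoles
```

Deploy it as an ordinary stack in the delegated administrator account; the nested StackSet then fans the member role out to every account under the given OUs. If CallAs is left at its default, the same template only succeeds from the management account, which is the failure mode this issue describes. Because the trust policy names a single role in the CloudQuery account, that role's own trust policy and permissions are the control point to review when assessing who can reach every member account through this path.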