Validating IAM Policies as Automated Unit Tests

During this hands-on lab, you will build upon an existing AWS CodePipeline governance pipeline that already contains a linting stage for catching misconfigured CloudFormation templates. By integrating `cfn-guard` into an additional, separate governance stage, you will automate scanning of the IAM policies declared in your CloudFormation templates for overly permissive statements. **Important Information**: Please ensure that you read through the **Additional Information** section.

Lab Info
Level
Intermediate
Last updated
May 30, 2026
Duration
30m

Table of Contents
  1. Challenge

    Locally install cfn-guard

    The first thing you need to do is install CloudFormation Guard locally so that you can test it later on. To do this, you can download the pre-built binary for testing.

    • Navigate to AWS CloudShell.
    • Install Guard from a pre-built release binary (https://docs.aws.amazon.com/cfn-guard/latest/ug/setting-up-linux.html)
    • Set your PATH variable to include the directory containing the CloudFormation Guard binary.
    • Check the version of CloudFormation Guard to ensure that the tool is ready to go.
  2. Challenge

    Test cfn-guard locally

    Now that you've installed CloudFormation Guard locally to your CloudShell instance, you need to test it against a rule set and a template file.

    • Change to the ~/Path-Proactive-Security-in-Your-AWS-CI-CD-Pipeline/5-lab-validating-iam-policies-as-automated-unit-tests directory in AWS CloudShell.
    • Inspect the cfn-guard/iam-no-s3-wildcard.guard file.
    • Inspect the infra/template.yml CloudFormation file.
    • Validate the CloudFormation template against your cfn-guard rules, using the two files you just inspected.
    • Ensure there are no errors before moving on.
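    Before wiring the real Guard check into the pipeline, it helps to be precise about what "overly permissive" means for an identity policy in a template. The following is an added example, not the lab's iam-no-s3-wildcard.guard rule or its infra/template.yml: a stand-alone Python check that walks the IAM resources of a CloudFormation template (given in its JSON form so only the standard library is needed) and reports every Allow statement that grants all of S3. It goes a little beyond the rule's name by also covering inline policies on roles, users and groups, and by flagging Allow statements that use NotAction, which grant s3:* implicitly. The sample template, resource names and policy contents below are constructed for the example.

```python
"""Stand-alone check for over-broad S3 grants in CloudFormation IAM resources.

Added example, not the lab's cfn-guard rule or template. It expresses in Python
the kind of condition a Guard rule such as iam-no-s3-wildcard.guard is meant to
encode, so the failure mode is clear before the rule runs in the pipeline.
"""
import json

# Actions that grant every S3 operation (IAM action names are case-insensitive).
S3_WILDCARDS = {"*", "*:*", "s3:*"}

# Resource types whose Properties.PolicyDocument is a standalone identity policy.
DOCUMENT_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}
# Resource types that carry inline policies under Properties.Policies[].PolicyDocument.
INLINE_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}


def _as_list(value):
    """IAM allows Action/NotAction/Statement to be a string, a dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _policy_documents(logical_id, resource):
    """Yield (label, PolicyDocument) pairs for one CloudFormation resource."""
    rtype = resource.get("Type")
    props = resource.get("Properties", {})
    if rtype in DOCUMENT_TYPES and "PolicyDocument" in props:
        yield logical_id, props["PolicyDocument"]
    if rtype in INLINE_TYPES:
        for policy in props.get("Policies", []):
            yield f"{logical_id}/{policy.get('PolicyName', '?')}", policy["PolicyDocument"]


def find_s3_wildcards(template):
    """Return (policy label, statement index, reason) for every Allow statement granting all of S3.

    Deny statements are skipped because they only narrow access. An Allow statement
    that uses NotAction grants everything except the listed actions, so it is
    reported unless the exclusion itself covers s3:* (or everything).
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for label, doc in _policy_documents(logical_id, resource):
            for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = [a.lower() for a in _as_list(stmt.get("Action"))]
                hits = sorted(a for a in actions if a in S3_WILDCARDS)
                if hits:
                    findings.append((label, idx, f"Action grants all of S3: {hits}"))
                elif "NotAction" in stmt:
                    excluded = [a.lower() for a in _as_list(stmt["NotAction"])]
                    if not any(a in ("s3:*", "*") for a in excluded):
                        findings.append((label, idx, "Allow with NotAction implicitly grants s3:*"))
    return findings


# Constructed sample template (JSON form of a CloudFormation template); not the lab's infra/template.yml.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "BuildRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Principal": {"Service": "codebuild.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "artifacts", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]
      }
    },
    "ScopedPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-artifacts/*"}]}}
    },
    "BroadPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {"PolicyName": "broad", "Roles": [{"Ref": "BuildRole"}],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
          {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}}
    }
  }
}
""")


if __name__ == "__main__":
    for label, idx, reason in find_s3_wildcards(SAMPLE_TEMPLATE):
        print(f"FAIL {label} Statement[{idx}]: {reason}")
```

    Run against the sample, the check reports the role's inline "artifacts" policy (s3:* on *) and the first statement of BroadPolicy (NotAction under Allow), while ScopedPolicy passes because its actions are enumerated and its resource is a specific bucket prefix. The real Guard rule in the lab is what the pipeline enforces; this script is only a way to reason about which template shapes it should reject.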
  3. Challenge

    Update the buildspec for the guard governance stage

    Your next step is to prepare the separate buildspec file for the brand new governance stage that you'll add to your pipeline.

    • Inspect the configuration/buildspec-guard.yml file that will be used for the new stage.
    • Ensure there are three phases defined within the file.
      • install
      • pre_build
      • build
    • Recursively zip up the configuration, infra, and cfn-guard directories and their files into an artifacts.zip file.
  4. Challenge

    Create the new CodeBuild guard project

    Now that you have the guard policy rule set ready to go, and your buildspec files ready, you need to create a new CodeBuild project as well as a new stage within your governance pipeline.

    • Clone the existing governance-lint AWS CodeBuild project and name it governance-guard.
    • Set Source 1 - Primary to AWS CodePipeline with no source version set.
    • Use the existing service role for the service role permissions (Example: arn:aws:iam::123456789876:role/governance-codebuild-role)
  5. Challenge

    Create the new guard governance stage

    With the CodeBuild project ready to go, you can now integrate it into a brand new stage within the existing pipeline.

    • Edit the existing governance-pipeline pipeline: add a brand new stage called GovernanceGuard immediately after GovernanceLint.
    • Add an action group for the new stage:
      • Input artifacts: GovernanceLintOutputs
      • Project name: the existing governance-guard CodeBuild project
      • Define buildspec override - optional: enabled and set to configuration/buildspec-guard.yml
      • Output artifacts: GovernanceGuardOutputs

    Then modify the Deploy stage as well:

    • Set Input artifacts to GovernanceGuardOutputs
    • Set Template > Artifact name to GovernanceGuardOutputs
  6. Challenge

    Test the AWS CodePipeline pipeline

    With all of the pipeline pieces in place, you can now upload your artifacts.zip file to test that the pipeline runs successfully.

    • Upload the ZIP file to the Amazon S3 bucket from your AWS CloudShell window.
    • Verify the pipeline succeeds.
    • Inspect the logs for each stage within the pipeline.