
[Bug] New account added to AWS Tenant not getting audited #26

Open
dutt0 opened this issue Mar 13, 2024 · 3 comments
Labels
bug Something isn't working v1.0 Iteration for Policy v1.0

Comments

@dutt0
Collaborator

dutt0 commented Mar 13, 2024

Description of the bug/Issue
New account added to AWS Tenant not getting audited

Expected behavior
Need to find a way to update the solution so that it covers new accounts created after the initial install.

Additional context
Originally reported in the old repo.

@dutt0 dutt0 added the bug Something isn't working label Mar 13, 2024
@nadersip

Tested on ASEA, waiting for LZA to be tested.

@nadersip

@singhgss While testing on LZA, we got the following error

[Image: screenshot of the error, attached in the original comment]

@singhgss
Contributor

Issue Encountered

  • During testing in the LZA environment, a new account creation triggers the org role creation Lambda function.
  • The Pipeline Role with admin privileges is not created immediately as the LZA pipeline is still in progress.
  • The role is created approximately 20 minutes after the account creation.

Current Implementation

  • Implemented retry logic in the Lambda function with exponential backoff.
  • Lambda function attempts to assume a role that is created around 20 minutes post-account creation.
  • Lambda function has a maximum execution time of 15 minutes, causing it to reach this limit before the necessary role is available.

Consideration

  • Currently considering forcing an update on the stack to ensure new accounts are included in the update cycle.
  • This would ensure the new GCExecutionRoles are created for new accounts.

Proposed Solution

  • Option 1: Create a DynamoDB table and inject new account information into it using the new account created event.
    • Schedule a time event to trigger role creation on accounts listed in the DynamoDB table.
    • Remove records from the table once role creation succeeds.
  • Option 2: Use tagging on org accounts to indicate if roles have been deployed and when they were last updated.
    • This approach allows flexibility to trigger role updates by removing the tag.
    • Schedule role deployment every 4 hours for eventual consistency.
    • Easily identify which accounts have roles applied.

Preferred Solution

  • Using tagging seems preferable as it provides a way to trigger role updates and manage deployment effectively.

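A sketch of the tag-driven reconciler from Option 2 above, added here as an illustration and not code from this project or from the commenter. Every name in it is hypothetical: the tag keys `GCRolesDeployed` / `GCRolesDeployedAt`, the `OrgClient` class (an in-memory stand-in for the real `organizations.list_accounts`, `list_tags_for_resource`, `tag_resource`, `untag_resource` and `sts.assume_role` calls) and the three constructed accounts. The point it demonstrates is the one that matters for the 15-minute Lambda limit: a scheduled pass never waits for the LZA pipeline; an account whose pipeline role cannot yet be assumed is simply left untagged and is picked up on a later run, and removing the tag forces a redeploy.

```python
"""Tag-driven reconciliation of per-account roles (added example; hypothetical names).

Intended to run on a schedule (e.g. every 4 hours). For each member account it
checks an org-account tag; untagged accounts get the roles deployed if the
pipeline role can be assumed, and are tagged only on success. Accounts whose
pipeline role does not exist yet are skipped, so no invocation blocks on the
LZA pipeline and the Lambda timeout is never reached.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

DEPLOYED_TAG = "GCRolesDeployed"        # hypothetical tag key
DEPLOYED_AT_TAG = "GCRolesDeployedAt"   # hypothetical tag key


class RoleNotReady(Exception):
    """Raised by the assume-role call when the pipeline role is absent."""


@dataclass
class OrgClient:
    """Constructed in-memory stand-in for the Organizations/STS calls."""
    accounts: dict                    # account id -> tags dict
    ready_roles: set                  # account ids whose pipeline role exists
    deployed: list = field(default_factory=list)   # deployment log

    def list_accounts(self):
        return list(self.accounts)

    def get_tags(self, account_id):
        return dict(self.accounts[account_id])

    def tag_account(self, account_id, tags):
        self.accounts[account_id].update(tags)

    def untag_account(self, account_id, keys):
        for key in keys:
            self.accounts[account_id].pop(key, None)

    def assume_pipeline_role(self, account_id):
        # Real code: sts.assume_role(...) raising AccessDenied while LZA is still running
        if account_id not in self.ready_roles:
            raise RoleNotReady(account_id)
        return {"account": account_id}   # stands in for temporary STS credentials

    def deploy_execution_roles(self, creds):
        self.deployed.append(creds["account"])


def reconcile(org, now=None):
    """One scheduled pass. Returns (deployed, pending, skipped) account-id lists."""
    now = now or datetime.now(timezone.utc)
    deployed, pending, skipped = [], [], []
    for account_id in org.list_accounts():
        tags = org.get_tags(account_id)
        if tags.get(DEPLOYED_TAG) == "true":
            skipped.append(account_id)      # already done; untag to force a redeploy
            continue
        try:
            creds = org.assume_pipeline_role(account_id)
        except RoleNotReady:
            pending.append(account_id)      # pipeline still running; retry on the next run
            continue
        org.deploy_execution_roles(creds)
        org.tag_account(account_id, {DEPLOYED_TAG: "true",
                                     DEPLOYED_AT_TAG: now.isoformat()})
        deployed.append(account_id)
    return deployed, pending, skipped


def force_redeploy(org, account_id):
    """Removing the tag is the trigger for a role update on the next pass."""
    org.untag_account(account_id, [DEPLOYED_TAG, DEPLOYED_AT_TAG])


def demo():
    """Three passes over constructed accounts: one already done, one new and
    ready, one new whose pipeline role appears only after the first pass."""
    org = OrgClient(
        accounts={
            "111111111111": {DEPLOYED_TAG: "true",
                             DEPLOYED_AT_TAG: "2024-03-01T00:00:00+00:00"},
            "222222222222": {},   # new account, pipeline role already present
            "333333333333": {},   # new account, LZA pipeline still in progress
        },
        ready_roles={"111111111111", "222222222222"},
    )
    first = reconcile(org)
    org.ready_roles.add("333333333333")   # ~20 minutes later the role exists
    second = reconcile(org)
    force_redeploy(org, "111111111111")
    third = reconcile(org)
    return first, second, third, org


if __name__ == "__main__":
    for label, result in zip(("first", "second", "third"), demo()[:3]):
        print(label, "deployed/pending/skipped:", result)
```

In the real Lambda the `RoleNotReady` branch would catch the STS `AccessDenied`/`NoSuchEntity` error for the missing pipeline role, and the tag write should happen only after the role stack has reported success, otherwise an account can be marked done with nothing deployed.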
@dutt0 dutt0 added the v1.0 Iteration for Policy v1.0 label Oct 28, 2024