@treyperrone
Created February 22, 2024 04:55
202402-aws-test-deny-AMIs

2024 February

Tests of various ways to deny the launch of AMIs via SCPs

Basic setup details:

  • primary AWS account with AWS Organizations set up, acctID xxxxxxxx2016
    • this account holds nothing but Organizations; the only SCP in place is a simple denyleavingorgs policy at the root level
  • child account called image-factory, acctID xxxxxxxx3352, where AMIs would be created and shared from
  • child account called lab2024, acctID xxxxxxxx6393

Testing was done on this setup in the past week for a multi-Region KMS key (MRK) in the image-factory account and then use of that key from the lab acct; see: https://gist.github.com/treyperrone/7417a34c4d8e85d2f8724aef4a02de98

Test Case 1 - simple scenario: can we limit EC2 launches to AMIs with the amazon owner alias?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMarketplaceAMIAccess",
      "Effect": "Deny",
      "Action": [
        "ec2:RunScheduledInstances",
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*::image/ami-*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Owner": [
            "amazon"
          ]
        }
      }
    }
  ]
}
  • switch to image-factory acct

    • Allows launch of the Ubuntu AMI ami-0971b6ff39e964529, named ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-arm64-server-20240119.1, owned by acct 099720109477
    • Blocks launch of a CentOS Stream 9 AMI ami-0b2e9fef7a3024ce6 found by browsing the Marketplace
    • Allows launch of the Amazon Linux 2023 AMI ami-0f93c02efd1974b8b, named al2023-ami-2023.3.20240219.0-kernel-6.1-arm64, owned by 137112412989
  • switch to lab2024 acct

    • Allows launch of the Amazon Linux 2023 AMI ami-0f93c02efd1974b8b, named al2023-ami-2023.3.20240219.0-kernel-6.1-arm64, owned by 137112412989:
    aws ec2 run-instances \
    --image-id ami-0f93c02efd1974b8b \
    --count 1 \
    --instance-type t4g.nano \
    --security-group-ids sg-0afe189dbba7fc8df \
    --subnet-id subnet-06bda357a91d1e5c1 \
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-shared-ami-$(date '+%Y-%m-%d_%H-%M')}]" \
    --ebs-optimized \
    --credit-specification CpuCredits=standard \
    --no-associate-public-ip-address

    • Blocks launch of a CentOS Stream 9 AMI ami-0b2e9fef7a3024ce6 found by browsing the Marketplace:
    aws ec2 run-instances \
    --image-id ami-0b2e9fef7a3024ce6 \
    --count 1 \
    --instance-type t4g.nano \
    --security-group-ids sg-0afe189dbba7fc8df \
    --subnet-id subnet-06bda357a91d1e5c1 \
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-shared-ami-$(date '+%Y-%m-%d_%H-%M')}]" \
    --ebs-optimized \
    --credit-specification CpuCredits=standard \
    --no-associate-public-ip-address
    
    An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. User: arn:aws:sts::xxxxxxxx6393:assumed-role/aw24-OrganizationAccountAccessRole/tp24 is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-east-1::image/ami-0b2e9fef7a3024ce6 with an explicit deny in a service control policy. Encoded authorization failure message: xhYtMpsMnGip0CHHK7AoQWCr3IupTgFTr6a1tg9YMTePjLJosjp3IYvTffbPyZxPgW6BuCA7nkx8AtHIPlCwrdJ6JA6C3On3Oadwci1hl0aIlVWk05kmbOp7RlLwExLtfck_JTg1fWL9ruxgGRAl5NgTRkVfl1GWY41cWcgbJl4rcw8Fu0lmZ4MpXM9avdL70hAk1yT-HhyDnGoxDsGW0GJSc3RLxZe37b7-3ooBzXqH_kuNoIxVeXzcIDMBEAvB_pUILdHo5QO5gWIcZT_ePljK8p5ZYHq9kVAcOQwnScucTH7GfSBV6iZUhujAio30ctgSoG7ChJZIB1tgq43uRO4Ljg4ljttABsA6CNXaTghWiQZuZhtfblRef9oSwfaMGZHEgWAwWO73w1bUaM2bQspCFVMXwLdzs2aEaIrRz4p_6DwGudpeKUGC50HrJkdv9iZdrHoLiTplLU6vauvpz7VpzFdqq93aZFBt71AKQjTEZuTwFdVmi44GB5LT6joOPDw7_q1L1XOyo04AREXxeaG6IewkszkQmvgDjFgTfzTciEAnn6K3F5cCN3LGJQ3bRpU7h8Wuca8gfJLrnJvMt235R_3VLyl7luqSoGsYp4bmRNFqN8n4LDz2is63_axIs81sIKbWdNRnyF3As-8tlpcGVdNwFSlbcC61qca02PjeroPhzhKOIdbBt5DPVYzAT4gB3s3lYDRScF2IU6NsFgMMl6gRic6tdxeG-2Oi4JSDPIRHdQ4qwnQ__kvfqw6OkXc0_Zh1v6ao2eGvWcHKOezu
    

Test Case 2

  • Let's now set the policy to allow RunInstances only for AMIs owned by the image-factory acct, like so:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonEnterpriseAMIAccess",
      "Effect": "Deny",
      "Action": [
        "ec2:RunScheduledInstances",
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*::image/ami-*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Owner": [
            "xxxxxxxx3352"
          ]
        }
      }
    }
  ]
}
  • Now in the lab2024 child acct, try to launch the al2023 image again; it is indeed BLOCKED:
[cloudshell-user@ip-10-130-89-93 ~]$ aws ec2 run-instances \
  --image-id ami-0f93c02efd1974b8b \
  --count 1 \
  --instance-type t4g.nano \
  --security-group-ids sg-0afe189dbba7fc8df \
  --subnet-id subnet-06bda357a91d1e5c1 \
  --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-shared-ami-$(date '+%Y-%m-%d_%H-%M')}]" \
  --ebs-optimized \
  --credit-specification CpuCredits=standard \
  --no-associate-public-ip-address

An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. User: arn:aws:sts::590183926393:assumed-role/aw24-OrganizationAccountAccessRole/tp24 is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-east-1::image/ami-0f93c02efd1974b8b with an explicit deny in a service control policy. Encoded authorization failure message: U5cQk33q8HlpjVoQhR-yRjwuJqoDX3yGHmIjB-eYjNFcmoTzLhyVBXfvaFfMblLC0oX3OvtUEAwbxDXi4DYRzQy4KyVVTvIH9D8C2oqoU-LbajqMDMrcG_EZwFe_aYm5Ez6o8vVnrKM0smUfkB4RztM9LlY-HmwZfnR9YoIAmJuR9UnT6Ydp0lN0VE2yTpauUyF1IHoOQ5ueGhpPDgW9wLeKQNLbqYQ0mOzn_6uZqK9N9nd0HROYOi3WN0ZwSbS-GbV9ClhXT--i5S7OZlK1_ZZKtwN3MY_0wJFP20UQRkoVIwAsdUa7aFMq9B38mlbAUNl-et9wozFAgSPPdQcOuq5xVipjSbptZYcOZu6NLJqJlvblEO9cZG9ApXu89sxPP1rY7JvFCtfl9QkimIB7-VB2iMspLvPwxJLfGxjloON66AHZuM5K_lkM6aPwUQuYE9BeQjpwTZmWSrkNa_zUv8asgA6Ceek3pcF0kkywESl9RnMQGlH7I97Gex-Pr1UFCtwr7-i1nyb4uudxOp2PGGoboeVozedQqJ3NaNLsPH7eojeBUncipEjVVY4YlsD_3hMJ4KHd8hgp-TpdvboS3ZlF0wGx34qzTk18MyTgMkbX2yvsitsLRzjm1n5V_XdH4AqOLhqVi_ZDQiakvKrzzPr6O-Z4GUJZ7r84hjjTVQqW_BNTCNfCiim4AtcrNcz95uDPOYkeOBa62yu2LrzjAiMbvkyhS9exm0naU_vGirhhGhmozH_cphv5a0nrLJ--iG-lBj1zAvKnaL91opvsMm1wfQkkb30m09QzdMg3ew
  • In lab2024, launch the shared AMI from the past week's testing: SUCCESS, as it is owned by the image-factory acct (xxxxxxxx3352/tp-al2023-2024-02-17):
aws ec2 run-instances \
  --image-id ami-0b2e9fef7a3024ce6 \
  --count 1 \
  --instance-type t4g.nano \
  --security-group-ids sg-0afe189dbba7fc8df \
  --subnet-id subnet-06bda357a91d1e5c1 \
  --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-shared-ami-$(date '+%Y-%m-%d_%H-%M')}]" \
  --ebs-optimized \
  --credit-specification CpuCredits=standard \
  --no-associate-public-ip-address
  

  • Jump back to the image-factory acct for a sanity check that we now CANNOT launch other AMIs
    • launching the al2023 AMI again errors: You are not authorized to perform this operation. User: arn:aws:sts::xxxxxxxx3352:assumed-role/aw24-OrganizationAccountAccessRole/tp24 is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-east-1::image/ami-0f93c02efd1974b8b with an explicit deny in a service control policy.
    • launching the self-owned AMI 058264393352/tp-al2023-2024-02-17 from the other day's testing WORKS FINE, as expected per the SCP
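To reason about Test Case 1 and Test Case 2 offline before attaching a policy at the org root, here is an added Python evaluator (not from this gist) that models the slice of IAM condition semantics both SCPs rely on: StringNotEquals with a list denies unless ec2:Owner equals one of the listed values, and an absent condition key still satisfies a negated operator. The policy JSON and the masked account ID are copied from the page; the evaluator itself is an assumption covering only string operators and glob matching, not the full IAM evaluation engine.

```python
import json
from fnmatch import fnmatchcase

# The Test Case 2 SCP from this page (Test Case 1 is identical with "amazon").
SCP_TEST_CASE_2 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyNonEnterpriseAMIAccess", "Effect": "Deny",
    "Action": ["ec2:RunScheduledInstances", "ec2:RunInstances"],
    "Resource": "arn:aws:ec2:*::image/ami-*",
    "Condition": {"StringNotEquals": {"ec2:Owner": ["xxxxxxxx3352"]}}
  }]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(patterns, value):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def condition_matches(condition, ctx):
    """AND across operators and keys, OR across listed values (string ops only)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)  # None when the request context lacks the key
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False  # negated op: an absent key still counts as "not equal"
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator not modelled: {operator}")
    return True

def scp_denies(scp, action, resource_arn, ctx):
    """Sid of the first Deny statement matching the request, else None."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _glob([a.lower() for a in _as_list(stmt["Action"])], action.lower()):
            continue
        if not _glob(stmt["Resource"], resource_arn):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None

def predict_launch(scp, ami_arn, owner):
    """owner: what ec2:Owner resolves to ('amazon', 'aws-marketplace' or account ID)."""
    sid = scp_denies(scp, "ec2:RunInstances", ami_arn, {"ec2:Owner": owner})
    return f"BLOCKED by {sid}" if sid else "ALLOWED"
```

To find the owner value an AMI will present, compare the evaluator's input with `aws ec2 describe-images --image-ids <ami> --query 'Images[].[ImageId,OwnerId,ImageOwnerAlias]'`, since vendor quick-start images can carry the amazon alias even though OwnerId is the vendor's account.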

Test Case 3 - multiple conditions ORed together to allow some accts to launch Amazon-owned AMIs
