{"id":49372127,"url":"https://github.com/rewindio/cerberus","last_synced_at":"2026-04-28T00:33:54.597Z","repository":{"id":346425052,"uuid":"991325265","full_name":"rewindio/cerberus","owner":"rewindio","description":"AWS Control Tower account permission set guardian","archived":false,"fork":false,"pushed_at":"2026-04-27T13:30:48.000Z","size":318,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-28T00:33:54.126Z","etag":null,"topics":["api-only","jira--seceng"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rewindio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-05-27T13:06:49.000Z","updated_at":"2026-04-27T13:31:26.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rewindio/cerberus","commit_stats":null,"previous_names":["rewindio/cerberus"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/rewindio/cerberus","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rewindio%2Fcerberus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rewindio%2Fcerberus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rewindio%2Fcerberus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rewindio%2Fcerberus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rewindio","download_url":"https://codeload.github.com/rewindio/cerberus/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rewindio%2Fcerberus/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32361477,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-27T20:07:02.737Z","status":"ssl_error","status_checked_at":"2026-04-27T20:07:00.910Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-only","jira--seceng"],"created_at":"2026-04-28T00:33:52.866Z","updated_at":"2026-04-28T00:33:54.591Z","avatar_url":"https://github.com/rewindio.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cerberus\n\n![Cerberus](/static/CerberusLogo.png)\n\nAWS Control Tower's default behavior in managed mode is to assign baseline [IAM Identity Center Groups for AWS Control Tower](https://docs.aws.amazon.com/en_us/controltower/latest/userguide//sso-groups.html) to newly enrolled accounts. These group assignments are also reapplied when an account update is performed; for instance, when a new version of the landing zone is made available.\n\nThe default **IAM Identity Center Groups for AWS Control Tower** are rather permissive. For instance, the `AWSControlTowerAdmins` permission set assigns the `AWSAdministratorAccess` managed IAM policy to the IAM Role. This behavior goes against our policy of maintaining least privilege access to our AWS accounts.\n\nWe have created [Cerberus](https://www.britannica.com/topic/Cerberus) to monitor events from the `sso.amazonaws.com` service. Cerberus, often referred to as the hound of Hades, is a multi-headed dog that guards the gates of the underworld to prevent the dead from leaving, or in this case, to prevent `CreateAccountAssignment` of unauthorized (unwanted) default permission sets to AWS Control Tower managed accounts.\n\n# AWS Serverless Application Model (SAM)\n\nInstructions on how to deploy the application: [Cerberus AWS SAM App](cerberus/README.md).\n\nDeployment steps:\n\n1. Deploy the [Cerberus AWS SAM App](cerberus/template.yaml) in the Management or delegated administrator IAM Identity Center account\n2. Deploy the [EventBridge Rule](cft-eventbridge-rule.yaml) in the Management account\n   - Reference the Output `EventBusArn` from the **Cerberus AWS SAM App** deployed stack for the `CerberusEventBusArn` parameter\n\n## Contributing\n\nContributions are welcome! Please follow these steps:\n\n1. Fork the repository.\n2. Create a feature branch.\n3. Commit your changes.\n4. Submit a pull request.\n\n## Code Formatting\n\nThis project uses [black](https://black.readthedocs.io/) for code formatting. Run the following command to format your code:\n\n```bash\nblack .\n```\n\n## License\n\nThis project is licensed under the [MIT License](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frewindio%2Fcerberus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frewindio%2Fcerberus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frewindio%2Fcerberus/lists"}