https://github.com/rewindio/cerberus
AWS Control Tower account permission set guardian
- Host: GitHub
- URL: https://github.com/rewindio/cerberus
- Owner: rewindio
- License: mit
- Created: 2025-05-27T13:06:49.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2026-04-27T13:30:48.000Z (about 2 months ago)
- Last Synced: 2026-04-28T00:33:54.126Z (about 2 months ago)
- Topics: api-only, jira--seceng
- Language: Python
- Homepage:
- Size: 311 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
README
# Cerberus

AWS Control Tower's default behavior in managed mode is to assign baseline [IAM Identity Center Groups for AWS Control Tower](https://docs.aws.amazon.com/en_us/controltower/latest/userguide//sso-groups.html) to newly enrolled accounts. These group assignments are also reapplied when an account update is performed; for instance, when a new version of the landing zone is made available.
The default **IAM Identity Center Groups for AWS Control Tower** are rather permissive. For instance, the `AWSControlTowerAdmins` permission set assigns the `AWSAdministratorAccess` managed IAM policy to the IAM Role. This behavior goes against our policy of maintaining least privilege access to our AWS accounts.
We have created [Cerberus](https://www.britannica.com/topic/Cerberus) to monitor events from the `sso.amazonaws.com` service. Cerberus, often referred to as the hound of Hades, is a multi-headed dog that guards the gates of the underworld to prevent the dead from leaving, or in this case, prevent `CreateAccountAssignment` of unauthorized (unwanted) default permission sets to AWS Control Tower managed accounts.
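The detection and reversal logic described above, as an added example that is not Cerberus's own code. It assumes the Lambda receives `CreateAccountAssignment` calls in the EventBridge "AWS API Call via CloudTrail" shape (source `aws.sso`, `detail.eventSource` `sso.amazonaws.com`), that the operator maintains a deny list of permission set names, and that the ARN-to-name lookup (normally a `DescribePermissionSet` call) is a constructed table; the sample event, account ids and ARNs are constructed. `build_revert_request` returns the keyword arguments for the SSO Admin `DeleteAccountAssignment` call so the example runs offline without boto3.

```python
"""Added example (not Cerberus's own code): flag CreateAccountAssignment
events for unwanted default permission sets and prepare the reversal call.
Assumptions: EventBridge/CloudTrail event shape; operator-chosen deny list;
constructed ARN-to-name table standing in for the SSO Admin API."""
import json
from typing import Optional

# Event pattern the forwarding EventBridge rule would use; the matcher below
# checks the same fields.
EVENT_PATTERN = {
    "source": ["aws.sso"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sso.amazonaws.com"],
        "eventName": ["CreateAccountAssignment"],
    },
}

# Operator-chosen permission sets that must not be assigned by the baseline
# (constructed example value).
UNWANTED_PERMISSION_SET_NAMES = {"AWSAdministratorAccess"}

# Constructed lookup table; a real deployment would call DescribePermissionSet.
PERMISSION_SET_NAMES_BY_ARN = {
    "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEADMIN": "AWSAdministratorAccess",
    "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEREAD": "AWSReadOnlyAccess",
}


def matches_pattern(event: dict, pattern: dict = EVENT_PATTERN) -> bool:
    """Minimal emulation of EventBridge matching: every pattern key must be
    present in the event and each leaf value must be one of the listed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def evaluate_assignment(event: dict) -> dict:
    """Decide whether the assignment should be reverted; return a log-ready record."""
    detail = event["detail"]
    params = detail["requestParameters"]
    ps_name = PERMISSION_SET_NAMES_BY_ARN.get(params["permissionSetArn"], "<unknown>")
    return {
        "revert": ps_name in UNWANTED_PERMISSION_SET_NAMES,
        "account": params["targetId"],
        "permission_set": ps_name,
        "principal": f'{params["principalType"]}:{params["principalId"]}',
        "caller": detail.get("userIdentity", {}).get("arn", "<unknown>"),
    }


def build_revert_request(event: dict) -> dict:
    """Keyword arguments for SSO Admin DeleteAccountAssignment (boto3's
    delete_account_assignment), mirroring the create call's parameters."""
    params = event["detail"]["requestParameters"]
    return {
        "InstanceArn": params["instanceArn"],
        "TargetId": params["targetId"],
        "TargetType": params["targetType"],
        "PermissionSetArn": params["permissionSetArn"],
        "PrincipalType": params["principalType"],
        "PrincipalId": params["principalId"],
    }


def handle(event: dict) -> Optional[dict]:
    """Lambda-style entry point: ignore events outside the pattern, report
    allowed assignments, and attach the reversal request for unwanted ones."""
    if not matches_pattern(event):
        return None
    decision = evaluate_assignment(event)
    if decision["revert"]:
        decision["delete_account_assignment"] = build_revert_request(event)
    return decision


# Constructed sample event in the EventBridge CloudTrail shape.
SAMPLE_EVENT = {
    "source": "aws.sso",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "sso.amazonaws.com",
        "eventName": "CreateAccountAssignment",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/EXAMPLE/session"},
        "requestParameters": {
            "instanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLE",
            "targetId": "222222222222",
            "targetType": "AWS_ACCOUNT",
            "permissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEADMIN",
            "principalType": "GROUP",
            "principalId": "group-EXAMPLE",
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(handle(SAMPLE_EVENT), indent=2))
```

Keying the deny list on permission set names rather than ARNs keeps the configuration readable across Identity Center instances, and recording the calling identity in the decision makes it easy to tell a Control Tower baseline reapplication from a deliberate assignment when reviewing the logs.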
# AWS Serverless Application Model (SAM)
Instructions on how to deploy the application are in the [Cerberus AWS SAM App](cerberus/README.md) README.
Deployment steps:
1. Deploy the [Cerberus AWS SAM App](cerberus/template.yaml) in the Management or delegated administrator IAM Identity Center account
2. Deploy the [EventBridge Rule](cft-eventbridge-rule.yaml) in the Management account
   - Reference the `EventBusArn` output of the deployed **Cerberus AWS SAM App** stack for the `CerberusEventBusArn` parameter
## Contributing
Contributions are welcome! Please follow these steps:
1. Fork the repository.
2. Create a feature branch.
3. Commit your changes.
4. Submit a pull request.
## Code Formatting
This project uses [black](https://black.readthedocs.io/) for code formatting. Run the following command to format your code:
```bash
black .
```
## License
This project is licensed under the [MIT License](LICENSE).