https://github.com/someengineering/fix-cf

FIX CloudFormation Stack Templates
https://github.com/someengineering/fix-cf

Last synced: 8 months ago
JSON representation

FIX CloudFormation Stack Templates

• Host: GitHub
• URL: https://github.com/someengineering/fix-cf
• Owner: someengineering
• License: agpl-3.0
• Created: 2023-09-22T15:11:42.000Z (over 2 years ago)
• Default Branch: main
• Last Pushed: 2024-10-10T10:30:58.000Z (over 1 year ago)
• Last Synced: 2025-05-02T00:32:25.223Z (10 months ago)
• Language: Shell
• Size: 55.7 KB
• Stars: 3
• Watchers: 3
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE
  • Codeowners: .github/CODEOWNERS

Awesome Lists containing this project

README

          
# Fix CloudFormation Stack Templates

## Description

This repository hosts the [CloudFormation templates](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://fixpublic.s3.amazonaws.com/aws/fix-role-global.yaml&stackName=FixAccess&param_WorkspaceId=00000000-0000-0000-0000-000000000000&param_ExternalId=00000000-0000-0000-0000-000000000000) for [Fix SaaS](https://fix.security/) cross-account access, available at [https://fixpublic.s3.amazonaws.com/aws/fix-role-global.yaml](https://fixpublic.s3.amazonaws.com/aws/fix-role-global.yaml).

The repository aims to provide a publicly auditable history of the Fix CloudFormation template.

The stack sets up a cross-account access role, allowing Fix to access your AWS account. This role, created within your AWS account and assumable by Fix, enables security scans in your account. Additionally, a SNS message is generated to trigger a callback to Fix, notifying us of the role's name, the account ID in which the role was created, and the ARN of the stack. This information verifies the successful creation and assumability of the role by Fix.

## CloudFormation Template Parameters

The CloudFormation template requires the following parameters:

| Parameter | Description |

| ---------- | ---------- |

| `WorkspaceId` | Your Fix-assigned Workspace ID |

| `ExternalId`  | Your Fix-assigned External ID  |

These parameters are generated and provided by Fix, accessible within your Fix account settings, and are pre-populated when using the links in the Fix application.

## CloudFormation Resources

The CloudFormation template creates the following resources:

* `FixCrossAccountAccessRole` ([AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)): This cross-account access role enables Fix to access your AWS account.

* `FixAccountCallback` ([Custom::Function](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources-sns.html)): This custom resource triggers a SNS message callback to Fix, though it does not create an actual resource in the AWS account.

## Fix Cross Account Access Role

The role is established with a trust policy allowing Fix to assume the role. For enhanced security, it utilizes an external ID. The role grants the AWS managed permission `ReadOnlyAccess` as well as pricing and organization list permissions. It also revokes unnecessary permissions that are part of `ReadOnlyAccess` but not used by Fix.

## Technical Details of the Callback Message

The SNS callback submits the following information to Fix:

```json

{

    "workspace_id": "",

    "external_id": "",

    "role_name": "",

    "stack_id": ""

}

```

Fix leverages the workspace_id and external_id to authenticate the request's origin. The role_name is used to construct the ARN that Fix will assume when performing security scans, while the stack_id is used to retrieve the user's account_id from its ARN.