  • Stars: 344
  • Rank: 123,066 (Top 3%)
  • Language: JavaScript
  • License: MIT License
  • Created over 5 years ago
  • Updated over 1 year ago


Repository Details

Self-service creation and deletion of sandbox-style accounts.

AWS Account Controller

Update March 2022: This is now largely deprecated due to the Organizations CloseAccount API

Self-service creation and deletion of sandbox-style accounts

PLEASE READ THE CAVEATS OF THIS SOLUTION BEFORE CONTINUING

Prerequisites

The following is required before proceeding:

  • An AWS master account that has Organizations and SSO enabled
  • A credit card which will be used to apply payment information to terminated accounts (reloadable debit cards work also)
  • A 2Captcha account that is sufficiently topped-up with credit ($10 would be more than enough)
  • A preferred master e-mail address to receive account correspondence to
  • A registered domain name or subdomain, which is publicly accessible
  • SES to have the master e-mail address be verified
  • SES to have either the domain/subdomain also verified or to be out of sandbox mode

Installation

Launch Stack

Click the above link to deploy the stack to your environment. This stack creates:

  • Optionally, a Route 53 hosted zone (or provide your own by zone ID)
  • An MX record to SES inbound in the hosted zone
  • Node.js Lambda Function, used for all actions performed, with appropriate permissions
  • Log group for the Lambda Function, with a short term expiry
  • An S3 bucket for debugging screenshots, with a short term expiry
  • An S3 bucket for storing raw e-mail content, with a short term expiry
  • An SES Receipt Rule Set, which is automatically promoted to be default
  • An event rule that triggers Lambda execution when an organizations account is tagged for deletion (if enabled)
  • An API Gateway to service the SSO Account Manager application (if enabled)
  • An IAM user with a login profile, used to deploy a Connect instance and register the SSO application

If you prefer, you can also manually upsert the template.yml stack from source.

If you chose to have the stack create a hosted zone for the account root e-mails instead of bringing your own, ensure the nameservers of the new zone are associated with an accessible domain (automatic if the domain was created within Route 53).

Also make sure SES sending service limits are appropriate for the amount of e-mails you intend to receive.

Currently, the only tested region is us-east-1. The stack deploy time is approximately 8 minutes.

Uninstallation

To remove this solution, ensure that both S3 buckets have their objects removed, then delete the CloudFormation stack. The SES Receipt Rule Set will revert to default-rule-set. An attempt will be made to terminate the Connect instance; however, you should verify this occurs.

Usage

To make it easy to build upon, the system makes heavy use of tags for automation and configuration.

SSO Account Manager

The account manager (as seen at the top of this page) is a custom application that SSO users can access to create accounts or delete previously created accounts on demand. It is available to any user who is in the AccountManagerUsers SSO group. The application is accessible via the user's SSO dashboard:

SSO Dashboard

The application ensures only accounts owned by the creator are shown, unless the creator explicitly shares the account with other users, in which case it is shared with all users who are also in the AccountManagerUsers SSO group. Created accounts can optionally be required to have a monthly budget set; if the budget is exceeded, deletion of the account is triggered automatically (the maximum budget is an option during installation). Note that actual account spend may exceed the budget, as pricing metrics can be delayed by 6 hours or more for some services.

During installation, if you set the Deny Subscription Calls parameter to true, an SCP applied to created accounts denies a number of calls, such as creating reserved instances, registering domain names or applying S3 object locks.
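The following is an added example, not code from the aws-account-controller project: a service control policy in the spirit of the Deny Subscription Calls option, together with a small matcher that shows which API calls it would block. The README only names the call categories (reserved instances, domain registration, S3 object locks), so the exact list of actions is an assumption; the action names themselves are real IAM actions. An SCP only removes permissions, so anything not matched is merely "not denied by this policy", and the member account's own IAM policies still decide.

```javascript
'use strict';

// Assumed selection of commitment-style and lock-style actions covering the
// categories the README mentions. The project's own SCP may differ.
const DENIED_SUBSCRIPTION_ACTIONS = [
  'ec2:PurchaseReservedInstancesOffering',
  'ec2:PurchaseHostReservation',
  'rds:PurchaseReservedDBInstancesOffering',
  'elasticache:PurchaseReservedCacheNodesOffering',
  'redshift:PurchaseReservedNodeOffering',
  'savingsplans:CreateSavingsPlan',
  'route53domains:RegisterDomain',
  'route53domains:TransferDomain',
  's3:PutBucketObjectLockConfiguration',
  's3:PutObjectRetention',
  's3:PutObjectLegalHold',
];

// Build the SCP document that would be attached to newly created accounts.
function buildDenySubscriptionScp() {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'DenySubscriptionCalls',
        Effect: 'Deny',
        Action: DENIED_SUBSCRIPTION_ACTIONS,
        Resource: '*',
      },
    ],
  };
}

// IAM action patterns are matched case-insensitively and support the '*' and
// '?' wildcards; everything else is literal, so regex metacharacters are escaped.
function actionMatches(pattern, action) {
  const source = pattern
    .split('')
    .map((ch) => {
      if (ch === '*') return '.*';
      if (ch === '?') return '.';
      return ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    })
    .join('');
  return new RegExp('^' + source + '$', 'i').test(action);
}

// True if any Deny statement in the SCP covers the action. Actions not covered
// are "not denied by this SCP", which is not the same as "allowed".
function isDeniedByScp(policy, action) {
  return policy.Statement.some((stmt) => {
    if (stmt.Effect !== 'Deny') return false;
    const patterns = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
    return patterns.some((p) => actionMatches(p, action));
  });
}

// Constructed sample calls to show the guardrail's decisions.
const SAMPLE_CALLS = [
  'ec2:PurchaseReservedInstancesOffering',
  's3:putobjectlegalhold',
  'ec2:RunInstances',
];

const scp = buildDenySubscriptionScp();
for (const call of SAMPLE_CALLS) {
  console.log(call, isDeniedByScp(scp, call) ? 'DENIED by SCP' : 'not denied by SCP');
}
```

To check a candidate policy before attaching it, run this against the list of calls a sandbox user is expected to make; anything unexpectedly reported as denied is a sign the pattern is too broad, while the absence of a denial says nothing about whether the account's IAM policies allow the call.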

You can also elect not to include the SSO functionality by selecting false during installation for the Enable Account Creation Functionality parameter. You do not require SSO to be enabled within the account if you select this option.

E-mail Forwarding

E-mails targeting the addresses of the root account will be forwarded by default to the master e-mail address.

Email Forwarding

You can specify a different destination per account by placing a tag with the key AccountEmailForwardingAddress on the account in Organizations. This is set to the SSO user automatically if the account was created with the SSO Account Manager application and the Send Root E-mails to User parameter was set to true during installation.

You can also override the format of the subject line for forwarded e-mails. During installation, you can change the subject line to any string with the following variables available for substitution:

  • {from} - The From address of the original e-mail
  • {to} - The To address of the original e-mail
  • {subject} - The subject of the original e-mail
  • {accountid} - The ID of the account
  • {accountname} - The name of the account
  • {accountemail} - The root email address of the account
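The following is an added example, not the project's own forwarding code: it resolves where a forwarded root e-mail should go (the per-account AccountEmailForwardingAddress tag, falling back to the master address) and expands the configurable subject format. The tag key and the six placeholder names come from the README; the input shapes, the plausibility check on the override address, the stripping of line breaks from the expanded subject and the sample data are constructed for this example.

```javascript
'use strict';

const SUBJECT_VARIABLES = ['from', 'to', 'subject', 'accountid', 'accountname', 'accountemail'];

// Organizations tag lists look like [{ Key, Value }]. Keys are compared
// case-insensitively here (assumption, matching how the README treats the Delete tag).
function getTag(tags, key) {
  const wanted = key.toLowerCase();
  const hit = (tags || []).find((t) => t && typeof t.Key === 'string' && t.Key.toLowerCase() === wanted);
  return hit ? hit.Value : undefined;
}

// Light sanity check so a malformed tag value cannot silently swallow root e-mails.
function looksLikeEmail(s) {
  return typeof s === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s);
}

// Per-account override if present and plausible, otherwise the master address.
function resolveForwardingAddress(accountTags, masterEmail) {
  const override = getTag(accountTags, 'AccountEmailForwardingAddress');
  return looksLikeEmail(override) ? override : masterEmail;
}

// Expand {placeholders} in the configured subject format. Unknown placeholders
// are left untouched; CR/LF are collapsed so the result stays a single header line.
function formatSubject(format, values) {
  const expanded = format.replace(/\{([a-z]+)\}/g, (whole, name) => {
    if (!SUBJECT_VARIABLES.includes(name)) return whole;
    const v = values[name];
    return v === undefined || v === null ? '' : String(v);
  });
  return expanded.replace(/[\r\n]+/g, ' ');
}

// Combine both decisions for one inbound message.
function buildForwardedMessage({ mail, account, accountTags, masterEmail, subjectFormat }) {
  return {
    to: resolveForwardingAddress(accountTags, masterEmail),
    subject: formatSubject(subjectFormat, {
      from: mail.from,
      to: mail.to,
      subject: mail.subject,
      accountid: account.Id,
      accountname: account.Name,
      accountemail: account.Email,
    }),
  };
}

// Constructed sample input: one inbound root e-mail for a sandbox account whose
// creator opted to receive root mail directly.
const SAMPLE = {
  mail: {
    from: 'no-reply@example.com',
    to: 'root+acct1@sandbox.example.org',
    subject: 'Welcome\r\nBcc: x@example.net',
  },
  account: { Id: '111122223333', Name: 'sandbox-alice', Email: 'root+acct1@sandbox.example.org' },
  accountTags: [{ Key: 'accountemailforwardingaddress', Value: 'alice@example.com' }],
  masterEmail: 'aws-master@example.com',
  subjectFormat: '[{accountname} {accountid}] {subject} (from {from}) {unknown}',
};

console.log(buildForwardedMessage(SAMPLE));
```

The constructed subject deliberately contains a line break: a forwarder that pastes the original subject into a new header verbatim would otherwise emit a second header line, so the example collapses CR/LF before use.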

Account Deletion (Manual Method)

To delete an account without using the SSO Account Manager, tag the account in the Organizations console with the following (case-insensitive):

Tag Key: Delete

Tag Value: true

Email Forwarding

Once tagged, a process will perform the following actions on your behalf:

  • Trigger a password reset for the root account
  • Reset the password to the automatically generated master password
  • Add payment information to the account
  • Perform a phone verification of the account
  • Close the account
  • Remove (or schedule removal of) the account from Organizations

The above process takes approximately 4 minutes.

If the account is more than 7 days old, the process completely removes the account from Organizations. If the account is less than 7 days old, a tag with the key AccountDeletionTime is set to the timestamp the account was deleted at, and another tag with the key ScheduledRemovalTime is set to the timestamp at which the account will be removed from Organizations.

You can also elect not to include the deletion functionality by selecting false during installation for the Enable Account Deletion Functionality parameter.
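The following is an added example, not the project's own Lambda code: it makes the decision the manual deletion path describes, recognising a case-insensitive Delete=true tag, removing accounts older than 7 days outright and otherwise writing the AccountDeletionTime and ScheduledRemovalTime tags. The tag names and the 7-day threshold come from the README; the account shape (Id and JoinedTimestamp, as returned by Organizations DescribeAccount), the idempotence guard on AccountDeletionTime, the injectable clock and the sample accounts are assumptions made for this example.

```javascript
'use strict';

const DAY_MS = 24 * 60 * 60 * 1000;
// Organizations will not let an account leave until it has been a member for
// 7 days; the README's scheduling rule mirrors that constraint.
const MIN_MEMBERSHIP_DAYS = 7;

// Organizations tag lists look like [{ Key, Value }]; keys compared case-insensitively.
function getTag(tags, key) {
  const wanted = key.toLowerCase();
  const hit = (tags || []).find((t) => t && typeof t.Key === 'string' && t.Key.toLowerCase() === wanted);
  return hit ? hit.Value : undefined;
}

// The README says the Delete tag is matched case-insensitively; trim as well so
// an accidental trailing space does not silently disable the request.
function isMarkedForDeletion(tags) {
  const v = getTag(tags, 'Delete');
  return typeof v === 'string' && v.trim().toLowerCase() === 'true';
}

// Decide what the deletion automation should do for one account.
// Returns { action: 'ignore' | 'already-deleted' | 'remove-now' | 'schedule-removal', tags? }.
function planDeletion(account, tags, now = new Date()) {
  if (!isMarkedForDeletion(tags)) return { action: 'ignore' };
  // Idempotence guard (assumption, not stated in the README): a re-run on an
  // account that already carries AccountDeletionTime must not close it twice.
  if (getTag(tags, 'AccountDeletionTime') !== undefined) return { action: 'already-deleted' };

  const joined = new Date(account.JoinedTimestamp);
  if (Number.isNaN(joined.getTime())) {
    throw new Error(`account ${account.Id}: invalid JoinedTimestamp ${account.JoinedTimestamp}`);
  }
  const eligibleAt = new Date(joined.getTime() + MIN_MEMBERSHIP_DAYS * DAY_MS);
  if (now.getTime() >= eligibleAt.getTime()) {
    return { action: 'remove-now' };
  }
  // Too young to leave: record when it was closed and when removal becomes possible.
  return {
    action: 'schedule-removal',
    tags: [
      { Key: 'AccountDeletionTime', Value: now.toISOString() },
      { Key: 'ScheduledRemovalTime', Value: eligibleAt.toISOString() },
    ],
  };
}

// For the scheduled path: has the recorded ScheduledRemovalTime passed?
function isDueForRemoval(tags, now = new Date()) {
  const raw = getTag(tags, 'ScheduledRemovalTime');
  if (raw === undefined) return false;
  const due = new Date(raw);
  return !Number.isNaN(due.getTime()) && now.getTime() >= due.getTime();
}

// Constructed sample accounts and a fixed clock so the output is reproducible.
const NOW = new Date('2024-03-10T12:00:00Z');
const SAMPLE_ACCOUNTS = [
  { account: { Id: '111122223333', JoinedTimestamp: '2024-03-08T00:00:00Z' }, tags: [{ Key: 'delete', Value: 'TRUE' }] },
  { account: { Id: '444455556666', JoinedTimestamp: '2024-01-01T00:00:00Z' }, tags: [{ Key: 'Delete', Value: 'true' }] },
  { account: { Id: '777788889999', JoinedTimestamp: '2024-01-01T00:00:00Z' }, tags: [{ Key: 'Delete', Value: 'false' }] },
];

for (const { account, tags } of SAMPLE_ACCOUNTS) {
  console.log(account.Id, JSON.stringify(planDeletion(account, tags, NOW)));
}
```

Keeping the decision pure (the clock is a parameter and nothing calls AWS) means the rule can be unit-tested before it is wired to the event rule that fires on the tag change, which matters for an automation whose effect is closing an account.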

Other Features / Options

There are some other features and options that may be specified during installation. These include:

  • Unsubscribe Marketing E-mails - if set to true, newly created accounts will be unsubscribed from all AWS marketing material
  • SSO Account Manager Application Name - sets a custom name for the SSO Account Manager
  • Automation IAM User Username - sets a custom username for the IAM user used to perform Connect and/or SSO functions
  • Maximum Monthly Spend Per Account - enforces a custom upper limit on the monthly budget new accounts can request, or disables budgets completely
  • Deny Subscription Calls - if set to true, a service control policy which restricts the use of subscription-based calls, like reserved instances, will be applied to new accounts
  • Control Tower Mode - if set to true, accounts will be created with the Control Tower Account Factory, rather than via Organizations directly

Architecture

Architecture Diagram

Disclaimer

Per the original post, I highly recommend you do not use this in an organization that has production workloads associated with it. It is intended for developer accounts only.

More Repositories

1. iamlive (Go, 3,096 stars): Generate an IAM policy from AWS, Azure, or Google Cloud (GCP) calls using client-side monitoring (CSM) or embedded proxy
2. former2 (JavaScript, 2,228 stars): Generate CloudFormation / Terraform / Troposphere templates from your existing AWS resources.
3. AWSConsoleRecorder (CSS, 1,425 stars): Records actions made in the AWS Management Console and outputs the equivalent CLI/SDK commands and CloudFormation/Terraform templates.
4. iam-dataset (Python, 228 stars): A consolidated cloud IAM dataset
5. iamfast (JavaScript, 170 stars): AWS IAM policy generation from application code
6. aws-leastprivilege (Python, 110 stars): Generates an IAM policy for the CloudFormation service role that adheres to least privilege.
7. AWSConsoleRecorderGenerator (JavaScript, 101 stars): A helper extension that is used to assist in the development of the Console Recorder for AWS.
8. aws.permissions.cloud (JavaScript, 88 stars): A crowdsourced AWS IAM permissions reference.
9. cloud9-sync (JavaScript, 77 stars): Live Sync for AWS Cloud9 - Synchronize your VS Code workspace with the AWS Cloud9 service.
10. aws-pagination-rules (66 stars): The rules for pagination in AWS SDKs
11. wildfire (JavaScript, 65 stars): Record browser actions then replay immediately. Craft your own custom automation workflows.
12. aws-bill-export (JavaScript, 59 stars): Download AWS bills from the console programmatically.
13. cfn-tf-custom-types (Python, 57 stars): CloudFormation Custom Types for Terraform resources.
14. vscode-aws-cloudshell (TypeScript, 54 stars): (Unofficial) AWS CloudShell plugin for VS Code
15. iamlive-lambda-extension (Go, 43 stars): Lambda Extension for iamlive
16. bandersnatch-graph (Python, 42 stars): Graphing all possibilities in the Netflix Black Mirror episode, "Bandersnatch"
17. censor-shell (Go, 41 stars): Censors or hides shell / Bash / console output based on defined patterns - great for hiding secrets in demos!
18. hcl2cdktf (JavaScript, 40 stars): Converts HCL to Terraform CDK
19. cfn-stack-rename (Python, 36 stars): Rename a CloudFormation stack
20. amazon-connect-cfn (JavaScript, 35 stars): Create Amazon Connect instances, contact flows etc. with CloudFormation
21. cfn-remediate-drift (Python, 26 stars): Automated CloudFormation drift remediation using Import functionality
22. tf-cfn-provider (Python, 24 stars): Transform to add support for all Terraform providers as CloudFormation resources.
23. tree-view-cfn (Python, 18 stars): Force CloudFormation to generate a tree view for any stack
24. gcp.permissions.cloud (JavaScript, 18 stars): A crowdsourced Google Cloud IAM permissions reference.
25. azure.permissions.cloud (JavaScript, 16 stars): A crowdsourced Azure RBAC permissions reference.
26. polai (Go, 15 stars): A Cedar policy language lexer, parser & evaluator
27. auto-capacity-reservations (Python, 14 stars): Automatically assigns EC2 capacity reservations based on the number of instances active.
28. codepipeline-cost-compare (Python, 13 stars): Compare the costs of V1 and V2 CodePipeline types based on historic usage
29. iann0036 (CSS, 12 stars): Public README
30. honeycode-appflow-integration (JavaScript, 12 stars): Add Honeycode as a destination from AppFlow
31. honeycode-export (JavaScript, 11 stars): Export Honeycode table data to S3
32. cfn-analyse (Python, 11 stars): CloudFormation static analysis tool.
33. former2-helper (JavaScript, 11 stars): A browser extension to help avoid CORS issues for former2.com
34. cfn-guard-rules (Python, 10 stars): A collection of CloudFormation Guard 2.0 rules
35. iamfast-vscode (TypeScript, 9 stars): AWS IAM policy generation from application code in VS Code
36. aws-erd (JavaScript, 9 stars): AWS Entity Relationship Diagram Generator.
37. cfnfmt (JavaScript, 8 stars): CloudFormation template style formatter [WORK IN PROGRESS]
38. iamfast-python (Python, 7 stars)
39. CloudFormationMultiCloud (Python, 7 stars): Add support for Azure and Google Cloud resources in CloudFormation.
40. cfn-hooks (Python, 6 stars): CloudFormation Hooks Samples
41. vpc-lattice-demo (6 stars): A demonstration stack featuring Amazon VPC Lattice
42. pg-init-custom-resource (Python, 6 stars): A CloudFormation Custom Resource for initialising an RDS Postgres database.
43. cfn-rps-lint (TypeScript, 6 stars): Automatically lints your AWS CloudFormation Resource Provider JSON Schema
44. cfn-types (Java, 6 stars): Example CloudFormation Custom Resource Types
45. session-manager-cli (Go, 6 stars): Attempts to reverse engineer the AWS Session Manager CLI
46. cloud9-sso (JavaScript, 5 stars): Add Cloud9 environments to AWS SSO
47. aurora-activity-streams-sechub (Python, 5 stars): Analyse database activity with Aurora Database Activity Streams and send findings to Security Hub
48. Lone-Tab (JavaScript, 5 stars): A Chrome extension to have unique sessions per tab.
49. Security-Hub-Custom-Provider-Demo (Python, 5 stars): An AWS Security Hub Custom Findings provider, using the Have I Been Pwned API
50. toyxks (Go, 4 stars): Basic (toy) External Key Store for AWS KMS
51. iamfast-core (TypeScript, 4 stars): [ABANDONED APPROACH] AWS IAM policy generation from application code
52. chess-dot-com-state-machine-sample (3 stars): An AWS Step Functions sample using the Chess.com API
53. deepcomposer-upload (JavaScript, 3 stars): Upload a single-track MIDI to the AWS DeepComposer service
54. CAP (PHP, 3 stars): Common Alerting Protocol
55. lambda-codepipeline-custom-action (3 stars): Lambda-backed custom action type provider for CodePipeline.
56. Touch-Bar-Browser-Integration (Objective-C, 3 stars)
57. textract-demo (Python, 2 stars): Demonstration of Amazon Textract using its Boto3 library
58. cedargo (Rust, 2 stars): Go bindings for Cedar policy evaluation engine
59. iamfast-go (Go, 1 star)
60. reCaptcha-Breaker-Chrome-Extension (PHP, 1 star): Automatically solves the audio section of the reCAPTCHA system. To use, simply open the audio section of the reCAPTCHA system.
61. iamfast-java (Java, 1 star)
62. aws-cedar-auth-frontend (CSS, 1 star): Frontend for iann0036/aws-cedar-auth
63. airjargon (HTML, 1 star): Aviation Terms Translator
64. ManicYak (PHP, 1 star)
65. ManicHost (JavaScript, 1 star)
66. homebrew-iamlive (Ruby, 1 star): Homebrew Formulae for iamlive
67. iac-history (Python, 1 star): Random work for a chart
68. newsfeeder (PHP, 1 star): News Feeder is a news feed aggregator service, which compiles content from multiple online content sources. Its main purpose is to provide a single location and format to view news content instead of users having to access multiple websites for their specific news. News Feeder was a University of Wollongong CSCI321 project.