The document discusses securing root email accounts across multiple AWS accounts. It describes the purpose of having separate root email addresses for the management account and other accounts. It outlines the challenges of migrating an existing CloudFormation stack that manages root emails to AWS CDK. The solution involved rewriting Python lambdas to Node.js with help from chatGPT, and using CDK's built-in grant features to minimize IAM permissions. Integration tests were added to automatically test the deployment. The conclusion recommends techniques like prompt engineering and keeping solutions simple.
2. | AWS UG Frankfurt - Oct 2023
MV Consulting 2023
About me
● Senior Cloud Architect
● Golden Jacket guy 🧥
● Traveller 🗺
● Yogi
● Nerd 🤓
● loves emojis…
Agenda
● What was the purpose? 💭
● The challenge 😃
● Obstacles / complications 🚧
● The solution 💎
● Conclusion 😌
The purpose 💭
Purpose 💭
● was a superwerker maintainer
− repo got stalled in the middle of the cdk migration
− I left my previous company
● again wanted to learn more cdk, especially custom resources
● what is this project about?
Why is it needed at all?
● aws management account root mail: aws-roots+<uuid>@manuel-vogel.de
● other accounts’ root mail: aws-roots+<other-uuid>@manuel-vogel.de
Which tasks can only be performed by the root user?
Root user tasks…
● Change account settings.
● Restore IAM user permissions, if the only IAM administrator accidentally revokes their own permissions.
● Billing Console
○ Activate IAM access to the Billing and Cost Management console.
○ View certain tax invoices.
● Register as a seller in the Reserved Instance Marketplace.
● All principals are denied
○ Edit/delete an Amazon SQS resource policy that denies all principals.
○ Edit/delete an Amazon Simple Storage Service (Amazon S3) bucket policy that denies all principals.
● AWS GovCloud (US)
○ Sign up for AWS GovCloud (US).
○ Request AWS GovCloud (US) account root user access keys from AWS Support.
● Configure an Amazon S3 bucket to enable MFA (multi-factor authentication).
Overview 😃 - looks easy… right?
What’s in it for you 💭
● multiple cdk constructs
● quick to set up (~5 minutes ⏳)
● use it for your own aws root account
● updates are planned for customization
○ use a CMK
○ use custom lambda functions
● contribute & let me know your feedback
The challenge 😃
● migrate a whole CF stack: rootmail.yaml
○ 748 LoC 📄
○ nested StackSet
○ in another region
○ with inline custom resources 🤯
○ written in python 🐍
● hidden complexity with the CloudWatch alarm & CFN wait
npm run projen
rm -rf node_modules/@mavogel/awscdk-rootmail/node_modules
npm run deploy
# wait… 🧐
Why not use integration tests …
Quick intro for integ-test runner
● Assert how constructs interact
● Actual deployments
● Simulate real behaviour
● Contract testing
● still alpha
● cdk team itself uses it 💡
USAGE
integ-runner [TEST...] --language ts
or it can also be …
what if you need to poll? 🤔
● does not work for the lambdas yet…
● implement polling by yourself… 😕
we will waitForIt…
Overview 😃 - recap what we wanted to build…
Obstacles on the way 🚧
The solution 💎
Used chatGPT to rewrite lambdas from python to node18
use chatGPT to have least privilege on lambda permissions
use chatGPT to create a script for emptying and deleting an S3 bucket
● However! chatGPT has architecture limitations!
● Cannot replace a human review
● everything up and running with integ tests? 🤔
● can we really test this automatically?
We’d need some autowiring of the DNS 💡
The solution v2 💎 😏
then cdk-app-review from Thorsten Hoeger
● rewrite custom resources
− isCompleteHandler
− onEventHandler also for cleanup
● limit to 1 deploy region only
● do DNS lookup
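As an added illustration (not code from the awscdk-rootmail project) of the two handlers named above and of the DNS lookup this slide mentions: the CDK Provider framework calls onEvent once per Create/Update/Delete and then polls isComplete until it reports IsComplete: true or the provider's total timeout expires. The Domain property, the _amazonses TXT record name, the physical ID format and the in-memory SES/DNS stand-ins are assumptions made for this example.

```typescript
// Added example, not code from the awscdk-rootmail project: the onEvent/isComplete contract
// of a CDK custom-resource Provider, with SES and DNS calls injected so it runs offline.
type RequestType = 'Create' | 'Update' | 'Delete';
interface CfnEvent { RequestType: RequestType; PhysicalResourceId?: string; ResourceProperties: { Domain: string } }
interface OnEventResult { PhysicalResourceId: string; Data?: Record<string, string> }
interface IsCompleteResult { IsComplete: boolean; Data?: Record<string, string> }
// Side effects the handlers need; the real Lambda would back these with SES and dns.resolveTxt.
interface Deps {
  requestVerification(domain: string): Promise<string>; // returns the SES verification token
  deleteIdentity(domain: string): Promise<void>;
  lookupTxt(name: string): Promise<string[]>;
}

// onEvent runs once per lifecycle event; Delete cleanup lives here, because
// the framework only starts polling isComplete after onEvent has succeeded.
export async function onEvent(event: CfnEvent, deps: Deps): Promise<OnEventResult> {
  const domain = event.ResourceProperties.Domain;
  const id = event.PhysicalResourceId ?? `ses-identity-${domain}`; // assumed ID format
  if (event.RequestType === 'Delete') {
    await deps.deleteIdentity(domain);
    return { PhysicalResourceId: id };
  }
  const token = await deps.requestVerification(domain);
  return { PhysicalResourceId: id, Data: { Token: token } };
}

// isComplete receives the event merged with onEvent's result and is polled until it
// returns IsComplete: true or the provider's totalTimeout expires; it only reads state.
export async function isComplete(event: CfnEvent & OnEventResult, deps: Deps): Promise<IsCompleteResult> {
  if (event.RequestType === 'Delete') return { IsComplete: true }; // nothing to wait for
  const domain = event.ResourceProperties.Domain;
  const records = await deps.lookupTxt(`_amazonses.${domain}`); // assumed record name
  const verified = records.includes(event.Data?.Token ?? '');
  return verified ? { IsComplete: true, Data: { Domain: domain } } : { IsComplete: false };
}

// Constructed in-memory stand-in for SES and DNS so the lifecycle can be exercised;
// publish() simulates the verification record appearing after DNS propagation.
export function fakeDeps() {
  const txt = new Map<string, string[]>();
  const identities = new Set<string>();
  const deps: Deps = {
    async requestVerification(domain) { identities.add(domain); return `token-for-${domain}`; },
    async deleteIdentity(domain) { identities.delete(domain); },
    async lookupTxt(name) { return txt.get(name) ?? []; },
  };
  return { deps, identities, publish: (name: string, value: string) => { txt.set(name, [value]); } };
}
```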
● AWS news for more regions
Conclusion 😌
● 🎉 integ tests are nice
○ takes some time to dig into them
○ sample repo from AWS is great
● 💎 takeaways
○ prompt engineering
○ KISS - don’t overcomplicate
○ use cdk native features: grants, so you write as few IAM permissions yourself as possible
● 🚀 I can recommend
○ THoeger’s cdk-app-review
○ Cristian’s chatGPT workshop
No, we shall not do this 🚫
We use grants instead ✅
Conclusion 😌 - Final design
Conclusion 😌 - How can you use it?
via cdk construct, or via cloudformation template (still WIP 🚧)
https://github.com/MV-Consulting/awscdk-rootmail
● another opinion from AWS
● https://github.com/aws-samples/aws-account-factory-email
● keep your root mail boxes 📩 secure 🔐
● aws management account root mail: aws-roots+<uuid>@manuel-vogel.de
● other accounts’ root mail: root+<uuid>@aws.manuel-vogel.de
K-1 BusinessClub Main Tower, Neue Mainzer Str. 52, 60311 Frankfurt, Germany
manuel-vogel.de
Tel: +49151 413 43 721
Thanks for attending