Adding Confused Deputy to your Terraform provisioning engine
Confused Deputy context keys on the endpoints to restrict access for lambda:Invoke operations
The parameter parser Lambda function created by AWS Service Catalog-provided engines has an
access policy that grants cross-account lambda:Invoke permission only to the
AWS Service Catalog service principal:
This should be the only permission necessary in order for the integration with AWS Service Catalog to function
properly. However, you can constrain this further using the
aws:SourceAccount
Confused Deputy context key. When AWS Service Catalog sends messages to these queues, AWS Service Catalog populates the
key with the provisioning account's ID. This is helpful when you intend to distribute products
via portfolio sharing and want to ensure that only specific accounts are using your engine.
For example, you can restrict your engine to only allow requests that originate from 000000000000 and 111111111111 using the condition shown below:
Confused Deputy context keys on the endpoints to restrict access for sqs:SendMessage operations
The provisioning operation intake Amazon SQS queues created by AWS Service Catalog-provided engines
have an access policy that grants cross-account sqs:SendMessage (and associated KMS)
permissions only to the AWS Service Catalog service principal:
This should be the only permission necessary in order for the integration with AWS Service Catalog to
function properly. However, you can constrain this further using the
aws:SourceAccount
Confused Deputy context key. When AWS Service Catalog sends messages to these queues, AWS Service Catalog populates
the keys with the provisioning account's ID. This is helpful when you
intend to distribute products via portfolio sharing and want to ensure that only specific accounts
are using your engine.
For example, you can restrict your engine to only allow requests that originate from 000000000000 and 111111111111 using the condition shown below: