Conversation

@gregsienkiewicz (Contributor)

Pull Request: Initial Release of Cerberus

Description

This pull request introduces the initial release of Cerberus, an open-source project designed to manage and remove AWS Control Tower default permission set associations. Cerberus leverages the AWS Serverless Application Model (SAM) to provide a scalable, serverless solution for monitoring and managing IAM Identity Center events.

Key Features

  • State Machine: A Step Functions state machine defined in cerberus.asl.json to process CreateAccountAssignment events.
  • Lambda Function: A Python-based Lambda function (app.py) to handle the removal of unauthorized permission sets.
  • CloudFormation Templates:
    • template.yaml: Defines the serverless resources, including the state machine, Lambda function, EventBridge rules, and supporting infrastructure.
    • cft-eventbridge-rule.yaml: A CloudFormation template for setting up EventBridge rules.
  • Regex-Based Validation: Environment variables allow customizable regex patterns for permission set names, principal group names, and user email validation.
  • Unit Tests: Comprehensive unit tests (test_cerberus.py) to ensure the correctness of the Lambda function logic.
  • Documentation:
    • README.md: Overview of the project, deployment instructions, and contribution guidelines.
    • cerberus/README.md: Detailed instructions for building, deploying, and testing the application.

Key Files

  • Application Code:
    • src/cerberus/app.py: Core Lambda function logic.
    • statemachine/cerberus.asl.json: State machine definition.
  • Infrastructure:
    • template.yaml: SAM template for deploying the application.
    • cft-eventbridge-rule.yaml: CloudFormation template for EventBridge rules.
  • Testing:
    • tests/unit/test_cerberus.py: Unit tests for the Lambda function.
    • tests/requirements.txt: Dependencies for running tests.
  • CI/CD:
    • lint.yml: GitHub Actions workflow for linting with black.
    • code-scanning.yml: GitHub Actions workflow for CodeQL analysis.

@gregsienkiewicz gregsienkiewicz self-assigned this Jun 16, 2025
@gregsienkiewicz gregsienkiewicz requested a review from Copilot June 17, 2025 13:46

Copilot AI left a comment

Pull Request Overview

Initial release of Cerberus, a serverless AWS solution to monitor and remove Control Tower default permission‐set assignments.

  • Added infrastructure templates (SAM, EventBridge rule)
  • Implemented core Lambda logic and Step Functions state machine
  • Included unit tests, documentation, and CI configuration

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 4 comments.

File                                      Description
cft-eventbridge-rule.yaml                 CloudFormation template for forwarding SSO events
cerberus/tests/unit/test_cerberus.py      Unit tests for the Lambda handler
cerberus/tests/requirements.txt           Added boto3 dependency for tests
cerberus/template.yaml                    SAM template defining state machine, Lambda, events
cerberus/statemachine/cerberus.asl.json   Step Functions ASL for processing events
cerberus/src/cerberus/app.py              Lambda function logic for deleting assignments
cerberus/samconfig.toml                   SAM CLI configuration
cerberus/README.md                        Detailed build, deploy, and usage documentation
SECURITY.md                               Project security policy
README.md                                 Project overview and quickstart
.github/workflows/lint.yml                GitHub Actions workflow for linting

Comments suppressed due to low confidence (2)

cerberus/src/cerberus/app.py:120

  • The real API response from delete_account_assignment is being overwritten with a static success dict—remove or adjust this line so that the actual AWS response is used.
            response = {"AccountAssignmentDeletionStatus": {"Status": "SUCCEEDED"}}
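The pull request description above lists regex-based validation of permission set names, group names and user e-mails plus a Lambda that removes matching assignments, and the Copilot comment flags a hard-coded success dict that replaces the real delete_account_assignment response. The following is an added example, not Cerberus's own code and not taken from this pull request, showing how those pieces fit together in one handler. It assumes a CloudTrail-style CreateAccountAssignment event forwarded by EventBridge (fields mirroring the API request parameters), the environment variable names PERMISSION_SET_NAME_REGEX, PRINCIPAL_GROUP_NAME_REGEX and USER_EMAIL_REGEX, and a decision rule that an assignment is removed only when both the permission set name and the principal (group display name or user e-mail) match; the project's actual variable names, event parsing and decision rule are not shown on this page. The sso-admin client and the identitystore name lookups are replaced by constructed in-memory fakes so the example runs offline; the delete_account_assignment call itself uses the real boto3 parameter names.

```python
import os
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

# Assumed variable names (the PR does not list them); the defaults are constructed sample values.
DEFAULT_PATTERNS = {
    "PERMISSION_SET_NAME_REGEX": r"AWS(Administrator|PowerUser|ReadOnly|OrganizationsFull)Access",
    "PRINCIPAL_GROUP_NAME_REGEX": r"AWS(AccountFactory|ControlTowerAdmins|SecurityAuditors)",
    "USER_EMAIL_REGEX": r"[^@\s]+@example\.com",
}
Patterns = Dict[str, "re.Pattern[str]"]
NameLookup = Callable[[str, str], str]

def load_patterns(env: Optional[Dict[str, str]] = None) -> Patterns:
    env = dict(os.environ) if env is None else env  # environment overrides the defaults
    return {k: re.compile(env.get(k, v)) for k, v in DEFAULT_PATTERNS.items()}

@dataclass(frozen=True)
class Assignment:
    instance_arn: str
    account_id: str
    permission_set_arn: str
    permission_set_name: str
    principal_type: str  # "GROUP" or "USER"
    principal_id: str
    principal_name: str  # group display name, or the user's e-mail address

def parse_event(event: Dict[str, Any], ps_name: NameLookup, principal_name: NameLookup) -> Assignment:
    """Read a CloudTrail-style CreateAccountAssignment record as forwarded by EventBridge (assumed
    shape). The event carries only ARNs and IDs, so names come from the two injected lookups."""
    detail = event["detail"]
    if detail.get("eventName") != "CreateAccountAssignment":
        raise ValueError(f"unexpected event {detail.get('eventName')!r}")
    p = detail["requestParameters"]
    return Assignment(
        instance_arn=p["instanceArn"], account_id=p["targetId"],
        permission_set_arn=p["permissionSetArn"],
        permission_set_name=ps_name(p["instanceArn"], p["permissionSetArn"]),
        principal_type=p["principalType"], principal_id=p["principalId"],
        principal_name=principal_name(p["principalType"], p["principalId"]))

def is_default_assignment(a: Assignment, patterns: Patterns) -> bool:
    """True when both the permission set and the principal match the configured patterns.
    fullmatch anchors both ends; search() would also accept 'AWSAdministratorAccess-custom'."""
    if not patterns["PERMISSION_SET_NAME_REGEX"].fullmatch(a.permission_set_name):
        return False
    key = "PRINCIPAL_GROUP_NAME_REGEX" if a.principal_type == "GROUP" else "USER_EMAIL_REGEX"
    return patterns[key].fullmatch(a.principal_name) is not None

def remove_assignment(a: Assignment, sso_admin: Any) -> Dict[str, Any]:
    """Delete the assignment and return the status the API actually reported."""
    response = sso_admin.delete_account_assignment(
        InstanceArn=a.instance_arn, TargetId=a.account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=a.permission_set_arn, PrincipalType=a.principal_type,
        PrincipalId=a.principal_id)
    # Deletion is asynchronous: IN_PROGRESS is the normal first answer (poll it with
    # describe_account_assignment_deletion_status). A hard-coded SUCCEEDED would mask FAILED.
    status = response["AccountAssignmentDeletionStatus"]
    if status["Status"] == "FAILED":
        raise RuntimeError(f"deletion failed: {status.get('FailureReason')}")
    return status

def handler(event: Dict[str, Any], sso_admin: Any, ps_name: NameLookup, principal_name: NameLookup,
            patterns: Optional[Patterns] = None) -> Dict[str, Any]:
    """Remove the new assignment if it is a Control Tower default; otherwise report it as ignored."""
    a = parse_event(event, ps_name, principal_name)
    result = {"permissionSet": a.permission_set_name, "principal": a.principal_name}
    if not is_default_assignment(a, patterns or load_patterns()):
        return {**result, "action": "ignored"}
    status = remove_assignment(a, sso_admin)
    return {**result, "action": "deleted", "status": status["Status"], "requestId": status.get("RequestId")}

# Constructed offline fixtures standing in for the sso-admin and identitystore APIs.
INSTANCE = "arn:aws:sso:::instance/ssoins-0000000000000000"
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-1111111111111111"
PS_CUSTOM = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-2222222222222222"
PERMISSION_SETS = {PS_ADMIN: "AWSAdministratorAccess", PS_CUSTOM: "AWSAdministratorAccess-custom"}
PRINCIPALS = {("GROUP", "g-ct-admins"): "AWSControlTowerAdmins",
              ("GROUP", "g-platform"): "platform-engineers", ("USER", "u-alice"): "alice@example.com"}

def lookup_permission_set(instance_arn: str, ps_arn: str) -> str:
    return PERMISSION_SETS[ps_arn]  # live code: describe_permission_set(...)["PermissionSet"]["Name"]

def lookup_principal(principal_type: str, principal_id: str) -> str:
    return PRINCIPALS[(principal_type, principal_id)]  # live code: identitystore describe_group/describe_user

class FakeSsoAdmin:
    """Records delete calls and answers as the real API does on the first call."""
    def __init__(self) -> None:
        self.calls = []

    def delete_account_assignment(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"AccountAssignmentDeletionStatus": {"Status": "IN_PROGRESS", "RequestId": "req-0001"}}

def make_event(ps_arn: str, principal_type: str, principal_id: str) -> Dict[str, Any]:
    params = {"instanceArn": INSTANCE, "targetId": "111122223333", "targetType": "AWS_ACCOUNT",
              "permissionSetArn": ps_arn, "principalType": principal_type, "principalId": principal_id}
    return {"detail": {"eventName": "CreateAccountAssignment", "requestParameters": params}}
```

Calling handler(make_event(PS_ADMIN, "GROUP", "g-ct-admins"), FakeSsoAdmin(), lookup_permission_set, lookup_principal) reports the assignment as deleted with the IN_PROGRESS status the fake returned, while the same group on PS_CUSTOM is ignored because fullmatch rejects the "-custom" suffix. The point Copilot raised sits in remove_assignment: the function passes through what the API reported, so a FAILED status raises instead of being reported upstream as SUCCEEDED.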

@gregsienkiewicz gregsienkiewicz marked this pull request as ready for review June 17, 2025 14:09
@gregsienkiewicz gregsienkiewicz requested review from a team as code owners June 17, 2025 14:09

@jason-meredith-rewind jason-meredith-rewind left a comment

wicked name 🔥

@gregsienkiewicz gregsienkiewicz merged commit b2a008a into main Jun 17, 2025
3 checks passed
@gregsienkiewicz gregsienkiewicz deleted the feat/gregsienkiewicz/mvp branch June 17, 2025 15:18