
Modify SCPs only on change

Open · ceejaey opened this issue 2 years ago · 1 comment

Is your feature request related to a problem? Please describe.
If we deploy any change using CfCT, our security team alerts that the Service Control Policies are always redeployed/updated, regardless of whether any change was made to SCPs (e.g. changing a CloudFormation resource).

We had initially designed one of our CloudTrail alert signals to detect changes to SCPs, but this is quite noisy during the initial build phase, so we might need to suppress it.

Describe the feature you'd like
Only deploy/update SCPs if a difference exists between the SCPs already deployed and those passed to the SCP state machine.

Additional context
We use CfCT for:

  • deployment of Service Control Policies across all accounts in our Control Tower environment
  • deployment of any components within our Core OU (logging/audit)
  • deployment of common shared components or configuration that we'd expect to exist within any AWS account in our Organisation (e.g. SSM params for account numbers for use within CloudFormation scripts, configuration of S3 bucket account policy, IAM policy, etc.)

We centralise all our CloudTrail activity to a central logging account, and this is monitored by our security team for indicators of compromise.

We use CfCT as a deployment mechanism, with a CodeCommit repo that has a pipeline which publishes changes to the main branch to the bucket which will trigger CfCT.

ceejaey · Sep 05 '23 08:09
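The behaviour requested above (compare the deployed SCP with the desired one and call UpdatePolicy only on a real difference), as an added Python example that is not part of the CfCT solution or this issue. It goes slightly beyond the request by canonicalising both documents (key order, whitespace, `"Action": "x"` versus `["x"]`, list ordering) so that cosmetic rewrites do not produce a CloudTrail UpdatePolicy event; the `FakeOrgClient` stand-in and the policy documents are constructed here for offline use, and against a real account you would pass `boto3.client("organizations")` instead.

```python
import json
from typing import Any

# Keys whose value may be a bare string or a one-element list with the same meaning.
_LIST_OR_STRING_KEYS = ("Action", "NotAction", "Resource", "NotResource")

def _canonical(node: Any) -> Any:
    """Normalise a policy document so semantically identical SCPs compare equal."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key in _LIST_OR_STRING_KEYS and isinstance(value, str):
                value = [value]  # "s3:*" and ["s3:*"] mean the same thing
            out[key] = _canonical(value)
        return out
    if isinstance(node, list):
        items = [_canonical(v) for v in node]
        # element order is not significant for Action/Resource lists or the Statement array
        return sorted(items, key=lambda v: json.dumps(v, sort_keys=True))
    return node

def scp_needs_update(deployed_content: str, desired_content: str) -> bool:
    """True only when the desired SCP differs from the deployed one after canonicalisation."""
    deployed = json.dumps(_canonical(json.loads(deployed_content)), sort_keys=True)
    desired = json.dumps(_canonical(json.loads(desired_content)), sort_keys=True)
    return deployed != desired

def sync_scp(org_client: Any, policy_id: str, desired_content: str) -> bool:
    """Issue UpdatePolicy only if the content changed; returns True when an update was sent.
    org_client is a boto3 Organizations client, or any stand-in with the same two methods."""
    current = org_client.describe_policy(PolicyId=policy_id)["Policy"]["Content"]
    if not scp_needs_update(current, desired_content):
        return False  # no-op: nothing for CloudTrail to record, nothing for the SOC to triage
    org_client.update_policy(PolicyId=policy_id, Content=desired_content)
    return True

class FakeOrgClient:
    """Constructed stand-in for boto3's Organizations client (offline demonstration only)."""
    def __init__(self, deployed_content: str) -> None:
        self.content = deployed_content
        self.update_calls = 0  # counts how many UpdatePolicy calls a SOC would see
    def describe_policy(self, PolicyId: str) -> dict:
        return {"Policy": {"Content": self.content}}
    def update_policy(self, PolicyId: str, Content: str) -> dict:
        self.update_calls += 1
        self.content = Content
        return {"Policy": {"Content": Content}}
```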

@ceejaey thanks for bringing this up. I have created an internal backlog to address this behavior.

snebhu3 · Sep 06 '23 16:09