AWS Config Rule: Codepipeline Region Fanout

CODEPIPELINE_REGION_FANOUT_CHECK

Luna Ricci

Last Update vor 4 Tagen

Description: Checks if each stage in the AWS CodePipeline deploys to more than N times the number of the regions the AWS CodePipeline has deployed in all the previous combined stages, where N is the region fanout number. The first deployment stage can deploy to a maximum of one region and the second deployment stage can deploy to a maximum number specified in the regionFanoutFactor. If you do not provide a regionFanoutFactor, by default the value is three. For example: If 1st deployment stage deploys to one region and 2nd deployment stage deploys to three regions, 3rd deployment stage can deploy to 12 regions, that is, sum of previous stages multiplied by the region fanout (three) number. The rule is NON_COMPLIANT if the deployment is in more than one region in 1st stage or three regions in 2nd stage or 12 regions in 3rd stage.


Trigger type: Configuration changes


AWS Region: Only available in Asia Pacific (Mumbai), Europe (Paris), US East (Ohio), Europe (Ireland), Europe (Frankfurt), South America (Sao Paulo), US East (N. Virginia), Asia Pacific (Seoul), Europe (London), Asia Pacific (Tokyo), US West (Oregon), US West (N. California), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central) Region


How to Resolve Manually

By default, your regionFanoutFactor is set to 3. This can be altered if you have a condition whereby you need to fanout to multiple regions very early in the deployment set of stages, however this is a use case you will need to consider for your own use case scenario. This is quite a complex AWS Config Rule and may not be triggered very often.


One method to avoid fanout to multiple regions so quickly and early in the deployment stages, is to restrict the amount of regions you are working in, and deploying to at the same time within Codepipeline.


You should avoid deploying out to all regions from the same source, as this could be very disruptive. If you deploy out of hours to a European region, and this fans out to include Asia, US and other European regions, chances are that it's Office Hours for one of those regions, and you cannot deploy to each region on set, different hours.


It is possible to restrict on an Account Level, or Organizational Level which regions you are utilizing, thus will stop a large region fanout as this AWS Config Rule describes. By placing Service Control Policies (SCPs) on Accounts or Organizational OU's, you can restrict the API actions allowed on each regions, effectively controlling the fanout as described above.


For more information on SCP's, read this article and how StackZone can help you with these.


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

0 out of 0 liked this article

Still need help? Message Us