Allow STS

[gricey432]

It looks to me like sts:* should be fine in the InnovationSandboxAwsNukeSupportedServicesScp but would be interested to know if it's purposefully omitted due to some concern.

Use case is a developer is trying to sandbox a solution which involves a role making an assumerole call to another role. This is being blocked by the SCP.

I've added sts:* to our copy of the SCP and that has resolved the issue but would love to understand if there's a risk to that or if it's something that could be contributed back to this repo.

[aws-khargita]

Hi @gricey432, thanks for raising this issue.

The SCPs in v1 were designed to be conservative by only allowing the services that AWS Nuke supports deleting. For some services such as STS, this doesn't really apply since there are no resources to delete.

It should be safe to support STS by default, and this would be a good enhancement as it's a foundational service. We just need to be conscious of the update behavior of the CloudFormation stacks. Modifying the default values will undo any drift in the SCPs introduced by manually modifying the values like you did. It may require a custom resource to ensure that modifications are preserved while new default values are merged in.

If you feel motivated to do so, you can open a PR for this issue. Just note that due to policy, we have to take those changes through internal processes and cannot merge the PR directly on GitHub. However, we will still attribute credit to contributors in our changelog.