Updated Account Alternate Contacts solution for CT optional (#193)
* updated account alternate contacts solutions to make ct optional

* updated README.md

* updating documentation

---------

Co-authored-by: ievgeniia ieromenko <[email protected]>
IevIe and ievgeniia ieromenko authored Nov 7, 2023
1 parent 189734f commit 378f723
Showing 5 changed files with 63 additions and 9 deletions.
16 changes: 16 additions & 0 deletions CHANGELOG.md
Expand Up @@ -3,8 +3,11 @@
## Table of Contents<!-- omit in toc -->

- [Introduction](#introduction)
- [2023-11-06](#2023-11-06)
- [2023-10-23](#2023-10-23)
- [2023-10-10](#2023-10-10)
- [2023-09-27](#2023-09-27)
- [2023-09-26](#2023-09-26)
- [2023-09-22](#2023-09-22)
- [2023-08-07](#2023-08-07)
- [2023-07-07](#2023-07-07)
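Review bot: the new `2023-11-06` anchor is dated one day before the commit itself (authored Nov 7, 2023); since the other entries in this file are keyed by date, consider aligning the heading and its TOC link with the actual commit date so the changelog stays in true chronological order. The added `2023-09-27` and `2023-09-26` anchors need matching `##` sections below, which this commit does add in the later hunk.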
Expand Down Expand Up @@ -45,6 +48,10 @@
All notable changes to this project will be documented in this file.

---
## 2023-11-06

- Updated [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) solution to make AWS Control Tower optional.

## 2023-10-23

Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/firewall_manager/firewall_manager_org) solution to make AWS Control Tower optional.
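Review bot: the 2023-11-06 entry is incomplete relative to what this commit changes: README.md in the same commit also drops the `AWS Control Tower` dependency from the EC2 Default EBS Encryption and Detective rows, and neither is mentioned here or in the commit message. Either list those here (e.g. `- Updated [EC2 Default EBS Encryption](...) solution to make AWS Control Tower optional.`) or move them to their own dated entry. Style: this entry links with a repo-relative path (`aws_sra_examples/solutions/account/account_alternate_contacts`) while the 2023-10-23 entry directly below uses a full `https://github.com/aws-samples/...` URL; the file should pick one link style, and the 2023-10-23 line is also missing the leading `- ` that every other entry uses.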
Expand All @@ -53,6 +60,15 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference

- Updated [Inspector](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/inspector/inspector_org) solution to enable automatic lambda code scan.

## 2023-09-27

- Updated [Config Management Account](aws_sra_examples/solutions/config/config_management_account) solution to make AWS Control Tower optional.
- Updated [AWS Config Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) solution to make AWS Control Tower optional.

## 2023-09-26

- Updated [Macie](aws_sra_examples/solutions/macie/macie_org) solution to make AWS Control Tower optional.

## 2023-09-22

- Updated [Detective Organization](aws_sra_examples/solutions/detective/detective_org) solution to make AWS Control Tower optional.
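Review bot: the backfilled 2023-09-27 entry states that the Config Management Account solution no longer requires Control Tower, but the README.md table edited in this same commit leaves the Config Management Account row with `<ul><li>AWS Control Tower</li></ul>` under Depends On. One of the two is wrong; update the table row (or the entry) so the docs agree. The same check is worth doing for the Config Organization Aggregator and S3 Block Account Public Access rows, which keep the dependency while their neighbours lose it.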
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -130,12 +130,12 @@ _Note: The `Quick Setup` is not designed to be used with the `Easy Setup` proced

| Example Solution | Solution Highlights | What does Control Tower provide? | Depends On |
| :---------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) | Sets the billing, operations, and security alternate contacts for all accounts within the organization. | | <ul><li>AWS Control Tower</li></ul> |
| [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) | Sets the billing, operations, and security alternate contacts for all accounts within the organization. | | |
| [CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org) | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events. | CloudTrail enabled in each account with management events only. | |
| [Config Management Account](aws_sra_examples/solutions/config/config_management_account) | Enables AWS Config in the Management account to allow resource compliance monitoring. | Configures AWS Config in all accounts except for the Management account in each governed region. | <ul><li>AWS Control Tower</li></ul> |
| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization. | | <ul><li>AWS Control Tower</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account)</li></ul> |
| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization. | | <ul><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account)</li></ul> |
| [Config Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org) | **Not required for most Control Tower environments.** Deploy an Organization Config Aggregator to a delegated admin other than the Audit account. | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. | <ul><li>AWS Control Tower</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul> |
| [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions. | | <ul><li>AWS Control Tower</li></ul> |
| [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions. | | |
| [Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org) | Demonstrates configuring a security group policy and WAF policies for all accounts within an organization. | | |
| [GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org) | Configures GuardDuty within a delegated admin account for all accounts within an organization. | | |
| [IAM Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer) | Configures an organization analyzer within a delegated admin account and account level analyzer within each account. | | [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul> |
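Review bot: dropping `AWS Control Tower` from the EC2 Default EBS Encryption row is a behavioural claim about that solution that nothing else in this commit supports (no CHANGELOG entry, no template change shown for it, and the commit message only names Account Alternate Contacts); if the EBS solution was already made Control Tower-optional in an earlier commit, add the dated changelog entry, otherwise revert this row until the solution actually changes. Separately, the unchanged IAM Access Analyzer row has a malformed Depends On cell: `[Common Register Delegated Administrator](...)</li></ul>` closes a `<ul><li>` that is never opened, so the cell renders with stray tags; since the column is being edited anyway, wrap it as `<ul><li>[Common Register Delegated Administrator](...)</li></ul>` like the other rows.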
Expand All @@ -144,7 +144,7 @@ _Note: The `Quick Setup` is not designed to be used with the `Easy Setup` proced
| [S3 Block Account Public Access](aws_sra_examples/solutions/s3/s3_block_account_public_access) | Configures the account-level S3 BPA settings for all accounts within the organization. | Configures S3 BPA settings on buckets created by Control Tower only. | <ul><li>AWS Control Tower</li></ul> |
| [Security Hub](aws_sra_examples/solutions/securityhub/securityhub_org) | Configures Security Hub within a delegated admin account for all accounts and governed regions within the organization. | | <ul><li>AWS Config in all Org Accounts</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account) (_if using AWS Control Tower_)</li></ul> |
| [Inspector](aws_sra_examples/solutions/inspector/inspector_org) | Configure Inspector within a delegated admin account for all accounts and governed regions within the organization. | | |
| [Detective](aws_sra_examples/solutions/detective/detective) | The Detective Organization solution will automate enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts. **Note:** As of 06/07/2023, this solution is not included in the quick setup (it will be in a future code release) | | <ul><li>AWS Control Tower</li><li>[GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)</li></ul> |
| [Detective](aws_sra_examples/solutions/detective/detective) | The Detective Organization solution will automate enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts. | | <ul><li>[GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)</li></ul> |


## Utils
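Review bot: deleting the "**Note:** As of 06/07/2023, this solution is not included in the quick setup" sentence from the Detective row implicitly claims Detective is now part of the Quick Setup, but nothing in this commit touches the quick-setup code or says so; if it is still excluded, keep the note (with an updated date) rather than removing it. Also, this row links to `aws_sra_examples/solutions/detective/detective` while the CHANGELOG entry in the same commit links to `aws_sra_examples/solutions/detective/detective_org`; one of the two paths is wrong and should be corrected here.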
Expand Up @@ -22,6 +22,11 @@ Metadata:
- pSRAStagingS3BucketName
- pSRAAlarmEmail
- pRootOrganizationalUnitId
- Label:
default: IAM Properties
Parameters:
- pStackSetAdminRole
- pStackExecutionRole
- Label:
default: Lambda Function Properties
Parameters:
Expand Down Expand Up @@ -58,6 +63,10 @@ Metadata:
Parameters:
- pComplianceFrequency
ParameterLabels:
pStackSetAdminRole:
default: Stack Set Role
pStackExecutionRole:
default: Stack execution role
pBillingContactAction:
default: Billing Alternate Contact Action
pBillingEmail:
Expand Down Expand Up @@ -116,6 +125,16 @@ Metadata:
default: SRA Staging S3 Bucket Name

Parameters:
pStackSetAdminRole:
AllowedValues: [sra-stackset]
Default: sra-stackset
Description: The administration role name that is used in the stackset.
Type: String
pStackExecutionRole:
AllowedValues: [sra-execution]
Default: sra-execution
Description: The execution role name that is used in the stack.
Type: String
pBillingContactAction:
AllowedValues: ['add', 'delete', 'ignore']
Default: 'add'
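Review bot: `AllowedValues: [sra-stackset]` and `AllowedValues: [sra-execution]` each permit exactly one value, so these parameters cannot actually be configured and, in particular, an existing Control Tower landing zone can no longer pass the pair this template used before (`service-role/AWSControlTowerStackSetRole` / `AWSControlTowerExecution`). If the goal is to make Control Tower optional rather than unsupported, either drop `AllowedValues` and keep the `Default`, or list both role names. Note that the ARN is now built as `role/${pStackSetAdminRole}`, so the Control Tower role, which lives under the `service-role/` path, would have to be supplied with that path prefix in the value. The descriptions should also state that these roles must already exist (nothing in this diff creates them) and what they need: the administration role in this account trusted by `cloudformation.amazonaws.com`, and the execution role in every target account trusting that administration role, since with the self-managed permissions model a missing or mis-trusted role only surfaces as a StackSet operation failure at deploy time.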
Expand Down Expand Up @@ -441,13 +460,13 @@ Resources:
UpdateReplacePolicy: Delete
Properties:
StackSetName: sra-account-alternate-global-events
AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
CallAs: SELF
Capabilities:
- CAPABILITY_NAMED_IAM
Description:
!Sub ${pSRASolutionVersion} - Deploys EventBridge Rules via ${pSRASolutionName} for capturing global events forwarding to the home region.
ExecutionRoleName: AWSControlTowerExecution
ExecutionRoleName: !Ref pStackExecutionRole
ManagedExecution:
Active: true
OperationPreferences:
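Review bot: this hunk only switches the `sra-account-alternate-global-events` StackSet off the hard-coded Control Tower roles; please confirm every other StackSet resource in this template (the hunk starts around line 460, so there is a lot of template above it) received the same `AdministrationRoleARN` / `ExecutionRoleName` change, otherwise the solution still silently requires Control Tower for the parts not shown here. Because `CallAs: SELF` with an explicit `AdministrationRoleARN` is the self-managed permissions model, it is also worth adding a line to the solution README listing `sra-stackset` and `sra-execution` as prerequisites that must exist before this stack is launched.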