adding CfCT templates

aws-samples · Sep 9, 2024 · 802c461 · 802c461
1 parent cea07f9
commit 802c461
Show file tree

Hide file tree

Showing 3 changed files with 231 additions and 2 deletions.
diff --git a/aws_sra_examples/solutions/security_lake/security_lake_org/README.md b/aws_sra_examples/solutions/security_lake/security_lake_org/README.md
@@ -156,15 +156,15 @@ Choose a Deployment Method:
 In the `management account (home region)`, launch the [sra-security-lake-org-main-ssm.yaml](templates/sra-security-lake-org-main-ssm.yaml) template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/).
 
   ```bash
-  aws cloudformation deploy --template-file $PWD/aws_sra_examples/solutions/security-lake/security-lake-org/templates/sra-security-lake-org-main-ssm.yaml --stack-name sra-security-lake-org-main-ssm --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pSecurityLakeWarning=<ACCEPT_OR_REJECT>
+  aws cloudformation deploy --template-file $PWD/aws_sra_examples/solutions/security_lake/security_lake_org/templates/sra-security-lake-org-main-ssm.yaml --stack-name sra-security-lake-org-main-ssm --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pSecurityLakeWarning=<ACCEPT_OR_REJECT>
   ```
 
 ##### Important<!-- omit in toc -->
 
 Pay close attention to the `--parameter-overrides` argument.  For launching of the AWS Cloudformation stack using the command above to be successful, the `pSecurityLakeWarning` parameter in the `--parameter-overrides` argument must be set to `Accept`.  If it is set to `Reject` the stack launch will fail and provide an error.
 - To create an Audit account subscriber with data access, add `pRegisterAuditAccountDataSubscriber` parameter in the `--parameter-overrides` with argument set to `true`. Provide value for `pAuditAccountDataSubscriberExternalId` parameter.
 - To create an Audit account subscriber with query access, add `pRegisterAuditAccountQuerySubscriber` parameter in the `--parameter-overrides` with argument set to `true`. Provide value for `pAuditAccountQuerySubscriberExternalId` parameter.
-- To creates a resource link to shared tables in an Audit account, , add `pCreateResourceLink` parameter in the `--parameter-overrides` with argument set to `true`
+- To creates a resource link to shared tables in an Audit account, add `pCreateResourceLink` parameter in the `--parameter-overrides` with argument set to `true`
 
 #### Verify Solution Deployment<!-- omit in toc -->
 

diff --git a/...utions/security_lake/security_lake_org/customizations_for_aws_control_tower/manifest.yaml b/...utions/security_lake/security_lake_org/customizations_for_aws_control_tower/manifest.yaml
@@ -0,0 +1,87 @@
+---
+#Default region for deploying Custom Control Tower: Code Pipeline, Step functions, Lambda, SSM parameters, and StackSets
+region: us-east-1
+version: 2021-03-15
+
+# Control Tower Custom Resources (Service Control Policies or CloudFormation)
+resources:
+  # -----------------------------------------------------------------------------
+  # Organization shield
+  # -----------------------------------------------------------------------------
+  - name: sra-security-lake-main-ssm
+    resource_file: templates/sra-security-lake-main-ssm.yaml
+    parameters:
+      - parameter_key: pSecurityLakeOrgLambdaRoleName
+        parameter_value: sra-security-lake-org-lambda
+      - parameter_key: pCreateResourceLink
+        parameter_value: 'false'
+      - parameter_key: pCreateLakeFormationSlr
+        parameter_value: 'true'
+      - parameter_key: pSRASecurityLakeMetaStoreManagerRoleName
+        parameter_value: AmazonSecurityLakeMetaStoreManagerV2
+      - parameter_key: pSourceVersion
+        parameter_value: '2.0'
+      - parameter_key: pCloudTrailManagementEvents
+        parameter_value: ALL
+      - parameter_key: pCloudTrailLambdaDataEvents
+        parameter_value: ALL
+      - parameter_key: pCloudTrailS3DataEvents
+        parameter_value: ''
+      - parameter_key: pSecurityHubFindings
+        parameter_value: ALL
+      - parameter_key: pVpcFlowLogs
+        parameter_value: ALL
+      - parameter_key: pWafLogs
+        parameter_value: ''
+      - parameter_key: pRoute53Logs
+        parameter_value: ALL
+      - parameter_key: pVpcFlowLogs
+        parameter_value: ALL
+      - parameter_key: pOrgConfigurationSources
+        parameter_value: ROUTE53,VPC_FLOW,SH_FINDINGS,CLOUD_TRAIL_MGMT,LAMBDA_EXECUTION,EKS_AUDIT
+      - parameter_key: pCreateOrganizationConfiguration
+        parameter_value: 'true'
+      - parameter_key: pSecurityLakeOrgKeyAlias
+        parameter_value: sra-security-lake-org-key
+      - parameter_key: pComplianceFrequency
+        parameter_value: 7
+      - parameter_key: pControlTowerRegionsOnly
+        parameter_value: 'true'
+      - parameter_key: pCreateLambdaLogGroup
+        parameter_value: 'false'
+      - parameter_key: pEnabledRegions
+        parameter_value: ''
+      - parameter_key: pLambdaLogGroupKmsKey
+        parameter_value: ''
+      - parameter_key: pLambdaLogGroupRetention
+        parameter_value: 14
+      - parameter_key: pLambdaLogLevel
+        parameter_value: INFO
+      - parameter_key: pSRAAlarmEmail
+        parameter_value: ''
+      - parameter_key: pSRASolutionVersion
+        parameter_value: v1.0
+      - parameter_key: pRegisterAuditAccountDataSubscriber
+        parameter_value: 'false'
+      - parameter_key: pAuditAccountDataSubscriberPrefix
+        parameter_value: sra-audit-account-data-subscriber
+      - parameter_key: pAuditAccountDataSubscriberExternalId
+        parameter_value: ''
+      - parameter_key: pAuditAccountQuerySubscriberPrefix
+        parameter_value: sra-audit-account-query-subscriber
+      - parameter_key: pAuditAccountQuerySubscriberExternalId
+        parameter_value: ''
+      - parameter_key: pRegisterAuditAccountQuerySubscriber
+        parameter_value: 'false'
+      - parameter_key: pStackSetAdminRole
+        parameter_value: sra-stackset
+      - parameter_key: pStackExecutionRole
+        parameter_value: sra-execution
+      - parameter_key: pSecurityLakeWarning
+        parameter_value: Reject
+      - parameter_key: pDisableSecurityLake
+        parameter_value: 'false'  
+    deploy_method: stack_set
+    deployment_targets:
+      accounts:
+        - REPLACE_ME_ORG_MANAGEMENT_ACCOUNT_NAME
diff --git a/..._lake_org/customizations_for_aws_control_tower/parameters/sra-security-lake-main-ssm.json b/..._lake_org/customizations_for_aws_control_tower/parameters/sra-security-lake-main-ssm.json
@@ -0,0 +1,142 @@
+[
+  {
+    "ParameterKey": "pSecurityLakeOrgLambdaRoleName",
+    "ParameterValue": "sra-security-lake-org-lambda"
+  },
+  {
+    "ParameterKey": "pCreateResourceLink",
+    "ParameterValue": "false"
+  },
+  {
+    "ParameterKey": "pCreateLakeFormationSlr",
+    "ParameterValue": "true"
+  },
+  {
+    "ParameterKey": "pSRASecurityLakeMetaStoreManagerRoleName",
+    "ParameterValue": "AmazonSecurityLakeMetaStoreManagerV2"
+  },
+  {
+    "ParameterKey": "pSourceVersion",
+    "ParameterValue": "2.0"
+  },
+  {
+    "ParameterKey": "pCloudTrailManagementEvents",
+    "ParameterValue": "ALL"
+  },
+  {
+    "ParameterKey": "pCloudTrailLambdaDataEvents",
+    "ParameterValue": "ALL"
+  },
+  {
+    "ParameterKey": "pCloudTrailS3DataEvents",
+    "ParameterValue": ""
+  },
+  {
+    "ParameterKey": "pSecurityHubFindings",
+    "ParameterValue": "ALL"
+  },
+  {
+    "ParameterKey": "pVpcFlowLogs",
+    "ParameterValue": "ALL"
+  },
+  {
+    "ParameterKey": "pWafLogs",
+    "ParameterValue": ""
+  },
+  {
+    "ParameterKey": "pRoute53Logs",
+    "ParameterValue": "ALL"
+  },
+  {
+    "ParameterKey": "pVpcFlowLogs",
+    "ParameterValue": "ALL"
+  },
+  {
+    "ParameterKey": "pOrgConfigurationSources",
+    "ParameterValue": "ROUTE53,VPC_FLOW,SH_FINDINGS,CLOUD_TRAIL_MGMT,LAMBDA_EXECUTION,EKS_AUDIT"
+  },
+  {
+    "ParameterKey": "pCreateOrganizationConfiguration",
+    "ParameterValue": "true"
+  },
+  {
+    "ParameterKey": "pSecurityLakeOrgKeyAlias",
+    "ParameterValue": "sra-security-lake-org-key"
+  },
+  {
+    "ParameterKey": "pComplianceFrequency",
+    "ParameterValue": "7"
+  },
+  {
+    "ParameterKey": "pControlTowerRegionsOnly",
+    "ParameterValue": "true"
+  },
+  {
+    "ParameterKey": "pCreateLambdaLogGroup",
+    "ParameterValue": "false"
+  },
+  {
+    "ParameterKey": "pEnabledRegions",
+    "ParameterValue": ""
+  },
+  {
+    "ParameterKey": "pLambdaLogGroupKmsKey",
+    "ParameterValue": ""
+  },
+  {
+    "ParameterKey": "pLambdaLogGroupRetention",
+    "ParameterValue": "14"
+  },
+  {
+    "ParameterKey": "pLambdaLogLevel",
+    "ParameterValue": "INFO"
+  },
+  {
+    "ParameterKey": "pSRAAlarmEmail",
+    "ParameterValue": ""
+  },
+  {
+    "ParameterKey": "pSRASolutionVersion",
+    "ParameterValue": "v1.0"
+  },
+  {
+    "ParameterKey": "pRegisterAuditAccountDataSubscriber",
+    "ParameterValue": "false"
+  },
+  {
+    "ParameterKey": "pAuditAccountDataSubscriberPrefix",
+    "ParameterValue": "sra-audit-account-data-subscriber"
+  },
+  {
+    "ParameterKey": "pAuditAccountDataSubscriberExternalId",
+    "ParameterValue": ""
+  },
+  {
+    "ParameterKey": "pAuditAccountQuerySubscriberPrefix",
+    "ParameterValue": "sra-audit-account-query-subscriber"
+  },
+  {
+    "ParameterKey": "pAuditAccountQuerySubscriberExternalId",
+    "ParameterValue": ""
+  },
+  {
+    "ParameterKey": "pRegisterAuditAccountQuerySubscriber",
+    "ParameterValue": "false"
+  },
+  {
+    "ParameterKey": "pStackSetAdminRole",
+    "ParameterValue": "sra-stackset"
+  },
+  {
+    "ParameterKey": "pStackExecutionRole",
+    "ParameterValue": "sra-execution"
+  },
+  {
+    "ParameterKey": "pSecurityLakeWarning",
+    "ParameterValue": "Reject"
+  },
+  {
+    "ParameterKey": "pDisableSecurityLake",
+    "ParameterValue": "false"
+  }
+]