Merge branch 'aws-samples:main' into shield-advanced

CHANGELOG.md

@@ -3,11 +3,14 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2023-11-06](#2023-11-06)
+- [2023-10-23](#2023-10-23)
 - [2023-10-10](#2023-10-10)
+- [2023-09-27](#2023-09-27)
+- [2023-09-26](#2023-09-26)
 - [2023-09-22](#2023-09-22)
 - [2023-08-07](#2023-08-07)
 - [2023-07-07](#2023-07-07)
-- [2023-07-01](#2023-07-07)
 - [2023-07-01](#2023-07-01)
 - [2023-06-21](#2023-06-21)
 - [2023-06-20](#2023-06-20)
@@ -45,10 +48,27 @@
 All notable changes to this project will be documented in this file.
 
 ---
+## 2023-11-06
+
+- Updated [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) solution to make AWS Control Tower optional.
+
+## 2023-10-23
+
+Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/firewall_manager/firewall_manager_org) solution to make AWS Control Tower optional.
+
 ## 2023-10-10
 
 - Updated [Inspector](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/inspector/inspector_org) solution to enable automatic lambda code scan.
 
+## 2023-09-27
+
+- Updated [Config Management Account](aws_sra_examples/solutions/config/config_management_account) solution to make AWS Control Tower optional.
+- Updated [AWS Config Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) solution to make AWS Control Tower optional.
+
+## 2023-09-26
+
+- Updated [Macie](aws_sra_examples/solutions/macie/macie_org) solution to make AWS Control Tower optional.
+
 ## 2023-09-22
 
 - Updated [Detective Organization](aws_sra_examples/solutions/detective/detective_org) solution to make AWS Control Tower optional.
@@ -65,7 +85,7 @@ All notable changes to this project will be documented in this file.
 
 ## 2023-07-07
 
-- Updated [CloudTrail](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/cloudtrail/cloudtrail_org) solution to enable delegated administrator. 
+- Updated [CloudTrail](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/cloudtrail/cloudtrail_org) solution to enable delegated administrator.
 
 ## 2023-07-01
 

aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml

@@ -232,7 +232,7 @@ resources:
       - parameter_key: pEnableNISTStandard
         parameter_value: 'false'
       - parameter_key: pNISTStandardVersion
-        parameter_value: 'false'
+        parameter_value: '5.0.0'
       - parameter_key: pRegionLinkingMode
         parameter_value: 'SPECIFIED_REGIONS'
 

aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml

@@ -45,6 +45,7 @@ Metadata:
         Parameters:
           - pDeployAccountAlternateContactsSolution
           - pDeployCloudTrailSolution
+          - pDeployConfigSolution
           - pDeployConfigManagementSolution
           - pDeployConfigConformancePackSolution
           - pDeployEC2DefaultEBSEncryptionSolution
@@ -88,6 +89,26 @@ Metadata:
           - pCloudTrailLogGroupRetention
           - pCreateCloudTrailLogGroup
           - pOrganizationCloudTrailKeyAlias
+      - Label:
+          default: AWS Config Solution (This solution is incompatible with the AWS Control Tower environment)
+        Parameters:
+          - pCommonPrerequisitesRegionsOnly
+          - pConfigEnabledRegions
+          - pRecorderName
+          - pAllSupported
+          - pIncludeGlobalResourceTypes
+          - pResourceTypes
+          - pDeliveryChannelName
+          - pConfigOrgDeliveryBucketPrefix
+          - pConfigOrgDeliveryKeyAlias
+          - pFrequency
+          - pConfigTopicName
+          - pSubscribeToConfigurationTopic
+          - pConfigurationEmail
+          - pConfigOrgSnsKeyAlias
+          - pAggregatorName
+          - pAggregatorRoleName
+          - pRegisterDelegatedAdminAccount
       - Label:
           default: AWS Config Management Solution
         Parameters:
@@ -298,6 +319,8 @@ Metadata:
         default: Deploy the CloudTrail Solution
       pDeployConfigConformancePackSolution:
         default: Deploy the AWS Config Conformance Pack Solution
+      pDeployConfigSolution:
+        default: Deploy the AWS Config Solution (This solution is incompatible with the AWS Control Tower environment)
       pDeployConfigManagementSolution:
         default: Deploy the AWS Config Management Solution
       pDeployEC2DefaultEBSEncryptionSolution:
@@ -437,6 +460,33 @@ Metadata:
       pVpcId:
         default: (Optional) Existing VPC ID
 
+      pCommonPrerequisitesRegionsOnly:
+        default: Common Prerequisites Regions Only
+      pConfigEnabledRegions:
+        default: (Optional) Enabled Regions
+      pRecorderName:
+        default: Recorder Name
+      pDeliveryChannelName:
+        default: Delivery Channel Name
+      pConfigOrgDeliveryBucketPrefix:
+        default: Config Delivery Bucket Prefix
+      pConfigOrgDeliveryKeyAlias:
+        default: Config Delivery KMS Key Alias
+      pConfigTopicName:
+        default: Config SNS Topic Name
+      pSubscribeToConfigurationTopic:
+        default: Subscribe to Configuration Topic
+      pConfigurationEmail:
+        default: Configuration Email
+      pConfigOrgSnsKeyAlias:
+        default: Config SNS KMS Key Alias
+      pAggregatorName:
+        default: Config Aggregator Name
+      pAggregatorRoleName:
+        default: Config Aggregator Role Name
+      pRegisterDelegatedAdminAccount:
+        default: Register Delegated Admin Account
+
 Parameters:
   pRepoURL:
     Default: https://github.com/aws-samples/aws-security-reference-architecture-examples.git
@@ -735,6 +785,11 @@ Parameters:
     Default: 'No'
     Description: Deploy the AWS Config Conformance Pack solution
     Type: String
+  pDeployConfigSolution:
+    AllowedValues: ['Yes', 'No']
+    Default: 'No'
+    Description: Deploy the AWS Config solution (This solution is incompatible with the AWS Control Tower environment)
+    Type: String
   pDeployConfigManagementSolution:
     AllowedValues: ['Yes', 'No', 'Already Deployed']
     Default: 'No'
@@ -1072,7 +1127,7 @@ Parameters:
     Description: You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
     Type: String
   pResourceTypes:
-    AllowedPattern: '^$|^([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$|^(([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+(,|, ))*[a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$'
+    AllowedPattern: '^$|^([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$|^(([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+(,|, ))*[0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$'
     Default: ''
     Description:
       (Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter is
@@ -1136,6 +1191,82 @@ Parameters:
     Description: (Optional) Existing VPC ID for the Firewall Manager Security Groups. Required if Create VPC For Security Group is "false".
     Type: String
 
+  pCommonPrerequisitesRegionsOnly:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Only enable in the customer regions specified in Common Prerequisites solution
+    Type: String
+  pRecorderName:
+    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
+    ConstraintDescription:
+      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
+    Default: sra-ConfigRecorder
+    Description: Config recorder name
+    Type: String
+  pDeliveryChannelName:
+    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
+    ConstraintDescription:
+      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
+    Default: sra-config-s3-delivery
+    Description: Config delivery channel name
+    Type: String
+  pConfigOrgDeliveryBucketPrefix:
+    AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
+    ConstraintDescription:
+      S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
+    Default: sra-config-org-delivery
+    Description:
+      Config Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-config-delivery-123456789012-us-east-1
+    Type: String
+  pConfigOrgDeliveryKeyAlias:
+    Default: sra-config-org-delivery-key
+    Description: Config Delivery KMS Key Alias
+    Type: String
+  pConfigTopicName:
+    AllowedPattern: '^[\w+=,.@-]{1,64}$'
+    Default: sra-ConfigNotifications
+    Description: Configuration Notification SNS Topic in Audit Account that AWS Config delivers notifications to.
+    Type: String
+  pSubscribeToConfigurationTopic:
+    AllowedValues: [true, false]
+    Default: false
+    Description: Indicates whether ConfigurationEmail will be subscribed to the Configuration Notification SNS Topic.
+    Type: String
+  pConfigurationEmail:
+    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
+    ConstraintDescription: Email Validation as per RFC2822 standards.
+    Description: Email for receiving all AWS configuration events
+    Default: ''
+    Type: 'String'
+  pConfigOrgSnsKeyAlias:
+    Default: sra-config-org-sns-key
+    Description: Config SNS KMS Key Alias
+    Type: String
+  pAggregatorName:
+    AllowedPattern: '^[\w\-]+'
+    ConstraintDescription: Max 256 alphanumeric characters.
+    Default: sra-config-aggregator-org
+    MaxLength: 256
+    MinLength: 1
+    Type: String
+  pAggregatorRoleName:
+    AllowedPattern: '^[\w+=,.@-]{1,64}$'
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -].
+    Default: sra-config-aggregator-org
+    Type: String
+  pRegisterDelegatedAdminAccount:
+    AllowedValues: ['Yes', 'No']
+    Default: 'Yes'
+    Description: Register a delegated administrator account using the Common Register Delegated Administrator solution.
+    Type: String
+  pConfigEnabledRegions:
+    AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
+    ConstraintDescription:
+      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
+      us-east-1,ap-southeast-2)
+    Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.
+    Type: String
+
 Rules:
   BillingContactValidation:
     RuleCondition: !And
@@ -1156,6 +1287,7 @@ Rules:
       - Assert: !Or
           - !Equals [!Ref pDeployConfigManagementSolution, 'Yes']
           - !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed']
+          - !Equals [!Ref pDeployConfigSolution, 'Yes']
         AssertDescription:
           "'Deploy the AWS Config Management Solution' parameter must be set to 'Yes' or 'Already Deployed', if the 'Deploy the AWS Config Conformance
           Pack Solution' parameter is set to 'Yes'."
@@ -1165,6 +1297,7 @@ Rules:
       - Assert: !Or
           - !Equals [!Ref pDeployConfigManagementSolution, 'Yes']
           - !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed']
+          - !Equals [!Ref pDeployConfigSolution, 'Yes']
         AssertDescription:
           "'Deploy the AWS Config Management Solution' parameter must be set to 'Yes' or 'Already Deployed', if the 'Deploy the Security Hub Solution'
           parameter is set to 'Yes'."
@@ -1194,6 +1327,16 @@ Rules:
         AssertDescription:
           "'Security Full Name', 'Security Title', 'Security Email' and 'Security Phone' parameters are required if the 'Security Alternate Contact
           Action' parameter is set to 'add'."
+  EnabledRegionValidation:
+    RuleCondition: !Equals [!Ref pCommonPrerequisitesRegionsOnly, 'false']
+    Assertions:
+      - Assert: !Not [!Equals [!Ref pConfigEnabledRegions, '']]
+        AssertDescription: "'Enabled Regions' parameter has to have a value if 'Common Prerequisites Regions Only' parameter is set to 'false'."
+  ResourceTypesValidation:
+    RuleCondition: !Equals [!Ref pAllSupported, 'false']
+    Assertions:
+      - AssertDescription: "'Resource Types' parameter is required if 'All Supported' parameter is set to 'false'."
+        Assert: !Not [!Equals [!Ref pResourceTypes, '']]
 
 Conditions:
   cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
@@ -1214,12 +1357,14 @@ Conditions:
   cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'Yes']
   cDeployAccountAlternateContactsSolution: !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes']
   cDeployCloudTrailSolution: !Equals [!Ref pDeployCloudTrailSolution, 'Yes']
+  cDeployConfigSolution: !Equals [!Ref pDeployConfigSolution, 'Yes']
   cDeployConfigManagementSolution: !Equals [!Ref pDeployConfigManagementSolution, 'Yes']
   cDeployConfigManagementSolutionAlreadyDeployed: !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed']
   cDeployConfigConformancePackSolution: !And
     - !Or
       - !Condition cDeployConfigManagementSolution
       - !Condition cDeployConfigManagementSolutionAlreadyDeployed
+      - !Condition cDeployConfigSolution
     - !Equals [!Ref pDeployConfigConformancePackSolution, 'Yes']
   cDeployDetectiveSolution: !Equals [!Ref pDeployDetectiveSolution, 'Yes']
   cDeployEC2DefaultEBSEncryptionSolution: !Equals [!Ref pDeployEC2DefaultEBSEncryptionSolution, 'Yes']
@@ -2083,3 +2228,34 @@ Resources:
         pLambdaLogLevel: !Ref pLambdaLogLevel
         pSRAAlarmEmail: !Ref pSRAAlarmEmail
         pComplianceFrequency: !Ref pComplianceFrequency
+
+  rConfigSolutionStack:
+    Type: AWS::CloudFormation::Stack
+    DependsOn: rCommonPrerequisitesMainSsm
+    Condition: cDeployConfigSolution
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Properties:
+      TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-config-org/templates/sra-config-org-main-ssm.yaml
+      Parameters:
+        pControlTowerRegionsOnly: !Ref pCommonPrerequisitesRegionsOnly
+        pEnabledRegions: !Ref pConfigEnabledRegions
+        pRecorderName: !Ref pRecorderName
+        pDeliveryChannelName: !Ref pDeliveryChannelName
+        pConfigOrgDeliveryBucketPrefix: !Ref pConfigOrgDeliveryBucketPrefix
+        pConfigOrgDeliveryKeyAlias: !Ref pConfigOrgDeliveryKeyAlias
+        pConfigTopicName: !Ref pConfigTopicName
+        pSubscribeToConfigurationTopic: !Ref pSubscribeToConfigurationTopic
+        pConfigurationEmail: !Ref pConfigurationEmail
+        pConfigOrgSnsKeyAlias: !Ref pConfigOrgSnsKeyAlias
+        pAggregatorName: !Ref pAggregatorName
+        pAggregatorRoleName: !Ref pAggregatorRoleName
+        pRegisterDelegatedAdminAccount: !Ref pRegisterDelegatedAdminAccount
+        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
+        pLambdaLogLevel: !Ref pLambdaLogLevel
+        pSRAAlarmEmail: !Ref pSRAAlarmEmail
+        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
+        pFrequency: !Ref pFrequency
+        pAllSupported: !Ref pAllSupported
+        pIncludeGlobalResourceTypes: !Ref pIncludeGlobalResourceTypes
+        pResourceTypes: !Ref pResourceTypes