update ec2 ebs encrypt for ct optional (#174)

* update ec2 ebs encrypt for ct optional * fix isort error
aws-samples · Oct 16, 2023 · f67dc65 · f67dc65
1 parent 220c90d
commit f67dc65
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 27 deletions.
diff --git a/...ons/ec2/ec2_default_ebs_encryption/documentation/ec2-default-ebs-encryption.png b/...ons/ec2/ec2_default_ebs_encryption/documentation/ec2-default-ebs-encryption.png
diff --git a/...es/solutions/ec2/ec2_default_ebs_encryption/documentation/ec2-default-ebs-encryption.pptx b/...es/solutions/ec2/ec2_default_ebs_encryption/documentation/ec2-default-ebs-encryption.pptx
diff --git a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/lambda/src/app.py b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/lambda/src/app.py
@@ -31,6 +31,7 @@
     from mypy_boto3_organizations.type_defs import AccountTypeDef, DescribeAccountResponseTypeDef, TagTypeDef
     from mypy_boto3_sns import SNSClient
     from mypy_boto3_sns.type_defs import PublishBatchResponseTypeDef, PublishResponseTypeDef
+    from mypy_boto3_ssm.client import SSMClient
     from mypy_boto3_sts import STSClient
 
 # Setup Default Logger
@@ -55,6 +56,7 @@
     CFN_CLIENT: CloudFormationClient = MANAGEMENT_ACCOUNT_SESSION.client("cloudformation", config=BOTO3_CONFIG)
     ORG_CLIENT: OrganizationsClient = MANAGEMENT_ACCOUNT_SESSION.client("organizations", config=BOTO3_CONFIG)
     SNS_CLIENT: SNSClient = MANAGEMENT_ACCOUNT_SESSION.client("sns", config=BOTO3_CONFIG)
+    SSM_CLIENT: SSMClient = MANAGEMENT_ACCOUNT_SESSION.client("ssm")
 except Exception as error:
     LOGGER.error({"Unexpected_Error": error})
     raise ValueError("Unexpected error executing Lambda function. Review CloudWatch logs for details.") from None
@@ -92,30 +94,14 @@ def assume_role(role: str, role_session_name: str, account: str = None, session:
 
 
 def get_control_tower_regions() -> list:  # noqa: CCR001
-    """Query 'AWSControlTowerBP-BASELINE-CLOUDWATCH' CloudFormation stack to identify customer regions.
+    """Query ssm to identify customer regions.
 
     Returns:
         Customer regions chosen in Control Tower
     """
-    paginator = CFN_CLIENT.get_paginator("list_stack_instances")
-    customer_regions = set()
-    aws_account = ""
-    all_regions_identified = False
-    for page in paginator.paginate(StackSetName="AWSControlTowerBP-BASELINE-CLOUDWATCH", PaginationConfig={"PageSize": CLOUDFORMATION_PAGE_SIZE}):
-        for instance in page["Summaries"]:
-            if not aws_account:
-                aws_account = instance["Account"]
-                customer_regions.add(instance["Region"])
-                continue
-            if aws_account == instance["Account"]:
-                customer_regions.add(instance["Region"])
-                continue
-            all_regions_identified = True
-            break
-        if all_regions_identified:
-            break
-        sleep(CLOUDFORMATION_THROTTLE_PERIOD)
-
+    customer_regions = []
+    ssm_response = SSM_CLIENT.get_parameter(Name="/sra/regions/customer-control-tower-regions")
+    customer_regions = ssm_response["Parameter"]["Value"].split(",")
     return list(customer_regions)
 
 
@@ -332,7 +318,6 @@ def process_accounts(event: Union[CloudFormationCustomResourceEvent, dict], para
     sns_messages = []
     accounts = get_active_organization_accounts()
     for account in accounts:
-
         if is_account_with_exclude_tags(account, params):
             continue
 

diff --git a/...c2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-global-events.yaml b/...c2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-global-events.yaml
@@ -53,7 +53,7 @@ Resources:
         source:
           - aws.organizations
         detail-type:
-          - AWS API Call via CloudTrail
+          - AWS Service Event via CloudTrail
         detail:
           eventSource:
             - organizations.amazonaws.com

diff --git a/...ons/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml b/...ons/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml
@@ -23,6 +23,12 @@ Metadata:
           - pRootOrganizationalUnitId
           - pSRAAlarmEmail
 
+      - Label:
+          default: IAM Properties
+        Parameters:
+          - pStackSetAdminRole
+          - pStackExecutionRole
+
       - Label:
           default: EC2 Default EBS Encryption Properties
         Parameters:
@@ -45,6 +51,10 @@ Metadata:
           - pComplianceFrequency
 
     ParameterLabels:
+      pStackSetAdminRole:
+        default: Stack Set Role
+      pStackExecutionRole:
+        default: Stack execution role
       pComplianceFrequency:
         default: Frequency to Check for Organizational Compliance
       pControlTowerRegionsOnly:
@@ -75,6 +85,16 @@ Metadata:
         default: SRA Staging S3 Bucket Name
 
 Parameters:
+  pStackSetAdminRole:
+    AllowedValues: [sra-stackset]
+    Default: sra-stackset
+    Description: The administration role name that is used in the stackset.
+    Type: String
+  pStackExecutionRole:
+    AllowedValues: [sra-execution]
+    Default: sra-execution
+    Description: The execution role name that is used in the stack.
+    Type: String
   pComplianceFrequency:
     ConstraintDescription: Compliance Frequency must be a number between 1 and 30, inclusive.
     Default: 7
@@ -256,13 +276,13 @@ Resources:
     DependsOn: rEC2DefaultEBSEncryptionStack
     Properties:
       StackSetName: sra-ec2-default-ebs-encryption-global-events
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Capabilities:
         - CAPABILITY_NAMED_IAM
       Description:
         !Sub ${pSRASolutionVersion} - Deploys EventBridge Rules via ${pSRASolutionName} for capturing global events forwarding to the home region.
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:

diff --git a/...lutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml b/...lutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml
@@ -23,6 +23,12 @@ Metadata:
           - pRootOrganizationalUnitId
           - pSRAAlarmEmail
 
+      - Label:
+          default: IAM Properties
+        Parameters:
+          - pStackSetAdminRole
+          - pStackExecutionRole
+
       - Label:
           default: EC2 Default EBS Encryption Properties
         Parameters:
@@ -45,6 +51,10 @@ Metadata:
           - pComplianceFrequency
 
     ParameterLabels:
+      pStackSetAdminRole:
+        default: Stack Set Role
+      pStackExecutionRole:
+        default: Stack execution role
       pComplianceFrequency:
         default: Frequency to Check for Organizational Compliance
       pControlTowerRegionsOnly:
@@ -75,6 +85,16 @@ Metadata:
         default: SRA Staging S3 Bucket Name
 
 Parameters:
+  pStackSetAdminRole:
+    AllowedValues: [sra-stackset]
+    Default: sra-stackset
+    Description: The administration role name that is used in the stackset.
+    Type: String
+  pStackExecutionRole:
+    AllowedValues: [sra-execution]
+    Default: sra-execution
+    Description: The execution role name that is used in the stack.
+    Type: String
   pComplianceFrequency:
     ConstraintDescription: Compliance Frequency must be a number between 1 and 30, inclusive.
     Default: 7
@@ -251,13 +271,13 @@ Resources:
     DependsOn: rEC2DefaultEBSEncryptionStack
     Properties:
       StackSetName: sra-ec2-default-ebs-encryption-global-events
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Capabilities:
         - CAPABILITY_NAMED_IAM
       Description:
         !Sub ${pSRASolutionVersion} - Deploys EventBridge Rules via ${pSRASolutionName} for capturing global events forwarding to the home region.
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:

diff --git a/...es/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml b/...es/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml
@@ -326,6 +326,17 @@ Resources:
                 Action: cloudformation:ListStackInstances
                 Resource: !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stackset/AWSControlTowerBP-*
 
+        - PolicyName: "ssm-access"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Action:
+                  - ssm:GetParameter
+                  - ssm:GetParameters
+                Resource:
+                  - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/sra*"
+
         - PolicyName: sra-ec2-default-ebs-encryption-policy-iam
           PolicyDocument:
             Version: 2012-10-17
@@ -483,7 +494,7 @@ Resources:
         source:
           - aws.organizations
         detail-type:
-          - AWS API Call via CloudTrail
+          - AWS Service Event via CloudTrail
         detail:
           eventSource:
             - organizations.amazonaws.com