diff --git a/README.md b/README.md
index ae20c0ca..ffa8f636 100644
--- a/README.md
+++ b/README.md
@@ -122,7 +122,7 @@ Follow the instructions within the [Quick Setup](aws_sra_examples/quick_setup) t
| [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) | Sets the billing, operations, and security alternate contacts for all accounts within the organization. | |
|
| [CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org) | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events. | CloudTrail enabled in each account with management events only. | |
| [Config Management Account](aws_sra_examples/solutions/config/config_management_account) | Enables AWS Config in the Management account to allow resource compliance monitoring. | Configures AWS Config in all accounts except for the Management account in each governed region. | |
-| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization. | | - AWS Control Tower
- [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)
- [Config Management Account](aws_sra_examples/solutions/config/config_management_account)
|
+| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization. | | - AWS Config in all Org Accounts
- [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)
- [Config Management Account](aws_sra_examples/solutions/config/config_management_account) in Control Tower environment
|
| [Config Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org) | **Not required for most Control Tower environments.** Deploy an Organization Config Aggregator to a delegated admin other than the Audit account. | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. | - AWS Control Tower
- [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)
|
| [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions. | | |
| [Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org) | Demonstrates configuring a security group policy and WAF policies for all accounts within an organization. | | |
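Review bot: the Config Organization Aggregator row directly below the edited row still lists `AWS Control Tower` as a prerequisite, while the Config Organization Conformance Pack row now lists `AWS Config in all Org Accounts` and qualifies the Config Management Account dependency with `in Control Tower environment`. If the aggregator solution has been decoupled from Control Tower in the same way, update that row too; otherwise a reader will assume the two solutions still share the same prerequisites. Also, `AWS Config in all Org Accounts` is a capability rather than a solution link like the other entries in this column; link it to the solution or documentation that satisfies it so the prerequisite is actionable.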
diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md b/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md
index 692d8dd4..ea68db8a 100644
--- a/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md
+++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md
@@ -58,10 +58,9 @@ evaluate your AWS environment, use one of the sample conformance pack templates.
---
-### 3.0 Audit Account
+### 3.0 Audit Account (Security Tooling)
-The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the `Audit Account` SSM parameter is
-populated from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet.
+The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the `Audit Account` can be determined from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet in AWS Control Tower environments, but is specified manually in other environments, and then stored in an SSM parameter (this is all done in the common prerequisites solution).
#### 3.1 AWS CloudFormation
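Review bot: the rewritten paragraph on the `+` line is one very long line, whereas the text it replaces was wrapped across two lines; wrap it to match the rest of the file. It also says the account ID "is specified manually in other environments" and "stored in an SSM parameter" without naming the parameter or the input that sets it, so a reader outside Control Tower cannot find where to supply the value; name the SSM parameter and the common prerequisites input, and link the common prerequisites solution instead of referring to it by name only. Splitting into two sentences (how the ID is determined; where it is stored) would also read better than the current parenthetical.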
diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py b/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py
index e7801e19..d6ba1525 100644
--- a/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py
+++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py
@@ -26,6 +26,7 @@
if TYPE_CHECKING:
from mypy_boto3_cloudformation import CloudFormationClient
from mypy_boto3_organizations import OrganizationsClient
+ from mypy_boto3_ssm.client import SSMClient
from mypy_boto3_sts.client import STSClient
# Logging Settings
@@ -34,18 +35,17 @@
logging.getLogger("botocore").setLevel(logging.CRITICAL)
# Global Variables
-CLOUDFORMATION_PAGE_SIZE = 20
-CLOUDFORMATION_THROTTLE_PERIOD = 0.2
MAX_THREADS = 20
ORG_PAGE_SIZE = 20 # Max page size for list_accounts
ORG_THROTTLE_PERIOD = 0.2
-ASSUME_ROLE_NAME = "AWSControlTowerExecution"
+ASSUME_ROLE_NAME = "sra-execution"
BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"})
try:
MANAGEMENT_ACCOUNT_SESSION = boto3.Session()
ORG_CLIENT: OrganizationsClient = MANAGEMENT_ACCOUNT_SESSION.client("organizations", config=BOTO3_CONFIG)
CFN_CLIENT: CloudFormationClient = MANAGEMENT_ACCOUNT_SESSION.client("cloudformation", config=BOTO3_CONFIG)
+ SSM_CLIENT: SSMClient = MANAGEMENT_ACCOUNT_SESSION.client("ssm")
except Exception as error:
LOGGER.error({"Unexpected_Error": error})
raise ValueError("Unexpected error executing Lambda function. Review CloudWatch logs for details.") from None
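Review bot: `SSM_CLIENT` on the `+` line is created without `config=BOTO3_CONFIG`, unlike `ORG_CLIENT` and `CFN_CLIENT` two lines above, so SSM calls will not get the 10-attempt standard retry mode; pass `config=BOTO3_CONFIG` for consistency. With `CLOUDFORMATION_PAGE_SIZE` and `CLOUDFORMATION_THROTTLE_PERIOD` removed, check whether `CFN_CLIENT` (and the `CloudFormationClient` import) is still referenced anywhere else in the script; if not, drop it so the script does not build an unused client. The new `ASSUME_ROLE_NAME = "sra-execution"` matches the execution role name the templates in this change use; consider reading it from the same SSM namespace as the regions so the two cannot drift apart.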
@@ -101,29 +101,14 @@ def get_all_organization_accounts() -> list:
def get_control_tower_regions() -> list: # noqa: CCR001
- """Query 'AWSControlTowerBP-BASELINE-CLOUDWATCH' CloudFormation stack to identify customer regions.
+ """Query SSM Parameter Store to identify customer regions.
Returns:
- Customer regions chosen in Control Tower
+ Customer regions
"""
- paginator = CFN_CLIENT.get_paginator("list_stack_instances")
- customer_regions = set()
- aws_account = ""
- all_regions_identified = False
- for page in paginator.paginate(StackSetName="AWSControlTowerBP-BASELINE-CLOUDWATCH", PaginationConfig={"PageSize": CLOUDFORMATION_PAGE_SIZE}):
- for instance in page["Summaries"]:
- if not aws_account:
- aws_account = instance["Account"]
- customer_regions.add(instance["Region"])
- continue
- if aws_account == instance["Account"]:
- customer_regions.add(instance["Region"])
- continue
- all_regions_identified = True
- break
- if all_regions_identified:
- break
- sleep(CLOUDFORMATION_THROTTLE_PERIOD)
+ customer_regions = []
+ ssm_response = SSM_CLIENT.get_parameter(Name="/sra/regions/customer-control-tower-regions")
+ customer_regions = ssm_response["Parameter"]["Value"].split(",")
return list(customer_regions)
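Review bot: in the rewritten body, `customer_regions = []` is dead since it is reassigned two lines later, and `list(customer_regions)` on the return is redundant because `str.split` already returns a list; simplify to a direct return. The split result is not trimmed, so a parameter value stored as `us-east-1, us-west-2` yields a region with a leading space; use `[r.strip() for r in value.split(",") if r.strip()]`. `get_parameter` raises `ParameterNotFound` when `/sra/regions/customer-control-tower-regions` has not been created by the prerequisites; catch it and log a message pointing at the common prerequisites solution rather than letting the stack trace surface. Move the parameter name into a module-level constant next to `ASSUME_ROLE_NAME`, and since the function no longer queries Control Tower, rename it (for example `get_customer_regions`) and remove the `# noqa: CCR001` complexity suppression that the new three-line body no longer needs.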
diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml
index 97e6226f..da3223d9 100644
--- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml
+++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml
@@ -94,7 +94,7 @@ Resources:
StringLike:
aws:PrincipalArn:
- !Sub arn:${AWS::Partition}:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms
- - !Sub arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution
+ - !Sub arn:${AWS::Partition}:iam::*:role/sra-execution
Resource: !Sub arn:${AWS::Partition}:s3:::${rConformancePackBucket}
Principal: '*'
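Review bot: the replacement role ARN on the `+` line is hard-coded as `role/sra-execution`, while the main templates in this same change parameterize the execution role via `pStackExecutionRole`; thread the role name into this template as a parameter too so a future rename only touches one place. Note that the condition still uses `aws:PrincipalArn` with `iam::*:role/...`, which matches the `sra-execution` role in any AWS account, not only accounts in this organization; if the statement does not already carry an `aws:PrincipalOrgID` condition alongside this `StringLike`, add one so the bucket policy is scoped to the organization.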
diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml
index 4c40ab79..9af8ed82 100644
--- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml
+++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml
@@ -20,6 +20,12 @@ Metadata:
- pSRAStagingS3BucketName
- pSourceStackName
+ - Label:
+ default: IAM Properties
+ Parameters:
+ - pStackSetAdminRole
+ - pStackExecutionRole
+
- Label:
default: Conformance Pack Properties
Parameters:
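Review bot: the added `IAM Properties` group is followed by an empty `+` line, while the existing groups in this list (for example the one ending at `pSourceStackName` just above) run directly into the next `- Label:`; drop the blank line to keep the ParameterGroups list uniform.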
@@ -38,6 +44,10 @@ Metadata:
- pOrganizationId
ParameterLabels:
+ pStackSetAdminRole:
+ default: Stack Set Role
+ pStackExecutionRole:
+ default: Stack execution role
pAuditAccountId:
default: Audit Account ID
pConformancePackName:
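Review bot: the two new labels are capitalized inconsistently, `Stack Set Role` (title case) versus `Stack execution role` (sentence case), and neither says which side of the StackSet the role sits on; use `Stack Set Admin Role` and `Stack Execution Role` to match the title-case labels already in this block such as `Audit Account ID`.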
@@ -66,6 +76,16 @@ Metadata:
default: SRA Staging S3 Bucket Name
Parameters:
+ pStackSetAdminRole:
+ AllowedValues: [sra-stackset]
+ Default: sra-stackset
+ Description: The administration role name that is used in the stackset.
+ Type: String
+ pStackExecutionRole:
+ AllowedValues: [sra-execution]
+ Default: sra-execution
+ Description: The execution role name that is used in the stack.
+ Type: String
pAuditAccountId:
AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$
ConstraintDescription:
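Review bot: `AllowedValues: [sra-stackset]` and `AllowedValues: [sra-execution]` each permit exactly one value, which makes the parameters constants in disguise. If a customer-chosen role name is meant to be supported, replace them with an `AllowedPattern` (for example `^[\w+=,.@-]{1,64}$`, the IAM role-name character set) and keep the default; if the names are intentionally pinned, say so in the `Description` so nobody expects to override them. The descriptions also use `stackset`/`stack` loosely: `pStackSetAdminRole` is the StackSet administration role in the management account and `pStackExecutionRole` is the execution role assumed in each target account, which is worth spelling out.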
@@ -176,10 +196,10 @@ Resources:
Type: AWS::CloudFormation::StackSet
Properties:
StackSetName: sra-config-conformance-pack-org-delivery-bucket
- AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+ AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
CallAs: SELF
Description: !Sub ${pSRASolutionVersion} - Creates S3 bucket to store the conformance pack results
- ExecutionRoleName: AWSControlTowerExecution
+ ExecutionRoleName: !Ref pStackExecutionRole
ManagedExecution:
Active: true
OperationPreferences:
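Review bot: the `AdministrationRoleARN` path changes from `role/service-role/AWSControlTowerStackSetRole` to `role/${pStackSetAdminRole}` with no `service-role/` segment, so the `sra-stackset` role must be created at the root path by the common prerequisites; if that role is ever created under a path, this ARN will not resolve. Either accept the full ARN (or a path parameter) or document the fixed root path in the parameter description.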
@@ -208,7 +228,7 @@ Resources:
DependsOn: rConfigConformancePackOrgDeliveryBucketStackSet
Properties:
StackSetName: sra-config-conformance-pack-org-deployment
- AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+ AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
CallAs: SELF
Description: !If
- cRegisterDelegatedAdmin
@@ -220,7 +240,7 @@ Resources:
]
- !Sub ${pSRASolutionVersion} - This template creates an AWS Organizations Config Conformance Pack in the Control Tower Audit account. -
'config_conformance_pack_org' solution in repo, https://github.com/aws-samples/aws-security-reference-architecture-examples.
- ExecutionRoleName: AWSControlTowerExecution
+ ExecutionRoleName: !Ref pStackExecutionRole
ManagedExecution:
Active: true
OperationPreferences:
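Review bot: the context line two lines above the change still describes the StackSet as creating the conformance pack `in the Control Tower Audit account`, while the rest of this change removes the Control Tower assumptions (execution role, admin role, region lookup); reword to `Audit (Security Tooling) account` to match the README heading updated in this same change.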
diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml
index db6f9a75..11935780 100644
--- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml
+++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml
@@ -18,6 +18,12 @@ Metadata:
- pSRAStagingS3BucketName
- pSRASolutionVersion
+ - Label:
+ default: IAM Properties
+ Parameters:
+ - pStackSetAdminRole
+ - pStackExecutionRole
+
- Label:
default: Conformance Pack Properties
Parameters:
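Review bot: same ParameterGroups layout point as in the `-ssm` variant of this template: the added `IAM Properties` group ends with an empty `+` line, while the neighbouring groups run straight into the next `- Label:`; remove the blank line. Since the two main templates are kept in lockstep, any fix here should be mirrored in `sra-config-conformance-pack-org-main-ssm.yaml`.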
@@ -36,6 +42,10 @@ Metadata:
- pOrganizationId
ParameterLabels:
+ pStackSetAdminRole:
+ default: Stack Set Role
+ pStackExecutionRole:
+ default: Stack execution role
pAuditAccountId:
default: Audit Account ID
pConformancePackName:
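Review bot: `Stack Set Role` and `Stack execution role` use different capitalization and neither identifies the role's side of the StackSet; rename to `Stack Set Admin Role` and `Stack Execution Role`, in line with the title-case `Audit Account ID` label below, and apply the same rename in the `-ssm` template.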
@@ -62,6 +72,16 @@ Metadata:
default: SRA Staging S3 Bucket Name
Parameters:
+ pStackSetAdminRole:
+ AllowedValues: [sra-stackset]
+ Default: sra-stackset
+ Description: The administration role name that is used in the stackset.
+ Type: String
+ pStackExecutionRole:
+ AllowedValues: [sra-execution]
+ Default: sra-execution
+ Description: The execution role name that is used in the stack.
+ Type: String
pAuditAccountId:
AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$
ConstraintDescription:
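Review bot: the single-element `AllowedValues` on both new parameters pin them to `sra-stackset` and `sra-execution`, so they cannot actually be varied by the deployer; either switch to an `AllowedPattern` that accepts valid IAM role names (`^[\w+=,.@-]{1,64}$`) with these defaults, or state in each `Description` that the value is fixed by the common prerequisites. Keep this identical to the `-ssm` template so the two do not diverge.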
@@ -163,10 +183,10 @@ Resources:
Type: AWS::CloudFormation::StackSet
Properties:
StackSetName: sra-config-conformance-pack-org-delivery-bucket
- AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+ AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
CallAs: SELF
Description: !Sub ${pSRASolutionVersion} - Creates S3 bucket to store the conformance pack results
- ExecutionRoleName: AWSControlTowerExecution
+ ExecutionRoleName: !Ref pStackExecutionRole
ManagedExecution:
Active: true
OperationPreferences:
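Review bot: the new `AdministrationRoleARN` builds `role/${pStackSetAdminRole}` at the root IAM path, replacing a role that lived under `service-role/`; confirm the common prerequisites create `sra-stackset` at the root path, and note the fixed path in the parameter description so a role created under a custom path is not silently unresolved.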
@@ -195,7 +215,7 @@ Resources:
DependsOn: rConfigConformancePackOrgDeliveryBucketStackSet
Properties:
StackSetName: sra-config-conformance-pack-org-deployment
- AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+ AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
CallAs: SELF
Description: !If
- cRegisterDelegatedAdmin
@@ -207,7 +227,7 @@ Resources:
]
- !Sub ${pSRASolutionVersion} - This template creates an AWS Organizations Config Conformance Pack in the Control Tower Audit account. -
'config_conformance_pack_org' solution in repo, https://github.com/aws-samples/aws-security-reference-architecture-examples.
- ExecutionRoleName: AWSControlTowerExecution
+ ExecutionRoleName: !Ref pStackExecutionRole
ManagedExecution:
Active: true
OperationPreferences:
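Review bot: the unchanged description line above the `ExecutionRoleName` change still says the conformance pack is created `in the Control Tower Audit account`; now that the template no longer depends on the Control Tower roles, reword it to `Audit (Security Tooling) account` as the README heading in this change does.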