From fbf1847e45374fe22c3e112b4d9b5c50c893808b Mon Sep 17 00:00:00 2001 From: ievgeniia ieromenko Date: Thu, 28 Sep 2023 14:04:55 -0400 Subject: [PATCH 1/3] Updated Config conformance pack solution for CT optional --- README.md | 2 +- .../config_conformance_pack_org/README.md | 5 ++- .../scripts/list_config_recorder_status.py | 33 ++++++------------- ...-conformance-pack-org-delivery-bucket.yaml | 2 +- ...-config-conformance-pack-org-main-ssm.yaml | 28 +++++++++++++--- .../sra-config-conformance-pack-org-main.yaml | 28 +++++++++++++--- 6 files changed, 62 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index ae20c0ca..ffa8f636 100644 --- a/README.md +++ b/README.md @@ -122,7 +122,7 @@ Follow the instructions within the [Quick Setup](aws_sra_examples/quick_setup) t | [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) | Sets the billing, operations, and security alternate contacts for all accounts within the organization. | | | | [CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org) | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events. | CloudTrail enabled in each account with management events only. | | | [Config Management Account](aws_sra_examples/solutions/config/config_management_account) | Enables AWS Config in the Management account to allow resource compliance monitoring. | Configures AWS Config in all accounts except for the Management account in each governed region. | | -| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization. | | | +| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization. | | | | [Config Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org) | **Not required for most Control Tower environments.** Deploy an Organization Config Aggregator to a delegated admin other than the Audit account. | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. | | | [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions. | | | | [Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org) | Demonstrates configuring a security group policy and WAF policies for all accounts within an organization. | | | diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md b/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md index 692d8dd4..ea68db8a 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md @@ -58,10 +58,9 @@ evaluate your AWS environment, use one of the sample conformance pack templates. --- -### 3.0 Audit Account +### 3.0 Audit Account (Security Tooling) -The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the `Audit Account` SSM parameter is -populated from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet. +The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the `Audit Account` can be determined from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet in AWS Control Tower environments, but is specified manually in other environments, and then stored in an SSM parameter (this is all done in the common prerequisites solution). #### 3.1 AWS CloudFormation diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py b/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py index e7801e19..41488cf0 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py @@ -27,6 +27,7 @@ from mypy_boto3_cloudformation import CloudFormationClient from mypy_boto3_organizations import OrganizationsClient from mypy_boto3_sts.client import STSClient + from mypy_boto3_ssm.client import SSMClient # Logging Settings LOGGER = logging.getLogger() @@ -34,18 +35,19 @@ logging.getLogger("botocore").setLevel(logging.CRITICAL) # Global Variables -CLOUDFORMATION_PAGE_SIZE = 20 -CLOUDFORMATION_THROTTLE_PERIOD = 0.2 +# CLOUDFORMATION_PAGE_SIZE = 20 +# CLOUDFORMATION_THROTTLE_PERIOD = 0.2 MAX_THREADS = 20 ORG_PAGE_SIZE = 20 # Max page size for list_accounts ORG_THROTTLE_PERIOD = 0.2 -ASSUME_ROLE_NAME = "AWSControlTowerExecution" +ASSUME_ROLE_NAME = "sra-execution" BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"}) try: MANAGEMENT_ACCOUNT_SESSION = boto3.Session() ORG_CLIENT: OrganizationsClient = MANAGEMENT_ACCOUNT_SESSION.client("organizations", config=BOTO3_CONFIG) CFN_CLIENT: CloudFormationClient = MANAGEMENT_ACCOUNT_SESSION.client("cloudformation", config=BOTO3_CONFIG) + SSM_CLIENT: SSMClient = MANAGEMENT_ACCOUNT_SESSION.client("ssm") except Exception as error: LOGGER.error({"Unexpected_Error": error}) raise ValueError("Unexpected error executing Lambda function. Review CloudWatch logs for details.") from None @@ -101,29 +103,14 @@ def get_all_organization_accounts() -> list: def get_control_tower_regions() -> list: # noqa: CCR001 - """Query 'AWSControlTowerBP-BASELINE-CLOUDWATCH' CloudFormation stack to identify customer regions. + """Query SSM Parameter Store to identify customer regions. Returns: - Customer regions chosen in Control Tower + Customer regions """ - paginator = CFN_CLIENT.get_paginator("list_stack_instances") - customer_regions = set() - aws_account = "" - all_regions_identified = False - for page in paginator.paginate(StackSetName="AWSControlTowerBP-BASELINE-CLOUDWATCH", PaginationConfig={"PageSize": CLOUDFORMATION_PAGE_SIZE}): - for instance in page["Summaries"]: - if not aws_account: - aws_account = instance["Account"] - customer_regions.add(instance["Region"]) - continue - if aws_account == instance["Account"]: - customer_regions.add(instance["Region"]) - continue - all_regions_identified = True - break - if all_regions_identified: - break - sleep(CLOUDFORMATION_THROTTLE_PERIOD) + customer_regions = [] + ssm_response = SSM_CLIENT.get_parameter(Name="/sra/regions/customer-control-tower-regions") + customer_regions = ssm_response["Parameter"]["Value"].split(",") return list(customer_regions) diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml index 97e6226f..da3223d9 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml @@ -94,7 +94,7 @@ Resources: StringLike: aws:PrincipalArn: - !Sub arn:${AWS::Partition}:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms - - !Sub arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution + - !Sub arn:${AWS::Partition}:iam::*:role/sra-execution Resource: !Sub arn:${AWS::Partition}:s3:::${rConformancePackBucket} Principal: '*' diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml index 4c40ab79..9af8ed82 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml @@ -20,6 +20,12 @@ Metadata: - pSRAStagingS3BucketName - pSourceStackName + - Label: + default: IAM Properties + Parameters: + - pStackSetAdminRole + - pStackExecutionRole + - Label: default: Conformance Pack Properties Parameters: @@ -38,6 +44,10 @@ Metadata: - pOrganizationId ParameterLabels: + pStackSetAdminRole: + default: Stack Set Role + pStackExecutionRole: + default: Stack execution role pAuditAccountId: default: Audit Account ID pConformancePackName: @@ -66,6 +76,16 @@ Metadata: default: SRA Staging S3 Bucket Name Parameters: + pStackSetAdminRole: + AllowedValues: [sra-stackset] + Default: sra-stackset + Description: The administration role name that is used in the stackset. + Type: String + pStackExecutionRole: + AllowedValues: [sra-execution] + Default: sra-execution + Description: The execution role name that is used in the stack. + Type: String pAuditAccountId: AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$ ConstraintDescription: @@ -176,10 +196,10 @@ Resources: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-config-conformance-pack-org-delivery-bucket - AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole + AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole} CallAs: SELF Description: !Sub ${pSRASolutionVersion} - Creates S3 bucket to store the conformance pack results - ExecutionRoleName: AWSControlTowerExecution + ExecutionRoleName: !Ref pStackExecutionRole ManagedExecution: Active: true OperationPreferences: @@ -208,7 +228,7 @@ Resources: DependsOn: rConfigConformancePackOrgDeliveryBucketStackSet Properties: StackSetName: sra-config-conformance-pack-org-deployment - AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole + AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole} CallAs: SELF Description: !If - cRegisterDelegatedAdmin @@ -220,7 +240,7 @@ Resources: ] - !Sub ${pSRASolutionVersion} - This template creates an AWS Organizations Config Conformance Pack in the Control Tower Audit account. - 'config_conformance_pack_org' solution in repo, https://github.com/aws-samples/aws-security-reference-architecture-examples. - ExecutionRoleName: AWSControlTowerExecution + ExecutionRoleName: !Ref pStackExecutionRole ManagedExecution: Active: true OperationPreferences: diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml index db6f9a75..11935780 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml @@ -18,6 +18,12 @@ Metadata: - pSRAStagingS3BucketName - pSRASolutionVersion + - Label: + default: IAM Properties + Parameters: + - pStackSetAdminRole + - pStackExecutionRole + - Label: default: Conformance Pack Properties Parameters: @@ -36,6 +42,10 @@ Metadata: - pOrganizationId ParameterLabels: + pStackSetAdminRole: + default: Stack Set Role + pStackExecutionRole: + default: Stack execution role pAuditAccountId: default: Audit Account ID pConformancePackName: @@ -62,6 +72,16 @@ Metadata: default: SRA Staging S3 Bucket Name Parameters: + pStackSetAdminRole: + AllowedValues: [sra-stackset] + Default: sra-stackset + Description: The administration role name that is used in the stackset. + Type: String + pStackExecutionRole: + AllowedValues: [sra-execution] + Default: sra-execution + Description: The execution role name that is used in the stack. + Type: String pAuditAccountId: AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$ ConstraintDescription: @@ -163,10 +183,10 @@ Resources: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-config-conformance-pack-org-delivery-bucket - AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole + AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole} CallAs: SELF Description: !Sub ${pSRASolutionVersion} - Creates S3 bucket to store the conformance pack results - ExecutionRoleName: AWSControlTowerExecution + ExecutionRoleName: !Ref pStackExecutionRole ManagedExecution: Active: true OperationPreferences: @@ -195,7 +215,7 @@ Resources: DependsOn: rConfigConformancePackOrgDeliveryBucketStackSet Properties: StackSetName: sra-config-conformance-pack-org-deployment - AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole + AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole} CallAs: SELF Description: !If - cRegisterDelegatedAdmin @@ -207,7 +227,7 @@ Resources: ] - !Sub ${pSRASolutionVersion} - This template creates an AWS Organizations Config Conformance Pack in the Control Tower Audit account. - 'config_conformance_pack_org' solution in repo, https://github.com/aws-samples/aws-security-reference-architecture-examples. - ExecutionRoleName: AWSControlTowerExecution + ExecutionRoleName: !Ref pStackExecutionRole ManagedExecution: Active: true OperationPreferences: From 02f7db18817f0f3f6bf06ed192e64b591d961e31 Mon Sep 17 00:00:00 2001 From: ievgeniia ieromenko Date: Thu, 28 Sep 2023 16:53:45 -0400 Subject: [PATCH 2/3] linting fixes --- .../scripts/list_config_recorder_status.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py b/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py index 41488cf0..167b6224 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py @@ -35,8 +35,6 @@ logging.getLogger("botocore").setLevel(logging.CRITICAL) # Global Variables -# CLOUDFORMATION_PAGE_SIZE = 20 -# CLOUDFORMATION_THROTTLE_PERIOD = 0.2 MAX_THREADS = 20 ORG_PAGE_SIZE = 20 # Max page size for list_accounts ORG_THROTTLE_PERIOD = 0.2 From 3ae382c5ec27016061f744efa8167d59faf11cc9 Mon Sep 17 00:00:00 2001 From: ievgeniia ieromenko Date: Thu, 28 Sep 2023 16:57:28 -0400 Subject: [PATCH 3/3] linting fixes --- .../scripts/list_config_recorder_status.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py b/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py index 167b6224..d6ba1525 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py @@ -26,8 +26,8 @@ if TYPE_CHECKING: from mypy_boto3_cloudformation import CloudFormationClient from mypy_boto3_organizations import OrganizationsClient - from mypy_boto3_sts.client import STSClient from mypy_boto3_ssm.client import SSMClient + from mypy_boto3_sts.client import STSClient # Logging Settings LOGGER = logging.getLogger()