aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

License: Other

Python 60.63% Shell 2.37% HCL 37.00%
aws aws-cloudformation aws-control-tower aws-security aws-security-automation

AWS Security Reference Architecture Examples

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0


⚠️Influence the future of the AWS Security Reference Architecture (AWS SRA) code library by taking a short survey.

Introduction

This repository contains code to help developers and engineers deploy AWS security-related services in an AWS Organizations multi-account environment, with or without AWS Control Tower as its landing zone, following patterns that align with the AWS Security Reference Architecture. The Amazon Web Services (AWS) Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment.

The AWS service configurations and resources (e.g. IAM roles and policies) deployed by these templates are deliberately very restrictive. They are intended to illustrate an implementation pattern rather than provide a complete solution. You may need to modify and tailor these solutions to suit your environment and security needs.

The solutions in this repository that require AWS Control Tower have been deployed and tested within an AWS Control Tower environment using AWS CloudFormation, Customizations for AWS Control Tower (CFCT), and Terraform.

The solutions that do not require AWS Control Tower have been tested within an AWS Organizations environment using AWS CloudFormation and Terraform.

Getting started

Whether you're new to AWS security or looking to enhance your existing setup, our code library provides comprehensive solutions to help fortify your AWS environments. The AWS SRA code library can be deployed using two different methods: AWS CloudFormation and Terraform.

Deployment with CloudFormation

Using AWS SRA in AWS Control Tower Environments

For multi-account environments that use (or will use) the AWS Control Tower landing zone, you can install the AWS SRA code solutions using the instructions in this section.

AWS SRA Easy Setup with an AWS Control Tower Landing Zone (Recommended)

How to get started with the easy setup process in AWS Control Tower diagram

  1. Set up the environment to configure AWS Control Tower within a new or existing AWS account. Existing AWS Control Tower environments can also be used but may require existing service configurations to be removed.
  2. Choose a deployment method:
  3. If using CfCT, deploy the AWSControlTowerExecution role into the management account.
  4. Using parameters within the easy setup template file, choose which AWS SRA Solutions to deploy. This can be done during initial setup or as an update later.

For more information view the AWS SRA Easy Setup solution page.

Manual Setup in AWS Control Tower Environments

How to get started process diagram (manual install)

  1. Set up the environment to configure AWS Control Tower within a new or existing AWS account. Existing AWS Control Tower environments can also be used but may require existing service configurations to be removed.
  2. Deploy the Common Prerequisites solution. Note: This only needs to be done once for all the solutions.
  3. Choose a deployment method:
  4. (Optional) Deploy the Customizations for AWS Control Tower (CFCT) Setup solution. Note: Only implement this if the CFCT deployment method was selected.
  5. Per your requirements select one or all of the below AWS SRA Solutions to implement via the selected deployment method.
    • You may use the Quick Setup to deploy the AWS SRA Solutions at this step.

Using AWS SRA in AWS Organizations Environments with CloudFormation

For multi-account environments that use AWS Organizations and do NOT have an AWS Control Tower landing zone installed, you can install the AWS SRA code solutions using the instructions in this section.

How to get started with the easy setup process in AWS Organizations diagram

Easy Setup in AWS Organizations Environments (Recommended)

  1. Set up the environment to configure AWS Organizations within a new or existing AWS account. Existing AWS Organizations environments can also be used but may require existing service configurations to be removed.
    • The Security Tooling and Log Archive accounts must be created or already be part of the existing AWS Organizations environment (though they may be named differently in your environment).
    • It is recommended that the OU structure is set up in alignment with the AWS SRA design guidance.
  2. Deploy using CloudFormation
  3. Using parameters within the easy setup template file, choose which AWS SRA Solutions to deploy. This can be done during initial setup or as an update later.

For more information view the AWS SRA Easy Setup solution page.

Manual Setup in AWS Organizations

  1. Set up the environment to configure AWS Organizations within a new or existing AWS account. Existing AWS Organizations environments can also be used but may require existing service configurations to be removed.
    • The Security Tooling and Log Archive accounts must be created or already be part of the existing AWS Organizations environment (though they may be named differently in your environment).
    • It is recommended that the OU structure is set up in alignment with the AWS SRA design guidance.
  2. Deploy the Common Prerequisites solution. Note: This only needs to be done once for all the solutions.
  3. Per your requirements select one or all of the below AWS SRA Solutions to implement via CloudFormation.
    • You may use the Quick Setup to deploy the AWS SRA Solutions at this step.

Easy Setup with CloudFormation Details

Using the AWS SRA Easy Setup, the common prerequisites and all AWS SRA solutions are automatically packaged, staged, and deployed into your AWS environment with minimal effort. This is the recommended method to install the AWS SRA code library because it reduces the likelihood of missing a step in the Manual install method. If using this method to install the AWS SRA code library, there is no other process you need to follow.

Follow the instructions in the AWS SRA Easy Setup solution page to install everything you need to get the AWS SRA code library and its solutions deployed.

Quick Setup with CloudFormation (Deprecated)

The Quick Setup has been deprecated. Refer to the Easy Setup instead.

Deployment with Terraform

Please follow the instructions for SRA Terraform deployments in the SRA Terraform edition documentation.

Example Solutions

  • Note: All solutions below depend on the Common Prerequisites solution in addition to the specified solutions within the Depends On column.
  • Navigate to corresponding example solution to review what is deployed and configured within the environment.
  • If a solution depends on AWS Control Tower then the AWS Control Tower landing zone must be deployed before installing the solution (along with any other solution dependencies). Each solution will be updated to remove the requirement of needing an AWS Control Tower landing zone (making it optional) in future updates, however, AWS Organizations will always be required.
  • For solutions supported in the SRA Terraform edition, please see the SRA Terraform edition documentation.
Example Solution | Solution Highlights | What does Control Tower provide? | Depends On
--- | --- | --- | ---
Account Alternate Contacts | Sets the billing, operations, and security alternate contacts for all accounts within the organization. | |
AMI Bakery | Creates and configures an AMI image management pipeline. | |
CloudTrail | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events. | CloudTrail enabled in each account with management events only. |
Config Management Account | Enables AWS Config in the Management account to allow resource compliance monitoring. | Configures AWS Config in all accounts except for the Management account in each governed region. | AWS Control Tower
Config Organization Aggregator | Not required for most Control Tower environments. Deploys an Organization Config Aggregator to a delegated admin other than the Audit account. | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. |
Config Organization Conformance Pack | Deploys a conformance pack to all accounts and provided regions within an organization. | |
Config Organization | Configures AWS Config in all accounts in each governed region. Deploys an Organization Config Aggregator to a delegated admin account. This solution is incompatible with the AWS Control Tower environment. | |
Detective | The Detective Organization solution automates enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts. | |
EC2 Default EBS Encryption | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions. | |
Firewall Manager | Demonstrates configuring a security group policy and WAF policies for all accounts within an organization. | |
GuardDuty | Configures GuardDuty within a delegated admin account for all accounts within an organization. | |
IAM Access Analyzer | Configures an organization analyzer within a delegated admin account and an account-level analyzer within each account. | | Common Register Delegated Administrator
IAM Account Password Policy | Sets the account password policy for users to align with common compliance standards. | |
Inspector | Configures Inspector within a delegated admin account for all accounts and governed regions within the organization. | |
Macie | Configures Macie within a delegated admin account for all accounts within the organization. | |
S3 Block Account Public Access | Configures the account-level S3 BPA settings for all accounts within the organization. | Configures S3 BPA settings on buckets created by Control Tower only. | AWS Control Tower
Security Hub | Configures Security Hub within a delegated admin account for all accounts and governed regions within the organization. | |
Shield Advanced | Enables and configures AWS Shield Advanced for some or all of the existing and future AWS Organization accounts. | |

Utils

  • packaging_scripts/stage-solution.sh (Package and stage all the AWS SRA example solutions. For more information see Staging script details)

Environment Setup

Depending on the deployment method selected, the following solutions are required before implementing the SRA solutions.

Repository and Solution Naming Convention

The repository is organized by AWS service solutions, which include deployment platforms (e.g., AWS Control Tower and AWS CloudFormation StackSet).

Example:

.
├── solutions
│   ├── guardduty
│   │   └── guardduty_org
│   │       ├── README.md
│   │       ├── customizations_for_aws_control_tower
│   │       │   ├── manifest.yaml
│   │       │   └── parameters
│   │       ├── documentation
│   │       ├── lambda
│   │       │   └── src
│   │       │       ├── app.py
│   │       │       └── requirements.txt
│   │       └── templates
│   │           ├── sra-guardduty-org-configuration-role.yaml
│   │           ├── sra-guardduty-org-configuration.yaml
│   │           ├── sra-guardduty-org-delete-detector-role.yaml
│   │           ├── sra-guardduty-org-delivery-kms-key.yaml
│   │           └── sra-guardduty-org-delivery-s3-bucket.yaml
│   ├── ...

Frequently Asked Questions

Q. How were these particular solutions chosen? A. All the examples in this repository are derived from common patterns that many customers ask us to help them deploy within their environments. We will be adding to the examples over time.

Q. How were these solutions created? A. We’ve collected, cataloged, and curated our multi-account security solution knowledge based on working with a variety of AWS customers.

Q. Who is the audience for these AWS Security Reference Architecture examples? A. Security professionals that are looking for illustrative examples of deploying security patterns in AWS. These code samples provide a starting point from which you can build and tailor infrastructure for your needs.

Q. Why didn't the solutions use inline Lambda functions within the CloudFormation templates? A. Reasons:

Q. I have ideas to improve this repository. What should I do? A. Please create an issue or submit a pull request.

License Summary

The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file.

The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file.

Please note when building the project that some of the configured developer dependencies are subject to copyleft licenses. Please review these as needed for your use.

Contributors

alazaroc, amazon-auto, andywick-aws, arya23065, climbertjh2, firefishy, freskimaliu, ievie, jm-aws, justin-kontny, knmaws, liamschn, tekdj7, thi-baut

aws-security-reference-architecture-examples's Issues

[FEATURE] Add general contributing guidance

Is your feature request related to a problem? Please describe.

Provide a checklist to help contributors understand the solution build and testing requirements

Describe the solution you'd like

Clear and concise list of items to check before submitting a PR

Deploying sra examples multiple times using same stackset

Is your feature request related to a problem? Please describe

I wanted to deploy multiple conformance packs using the security reference architecture solution but currently it is not possible.

Describe the solution you'd like

The ideal solution would be to accept an array of conformance packs or something similar.

Describe alternatives you've considered

Extending the template to add extra params and then passing those params.

For example:

  • pConformancePackName
  • pConformancePackNameGDPR
    etc.

Additional context

None

[FEATURE] Refactor Firewall Manager Solution

Is your feature request related to a problem? Please describe.

Consistency across solutions

Describe the solution you'd like

  1. All - Sort parameters, properties, etc. in alphabetical order, where possible
  2. Lambda - Remove boto3 from requirements.txt, if the Lambda runtime version supports the APIs needed
  3. Lambda - Use custom resource properties instead of environment variables
  4. Lambda - Refactor Lambda code to use resource properties
  5. Lambda - Add additional permissions required when deploying to regions other than us-east-1
  6. Lambda - Run API calls from us-east-1
  7. Lambda - Add wait time when updating delegated admin
  8. CloudFormation - Add parameter AllowedPattern, where possible
  9. CloudFormation - Verify templates pass new CFN NAG rules
  10. Add support for Customizations for Control Tower V2

Describe alternatives you've considered

None

Additional context

https://docs.aws.amazon.com/waf/latest/developerguide/enable-integration.html

[BUG] Can't turn off S3 data event logging

Describe the bug

Once S3 data event logging has been enabled using the pEnableS3DataEvents parameter, it cannot be disabled.

The stack for the trail will accept false as a value for the parameter update, but does not translate that to an update on the trail.

To Reproduce

The following is a "pseudorepro". These steps should be reproducible by adapting them to whatever deployment method is used in practice.

Set up all the prerequisites.

  • create an S3 bucket for Lambda code
  • package the lambda code to the S3 bucket using the package_lambda.sh script
  • create the KMS key using the stack template
  • create the S3 bucket for CloudTrail logs using the stack template

Create the trail configured to log just management events.

  • Use the stack template

  • Derive most of the parameter values from the configuration of the prerequisites

  • Use the following values to configure trail's event selectors

    pEnableDataEventsOnly: false
    pEnableLambdaDataEvents: false
    pEnableS3DataEvents: false
    
  • Wait for the stack creation to complete

  • Confirm via the API that the EventSelectors.DataResources list is empty

    $ aws cloudtrail get-event-selectors --trail-name ...
    {
        "TrailARN": "arn:aws:cloudtrail:...",
        "EventSelectors": [
            {
                "ReadWriteType": "All",
                "IncludeManagementEvents": true,
                "DataResources": [],
                "ExcludeManagementEventSources": []
            }
        ]
    }
    

Now update the trail so that it also logs S3 data events.

  • Use the stack template

  • Update the following parameter:

    pEnableS3DataEvents: true
    
  • Wait for the stack update to complete

  • Confirm via the API that the EventSelectors.DataResources list has a selector for all S3 objects

    $ aws cloudtrail get-event-selectors --trail-name ...
    {
        "TrailARN": "arn:aws:cloudtrail:eu-west-1:...",
        "EventSelectors": [
            {
                "ReadWriteType": "All",
                "IncludeManagementEvents": true,
                "DataResources": [
                    {
                        "Type": "AWS::S3::Object",
                        "Values": [
                            "arn:aws:s3:::"
                        ]
                    }
                ],
                "ExcludeManagementEventSources": []
            }
        ]
    }
    
  • Confirm in CloudTrail history that a PutEventSelectors event is present

Now update the trail again so that it no longer logs S3 data events.

  • Use the stack template

  • Update the following parameter:

    pEnableS3DataEvents: false
    
  • Wait for the stack update to complete

  • Confirm via the API that the EventSelectors.DataResources list still has a selector for all S3 objects. The output would be the same as before.

  • Confirm in CloudTrail history that a PutEventSelectors event is absent

Expected behavior

After updating the trail so that it no longer logs S3 data events:

  • The EventSelectors.DataResources list should be empty again
  • There should be a corresponding PutEventSelectors event in CloudTrail history

Deployment Environment

Custom deployment environment using stack sets.

Additional context

The problem seems to be caused by the following branch in the update method of the custom resource lambda.

if event_selectors and event_selectors["DataResources"]:
    CLOUDTRAIL_CLIENT.put_event_selectors(
        TrailName=cloudtrail_name,
        EventSelectors=[event_selectors]
    )
    logger.info("Data Events Updated")

It will call put_event_selectors only when the DataResources list is not empty.

When we attempt to turn off S3 data event logging, the template is updated with these parameter values:

pEnableDataEventsOnly: false
pEnableLambdaDataEvents: false
pEnableS3DataEvents: false

The Lambda receives these input parameters:

ENABLE_DATA_EVENTS_ONLY: false
ENABLE_LAMBDA_DATA_EVENTS: false
ENABLE_S3_DATA_EVENTS: false

Which causes get_data_event_config to return DataResources as an empty list.

{
    "ReadWriteType": "All",
    "IncludeManagementEvents": True,
    "DataResources": [],
}

And so the branch to call put_event_selectors is not followed, and so the data selector is not removed.

I have fixed the function in my own environment. I could submit a PR with the essential fix if it would help.
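The branch quoted in the bug report above, beside a corrected update that always writes the computed selector, exercised against a fake CloudTrail client so it runs offline. This is an added example, not the repository's Lambda code; `get_data_event_config`, the `FakeCloudTrailClient` and the `update_data_events_*` helpers are constructed here, and the mapping of `pEnableDataEventsOnly` to `IncludeManagementEvents` is an assumption.

```python
from typing import Any, Callable, Dict, List

Selector = Dict[str, Any]


def get_data_event_config(enable_s3: bool, enable_lambda: bool, data_events_only: bool) -> Selector:
    """Build the event selector the way the report describes: DataResources is an
    empty list when no data event type is enabled. ARN prefixes are the CloudTrail
    "all objects" / "all functions" wildcards."""
    data_resources: List[Dict[str, Any]] = []
    if enable_s3:
        data_resources.append({"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]})
    if enable_lambda:
        data_resources.append({"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]})
    return {
        "ReadWriteType": "All",
        # Assumption: data-events-only means management events are excluded.
        "IncludeManagementEvents": not data_events_only,
        "DataResources": data_resources,
    }


class FakeCloudTrailClient:
    """Stand-in for the boto3 CloudTrail client (constructed for this example).
    It records PutEventSelectors calls and returns selectors like the service does."""

    def __init__(self) -> None:
        # A trail that starts with management events only, as in the report.
        self.selectors: List[Selector] = [
            {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}
        ]
        self.calls: List[Dict[str, Any]] = []

    def put_event_selectors(self, TrailName: str, EventSelectors: List[Selector]) -> Dict[str, Any]:
        self.calls.append({"TrailName": TrailName, "EventSelectors": EventSelectors})
        self.selectors = EventSelectors
        return {"TrailARN": f"arn:aws:cloudtrail:us-east-1:111122223333:trail/{TrailName}",
                "EventSelectors": EventSelectors}

    def get_event_selectors(self, TrailName: str) -> Dict[str, Any]:
        return {"TrailARN": f"arn:aws:cloudtrail:us-east-1:111122223333:trail/{TrailName}",
                "EventSelectors": self.selectors}


def update_data_events_buggy(client: Any, trail_name: str, event_selectors: Selector) -> bool:
    """The branch quoted in the report: PutEventSelectors is only called when
    DataResources is non-empty, so disabling every data event type is a no-op."""
    if event_selectors and event_selectors["DataResources"]:
        client.put_event_selectors(TrailName=trail_name, EventSelectors=[event_selectors])
        return True
    return False


def update_data_events_fixed(client: Any, trail_name: str, event_selectors: Selector) -> bool:
    """Corrected form: on every update write the computed selector, so an empty
    DataResources list removes the selectors that were previously configured."""
    if not event_selectors:
        return False
    client.put_event_selectors(TrailName=trail_name, EventSelectors=[event_selectors])
    return True


def data_resource_types(client: Any, trail_name: str) -> List[str]:
    """Verification helper: the data resource types currently configured on the trail
    (the same check as `aws cloudtrail get-event-selectors` in the report)."""
    selectors = client.get_event_selectors(TrailName=trail_name)["EventSelectors"]
    return [r["Type"] for s in selectors for r in s["DataResources"]]


def enable_then_disable_s3(update_fn: Callable[[Any, str, Selector], bool]) -> List[str]:
    """Replay the report's sequence: enable S3 data events, then disable them again,
    and return what is left on the trail."""
    client = FakeCloudTrailClient()
    update_fn(client, "sra-org-trail", get_data_event_config(True, False, False))
    update_fn(client, "sra-org-trail", get_data_event_config(False, False, False))
    return data_resource_types(client, "sra-org-trail")


if __name__ == "__main__":
    print("buggy leaves:", enable_then_disable_s3(update_data_events_buggy))  # ['AWS::S3::Object']
    print("fixed leaves:", enable_then_disable_s3(update_data_events_fixed))  # []
```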

[FEATURE] Refactor extras to align with contribution guidelines

Is your feature request related to a problem? Please describe.

Refactor and refresh the content within the extras section of the code repo to align with the contribution guidelines.

Describe the solution you'd like

All - Sort parameters, properties, etc. in alphabetical order, where possible
CloudFormation - Verify templates pass new CFN NAG rules
Change primary account references to management

Describe alternatives you've considered

None

Additional context

None

[BUG] GuardDuty solution does not deregister admin account in AWS Organization

Describe the bug

When removing the GuardDuty solution it does not deregister the administrator account in AWS organizations, which prevents assigning a new account as the delegated admin.

To Reproduce

Steps to reproduce the behavior:

  1. Delete the solution triggering the CloudFormation stack delete
  2. Check the current delegated services for the account
    aws guardduty list-delegated-services-for-account --account ACCOUNT_ID

Expected behavior

GuardDuty delegated admin is deregistered after the solution is deleted

[BUG] Error when Deploying Alternate Contacts Solution via CfCT

Hi There,

I'm running into an issue when trying to deploy the Alternate Contacts Solution through Customisations for Control Tower that is part of the SRA Repo.

The CodeBuild logs (Custom-Control-Tower-StackSet-CodeBuild) show the following:

{"time_stamp": "2022-08-04 11:08:40,441","log_level": "ERROR","log_message": Unhandled Exception: argument of type 'int' is not iterable}
Traceback (most recent call last):
  File "/codebuild/output/src245367560/src/state_machine_trigger.py", line 69, in main
    sm_input_list = get_stack_set_inputs()
  File "/codebuild/output/src245367560/src/state_machine_trigger.py", line 95, in get_stack_set_inputs
    return parse.stack_set_manifest()
  File "/codebuild/output/src245367560/src/cfct/manifest/manifest_parser.py", line 62, in stack_set_manifest
    return get_stack_set_input.parse_stack_set_manifest_v2()
  File "/codebuild/output/src245367560/src/cfct/manifest/manifest_parser.py", line 256, in parse_stack_set_manifest_v2
    sm_input = build.stack_set_state_machine_input_v2(
  File "/codebuild/output/src245367560/src/cfct/manifest/manifest_parser.py", line 370, in stack_set_state_machine_input_v2
    sm_params = self.param_handler.update_params(parameters, account_list,
  File "/codebuild/output/src245367560/src/cfct/manifest/cfn_params_handler.py", line 229, in update_params
    value = value if separator not in value else \
TypeError: argument of type 'int' is not iterable
Traceback (most recent call last):
  File "/codebuild/output/src245367560/src/state_machine_trigger.py", line 132, in <module>
    main()
  File "/codebuild/output/src245367560/src/state_machine_trigger.py", line 69, in main
    sm_input_list = get_stack_set_inputs()
  File "/codebuild/output/src245367560/src/state_machine_trigger.py", line 95, in get_stack_set_inputs
    return parse.stack_set_manifest()
  File "/codebuild/output/src245367560/src/cfct/manifest/manifest_parser.py", line 62, in stack_set_manifest
    return get_stack_set_input.parse_stack_set_manifest_v2()
  File "/codebuild/output/src245367560/src/cfct/manifest/manifest_parser.py", line 256, in parse_stack_set_manifest_v2
    sm_input = build.stack_set_state_machine_input_v2(
  File "/codebuild/output/src245367560/src/cfct/manifest/manifest_parser.py", line 370, in stack_set_state_machine_input_v2
    sm_params = self.param_handler.update_params(parameters, account_list,
  File "/codebuild/output/src245367560/src/cfct/manifest/cfn_params_handler.py", line 229, in update_params
    value = value if separator not in value else \
TypeError: argument of type 'int' is not iterable

My manifest.yaml entry is as below:

  # -----------------------------------------------------------------------------
  # Account Alternate Contacts
  # -----------------------------------------------------------------------------
  - name: sra-account-alternate-contacts-main-ssm
    resource_file: templates/sra-account-alternate-contacts-main-ssm.yaml
    parameter_file: parameters/sra-account-alternate-contacts-main-ssm.json
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - 012345678910

However, I am able to successfully deploy the Solution outside of CfCT as a Standalone Solution.

Thanks in Advance
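The traceback above fails at `separator not in value` with a value of type `int`, which is what a CfCT parameter file produces when a `ParameterValue` is written as a JSON number rather than a string. The following added check (not CfCT's or the repository's code) flags and rewrites such entries; the sample file, its parameter keys and the function names are constructed for this example.

```python
import json
from typing import Any, Dict, List

# Constructed sample parameter file in the CfCT ParameterKey/ParameterValue shape.
# The third entry is a 12-digit account id typed as a number. Note that an id
# with a leading zero (like the 012345678910 in the manifest above) is not even
# valid as a JSON number, another reason these values must be quoted.
SAMPLE_PARAMETERS_JSON = """
[
  {"ParameterKey": "pExampleContactName", "ParameterValue": "Security Team"},
  {"ParameterKey": "pExampleExcludeTags", "ParameterValue": ""},
  {"ParameterKey": "pExampleAccountId", "ParameterValue": 123456789012}
]
"""


def load_parameter_entries(parameters_json: str) -> List[Dict[str, Any]]:
    """Parse the file and insist on the list-of-objects layout CfCT expects."""
    entries = json.loads(parameters_json)
    if not isinstance(entries, list) or not all(isinstance(e, dict) for e in entries):
        raise ValueError("parameter file must be a JSON array of ParameterKey/ParameterValue objects")
    return entries


def find_non_string_values(parameters_json: str) -> List[str]:
    """Return the ParameterKeys whose ParameterValue is missing or not a JSON string.
    CloudFormation parameter values are strings, and CfCT's handler runs substring
    checks on them, which an int, bool or null cannot satisfy."""
    bad: List[str] = []
    for entry in load_parameter_entries(parameters_json):
        key = entry.get("ParameterKey", "<missing ParameterKey>")
        if not isinstance(entry.get("ParameterValue"), str):
            bad.append(key)
    return bad


def coerce_values_to_strings(parameters_json: str) -> str:
    """Return a copy of the file with scalar values rewritten as strings. JSON
    booleans become the "true"/"false" text CloudFormation expects; null becomes
    an empty string; lists and objects are left alone so the check above still
    reports them for a human to look at."""
    entries = load_parameter_entries(parameters_json)
    for entry in entries:
        value = entry.get("ParameterValue")
        if isinstance(value, bool):  # bool is checked before int: True is an int in Python
            entry["ParameterValue"] = "true" if value else "false"
        elif value is None:
            entry["ParameterValue"] = ""
        elif isinstance(value, (int, float)):
            entry["ParameterValue"] = str(value)
    return json.dumps(entries, indent=2)


def value_for_key(parameters_json: str, key: str) -> Any:
    """Lookup helper used for verification."""
    for entry in load_parameter_entries(parameters_json):
        if entry.get("ParameterKey") == key:
            return entry.get("ParameterValue")
    raise KeyError(key)


if __name__ == "__main__":
    print("non-string values:", find_non_string_values(SAMPLE_PARAMETERS_JSON))  # ['pExampleAccountId']
    print(coerce_values_to_strings(SAMPLE_PARAMETERS_JSON))
```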

[FEATURE] Refactor GuardDuty Org Solution

Is your feature request related to a problem? Please describe.

Consistency across solutions, new cfn nag rules, new Security Hub rules, Customizations for Control Tower version 2

Describe the solution you'd like

  1. All - Sort parameters, properties, etc. in alphabetical order, where possible
  2. S3 - Add Ownership Controls configuration to the bucket
  3. S3 - Remove PutObjectAcl from the bucket policy, flagged by Security Hub standard
  4. Lambda - Remove boto3 from requirements.txt, if the Lambda runtime version supports the APIs needed
  5. Lambda - Use custom resource properties instead of environment variables
  6. Lambda - Refactor Lambda code to use resource properties
  7. Lambda - Multi-threaded member detector delete
  8. Lambda - Update member detectors with S3 logs enabled when parameter is true
  9. Lambda - Set the Finding Publishing Fequency
  10. CloudFormation - Add parameter AllowedPattern, where possible
  11. CloudFormation - Verify templates pass new CFN NAG rules
  12. CloudFormation - Add parameter for Finding Publishing Frequency
  13. Add support for Customizations for Control Tower V2

Describe alternatives you've considered

None

Additional context

https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#enable-object-ownership

[BUG] Security Hub - Disabling All Standards

Describe the bug

I've a scenario where a Customer wishes to disable all Standards that Security Hub offers and instead leverage Prowler scan findings being imported into Security Hub, therefore reducing the Cost of AWS Config in the process.

When disabling all the appropriate standards via the CFN Parameters using as an Input for CfCT to deploy to the AWS Org, we're seeing that in the Management Account all Standards are disabled in all regions, however in every other Member Account in the AWS Org all standards are disabled with the exception of CIS 1.2 which is enabled in all AWS Regions (that are governed by Control Tower).

To Reproduce

Pass in the following parameter settings via a json file in the manifest.yaml:
{
"ParameterKey": "pEnableCISStandard",
"ParameterValue": "false"
},
{
"ParameterKey": "pEnablePCIStandard",
"ParameterValue": "false"
},
{
"ParameterKey": "pEnableSecurityBestPracticesStandard",
"ParameterValue": "false"
}

Utilise the sra-securityhub-org-main-ssm.yaml in the manifest.yaml as the CFN Template
Commit and wait for the CFCT Pipeline to complete.

Expected behavior

Security Hub Standard in all accounts should reflect what was provided via CloudFormation Parameters.

[FEATURE] Add DynamoDB data events to CloudTrail Solution

Is your feature request related to a problem? Please describe.

CloudTrail now supports logging DynamoDB data events. Add support for enabling DynamoDB data events to the CloudTrail solution

Describe the solution you'd like

  • CloudFormation - Add parameter to enable DynamoDB data events
  • Lambda - modify the Lambda function to enable the DynamoDB data events

Describe alternatives you've considered

No alternatives

Additional context

https://aws.amazon.com/blogs/database/amazon-dynamodb-now-supports-audit-logging-and-monitoring-using-aws-cloudtrail/

[FEATURE] Make creating the custom resource Lambda CloudWatch log group optional

Is your feature request related to a problem? Please describe.

Defining the CloudWatch log group within CloudFormation prevents debugging issues if/when there is an error in the Lambda code since the log group is deleted by CloudFormation. Adding retain on the log group is another option considered but this adds a manual step when removing the solution.

Describe the solution you'd like

The Lambda function will create the log group with the default expiration. Modifying the expiration can be done after the log group is created by a separate process.

[Suggested additions]

Is your feature request related to a problem? Please describe

Various alternative methods of adding security enhancements to Control Tower/Organizations exist. Here are a couple that would be nice to have built out as sample solutions here (Centralize under this framework)

Describe the solution you'd like

Centralized Flow Logs - Similar to https://aws.amazon.com/blogs/mt/vpc-flow-log-with-aws-control-tower-lifecycle/
Automatic Alternate Contact configuration - Similar to https://aws.amazon.com/blogs/mt/automatically-update-alternate-contacts-for-newly-created-aws-accounts/

Describe alternatives you've considered

Just use the blogs (although it would be nice to have a single place to access all of these)

Additional context

Add any other context or screenshots about the feature request here. e.g. link to a new AWS feature

[FEATURE] Refactor Config Conformance Pack Solution

Is your feature request related to a problem? Please describe.

Consistency across solutions, new cfn nag rules, new Security Hub rules, Customizations for Control Tower version 2

Describe the solution you'd like

  1. All - Sort parameters, properties, etc. in alphabetical order, where possible
  2. S3 - Add Ownership Controls configuration to the bucket
  3. S3 - Remove PutObjectAcl from the bucket policy, flagged by Security Hub standard
  4. Lambda - Remove boto3 from requirements.txt, if the Lambda runtime version supports the APIs needed
  5. Lambda - Use custom resource properties instead of environment variables
  6. Lambda - Refactor Lambda code to use resource properties
  7. CloudFormation - Add parameter AllowedPattern, where possible
  8. CloudFormation - Verify templates pass new CFN NAG rules
  9. Add support for Customizations for Control Tower V2

Describe alternatives you've considered

None

Additional context

None

[FEATURE] Packaging script updates to support Windows Git Bash

Is your feature request related to a problem? Please describe.

The packaging script does not work within Git Bash on a Windows machine.

Describe the solution you'd like

  • Support Zip and 7zip
  • Provide temporary folder name suffix to allow mktemp to work correctly
  • Cleanup created folders when exiting on an error
  • Add output messages for each stage

[BUG] Version number in manifest files for S3 Block Public Access (CfCT deployment) is incorrect

Describe the bug

The Version numbers in the CfCT deployment for S3 Block Public Access are incorrect.

To Reproduce

Steps to reproduce the behavior:

  1. Attempt to use the S3 Block Public Access solution through CfCT deployment
  2. Deployment fails because the version number is v1.2 in the config, while the CFN template requires v1.3
  3. See CFN template fail to deploy.

Expected behavior

The manifest.yaml and parameters.json files should be updated to use the only allowed value: v1.3

Screenshots

N/A

Deployment Environment (please complete the following information)

  • Deployment Framework [e.g. Customizations for Control Tower and CloudFormation StackSets]: Customizations for Control Tower (CfCT)
  • Deployment Framework Version [e.g. 1.0, 2.0]: 1.3

Additional context

By updating the value in manifest_v2.yaml I was able to use the CFN stack as provided.

[BUG] Correct documentation typos

Describe the bug

Config Conformance Pack - Provide both example conformance pack templates in the README
Firewall Manager - Align instructions with other solutions
Register Delegated Administrator - Fix resource_file template name

[FEATURE] Improvements to the GuardDuty Solution

I've been reviewing the configurations of GuardDuty following a base deployment on top of Control Tower and have noticed that there is no configuration option within the Current Automation to Enable EKS Audit Logs or the New Malware Protection option.

Would be extremely useful for these aspects to be added in longer term.

Thanks in Advance.

[BUG] Macie solution check available regions max threads

Describe the bug

If the number of regions is 2 or less, the max workers would be negative and fail

To Reproduce

Steps to reproduce the behavior:

  1. Enter 2 regions in the enable regions parameter
  2. Run the solution and check the Lambda logs

Expected behavior

The max_workers should be at least 1
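As an added illustration of the failure mode in this report (example code, not the SRA project's own Lambda), the block below bounds the thread pool size so it is always at least 1 and demonstrates that `ThreadPoolExecutor` rejects a non-positive `max_workers` with a `ValueError`. The page does not show how the original solution derived its worker count, so the ceiling `MAX_THREADS`, the `compute_max_workers` helper and the constructed region check are assumptions:

```python
"""Added example: keep a region-check thread pool size within [1, MAX_THREADS]."""
from concurrent.futures import ThreadPoolExecutor

MAX_THREADS = 20  # assumed upper bound on concurrent region checks


def compute_max_workers(region_count: int, ceiling: int = MAX_THREADS) -> int:
    """Return a worker count that is never below 1 and never above the ceiling.

    A derivation such as "region_count - N" goes to zero or negative for small
    region lists, which is what the bug report describes; clamping removes that.
    """
    return max(1, min(region_count, ceiling))


def pool_accepts(max_workers: int) -> bool:
    """True if ThreadPoolExecutor accepts this worker count (it raises for <= 0)."""
    try:
        ThreadPoolExecutor(max_workers=max_workers).shutdown()
        return True
    except ValueError:
        return False


def check_regions(regions, is_available) -> dict:
    """Run is_available(region) concurrently and return {region: bool}."""
    workers = compute_max_workers(len(regions))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(is_available, regions))
    return dict(zip(regions, results))


def _constructed_check(region: str) -> bool:
    # constructed stand-in for a real per-region service availability call
    return region in {"us-east-1", "us-west-2", "eu-west-1"}


if __name__ == "__main__":
    # two regions: the case that failed in the report
    print(check_regions(["us-east-1", "ap-south-1"], _constructed_check))
```

The clamp is cheap and makes the Lambda behave identically whether one region or twenty are governed; the only cost is that a one-region deployment runs its single check on a pool of one worker.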

[BUG] customizations-for-aws-control-tower fails deployment

Describe the bug

Because of this release yesterday, the CustomControlTowerS3AccessLogsBucket creation in the customizations-for-aws-control-tower.template template of the CfCt stack is failing.

To get it to work, I had to remove this line from the template
AccessControl: LogDeliveryWrite (line 263)
see this wiki page for more details.

The bug has been fixed in aws-solutions/aws-control-tower-customizations@fabefd8

To Reproduce

Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior

A clear and concise description of what you expected to happen.

Screenshots

If applicable, add screenshots to help explain your problem.

Deployment Environment (please complete the following information)

  • Deployment Framework [e.g. Customizations for Control Tower and CloudFormation StackSets]:
  • Deployment Framework Version [e.g. 1.0, 2.0]:

Additional context

Add any other context about the problem here.

[BUG] Create SSM params stack fail if the control tower governs only one region

Describe the bug

Creation of the common_prerequisites stack, which creates SSM parameters using CFn, fails if the number of regions governed by AWS Control Tower is less than 2.

To Reproduce

Steps to reproduce the behavior:

  1. Create stack from this template
  2. It fails to execute the custom CFN Lambda resource: because the number of regions governed by AWS Control Tower is less than 2, the Lambda fails to create the SSM parameter for this path. It is not possible to create an SSM parameter without a value, therefore it fails.

Error Log:

2022-03-16 xxxxxxxx | rManagementAccountParametersLambdaCustomResource | CREATE_FAILED | Received response status [FAILED] from custom resource. Message returned: An error occurred (ValidationException) when calling the PutParameter operation: 1 validation error detected: Value at 'value' failed to satisfy constraint: Member must have length greater than or equal to 1.

Expected behavior

We should be able to launch SRA even if the number of regions governed by AWS Control Tower is one.

Screenshots

If applicable, add screenshots to help explain your problem.

Deployment Environment (please complete the following information)

N/A since the error happens while deploying the pre-requisites.

Additional context

Error happens while deploying the pre-requisites.

[BUG] - CF Templates from Examples fail if Region doesn't support arm Lambda Functions

Describe the bug

CF Templates fail if the Region doesn't support arm Lambda Functions

To Reproduce

Steps to reproduce the behavior:

  1. Apply any SRA Example in a Region that doesn't support arm Lambda (sa-east-1, for example).

Expected behavior

StackSet fails with an architecture unsupported error

Recommendation

Update the CF template to check if the Region supports arm Lambda.

[BUG] Version number in manifest files for EBS Default Encryption (CfCT deployment) is incorrect

Describe the bug

The Version numbers in the CfCT deployment for EBS Default Encryption are incorrect.

To Reproduce

Steps to reproduce the behavior:

  1. Attempt to use the EBS Default Encryption solution through CfCT deployment
  2. Deployment fails because the version number is v1.2 in the config, while the CFN template requires v1.3
  3. See CFN template fail to deploy.

Expected behavior

A clear and concise description of what you expected to happen.

Screenshots

N/A

Deployment Environment (please complete the following information)

  • Deployment Framework [e.g. Customizations for Control Tower and CloudFormation StackSets]: Customizations for Control Tower (CfCT)
  • Deployment Framework Version [e.g. 1.0, 2.0]: 1.3

Additional context

By updating the value in manifest_v2.yaml I was able to use the CFN stack as provided.

[FEATURE] Remove AWS Landing Zone Solution

Is your feature request related to a problem? Please describe.

N/A

Describe the solution you'd like

Remove the AWS Landing Zone solution configurations and references

Describe alternatives you've considered

N/A

Additional context

N/A

[FEATURE] Add Amazon Inspector

Is your feature request related to a problem? Please describe

In alignment with the updated toolsets in SRA guidance, it would be extremely useful for an Amazon Inspector example solution to be created and shared in this repo.

Describe the solution you'd like

An example solution that deploys Amazon Inspector, including delegating the administrator and the option to automatically enable scanning for all member accounts.

Thank you in advance.

[BUG] Packaging script is missing error message for API failure

Describe the bug

When a bucket is provided in the packaging script and there isn't an active session, the script does not provide a failure message.

To Reproduce

Steps to reproduce the behavior:

  1. Run the package-lambda.sh without an existing AWS CLI session providing the --bucket attribute
  2. No message stating that the upload failed

Expected behavior

A message output stating that the S3 API call failed

[BUG] prereq-ssm-account-params.yaml missing parameter

Describe the bug

The prereq-ssm-account-params.yaml doesn't create the /org/primary/account_id SSM parameter which is referenced in solutions

Expected behavior

Add the /org/primary/account_id to the SSM parameters

S3 default encryption setting for CloudTrail

The Question

I was checking the CloudTrail, CMK, S3 setup and I saw that the S3 bucket is configured to use the CMK for default encryption.
Here is the code.

      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              KMSMasterKeyID: !Ref pOrganizationCloudTrailKMSKeyId
              SSEAlgorithm: aws:kms
            BucketKeyEnabled: True

Now I was wondering if this was necessary and if it would work?

  • Is this configuration necessary? --> CloudTrail encryption is encrypting the objects and uploading them to S3. S3 Default encryption only applies to objects which are uploaded without any encryption information, which is not the case.
  • When you upload an object to s3 without encryption information (if this is even allowed), then the default encryption will be applied, but then the KMS policy should allow that the bucket (in a different account) can use the CMK to encrypt.

Environment

  • CloudTrail

Other information

/
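The second bullet of the question turns on what the delivered log objects actually carry: bucket default encryption is only applied to objects that arrive without encryption information, so the useful check is to inspect the objects themselves. The block below is an added example (not code from this repository) that classifies constructed `HeadObject`-style responses by their encryption headers; `EXPECTED_KEY_ARN` and the object keys are placeholders, and the sample responses assume that S3 reports the KMS key in ARN form under `SSEKMSKeyId`:

```python
"""Added example: classify CloudTrail log objects by the encryption S3 reports for them."""

# placeholder for the organization CloudTrail CMK (pOrganizationCloudTrailKMSKeyId)
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"

# constructed stand-ins for s3.head_object(...) responses, keyed by object key
CONSTRUCTED_OBJECTS = {
    "AWSLogs/o-example/111111111111/CloudTrail/us-east-1/a.json.gz": {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": EXPECTED_KEY_ARN,
    },
    "AWSLogs/o-example/111111111111/CloudTrail/us-east-1/b.json.gz": {
        "ServerSideEncryption": "AES256",
    },
    "AWSLogs/o-example/222222222222/CloudTrail/us-east-1/c.json.gz": {
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": "arn:aws:kms:us-east-1:111111111111:key/SOME-OTHER-KEY",
    },
    "AWSLogs/o-example/222222222222/CloudTrail/us-east-1/d.json.gz": {},
}


def classify(head: dict, expected_key: str) -> str:
    """Map one object's encryption headers to an audit verdict."""
    sse = head.get("ServerSideEncryption")
    if sse == "aws:kms" and head.get("SSEKMSKeyId") == expected_key:
        return "ok"            # encrypted with the expected CMK
    if sse == "aws:kms":
        return "wrong-key"     # SSE-KMS, but not the trail's CMK
    if sse == "AES256":
        return "sse-s3"        # S3-managed key, not a CMK
    return "no-sse-header"     # nothing reported; investigate


def audit(objects: dict, expected_key: str = EXPECTED_KEY_ARN) -> dict:
    """Return {object_key: verdict} for every object."""
    return {key: classify(head, expected_key) for key, head in objects.items()}


def non_compliant(objects: dict, expected_key: str = EXPECTED_KEY_ARN) -> list:
    """Object keys whose verdict is anything other than 'ok', in input order."""
    return [k for k, v in audit(objects, expected_key).items() if v != "ok"]


if __name__ == "__main__":
    for key, verdict in audit(CONSTRUCTED_OBJECTS).items():
        print(f"{verdict:14} {key}")
```

Against a real bucket the same `classify` function would be fed the dict returned by `head_object` for each key listed under the trail's prefix; a "wrong-key" or "sse-s3" verdict is the signal that the trail's KMS configuration, not the bucket default, is what needs attention.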

[BUG] Problem with MAX_PASSWORD_AGE regex (IAM Password Policy)

Describe the bug

In the IAM Password Policy module I set the "MAX_PASSWORD_AGE" parameter to 180. The deploy failed and gave the following error:

"Received response status [FAILED] from custom resource. Message returned: 'MAX_PASSWORD_AGE' parameter with value of '180' does not follow the allowed pattern: ^[0-9]$|^[0-9][0-9]$|^[0-9][0-2][0-8]$. "

It looks like some problem with the regex. I found a similar regex issue with the "PASSWORD_REUSE_PREVENTION" parameter a couple of weeks ago (#116)

To Reproduce

Steps to reproduce the behavior:

  1. Set the MaxPasswordAge parameter to 180.
  2. Deploy the IAM Password Module

Expected behavior

The template should deploy with the MAX_PASSWORD_AGE value set to '180' because it's in the allowed range for this parameter (1-1095)
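To make the defect concrete, the block below (an added example, not the SRA solution's code) runs the pattern quoted in the error message against a few values and pairs it with a corrected pattern that accepts exactly the documented range 1-1095; `pattern_matches_range` brute-forces the corrected pattern against every integer from 0 to 1999 so the fix is verified rather than eyeballed. The helper names are assumptions:

```python
"""Added example: the MAX_PASSWORD_AGE allowed pattern from the report, and a corrected one."""
import re

# Pattern quoted in the bug report. It accepts 0-99 and, via the third branch,
# only three-digit values whose middle digit is 0-2 and last digit is 0-8.
BROKEN_PATTERN = re.compile(r"^[0-9]$|^[0-9][0-9]$|^[0-9][0-2][0-8]$")

# Corrected pattern for 1-1095: 1-999 | 1000-1089 | 1090-1095, no leading zeros.
FIXED_PATTERN = re.compile(r"^([1-9][0-9]{0,2}|10[0-8][0-9]|109[0-5])$")


def matches(pattern: re.Pattern, value: str) -> bool:
    """True if the whole string matches the pattern."""
    return pattern.fullmatch(value) is not None


def pattern_matches_range(pattern: re.Pattern = FIXED_PATTERN, low: int = 1, high: int = 1095) -> bool:
    """Exhaustively confirm that the pattern accepts exactly low..high among 0..1999."""
    return all(matches(pattern, str(n)) == (low <= n <= high) for n in range(0, 2000))


def validate_max_password_age(value: str) -> int:
    """Validate the string form of the parameter, then return it as an int."""
    if not matches(FIXED_PATTERN, value):
        raise ValueError(f"MAX_PASSWORD_AGE {value!r} is not in the allowed range 1-1095")
    return int(value)


if __name__ == "__main__":
    for sample in ("7", "90", "128", "129", "180", "1095", "1096"):
        print(f"{sample:>5}  broken={matches(BROKEN_PATTERN, sample)!s:5}  fixed={matches(FIXED_PATTERN, sample)}")
```

The same corrected expression can be used as the CloudFormation parameter `AllowedPattern` so that an out-of-range value is rejected at stack validation time rather than inside the custom resource, and the brute-force check is the kind of unit test worth keeping next to any hand-written numeric regex.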

[FEATURE] Refactor Macie Solution

Is your feature request related to a problem? Please describe.

No. The solution should align with the contribution guidelines and refreshed to align with other solutions.

Describe the solution you'd like

  • Change primary references to management
  • Remove creation of the CloudWatch log group
  • Align Lambda function code with contribution guidelines
  • Add threading to Lambda function code to speed up processing
  • CloudFormation template changes to organize alphabetically
  • Update Lambda runtime to python3.9
  • Remove unused KMS policy permissions
  • Add Security account to KMS policy

Describe alternatives you've considered

N/A

[FEATURE] Enabling Encryption with the SRA

Is your feature request related to a problem? Please describe

  • Currently, SRA is using SSM parameters for non-sensitive data (e.g., Organization ID, Management Account ID). Having the SSM parameters encrypted, or an option during the deployment would be nice.

  • A Customer has a control that requires all SSM parameters to be encrypted by their CMK.

Describe the solution you'd like

  • Encrypt SSM parameters regardless of whether they contain sensitive data. Preferably, provide an option for the customer to supply the CMK to be used.

  • Also, ok with moving to Secrets Manager for encrypted secrets, if that is easier.

[BUG] Default for S3 BPA Exclude Tags

Describe the bug

No default value for S3 BPA Exclude Tags

To Reproduce

Steps to reproduce the behavior:

  1. Run aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main-ssm.yaml --stack-name sra-s3-block-account-public-access-main-ssm --capabilities CAPABILITY_NAMED_IAM
  2. Get Error

Expected behavior

No Error

Deployment Environment (please complete the following information)

  • SRA 2.1.0

Refactor CloudTrail solution

Enhancement

Description

Refactor the CloudTrail solution to align with new coding and template standards.

Proposed Solution

  1. S3 - Remove additional replicated bucket configuration
  2. S3 - Add Ownership Controls configuration to the bucket
  3. All - Sort parameters, properties, etc. in alphabetical order, where possible
  4. Lambda - Remove boto3 from requirements.txt, if the Lambda runtime version supports the APIs needed
  5. Lambda - Use custom resource properties instead of environment variables
  6. Lambda - Refactor Lambda code to use resource properties
  7. CloudFormation - Add parameter AllowedPattern, where possible
  8. CloudFormation - Verify templates pass new CFN NAG rules
  9. Add support for Customizations for Control Tower V2

Deployment

  • AWS Landing Zone
  • Customizations for Control Tower
  • CloudFormation StackSets

Other Information

[BUG] Organization Macie manifest-v2.yaml parameter

Describe the bug

The Parameter key specified in Manifest "MacieOrgConfigurationRole" was inconsistent with the CFn template. Therefore, an error will occur in the verification of CfCT.

pOrgPrimaryLambdaRoleName should be pLambdaRoleName

Expected behavior

pOrgPrimaryLambdaRoleName should be pLambdaRoleName

[FEATURE] Automated Patching with AWS Systems Manager Patch Manager

Is your feature request related to a problem? Please describe

In alignment with the updated toolsets in SRA guidance, it would be extremely useful for an automated patching example solution to be created and shared in this repo using AWS Systems Manager Patch Manager.

Describe the solution you'd like

An example solution that deploys AWS Systems Manager Patch Manager with a patch baseline across the appropriate OUs with configurable key variables.

Thank you in advance.

[FEATURE] S3 bucket template changes to include deployment role

Is your feature request related to a problem? Please describe.

The bucket policy within the S3 bucket template allows all roles within the AWS Organization to read objects.

Describe the solution you'd like

Add a condition to restrict the bucket access to a specific role

[FEATURE] Add support to deploy multiple AWS Config Conformance Packs

Is your feature request related to a problem? Please describe

We have a use case where we need to deploy more than one Config Conformance Pack, such as HIPAA and FFIEC. However, the SRA solution only supports deploying one Conformance Pack at this time.

This limitation requires us to deploy and manage the second Conformance Pack out of the SRA solutions, which is not ideal.

Describe the solution you'd like

It'd be great if SRA could support more than one Conformance Pack. Some parameter that prompts the user for the number of Conformance Packs to deploy and then gets the names of multiple Conformance Packs as comma separated values. Just a thought.

Describe alternatives you've considered

For now, we are deploying and managing the multiple Conformance Packs directly via CloudFormation, outside of SRA.

Additional context

N/A

[BUG] Securityhub Org fails to deploy via CloudFormation

Describe the bug

The securityhub org stack fails to deploy the rSecurityHubOrgLambdaCustomResource in our Organization environment.

I am using the default CloudFormation template with no changes.

I can't seem to find anything in CloudTrail with an ERROR tag, only a bunch of INFOs from the Lambda function.

As far as I'm aware all the prerequisites are completed (other SRAs deploy fine). The only potential thing is there was an initial Security Hub setup that was removed & Security Hub disabled prior to attempting to run this stack.

The latest version of SRA is being used.

[FEATURE] Add Organization Config Aggregator

Is your feature request related to a problem? Please describe.

Managing the AWS Config aggregator across an organization is simplified with using the organization config aggregator in a delegated admin account

Describe the solution you'd like

AWS Config aggregator solution configured using AWS Organizations with delegated administration to the security tooling account

Describe alternatives you've considered

N/A

Additional context

https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html

[FEATURE] Refactor extras - Lambda Bucket Template

Is your feature request related to a problem? Please describe.

Consistency across solutions and pass new cfn nag rules

Describe the solution you'd like

  1. All - Sort parameters, properties, etc. in alphabetical order, where possible
  2. S3 - Add Ownership Controls configuration to the bucket
  3. S3 - Add versioning

Describe alternatives you've considered

None

Additional context

None

[BUG] Missing Ref calls in sra-common-prerequisites-main.yaml

Describe the bug

There are missing Ref calls in sra-common-prerequisites-main.yaml that mean when the template is used, it will use the variable name rather than the variable value. This causes the template to fail at deployment time.

To Reproduce

Steps to reproduce the behavior:

  1. Go to /aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml
  2. Scroll down to Line 269
  3. In the !Split function a variable is referenced but does not use the !Ref function
  4. Scroll down to line 314
  5. In the !Split function a variable is referenced but does not use the !Ref function

Expected behavior

!Ref should be used to pull the variable value

Screenshots

Deployment Environment (please complete the following information)

  • Deployment Framework: [Customizations for Control Tower and CloudFormation StackSets]:
  • Deployment Framework Version [2.0]:

Additional context

I have created a fork and updated the template file here. https://github.com/bigjimmynz/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml

It has been tested within my own Control Tower and Customizations for Control Tower environment

@ajmorga for internal reference
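The defect this report describes is easy to miss in review because the template is still valid YAML: a bare parameter name inside `!Split` is treated as a literal string, so the resource is built from the text `pSomething` instead of the parameter's value. The block below is an added example (not part of this repository) of a line-level check that flags `!Split` whose source is a bare `p`-prefixed name rather than an intrinsic such as `!Ref`. The template text is constructed for the example and the parameter name `pExampleRegions` is a placeholder:

```python
"""Added example: flag !Split sources that name a parameter without !Ref."""
import re

# !Split [ 'delimiter', <source> ]  -- capture the source expression
SPLIT_RE = re.compile(r"!Split\s*\[\s*(['\"][^'\"]*['\"])\s*,\s*([^\]]+?)\s*\]")

# constructed template; parameter names follow the repo's p-prefix convention
CONSTRUCTED_TEMPLATE = "\n".join([
    "Parameters:",
    "  pExampleRegions:",
    "    Type: String",
    "Resources:",
    "  rGoodParam:",
    "    Type: AWS::SSM::Parameter",
    "    Properties:",
    "      Value: !Select [0, !Split [',', !Ref pExampleRegions]]",
    "  rBadParam:",
    "    Type: AWS::SSM::Parameter",
    "    Properties:",
    "      Value: !Select [0, !Split [',', pExampleRegions]]",
])


def find_unreferenced_split_sources(template_text: str) -> list:
    """Return [(line_number, source)] for !Split calls whose source is a bare parameter name."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        match = SPLIT_RE.search(line)
        if not match:
            continue
        source = match.group(2).strip()
        if source.startswith("!"):
            continue  # !Ref / !GetAtt / !Sub etc. resolve at deploy time
        if re.fullmatch(r"p[A-Z]\w*", source):
            findings.append((lineno, source))
    return findings


if __name__ == "__main__":
    for lineno, source in find_unreferenced_split_sources(CONSTRUCTED_TEMPLATE):
        print(f"line {lineno}: !Split source '{source}' looks like a parameter; use !Ref {source}")
```

The check is deliberately narrow (one `!Split` per line, flow-style list syntax) so it can run as a pre-commit step on the templates without a YAML parser that understands CloudFormation's custom tags; a broader version would walk the parsed tree instead.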

[BUG] syntax error in package-lambda.sh

      [ec2-user@ip-10-129-28-246 ~]$ python package-lambda.sh -h
        File "package-lambda.sh", line 20
          usage="$(basename "$0") [-h] <--file_name s> [--bucket s] <--src_folder s> ---script to package lambda zip and upload to s3
                ^
      SyntaxError: invalid syntax

[FEATURE] IAM Password Policy Solution

Is your feature request related to a problem? Please describe.

The account password policy needs to be set in order to pass CIS compliance checks

Describe the solution you'd like

Provide a solution to set the account password policy

Describe alternatives you've considered

N/A

Additional context

N/A

[FEATURE] Add NIST Standard support to Security Hub

In a recent update, Security Hub now natively supports the NIST 800-53 Rev5 standard, which eliminates deploying and managing the NIST 800-53 Rev5 Config Conformance pack. It'd be nice to have the standard supported in Security Hub so it can be enabled on all new accounts added to the Organization.

Add any other context or screenshots about the feature request here. e.g. link to a new AWS feature

https://aws.amazon.com/about-aws/whats-new/2023/03/aws-security-hub-support-nist-sp-800-53-rev-5/
