Account Assessment for AWS Organizations programmatically scans all AWS accounts in an AWS Organization for identity-based and resource-based policies with Organization-based conditions.
Note: For any relevant information outside the scope of this readme, please refer to the solution landing page and implementation guide.
The default deployment of solution pre-packaged template deploys following infrastructure in your account.
- Python Prerequisite: python=3.9 | pip3=21.3.1
- Javascript Prerequisite: node=v18.10.0 | npm=8.19.2
Clone the repository and make desired code changes.
git clone aws-solutions/account-assessment-for-aws-organizations
Note: Following steps have been tested under above pre-requisites
βββ deployment/ - contains build scripts, deployment templates, and dist folders for staging assets.
βββ cdk-solution-helper/ - helper function for converting CDK output to a format compatible with the AWS Solutions pipelines.
βββ build-open-source-dist.sh - builds the open source package with cleaned assets and builds a .zip file in the /open-source folder for distribution to GitHub
βββ build-s3-dist.sh - builds the solution and copies artifacts to the appropriate /global-s3-assets or /regional-s3-assets folders.
βββ build-lambdas.sh - builds and packages the lambda code only
βββ source/
βββ account-assessment-solution.ts - the CDK app that wraps your solution.
βββ lambda/ - the source code for the solution's lambda functions
βββ requirements.txt
βββ testing_requirements.txt - python test dependency file
βββ assessment_runner/ - job management microservice
βββ aws/
βββ services - low-level clients to interact with AWS Services
βββ utils/
βββ delegated_admins/ - delegated admin scan microservice
βββ deploy_webui/ - lambda-backed custom resource to deploy solution WebUI to S3
βββ resource_based_policy/ - IAM policies scan microservice
βββ step_functions_lambda/
βββ supported_configuration/
βββ tests/
βββ trusted_access_enabled_services/ - Trusted AWS Services scan microservice
βββ utils/
βββ bin
βββ account-assessment-solution.ts - the main CDK stack for your solution.
βββ lib
βββ account-assessment-hub-stack.ts - the hub CDK stack.
βββ account-assessment-spoke-stack.ts - the spoke CDK stack.
βββ app-register.ts - integrates Hub and Spoke stacks with AppRegistry
βββorg-management-account-stack.ts - the AWS Organizations Management CDK stack.
βββ components - hub stack resources grouped into constructs for better maintainability
βββ api.ts - resources related to API Gateway
βββ cognito-authenticator.ts - resources related to authentication
βββ job-history-component.ts - DynamoDB table and Lambda functions related to the job management microservice
βββ resource-based-policy-component.ts - Lambda functions related to the resouce based policy microservice
βββ resource-based-policy-state-machine.ts - custom resource to deploy solution WebUI to S3
βββ simple-assessment-component.ts - generic set of DynamoDB table and Lambda functions for all microservices.
βββ web-ui-deployer.ts - custom resource to deploy solution WebUI to S3
βββ web-ui-hosting.ts - resources to host the web ui in S3
βββ webui - react app that serves as user interface for this solution
βββ test/
βββ __snapshots__/
βββ cdk-solution-test.ts - example unit and snapshot tests for CDK project.
βββ cdk.json - config file for CDK.
βββ jest.config.js - config file for unit tests.
βββ package.json - package file for the CDK project.
βββ README.md - doc file for the CDK project.
βββ run-all-tests.sh - runs all tests within the /source folder. Referenced in the buildspec and build scripts.
βββ .gitignore
βββ .viperlightignore - Viperlight scan ignore configuration (accepts file, path, or line item).
βββ .viperlightrc - Viperlight scan configuration.
βββ buildspec.yml - main build specification for CodeBuild to perform builds and execute unit tests.
βββ CHANGELOG.md - required for every solution to include changes based on version to auto-build release notes.
βββ CODE_OF_CONDUCT.md - standardized open source file for all solutions.
βββ CONTRIBUTING.md - standardized open source file for all solutions.
βββ LICENSE.txt - required open source file for all solutions - should contain the Apache 2.0 license.
βββ NOTICE.txt - required open source file for all solutions - should contain references to all 3rd party libraries.
βββ README.md - required file for all solutions.
Run unit tests to make sure added customization passes the tests.
cd ./source
chmod +x ./run-all-tests.sh
./run-all-tests.sh
cd ..
β Ensure all unit tests pass. Review the generated coverage report
To build your customized distributable follow given steps.
- Configure the solution name, version number and bucket name as environment variables
- At deployment time, the webui distributable will be copied from DIST_OUTPUT_BUCKET to the created hosting bucket.
Replace
solutions-featuresby your own bucket name, if you make changes to the web ui.
SOLUTION_NAME=AccountAssessment
DIST_OUTPUT_BUCKET=solutions-features
VERSION=custom001
- Build the distributable using build-s3-dist.sh
cd ./deployment
chmod +x ./build-s3-dist.sh
./build-s3-dist.sh $DIST_OUTPUT_BUCKET $SOLUTION_NAME $VERSION
cd ..
- If you customized the web ui, upload the folder
webuifromdeployment/regional-s3-assetsto your own s3 bucket. Replacesolutions-featuresin package.json by yor own bucket name.
Determine the parameter values that you want to deploy the stacks with:
- DeploymentNamespace: An arbitrary value that is shared by Hub Stack and OrgMgmt Stack and Spoke Stack.
- CognitoDomainPrefix: An arbitrary, globally unique value to prefix the login page url.
- UserEmail: The email address for the first Cognito User which the deployment creates.
- AllowListedIPRanges: CIDR blocks to permit API access. To allow any IP, use 0.0.0.0/1,128.0.0.0/1
- HubAccountId: The AccountId of your AWS Account you are deploying the Hub Stack to.
PROFILE_HUB, PROFILE_SPOKE, PROFILE_ORG_MGMT are the AWS CLI profiles on your machine that determines AccountId and Region to deploy to. We recommend to choose an account as PROFILE_HUB that is different from your Org Management Account. Each account in your AWS Organization that you intend to scan wit this solution is a spoke account and needs a deployment of the spoke template.
In case your accounts have not been bootstrapped for cdk yet, run:
cd ./source
npm run bootstrap -- --profile <PROFILE_HUB>
npm run bootstrap -- --profile <PROFILE_SPOKE>
npm run bootstrap -- --profile <PROFILE_ORG_MGMT>
cd ..
With the values determined above, run the following commands:
cd ./source
npm run deploy -- --parameters DeploymentNamespace=<NAMESPACE> --parameters CognitoDomainPrefix=<PREFIX> --parameters UserEmail=<EMAIL> --parameters AllowListedIPRanges=<IP-RANGES> --profile <PROFILE_HUB>
npm run deploySpoke -- --parameters DeploymentNamespace=<NAMESPACE> --parameters HubAccountId=<HUB_ACCOUNT_ID> --profile <PROFILE_SPOKE>
npm run deployOrgMgmt -- --parameters DeploymentNamespace=<NAMESPACE> --parameters HubAccountId=<HUB_ACCOUNT_ID> --profile <PROFILE_ORG_MGMT>
cd ..
Once you have built and deployed the complete solution once, you may want to shorten the cycle times for iterative development.
- Download the file
aws-exports-generated.jsonfrom your WebUIHostingBucket that was created during the first deployment. - Place the file in
/source/webui/public - Replace the generated values of the following properties in the file to point to localhost:
"redirectSignIn": "http://localhost:3000/",
"redirectSignOut": "http://localhost:3000/",
Start the web ui react app locally. It will use Cognito and API Gateway in your Hub Account as the backend.
cd ./source/webui
npm run start
When you make changes to the lambda function code only (source/lambda), you may want to package and deploy the lambda
code without building the webui. For that, run the following commands with the parameter values determined above:
cd ./source
npm run buildLambdaAndDeploy -- --parameters DeploymentNamespace=<NAMESPACE> --parameters CognitoDomainPrefix=<PREFIX> --parameters UserEmail=<EMAIL> --parameters AllowListedIPRanges=<IP-RANGES> --profile <PROFILE_HUB>
cd ..
This will replace the file deployment/regional-s3-assets/lambda.zip from your initial build with a new package of your
modified source code and its dependencies, retaining deployment/regional-s3-assets/webui from the initial build.
Should you make changes to the CDK app code only, and neither webui nor lambda code, it is sufficient to run:
cd ./source
npm run deploy -- --parameters DeploymentNamespace=<NAMESPACE> --parameters CognitoDomainPrefix=<PREFIX> --parameters UserEmail=<EMAIL> --parameters AllowListedIPRanges=<IP-RANGES> --profile <PROFILE_HUB>
cd ..
This will update your hub stack with the changed resources, but use the unchanged webui and lambda code in
deployment/regional-s3-assets from the initial build.
This solution collects anonymized operational metrics to help AWS improve the quality and features of the solution. For more information, including how to disable this capability, please see the implementation guide.
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
http://www.apache.org/licenses/
or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and limitations under the License.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent