-
Notifications
You must be signed in to change notification settings - Fork 256
/
Copy pathsra-common-prerequisites-management-account-parameters.yaml
373 lines (366 loc) · 15.5 KB
/
sra-common-prerequisites-management-account-parameters.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
This template creates AWS Control Tower Account SSM Parameters. - 'common_prerequisites' solution in the repo,
https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h)
Metadata:
SRA:
Version: 1.0
Order: 4
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: General Properties
Parameters:
- pSRASolutionTagKey
- pSRASolutionName
- pSRAStagingS3BucketName
- Label:
default: Landing Zone
Parameters:
- pControlTower
- pGovernedRegions
- pSecurityAccountId
- pLogArchiveAccountId
- Label:
default: Management Account Parameters - Lambda Function Properties
Parameters:
- pManagementAccountParametersLambdaRoleName
- pManagementAccountParametersLambdaFunctionName
- Label:
default: General Lambda Function Properties
Parameters:
- pCreateLambdaLogGroup
- pLambdaLogGroupRetention
- pLambdaLogGroupKmsKey
- pLambdaLogLevel
ParameterLabels:
pControlTower:
default: AWS Control Tower landing zone deployed/in-use
pGovernedRegions:
default: AWS regions (comma separated) if not using AWS Control Tower (leave set to ct-regions for AWS Control Tower environments)
pSecurityAccountId:
default: Security Tooling Account ID
pLogArchiveAccountId:
default: Log Archive Account ID
pCreateLambdaLogGroup:
default: Create Lambda Log Group
pLambdaLogGroupKmsKey:
default: (Optional) Lambda Logs KMS Key
pLambdaLogGroupRetention:
default: Lambda Log Group Retention
pLambdaLogLevel:
default: Lambda Log Level
pManagementAccountParametersLambdaFunctionName:
default: Management Account Parameters - Lambda Function Name
pManagementAccountParametersLambdaRoleName:
default: Management Account Parameters - Lambda Role Name
pSRASolutionName:
default: SRA Solution Name
pSRASolutionTagKey:
default: SRA Solution Tag Key
pSRAStagingS3BucketName:
default: (Optional) SRA Staging S3 Bucket Name
Parameters:
pControlTower:
AllowedValues: ['true', 'false']
Default: 'true'
Description:
Indicates whether AWS Control Tower is deployed and being used for this AWS environment.
Type: String
pGovernedRegions:
AllowedPattern: '^(ct-regions)|((\b(?<!@)(af-south-1|ap-east-1|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ca-central-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|me-central-1|me-south-1|sa-east-1|us-east-1|us-east-2|us-gov-east-1|us-gov-west-1|us-west-1|us-west-2)\b,{0,1})*)$'
ConstraintDescription:
For AWS Control Tower, set to ct-regions (default). If not using AWS Control Tower, specify comma separated list of regions (e.g. us-west-2,us-east-1,ap-south-1) in lower case.
Default: ct-regions
Description: AWS regions (comma separated) if not using AWS Control Tower (leave set to ct-regions for AWS Control Tower environments)
Type: String
pSecurityAccountId:
AllowedPattern: '^\d{12}$'
Default: 111111111111
ConstraintDescription: Must be 12 digits.
Description: AWS Account ID of the Security Tooling account (ignored for AWS Control Tower environments).
Type: String
pLogArchiveAccountId:
AllowedPattern: '^\d{12}$'
Default: 222222222222
ConstraintDescription: Must be 12 digits.
Description: AWS Account ID of the Log Archive account (ignored for AWS Control Tower environments).
Type: String
pCreateLambdaLogGroup:
AllowedValues: ['true', 'false']
Default: 'false'
Description:
Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS
Key for encryption.
Type: String
pLambdaLogGroupKmsKey:
AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$'
ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
Default: ''
Description:
(Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side
encryption keys.
Type: String
pLambdaLogGroupRetention:
AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
Default: 14
Description: Specifies the number of days you want to retain log events
Type: String
pLambdaLogLevel:
AllowedValues: [INFO, ERROR, DEBUG]
Default: INFO
Description: Lambda Function Logging Level
Type: String
pManagementAccountParametersLambdaFunctionName:
AllowedPattern: '^[\w-]{1,64}$'
ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -]
Default: sra-management-account-parameters
Description: Lambda function name for creating Control Tower account SSM parameters.
Type: String
pManagementAccountParametersLambdaRoleName:
AllowedPattern: '^[\w+=,.@-]{1,64}$'
ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -].
Default: sra-management-account-parameters-lambda
Description: Lambda execution role for creating Control Tower account SSM parameters.
Type: String
pSRASolutionName:
AllowedValues: [sra-common-prerequisites]
Default: sra-common-prerequisites
Description: The SRA solution name. The default value is the folder name of the solution
Type: String
pSRASolutionTagKey:
AllowedValues: [sra-solution]
Default: sra-solution
Description: The SRA solution tag key applied to all resources created by the solution that support tagging. The value is the pSRASolutionName.
Type: String
pSRAStagingS3BucketName:
AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
ConstraintDescription:
S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
Default: ''
Description:
(Optional) SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates). If empty, the SRA
Staging S3 bucket name will be resolved from the SSM Parameter '/sra/staging-s3-bucket-name'.
Type: String
Conditions:
cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'true']
cUseKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
cUseSRAStagingS3BucketNameSSMParameter: !Equals [!Ref pSRAStagingS3BucketName, '']
cUseGraviton: !Or
- !Equals [!Ref 'AWS::Region', ap-northeast-1]
- !Equals [!Ref 'AWS::Region', ap-south-1]
- !Equals [!Ref 'AWS::Region', ap-southeast-1]
- !Equals [!Ref 'AWS::Region', ap-southeast-2]
- !Equals [!Ref 'AWS::Region', eu-central-1]
- !Equals [!Ref 'AWS::Region', eu-west-1]
- !Equals [!Ref 'AWS::Region', eu-west-2]
- !Equals [!Ref 'AWS::Region', us-east-1]
- !Equals [!Ref 'AWS::Region', us-east-2]
- !Equals [!Ref 'AWS::Region', us-west-2]
Resources:
rManagementAccountParametersLambdaCustomResource:
Type: Custom::LambdaCustomResource
Version: '1.0'
Properties:
ServiceToken: !GetAtt rManagementAccountParametersLambdaFunction.Arn
TAG_KEY: !Ref pSRASolutionTagKey
TAG_VALUE: !Ref pSRASolutionName
CONTROL_TOWER: !Ref pControlTower
OTHER_REGIONS: !Ref pGovernedRegions
OTHER_SECURITY_ACCT: !Ref pSecurityAccountId
OTHER_LOG_ARCHIVE_ACCT: !Ref pLogArchiveAccountId
rManagementAccountParametersLambdaFunction:
Metadata:
cfn_nag:
rules_to_suppress:
- id: W58
reason: Lambda role provides access to CloudWatch Logs
- id: W89
reason: Lambda does not need to communicate with VPC resources.
- id: W92
reason: Lambda does not need reserved concurrent executions.
checkov:
skip:
- id: CKV_AWS_115
comment: Lambda does not need reserved concurrent executions.
- id: CKV_AWS_116
comment: DLQ not needed, as Lambda function only triggered by CloudFormation events.
- id: CKV_AWS_117
comment: Lambda does not need to communicate with VPC resources.
- id: CKV_AWS_173
comment: Environment variables are not sensitive
Type: AWS::Lambda::Function
Properties:
FunctionName: !Ref pManagementAccountParametersLambdaFunctionName
Description: Creates Control Tower account SSM Parameters in the Management Account
Architectures: !If
- cUseGraviton
- [arm64]
- !Ref AWS::NoValue
Handler: app.lambda_handler
Role: !GetAtt rManagementAccountParametersLambdaRole.Arn
Runtime: python3.9
Timeout: 300
Code:
S3Bucket: !If
- cUseSRAStagingS3BucketNameSSMParameter
- '{{resolve:ssm:/sra/staging-s3-bucket-name}}'
- !Ref pSRAStagingS3BucketName
S3Key: !Sub ${pSRASolutionName}/lambda_code/${pSRASolutionName}.zip
Environment:
Variables:
LOG_LEVEL: !Ref pLambdaLogLevel
CONTROL_TOWER: !Ref pControlTower
OTHER_REGIONS: !Ref pGovernedRegions
OTHER_SECURITY_ACCT: !Ref pSecurityAccountId
OTHER_LOG_ARCHIVE_ACCT: !Ref pLogArchiveAccountId
Tags:
- Key: !Ref pSRASolutionTagKey
Value: !Ref pSRASolutionName
rManagementAccountParametersLambdaLogGroup:
Condition: cCreateLambdaLogGroup
DeletionPolicy: Retain
Type: AWS::Logs::LogGroup
UpdateReplacePolicy: Retain
Properties:
LogGroupName: !Sub /aws/lambda/${pManagementAccountParametersLambdaFunctionName}
KmsKeyId: !If
- cUseKmsKey
- !Ref pLambdaLogGroupKmsKey
- !Ref AWS::NoValue
RetentionInDays: !Ref pLambdaLogGroupRetention
rManagementAccountParametersLambdaRole:
Type: AWS::IAM::Role
Metadata:
cfn_nag:
rules_to_suppress:
- id: W11
reason: Allow * in resource when required
- id: W28
reason: The role name is defined to identify automation resources
Properties:
RoleName: !Ref pManagementAccountParametersLambdaRoleName
Description: !Sub Role for '${pManagementAccountParametersLambdaRoleName}' Lambda function
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
Service:
- lambda.amazonaws.com
Tags:
- Key: !Ref pSRASolutionTagKey
Value: !Ref pSRASolutionName
Policies:
- PolicyName: ssm-account-parameter-creator
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: STSOrganizationRead
Effect: Allow
Action:
- organizations:DescribeOrganization
- organizations:ListAccounts
- organizations:ListRoots
Resource: '*'
- Sid: CloudFormationRead
Effect: Allow
Action:
- cloudformation:DescribeStackSet
- cloudformation:ListStackInstances
Resource: '*'
- Sid: SSMParameterRead
Effect: Allow
Action: ssm:DescribeParameters
Resource: '*'
- Sid: SSMParameterReadValues
Effect: Allow
Action: ssm:GetParameters
Resource: !Sub arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/sra/*
- Sid: SSMParameterWrite
Effect: Allow
Action:
- ssm:AddTagsToResource
- ssm:DeleteParameters
- ssm:PutParameter
Resource: !Sub arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/sra/*
- Sid: TagsRead
Effect: Allow
Action: tag:GetResources
Resource: '*'
- PolicyName: CloudWatchLogGroup
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: CloudWatchLogs
Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${pManagementAccountParametersLambdaFunctionName}:log-stream:*
Outputs:
oAuditAccountId:
Description: Audit Account ID
Value: !GetAtt rManagementAccountParametersLambdaCustomResource.AuditAccountId
Export:
Name: eAuditAccountId
oCustomerControlTowerRegions:
Description: Customer Control Tower Regions
Value: !Join [',', !GetAtt rManagementAccountParametersLambdaCustomResource.CustomerControlTowerRegions]
Export:
Name: eCustomerControlTowerRegions
oEnabledRegions:
Description: Enabled Regions
Value: !Join [',', !GetAtt rManagementAccountParametersLambdaCustomResource.EnabledRegions]
Export:
Name: eEnabledRegions
oEnabledRegionsWithoutHomeRegion:
Description: Enabled Regions without Home Region
Value: !Join [',', !GetAtt rManagementAccountParametersLambdaCustomResource.EnabledRegionsWithoutHomeRegion]
Export:
Name: eEnabledRegionsWithoutHomeRegion
oHomeRegion:
Description: Control Tower Home Region
Value: !GetAtt rManagementAccountParametersLambdaCustomResource.HomeRegion
Export:
Name: eHomeRegion
oLogArchiveAccountId:
Description: Log Archive Account ID
Value: !GetAtt rManagementAccountParametersLambdaCustomResource.LogArchiveAccountId
Export:
Name: eLogArchiveAccountId
oManagementAccountId:
Description: Management Account ID
Value: !GetAtt rManagementAccountParametersLambdaCustomResource.ManagementAccountId
Export:
Name: eManagementAccountId
oOrganizationId:
Description: Organization ID
Value: !GetAtt rManagementAccountParametersLambdaCustomResource.OrganizationId
oRootOrganizationalUnitId:
Description: Root Organizational Unit ID
Value: !GetAtt rManagementAccountParametersLambdaCustomResource.RootOrganizationalUnitId
Export:
Name: eRootOrganizationalUnitId
oManagementAccountParametersLambdaFunctionArn:
Description: Management Account Parameters Lambda Function ARN
Value: !GetAtt rManagementAccountParametersLambdaFunction.Arn
Export:
Name: eManagementAccountParametersLambdaFunctionArn
oManagementAccountParametersLambdaLogGroupArn:
Condition: cCreateLambdaLogGroup
Description: Management Account Parameters Lambda Log Group ARN
Value: !GetAtt rManagementAccountParametersLambdaLogGroup.Arn
Export:
Name: eManagementAccountParametersLambdaLogGroupArn
oManagementAccountParametersLambdaRoleArn:
Description: Management Account Parameters Lambda Role ARN
Value: !GetAtt rManagementAccountParametersLambdaRole.Arn
Export:
Name: eManagementAccountParametersLambdaRoleArn