From 58262bc3ad16037a434470aa03a2ff56a71770b6 Mon Sep 17 00:00:00 2001 
From: "Wickersham, Andy" Date: Tue, 29 Mar 2022 12:08:03 -0500 Subject: [PATCH 1/2] Moved staging S3 bucket deployment instructions, added AWS CLI commands, default values for optional parameters --- CHANGELOG.md | 16 ++ .../docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md | 17 +- .../cloudtrail/cloudtrail_org/README.md | 9 + .../sra-cloudtrail-org-main-ssm.yaml | 2 + .../templates/sra-cloudtrail-org-main.yaml | 2 + .../common/common_cfct_setup/README.md | 19 ++- .../sra-common-cfct-setup-main-ssm.yaml | 158 ------------------ .../templates/sra-common-cfct-setup-main.yaml | 1 + .../common/common_prerequisites/README.md | 22 ++- .../sra-common-prerequisites-main-ssm.yaml | 5 +- .../sra-common-prerequisites-main.yaml | 1 + ...uisites-management-account-parameters.yaml | 2 + ...ommon-prerequisites-staging-s3-bucket.yaml | 2 + .../README.md | 12 +- ...-register-delegated-administrator-ssm.yaml | 4 +- ...mmon-register-delegated-administrator.yaml | 3 +- .../config/config_aggregator_org/README.md | 9 + .../config_conformance_pack_org/README.md | 9 + ...-config-conformance-pack-org-main-ssm.yaml | 2 + .../sra-config-conformance-pack-org-main.yaml | 2 + .../config_management_account/README.md | 9 + ...ra-config-management-account-main-ssm.yaml | 4 +- .../sra-config-management-account-main.yaml | 3 + .../ec2/ec2_default_ebs_encryption/README.md | 9 + ...a-ec2-default-ebs-encryption-main-ssm.yaml | 1 + .../sra-ec2-default-ebs-encryption-main.yaml | 1 + .../firewall_manager_org/README.md | 9 + .../sra-firewall-manager-org-main-ssm.yaml | 2 + .../sra-firewall-manager-org-main.yaml | 2 + .../guardduty/guardduty_org/README.md | 9 + .../sra-guardduty-org-configuration.yaml | 4 +- .../templates/sra-guardduty-org-main-ssm.yaml | 5 + .../templates/sra-guardduty-org-main.yaml | 11 +- .../iam/iam_access_analyzer/README.md | 9 + .../sra-iam-access-analyzer-main-ssm.yaml | 1 - .../iam/iam_password_policy/README.md | 12 +- .../sra-iam-password-policy-main-ssm.yaml | 1 + 
.../sra-iam-password-policy-main.yaml | 1 + .../solutions/macie/macie_org/README.md | 9 + .../sra-macie-org-configuration.yaml | 4 +- .../templates/sra-macie-org-main-ssm.yaml | 5 + .../templates/sra-macie-org-main.yaml | 4 + .../s3_block_account_public_access/README.md | 14 +- .../securityhub/securityhub_org/README.md | 11 +- .../manifest.yaml | 2 +- .../sra-securityhub-org-configuration.yaml | 4 +- .../sra-securityhub-org-main-ssm.yaml | 5 + .../templates/sra-securityhub-org-main.yaml | 5 + pyproject.toml | 2 +- 49 files changed, 263 insertions(+), 192 deletions(-) delete mode 100644 aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main-ssm.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index d862d5efd..3ed5113b4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Table of Contents - [Introduction](#introduction) +- [2022-03-29](#2022-03-29) - [2022-03-16](#2022-03-16) - [2022-03-14](#2022-03-14) - [2022-01-07](#2022-01-07) 
@@ -22,6 +23,21 @@ All notable changes to this project will be documented in this file. --- +## 2022-03-29 + +### Changed + +- Updated the [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution README to remove deploying the Staging S3 Bucket within the Solution Deployment steps. The + [DOWNLOAD-AND-STAGE-SOLUTIONS.md](aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md) document now includes this step. +- Updated the [DOWNLOAD-AND-STAGE-SOLUTIONS.md](aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md) document to include deploying the Staging S3 Bucket template. Also, added an AWS CLI command for deploying the template via the command line. +- Updated the `Solution Deployment` instructions in all solution README files to include AWS CLI commands for deploying the main templates. The AWS CLI command can be used to deploy the template via the command line within tools like CloudShell. +- Updated all main template parameters that allow a blank string to include a default empty string allowing the AWS CLI command to work without passing the `optional` parameters. +- Added an allowed pattern for email address parameters. + +### Removed + +- Removed the sra-common-cfct-setup-main-ssm.yaml template as it was the same as the other main template. + ## 2022-03-16 ### Fixed diff --git a/aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md b/aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md index 87c95cbc7..a89c4086f 100644 --- a/aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md +++ b/aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md 
@@ -8,8 +8,21 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License- 1. [Install the prerequisites](#install-the-prerequisites). 2. [Download the SRA examples code from GitHub](#download-the-sra-examples-code-from-github). -3. [Authenticate to the AWS management account](#authenticate-to-the-aws-management-account). -4. Package and stage all the AWS SRA example solutions. For more information see [Staging script details](#staging-script-details). + + ```bash + git clone https://github.com/aws-samples/aws-security-reference-architecture-examples.git $HOME/aws-sra-examples + cd $HOME/aws-sra-examples + ``` + +3. In the `management account (home region)`, launch an AWS CloudFormation **Stack** using the [sra-common-prerequisites-staging-s3-bucket.yaml](../solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml) + template file as the source. + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml --stack-name sra-common-prerequisites-staging-s3-bucket --capabilities CAPABILITY_NAMED_IAM + ``` + +4. [Authenticate to the AWS management account](#authenticate-to-the-aws-management-account). +5. Package and stage all the AWS SRA example solutions. For more information see [Staging script details](#staging-script-details). ```bash diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/README.md b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/README.md index 43098fdec..2f8aa0842 100644 --- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/README.md +++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/README.md 
@@ -148,8 +148,17 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack* - **Option 1:** (Recommended) Use the [sra-cloudtrail-org-main-ssm.yaml](templates/sra-cloudtrail-org-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml --stack-name sra-cloudtrail-org-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-cloudtrail-org-main.yaml](templates/sra-cloudtrail-org-main.yaml) template. Input is required for the CloudFormation parameters where the default is not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main.yaml --stack-name sra-cloudtrail-org-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId= pLogArchiveAccountId= pOrganizationId= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment 1. Log into the `management account` and navigate to the CloudTrail page diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml index ea0c4a882..b49cd5878 100644 --- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml 
@@ -111,6 +111,7 @@ Parameters: pCloudTrailLogGroupKmsKey: AllowedPattern: ^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$ ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the CloudTrail log group data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -161,6 +162,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: ^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$ ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main.yaml index 55f54ffe8..56555aa9c 100644 --- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main.yaml +++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main.yaml @@ -107,6 +107,7 @@ Parameters: pCloudTrailLogGroupKmsKey: AllowedPattern: ^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$ ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the CloudTrail log group data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. 
@@ -148,6 +149,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: ^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$ ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. diff --git a/aws_sra_examples/solutions/common/common_cfct_setup/README.md b/aws_sra_examples/solutions/common/common_cfct_setup/README.md index ddefff159..eb910d2c6 100644 --- a/aws_sra_examples/solutions/common/common_cfct_setup/README.md +++ b/aws_sra_examples/solutions/common/common_cfct_setup/README.md 
@@ -11,11 +11,15 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License- ## Introduction -The `SRA Customizations for Control Tower (CFCT) Solution` deploys the [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) (CFCT) solution. This provides a method to simplify the deployment of SRA solutions and customer customizations within an AWS Control Tower environment. +The `SRA Customizations for Control Tower (CFCT) Solution` deploys the [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) (CFCT) solution. This provides a method to simplify +the deployment of SRA solutions and customer customizations within an AWS Control Tower environment. -The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices. Before deploying this solution, you must have an AWS Control Tower landing zone deployed in your account. +The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices. Before deploying +this solution, you must have an AWS Control Tower landing zone deployed in your account. -You can easily add customizations to your AWS Control Tower landing zone using an AWS CloudFormation template and service control policies (SCPs). You can deploy the custom template and policies to individual accounts and organizational units (OUs) within your organization. This solution integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with your landing zone. 
For example, when a new account is created using the AWS Control Tower account factory, the solution ensures that all resources attached to the account's OUs will be automatically deployed. +You can easily add customizations to your AWS Control Tower landing zone using an AWS CloudFormation template and service control policies (SCPs). You can deploy the custom template and policies to individual accounts and organizational units (OUs) +within your organization. This solution integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with your landing zone. For example, when a new account is created using the AWS Control Tower account +factory, the solution ensures that all resources attached to the account's OUs will be automatically deployed. ## Deployed Resource Details 
@@ -47,9 +51,12 @@ You can easily add customizations to your AWS Control Tower landing zone using a ### Solution Deployment -1. In the `management account (home region)`, launch the AWS CloudFormation **Stack** using the template file as the source from the below chosen options: - - **Option 1:** (Recommended) Use this template, [sra-common-cfct-setup-main-ssm.yaml](templates/sra-common-cfct-setup-main-ssm.yaml), for a more automated approach where CloudFormation parameters resolve SSM parameters. - - **Option 2:** Use this template, [sra-common-cfct-setup-main.yaml](templates/sra-common-cfct-setup-main.yaml), where input is required for the CloudFormation parameters, without resolving SSM parameters. +1. In the `management account (home region)`, launch an AWS CloudFormation **Stack** using the [sra-common-cfct-setup-main.yaml](templates/sra-common-cfct-setup-main.yaml) template file as the source. + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml --stack-name sra-common-cfct-setup-main --capabilities CAPABILITY_NAMED_IAM + ``` + 2. For CodeCommit setup follow these steps: [AWS CodeCommit Repo](../../../docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md#aws-codecommit-repo) ### Solution Delete Instructions diff --git a/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main-ssm.yaml b/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main-ssm.yaml deleted file mode 100644 index 2b35735c5..000000000 --- a/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main-ssm.yaml +++ /dev/null 
@@ -1,158 +0,0 @@ -######################################################################## -# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: MIT-0 -######################################################################## -AWSTemplateFormatVersion: 2010-09-09 -Description: - This template deploys Customizations for Control Tower (CFCT). Resolving SSM parameters. - 'common_cfct_setup' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples -Metadata: - SRA: - Version: 1.0 - Entry: Parameters for deploying CFCT solution resolving SSM parameters - Order: 1 - cfn-lint: - config: - ignore_checks: - - W6001 - AWS::CloudFormation::Interface: - ParameterGroups: - - Label: - default: General Properties - Parameters: - - pSRASolutionName - - Label: - default: CFCT - Pipeline Configuration - Parameters: - - pDeployCustomizationsForAWSControlTower - - pPipelineApprovalStage - - pPipelineApprovalEmail - - pCodePipelineSource - - Label: - default: CFCT - AWS CodeCommit Setup (Applicable if 'AWS CodeCommit' was selected as the CodePipeline Source) - Parameters: - - pExistingRepository - - pCodeCommitRepositoryName - - pCodeCommitBranchName - - Label: - default: CFCT - AWS CloudFormation StackSets Configuration - Parameters: - - pRegionConcurrencyType - - pMaxConcurrentPercentage - - pFailureTolerancePercentage - - ParameterLabels: - pCodeCommitBranchName: - default: CodeCommit Branch Name - pCodeCommitRepositoryName: - default: CodeCommit Repository Name - pCodePipelineSource: - default: AWS CodePipeline Source - pDeployCustomizationsForAWSControlTower: - default: Deploy Customizations for AWS Control Tower - pExistingRepository: - default: Existing CodeCommit Repository? 
- pFailureTolerancePercentage: - default: Failure Tolerance Percentage - pMaxConcurrentPercentage: - default: Max Concurrent Percentage - pPipelineApprovalEmail: - default: Pipeline Approval Email Address - pPipelineApprovalStage: - default: Pipeline Approval Stage - pRegionConcurrencyType: - default: Region Concurrency Type - pSRASolutionName: - default: SRA Solution Name - -Parameters: - pCodeCommitBranchName: - Default: main - Description: Name of the branch in CodeCommit repository that contains custom Control Tower configuration. - MaxLength: 256 - MinLength: 1 - Type: String - pCodeCommitRepositoryName: - AllowedPattern: '^[\w-.]{1,100}(? pCustomerControlTowerRegions= pCustomerControlTowerRegionsWithoutHomeRegion= pEnabledRegions= pEnabledRegionsWithoutHomeRegion= pHomeRegion= pLogArchiveAccountId= pOrganizationId= pRootOrganizationalUnitId= + ``` + ## References - [How AWS Control Tower works with roles to create and manage accounts](https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html) diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main-ssm.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main-ssm.yaml index 27af867d2..fd937a763 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main-ssm.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main-ssm.yaml 
@@ -139,8 +139,8 @@ Parameters: Default: /sra/regions/enabled-regions Description: SSM Parameter for Enabled regions. Regions that are enabled within all accounts in the AWS Organization. This list should include all enabled - regions and not just the Control Tower governed regions. For example, it is recommended to enable GuardDuty in all active regions, which might - include regions not governed by Control Tower. + regions and not just the Control Tower governed regions. For example, it is recommended to enable some services like GuardDuty in all active + regions, which might include regions not governed by Control Tower. Type: AWS::SSM::Parameter::Value> pEnabledRegionsWithoutHomeRegion: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' @@ -159,6 +159,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml index 75689978a..36ac16e04 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml 
@@ -157,6 +157,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml index adfb60f1e..d48492ff8 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml @@ -61,6 +61,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. 
@@ -101,6 +102,7 @@ Parameters: AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Default: '' Description: (Optional) SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates). If empty, the SRA Staging S3 bucket name will be resolved from the SSM Parameter '/sra/staging-s3-bucket-name'. diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml index fb6a0935f..af1241b16 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml @@ -70,6 +70,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -99,6 +100,7 @@ Parameters: pOrganizationId: AllowedPattern: '^$|^o-[a-z0-9]{10,32}$' ConstraintDescription: Must start with 'o-' followed by from 10 to 32 lowercase letters or digits. (e.g. o-abc1234567) + Default: '' Description: (Optional) AWS Organizations ID. If empty, custom resource will be deployed to determine the AWS Organization ID. Type: String pSRASolutionName: 
diff --git a/aws_sra_examples/solutions/common/common_register_delegated_administrator/README.md b/aws_sra_examples/solutions/common/common_register_delegated_administrator/README.md index 92359c6cd..6d14e03e1 100644 --- a/aws_sra_examples/solutions/common/common_register_delegated_administrator/README.md +++ b/aws_sra_examples/solutions/common/common_register_delegated_administrator/README.md 
@@ -85,9 +85,19 @@ Choose a Deployment Method: In the `management account (home region)`, launch an AWS CloudFormation **Stack** using one of the options below: -- **Option 1:** (Recommended) Use the [sra-common-register-delegated-administrator-ssm.yaml](templates/sra-common-register-delegated-administrator-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). The `Audit account` is set as the delegated administrator account for all the associated SRA solutions. +- **Option 1:** (Recommended) Use the [sra-common-register-delegated-administrator-ssm.yaml](templates/sra-common-register-delegated-administrator-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are + populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). The `Audit account` is set as the delegated administrator account for all the associated SRA solutions. + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml --stack-name sra-common-register-delegated-administrator-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-common-register-delegated-administrator.yaml](templates/sra-common-register-delegated-administrator.yaml) template. Input is required for the CloudFormation parameters where the default is not set. 
+ ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator.yaml --stack-name sra-common-register-delegated-administrator --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pDelegatedAdminAccountId= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment - Verify the configuration using the following AWS CLI shell script diff --git a/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml b/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml index 46979c637..846f34227 100644 --- a/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml +++ b/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml @@ -74,6 +74,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. 
@@ -109,8 +110,7 @@ Parameters: # - securityhub.amazonaws.com # - stacksets.cloudformation.amazonaws.com # - storage-lens.s3.amazonaws.com - Default: - access-analyzer.amazonaws.com, config-multiaccountsetup.amazonaws.com, config.amazonaws.com, macie.amazonaws.com, securityhub.amazonaws.com + Default: access-analyzer.amazonaws.com, config-multiaccountsetup.amazonaws.com, config.amazonaws.com Description: Comma delimited list of AWS service principals to delegate an administrator account Type: CommaDelimitedList pSRASolutionName: diff --git a/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator.yaml b/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator.yaml index c4c530eb2..3cbe3823e 100644 --- a/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator.yaml +++ b/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator.yaml @@ -72,6 +72,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -97,7 +98,6 @@ Parameters: Default: sra-common-register-delegated-admin Description: Lambda function name Type: String - pServicePrincipalList: # AllowedValues: # - access-analyzer.amazonaws.com 
@@ -108,6 +108,7 @@ Parameters: # - securityhub.amazonaws.com # - stacksets.cloudformation.amazonaws.com # - storage-lens.s3.amazonaws.com + Default: access-analyzer.amazonaws.com, config-multiaccountsetup.amazonaws.com, config.amazonaws.com Description: Comma delimited list of AWS service principals to delegate an administrator account Type: CommaDelimitedList pSRASolutionName: diff --git a/aws_sra_examples/solutions/config/config_aggregator_org/README.md b/aws_sra_examples/solutions/config/config_aggregator_org/README.md index 42615f38c..036f5aa50 100644 --- a/aws_sra_examples/solutions/config/config_aggregator_org/README.md +++ b/aws_sra_examples/solutions/config/config_aggregator_org/README.md 
@@ -83,8 +83,17 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack* - **Option 1:** (Recommended) Use the [sra-config-aggregator-org-main-ssm.yaml](templates/sra-config-aggregator-org-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-main-ssm.yaml --stack-name sra-config-aggregator-org-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-config-aggregator-org-main.yaml](templates/sra-config-aggregator-org-main.yaml) template. Input is required for the CloudFormation parameters where the default is not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-main-ssm.yaml --stack-name sra-config-aggregator-org-main-ssm --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment - Log into the Audit account and navigate to the AWS Config page diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md b/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md index a6245f9af..692d8dd47 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/README.md 
@@ -107,8 +107,17 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack* - **Option 1:** (Recommended) Use the [sra-config-conformance-pack-org-main-ssm.yaml](templates/sra-config-conformance-pack-org-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml --stack-name sra-config-conformance-pack-org-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-config-conformance-pack-org-main.yaml](templates/sra-config-conformance-pack-org-main.yaml) template. Input is required for the CloudFormation parameters where the default values are not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml --stack-name sra-config-conformance-pack-org-main-ssm --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId= pLogArchiveAccountId= pOrganizationId= pRegionsToDeployConformancePacks= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment 1. In the `Audit account` and navigate to the AWS Config page diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml index 99226387e..5341490ec 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml 
+++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml @@ -86,11 +86,13 @@ Parameters: AllowedPattern: '^$|^[a-zA-Z][-a-zA-Z0-9]*$' ConstraintDescription: Delivery S3 prefix can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Default: '' Description: (Optional) The prefix for the Amazon S3 bucket. Type: String pExcludedAccounts: AllowedPattern: '^$|^(\d{12})$|^((\d{12},)*\d{12})$' ConstraintDescription: AWS Account IDs separated by commas. (e.g. 123456789012,234567890123) + Default: '' Description: Comma delimited list of account IDs to exclude from the Organization conformance pack. Accounts that do not have AWS Config enabled must be excluded. diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml index 51029375a..cc554eb62 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml @@ -82,11 +82,13 @@ Parameters: AllowedPattern: '^$|^[a-zA-Z][-a-zA-Z0-9]*$' ConstraintDescription: Delivery S3 prefix can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Default: '' Description: (Optional) The prefix for the Amazon S3 bucket. Type: String pExcludedAccounts: AllowedPattern: '^$|^(\d{12})$|^((\d{12},)*\d{12})$' ConstraintDescription: AWS Account IDs separated by commas. (e.g. 123456789012,234567890123) + Default: '' Description: Comma delimited list of account IDs to exclude from the Organization conformance pack. Accounts that do not have AWS Config enabled must be excluded. 
diff --git a/aws_sra_examples/solutions/config/config_management_account/README.md b/aws_sra_examples/solutions/config/config_management_account/README.md index c60a4988a..c3a8efac5 100644 --- a/aws_sra_examples/solutions/config/config_management_account/README.md +++ b/aws_sra_examples/solutions/config/config_management_account/README.md @@ -110,8 +110,17 @@ In the `management account (home region)`, launch the AWS CloudFormation **Stack - **Option 1:** (Recommended) Use the [sra-config-management-account-main-ssm.yaml](templates/sra-config-management-account-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml --stack-name sra-config-management-account-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-config-management-account-main.yaml](templates/sra-config-management-account-main.yaml) template. Input is required for the CloudFormation parameters where the default values are not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml --stack-name sra-config-management-account-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId= pConfigRegionsToEnable= pHomeRegion= pLogArchiveAccountId= pOrganizationId= pSRAStagingS3BucketName= + ``` + --- ## References 
diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml index cbb1b9c57..a31001a23 100644 --- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml +++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml @@ -96,7 +96,6 @@ Parameters: ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/regions/customer-control-tower-regions - # Default: /sra/regions/enabled-regions Description: SSM Parameter for AWS regions to enable AWS Config Type: AWS::SSM::Parameter::Value> pCreateLambdaLogGroup: @@ -126,6 +125,7 @@ Parameters: pKmsKeyArn: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*)?:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: Key ARN example - arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + Default: '' Description: (Optional) KMS key ARN to use for encrypting the AWS Config configuration snapshots and history files when storing in the S3 bucket in the Log Archive account. If empty, snapshots and history files will be encrypted based on the Default Encryption setting of the S3 bucket. 
@@ -133,6 +133,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -163,6 +164,7 @@ Parameters: Type: AWS::SSM::Parameter::Value pResourceTypes: AllowedPattern: '^$|^([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$|^(([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+(,|, ))*[a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$' + Default: '' Description: (Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter is set to 'false', then this parameter becomes required. diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml index 370ea9593..170c9944a 100644 --- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml +++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml 
@@ -121,6 +121,7 @@ Parameters: pKmsKeyArn: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*)?:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: Key ARN example - arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + Default: '' Description: (Optional) KMS key ARN to use for encrypting the AWS Config configuration snapshots and history files when storing in the S3 bucket in the Log Archive account. If empty, snapshots and history files will be encrypted based on the Default Encryption setting of the S3 bucket. @@ -128,6 +129,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -154,6 +156,7 @@ Parameters: Type: String pResourceTypes: AllowedPattern: '^$|^([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$|^(([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+(,|, ))*[a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$' + Default: '' Description: (Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter is set to 'false', then this parameter becomes required. diff --git a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/README.md b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/README.md index d45586feb..ccd902c36 100644 --- a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/README.md +++ b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/README.md 
@@ -112,8 +112,17 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack* - **Option 1:** (Recommended) Use the [sra-ec2-default-ebs-encryption-main-ssm.yaml](templates/sra-ec2-default-ebs-encryption-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml --stack-name sra-ec2-default-ebs-encryption-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-ec2-default-ebs-encryption-main.yaml](templates/sra-ec2-default-ebs-encryption-main.yaml) template. Input is required for the CloudFormation parameters where the default is not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml --stack-name sra-ec2-default-ebs-encryption-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pOrganizationId= pRootOrganizationalUnitId= pSRAStagingS3BucketName= + ``` + **Region parameter definitions:** - Control Tower Regions Only diff --git a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml index 96ead2e00..eac9463a2 100644 --- a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml +++ b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml 
@@ -136,6 +136,7 @@ Parameters: Description: EC2 Default EBS Encryption Role Name Type: String pEnabledRegions: + Default: '' Description: (Optional) Comma delimited list of regions to enable. Leave blank to enable all regions. Type: String pOrganizationId: diff --git a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml index f8992cd79..fe1b10435 100644 --- a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml +++ b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml @@ -136,6 +136,7 @@ Parameters: Description: EC2 Default EBS Encryption Role Name Type: String pEnabledRegions: + Default: '' Description: (Optional) Comma delimited list of regions to enable. Leave blank to enable all regions. Type: String pOrganizationId: diff --git a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/README.md b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/README.md index 079989026..de8145762 100755 --- a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/README.md +++ b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/README.md 
@@ -167,8 +167,17 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack* - **Option 1:** (Recommended) Use the [sra-firewall-manager-org-main-ssm.yaml](templates/sra-firewall-manager-org-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main-ssm.yaml --stack-name sra-firewall-manager-org-main-ssm --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pInternalNetCIDR= + ``` + - **Option 2:** Use the [sra-firewall-manager-org-main.yaml](templates/sra-firewall-manager-org-main.yaml) template. Input is required for the CloudFormation parameters where the default values are not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main.yaml --stack-name sra-firewall-manager-org-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pDelegatedAdminAccountId= pInternalNetCIDR= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment 1. Log into the Delegated Admin Account (eg. `Audit account`) and navigate to the AWS Firewall Manager page diff --git a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main-ssm.yaml b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main-ssm.yaml index d6b338318..c0b2c7e1f 100644 --- a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main-ssm.yaml 
@@ -132,6 +132,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -174,6 +175,7 @@ Parameters: pVpcId: AllowedPattern: '^$|^vpc-[0-9a-f]{17}$' ConstraintDescription: Must have a prefix of "vpc-". Followed by 17 characters (numbers, letters "a-f") + Default: '' Description: (Optional) Existing VPC ID for the Firewall Manager Security Groups. Required if Create VPC For Security Group is "false". Type: String diff --git a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main.yaml b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main.yaml index b276be9d5..db7c80f7b 100644 --- a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main.yaml +++ b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main.yaml @@ -130,6 +130,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. 
@@ -171,6 +172,7 @@ Parameters: pVpcId: AllowedPattern: '^$|^vpc-[0-9a-f]{17}$' ConstraintDescription: Must have a prefix of "vpc-". Followed by 17 characters (numbers, letters "a-f") + Default: '' Description: (Optional) Existing VPC ID for the Firewall Manager Security Groups. Required if Create VPC For Security Group is "false". Type: String diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/README.md b/aws_sra_examples/solutions/guardduty/guardduty_org/README.md index 547a8ce49..d77db74b6 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/README.md +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/README.md @@ -134,8 +134,17 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack* - **Option 1:** (Recommended) Use the [sra-guardduty-org-main-ssm.yaml](templates/sra-guardduty-org-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml --stack-name sra-guardduty-org-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-guardduty-org-main.yaml](templates/sra-guardduty-org-main.yaml) template. Input is required for the CloudFormation parameters where the default is not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main.yaml --stack-name sra-guardduty-org-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId= pLogArchiveAccountId= pOrganizationId= pRootOrganizationalUnitId= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment 1. Log into the Management account and navigate to the GuardDuty page 
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml index bc6f7f080..4fe70828b 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml @@ -189,8 +189,8 @@ Parameters: Description: GuardDuty S3 bucket name Type: String pSRAAlarmEmail: - AllowedPattern: ^$|^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$ - ConstraintDescription: Email Validation as per RFC2822 standards. + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. Description: (Optional) Email address for receiving DLQ alarms Type: String pSRASolutionName: diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml index 77440cd16..e45f896b4 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml @@ -143,6 +143,7 @@ Parameters: ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) + Default: '' Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String pFindingPublishingFrequency: 
@@ -183,6 +184,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -219,6 +221,9 @@ Parameters: Description: SSM Parameter for Root Organizational Unit ID Type: AWS::SSM::Parameter::Value pSRAAlarmEmail: + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. + Default: '' Description: (Optional) Email address for receiving SRA alarms Type: String pSRASolutionName: diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main.yaml index 35843f249..0da7ece44 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main.yaml @@ -115,10 +115,10 @@ Parameters: Description: Auto enable S3 logs Type: String pControlTowerRegionsOnly: - Type: String - Description: Only enable in the Control Tower governed regions - Default: 'true' AllowedValues: ['true', 'false'] + Default: 'true' + Description: Only enable in the Control Tower governed regions + Type: String pCreateLambdaLogGroup: AllowedValues: ['true', 'false'] Default: 'false' 
@@ -142,6 +142,7 @@ Parameters: ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) + Default: '' Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String pFindingPublishingFrequency: @@ -182,6 +183,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -214,6 +216,9 @@ Parameters: Description: Root Organizational Unit ID Type: String pSRAAlarmEmail: + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. + Default: '' Description: (Optional) Email address for receiving SRA alarms Type: String pSRASolutionName: diff --git a/aws_sra_examples/solutions/iam/iam_access_analyzer/README.md b/aws_sra_examples/solutions/iam/iam_access_analyzer/README.md index 7237aad7b..06eb8d7af 100644 --- a/aws_sra_examples/solutions/iam/iam_access_analyzer/README.md +++ b/aws_sra_examples/solutions/iam/iam_access_analyzer/README.md 
@@ -94,8 +94,17 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack* - **Option 1:** (Recommended) Use the [sra-iam-access-analyzer-main-ssm.yaml](templates/sra-iam-access-analyzer-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml --stack-name sra-iam-access-analyzer-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-iam-access-analyzer-main.yaml](templates/sra-iam-access-analyzer-main.yaml) template. Input is required for the CloudFormation parameters where the default is not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main.yaml --stack-name sra-iam-access-analyzer-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAccessAnalyzerRegionsToEnable= pAuditAccountId= pRootOrganizationalUnitId= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment 1. Log into the Audit account and navigate to the IAM Access Analyzer page diff --git a/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml b/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml index 7d8c938f9..40004011f 100644 --- a/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml +++ b/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml 
@@ -60,7 +60,6 @@ Parameters: ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/regions/customer-control-tower-regions - # Default: /sra/regions/enabled-regions Description: SSM Parameter for AWS regions to enable AWS Config Type: AWS::SSM::Parameter::Value> pAuditAccountId: diff --git a/aws_sra_examples/solutions/iam/iam_password_policy/README.md b/aws_sra_examples/solutions/iam/iam_password_policy/README.md index a1a4b5f0b..76d367b3c 100644 --- a/aws_sra_examples/solutions/iam/iam_password_policy/README.md +++ b/aws_sra_examples/solutions/iam/iam_password_policy/README.md 
@@ -66,9 +66,19 @@ Choose a Deployment Method: In the `management account (home region)`, launch an AWS CloudFormation **Stack** using one of the options below: -- **Option 1:** (Recommended) Use the [sra-iam-password-policy-main-ssm.yaml](templates/sra-iam-password-policy-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). +- **Option 1:** (Recommended) Use the [sra-iam-password-policy-main-ssm.yaml](templates/sra-iam-password-policy-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters + created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml --stack-name sra-iam-password-policy-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-iam-password-policy-main.yaml](templates/sra-iam-password-policy-main.yaml) template. Input is required for the CloudFormation parameters where the default is not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main.yaml --stack-name sra-iam-password-policy-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pRootOrganizationalUnitId= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment 1. Log into any account within the AWS Organization diff --git a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml index dc7982f48..73d9f6afd 100644 
--- a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml +++ b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml @@ -117,6 +117,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. diff --git a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main.yaml b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main.yaml index 808315bd2..a23760473 100644 --- a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main.yaml +++ b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main.yaml @@ -117,6 +117,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. diff --git a/aws_sra_examples/solutions/macie/macie_org/README.md b/aws_sra_examples/solutions/macie/macie_org/README.md index e014e4466..bbb87bb9f 100644 --- a/aws_sra_examples/solutions/macie/macie_org/README.md +++ b/aws_sra_examples/solutions/macie/macie_org/README.md 
@@ -135,8 +135,17 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack* - **Option 1:** (Recommended) Use the [sra-macie-org-main-ssm.yaml](templates/sra-macie-org-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml --stack-name sra-macie-org-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-macie-org-main.yaml](templates/sra-macie-org-main.yaml) template. Input is required for the CloudFormation parameters where the default is not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main.yaml --stack-name sra-macie-org-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId= pLogArchiveAccountId= pOrganizationId= pRootOrganizationalUnitId= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment 1. Log into the Management account and navigate to the Macie page diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml index b99587dbd..1a52d7da4 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml 
@@ -180,8 +180,8 @@ Parameters: Description: Macie classification export S3 bucket name Type: String pSRAAlarmEmail: - AllowedPattern: ^$|^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$ - ConstraintDescription: Email Validation as per RFC2822 standards. + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. Description: (Optional) Email address for receiving DLQ alarms Type: String pSRASolutionName: diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml index 5c14b692b..bcf03773f 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml @@ -135,6 +135,7 @@ Parameters: ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) + Default: '' Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String pFindingPublishingFrequency: @@ -159,6 +160,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. 
@@ -213,6 +215,9 @@ Parameters: Description: SSM Parameter for Root Organizational Unit ID Type: AWS::SSM::Parameter::Value pSRAAlarmEmail: + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. + Default: '' Description: (Optional) Email address for receiving SRA alarms Type: String pSRASolutionName: diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main.yaml index 8b886fa63..4748f001c 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main.yaml @@ -134,6 +134,7 @@ Parameters: ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) + Default: '' Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String pFindingPublishingFrequency: @@ -158,6 +159,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -208,6 +210,8 @@ Parameters: Description: Root Organizational Unit ID Type: String pSRAAlarmEmail: + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. Description: (Optional) Email address for receiving SRA alarms Type: String pSRASolutionName: 
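Review bot: the pSRAAlarmEmail hunk in sra-macie-org-main.yaml (@@ -208,6 +210,8) adds AllowedPattern and ConstraintDescription but not `Default: ''`, unlike the matching hunk in sra-macie-org-main-ssm.yaml just above (@@ -213,6 +215,9) and the sra-securityhub-org-main.yaml hunk later in this patch. Without a default, the README's Option 2 command, which does not list pSRAAlarmEmail in its `--parameter-overrides`, fails at change-set creation because the parameter has no value, contradicting the CHANGELOG entry that all optional parameters now default to an empty string; add `Default: ''` between ConstraintDescription and Description.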
diff --git a/aws_sra_examples/solutions/s3/s3_block_account_public_access/README.md b/aws_sra_examples/solutions/s3/s3_block_account_public_access/README.md index 438498922..ae9aa1cca 100644 --- a/aws_sra_examples/solutions/s3/s3_block_account_public_access/README.md +++ b/aws_sra_examples/solutions/s3/s3_block_account_public_access/README.md 
@@ -118,9 +118,21 @@ Choose a Deployment Method: #### AWS CloudFormation -- **Option 1:** (Recommended) Use the [sra-s3-block-account-public-access-main-ssm.yaml](templates/sra-s3-block-account-public-access-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). +In the `management account (home region)`, launch an AWS CloudFormation **Stack** using one of the options below: + +- **Option 1:** (Recommended) Use the [sra-s3-block-account-public-access-main-ssm.yaml](templates/sra-s3-block-account-public-access-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated + from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main-ssm.yaml --stack-name sra-s3-block-account-public-access-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-s3-block-account-public-access-main.yaml](templates/sra-s3-block-account-public-access-main.yaml) template. Input is required for the CloudFormation parameters where the default is not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main.yaml --stack-name sra-s3-block-account-public-access-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pOrganizationId= pRootOrganizationalUnitId= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment How to verify after the pipeline completes? 
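Review bot: the Option 2 command in this README hunk is shown with empty overrides (`--parameter-overrides pOrganizationId= pRootOrganizationalUnitId= pSRAStagingS3BucketName=`); copied as-is, the CLI passes empty strings, so the deploy fails on parameter validation instead of telling the reader which values to fill in, and the preceding sentence ("Input is required for the CloudFormation parameters where the default is not set") is the only hint. Suggest explicit placeholders such as `pOrganizationId=<ORGANIZATION_ID>`, or a sentence directly above the block saying the blank values must be replaced; the same applies to the Option 2 commands in the macie_org and securityhub_org README hunks of this patch.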
diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/README.md b/aws_sra_examples/solutions/securityhub/securityhub_org/README.md index 835c50986..31145731a 100644 --- a/aws_sra_examples/solutions/securityhub/securityhub_org/README.md +++ b/aws_sra_examples/solutions/securityhub/securityhub_org/README.md @@ -71,7 +71,7 @@ The Security Hub Organization solution will automate enabling AWS Security Hub b #### 1.9 SNS Topic -- SNS Topic used to fanout the Lambda function for deleting GuardDuty within each account and region. +- SNS Topic used to fanout the Lambda function for deleting the service within each account and region. #### 1.10 AWS Control Tower Lifecycle Event Rule 
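Review bot: the reworded bullet in section 1.9 of the securityhub_org README should use the verb form "fan out" and name the service, since "deleting the service" is vaguer than the GuardDuty wording it replaces; suggest "SNS Topic used to fan out the Lambda function that disables Security Hub within each account and region."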
@@ -147,8 +147,17 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack* - **Option 1:** (Recommended) Use the [sra-securityhub-org-main-ssm.yaml](templates/sra-securityhub-org-main-ssm.yaml) template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the [SRA Prerequisites Solution](../../common/common_prerequisites/). + + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml --stack-name sra-securityhub-org-main-ssm --capabilities CAPABILITY_NAMED_IAM + ``` + - **Option 2:** Use the [sra-securityhub-org-main.yaml](templates/sra-securityhub-org-main.yaml) template. Input is required for the CloudFormation parameters where the default is not set. + ```bash + aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml --stack-name sra-securityhub-org-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId= pOrganizationId= pRootOrganizationalUnitId= pSRAStagingS3BucketName= + ``` + #### Verify Solution Deployment 1. Log into the `management account` and navigate to the Security Hub page diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/solutions/securityhub/securityhub_org/customizations_for_aws_control_tower/manifest.yaml index e420000d1..1c9f26730 100644 --- a/aws_sra_examples/solutions/securityhub/securityhub_org/customizations_for_aws_control_tower/manifest.yaml +++ b/aws_sra_examples/solutions/securityhub/securityhub_org/customizations_for_aws_control_tower/manifest.yaml 
@@ -9,7 +9,7 @@ organization_policies: [] # Control Tower Custom CloudFormation Resources cloudformation_resources: # ----------------------------------------------------------------------------- - # Organization GuardDuty + # Organization Security Hub # ----------------------------------------------------------------------------- - name: sra-securityhub-org-main-ssm template_file: templates/sra-securityhub-org-main-ssm.yaml diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml index 5883a71cf..ff171b6b5 100644 --- a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml +++ b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml @@ -218,8 +218,8 @@ Parameters: aggregate findings from new Regions as Security Hub supports them and you opt into them. Type: String pSRAAlarmEmail: - AllowedPattern: ^$|^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$ - ConstraintDescription: Email Validation as per RFC2822 standards. + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. Description: (Optional) Email address for receiving DLQ alarms Type: String pSRASolutionName: diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml index b95624443..88c960f13 100644 --- a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml 
@@ -139,6 +139,7 @@ Parameters: ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) + Default: '' Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String pEnablePCIStandard: @@ -154,6 +155,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -208,6 +210,9 @@ Parameters: Description: SecurityHub configuration Lambda role name Type: String pSRAAlarmEmail: + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. + Default: '' Description: (Optional) Email address for receiving SRA alarms Type: String pSRASolutionName: diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml index 456cc2b35..37e4692d8 100644 --- a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml +++ b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml 
@@ -138,6 +138,7 @@ Parameters: ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) + Default: '' Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String pEnablePCIStandard: @@ -153,6 +154,7 @@ Parameters: pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' + Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. @@ -204,6 +206,9 @@ Parameters: Description: SecurityHub configuration Lambda role name Type: String pSRAAlarmEmail: + AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' + ConstraintDescription: Must be a valid email address. + Default: '' Description: (Optional) Email address for receiving SRA alarms Type: String pSRASolutionName: diff --git a/pyproject.toml b/pyproject.toml index 5e724e20c..5ee8e0076 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "aws_sra_examples" -version = "2.0.1" +version = "2.0.2" description = "AWS Security Reference Architecture Examples" authors = ["Amazon Web Services "] From 7e09a01f6cdc4587042bf1977389544f990eb319 Mon Sep 17 00:00:00 2001 
From: "Wickersham, Andy" Date: Tue, 29 Mar 2022 12:48:36 -0500 Subject: [PATCH 2/2] Updated template description --- CHANGELOG.md | 1 + .../cloudtrail_org/templates/sra-cloudtrail-org-bucket.yaml | 2 +- .../cloudtrail_org/templates/sra-cloudtrail-org-kms.yaml | 2 +- .../cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml | 2 +- .../cloudtrail_org/templates/sra-cloudtrail-org-main.yaml | 2 +- .../cloudtrail_org/templates/sra-cloudtrail-org.yaml | 2 +- .../templates/sra-common-cfct-setup-main.yaml | 2 +- ...sra-common-prerequisites-control-tower-execution-role.yaml | 2 +- .../templates/sra-common-prerequisites-main-ssm.yaml | 2 +- .../templates/sra-common-prerequisites-main.yaml | 2 +- ...ra-common-prerequisites-management-account-parameters.yaml | 2 +- .../sra-common-prerequisites-member-account-parameters.yaml | 2 +- .../templates/sra-common-prerequisites-secrets-kms.yaml | 2 +- .../templates/sra-common-prerequisites-staging-s3-bucket.yaml | 2 +- .../sra-common-register-delegated-administrator-ssm.yaml | 1 + .../sra-common-register-delegated-administrator.yaml | 1 + .../templates/sra-config-aggregator-org-configuration.yaml | 2 +- .../templates/sra-config-aggregator-org-main-ssm.yaml | 2 +- .../templates/sra-config-aggregator-org-main.yaml | 2 +- .../sra-config-conformance-pack-org-delivery-bucket.yaml | 4 +++- .../templates/sra-config-conformance-pack-org-deployment.yaml | 4 +++- .../templates/sra-config-conformance-pack-org-main-ssm.yaml | 2 +- .../templates/sra-config-conformance-pack-org-main.yaml | 3 +-- .../templates/sra-config-management-account-main-ssm.yaml | 2 +- .../templates/sra-config-management-account-main.yaml | 1 + .../templates/sra-config-management-account-role.yaml | 2 +- .../sra-config-management-account-update-aggregator.yaml | 2 +- .../templates/sra-config-management-account.yaml | 2 +- .../templates/sra-ec2-default-ebs-encryption-main-ssm.yaml | 2 +- .../templates/sra-ec2-default-ebs-encryption-main.yaml | 2 +- 
.../templates/sra-ec2-default-ebs-encryption-role.yaml | 2 +- .../templates/sra-ec2-default-ebs-encryption.yaml | 2 +- .../templates/sra-firewall-manager-org-delegate-admin.yaml | 2 +- .../sra-firewall-manager-org-disassociate-iam-role.yaml | 2 +- .../templates/sra-firewall-manager-org-main-ssm.yaml | 2 +- .../templates/sra-firewall-manager-org-main.yaml | 2 +- .../templates/sra-firewall-manager-org-sg-policy.yaml | 2 +- .../templates/sra-firewall-manager-org-waf-policy.yaml | 2 +- .../templates/sra-guardduty-org-configuration-role.yaml | 2 +- .../templates/sra-guardduty-org-configuration.yaml | 2 +- .../templates/sra-guardduty-org-delete-detector-role.yaml | 2 +- .../templates/sra-guardduty-org-delivery-kms-key.yaml | 2 +- .../templates/sra-guardduty-org-delivery-s3-bucket.yaml | 2 +- .../guardduty_org/templates/sra-guardduty-org-main-ssm.yaml | 2 +- .../guardduty_org/templates/sra-guardduty-org-main.yaml | 2 +- .../templates/sra-iam-access-analyzer-account.yaml | 2 +- .../templates/sra-iam-access-analyzer-main-ssm.yaml | 2 +- .../templates/sra-iam-access-analyzer-main.yaml | 2 +- .../templates/sra-iam-access-analyzer-org.yaml | 2 +- .../templates/sra-iam-password-policy-main-ssm.yaml | 2 +- .../templates/sra-iam-password-policy-main.yaml | 3 +-- .../templates/sra-iam-password-policy.yaml | 2 +- .../macie_org/templates/sra-macie-org-configuration-role.yaml | 2 +- .../macie_org/templates/sra-macie-org-configuration.yaml | 2 +- .../macie_org/templates/sra-macie-org-delivery-kms-key.yaml | 2 +- .../macie_org/templates/sra-macie-org-delivery-s3-bucket.yaml | 2 +- .../macie/macie_org/templates/sra-macie-org-disable-role.yaml | 2 +- .../macie/macie_org/templates/sra-macie-org-main-ssm.yaml | 2 +- .../macie/macie_org/templates/sra-macie-org-main.yaml | 2 +- .../sra-s3-block-account-public-access-main-ssm.yaml | 2 +- .../templates/sra-s3-block-account-public-access-main.yaml | 2 +- .../templates/sra-s3-block-account-public-access-role.yaml | 2 +- 
.../templates/sra-s3-block-account-public-access.yaml | 2 +- .../templates/sra-securityhub-org-configuration-role.yaml | 2 +- .../templates/sra-securityhub-org-configuration.yaml | 2 +- .../templates/sra-securityhub-org-main-ssm.yaml | 2 +- .../securityhub_org/templates/sra-securityhub-org-main.yaml | 2 +- 67 files changed, 71 insertions(+), 65 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3ed5113b4..a95cc2a10 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ All notable changes to this project will be documented in this file. - Updated the `Solution Deployment` instructions in all solution README files to include AWS CLI commands for deploying the main templates. The AWS CLI command can be used to deploy the template via the command line within tools like CloudShell. - Updated all main template parameters that allow a blank string to include a default empty string allowing the AWS CLI command to work without passing the `optional` parameters. - Added an allowed pattern for email address parameters. +- All solution template description were updated. ### Removed diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-bucket.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-bucket.yaml index 80ce7e718..bc902a572 100644 --- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-bucket.yaml +++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-bucket.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables and configures an AWS S3 bucket for the CloudTrail Organization trail in the Control Tower Log Archive account. - - 'cloudtrail_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + 'cloudtrail_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse0i) Metadata: SRA: diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-kms.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-kms.yaml index fd1011f01..269430957 100644 --- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-kms.yaml +++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-kms.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables and configures an AWS KMS Key for the CloudTrail Organization trail in the Control Tower Audit account. - 'cloudtrail_org' - solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse0i) Metadata: SRA: diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml index b49cd5878..688aad017 100644 --- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml 
@@ -6,7 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations CloudTrail in the Control Tower Management account with a customer managed KMS key created in the Audit account sending the encrypted logs to an S3 bucket created within the Log Archive account. - 'cloudtrail_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse0i) Metadata: SRA: diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main.yaml index 56555aa9c..0cfe194dc 100644 --- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main.yaml +++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main.yaml @@ -6,7 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations CloudTrail in the Control Tower Management account with a customer managed KMS key created in the Audit account sending the encrypted logs to an S3 bucket created within the Log Archive account. - 'cloudtrail_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse0i) Metadata: SRA: diff --git a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml index 42558c2fe..507b1759f 100644 --- a/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml +++ b/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables and configures an AWS CloudTrail Organization trail in the Control Tower Management account. - 'cloudtrail_org' solution in - the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse0i) Metadata: SRA: diff --git a/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml b/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml index d097d85cb..cc53ceb15 100644 --- a/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml +++ b/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template deploys Customizations for Control Tower (CFCT). - 'common_cfct_setup' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2a) Metadata: SRA: Version: 1.0 diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-control-tower-execution-role.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-control-tower-execution-role.yaml index 4bac59ea5..3722c44d7 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-control-tower-execution-role.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-control-tower-execution-role.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: AWS Control Tower Execution IAM Role Creation. - 'common_prerequisites' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h) Metadata: SRA: Version: 1.1 diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main-ssm.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main-ssm.yaml index fd937a763..210bf7778 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main-ssm.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main-ssm.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates the pre-requisite resources for staging the SRA solutions. Resolving SSM parameters. - 'common_prerequisites' solution in the - repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h) Metadata: SRA: Version: 1.2 diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml index 36ac16e04..2a3ae3c4f 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-main.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates the pre-requisite resources for staging the SRA solutions. - 'common_prerequisites' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h) Metadata: SRA: Version: 1.2 diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml index d48492ff8..8c184ed60 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates AWS Control Tower Account SSM Parameters. - 'common_prerequisites' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h) Metadata: SRA: Version: 1.0 diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-member-account-parameters.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-member-account-parameters.yaml index 5644c3dd7..10f917bd5 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-member-account-parameters.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-member-account-parameters.yaml 
@@ -6,7 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates the pre-requisite SSM parameters for staging the SRA solutions in the member accounts by resolving the corresponding SSM parameters in the management account. - 'common_prerequisites' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h) Metadata: SRA: Version: 1.1 diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-secrets-kms.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-secrets-kms.yaml index 6a5ea22fe..0a54eae4c 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-secrets-kms.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-secrets-kms.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a KMS key for SRA secrets used to share CloudFormation outputs to the Management account. - 'common_prerequisites' solution in - the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h) Metadata: SRA: diff --git a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml index af1241b16..dd9b8d00a 100644 --- a/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml +++ b/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: '2010-09-09' Description: Creates the SRA staging S3 bucket to store solution Lambda source code, CloudFormation templates, and other deployment files. - - 'common_prerequisites' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + 'common_prerequisites' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h) Metadata: SRA: Version: 1.0 diff --git a/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml b/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml index 846f34227..7c99652ae 100644 --- a/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml +++ b/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml @@ -6,6 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template deploys a custom resource in the Control Tower Management account to enable service access and delegates an administrator account. - 'common_register_delegated_administrator' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + (sra-1ssgnse2n) Metadata: SRA: diff --git a/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator.yaml b/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator.yaml index 3cbe3823e..871bcaf6f 100644 --- a/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator.yaml 
+++ b/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator.yaml @@ -6,6 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template deploys a custom resource in the Control Tower Management account to enable service access and delegates an administrator account. - 'common_register_delegated_administrator' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + (sra-1ssgnse2n) Metadata: SRA: diff --git a/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-configuration.yaml b/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-configuration.yaml index a89116170..444846fa5 100644 --- a/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-configuration.yaml +++ b/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-configuration.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations Config Aggregator in the Control Tower Audit account. - 'config_aggregator_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse3a) Metadata: SRA: diff --git a/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-main-ssm.yaml b/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-main-ssm.yaml index 9ecd1f8a3..1503b2ebe 100644 --- a/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-main-ssm.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations Config Aggregator in the Control Tower Audit account. - 'config_aggregator_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse3a) Metadata: SRA: diff --git a/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-main.yaml b/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-main.yaml index a864912bd..4978c0d93 100644 --- a/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-main.yaml +++ b/aws_sra_examples/solutions/config/config_aggregator_org/templates/sra-config-aggregator-org-main.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations Config Aggregator in the Control Tower Audit account. - 'config_aggregator_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse3a) Metadata: SRA: diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml index 2aa72ace2..97e6226f4 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml 
@@ -3,7 +3,9 @@ # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 -Description: Creates S3 buckets to store the conformance pack results +Description: + Creates S3 buckets to store the conformance pack results. - 'config_conformance_pack_org' solution in the repo, + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse3o) Metadata: SRA: diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-deployment.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-deployment.yaml index fbaf41bbd..eb1e349e5 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-deployment.yaml +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-deployment.yaml @@ -3,7 +3,9 @@ # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 -Description: Template creates an AWS Config Organization Conformance Pack. +Description: + Template creates an AWS Config Organization Conformance Pack. - 'config_conformance_pack_org' solution in the repo, + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse3o) Metadata: SRA: diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml index 5341490ec..08635399d 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml 
+++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an AWS Organizations Config Conformance Pack in the Control Tower Audit account. - 'config_conformance_pack_org' solution in - the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse3o) Metadata: SRA: diff --git a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml index cc554eb62..b5820f3f4 100644 --- a/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml +++ b/aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml @@ -5,8 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an AWS Organizations Config Conformance Pack in the Control Tower Audit account. - 'config_conformance_pack_org' solution in - the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples - + the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse3o) Metadata: SRA: Version: 1.1 diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml index a31001a23..64f07004d 100644 --- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml 
+++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main-ssm.yaml @@ -6,7 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables AWS Config in the Control Tower Management account and adds the Management account to the AWS Config Aggregator in the Control Tower Audit account. Resolving SSM parameters. - 'config_management_account' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2s) Metadata: SRA: diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml index 170c9944a..dc83a5c1b 100644 --- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml +++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-main.yaml @@ -6,6 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables AWS Config in the Control Tower Management account and adds the Management account to the AWS Config Aggregator in the Control Tower Audit account. - 'config_management_account' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + (sra-1ssgnse2s) Metadata: SRA: Version: 1.1 diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml index d4733496c..d93c62de3 100644 --- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml 
+++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-role.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an IAM role for AWS Config Recorder in the Control Tower Management account. - 'config_management_account' solution in the - repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2s) Metadata: SRA: Version: 1.0 diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-update-aggregator.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-update-aggregator.yaml index e22e955e2..c090c83c7 100644 --- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-update-aggregator.yaml +++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account-update-aggregator.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template adds the Management account to the AWS Config Aggregator in the Control Tower Audit account. - 'config_management_account' solution in - the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2s) Metadata: SRA: Version: 1.0 diff --git a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account.yaml b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account.yaml index 9cd0cdc86..6d2d03f12 100644 --- a/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account.yaml 
+++ b/aws_sra_examples/solutions/config/config_management_account/templates/sra-config-management-account.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables AWS Config in the Control Tower Management account. - 'config_management_account' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2s) Metadata: SRA: Version: 1.0 diff --git a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml index eac9463a2..437a99594 100644 --- a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml +++ b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main-ssm.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This solution enables the EC2 default ebs encryption in each account and region. - 'ec2_default_ebs_encryption' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse40) Metadata: SRA: diff --git a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml index fe1b10435..f621bacd3 100644 --- a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml +++ b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-main.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This solution enables the EC2 default ebs encryption in each account and region. - 'ec2_default_ebs_encryption' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse40) Metadata: SRA: diff --git a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-role.yaml b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-role.yaml index c129b9bde..996cfc2d5 100644 --- a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-role.yaml +++ b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption-role.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template deploys an IAM role for enabling the EC2 default ebs encryption in each account and region. - 'ec2_default_ebs_encryption' solution in - the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse40) Metadata: SRA: diff --git a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml index ce45a9d77..61fa989e9 100644 --- a/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml +++ b/aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption/templates/sra-ec2-default-ebs-encryption.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template deploys a Lambda function that enables the EC2 default ebs encryption in each account and region. - 'ec2_default_ebs_encryption' - solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse40) Metadata: SRA: diff --git a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-delegate-admin.yaml b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-delegate-admin.yaml index 6fbee1933..a08313cbf 100644 --- a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-delegate-admin.yaml +++ b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-delegate-admin.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables AWS Firewall Manager and delegates an administrator account. - 'firewall_manager_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4d) Metadata: SRA: diff --git a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-disassociate-iam-role.yaml b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-disassociate-iam-role.yaml index c20784968..432af4db6 100644 --- a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-disassociate-iam-role.yaml +++ b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-disassociate-iam-role.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an IAM role to disassociate the administrator account - 'firewall_manager_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4d) Metadata: SRA: diff --git a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main-ssm.yaml b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main-ssm.yaml index c0b2c7e1f..954d7637e 100644 --- a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main-ssm.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This solution enables Firewall Manager by associating a delegated administrator account, configuring a security group and WAF policy. - - 'firewall_manager_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + 'firewall_manager_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4d) Metadata: SRA: diff --git a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main.yaml b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main.yaml index db7c80f7b..787167a22 100644 --- a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main.yaml +++ b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-main.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This solution enables Firewall Manager by associating a delegated administrator account, configuring a security group and WAF policy. - - 'firewall_manager_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + 'firewall_manager_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4d) Metadata: SRA: diff --git a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-sg-policy.yaml b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-sg-policy.yaml index 764c34c05..ec6152528 100644 --- a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-sg-policy.yaml +++ b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-sg-policy.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a security group policy. - 'firewall_manager_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4d) Metadata: SRA: diff --git a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-waf-policy.yaml b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-waf-policy.yaml index 8b928da24..379d4f987 100755 --- a/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-waf-policy.yaml +++ b/aws_sra_examples/solutions/firewall_manager/firewall_manager_org/templates/sra-firewall-manager-org-waf-policy.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template builds a Firewall Manager WAF v2 policy and deploys it. - 'firewall_manager_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4d) Metadata: SRA: diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration-role.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration-role.yaml index 263a756d9..95b19d571 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration-role.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration-role.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an IAM role to configure the delegated administrator account - 'guardduty_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4k) Metadata: SRA: diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml index 4fe70828b..703f94b0b 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a custom resource Lambda to delegate administration and configure GuardDuty - 'guardduty_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4k) Metadata: SRA: diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delete-detector-role.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delete-detector-role.yaml index 43f302bab..327dcbd07 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delete-detector-role.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delete-detector-role.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an IAM role to delete the GuardDuty detector within each account and region. - 'guardduty_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4k) Metadata: SRA: diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml index 3ecee89d1..c36c4d6ee 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates the GuardDuty delivery KMS key - 'guardduty_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4k) Metadata: SRA: diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-s3-bucket.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-s3-bucket.yaml index f34436264..fc7856ffd 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-s3-bucket.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-s3-bucket.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates the GuardDuty delivery S3 bucket - 'guardduty_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4k) Metadata: SRA: diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml index e45f896b4..2173aeff7 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml 
@@ -6,7 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations GuardDuty in the Control Tower Audit or another delegated admin account with a customer managed KMS key created in the Audit account sending the encrypted findings to an S3 bucket created within the Log Archive account. - 'guardduty_org' solution in - the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4k) Metadata: SRA: diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main.yaml index 0da7ece44..f240a76d6 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main.yaml @@ -6,7 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations GuardDuty in the Control Tower Audit or another delegated admin account with a customer managed KMS key created in the Audit account sending the encrypted findings to an S3 bucket created within the Log Archive account. - 'guardduty_org' solution in - the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4k) Metadata: SRA: diff --git a/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-account.yaml b/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-account.yaml index b3bb265ee..45a314ed5 100644 --- a/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-account.yaml 
+++ b/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-account.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an account IAM Access Analyzer - 'iam_access_analyzer' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse52) Metadata: AWS::CloudFormation::Interface: diff --git a/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml b/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml index 40004011f..9611bc834 100644 --- a/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml +++ b/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an organization IAM Access Analyzer - 'iam_access_analyzer' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse52) Metadata: SRA: diff --git a/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main.yaml b/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main.yaml index 9f929833b..23a97d6f4 100644 --- a/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main.yaml +++ b/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an organization IAM Access Analyzer - 'iam_access_analyzer' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse52) Metadata: SRA: diff --git a/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-org.yaml b/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-org.yaml index a466e7521..c007c4385 100644 --- a/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-org.yaml +++ b/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-org.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an organization IAM Access Analyzer - 'iam_access_analyzer' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse52) Metadata: AWS::CloudFormation::Interface: diff --git a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml index 73d9f6afd..277111ddf 100644 --- a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml +++ b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main-ssm.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a custom resource Lambda and updates the account password policy. - 'iam_password_policy' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse59) Metadata: SRA: diff --git a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main.yaml b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main.yaml index a23760473..274af541a 100644 --- a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main.yaml +++ b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy-main.yaml @@ -5,8 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a custom resource Lambda and updates the account password policy. - 'iam_password_policy' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples - + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse59) Metadata: SRA: Version: 1.1 diff --git a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy.yaml b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy.yaml index 5ab34abac..8245056a1 100644 --- a/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy.yaml +++ b/aws_sra_examples/solutions/iam/iam_password_policy/templates/sra-iam-password-policy.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a custom resource Lambda to update the account password policy - 'iam_password_policy' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse59) Metadata: SRA: diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml index 9728c6703..30b7ca7b3 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an IAM role to configure Macie within the delegated administrator account - 'macie_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5m) Metadata: SRA: diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml index 1a52d7da4..5307bd5e5 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a custom resource to configure Macie within the delegated administrator account and each member account. - 'macie_org' - solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5m) Metadata: SRA: diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-delivery-kms-key.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-delivery-kms-key.yaml index 910acf023..3aeec715c 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-delivery-kms-key.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-delivery-kms-key.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Creates the Macie KMS Key This template creates a KMS key to encrypt Macie findings sent to S3. - 'macie_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5m) Metadata: SRA: diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-delivery-s3-bucket.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-delivery-s3-bucket.yaml index 8fac560a3..e69ef2d82 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-delivery-s3-bucket.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-delivery-s3-bucket.yaml 
@@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an IAM role to create the Macie finding delivery S3 bucket. - 'macie_org' solution in the repo, - https://github.com/aws-samples/aws-security-reference-architecture-examples + https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5m) Metadata: SRA: diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-disable-role.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-disable-role.yaml index 0ae8a53a4..8164945c4 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-disable-role.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-disable-role.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Create an IAM role for disabling Macie Creates the Macie KMS Key This template creates an IAM role for disabling Macie . - 'macie_org' solution in - the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5m) Metadata: SRA: diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml index bcf03773f..8258dc1bf 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml 
@@ -6,7 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations Macie in the Control Tower Audit or another delegated admin account with a customer managed KMS key created in the Audit account sending the encrypted findings to an S3 bucket created within the Log Archive account. - 'macie_org' solution in the - repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5m) Metadata: SRA: diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main.yaml index 4748f001c..1ee1aa38b 100644 --- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main.yaml +++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main.yaml @@ -6,7 +6,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations Macie in the Control Tower Audit or another delegated admin account with a customer managed KMS key created in the Audit account sending the encrypted findings to an S3 bucket created within the Log Archive account. - 'macie_org' solution in the - repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5m) Metadata: SRA: diff --git a/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main-ssm.yaml b/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main-ssm.yaml index 91fc08e9f..0fad752e5 100644 --- a/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main-ssm.yaml 
+++ b/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main-ssm.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates Lambda function and associated resources to enable the S3 account level block public access settings - - 's3_block_account_public_access' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + 's3_block_account_public_access' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5t) Metadata: SRA: diff --git a/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main.yaml b/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main.yaml index 7ac815aca..d4142044a 100644 --- a/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main.yaml +++ b/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-main.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates Lambda function and associated resources to enable the S3 account level block public access settings - - 's3_block_account_public_access' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + 's3_block_account_public_access' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5t) Metadata: SRA: diff --git a/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-role.yaml b/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-role.yaml index 4c368b98c..7987cfdf5 100644 
--- a/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-role.yaml +++ b/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access-role.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an IAM role for enabling S3 account public access block settings within each account - 's3_block_account_public_access' - solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5t) Metadata: SRA: diff --git a/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access.yaml b/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access.yaml index 1e9edbe4a..8e0a7ccdf 100644 --- a/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access.yaml +++ b/aws_sra_examples/solutions/s3/s3_block_account_public_access/templates/sra-s3-block-account-public-access.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates Lambda function and associated resources to enable the S3 account level block public access settings - - 's3_block_account_public_access' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + 's3_block_account_public_access' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5t) Metadata: SRA: diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration-role.yaml b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration-role.yaml index d247c1909..6daf59424 100644 
--- a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration-role.yaml +++ b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration-role.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates an IAM role to configure Security Hub in all accounts including the delegated administrator account. - 'securityhub_org' - solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse6b) Metadata: SRA: diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml index ff171b6b5..1b7569e53 100644 --- a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml +++ b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-configuration.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a custom resource Lambda to delegate administration and configure SecurityHub within an AWS Organization - 'securityhub_org' - solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse6b) Metadata: SRA: diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml index 88c960f13..acde1a206 100644 --- a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml 
+++ b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a custom resource Lambda to delegate administration and configure SecurityHub within an AWS Organization - 'securityhub_org' - solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse6b) Metadata: SRA: diff --git a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml index 37e4692d8..cec2b3f50 100644 --- a/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml +++ b/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml @@ -5,7 +5,7 @@ AWSTemplateFormatVersion: 2010-09-09 Description: This template creates a custom resource Lambda to delegate administration and configure SecurityHub within an AWS Organization - 'securityhub_org' - solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples + solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse6b) Metadata: SRA:
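Review bot: In the sra-macie-org-disable-role.yaml hunk, the Description still carries a stray "Creates the Macie KMS Key" fragment (copied from the delivery KMS key template) and a space before the period in "disabling Macie .", and the sra-macie-org-delivery-kms-key.yaml hunk has the same duplicated opener ("Creates the Macie KMS Key This template creates a KMS key ..."). Since both hunks already rewrite the last line of these Descriptions, fold the cleanup in, e.g. "Description: This template creates an IAM role for disabling Macie. - 'macie_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5m)".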
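Review bot: In the sra-macie-org-delivery-s3-bucket.yaml hunk, the Description reads "This template creates an IAM role to create the Macie finding delivery S3 bucket", but the file name (and the sibling sra-macie-org-delivery-kms-key.yaml, whose Description says it creates the KMS key itself) suggests this template creates the bucket rather than a role. Please confirm which it is and correct the Description while this hunk is touching it; an inaccurate Description is what operators see in the CloudFormation console when deciding what a stack does.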
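Review bot: In the four s3_block_account_public_access hunks, three Descriptions read "This template creates Lambda function and associated resources" (missing article); suggest "creates a Lambda function and associated resources". Similarly, the securityhub_org hunks alternate between "Security Hub" (the configuration-role template) and "SecurityHub" (the configuration and main templates); pick one spelling, since these Descriptions are being edited anyway.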
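Review bot: Across all of these hunks the solution identifier (sra-1ssgnse59, sra-1ssgnse5m, sra-1ssgnse5t, sra-1ssgnse6b) is appended as free text to the Description with nothing in the diff saying what it is. Consider also recording it under the Metadata: SRA: block that every template already has (a key such as SolutionId: sra-1ssgnse59, for example), so it is machine-readable rather than only parsable out of a sentence, and add a one-line note in the README or CHANGELOG explaining what the identifier refers to. One caveat for the two long macie_org main Descriptions: the CloudFormation Description section is limited to 1024 bytes, so appending a suffix to already long Descriptions should be checked against that limit before merging.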