
Protect Control Tower Resources #711

Open
thebigcosinus opened this issue Nov 18, 2021 · 3 comments

Comments

@thebigcosinus

Hi,

I'm looking for a template to protect accounts in an organization deployed with AWS SSO and Control Tower

Thanks

james-green-affinity commented Dec 1, 2021

There you go

Disclaimer!
Double check this yourself!

```yaml
regions:
  - eu-west-2
  - global

account-blocklist:
  - "00000" # replace with the account id(s) aws-nuke must never touch

accounts:
  "0000000": # replace with the account id to clean up
    filters:
      CloudFormationStack:
        - type: glob
          value: "*"

      NeptuneSnapshot:
        - type: glob
          value: "*"

      ConfigServiceConfigRule:
        - type: glob
          value: "*"

      # regex filters are unanchored; the wildcard is ".*", not a bare "*"
      IAMRole:
        - type: regex
          value: "aws-controltower-.*"
        - type: regex
          value: "AWSControlTowerExecution"
        - type: regex
          value: "AWSReservedSSO_.*"
        - "backup" # bare string = exact match

      IAMRolePolicyAttachment:
        - type: regex
          value: "aws-controltower-.*"
        - type: regex
          value: "AWSReservedSSO_.*"
        - type: glob
          value: "AWSControlTowerExecution*"
        - "backup"

      IAMRolePolicy:
        - type: regex
          value: "aws-controltower-.*"
        - type: regex
          value: "AWSControlTowerExecution"
        - type: regex
          value: "terraform-.*"

      ConfigServiceDeliveryChannel:
        - "aws-controltower-BaselineConfigDeliveryChannel"

      ConfigServiceConfigurationRecorder:
        - "aws-controltower-BaselineConfigRecorder"

      CloudTrailTrail:
        - type: glob
          value: "*"

      EC2DHCPOption:
        - type: glob
          value: "*"

      SNSTopic:
        - type: regex
          value: "TopicARN: arn:aws:sns:eu-west-2:000000000000:aws-controltower-SecurityNotifications-.*"

      CloudWatchEventsRule:
        - "Rule: aws-controltower-ConfigComplianceChangeEventRule"

      CloudWatchLogsLogGroup:
        - "/aws/lambda/aws-controltower-NotificationForwarder"
        - "aws-controltower/CloudTrailLogs"
        - "/aws/lambda/us-east-1.basicAuth"
        - type: regex
          value: "/aws/rds/.*"
        - type: regex
          value: "/ecs/.*"

      CloudWatchEventsTarget:
        - type: regex
          value: "Rule: aws-controltower-.*"

      SNSSubscription:
        - type: regex
          value: "Owner: .* ARN: arn:aws:sns:eu-west-2:.*:aws-controltower-.*"

      LambdaFunction:
        - type: regex
          value: "aws-controltower-NotificationForwarder.*"

      GuardDutyDetector:
        - type: glob
          value: "*"

      IAMSAMLProvider:
        - type: regex
          value: "arn:aws:iam::.*:saml-provider/AWSSSO_c0b2c38aa90e902f_DO_NOT_DELETE"

      EFSMountTarget:
        - type: glob
          value: "*"

      AWSBackupRecoveryPoint:
        - type: glob
          value: "*"

      RDSInstance:
        - type: glob
          value: "*"

      NeptuneCluster:
        - type: glob
          value: "*"
```

mavogel (Contributor) commented Dec 6, 2021

You might want to use `aws s3 cp s3://aws-nuke-config-retain-control-tower/aws-nuke-config.yaml .` as a baseline and then adapt the values

- either hardcoded
- or dynamically: `yq e '.accounts."PLACEHOLDER".filters.ConfigServiceConfigRule += {"type":"regex","value":".*securityhub.*"}' -i aws-nuke-config.yaml`

LVSant commented Jun 29, 2022

I'd like to contribute what's been working for us.
We use AWS SSO and AWS Control Tower.

```yaml
# presets are referenced from an account entry via its "presets:" list
presets:
  sso:
    filters:
      IAMSAMLProvider:
        - type: "regex"
          value: "AWSSSO_.*_DO_NOT_DELETE"
      IAMRole:
        - type: "glob"
          value: "AWSReservedSSO_*"
      IAMRolePolicyAttachment:
        - type: "glob"
          value: "AWSReservedSSO_*"
  controltower:
    filters:
      CloudTrailTrail:
        - type: "contains"
          value: "aws-controltower"
      CloudWatchEventsRule:
        - type: "contains"
          value: "aws-controltower"
      EC2VPCEndpoint:
        - type: "contains"
          value: "aws-controltower"
      EC2VPC:
        - type: "contains"
          value: "aws-controltower"
      OpsWorksUserProfile:
        - type: "contains"
          value: "AWSControlTowerExecution"
      CloudWatchLogsLogGroup:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTowerBP"
      CloudWatchEventsTarget:
        - type: "contains"
          value: "aws-controltower"
      SNSSubscription:
        - type: "contains"
          value: "aws-controltower"
      SNSTopic:
        - type: "contains"
          value: "aws-controltower"
      EC2Subnet:
        - type: "contains"
          value: "aws-controltower"
      ConfigServiceDeliveryChannel:
        - type: "contains"
          value: "aws-controltower"
      ConfigServiceConfigurationRecorder:
        - type: "contains"
          value: "aws-controltower"
      CloudFormationStack:
        - type: "contains"
          value: "AWSControlTower"
      EC2RouteTable:
        - type: "contains"
          value: "aws-controltower"
      LambdaFunction:
        - type: "contains"
          value: "aws-controltower"
      EC2DHCPOption:
        - type: "contains"
          value: "aws-controltower"
      IAMRole:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTower"
      IAMRolePolicyAttachment:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTower"
      IAMRolePolicy:
        - type: "contains"
          value: "aws-controltower"
```

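Because a wrong filter in this config means aws-nuke deletes the landing zone, it is worth checking the filters offline before a run. The following is an added example (not aws-nuke's own code and not from any commenter) that re-implements the four filter types used in both answers above (exact, contains, glob, regex) and evaluates them against constructed sample resource strings; it also shows why a bare `*` inside a `regex` filter, as in the first answer, does not behave as a wildcard.

```python
import re

def filter_matches(flt, name):
    """Evaluate one aws-nuke style filter (exact, contains, glob, regex) against
    a resource string. Reimplemented for this example; not aws-nuke's code."""
    if isinstance(flt, str):                      # bare string = exact match
        flt = {"type": "exact", "value": flt}
    ftype, value = flt.get("type", "exact"), flt["value"]
    if ftype == "exact":
        return name == value
    if ftype == "contains":
        return value in name
    if ftype == "glob":                           # "*"-only wildcard, whole string
        pattern = ".*".join(re.escape(p) for p in value.split("*"))
        return re.fullmatch(pattern, name, re.DOTALL) is not None
    if ftype == "regex":                          # unanchored, like Go MatchString
        return re.search(value, name) is not None
    raise ValueError(f"unknown filter type: {ftype}")

def retained(filters, name):
    """A resource is kept (skipped by aws-nuke) when any filter matches it."""
    return any(filter_matches(f, name) for f in filters)

# Filters taken from the two answers above.
SSO_IAMROLE = [{"type": "glob", "value": "AWSReservedSSO_*"}]
CT_IAMROLE = [{"type": "contains", "value": "aws-controltower"},
              {"type": "contains", "value": "AWSControlTower"}]
# First answer's SNSSubscription regex as posted, beside a corrected one.
SNS_REGEX_AS_POSTED = {"type": "regex",
                       "value": "Owner: * ARN: arn:aws:sns:eu-west-2:*:aws-controltower-*"}
SNS_REGEX_FIXED = {"type": "regex",
                   "value": r"Owner: .* ARN: arn:aws:sns:eu-west-2:.*:aws-controltower-.*"}

# Constructed sample resource strings (account ids are placeholders) in the
# format aws-nuke prints: role name; "Owner: <id> ARN: <arn>" for subscriptions.
SAMPLES = {
    "IAMRole": ["AWSReservedSSO_AdministratorAccess_0123456789abcdef",
                "aws-controltower-AdministratorExecutionRole",
                "my-app-role"],
    "SNSSubscription": ["Owner: 123456789012 ARN: arn:aws:sns:eu-west-2:"
                        "123456789012:aws-controltower-SecurityNotifications:a1b2"],
}

def audit(filters_by_type, samples=SAMPLES):
    """Map each sample resource to whether the config retains it, so the
    landing-zone resources can be checked before a real run."""
    return {rt: {n: retained(filters_by_type.get(rt, []), n) for n in names}
            for rt, names in samples.items()}
```

Run `audit({"IAMRole": SSO_IAMROLE + CT_IAMROLE, "SNSSubscription": [SNS_REGEX_AS_POSTED]})` and the subscription comes back as not retained, because `Owner: *` only allows spaces before ` ARN:`; the `.*` version keeps it.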