Skip to content

Commit 378f723

Browse files
IevIeievgeniia ieromenko
IevIe
and
ievgeniia ieromenko
authored
Updated Account Alternate Contacts solution for CT optional (#193)
* updated account alternate contacts solutions to make ct optional * updated README.md * updating documentation --------- Co-authored-by: ievgeniia ieromenko <[email protected]>
1 parent 189734f commit 378f723

File tree

5 files changed

+63
-9
lines changed

5 files changed

+63
-9
lines changed

Diff for: CHANGELOG.md

+16
Original file line numberDiff line numberDiff line change
@@ -3,8 +3,11 @@
33
## Table of Contents<!-- omit in toc -->
44

55
- [Introduction](#introduction)
6+
- [2023-11-06](#2023-11-06)
67
- [2023-10-23](#2023-10-23)
78
- [2023-10-10](#2023-10-10)
9+
- [2023-09-27](#2023-09-27)
10+
- [2023-09-26](#2023-09-26)
811
- [2023-09-22](#2023-09-22)
912
- [2023-08-07](#2023-08-07)
1013
- [2023-07-07](#2023-07-07)
@@ -45,6 +48,10 @@
4548
All notable changes to this project will be documented in this file.
4649

4750
---
51+
## 2023-11-06
52+
53+
- Updated [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) solution to make AWS Control Tower optional.
54+
4855
## 2023-10-23
4956

5057
Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/firewall_manager/firewall_manager_org) solution to make AWS Control Tower optional.
@@ -53,6 +60,15 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference
5360

5461
- Updated [Inspector](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/inspector/inspector_org) solution to enable automatic lambda code scan.
5562

63+
## 2023-09-27
64+
65+
- Updated [Config Management Account](aws_sra_examples/solutions/config/config_management_account) solution to make AWS Control Tower optional.
66+
- Updated [AWS Config Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) solution to make AWS Control Tower optional.
67+
68+
## 2023-09-26
69+
70+
- Updated [Macie](aws_sra_examples/solutions/macie/macie_org) solution to make AWS Control Tower optional.
71+
5672
## 2023-09-22
5773

5874
- Updated [Detective Organization](aws_sra_examples/solutions/detective/detective_org) solution to make AWS Control Tower optional.

Diff for: README.md

+4-4
Original file line numberDiff line numberDiff line change
@@ -130,12 +130,12 @@ _Note: The `Quick Setup` is not designed to be used with the `Easy Setup` proced
130130

131131
| Example Solution | Solution Highlights | What does Control Tower provide? | Depends On |
132132
| :---------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
133-
| [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) | Sets the billing, operations, and security alternate contacts for all accounts within the organization. | | <ul><li>AWS Control Tower</li></ul> |
133+
| [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) | Sets the billing, operations, and security alternate contacts for all accounts within the organization. | | |
134134
| [CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org) | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events. | CloudTrail enabled in each account with management events only. | |
135135
| [Config Management Account](aws_sra_examples/solutions/config/config_management_account) | Enables AWS Config in the Management account to allow resource compliance monitoring. | Configures AWS Config in all accounts except for the Management account in each governed region. | <ul><li>AWS Control Tower</li></ul> |
136-
| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization. | | <ul><li>AWS Control Tower</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account)</li></ul> |
136+
| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization. | | <ul><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account)</li></ul> |
137137
| [Config Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org) | **Not required for most Control Tower environments.** Deploy an Organization Config Aggregator to a delegated admin other than the Audit account. | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. | <ul><li>AWS Control Tower</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul> |
138-
| [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions. | | <ul><li>AWS Control Tower</li></ul> |
138+
| [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions. | | |
139139
| [Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org) | Demonstrates configuring a security group policy and WAF policies for all accounts within an organization. | | |
140140
| [GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org) | Configures GuardDuty within a delegated admin account for all accounts within an organization. | | |
141141
| [IAM Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer) | Configures an organization analyzer within a delegated admin account and account level analyzer within each account. | | [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul> |
@@ -144,7 +144,7 @@ _Note: The `Quick Setup` is not designed to be used with the `Easy Setup` proced
144144
| [S3 Block Account Public Access](aws_sra_examples/solutions/s3/s3_block_account_public_access) | Configures the account-level S3 BPA settings for all accounts within the organization. | Configures S3 BPA settings on buckets created by Control Tower only. | <ul><li>AWS Control Tower</li></ul> |
145145
| [Security Hub](aws_sra_examples/solutions/securityhub/securityhub_org) | Configures Security Hub within a delegated admin account for all accounts and governed regions within the organization. | | <ul><li>AWS Config in all Org Accounts</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account) (_if using AWS Control Tower_)</li></ul> |
146146
| [Inspector](aws_sra_examples/solutions/inspector/inspector_org) | Configure Inspector within a delegated admin account for all accounts and governed regions within the organization. | | |
147-
| [Detective](aws_sra_examples/solutions/detective/detective) | The Detective Organization solution will automate enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts. **Note:** As of 06/07/2023, this solution is not included in the quick setup (it will be in a future code release) | | <ul><li>AWS Control Tower</li><li>[GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)</li></ul> |
147+
| [Detective](aws_sra_examples/solutions/detective/detective) | The Detective Organization solution will automate enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts. | | <ul><li>[GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)</li></ul> |
148148

149149

150150
## Utils

Diff for: aws_sra_examples/solutions/account/account_alternate_contacts/templates/sra-account-alternate-contacts-main-ssm.yaml

+21-2
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,11 @@ Metadata:
2222
- pSRAStagingS3BucketName
2323
- pSRAAlarmEmail
2424
- pRootOrganizationalUnitId
25+
- Label:
26+
default: IAM Properties
27+
Parameters:
28+
- pStackSetAdminRole
29+
- pStackExecutionRole
2530
- Label:
2631
default: Lambda Function Properties
2732
Parameters:
@@ -58,6 +63,10 @@ Metadata:
5863
Parameters:
5964
- pComplianceFrequency
6065
ParameterLabels:
66+
pStackSetAdminRole:
67+
default: Stack Set Role
68+
pStackExecutionRole:
69+
default: Stack execution role
6170
pBillingContactAction:
6271
default: Billing Alternate Contact Action
6372
pBillingEmail:
@@ -116,6 +125,16 @@ Metadata:
116125
default: SRA Staging S3 Bucket Name
117126

118127
Parameters:
128+
pStackSetAdminRole:
129+
AllowedValues: [sra-stackset]
130+
Default: sra-stackset
131+
Description: The administration role name that is used in the stackset.
132+
Type: String
133+
pStackExecutionRole:
134+
AllowedValues: [sra-execution]
135+
Default: sra-execution
136+
Description: The execution role name that is used in the stack.
137+
Type: String
119138
pBillingContactAction:
120139
AllowedValues: ['add', 'delete', 'ignore']
121140
Default: 'add'
@@ -441,13 +460,13 @@ Resources:
441460
UpdateReplacePolicy: Delete
442461
Properties:
443462
StackSetName: sra-account-alternate-global-events
444-
AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
463+
AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
445464
CallAs: SELF
446465
Capabilities:
447466
- CAPABILITY_NAMED_IAM
448467
Description:
449468
!Sub ${pSRASolutionVersion} - Deploys EventBridge Rules via ${pSRASolutionName} for capturing global events forwarding to the home region.
450-
ExecutionRoleName: AWSControlTowerExecution
469+
ExecutionRoleName: !Ref pStackExecutionRole
451470
ManagedExecution:
452471
Active: true
453472
OperationPreferences:

0 commit comments

Comments
 (0)