
Commit 45949b5

ievgeniia ieromenko authored
Added Config solution (#201)
* adding abi config module
* updated config enabled regions param
* param fixes
* outputs fixes
* adding kms key outputs
* updated param description
* added sns fanout update to the branch
* updated params
* updated main-ssm outputs
* updated documentation

Co-authored-by: ievgeniia ieromenko <[email protected]>
1 parent 75422aa commit 45949b5

21 files changed (+5935, -1 lines)

README.md (+1)
@@ -133,6 +133,7 @@ _Note: The `Quick Setup` is not designed to be used with the `Easy Setup` proced
133133
| [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) | Sets the billing, operations, and security alternate contacts for all accounts within the organization. | | |
134134
| [CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org) | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events. | CloudTrail enabled in each account with management events only. | |
135135
| [Config Management Account](aws_sra_examples/solutions/config/config_management_account) | Enables AWS Config in the Management account to allow resource compliance monitoring. | Configures AWS Config in all accounts except for the Management account in each governed region. | <ul><li>AWS Control Tower</li></ul> |
136+
| [Config Organization](aws_sra_examples/solutions/config/config_org) | Configures AWS Config in all accounts in each governed region. Deploys an Organization Config Aggregator to a delegated admin account. **This solution is incompatible with the AWS Control Tower environment**. | | <ul><li>AWS Organization</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li> |
136137
| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization. | | <ul><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account)</li></ul> |
137138
| [Config Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org) | **Not required for most Control Tower environments.** Deploy an Organization Config Aggregator to a delegated admin other than the Audit account. | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. | <ul><li>AWS Control Tower</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul> |
138139
| [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions. | | |
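Review bot: the Dependencies cell of the new Config Organization row opens a `<ul>` but never closes it (the added line ends with `...</li> |`), whereas the Config Management Account and Conformance Pack rows around it end with `</ul>`; add the closing `</ul>` so the table renders consistently. It would also help readers to state whether this solution can coexist with Config Management Account: that row enables AWS Config in the Management account and this one configures AWS Config in all accounts, so deploying both would target the Management account twice.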

aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml (+177, -1)
@@ -45,6 +45,7 @@ Metadata:
4545
Parameters:
4646
- pDeployAccountAlternateContactsSolution
4747
- pDeployCloudTrailSolution
48+
- pDeployConfigSolution
4849
- pDeployConfigManagementSolution
4950
- pDeployConfigConformancePackSolution
5051
- pDeployEC2DefaultEBSEncryptionSolution
@@ -88,6 +89,26 @@ Metadata:
8889
- pCloudTrailLogGroupRetention
8990
- pCreateCloudTrailLogGroup
9091
- pOrganizationCloudTrailKeyAlias
92+
- Label:
93+
default: AWS Config Solution (This solution is incompatible with the AWS Control Tower environment)
94+
Parameters:
95+
- pCommonPrerequisitesRegionsOnly
96+
- pConfigEnabledRegions
97+
- pRecorderName
98+
- pAllSupported
99+
- pIncludeGlobalResourceTypes
100+
- pResourceTypes
101+
- pDeliveryChannelName
102+
- pConfigOrgDeliveryBucketPrefix
103+
- pConfigOrgDeliveryKeyAlias
104+
- pFrequency
105+
- pConfigTopicName
106+
- pSubscribeToConfigurationTopic
107+
- pConfigurationEmail
108+
- pConfigOrgSnsKeyAlias
109+
- pAggregatorName
110+
- pAggregatorRoleName
111+
- pRegisterDelegatedAdminAccount
91112
- Label:
92113
default: AWS Config Management Solution
93114
Parameters:
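Review bot: pAllSupported, pIncludeGlobalResourceTypes, pResourceTypes and pFrequency are listed under the new AWS Config Solution group, but pResourceTypes at least already existed in this template (its AllowedPattern is modified further down in this diff), so these are presumably also listed under the AWS Config Management Solution group; check how the console renders a parameter that appears in two ParameterGroups, or move the shared ones into a common group so each parameter is listed once.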
@@ -298,6 +319,8 @@ Metadata:
298319
default: Deploy the CloudTrail Solution
299320
pDeployConfigConformancePackSolution:
300321
default: Deploy the AWS Config Conformance Pack Solution
322+
pDeployConfigSolution:
323+
default: Deploy the AWS Config Solution (This solution is incompatible with the AWS Control Tower environment)
301324
pDeployConfigManagementSolution:
302325
default: Deploy the AWS Config Management Solution
303326
pDeployEC2DefaultEBSEncryptionSolution:
@@ -437,6 +460,33 @@ Metadata:
437460
pVpcId:
438461
default: (Optional) Existing VPC ID
439462

463+
pCommonPrerequisitesRegionsOnly:
464+
default: Common Prerequisites Regions Only
465+
pConfigEnabledRegions:
466+
default: (Optional) Enabled Regions
467+
pRecorderName:
468+
default: Recorder Name
469+
pDeliveryChannelName:
470+
default: Delivery Channel Name
471+
pConfigOrgDeliveryBucketPrefix:
472+
default: Config Delivery Bucket Prefix
473+
pConfigOrgDeliveryKeyAlias:
474+
default: Config Delivery KMS Key Alias
475+
pConfigTopicName:
476+
default: Config SNS Topic Name
477+
pSubscribeToConfigurationTopic:
478+
default: Subscribe to Configuration Topic
479+
pConfigurationEmail:
480+
default: Configuration Email
481+
pConfigOrgSnsKeyAlias:
482+
default: Config SNS KMS Key Alias
483+
pAggregatorName:
484+
default: Config Aggregator Name
485+
pAggregatorRoleName:
486+
default: Config Aggregator Role Name
487+
pRegisterDelegatedAdminAccount:
488+
default: Register Delegated Admin Account
489+
440490
Parameters:
441491
pRepoURL:
442492
Default: https://github.com/aws-samples/aws-security-reference-architecture-examples.git
@@ -735,6 +785,11 @@ Parameters:
735785
Default: 'No'
736786
Description: Deploy the AWS Config Conformance Pack solution
737787
Type: String
788+
pDeployConfigSolution:
789+
AllowedValues: ['Yes', 'No']
790+
Default: 'No'
791+
Description: Deploy the AWS Config solution (This solution is incompatible with the AWS Control Tower environment)
792+
Type: String
738793
pDeployConfigManagementSolution:
739794
AllowedValues: ['Yes', 'No', 'Already Deployed']
740795
Default: 'No'
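Review bot: pDeployConfigSolution and pDeployConfigManagementSolution can both be set to 'Yes' and nothing in the Rules section prevents it, even though the README row describes this solution as configuring AWS Config in all accounts while the Config Management solution enables it in the Management account. Consider a rule asserting the two are not both selected, for example `RuleCondition: !Equals [!Ref pDeployConfigSolution, 'Yes']` with `Assert: !Not [!Equals [!Ref pDeployConfigManagementSolution, 'Yes']]`, or document the intended combination in this parameter's Description.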
@@ -1072,7 +1127,7 @@ Parameters:
10721127
Description: You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
10731128
Type: String
10741129
pResourceTypes:
1075-
AllowedPattern: '^$|^([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$|^(([a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+(,|, ))*[a-zA-Z]+::[a-zA-Z]+::[a-zA-Z]+)$'
1130+
AllowedPattern: '^$|^([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$|^(([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+(,|, ))*[0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$'
10761131
Default: ''
10771132
Description:
10781133
(Optional) A list of valid AWS resource types to include in this recording group. Eg. AWS::CloudTrail::Trail. If 'All Supported' parameter is
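Review bot: allowing digits in the resource-type segments is needed because types such as `AWS::EC2::Instance` would not match the old `[a-zA-Z]+` pattern, so the change is correct; note, though, that the middle alternative `^([0-9a-zA-Z]+::[0-9a-zA-Z]+::[0-9a-zA-Z]+)$` is redundant, since the list alternative with zero repetitions of the comma group already matches a single type, and the pattern could be simplified accordingly. While touching this parameter, "Eg." in the Description would read better as "e.g.".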
@@ -1136,6 +1191,82 @@ Parameters:
11361191
Description: (Optional) Existing VPC ID for the Firewall Manager Security Groups. Required if Create VPC For Security Group is "false".
11371192
Type: String
11381193

1194+
pCommonPrerequisitesRegionsOnly:
1195+
AllowedValues: ['true', 'false']
1196+
Default: 'true'
1197+
Description: Only enable in the customer regions specified in Common Prerequisites solution
1198+
Type: String
1199+
pRecorderName:
1200+
AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
1201+
ConstraintDescription:
1202+
Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
1203+
Default: sra-ConfigRecorder
1204+
Description: Config recorder name
1205+
Type: String
1206+
pDeliveryChannelName:
1207+
AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
1208+
ConstraintDescription:
1209+
Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
1210+
Default: sra-config-s3-delivery
1211+
Description: Config delivery channel name
1212+
Type: String
1213+
pConfigOrgDeliveryBucketPrefix:
1214+
AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
1215+
ConstraintDescription:
1216+
S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
1217+
Default: sra-config-org-delivery
1218+
Description:
1219+
Config Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-config-delivery-123456789012-us-east-1
1220+
Type: String
1221+
pConfigOrgDeliveryKeyAlias:
1222+
Default: sra-config-org-delivery-key
1223+
Description: Config Delivery KMS Key Alias
1224+
Type: String
1225+
pConfigTopicName:
1226+
AllowedPattern: '^[\w+=,.@-]{1,64}$'
1227+
Default: sra-ConfigNotifications
1228+
Description: Configuration Notification SNS Topic in Audit Account that AWS Config delivers notifications to.
1229+
Type: String
1230+
pSubscribeToConfigurationTopic:
1231+
AllowedValues: [true, false]
1232+
Default: false
1233+
Description: Indicates whether ConfigurationEmail will be subscribed to the Configuration Notification SNS Topic.
1234+
Type: String
1235+
pConfigurationEmail:
1236+
AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
1237+
ConstraintDescription: Email Validation as per RFC2822 standards.
1238+
Description: Email for receiving all AWS configuration events
1239+
Default: ''
1240+
Type: 'String'
1241+
pConfigOrgSnsKeyAlias:
1242+
Default: sra-config-org-sns-key
1243+
Description: Config SNS KMS Key Alias
1244+
Type: String
1245+
pAggregatorName:
1246+
AllowedPattern: '^[\w\-]+'
1247+
ConstraintDescription: Max 256 alphanumeric characters.
1248+
Default: sra-config-aggregator-org
1249+
MaxLength: 256
1250+
MinLength: 1
1251+
Type: String
1252+
pAggregatorRoleName:
1253+
AllowedPattern: '^[\w+=,.@-]{1,64}$'
1254+
ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -].
1255+
Default: sra-config-aggregator-org
1256+
Type: String
1257+
pRegisterDelegatedAdminAccount:
1258+
AllowedValues: ['Yes', 'No']
1259+
Default: 'Yes'
1260+
Description: Register a delegated administrator account using the Common Register Delegated Administrator solution.
1261+
Type: String
1262+
pConfigEnabledRegions:
1263+
AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
1264+
ConstraintDescription:
1265+
Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
1266+
us-east-1,ap-southeast-2)
1267+
Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.
1268+
Type: String
1269+
11391270
Rules:
11401271
BillingContactValidation:
11411272
RuleCondition: !And
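Review bot: the ConstraintDescription and AllowedPattern for pConfigOrgDeliveryBucketPrefix accept uppercase letters, but S3 bucket names must be lowercase, so a prefix containing `A-Z` passes template validation and then fails at bucket creation inside the nested stack; restrict the pattern to `^$|^[0-9a-z]+([0-9a-z-]*[0-9a-z])*$` and correct the description. Smaller points in the same hunk: pSubscribeToConfigurationTopic uses unquoted `[true, false]` and `Default: false` on a Type: String parameter where pCommonPrerequisitesRegionsOnly quotes them ('true'/'false'), so quote these for consistency; the pAggregatorName AllowedPattern `'^[\w\-]+'` has no trailing `$`, so it only checks the leading character run, and its ConstraintDescription ("Max 256 alphanumeric characters") omits the underscore and hyphen the pattern admits; and the pConfigEnabledRegions Description ("Leave blank to enable all regions"), like its "(Optional)" label added above, contradicts the EnabledRegionValidation rule added later in this diff, which requires a value when pCommonPrerequisitesRegionsOnly is 'false'.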
@@ -1156,6 +1287,7 @@ Rules:
11561287
- Assert: !Or
11571288
- !Equals [!Ref pDeployConfigManagementSolution, 'Yes']
11581289
- !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed']
1290+
- !Equals [!Ref pDeployConfigSolution, 'Yes']
11591291
AssertDescription:
11601292
"'Deploy the AWS Config Management Solution' parameter must be set to 'Yes' or 'Already Deployed', if the 'Deploy the AWS Config Conformance
11611293
Pack Solution' parameter is set to 'Yes'."
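Review bot: the !Or now accepts pDeployConfigSolution set to 'Yes', but the AssertDescription on the following lines still tells the user that only 'Deploy the AWS Config Management Solution' set to 'Yes' or 'Already Deployed' satisfies the Conformance Pack rule; update it to mention 'Deploy the AWS Config Solution' as well. The same applies to the Security Hub rule in the next hunk, whose AssertDescription is likewise unchanged.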
@@ -1165,6 +1297,7 @@ Rules:
11651297
- Assert: !Or
11661298
- !Equals [!Ref pDeployConfigManagementSolution, 'Yes']
11671299
- !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed']
1300+
- !Equals [!Ref pDeployConfigSolution, 'Yes']
11681301
AssertDescription:
11691302
"'Deploy the AWS Config Management Solution' parameter must be set to 'Yes' or 'Already Deployed', if the 'Deploy the Security Hub Solution'
11701303
parameter is set to 'Yes'."
@@ -1194,6 +1327,16 @@ Rules:
11941327
AssertDescription:
11951328
"'Security Full Name', 'Security Title', 'Security Email' and 'Security Phone' parameters are required if the 'Security Alternate Contact
11961329
Action' parameter is set to 'add'."
1330+
EnabledRegionValidation:
1331+
RuleCondition: !Equals [!Ref pCommonPrerequisitesRegionsOnly, 'false']
1332+
Assertions:
1333+
- Assert: !Not [!Equals [!Ref pConfigEnabledRegions, '']]
1334+
AssertDescription: "'Enabled Regions' parameter has to have a value if 'Common Prerequisites Regions Only' parameter is set to 'false'."
1335+
ResourceTypesValidation:
1336+
RuleCondition: !Equals [!Ref pAllSupported, 'false']
1337+
Assertions:
1338+
- AssertDescription: "'Resource Types' parameter is required if 'All Supported' parameter is set to 'false'."
1339+
Assert: !Not [!Equals [!Ref pResourceTypes, '']]
11971340

11981341
Conditions:
11991342
cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
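Review bot: EnabledRegionValidation and ResourceTypesValidation fire regardless of whether pDeployConfigSolution is 'Yes', so a user who is not deploying the Config solution but sets pCommonPrerequisitesRegionsOnly to 'false', or pAllSupported to 'false' without listing resource types, gets a rule failure from a solution they did not select; wrap each RuleCondition in an !And that also checks `!Equals [!Ref pDeployConfigSolution, 'Yes']` (or, if pAllSupported and pResourceTypes are shared with the Config Management solution, a condition covering both). Minor: ResourceTypesValidation lists AssertDescription before Assert, whereas the other rules in this template put Assert first.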
@@ -1214,12 +1357,14 @@ Conditions:
12141357
cCreateLambdaLogGroup: !Equals [!Ref pCreateLambdaLogGroup, 'Yes']
12151358
cDeployAccountAlternateContactsSolution: !Equals [!Ref pDeployAccountAlternateContactsSolution, 'Yes']
12161359
cDeployCloudTrailSolution: !Equals [!Ref pDeployCloudTrailSolution, 'Yes']
1360+
cDeployConfigSolution: !Equals [!Ref pDeployConfigSolution, 'Yes']
12171361
cDeployConfigManagementSolution: !Equals [!Ref pDeployConfigManagementSolution, 'Yes']
12181362
cDeployConfigManagementSolutionAlreadyDeployed: !Equals [!Ref pDeployConfigManagementSolution, 'Already Deployed']
12191363
cDeployConfigConformancePackSolution: !And
12201364
- !Or
12211365
- !Condition cDeployConfigManagementSolution
12221366
- !Condition cDeployConfigManagementSolutionAlreadyDeployed
1367+
- !Condition cDeployConfigSolution
12231368
- !Equals [!Ref pDeployConfigConformancePackSolution, 'Yes']
12241369
cDeployDetectiveSolution: !Equals [!Ref pDeployDetectiveSolution, 'Yes']
12251370
cDeployEC2DefaultEBSEncryptionSolution: !Equals [!Ref pDeployEC2DefaultEBSEncryptionSolution, 'Yes']
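Review bot: with cDeployConfigSolution added to the !Or, the Conformance Pack stack now deploys on top of either Config solution, but the README row for Config Organization Conformance Pack in the first hunk of this diff still lists only Config Management Account as a dependency; update that row so the documentation matches the condition.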
@@ -2083,3 +2228,34 @@ Resources:
20832228
pLambdaLogLevel: !Ref pLambdaLogLevel
20842229
pSRAAlarmEmail: !Ref pSRAAlarmEmail
20852230
pComplianceFrequency: !Ref pComplianceFrequency
2231+
2232+
rConfigSolutionStack:
2233+
Type: AWS::CloudFormation::Stack
2234+
DependsOn: rCommonPrerequisitesMainSsm
2235+
Condition: cDeployConfigSolution
2236+
DeletionPolicy: Delete
2237+
UpdateReplacePolicy: Delete
2238+
Properties:
2239+
TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-config-org/templates/sra-config-org-main-ssm.yaml
2240+
Parameters:
2241+
pControlTowerRegionsOnly: !Ref pCommonPrerequisitesRegionsOnly
2242+
pEnabledRegions: !Ref pConfigEnabledRegions
2243+
pRecorderName: !Ref pRecorderName
2244+
pDeliveryChannelName: !Ref pDeliveryChannelName
2245+
pConfigOrgDeliveryBucketPrefix: !Ref pConfigOrgDeliveryBucketPrefix
2246+
pConfigOrgDeliveryKeyAlias: !Ref pConfigOrgDeliveryKeyAlias
2247+
pConfigTopicName: !Ref pConfigTopicName
2248+
pSubscribeToConfigurationTopic: !Ref pSubscribeToConfigurationTopic
2249+
pConfigurationEmail: !Ref pConfigurationEmail
2250+
pConfigOrgSnsKeyAlias: !Ref pConfigOrgSnsKeyAlias
2251+
pAggregatorName: !Ref pAggregatorName
2252+
pAggregatorRoleName: !Ref pAggregatorRoleName
2253+
pRegisterDelegatedAdminAccount: !Ref pRegisterDelegatedAdminAccount
2254+
pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
2255+
pLambdaLogLevel: !Ref pLambdaLogLevel
2256+
pSRAAlarmEmail: !Ref pSRAAlarmEmail
2257+
pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
2258+
pFrequency: !Ref pFrequency
2259+
pAllSupported: !Ref pAllSupported
2260+
pIncludeGlobalResourceTypes: !Ref pIncludeGlobalResourceTypes
2261+
pResourceTypes: !Ref pResourceTypes
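Review bot: the nested stack parameter is named pControlTowerRegionsOnly while the value passed in is pCommonPrerequisitesRegionsOnly, the name this template uses; the mapping works, but since the README marks this solution as incompatible with AWS Control Tower, the Control Tower name in sra-config-org-main-ssm.yaml is misleading and worth renaming to match. Also, the two consecutive blank lines added before rConfigSolutionStack can be reduced to one.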
