Commit 968160b

Merge pull request #95 from andywick-aws/documentation-updates
Documentation updates to clarify solutions and improve navigation
2 parents 58c5973 + 7585802 commit 968160b

4 files changed: +31 -35 lines changed

README.md

+17 -26
@@ -5,7 +5,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
55
## Table of Contents<!-- omit in toc -->
66

77
- [Introduction](#introduction)
8-
- [Getting Started with SRA](#getting-started-with-sra)
8+
- [Getting Started with the SRA Code Examples](#getting-started-with-the-sra-code-examples)
99
- [Example Solutions](#example-solutions)
1010
- [Utils](#utils)
1111
- [Environment Setup](#environment-setup)
@@ -25,7 +25,7 @@ to modify and tailor these solutions to suit your environment and security needs
2525

2626
The examples within this repository have been deployed and tested within an `AWS Control Tower` environment using `AWS CloudFormation` as well as the `Customizations for AWS Control Tower (CFCT)` solution.
2727

28-
## Getting Started with SRA
28+
## Getting Started with the SRA Code Examples
2929

3030
![How to get started process diagram](./aws_sra_examples/docs/artifacts/where-to-start-process.png)
3131

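Review bot: Renaming this heading also changes its anchor from `#getting-started-with-sra` to `#getting-started-with-the-sra-code-examples`; the table of contents in this file is updated in the first hunk, but any other document or external link still pointing at the old anchor will break silently, so grep the repository for `getting-started-with-sra` before merging.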
@@ -35,33 +35,24 @@ The examples within this repository have been deployed and tested within an `AWS
3535
- AWS CloudFormation StackSets/Stacks - [AWS Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)
3636
- Customizations for AWS Control Tower (CFCT) - [Solution Documentation](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/)
3737
4. (Optional) - Deploy the [Customizations for AWS Control Tower (CFCT) Setup](aws_sra_examples/solutions/common/common_cfct_setup) solution. **Note** Only implement if the CFCT deployment method was selected.
38-
5. Per your requirements select one or all of the [Example Solutions](aws_sra_examples/solutions) to implement via the selected deployment method.
38+
5. Per your requirements select one or all of the below Example Solutions to implement via the selected deployment method.
3939

4040
## Example Solutions
4141

42-
- Common
43-
- [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)
44-
- CloudTrail
45-
- [Organization CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org)
46-
- Config
47-
- [Config Management Account](aws_sra_examples/solutions/config/config_management_account)
48-
- [Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org)
49-
- [Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org)
50-
- EC2
51-
- [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption)
52-
- Firewall Manager
53-
- [Organization Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org)
54-
- GuardDuty
55-
- [Organization GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)
56-
- IAM
57-
- [Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer)
58-
- [Account Password Policy](aws_sra_examples/solutions/iam/iam_password_policy)
59-
- Macie
60-
- [Organization Macie](aws_sra_examples/solutions/macie/macie_org)
61-
- S3
62-
- [S3 Block Account Public Access](aws_sra_examples/solutions/s3/s3_block_account_public_access)
63-
- SecurityHub
64-
- [Organization Security Hub](aws_sra_examples/solutions/securityhub/securityhub_org)
42+
| Example Solution | Solution Highlights | What does Control Tower provide? | Depends On |
43+
| :---------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
44+
| [CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org) | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events. | CloudTrail enabled in each account with management events only. | |
45+
| [Config Management Account](aws_sra_examples/solutions/config/config_management_account) | Enables AWS Config in the Management account to allow resource compliance monitoring. | Configures AWS Config in all accounts except for the Management account in each governed region. | |
46+
| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization. | | [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator), [Config Management Account](aws_sra_examples/solutions/config/config_management_account) |
47+
| [Config Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org) | **Not required for most Control Tower environments.** Deploy an Organization Config Aggregator to a delegated admin other than the Audit account. | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. | [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator) |
48+
| [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions. | | |
49+
| [Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org) | Demonstrates configuring a security group policy and WAF policies for all accounts within an organization. | | |
50+
| [GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org) | Configures GuardDuty within a delegated admin account for all accounts within an organization. | | |
51+
| [IAM Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer) | Configures an organization analyzer within a delegated admin account and account level analyzer within each account. | | [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator) |
52+
| [IAM Account Password Policy](aws_sra_examples/solutions/iam/iam_password_policy) | Sets the account password policy for users to align with common compliance standards. | | |
53+
| [Macie](aws_sra_examples/solutions/macie/macie_org) | Configures Macie within a delegated admin account for all accounts within the organization. | | |
54+
| [S3 Block Account Public Access](aws_sra_examples/solutions/s3/s3_block_account_public_access) | Configures the account-level S3 BPA settings for all accounts within the organization. | Configures S3 BPA settings on buckets created by Control Tower only. | |
55+
| [Security Hub](aws_sra_examples/solutions/securityhub/securityhub_org) | Configures Security Hub within a delegated admin account for all accounts and governed regions within the organization. | | [Config Management Account](aws_sra_examples/solutions/config/config_management_account) |
6556

6657
## Utils
6758

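Review bot: The new table has no row for the Common Register Delegated Administrator solution, which the old list carried under "Common"; it now appears only inside the Depends On column of three other rows, with no Solution Highlights and no Control Tower comparison, even though those rows require it to be deployed first. Add a row such as `| [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator) | <solution highlights> | | |` so readers can find the prerequisite. Two smaller points: step 5 no longer links to `aws_sra_examples/solutions` (the old link was useful for readers who want the directory rather than the table), and the empty cells in the "What does Control Tower provide?" column are ambiguous between "nothing" and "not yet documented"; an explicit "None" would make the intent clear.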
aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md

+9 -9
@@ -18,15 +18,15 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
1818

1919
## Deploy Customizations for AWS Control Tower (CFCT) Solution<!-- omit in toc -->
2020

21-
Deploy the [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) solution following the below instructions.
22-
23-
- In the `Management account (home region)`, deploy a new CloudFormation stack with the below recommended settings:
24-
<!-- markdownlint-disable-next-line MD034 -->
25-
- `Amazon S3 URL` = https://s3.amazonaws.com/solutions-reference/customizations-for-aws-control-tower/latest/custom-control-tower-initiation.template
26-
- `Stack name` = custom-control-tower-initiation
27-
- `AWS CodePipeline Source` = AWS CodeCommit
28-
- `Failure Tolerance Percentage` = 0
29-
- Acknowledge that AWS CloudFormation might create IAM resources with custom names
21+
- Option 1 (Recommended) Deploy the [Common CFCT Setup](../solutions/common/common_cfct_setup/) solution.
22+
- Option 2 Manually deploy the [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) solution following the below instructions.
23+
- In the `Management account (home region)`, deploy a new CloudFormation stack with the below recommended settings:
24+
<!-- markdownlint-disable-next-line MD034 -->
25+
- `Amazon S3 URL` = https://s3.amazonaws.com/solutions-reference/customizations-for-aws-control-tower/latest/custom-control-tower-initiation.template
26+
- `Stack name` = custom-control-tower-initiation
27+
- `AWS CodePipeline Source` = AWS CodeCommit
28+
- `Failure Tolerance Percentage` = 0
29+
- Acknowledge that AWS CloudFormation might create IAM resources with custom names
3030

3131
### AWS CodeCommit Repo<!-- omit in toc -->
3232

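Review bot: "Option 1 (Recommended) Deploy ..." and "Option 2 Manually deploy ..." run the label straight into the instruction; a separator makes them read as labels, e.g. `- Option 1 (Recommended): Deploy the [Common CFCT Setup](../solutions/common/common_cfct_setup/) solution.` and `- Option 2: Manually deploy the ... solution following the instructions below.` The relative path `../solutions/common/common_cfct_setup/` resolves from `aws_sra_examples/docs/` to the same directory the README links, so that is fine. Since the `<!-- markdownlint-disable-next-line MD034 -->` comment is now nested one level deeper under Option 2, check the rendered output to confirm the `Amazon S3 URL` bullet still sits inside the "recommended settings" sub-list rather than breaking it.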
aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md

+2
@@ -35,6 +35,8 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
3535
sh $HOME/aws-sra-examples/aws_sra_examples/utils/packaging_scripts/stage_solution.sh --profile <AWS_MANAGEMENT_ACCOUNT_PROFILE>
3636
```
3737

38+
6. Return to the [Common Prerequisites Solution Deployment](../solutions/common/common_prerequisites#solution-deployment)
39+
3840
## Install the prerequisites<!-- omit in toc -->
3941

4042
1. Configure [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html) within a new or existing AWS account (management account).
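Review bot: The new step 6 ends without a period and links to the `#solution-deployment` fragment of the Common Prerequisites README; that fragment only resolves if the README has a heading titled exactly "Solution Deployment", so verify it or link the README without the fragment. Because the step is inserted after the closing code fence of step 5, also confirm in the rendered page that `6.` continues the existing ordered list rather than starting a new one.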

aws_sra_examples/solutions/config/config_aggregator_org/README.md

+3
@@ -16,6 +16,9 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
1616
The AWS Config Aggregator Organization solution configures an AWS Config aggregator by delegating administration to a member account (e.g. Audit or Security Tooling) within the Organization Management account and then configuring AWS Config
1717
Aggregator within the delegated administrator account for all the existing and future AWS Organization accounts.
1818

19+
**Note:** This solution is not required for most AWS Control Tower environments due to the existing AWS Config Aggregator configured by the service within the `Audit account`. If configuring an organization AWS Config Aggregator within an account
20+
other than the `Audit account` is a requirement, this solution can meet the requirement.
21+
1922
---
2023

2124
## Deployed Resource Details
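Review bot: The added note uses "requirement" twice in one sentence ("is a requirement, this solution can meet the requirement"); a tighter form is "If an organization AWS Config Aggregator must be configured in an account other than the `Audit account`, use this solution." The note agrees with the **Not required for most Control Tower environments** wording added to the README table in the first file, which is good; keep the two in sync if either changes. The mid-sentence hard wrap on lines 19-20 matches the style of lines 16-17 above, so no change needed there.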
