new staging script, all solutions refactored to use nested stacks, documentation consistency

Author: andywick-aws

.flake8

@@ -1,5 +1,7 @@
 [flake8]
 max-line-length = 150
+max-complexity = 10
+max-cognitive-complexity = 10
 max-parameters-amount = 7
 min_python_version = 3.9.0
 copyright-regexp = Copyright Amazon.com, Inc\..*
@@ -13,8 +15,9 @@ select = A,B,B9,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z,0,1,2,3,4,5,6,7,
 
 # disable below checks:
 ignore =
-    FS003  # f-string missing prefix (false positives with raw strings)
-    T003:  # add link on issue into TODO
+    FS003,  # f-string missing prefix (false positives with raw strings)
+    T003,  # add link on issue into TODO
+    W503  # Line break occurred before binary operator
 
 # disable flake8 checks for Lambda function source code that will be used inline. (max 4096 characters)
 per-file-ignores =

.github/ISSUE_TEMPLATE/bug.md

@@ -1,31 +1,37 @@
 ---
 name: Bug
 about: Report a bug
-title: "[BUG] "
+title: '[BUG] '
 labels: bug
 assignees: ''
-
 ---
 
 ### Describe the bug
+
 A clear and concise description of what the bug is.
 
 ### To Reproduce
+
 Steps to reproduce the behavior:
+
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error
 
 ### Expected behavior
+
 A clear and concise description of what you expected to happen.
 
 ### Screenshots
+
 If applicable, add screenshots to help explain your problem.
 
-### Deployment Environment (please complete the following information):
- - Deployment Framework [e.g. Customizations for Control Tower and CloudFormation StackSets]: 
- - Deployment Framework Version [e.g. 1.0, 2.0]:
+### Deployment Environment (please complete the following information)
+
+- Deployment Framework [e.g. Customizations for Control Tower and CloudFormation StackSets]:
+- Deployment Framework Version [e.g. 1.0, 2.0]:
 
 ### Additional context
+
 Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,20 +1,23 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
-title: "[FEATURE] "
+title: '[FEATURE] '
 labels: feature
 assignees: ''
-
 ---
 
-### Is your feature request related to a problem? Please describe.
+### Is your feature request related to a problem? Please describe
+
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 
 ### Describe the solution you'd like
+
 A clear and concise description of what you want to happen.
 
 ### Describe alternatives you've considered
+
 A clear and concise description of any alternative solutions or features you've considered.
 
 ### Additional context
+
 Add any other context or screenshots about the feature request here. e.g. link to a new AWS feature

.github/ISSUE_TEMPLATE/guidance.md

@@ -1,10 +1,9 @@
 ---
 name: Guidance
 about: Ask a guidance question
-title: "[Guidance]"
+title: '[Guidance]'
 labels: question
 assignees: ''
-
 ---
 
 <!--
@@ -18,6 +17,7 @@ clarification, instead of filing a new issue.
 -->
 
 ### The Question
+
 <!--
 Ask your question here. Include any details relevant. Make sure you are not
 falling prey to the [X/Y problem][2]!
@@ -27,8 +27,9 @@ falling prey to the [X/Y problem][2]!
 
 ### Environment
 
-  - **Example:** <!-- Name of the example in question -->
-  - **Framework** <!-- [all | Customizations for Control Tower | CloudFormation StackSets | etc... ] -->
+- **Example:** <!-- Name of the example in question -->
+- **Framework** <!-- [all | Customizations for Control Tower | CloudFormation StackSets | etc... ] -->
+
+### Other information
 
-### Other information 
 <!-- e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,7 +1,8 @@
+<!-- markdownlint-disable MD041 -->
 <!--
 Explain what changed and why.
 
-Please read the [Contribution guidelines][1], use the [General Contributing Guidance] checklist, 
+Please read the [Contribution guidelines][1], use the [General Contributing Guidance] checklist,
 and follow the pull-request checklist.
 
 [1]: https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/master/CONTRIBUTING.md
@@ -14,4 +15,4 @@ Fixes # <!-- Please create a new issue if none exists yet -->
 
 By submitting this pull request, I confirm that my contribution is made under the terms of the [Apache 2.0 license].
 
-[Apache 2.0 license]: https://www.apache.org/licenses/LICENSE-2.0
+[Apache 2.0 License](https://www.apache.org/licenses/LICENSE-2.0)

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2022-03-14](#2022-03-14)
 - [2022-01-07](#2022-01-07)
 - [2021-12-16](#2021-12-16)
 - [2021-12-10](#2021-12-10)
@@ -20,6 +21,88 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2022-03-14
+
+### Added<!-- omit in toc -->
+
+- Added new document [DOWNLOAD-AND-STAGE-SOLUTIONS.md](aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md) to explain the steps for downloading the SRA example code and staging the solutions within the S3 staging bucket.
+- Added [Security Hub Organization](aws_sra_examples/solutions/securityhub/securityhub_org) solution to configure Security Hub using AWS Organizations. All existing accounts are added to the central admin account, standards are enabled/disabled per
+  provided parameters, a region aggregator is created per the provided paramenter, and a parameter is provided for disabling Security Hub within all accounts and regions via SNS fanout.
+
+### Changed<!-- omit in toc -->
+
+- Updated the [CFCT-DEPLOYMENT-INSTRUCTIONS.md](aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md) document to remove references to the common_cfct_setup solution.
+- [CloudTrail](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/cloudtrail/cloudtrail_org) solution
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+  - Added integration with Secrets Manager to share CloudFormation output values with the management account.
+  - Updated the bucket policy to use aws:SourceArn to align with the updated documentation
+    [Organization Trail Bucket Policy](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#org-trail-bucket-policy).
+  - Updated the CFCT configuration to use the main templates and parameters.
+- [Common CFCT Setup](aws_sra_examples/solutions/common/common_cfct_setup) solution
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+  - Removed the Lambda function that created a new OU and moved the management account. This is no longer required due to the latest version of the CFCT solution supporting deployments to the management account within the root OU.
+- [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution
+  - Added a template to create a KMS key for sharing CloudFormation outputs via Secrets Manager secrets.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+  - Updated the staging bucket policy to fix the reference to the AWSControlTowerExecution role ARN.
+  - Added SRA version parameter to main templates for triggering updates to StackSets.
+  - Added logic within the descriptions to reference the rControlTowerExecutionRoleStack resource if the cCreateAWSControlTowerExecutionRole condition is met. This logic avoids creating an empty stack when the condition is false.
+- [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator) solution
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+  - Updated the CFCT configuration to use the main templates and parameters.
+  - Added integration with Secrets Manager to share CloudFormation output values with the management account.
+  - Updated the Lambda function to align with latest coding standards.
+- [AWS Config Aggregator](aws_sra_examples/solutions/config/config_aggregator_org) solution
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated the CFCT configuration to use the main templates and parameters.
+  - Added pRegisterDelegatedAdminAccount parameter to determine whether or not to register the delegated administrator account. This allows the ability to register the delegated admin accounts outside of this solution.
+- [AWS Config Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) solution
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+  - Updated the CFCT configuration to use the main templates and parameters.
+  - Added pRegisterDelegatedAdminAccount parameter to determine whether or not to register the delegated administrator account.
+  - Moved the list_config_recorder_status.py script from the utils/aws_control_tower/helper_scripts to the solution scripts folder.
+  - Updated and moved the Operational-Best-Practices-for-Encryption-and-Keys.yaml conformance pack template to the templates/aws_config_conformance_packs folder.
+- [AWS Config Management Account](aws_sra_examples/solutions/config/config_management_account) solution
+  - Added SRA version parameter to main templates for triggering updates to StackSets.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+- [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) solution
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+- [Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org) solution
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+- [GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org) solution
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+  - Added a parameter and logic to disable GuardDuty within all accounts and regions using SNS fanout.
+- [IAM Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer) solution
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+- [IAM Password Policy](aws_sra_examples/solutions/iam/iam_password_policy) solution
+  - Renamed solution and files to remove \_acct suffix
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+- [Macie](aws_sra_examples/solutions/macie/macie_org) solution
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+  - Added a parameter and logic to disable Macie within all accounts and regions using SNS fanout.
+- [S3 Block Account Public Access](aws_sra_examples/solutions/s3/s3_block_account_public_access) solution
+  - Added main templates to simplify deployments via nested stacks.
+  - Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
+
+### Removed<!-- omit in toc -->
+
+- The `Account Security Hub Enabler` solution was replaced with the [Security Hub Organization](aws_sra_examples/solutions/securityhub/securityhub_org) solution.
+- The `package-lambda.sh` script was replaced by the stage_solution.sh script.
+- The `Prerequisites for AWS Control Tower solutions` files were replaced with the [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution.
+
+### Fixed<!-- omit in toc -->
+
+- Fixed checkov metadata entries to use updated [check suppression via CFN Metadata](https://github.com/bridgecrewio/checkov/pull/2216).
+
 ## 2022-01-07
 
 ### Added<!-- omit in toc -->

README.md

@@ -17,9 +17,11 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 ## Introduction
 
 This repository contains code to help developers and engineers deploy AWS security-related services in an `AWS Control Tower` multi-account environment following patterns that align with the
-[AWS Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/). The Amazon Web Services (AWS) Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment.
+[AWS Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/). The Amazon Web Services (AWS) Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying
+the full complement of AWS security services in a multi-account environment.
 
-The AWS service configurations and resources (e.g. IAM roles and policies) deployed by these templates are deliberately very restrictive. They are intended to illustrate an implementation pattern rather than provide a complete solution. You may need to modify and tailor these solutions to suit your environment and security needs.
+The AWS service configurations and resources (e.g. IAM roles and policies) deployed by these templates are deliberately very restrictive. They are intended to illustrate an implementation pattern rather than provide a complete solution. You may need
+to modify and tailor these solutions to suit your environment and security needs.
 
 The examples within this repository have been deployed and tested within an `AWS Control Tower` environment using `AWS CloudFormation` as well as the `Customizations for AWS Control Tower (CFCT)` solution.
 
@@ -30,8 +32,8 @@ The examples within this repository have been deployed and tested within an `AWS
 1. Setup the environment to configure [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html) within a new or existing AWS account.
 2. Deploy the [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution.
 3. Choose a deployment method:
-   - [AWS CloudFormation StackSets/Stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)
-   - [Customizations for AWS Control Tower (CFCT)](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/)
+   - AWS CloudFormation StackSets/Stacks - [AWS Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)
+   - Customizations for AWS Control Tower (CFCT) - [Solution Documentation](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/)
 4. (Optional) - Deploy the [Customizations for AWS Control Tower (CFCT) Setup](aws_sra_examples/solutions/common/common_cfct_setup) solution. **Note** Only implement if the CFCT deployment method was selected.
 5. Per your requirements select one or all of the [Example Solutions](aws_sra_examples/solutions) to implement via the selected deployment method.
 
@@ -53,26 +55,24 @@ The examples within this repository have been deployed and tested within an `AWS
   - [Organization GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)
 - IAM
   - [Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer)
-  - [Account Password Policy](aws_sra_examples/solutions/iam/iam_password_policy_acct)
+  - [Account Password Policy](aws_sra_examples/solutions/iam/iam_password_policy)
 - Macie
   - [Organization Macie](aws_sra_examples/solutions/macie/macie_org)
 - S3
   - [S3 Block Account Public Access](aws_sra_examples/solutions/s3/s3_block_account_public_access)
 - SecurityHub
-  - [Account SecurityHub Enabler](aws_sra_examples/solutions/securityhub/securityhub_enabler_acct)
+  - [Organization Security Hub](aws_sra_examples/solutions/securityhub/securityhub_org)
 
 ## Utils
 
-- [Prerequisites for AWS Control Tower solutions](aws_sra_examples/utils/aws_control_tower/prerequisites)
-- packaging_scripts
-  - package-lambda.sh (Creates the Lambda zip file and uploads to an S3 bucket)
+- packaging_scripts/stage-solution.sh (Package and stage all the AWS SRA example solutions. For more information see [Staging script details](aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md#staging-script-details))
 
 ## Environment Setup
 
 Based on the deployment method selected these solutions are required to implement SRA solutions.
 
-- [Common Customizations for AWS Control Tower (CFCT) Setup](aws_sra_examples/solutions/common/common_cfct_setup)
 - [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites)
+- [Common Customizations for AWS Control Tower (CFCT) Setup](aws_sra_examples/solutions/common/common_cfct_setup)
 
 ## Repository and Solution Naming Convention
 
@@ -96,22 +96,14 @@ The repository is organized by AWS service solutions, which include deployment p
 │   │       │       ├── app.py
 │   │       │       └── requirements.txt
 │   │       └── templates
-│   │           ├── guardduty-org-configuration-role.yaml
-│   │           ├── guardduty-org-configuration.yaml
-│   │           ├── guardduty-org-delete-detector-role.yaml
-│   │           ├── guardduty-org-delivery-kms-key.yaml
-│   │           └── guardduty-org-delivery-s3-bucket.yaml
+│   │           ├── sra-guardduty-org-configuration-role.yaml
+│   │           ├── sra-guardduty-org-configuration.yaml
+│   │           ├── sra-guardduty-org-delete-detector-role.yaml
+│   │           ├── sra-guardduty-org-delivery-kms-key.yaml
+│   │           └── sra-guardduty-org-delivery-s3-bucket.yaml
 │   ├── ...
 ```
 
-The example solutions within this repository can be managed/deployed to accounts using AWS Organizations or directly within individual accounts. The suffix on the solution name identifies how the solution is managed/deployed.
-
-| Solution Suffix | Description                                                         |
-| --------------- | ------------------------------------------------------------------- |
-| acct            | The solution is managed/deployed within each account                |
-| org             | The solution is managed/deployed to accounts via AWS Organizations  |
-| ou              | The solution is managed/deployed to accounts via Organization Units |
-
 ## Frequently Asked Questions
 
 Q. How were these particular solutions chosen? A. All the examples in this repository are derived from common patterns that many customers ask us to help them deploy within their environments. We will be adding to the examples over time.