Customizations for Control Tower (CfCT) deployments #206

Open
julian-price opened this issue Oct 16, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@julian-price

Customizations for Control Tower (CfCT) is a controlled means of deploying change (CloudFormation StackSets and SCPs) across a Control Tower landing zone. It supports lifecycle events (e.g. new account creation) as a trigger to ensure that deployments remain synchronised across the entire landing zone.

It is used by many AWS solutions, such as the Security Reference Architecture (SRA) as a means of deploying those solutions, reducing complexity, and providing an audited, automated means of deploying change across a whole Organization.

Describe the feature you'd like

An enhancement for the sharr solution would be to provide a documented CfCT deployment mechanism for the solution. Below are the manifest.yaml entries I used to perform my deployment of the solution, utilising the #204 enhancement to store a single set of shared KMS keys in the Control Tower audit account.

Note that this solution does not include delegation of the SecurityHub management account, nor does it include deployment of SecurityHub itself. If using the SRA, it provides a mechanism to delegate SecurityHub management to the CT audit account and to deploy the SecurityHub solution there.

The scripts below use the Alfred Helper to read parameters from SSM parameters which are stored in the management account. This is available as part of the CfCT solution, although the parameters used below are created by the SRA. Even without using the Alfred Helper, parameters could be provided as account IDs.

The resource_file parameter allows for CloudFormation templates to be loaded from https:// or s3:// URLs. While this is how I deployed the solution, those URLs have been removed for brevity below and instead the files are being loaded from the templates/ folder within the CfCT Git repo.

```yaml
  - name: aws-sharr-org-shared-key
    description: Deploy the Automated Security Response on AWS solution shared KMS key to each CT region
    resource_file: templates/aws-sharr-org-shared-key.template
    parameters:
      - parameter_key: 'OrganizationId'
        parameter_value: '$[alfred_ssm_/sra/control-tower/organization-id]'
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - <e.g. audit account name or ID>
    regions:
      - <list each region where the solution is to be deployed to>

  - name: aws-sharr-deploy
    description: Deploy the main SecurityHub solution for the Automated Security Response on AWS. Deployed to
    resource_file: templates/aws-sharr-deploy.template
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - <SecurityHub account name or ID>

  - name: aws-sharr-member-roles
    description: Deploy the member roles for the Automated Security Response on AWS. Deploy to every account, but only to the CT home region
    resource_file: templates/aws-sharr-member-roles.template
    parameters:
      - parameter_key: 'SecHubAdminAccount'
        parameter_value: '$[alfred_ssm_/sra/control-tower/audit-account-id]'
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Root

  - name: aws-sharr-member
    description: Deploy the member solution for the Automated Security Response on AWS to every account and region
    resource_file: templates/aws-sharr-member.template
    parameters:
      - parameter_key: 'SecHubAdminAccount'
        parameter_value: '$[alfred_ssm_/sra/control-tower/audit-account-id]'
      - parameter_key: 'KeyMgmtAdminAccount'
        parameter_value: '$[alfred_ssm_/sra/control-tower/audit-account-id]'
      - parameter_key: 'LogGroupName'
        parameter_value: '/Solutions/SO0111/Metrics_LogGroupName'
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Root
    regions:
      - <list each region where the solution is to be deployed to>
```
@julian-price julian-price added the enhancement New feature or request label Oct 16, 2024
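The manifest above mixes literal values with `$[alfred_ssm_...]` references that CfCT's Alfred Helper resolves from SSM in the management account, and it still contains `<...>` placeholders that have to be filled in before use. The following added example (not code from the issue author, CfCT, or the SHARR project) is a small pre-deployment lint for such manifest entries: it substitutes the `alfred_ssm_` references from a constructed stand-in parameter store, flags any placeholder left in account or region lists, flags references to SSM parameters that do not exist, and checks that every `*Account` parameter resolved to a 12-digit account id. The substitution logic is my reading of the reference syntax as shown in the manifest, not the helper's own implementation, and the SSM values and manifest entries are constructed for the example.

```python
from __future__ import annotations

import re

# Reference syntax as it appears in the issue's manifest, e.g.
# '$[alfred_ssm_/sra/control-tower/audit-account-id]' (assumed form, not CfCT's parser).
ALFRED_RE = re.compile(r"^\$\[alfred_ssm_(?P<name>[^\]]+)\]$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
PLACEHOLDER_RE = re.compile(r"^<.*>$")

# Constructed stand-in for the SSM parameters the SRA creates in the management account.
FAKE_SSM = {
    "/sra/control-tower/organization-id": "o-abc123example",
    "/sra/control-tower/audit-account-id": "111111111111",
}


def resolve_value(value: str, ssm: dict[str, str]) -> str:
    """Substitute an alfred_ssm_ reference from the parameter store; literals pass through."""
    m = ALFRED_RE.match(value)
    if m is None:
        return value
    name = m.group("name")
    if name not in ssm:
        raise ValueError(f"unresolved SSM parameter {name}")
    return ssm[name]


def lint_resource(res: dict, ssm: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Resolve one manifest resource's parameters; return (resolved_params, findings)."""
    name = res.get("name", "<unnamed>")
    findings: list[str] = []
    if "resource_file" not in res:
        findings.append(f"{name}: missing resource_file")
    targets = res.get("deployment_targets", {})
    if not targets.get("accounts") and not targets.get("organizational_units"):
        findings.append(f"{name}: stack_set has no deployment targets")
    # Unfilled '<...>' placeholders copied from a sample manifest must never reach CfCT.
    for value in list(targets.get("accounts", [])) + list(res.get("regions", [])):
        if PLACEHOLDER_RE.match(value):
            findings.append(f"{name}: placeholder left in manifest: {value}")
    resolved: dict[str, str] = {}
    for param in res.get("parameters", []):
        key, raw = param["parameter_key"], param["parameter_value"]
        try:
            resolved[key] = resolve_value(raw, ssm)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        # Parameters naming an admin account must resolve to a 12-digit account id.
        if key.endswith("Account") and not ACCOUNT_ID_RE.match(resolved[key]):
            findings.append(f"{name}: {key} is not an account id: {resolved[key]!r}")
    return resolved, findings


def lint_manifest(resources: list[dict], ssm: dict[str, str]) -> dict:
    """Lint every resource; returns {name: (resolved_params, findings)}."""
    return {r["name"]: lint_resource(r, ssm) for r in resources}


# Constructed entries mirroring the issue's manifest, with one placeholder and one
# misspelled SSM path left in deliberately so the lint has something to report.
SAMPLE_RESOURCES = [
    {
        "name": "aws-sharr-org-shared-key",
        "resource_file": "templates/aws-sharr-org-shared-key.template",
        "parameters": [
            {"parameter_key": "OrganizationId",
             "parameter_value": "$[alfred_ssm_/sra/control-tower/organization-id]"},
        ],
        "deploy_method": "stack_set",
        "deployment_targets": {"accounts": ["Audit"]},
        "regions": ["eu-west-1", "<list each region where the solution is to be deployed to>"],
    },
    {
        "name": "aws-sharr-member-roles",
        "resource_file": "templates/aws-sharr-member-roles.template",
        "parameters": [
            {"parameter_key": "SecHubAdminAccount",
             "parameter_value": "$[alfred_ssm_/sra/control-tower/audit-account-id]"},
        ],
        "deploy_method": "stack_set",
        "deployment_targets": {"organizational_units": ["Root"]},
    },
    {
        "name": "aws-sharr-member",
        "resource_file": "templates/aws-sharr-member.template",
        "parameters": [
            {"parameter_key": "SecHubAdminAccount",
             "parameter_value": "$[alfred_ssm_/sra/control-tower/audit-acount-id]"},  # misspelled path
            {"parameter_key": "LogGroupName",
             "parameter_value": "/Solutions/SO0111/Metrics_LogGroupName"},
        ],
        "deploy_method": "stack_set",
        "deployment_targets": {"organizational_units": ["Root"]},
        "regions": ["eu-west-1"],
    },
]

if __name__ == "__main__":
    for name, (params, findings) in lint_manifest(SAMPLE_RESOURCES, FAKE_SSM).items():
        print(name, params, findings or "OK")
```

Running the script against the sample entries reports the leftover region placeholder on `aws-sharr-org-shared-key` and the unresolvable SSM path on `aws-sharr-member`, while `aws-sharr-member-roles` resolves cleanly to the constructed audit account id. Pointing `FAKE_SSM` at real values read from the management account (for instance via `boto3`'s `ssm.get_parameter`) turns this into a pre-commit check that catches a manifest targeting the wrong account before a StackSet ever rolls out across the Organization.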
@jrgaray27
Member

Hi Julian,
We appreciate the detailed feature request! We will add this to our backlog to evaluate for future enhancement releases.

Thanks.
