Customizations for Control Tower (CfCT) is a controlled means of deploying change (CloudFormation StackSets and SCPs) across a Control Tower landing zone. It supports lifecycle events (e.g. new account creation) as a trigger to ensure that deployments remain synchronised across the entire landing zone.
It is used by many AWS solutions, such as the Security Reference Architecture (SRA) as a means of deploying those solutions, reducing complexity, and providing an audited, automated means of deploying change across a whole Organization.
Describe the feature you'd like
An enhancement for the SHARR solution would be to provide a documented CfCT deployment mechanism for the solution. Below are the manifest.yaml entries I used to perform my deployment of the solution, utilising the #204 enhancement to store a single set of shared KMS keys in the Control Tower audit account.
Note that this solution does not include delegation of the SecurityHub management account, nor does it include deployment of SecurityHub itself. If using the SRA, it provides a mechanism to delegate SecurityHub management to the CT audit account and to deploy the SecurityHub solution there.
The scripts below use the Alfred Helper to read parameter values from SSM parameters which are stored in the management account. It is available as part of the CfCT solution, although the parameters used below are created by the SRA. Even without using the Alfred Helper, the parameters could be provided directly as account IDs.
The resource_file parameter allows for CloudFormation templates to be loaded from https:// or s3:// URLs. While this is how I deployed the solution, those URLs have been removed for brevity below and instead the files are being loaded from the templates/ folder within the CfCT Git repo.
```yaml
  - name: aws-sharr-org-shared-key
    description: Deploy the Automated Security Response on AWS solution shared KMS key to each CT region
    resource_file: templates/aws-sharr-org-shared-key.template
    parameters:
      - parameter_key: 'OrganizationId'
        parameter_value: '$[alfred_ssm_/sra/control-tower/organization-id]'
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - <e.g. audit account name or ID>
    regions:
      - <list each region where the solution is to be deployed to>

  - name: aws-sharr-deploy
    description: Deploy the main SecurityHub solution for the Automated Security Response on AWS. Deployed to
    resource_file: templates/aws-sharr-deploy.template
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - <SecurityHub account name or ID>

  - name: aws-sharr-member-roles
    description: Deploy the member roles for the Automated Security Response on AWS. Deploy to every account, but only to the CT home region
    resource_file: templates/aws-sharr-member-roles.template
    parameters:
      - parameter_key: 'SecHubAdminAccount'
        parameter_value: '$[alfred_ssm_/sra/control-tower/audit-account-id]'
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Root

  - name: aws-sharr-member
    description: Deploy the member solution for the Automated Security Response on AWS to every account and region
    resource_file: templates/aws-sharr-member.template
    parameters:
      - parameter_key: 'SecHubAdminAccount'
        parameter_value: '$[alfred_ssm_/sra/control-tower/audit-account-id]'
      - parameter_key: 'KeyMgmtAdminAccount'
        parameter_value: '$[alfred_ssm_/sra/control-tower/audit-account-id]'
      - parameter_key: 'LogGroupName'
        parameter_value: '/Solutions/SO0111/Metrics_LogGroupName'
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Root
    regions:
      - <list each region where the solution is to be deployed to>
```
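The `$[alfred_ssm_...]` placeholders above are resolved by CfCT at pipeline time, so a typo in an SSM parameter path, or a parameter that the SRA has not yet created, only surfaces once the CodePipeline run fails, and the values that matter most here (`SecHubAdminAccount`, `KeyMgmtAdminAccount`) are the ones that decide which account the member-side resources will trust across the whole Root OU. The following is an added example, not code from this issue, the SHARR solution or the CfCT project: it emulates the Alfred substitution offline against a constructed stand-in for the management-account SSM parameters, so the resolved values can be eyeballed and two failure modes are caught before anything is committed to the pipeline. The manifest is embedded as a Python structure rather than parsed from YAML to keep the example dependency-free; the sample parameter values, the misspelt placeholder used to trigger a finding, and the assumption that the two `*AdminAccount` keys must resolve to 12-digit account IDs are all mine.

```python
"""Offline pre-flight check for CfCT manifest entries that use Alfred SSM placeholders.

Added example, not CfCT's or SHARR's own code. It reproduces the shape of the
`$[alfred_ssm_<parameter-name>]` substitution so resolved parameter values can be
reviewed before the pipeline runs, and flags:
  * a placeholder whose SSM parameter does not exist (the run would fail later), and
  * an account-ID parameter that does not resolve to a 12-digit account ID.
"""
import re

# Placeholder syntax as used in the manifest entries on this page.
ALFRED_SSM = re.compile(r"^\$\[alfred_ssm_(?P<name>[^\]]+)\]$")
ACCOUNT_ID = re.compile(r"^\d{12}$")

# Parameter keys whose values select the account that member resources trust.
# Treating exactly these keys as account IDs is an assumption of this example.
ACCOUNT_ID_KEYS = {"SecHubAdminAccount", "KeyMgmtAdminAccount"}

# Constructed stand-in for the SSM parameters the SRA writes in the management account.
SAMPLE_SSM = {
    "/sra/control-tower/organization-id": "o-exampleorgid",
    "/sra/control-tower/audit-account-id": "222222222222",
}

# Constructed subset of the manifest entries; the second entry deliberately
# references a misspelt parameter path to show how a missing value is reported.
SAMPLE_MANIFEST = [
    {
        "name": "aws-sharr-org-shared-key",
        "resource_file": "templates/aws-sharr-org-shared-key.template",
        "parameters": [
            {"parameter_key": "OrganizationId",
             "parameter_value": "$[alfred_ssm_/sra/control-tower/organization-id]"},
        ],
        "deploy_method": "stack_set",
        "deployment_targets": {"accounts": ["Audit"]},
    },
    {
        "name": "aws-sharr-member-roles",
        "resource_file": "templates/aws-sharr-member-roles.template",
        "parameters": [
            {"parameter_key": "SecHubAdminAccount",
             "parameter_value": "$[alfred_ssm_/sra/control-tower/audit-account]"},  # typo: no such parameter
        ],
        "deploy_method": "stack_set",
        "deployment_targets": {"organizational_units": ["Root"]},
    },
]


def resolve_value(raw, ssm):
    """Return (value, error). Plain values pass through; placeholders are looked up in ssm."""
    m = ALFRED_SSM.match(raw)
    if not m:
        return raw, None
    name = m.group("name")
    if name not in ssm:
        return None, f"SSM parameter {name!r} not found"
    return ssm[name], None


def check_resource(resource, ssm):
    """Resolve one manifest entry's parameters; return (resolved_dict, findings_list)."""
    findings, resolved = [], {}
    for p in resource.get("parameters", []):
        key, raw = p["parameter_key"], p["parameter_value"]
        value, err = resolve_value(raw, ssm)
        if err:
            findings.append(f"{resource['name']}: {key}: {err}")
            continue
        if key in ACCOUNT_ID_KEYS and not ACCOUNT_ID.match(value):
            findings.append(f"{resource['name']}: {key}: {value!r} is not a 12-digit account ID")
        resolved[key] = value
    # A stack_set entry with no accounts and no OUs would deploy nowhere.
    targets = resource.get("deployment_targets", {})
    if resource.get("deploy_method") == "stack_set" and not (
        targets.get("accounts") or targets.get("organizational_units")
    ):
        findings.append(f"{resource['name']}: stack_set has no deployment targets")
    return resolved, findings


def check_manifest(resources, ssm):
    """Run check_resource over every entry; return ({name: resolved}, [findings])."""
    all_resolved, all_findings = {}, []
    for r in resources:
        resolved, findings = check_resource(r, ssm)
        all_resolved[r["name"]] = resolved
        all_findings.extend(findings)
    return all_resolved, all_findings


if __name__ == "__main__":
    resolved, findings = check_manifest(SAMPLE_MANIFEST, SAMPLE_SSM)
    for name, params in resolved.items():
        print(name, params)
    for f in findings:
        print("FINDING:", f)
```

Feed it the real manifest entries (for example by loading manifest.yaml with PyYAML and passing `manifest["resources"]`) and a dictionary built from `ssm get-parameters-by-path` in the management account, and review the resolved `SecHubAdminAccount` and `KeyMgmtAdminAccount` values before the Root-OU stack sets are created.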