Landing Zone Accelerator on AWS - Part Three Modifying
Landing Zone Accelerator - Introduction
Welcome back to the final in our series covering the Landing Zone Accelerator on AWS. In the previous posts I have discussed what the Landing Zone Accelerator is and how to successfully deploy the Landing Zone Accelerator on AWS. In the third part we will discuss how to modify the Landing Zone Accelerator to turn on services and implement your Organisations’ cloud policies such as tagging or budget alerts.
Warning Costs
You are responsible for the cost of the AWS services used while running this solution. As of August 2022, the cost for running this solution using the Landing Zone Accelerator on AWS best practices configuration with AWS Control Tower in the US East (N. Virginia) Region within a test environment with no active workloads is approximately $357.87 per month.
| AWS Service | Cost per month |
|---|---|
| AWS CloudTrail | $4.30 |
| Amazon CloudWatch | $8.56 |
| AWS Config | $24.40 |
| Amazon GuardDuty | $4.27 |
| AWS Key Management Service (AWS KMS) | $110.06 |
| Amazon Macie | $5.50 |
| Amazon Route 53 | $2.00 |
| Amazon Simple Storage Service (Amazon S3) | $1.48 |
| Amazon Virtual Private Cloud (Amazon VPC) | $157.94 |
| AWS Security Hub | $38.97 |
| AWS Secrets Manager | $0.39 |
| Amazon Simple Notification Service (Amazon SNS) | $0.21 |
Landing Zone Previous Steps
In part two of this series we explained how to deploy the Landing Zone Accelerator. Below are the three steps that need to be completed before moving on to modify the configuration files.
-
The AWSAccelerator-Installer pipeline should show a status of Complete.
-
When the AWSAccelerator-Installer pipeline has completed, a new AWSAccelerator-Pipeline pipeline is created that is now In Progress. Refresh the AWS CodePipeline console if the new pipeline is not visible. The AWSAccelerator-Pipeline pipeline will take approximately 45 minutes to complete. This initial deployment will prepare your environment for Landing Zone Accelerator on AWS and deploy a minimal configuration. Resources deployed include AWS CloudFormation custom resources, CloudWatch Logs log groups for the custom resources, AWS KMS keys for encryption at rest, and Amazon S3 buckets for AWS service logging.
-
After completion of the above steps, your environment is ready to modify.
Landing Zone Configuration Files
In AWS CodeCommit you will see a repository called which contains six files that need to be modified with your required settings. Below are the six files as they will appear after the initial CloudFormation and CodePipeline deployment.
Global Config
homeRegion: eu-west-1
enabledRegions:
- eu-west-1
managementAccountAccessRole: AWSControlTowerExecution
cloudwatchLogRetentionInDays: 3653
centralizeCdkBuckets:
enable: true
terminationProtection: true
controlTower:
enable: true
logging:
account: LogArchive
cloudtrail:
enable: false
organizationTrail: false
organizationTrailSettings:
multiRegionTrail: true
globalServiceEvents: true
managementEvents: true
s3DataEvents: true
lambdaDataEvents: true
sendToCloudWatchLogs: true
apiErrorRateInsight: false
apiCallRateInsight: false
accountTrails: []
lifecycleRules: []
sessionManager:
sendToCloudWatchLogs: false
sendToS3: false
excludeRegions: []
excludeAccounts: []
lifecycleRules: []
errors: []
ouIdNames:
- Root
accountNames: []
Organization Config
enable: true
organizationalUnits:
- name: Security
- name: Infrastructure
serviceControlPolicies: []
taggingPolicies: []
backupPolicies: []
errors: []
Accounts Config
mandatoryAccounts:
- name: Management
description: >-
The management (primary) account. Do not change the name field for this
mandatory account. Note, the account name key does not need to match the
AWS account name.
email: example@example.com
organizationalUnit: Root
- name: LogArchive
description: >-
The log archive account. Do not change the name field for this mandatory
account. Note, the account name key does not need to match the AWS account
name.
email: example@example.com
organizationalUnit: Security
- name: Audit
description: >-
The security audit account (also referred to as the audit account). Do not
change the name field for this mandatory account. Note, the account name
key does not need to match the AWS account name.
email: example@example.com
organizationalUnit: Security
workloadAccounts: []
errors: []
ouIdNames:
- Root
IAM Config
providers: []
policySets: []
roleSets: []
groupSets: []
userSets: []
errors: []
ouIdNames:
- Root
accountNames: []
Security Config
centralSecurityServices:
delegatedAdminAccount: Audit
ebsDefaultVolumeEncryption:
enable: false
excludeRegions: []
s3PublicAccessBlock:
enable: false
excludeAccounts: []
snsSubscriptions: []
macie:
enable: false
excludeRegions: []
policyFindingsPublishingFrequency: FIFTEEN_MINUTES
publishSensitiveDataFindings: true
guardduty:
enable: false
excludeRegions: []
s3Protection:
enable: false
excludeRegions: []
exportConfiguration:
enable: false
destinationType: S3
exportFrequency: FIFTEEN_MINUTES
securityHub:
enable: false
regionAggregation: false
excludeRegions: []
standards: []
ssmAutomation:
excludeRegions: []
documentSets: []
accessAnalyzer:
enable: false
iamPasswordPolicy:
allowUsersToChangePassword: true
hardExpiry: false
requireUppercaseCharacters: true
requireLowercaseCharacters: true
requireSymbols: true
requireNumbers: true
minimumPasswordLength: 14
passwordReusePrevention: 24
maxPasswordAge: 90
awsConfig:
enableConfigurationRecorder: true
enableDeliveryChannel: true
ruleSets: []
cloudWatch:
metricSets: []
alarmSets: []
keyManagementService:
keySets: []
errors: []
ssmDocuments: []
ouIdNames:
- Root
accountNames: []
Network Config
defaultVpc:
delete: false
excludeAccounts: []
transitGateways: []
endpointPolicies: []
vpcs: []
vpcFlowLogs:
trafficType: ALL
maxAggregationInterval: 600
destinations:
- s3
- cloud-watch-logs
destinationsConfig:
s3:
lifecycleRules: []
cloudWatchLogs:
retentionInDays: 3653
defaultFormat: false
customFields:
- version
- account-id
- interface-id
- srcaddr
- dstaddr
- srcport
- dstport
- protocol
- packets
- bytes
- start
- end
- action
- log-status
- vpc-id
- subnet-id
- instance-id
- tcp-flags
- type
- pkt-srcaddr
- pkt-dstaddr
- region
- az-id
- pkt-src-aws-service
- pkt-dst-aws-service
- flow-direction
- traffic-path
errors: []
domainLists: []
ouIdNames:
- Root
accountNames: []
Modifying the YAML Files
-
Sign in to the AWS Management Console and navigate to the AWS CodeCommit console. Navigate to the repository named aws-accelerator-configuration. You will be presented with the Landing Zone Accelerator on AWS configuration files.
-
Each configuration file is named based on its purpose in Landing Zone Accelerator on AWS. You need to modify each configuration file to deploy the additional AWS services and infrastructure required. You can use the CodeCommit console or a compatible Git client to manipulate these files. See the appendix for some sample configurations of each file.
-
When finished modifying the configuration files, navigate to the AWS CodePipeline console. Select AWSAccelerator-Pipeline, then Release change. This will kick off a new pipeline instantiation and deploy the configuration changes to your environment.
-
You now need to wait successful completion of the pipeline. If any failures occur, the CodePipeline console displays the failure stage and action in red. To troubleshoot any errors, choose Details on the CodeBuild action to navigate to the failed action. In the CodeBuild console, you can view the Build logs, which will indicate the error encountered during deployment.
Conclusion
At this stage the Landing Zone Accelerator on AWS has been deployed. You have modified the initial deployed configuration with some best practices. This is just the initial building blocks from which you should grow your footprint in AWS. Everything is customisable to meet your requirements. The appendix below has some sample configurations that you can test with. Please see the AWS Solutions page for future updates to this solution. Check back soon for more content and exciting announcement.
Appendix Sample Configuration Files
Global Config
homeRegion: &HOME_REGION us-east-1
enabledRegions:
- *HOME_REGION
managementAccountAccessRole: AWSControlTowerExecution
cloudwatchLogRetentionInDays: 3653
terminationProtection: true
centralizeCdkBuckets:
enable: true
controlTower:
enable: true
logging:
account: LogArchive
cloudtrail:
enable: false
organizationTrail: false
organizationTrailSettings:
multiRegionTrail: true
globalServiceEvents: true
managementEvents: true
s3DataEvents: true
lambdaDataEvents: true
sendToCloudWatchLogs: true
apiErrorRateInsight: false
apiCallRateInsight: false
accountTrails:
- name: AccountTrail
regions:
- *HOME_REGION
deploymentTargets:
accounts: []
organizationalUnits:
- Root
settings:
multiRegionTrail: true
globalServiceEvents: true
managementEvents: true
s3DataEvents: true
lambdaDataEvents: true
sendToCloudWatchLogs: true
apiErrorRateInsight: false
apiCallRateInsight: false
sessionManager:
sendToCloudWatchLogs: false
sendToS3: true
cloudwatchLogs:
dynamicPartitioning: dynamic-partitioning/log-filters.json
reports:
costAndUsageReport:
compression: Parquet
format: Parquet
reportName: accelerator-cur
s3Prefix: cur
timeUnit: DAILY
refreshClosedReports: true
reportVersioning: CREATE_NEW_REPORT
budgets:
- deploymentTargets:
accounts:
- Management
name: accel-budget
timeUnit: MONTHLY
type: COST
amount: 2000
includeUpfront: true
includeTax: true
includeSupport: true
includeSubscription: true
includeRecurring: true
includeOtherSubscription: true
includeDiscount: true
includeCredit: false
includeRefund: false
useBlended: false
useAmortized: false
unit: USD
notifications:
- type: ACTUAL
thresholdType: PERCENTAGE
threshold: 100
comparisonOperator: GREATER_THAN
subscriptionType: EMAIL
address: <budget-notifications>@example.com <----- UPDATE EMAIL ADDRESS
- type: ACTUAL
thresholdType: PERCENTAGE
threshold: 90
comparisonOperator: GREATER_THAN
subscriptionType: EMAIL
address: <budget-notifications>@example.com <----- UPDATE EMAIL ADDRESS
- type: ACTUAL
thresholdType: PERCENTAGE
threshold: 80
comparisonOperator: GREATER_THAN
subscriptionType: EMAIL
address: <budget-notifications>@example.com <----- UPDATE EMAIL ADDRESS
- type: ACTUAL
thresholdType: PERCENTAGE
threshold: 75
comparisonOperator: GREATER_THAN
subscriptionType: EMAIL
address: <budget-notifications>@example.com <----- UPDATE EMAIL ADDRESS
- type: ACTUAL
thresholdType: PERCENTAGE
threshold: 50
comparisonOperator: GREATER_THAN
subscriptionType: EMAIL
address: <budget-notifications>@example.com <----- UPDATE EMAIL ADDRESS
backupVaults:
- name: BackupVault
deploymentTargets:
organizationalUnits:
- Root
Accounts Config
mandatoryAccounts:
# We recommend you do not change mandatory account names. These are used within Landing Zone Accelerator to reference the accounts from other config files.
# The "name" value does not currently support spaces
# The "name" value DOES NOT need to match the account name
- name: Management
description: The management (primary) account. Do not change the name field for this mandatory account. Note, the account name key does not need to match the AWS account name.
email: <management-account>@example.com <----- UPDATE EMAIL ADDRESS
organizationalUnit: Root
- name: LogArchive
description: The log archive account. Do not change the name field for this mandatory account. Note, the account name key does not need to match the AWS account name.
email: <log-archive>@example.com <----- UPDATE EMAIL ADDRESS
organizationalUnit: Security
- name: Audit
description: The security audit account (also referred to as the audit account). Do not change the name field for this mandatory account. Note, the account name key does not need to match the AWS account name.
email: <audit>@example.com <----- UPDATE EMAIL ADDRESS
organizationalUnit: Security
workloadAccounts:
# The "name" will be used to set the AWS Account name
# The "name" value does not currently support spaces
# The "name" value DOES NOT need to match the account name
- name: SharedServices
description: The SharedServices account
email: <shared-services>@example.com <----- UPDATE EMAIL ADDRESS
organizationalUnit: Infrastructure
- name: Network
description: The Network account
email: <network>@example.com <----- UPDATE EMAIL ADDRESS
organizationalUnit: Infrastructure
IAM Config
policySets:
- deploymentTargets:
organizationalUnits:
- Root
policies:
- name: Default-Boundary-Policy
policy: iam-policies/boundary-policy.json
roleSets:
- deploymentTargets:
organizationalUnits:
- Root
roles:
- name: EC2-Default-SSM-AD-Role
instanceProfile: true
assumedBy:
- type: service
principal: ec2.amazonaws.com
policies:
awsManaged:
- AmazonSSMManagedInstanceCore
- AmazonSSMDirectoryServiceAccess
- CloudWatchAgentServerPolicy
boundaryPolicy: Default-Boundary-Policy
# This role is utilized by the Backup Plans defined in global-config.yaml
# We create this role in every account where we plan to have Backup Plans
# and Backup Vaults
- name: Backup-Role
assumedBy:
- type: service
principal: backup.amazonaws.com
policies:
awsManaged:
- service-role/AWSBackupServiceRolePolicyForBackup
- service-role/AWSBackupServiceRolePolicyForRestores
groupSets:
- deploymentTargets:
organizationalUnits:
- Root
groups:
- name: Administrators
policies:
awsManaged:
- AdministratorAccess
userSets:
- deploymentTargets:
accounts:
- Management
users:
- username: breakGlassUser01
group: Administrators
boundaryPolicy: Default-Boundary-Policy
- username: breakGlassUser02
group: Administrators
boundaryPolicy: Default-Boundary-Policy
Organisation Config
# If using AWS Control Tower, ensure that all the specified Organizational Units (OU)
# have been created and enrolled as the accelerator will verify that the OU layout
# matches before continuing to execute the deployment pipeline.
enable: true
organizationalUnits:
- name: Security
- name: Infrastructure
quarantineNewAccounts:
enable: true
scpPolicyName: Quarantine
serviceControlPolicies:
- name: AcceleratorGuardrails1
description: >
Accelerator GuardRails 1
policy: service-control-policies/guardrails-1.json
type: customerManaged
deploymentTargets:
organizationalUnits:
- Infrastructure
- name: AcceleratorGuardrails2
description: >
Accelerator GuardRails 2
policy: service-control-policies/guardrails-2.json
type: customerManaged
deploymentTargets:
organizationalUnits:
- Infrastructure
- name: Quarantine
description: >
This SCP is used to prevent changes to new accounts until the Accelerator
has been executed successfully.
This policy will be applied upon account creation if enabled.
policy: service-control-policies/quarantine.json
type: customerManaged
deploymentTargets:
organizationalUnits: []
taggingPolicies:
- name: TagPolicy
description: Organization Tagging Policy
policy: tagging-policies/org-tag-policy.json
deploymentTargets:
organizationalUnits:
- Root
backupPolicies:
- name: BackupPolicy
description: Organization Backup Policy
policy: backup-policies/backup-plan.json
deploymentTargets:
organizationalUnits:
- Root
Security Config
homeRegion: &HOME_REGION us-east-1
centralSecurityServices:
delegatedAdminAccount: Audit
ebsDefaultVolumeEncryption:
enable: true
excludeRegions: []
s3PublicAccessBlock:
enable: true
excludeAccounts: []
snsSubscriptions:
- level: High
email: <notify-high>@example.com <----- UPDATE EMAIL ADDRESS
- level: Medium
email: <notify-medium>@example.com <----- UPDATE EMAIL ADDRESS
- level: Low
email: <notify-low>@example.com <----- UPDATE EMAIL ADDRESS
macie:
enable: true
excludeRegions: []
policyFindingsPublishingFrequency: FIFTEEN_MINUTES
publishSensitiveDataFindings: true
guardduty:
enable: true
excludeRegions: []
s3Protection:
enable: true
excludeRegions: []
exportConfiguration:
enable: true
destinationType: S3
exportFrequency: FIFTEEN_MINUTES
auditManager:
enable: true
excludeRegions: []
defaultReportsConfiguration:
enable: true
destinationType: S3
detective:
enable: false
excludeRegions: []
securityHub:
enable: true
regionAggregation: true
excludeRegions: []
standards:
- name: AWS Foundational Security Best Practices v1.0.0
enable: true
controlsToDisable:
- IAM.1
- EC2.10
- Lambda.4
- name: PCI DSS v3.2.1
enable: true
controlsToDisable:
- PCI.IAM.3
- PCI.S3.3
- PCI.EC2.3
- PCI.Lambda.2
- name: CIS AWS Foundations Benchmark v1.2.0
enable: true
controlsToDisable:
- CIS.1.20
- CIS.1.22
- CIS.2.6
ssmAutomation:
documentSets:
- shareTargets:
organizationalUnits:
- Root
documents:
# Calls the AWS CLI to enable access logs on a specified ELB
- name: SSM-ELB-Enable-Logging
template: ssm-documents/ssm-elb-enable-logging.yaml
# Enables S3 encryption using KMS
- name: Put-S3-Encryption
template: ssm-documents/s3-encryption.yaml
# Attaches instance profiles to an EC2 instance
- name: Attach-IAM-Instance-Profile
template: ssm-documents/attach-iam-instance-profile.yaml
# Attaches Aws IAM Managed Policy to IAM Role
- name: Attach-IAM-Role-Policy
template: ssm-documents/attach-iam-role-policy.yaml
accessAnalyzer:
enable: true
iamPasswordPolicy:
allowUsersToChangePassword: true
hardExpiry: false
requireUppercaseCharacters: true
requireLowercaseCharacters: true
requireSymbols: true
requireNumbers: true
minimumPasswordLength: 14
passwordReusePrevention: 24
maxPasswordAge: 90
awsConfig:
enableConfigurationRecorder: true
enableDeliveryChannel: true
ruleSets:
- deploymentTargets:
organizationalUnits:
- Root
rules:
- name: accelerator-attach-ec2-instance-profile
type: Custom
description: Custom rule for checking EC2 instance IAM profile attachment
inputParameters:
customRule:
lambda:
sourceFilePath: custom-config-rules/attach-ec2-instance-profile.zip
handler: index.handler
runtime: nodejs14.x
rolePolicyFile: custom-config-rules/attach-ec2-instance-profile-detection-role.json
periodic: true
maximumExecutionFrequency: Six_Hours
configurationChanges: true
triggeringResources:
lookupType: ResourceTypes
lookupKey: ResourceTypes
lookupValue:
- AWS::EC2::Instance
remediation:
rolePolicyFile: custom-config-rules/attach-ec2-instance-profile-remediation-role.json
automatic: true
targetId: Attach-IAM-Instance-Profile
retryAttemptSeconds: 60
maximumAutomaticAttempts: 5
parameters:
- name: InstanceId
value: RESOURCE_ID
type: String
- name: IamInstanceProfile
value: ${ACCEL_LOOKUP::InstanceProfile:EC2-Default-SSM-AD-Role}
type: StringList
- name: accelerator-ec2-instance-profile-permission
type: Custom
description: Custom role to remediate EC2 instance profile permission
inputParameters:
AWSManagedPolicies: AmazonSSMManagedInstanceCore,AmazonSSMDirectoryServiceAccess,CloudWatchAgentServerPolicy
# CustomerManagedPolicies: ${ACCEL_LOOKUP::CustomerManagedPolicy:<POLICY_NAME>},${ACCEL_LOOKUP::CustomerManagedPolicy:<POLICY_NAME>}
ResourceId: RESOURCE_ID
customRule:
lambda:
sourceFilePath: custom-config-rules/ec2-instance-profile-permissions.zip
handler: index.handler
runtime: nodejs14.x
rolePolicyFile: custom-config-rules/ec2-instance-profile-permissions-detection-role.json
periodic: true
maximumExecutionFrequency: Six_Hours
configurationChanges: true
triggeringResources:
lookupType: ResourceTypes
lookupKey: ResourceTypes
lookupValue:
- AWS::IAM::Role
remediation:
rolePolicyFile: custom-config-rules/ec2-instance-profile-permissions-remediation-role.json
automatic: true
targetId: Attach-IAM-Role-Policy
targetAccountName: Audit
retryAttemptSeconds: 60
maximumAutomaticAttempts: 5
parameters:
- name: ResourceId
value: RESOURCE_ID
type: String
- name: AWSManagedPolicies
value: AmazonSSMManagedInstanceCore,AmazonSSMDirectoryServiceAccess,CloudWatchAgentServerPolicy
type: StringList
# - name: CustomerManagedPolicies
# value: ${ACCEL_LOOKUP::CustomerManagedPolicy:policy-00},${ACCEL_LOOKUP::CustomerManagedPolicy:policy-01}
# type: StringList
- name: accelerator-s3-bucket-server-side-encryption-enabled
identifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
complianceResourceTypes:
- AWS::S3::Bucket
remediation:
rolePolicyFile: custom-config-rules/bucket-sse-enabled-remediation-role.json
automatic: true
targetId: Put-S3-Encryption
retryAttemptSeconds: 60
maximumAutomaticAttempts: 5
parameters:
- name: BucketName
value: RESOURCE_ID
type: String
- name: KMSMasterKey
value: ${ACCEL_LOOKUP::KMS}
type: StringList
- name: accelerator-elb-logging-enabled
identifier: ELB_LOGGING_ENABLED
complianceResourceTypes:
- AWS::ElasticLoadBalancing::LoadBalancer
- AWS::ElasticLoadBalancingV2::LoadBalancer
inputParameters:
s3BucketNames: ${ACCEL_LOOKUP::Bucket:elbLogs}
remediation:
rolePolicyFile: custom-config-rules/elb-logging-enabled-remediation-role.json
automatic: true
targetId: SSM-ELB-Enable-Logging
retryAttemptSeconds: 60
maximumAutomaticAttempts: 5
parameters:
- name: LoadBalancerArn
value: RESOURCE_ID
type: String
- name: LogDestination
value: ${ACCEL_LOOKUP::Bucket:elbLogs}
type: StringList
- name: accelerator-iam-user-group-membership-check
complianceResourceTypes:
- AWS::IAM::User
identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
- name: accelerator-securityhub-enabled
identifier: SECURITYHUB_ENABLED
- name: accelerator-cloudtrail-enabled
identifier: CLOUD_TRAIL_ENABLED
- name: accelerator-rds-logging-enabled
complianceResourceTypes:
- AWS::RDS::DBInstance
identifier: RDS_LOGGING_ENABLED
- name: accelerator-cloudwatch-alarm-action-check
complianceResourceTypes:
- AWS::CloudWatch::Alarm
inputParameters:
alarmActionRequired: "TRUE"
insufficientDataActionRequired: "TRUE"
okActionRequired: "FALSE"
identifier: CLOUDWATCH_ALARM_ACTION_CHECK
- name: accelerator-redshift-cluster-configuration-check
inputParameters:
clusterDbEncrypted: "TRUE"
loggingEnabled: "TRUE"
complianceResourceTypes:
- AWS::Redshift::Cluster
identifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
- name: accelerator-cloudtrail-s3-dataevents-enabled
identifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
- name: accelerator-emr-kerberos-enabled
identifier: EMR_KERBEROS_ENABLED
- name: accelerator-iam-group-has-users-check
complianceResourceTypes:
- AWS::IAM::Group
identifier: IAM_GROUP_HAS_USERS_CHECK
- name: accelerator-s3-bucket-policy-grantee-check
complianceResourceTypes:
- AWS::S3::Bucket
identifier: S3_BUCKET_POLICY_GRANTEE_CHECK
- name: accelerator-lambda-inside-vpc
complianceResourceTypes:
- AWS::Lambda::Function
identifier: LAMBDA_INSIDE_VPC
- name: accelerator-ec2-instances-in-vpc
complianceResourceTypes:
- AWS::EC2::Instance
identifier: INSTANCES_IN_VPC
- name: accelerator-vpc-sg-open-only-to-authorized-ports
inputParameters:
authorizedTcpPorts: "443"
authorizedUdpPorts: "1020-1025"
complianceResourceTypes:
- AWS::EC2::SecurityGroup
identifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
- name: accelerator-ec2-instance-no-public-ip
complianceResourceTypes:
- AWS::EC2::Instance
identifier: EC2_INSTANCE_NO_PUBLIC_IP
- name: accelerator-elasticsearch-in-vpc-only
identifier: ELASTICSEARCH_IN_VPC_ONLY
- name: accelerator-internet-gateway-authorized-vpc-only
complianceResourceTypes:
- AWS::EC2::InternetGateway
identifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
- name: accelerator-iam-no-inline-policy-check
complianceResourceTypes:
- AWS::IAM::User
- AWS::IAM::Role
- AWS::IAM::Group
identifier: IAM_NO_INLINE_POLICY_CHECK
- name: accelerator-elb-acm-certificate-required
complianceResourceTypes:
- AWS::ElasticLoadBalancing::LoadBalancer
identifier: ELB_ACM_CERTIFICATE_REQUIRED
- name: accelerator-alb-http-drop-invalid-header-enabled
complianceResourceTypes:
- AWS::ElasticLoadBalancingV2::LoadBalancer
identifier: ALB_HTTP_DROP_INVALID_HEADER_ENABLED
- name: accelerator-elb-tls-https-listeners-only
complianceResourceTypes:
- AWS::ElasticLoadBalancing::LoadBalancer
identifier: ELB_TLS_HTTPS_LISTENERS_ONLY
- name: accelerator-api-gw-execution-logging-enabled
complianceResourceTypes:
- AWS::ApiGateway::Stage
- AWS::ApiGatewayV2::Stage
identifier: API_GW_EXECUTION_LOGGING_ENABLED
- name: accelerator-cloudwatch-log-group-encrypted
identifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
- name: accelerator-s3-bucket-replication-enabled
complianceResourceTypes:
- AWS::S3::Bucket
identifier: S3_BUCKET_REPLICATION_ENABLED
- name: accelerator-cw-loggroup-retention-period-check
identifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK
- name: accelerator-ec2-instance-detailed-monitoring-enabled
complianceResourceTypes:
- AWS::EC2::Instance
identifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED
- name: accelerator-ec2-volume-inuse-check
inputParameters:
deleteOnTermination: "TRUE"
complianceResourceTypes:
- AWS::EC2::Volume
identifier: EC2_VOLUME_INUSE_CHECK
- name: accelerator-elb-deletion-protection-enabled
complianceResourceTypes:
- AWS::ElasticLoadBalancingV2::LoadBalancer
identifier: ELB_DELETION_PROTECTION_ENABLED
- name: accelerator-cloudtrail-security-trail-enabled
identifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED
- name: accelerator-elasticache-redis-cluster-automatic-backup-check
identifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
- name: accelerator-s3-bucket-versioning-enabled
complianceResourceTypes:
- AWS::S3::Bucket
identifier: S3_BUCKET_VERSIONING_ENABLED
- name: accelerator-vpc-vpn-2-tunnels-up
complianceResourceTypes:
- AWS::EC2::VPNConnection
identifier: VPC_VPN_2_TUNNELS_UP
- name: accelerator-elb-cross-zone-load-balancing-enabled
complianceResourceTypes:
- AWS::ElasticLoadBalancing::LoadBalancer
identifier: ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED
- name: accelerator-iam-user-mfa-enabled
identifier: IAM_USER_MFA_ENABLED
- name: accelerator-guardduty-non-archived-findings
inputParameters:
daysHighSev: "1"
daysLowSev: "30"
daysMediumSev: "7"
identifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
- name: accelerator-elasticsearch-node-to-node-encryption-check
complianceResourceTypes:
- AWS::Elasticsearch::Domain
identifier: ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
- name: accelerator-kms-cmk-not-scheduled-for-deletion
complianceResourceTypes:
- AWS::KMS::Key
identifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
- name: accelerator-api-gw-cache-enabled-and-encrypted
complianceResourceTypes:
- AWS::ApiGateway::Stage
identifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED
- name: accelerator-sagemaker-endpoint-configuration-kms-key-configured
identifier: SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED
- name: accelerator-sagemaker-notebook-instance-kms-key-configured
identifier: SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED
- name: accelerator-dynamodb-table-encrypted-kms
complianceResourceTypes:
- AWS::DynamoDB::Table
identifier: DYNAMODB_TABLE_ENCRYPTED_KMS
- name: accelerator-s3-bucket-default-lock-enabled
complianceResourceTypes:
- AWS::S3::Bucket
identifier: S3_BUCKET_DEFAULT_LOCK_ENABLED
cloudWatch:
metricSets:
- regions:
- *HOME_REGION
#####################################
# With landing zone version 3.0, AWS Control Tower now supports organization-level AWS CloudTrail trails. #
# Going forward from landing zone 3.0, AWS Control Tower no longer will support account-level trails that AWS manages. #
# If your environment runs on prior version (3.0) of landing zone, you can change deployment targets for the metrics to Root organizational units #
# Metrics deployment target should be management account for environment with landing zone version 3.0 #
# Please refer https://docs.aws.amazon.com/controltower/latest/userguide/2022-all.html#version-3.0 for more information #
#####################################
deploymentTargets:
accounts:
- Management
metrics:
# CIS 1.1 – Avoid the use of the "root" account
- filterName: RootAccountMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}'
metricNamespace: LogMetrics
metricName: RootAccount
metricValue: "1"
# CIS 3.1 – Ensure a log metric filter and alarm exist for unauthorized API calls
- filterName: UnauthorizedAPICallsMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: '{($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}'
metricNamespace: LogMetrics
metricName: UnauthorizedAPICalls
metricValue: "1"
# CIS 3.2 – Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- filterName: ConsoleSigninWithoutMFAMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: '{($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success")}'
metricNamespace: LogMetrics
metricName: ConsoleSigninWithoutMFA
metricValue: "1"
# CIS 3.3 – Ensure a log metric filter and alarm exist for usage of "root" account
- filterName: MetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: '{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}'
metricNamespace: LogMetrics
metricName: RootAccountUsage
metricValue: "1"
# CIS 3.4 – Ensure a log metric filter and alarm exist for IAM policy changes
- filterName: IAMPolicyChangesMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: "{($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)}"
metricNamespace: LogMetrics
metricName: IAMPolicyChanges
metricValue: "1"
# CIS 3.5 – Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- filterName: CloudTrailChangesMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: "{($.eventName=CreateTrail) || ($.eventName=UpdateTrail) || ($.eventName=DeleteTrail) || ($.eventName=StartLogging) || ($.eventName=StopLogging)}"
metricNamespace: LogMetrics
metricName: CloudTrailChanges
metricValue: "1"
# CIS 3.6 – Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- filterName: ConsoleAuthenticationFailureMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: '{($.eventName=ConsoleLogin) && ($.errorMessage="Failed authentication")}'
metricNamespace: LogMetrics
metricName: ConsoleAuthenticationFailure
metricValue: "1"
# CIS 3.7 – Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- filterName: DisableOrDeleteCMKMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}"
metricNamespace: LogMetrics
metricName: DisableOrDeleteCMK
metricValue: "1"
# CIS 3.8 – Ensure a log metric filter and alarm exist for S3 bucket policy changes
- filterName: S3BucketPolicyChangesMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}"
metricNamespace: LogMetrics
metricName: S3BucketPolicyChanges
metricValue: "1"
# CIS 3.9 – Ensure a log metric filter and alarm exist for AWS Config configuration changes
- filterName: AWSConfigChangesMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}"
metricNamespace: LogMetrics
metricName: AWSConfigChanges
metricValue: "1"
# CIS 3.10 – Ensure a log metric filter and alarm exist for security group changes
- filterName: SecurityGroupChangesMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: "{($.eventName=AuthorizeSecurityGroupIngress) || ($.eventName=AuthorizeSecurityGroupEgress) || ($.eventName=RevokeSecurityGroupIngress) || ($.eventName=RevokeSecurityGroupEgress) || ($.eventName=CreateSecurityGroup) || ($.eventName=DeleteSecurityGroup)}"
metricNamespace: LogMetrics
metricName: SecurityGroupChanges
metricValue: "1"
# CIS 3.11 – Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- filterName: NetworkACLChangesMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: "{($.eventName=CreateNetworkAcl) || ($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) || ($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) || ($.eventName=ReplaceNetworkAclAssociation)}"
metricNamespace: LogMetrics
metricName: NetworkACLChanges
metricValue: "1"
# CIS 3.12 – Ensure a log metric filter and alarm exist for changes to network gateways
- filterName: NetworkGatewayChangesMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: "{($.eventName=CreateCustomerGateway) || ($.eventName=DeleteCustomerGateway) || ($.eventName=AttachInternetGateway) || ($.eventName=CreateInternetGateway) || ($.eventName=DeleteInternetGateway) || ($.eventName=DetachInternetGateway)}"
metricNamespace: LogMetrics
metricName: NetworkGatewayChanges
metricValue: "1"
# CIS 3.13 – Ensure a log metric filter and alarm exist for route table changes
- filterName: RouteTableChangesMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: "{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}"
metricNamespace: LogMetrics
metricName: RouteTableChanges
metricValue: "1"
# CIS 3.14 – Ensure a log metric filter and alarm exist for VPC changes
- filterName: VPCChangesMetricFilter
logGroupName: aws-controltower/CloudTrailLogs
filterPattern: "{($.eventName=CreateVpc) || ($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || ($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || ($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || ($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || ($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}"
metricNamespace: LogMetrics
metricName: VPCChanges
metricValue: "1"
alarmSets:
- regions:
- *HOME_REGION
#####################################
# With landing zone version 3.0, AWS Control Tower now supports organization-level AWS CloudTrail trails. #
# Going forward from landing zone 3.0, AWS Control Tower no longer will support account-level trails that AWS manages. #
# If your environment runs on prior version (3.0) of landing zone, you can change deployment targets for the metrics to Root organizational units #
# Metrics deployment target should be management account for environment with landing zone version 3.0 #
# Please refer https://docs.aws.amazon.com/controltower/latest/userguide/2022-all.html#version-3.0 for more information #
#####################################
deploymentTargets:
accounts:
- Management
alarms:
# CIS 1.1 – Avoid the use of the "root" account
- alarmName: CIS-1.1-RootAccountUsage
alarmDescription: Alarm for usage of "root" account
snsAlertLevel: Low
metricName: RootAccountUsage
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 3.1 – Ensure a log metric filter and alarm exist for unauthorized API calls
- alarmName: CIS-3.1-UnauthorizedAPICalls
alarmDescription: Alarm for unauthorized API calls
snsAlertLevel: Low
metricName: UnauthorizedAPICalls
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Average
threshold: 5
treatMissingData: notBreaching
# CIS 3.2 – Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- alarmName: CIS-3.2-ConsoleSigninWithoutMFA
alarmDescription: Alarm for AWS Management Console sign-in without MFA
snsAlertLevel: Low
metricName: ConsoleSigninWithoutMFA
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 3.3 – Ensure a log metric filter and alarm exist for usage of "root" account
- alarmName: CIS-3.3-RootAccountUsage
alarmDescription: Alarm for usage of "root" account
snsAlertLevel: Low
metricName: RootAccountUsage
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 3.4 – Ensure a log metric filter and alarm exist for IAM policy changes
- alarmName: CIS-3.4-IAMPolicyChanges
alarmDescription: Alarm for IAM policy changes
snsAlertLevel: Low
metricName: IAMPolicyChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Average
threshold: 1
treatMissingData: notBreaching
# CIS 3.5 – Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- alarmName: CIS-3.5-CloudTrailChanges
alarmDescription: Alarm for CloudTrail configuration changes
snsAlertLevel: Low
metricName: CloudTrailChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 3.6 – Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- alarmName: CIS-3.6-ConsoleAuthenticationFailure
alarmDescription: Alarm exist for AWS Management Console authentication failures
snsAlertLevel: Low
metricName: ConsoleAuthenticationFailure
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 3.7 – Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- alarmName: CIS-3.7-DisableOrDeleteCMK
alarmDescription: Alarm for disabling or scheduled deletion of customer created CMKs
snsAlertLevel: Low
metricName: DisableOrDeleteCMK
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 3.8 – Ensure a log metric filter and alarm exist for S3 bucket policy changes
- alarmName: CIS-3.8-S3BucketPolicyChanges.
alarmDescription: Alarm for S3 bucket policy changes
snsAlertLevel: Low
metricName: S3BucketPolicyChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Average
threshold: 1
treatMissingData: notBreaching
# CIS 3.9 – Ensure a log metric filter and alarm exist for AWS Config configuration changes
- alarmName: CIS-3.9-AWSConfigChanges
alarmDescription: Alarm for AWS Config configuration changes
snsAlertLevel: Low
metricName: AWSConfigChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 3.10 – Ensure a log metric filter and alarm exist for security group changes
- alarmName: CIS-3.10-SecurityGroupChanges
alarmDescription: Alarm for security group changes
snsAlertLevel: Low
metricName: SecurityGroupChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 3.11 – Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- alarmName: CIS-3.11-NetworkACLChanges
alarmDescription: Alarm for changes to Network Access Control Lists (NACL)
snsAlertLevel: Low
metricName: NetworkACLChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 3.12 – Ensure a log metric filter and alarm exist for changes to network gateways
- alarmName: CIS-3.12-NetworkGatewayChanges
alarmDescription: Alarm for changes to network gateways
snsAlertLevel: Low
metricName: NetworkGatewayChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
# CIS 3.13 – Ensure a log metric filter and alarm exist for route table changes
- alarmName: CIS-3.13-RouteTableChanges
alarmDescription: Alarm for route table changes
snsAlertLevel: Low
metricName: RouteTableChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Average
threshold: 1
treatMissingData: notBreaching
# CIS 3.14 – Ensure a log metric filter and alarm exist for VPC changes
- alarmName: CIS-3.14-VPCChanges
alarmDescription: Alarm for VPC changes
snsAlertLevel: Low
metricName: VPCChanges
namespace: LogMetrics
comparisonOperator: GreaterThanOrEqualToThreshold
evaluationPeriods: 1
period: 300
statistic: Sum
threshold: 1
treatMissingData: notBreaching
Network Config
homeRegion: &HOME_REGION us-east-1
#####################################
# Delete default VPCs-- use this #
# object to delete default VPCs in #
# any non-excluded accounts #
#####################################
defaultVpc:
delete: true
excludeAccounts: []
#####################################
# Transit Gateways-- use this object #
# to deploy transit gateways #
#####################################
transitGateways:
- name: Network-Main
account: Network
region: *HOME_REGION
shareTargets:
organizationalUnits:
- Infrastructure
asn: 65521
dnsSupport: enable
vpnEcmpSupport: enable
defaultRouteTableAssociation: disable
defaultRouteTablePropagation: disable
autoAcceptSharingAttachments: enable
routeTables:
- name: Network-Main-Core
routes: []
# Use routes to define static routes for TGW route tables.
# - destinationCidrBlock: 10.100.0.0/16
# attachment:
# vpcName: Network-Endpoints
# account: Network
# - destinationCidrBlock: 10.200.0.0/16
# attachment:
# directConnectGatewayName: Network-DXGW
# - destinationCidrBlock: 1.1.1.1/32
# blackhole: true
# - destinationPrefixList: accelerator-prefix-list
# attachment:
# vpcName: Network-Endpoints
# account: Network
- name: Network-Main-Segregated
routes: []
- name: Network-Main-Shared
routes: []
- name: Network-Main-Standalone
routes: []
#####################################
# DHCP options -- use this object #
# to define DHCP options sets to use #
# for VPCs. #
#####################################
# dhcpOptions:
# - name: accelerator-dhcp-opts
# accounts:
# - Network
# regions:
# - *HOME_REGION
# domainName: example.com
# domainNameServers:
# - 1.1.1.1
# - 2.2.2.2
# netbiosNameServers:
# - 1.1.1.1
# - 2.2.2.2
# netbiosNodeType: 2
# ntpServers:
# - 1.1.1.1
# - 2.2.2.2
#####################################
# Central network services -- use #
# this object to define a delegated #
# admin account and configure #
# advanced networking services #
#####################################
# centralNetworkServices:
# delegatedAdminAccount: Network
# ipams:
# - name: accelerator-ipam
# region: *HOME_REGION
# description: Accelerator IPAM
# operatingRegions:
# - *HOME_REGION
# - us-west-2
# pools:
# - name: &BASE_POOL base-pool
# description: accelerator-base
# provisionedCidrs:
# - 10.0.0.0/8
# - 172.16.0.0/12
# - 192.168.0.0/16
# - name: home-region-pool
# description: Pool for us-east-1
# locale: *HOME_REGION
# provisionedCidrs:
# - 10.0.0.0/16
# sourceIpamPool: *BASE_POOL
# - name: home-region-prod-pool
# description: Pool for prod environment
# allocationResourceTags:
# - key: env
# value: prod
# locale: *HOME_REGION
# provisionedCidrs:
# - 10.0.0.0/24
# shareTargets:
# organizationalUnits:
# - Infrastructure
# sourceIpamPool: home-region-pool
# - name: west-region-pool
# description: Pool for us-west-2
# locale: us-west-2
# provisionedCidrs:
# - 10.1.0.0/16
# sourceIpamPool: *BASE_POOL
#
# networkFirewall:
# firewalls:
# - name: accelerator-firewall
# region: *HOME_REGION
# firewallPolicy: accelerator-policy
# subnets:
# - Network-Inspection-Firewall-A
# - Network-Inspection-Firewall-B
# vpc: Network-Inspection
# loggingConfiguration:
# - destination: s3
# type: ALERT
# - destination: cloud-watch-logs
# type: FLOW
# policies:
# - name: accelerator-policy
# regions:
# - *HOME_REGION
# firewallPolicy:
# statelessDefaultActions: ['aws:forward_to_sfe']
# statelessFragmentDefaultActions: ['aws:forward_to_sfe']
# statefulRuleGroups:
# - name: accelerator-rule-group
# - name: domain-list-group
# shareTargets:
# organizationalUnits:
# - Infrastructure
# rules:
# - name: accelerator-rule-group
# regions:
# - *HOME_REGION
# capacity: 100
# type: STATEFUL
# ruleGroup:
# rulesSource:
# statefulRules:
# - action: PASS
# header:
# destination: 10.0.0.0/16
# destinationPort: ANY
# direction: FORWARD
# protocol: IP
# source: 10.1.0.0/16
# sourcePort: ANY
# ruleOptions:
# - keyword: sid
# settings: ['100']
# - action: DROP
# header:
# destination: ANY
# destinationPort: ANY
# direction: ANY
# protocol: IP
# source: ANY
# sourcePort: ANY
# ruleOptions:
# - keyword: sid
# settings: ['101']
# - action: ALERT
# header:
# destination: 1.1.1.1/32
# destinationPort: '80'
# direction: FORWARD
# protocol: TCP
# source: ANY
# sourcePort: ANY
# ruleOptions:
# - keyword: msg
# settings: ['"example message"']
# - keyword: sid
# settings: ['102']
# - name: domain-list-group
# regions:
# - *HOME_REGION
# capacity: 10
# type: STATEFUL
# ruleGroup:
# rulesSource:
# rulesSourceList:
# generatedRulesType: DENYLIST
# targets: ['.example.com']
# targetTypes: ['TLS_SNI', 'HTTP_HOST']
# ruleVariables:
# ipSets:
# name: HOME_NET
# definition:
# - 10.0.0.0/16
# - 10.1.0.0/16
# portSets:
# name: HOME_NET
# definition:
# - '80'
# - '443'
#
# gatewayLoadBalancers:
# - name: Accelerator-GWLB
# subnets:
# - Network-Inspection-A
# - Network-Inspection-B
# vpc: Network-Inspection
# deletionProtection: true
# endpoints:
# - name: Endpoint-A
# account: Network
# subnet: Network-Inspection-A
# vpc: Network-Inspection
# - name: Endpoint-B
# account: Network
# subnet: Network-Inspection-B
# vpc: Network-Inspection
#
# route53Resolver:
# endpoints:
# - name: accelerator-inbound
# type: INBOUND
# vpc: Network-Endpoints
# subnets:
# - Network-Endpoints-A
# - Network-Endpoints-B
# - name: accelerator-outbound
# type: OUTBOUND
# vpc: Network-Endpoints
# subnets:
# - Network-Endpoints-A
# - Network-Endpoints-B
# rules:
# - name: example-rule
# domainName: example.com
# targetIps:
# - ip: 1.1.1.1
# port: '5353' # only include if targeting a non-standard DNS port
# - ip: 2.2.2.2
# shareTargets:
# organizationalUnits:
# - Infrastructure
# - name: inbound-target-rule
# domainName: aws.internal.domain
# inboundEndpointTarget: accelerator-inbound # This endpoint must be listed in the configuration before the outbound endpoint
# queryLogs:
# name: accelerator-query-logs
# destinations:
# - s3
# - cloud-watch-logs
# shareTargets:
# organizationalUnits:
# - Infrastructure
# firewallRuleGroups:
# - name: accelerator-block-group
# regions:
# - *HOME_REGION
# rules:
# - name: nxdomain-block-rule
# action: BLOCK
# customDomainList: dns-firewall-domain-lists/domain-list-1.txt
# priority: 100
# blockResponse: NXDOMAIN
# - name: override-block-rule
# action: BLOCK
# customDomainList: dns-firewall-domain-lists/domain-list-2.txt
# priority: 200
# blockResponse: OVERRIDE
# blockOverrideDomain: amazon.com
# blockOverrideTtl: 3600
# - name: managed-rule
# action: BLOCK
# managedDomainList: AWSManagedDomainsBotnetCommandandControl
# priority: 300
# blockResponse: NODATA
# shareTargets:
# organizationalUnits:
# - Infrastructure
#####################################
# Prefix lists -- use this object to #
# deploy prefix lists to be used for #
# security groups, subnet routes, #
# and/or TGW static routes #
#####################################
# prefixLists:
# - name: accelerator-prefix-list
# accounts:
# - Network
# regions:
# - *HOME_REGION
# addressFamily: 'IPv4'
# maxEntries: 1
# entries:
# - 10.1.0.1/32
#####################################
# Endpoint policies -- use this #
# object to define standard policies #
# for VPC endpoints #
#####################################
endpointPolicies:
- name: Default
document: vpc-endpoint-policies/default.json
- name: Ec2
document: vpc-endpoint-policies/ec2.json
#####################################
# VPC templates -- use this object #
# to deploy standard VPCs across #
# multiple accounts/OUs #
#####################################
# vpcTemplates:
# - name: Accelerator-Template
# region: *HOME_REGION
# deploymentTargets:
# organizationalUnits:
# - Infrastructure
# ipamAllocations:
# - ipamPoolName: home-region-prod-pool
# netmaskLength: 25
# internetGateway: false
# enableDnsHostnames: true
# enableDnsSupport: true
# instanceTenancy: default
# routeTables:
# - name: Accelerator-Template-Tgw-A
# routes: []
# - name: Accelerator-Template-Tgw-B
# routes: []
# - name: Accelerator-Template-A
# routes:
# - name: TgwRoute
# destination: 0.0.0.0/0
# type: transitGateway
# target: Network-Main
# - name: Accelerator-Template-B
# routes:
# - name: TgwRoute
# destination: 0.0.0.0/0
# type: transitGateway
# target: Network-Main
# subnets:
# - name: Accelerator-Template-A
# availabilityZone: a
# routeTable: Accelerator-Template-A
# ipamAllocation:
# ipamPoolName: home-region-prod-pool
# netmaskLength: 27
# - name: Accelerator-Template-B
# availabilityZone: b
# routeTable: Accelerator-Template-B
# ipamAllocation:
# ipamPoolName: home-region-prod-pool
# netmaskLength: 27
# - name: Accelerator-TemplateTgwAttach-A
# availabilityZone: a
# routeTable: Accelerator-Template-Tgw-A
# ipamAllocation:
# ipamPoolName: home-region-prod-pool
# netmaskLength: 27
# - name: Accelerator-TemplateTgwAttach-B
# availabilityZone: b
# routeTable: Accelerator-Template-Tgw-B
# ipamAllocation:
# ipamPoolName: home-region-prod-pool
# netmaskLength: 27
# transitGatewayAttachments:
# - name: Accelerator-Template
# transitGateway:
# name: Network-Main
# account: Network
# routeTableAssociations:
# - Network-Main-Shared
# routeTablePropagations:
# - Network-Main-Core
# - Network-Main-Shared
# - Network-Main-Segregated
# subnets:
# - Accelerator-TemplateTgwAttach-A
# - Accelerator-TemplateTgwAttach-B
# tags:
# - key: env
# value: prod
#####################################
# VPCs-- use this object to deploy #
# a VPC in a single account and #
# region. #
#####################################
vpcs:
- name: Network-Endpoints
account: Network
region: *HOME_REGION
cidrs:
- 10.1.0.0/22
# ipamAllocations:
# - ipamPoolName: home-region-prod-pool
# netmaskLength: 25
internetGateway: false
# dhcpOptions: accelerator-dhcp-opts
enableDnsHostnames: true
enableDnsSupport: true
instanceTenancy: default
# dnsFirewallRuleGroups:
# - name: accelerator-block-group
# priority: 101
# queryLogs:
# - accelerator-query-logs
# resolverRules:
# - example-rule
routeTables:
- name: Network-Endpoints-Tgw-A
routes: []
- name: Network-Endpoints-Tgw-B
routes: []
- name: Network-Endpoints-A
routes:
- name: TgwRoute
destination: 0.0.0.0/0
type: transitGateway
target: Network-Main
- name: S3Gateway
type: gatewayEndpoint
target: s3
- name: DynamoDBGateway
type: gatewayEndpoint
target: dynamodb
# - name: PlRoute
# destinationPrefixList: accelerator-prefix-list
# type: transitGateway
# target: Network-Main
- name: Network-Endpoints-B
routes:
- name: TgwRoute
destination: 0.0.0.0/0
type: transitGateway
target: Network-Main
- name: S3Gateway
type: gatewayEndpoint
target: s3
- name: DynamoDBGateway
type: gatewayEndpoint
target: dynamodb
# - name: PlRoute
# destinationPrefixList: accelerator-prefix-list
# type: transitGateway
# target: Network-Main
subnets:
- name: Network-Endpoints-A
availabilityZone: a
routeTable: Network-Endpoints-A
ipv4CidrBlock: 10.1.0.0/24
# ipamAllocation:
# ipamPoolName: home-region-prod-pool
# netmaskLength: 27
- name: Network-Endpoints-B
availabilityZone: b
routeTable: Network-Endpoints-B
ipv4CidrBlock: 10.1.1.0/24
- name: Network-EndpointsTgwAttach-A
availabilityZone: a
routeTable: Network-Endpoints-Tgw-A
ipv4CidrBlock: 10.1.3.208/28
- name: Network-EndpointsTgwAttach-B
availabilityZone: b
routeTable: Network-Endpoints-Tgw-B
ipv4CidrBlock: 10.1.3.224/28
transitGatewayAttachments:
- name: Network-Endpoints
transitGateway:
name: Network-Main
account: Network
routeTableAssociations:
- Network-Main-Shared
routeTablePropagations:
- Network-Main-Core
- Network-Main-Shared
- Network-Main-Segregated
subnets:
- Network-EndpointsTgwAttach-A
- Network-EndpointsTgwAttach-B
gatewayEndpoints:
defaultPolicy: Default
endpoints:
- service: s3
- service: dynamodb
interfaceEndpoints:
central: true
defaultPolicy: Default
subnets:
- Network-Endpoints-A
- Network-Endpoints-B
endpoints:
- service: ec2
- service: ec2messages
- service: ssm
- service: ssmmessages
- service: kms
- service: logs
# - service: secretsmanager
# - service: cloudformation
# - service: access-analyzer
# - service: application-autoscaling
# - service: appmesh-envoy-management
# - service: athena
# - service: autoscaling
# - service: autoscaling-plans
# - service: clouddirectory
# - service: cloudtrail
# - service: codebuild
# - service: codecommit
# - service: codepipeline
# - service: config
# - service: datasync
# - service: ecr.dkr
# - service: ecs
# - service: ecs-agent
# - service: ecs-telemetry
# - service: elasticfilesystem
# - service: elasticloadbalancing
# - service: elasticmapreduce
# - service: events
# - service: execute-api
# - service: git-codecommit
# - service: glue
# - service: kinesis-streams
# - service: kms
# - service: logs
# - service: monitoring
# - service: sagemaker.api
# - service: sagemaker.runtime
# - service: servicecatalog
# - service: sms
# - service: sns
# - service: sqs
# - service: storagegateway
# - service: sts
# - service: transfer
# - service: workspaces
# - service: awsconnector
# - service: ecr.api
# - service: kinesis-firehose
# - service: states
# - service: acm-pca
# - service: cassandra
# - service: ebs
# - service: elasticbeanstalk
# - service: elasticbeanstalk-health
# - service: email-smtp
# - service: license-manager
# - service: macie2
# - service: notebook
# - service: synthetics
# - service: transfer.server
- name: Network-Inspection
account: Network
region: *HOME_REGION
cidrs:
- 10.2.0.0/22
routeTables:
- name: Network-Inspection-Tgw-A
routes: []
- name: Network-Inspection-Tgw-B
routes: []
- name: Network-Inspection-A
routes:
- name: TgwRoute
destination: 0.0.0.0/0
type: transitGateway
target: Network-Main
- name: S3Gateway
type: gatewayEndpoint
target: s3
- name: DynamoDBGateway
type: gatewayEndpoint
target: dynamodb
- name: Network-Inspection-B
routes:
- name: TgwRoute
destination: 0.0.0.0/0
type: transitGateway
target: Network-Main
- name: S3Gateway
type: gatewayEndpoint
target: s3
- name: DynamoDBGateway
type: gatewayEndpoint
target: dynamodb
# - name: Network-Inspection-Tgw-A
# routes:
# - name: NfwRoute
# destination: 0.0.0.0/0
# type: networkFirewall
# target: accelerator-firewall
# targetAvailabilityZone: a
# - name: GwlbRoute
# destination: 0.0.0.0/0
# type: gatewayLoadBalancerEndpoint
# target: Endpoint-A
# - name: Network-Inspection-Tgw-B
# routes:
# - name: NfwRoute
# destination: 0.0.0.0/0
# type: networkFirewall
# target: accelerator-firewall
# targetAvailabilityZone: b
# - name: GwlbRoute
# destination: 0.0.0.0/0
# type: gatewayLoadBalancerEndpoint
# target: Endpoint-B
subnets:
- name: Network-Inspection-A
availabilityZone: a
routeTable: Network-Inspection-A
ipv4CidrBlock: 10.2.0.0/24
- name: Network-Inspection-B
availabilityZone: b
routeTable: Network-Inspection-B
ipv4CidrBlock: 10.2.1.0/24
- name: Network-InspectionTgwAttach-A
availabilityZone: a
routeTable: Network-Inspection-Tgw-A
ipv4CidrBlock: 10.2.3.208/28
- name: Network-InspectionTgwAttach-B
availabilityZone: b
routeTable: Network-Inspection-Tgw-B
ipv4CidrBlock: 10.2.3.224/28
- name: Network-Inspection-Firewall-A
availabilityZone: a
routeTable: Network-Inspection-A
ipv4CidrBlock: 10.2.3.0/28
- name: Network-Inspection-Firewall-B
availabilityZone: b
routeTable: Network-Inspection-B
ipv4CidrBlock: 10.2.3.16/28
transitGatewayAttachments:
- name: Network-Inspection
transitGateway:
name: Network-Main
account: Network
options:
applianceModeSupport: enable
routeTableAssociations:
- Network-Main-Shared
routeTablePropagations:
- Network-Main-Core
- Network-Main-Shared
- Network-Main-Segregated
subnets:
- Network-InspectionTgwAttach-A
- Network-InspectionTgwAttach-B
gatewayEndpoints:
defaultPolicy: Default
endpoints:
- service: s3
- service: dynamodb
useCentralEndpoints: true
- name: SharedServices-Main
account: SharedServices
region: *HOME_REGION
cidrs:
- 10.4.0.0/16
routeTables:
- name: SharedServices-Tgw-A
routes: []
- name: SharedServices-Tgw-B
routes: []
- name: SharedServices-App-A
routes:
- name: TgwRoute
destination: 0.0.0.0/0
type: transitGateway
target: Network-Main
- name: S3Gateway
type: gatewayEndpoint
target: s3
- name: DynamoDBGateway
type: gatewayEndpoint
target: dynamodb
- name: SharedServices-App-B
routes:
- name: TgwRoute
destination: 0.0.0.0/0
type: transitGateway
target: Network-Main
- name: S3Gateway
type: gatewayEndpoint
target: s3
- name: DynamoDBGateway
type: gatewayEndpoint
target: dynamodb
subnets:
- name: SharedServices-App-A
availabilityZone: a
routeTable: SharedServices-App-A
ipv4CidrBlock: 10.4.0.0/24
- name: SharedServices-App-B
availabilityZone: b
routeTable: SharedServices-App-B
ipv4CidrBlock: 10.4.1.0/24
- name: SharedServices-MainTgwAttach-A
availabilityZone: a
routeTable: SharedServices-Tgw-A
ipv4CidrBlock: 10.4.255.208/28
- name: SharedServices-MainTgwAttach-B
availabilityZone: b
routeTable: SharedServices-Tgw-B
ipv4CidrBlock: 10.4.255.224/28
transitGatewayAttachments:
- name: SharedServices-Main
transitGateway:
name: Network-Main
account: Network
routeTableAssociations:
- Network-Main-Shared
routeTablePropagations:
- Network-Main-Core
- Network-Main-Shared
- Network-Main-Segregated
subnets:
- SharedServices-MainTgwAttach-A
- SharedServices-MainTgwAttach-B
gatewayEndpoints:
defaultPolicy: Default
endpoints:
- service: s3
- service: dynamodb
useCentralEndpoints: true
##############################################################
# Global configuration for VPC flow logs #
# Where there is no flow log configuration defined with VPC #
# this configuration will be used for flow log configuration #
##############################################################
vpcFlowLogs:
trafficType: ALL
maxAggregationInterval: 600
destinations:
- s3
- cloud-watch-logs
defaultFormat: false
customFields:
- version
- account-id
- interface-id
- srcaddr
- dstaddr
- srcport
- dstport
- protocol
- packets
- bytes
- start
- end
- action
- log-status
- vpc-id
- subnet-id
- instance-id
- tcp-flags
- type
- pkt-srcaddr
- pkt-dstaddr
- region
- az-id
- pkt-src-aws-service
- pkt-dst-aws-service
- flow-direction
- traffic-path
#####################################
# Direct Connect Gateways-- use this #
# object to deploy DX Gateways, #
# virtual interfaces, and #
# associations to transit gateways #
#####################################
# directConnectGateways:
# - name: Network-DXGW
# account: Network
# asn: 65000
# gatewayName: Network-DXGW
# virtualInterfaces:
# - name: Accelerator-VIF
# connectionId: dxcon-test1234
# customerAsn: 65002
# interfaceName: Accelerator-VIF
# ownerAccount: Network
# region: us-east-1
# type: transit
# vlan: 575
# enableSiteLink: true
# jumboFrames: true
# transitGatewayAssociations:
# - name: Network-Main
# account: Network
# allowedPrefixes:
# - 10.0.0.0/8
# - 192.168.0.0/16
# routeTableAssociations:
# - Network-Main-Core
# routeTablePropagations:
# - Network-Main-Core
#####################################
# VPC peering-- use this object to #
# deploy peering between two VPCs #
#####################################
# vpcPeering:
# - name: VpcAtoVpcB
# vpcs:
# - VPC-A
# - VPC-B
Written on October 18, 2022