/aws-control-tower-org-setup-sample

Automated AWS Organizations configuration for security operations

Primary LanguagePythonMIT No AttributionMIT-0

Automate the set up of security services with AWS Control Tower

Table of contents

  1. Introduction
  2. Architecture
  3. Prerequisites
  4. Tools and services
  5. Usage
  6. Clean up
  7. Reference
  8. Contributing
  9. License

Introduction

This project configures the following AWS Organizations functionality:

  1. Set up the AWS Control Tower "Audit" account to be the delegated administrator for:
  1. Enables organizational sharing for AWS Service Catalog and AWS Resource Access Manager (RAM)
  2. Optionally, configures an AI opt-out policy at the organization root

Architecture

architecture

  1. When an AWS Control Tower landing zone is created, a SetupLandingZone event is sent to the Amazon EventBridge default event bus.
  2. An Amazon EventBridge rule matches the SetupLandingZone event and triggers the OrganizationSetup AWS Lambda function.
  3. The AWS Lambda function will coordinate the various services to set up the security operations account

Prerequisites

Tools and services

  • AWS SAM - The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings.
  • AWS Lambda - AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes.
  • AWS Control Tower - AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone.
  • AWS Organizations - AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.
  • Amazon GuardDuty - Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
  • AWS Security Hub - AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts.
  • Amazon EventBridge - Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources.
  • Amazon Macie - Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
  • AWS Firewall Manager - AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations.
  • AWS Service Catalog - AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.
  • AWS Resource Access Manager - AWS Resource Access Manager (RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM users for supported resource types.
  • AWS IAM Access Analyzer - IAM Access Analyzer helps you review existing access so that you can identify and remove unintended external or unused permissions.
  • Amazon Inspector - Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
  • Amazon Detective - Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
  • Amazon Security Lake - Amazon Security Lake automatically centralizes security data from cloud, on-premises, and custom sources into a purpose-built data lake stored in your account.

Usage

Parameters

Parameter Type Default Description
Regions String us-east-1 Comma-delimited list of regions to enable for GuardDuty and Security Hub
ExecutionRoleName String AWSControlTowerExecution IAM execution role in each new account
AdministratorAccountName String Audit Name of the AWS account to use for security operations
ExecutionCount Number 1 Increment value to re-execute OrganizationSetup Lambda function
EnableAIOptOutPolicy String false Optionally opt-out of AI-service improvement
SigningProfileVersionArn String None Code Signing Profile Version ARN

Installation

The CloudFormation stack must be deployed in the same AWS account where the AWS Control Tower landing zone will be created. This is usually the AWS Organizations Management account.

git clone https://github.com/aws-samples/aws-control-tower-org-setup-sample
cd aws-control-tower-org-setup-sample
aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name OrganizationSetupProfile
sam build
sam deploy \
  --guided \
  --signing-profiles OrganizationSetupFunction=OrganizationSetupProfile \
  --tags "GITHUB_ORG=aws-samples GITHUB_REPO=aws-control-tower-org-setup-sample"

Clean up

Deleting the CloudFormation Stack will remove the Lambda function and EventBridge rule. All of the administrator delegations will not be removed.

sam delete

Reference

This solution is inspired by these references:

Contributing

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.