Migration from regional to global API identifiers (#8)

Author: igirardi

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.0] - 2024-12-19
+### Breaking Changes
+- Migration from regional to global API identifiers
+
 ## [1.0.0] - 2023-06-22
 ### Added
 - Initial public release

README.md

@@ -3,7 +3,7 @@
 
 - [AWS Prescriptive Guidance](#aws-prescriptive-guidance)
 - [Goal](#goal)
-- [Prerequisites and limitations](#prerequisites-and-limitations)
+- [Prerequisites and Limitations](#prerequisites-and-limitations)
 - [Architecture](#architecture)
 - [Tools](#tools)
 - [Best practices](#best-practices)
@@ -37,15 +37,15 @@ Implementing AWS Control Tower controls helps establish a strong security founda
 
 To deploy AWS Control Tower controls as IaC, you can also use HashiCorp Terraform instead of AWS CDK. For more information, see [Deploy and manage AWS Control Tower controls by using Terraform](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.html).
 
-### Target Audience
+### Intended Audience
 
 This pattern is recommended for users who have experience with AWS Control Tower, CloudFormation, AWS CDK, and AWS Organizations.
 
-## Prerequisites and limitations
+## Prerequisites and Limitations
 
 ### Prerequisites
 
-- Active AWS accounts managed as an organization in AWS Organizations and an AWS Control Tower landing zone. For instructions, see [Create an account structure](https://www.wellarchitectedlabs.com/cost/100_labs/100_1_aws_account_setup/2_account_structure/) (AWS Well-Architected Labs).
+- Active AWS accounts managed as an organization in AWS Organizations and an AWS Control Tower landing zone. For instructions, see [Getting started](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html) in the AWS Control Tower documentation.
 
 - AWS Command Line Interface (AWS CLI), [installed](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [configured](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).
 
@@ -63,6 +63,11 @@ This pattern is recommended for users who have experience with AWS Control Tower
 
 ### Limitations
 
+- For AWS Control Tower controls, this pattern requires the use of [global identifiers](https://docs.aws.amazon.com/controltower/latest/controlreference/all-global-identifiers.html) that are in the following format:
+`arn:<PARTITION>:controlcatalog:::control/<CONTROL_CATALOG_OPAQUE_ID>`
+**Note:** In most cases, the value for `<PARTITION>` is aws.
+Previous versions of this pattern used [regional identifiers](https://docs.aws.amazon.com/controltower/latest/controlreference/control-metadata-tables.html) that are no longer supported. We recommend that you migrate from regional identifiers to global identifiers. Global identifiers help you manage controls and expand the number of controls you can use.
+
 - This pattern provides instructions for deploying this solution across AWS accounts, from a deployment account to the organization’s management account. For testing purposes, you can deploy this solution directly in the management account, but instructions for this configuration are not explicitly provided.
 
 
@@ -76,7 +81,7 @@ AWS Control Tower controls are categorized according to their behavior and their
 
 There are three primary types of control behaviors:
 
-1. Preventive controls are designed to prevent actions from occurring. These are implemented with [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in AWS Organizations. The status of a preventive control is either enforced or not enabled. Preventive controls are supported in all AWS Regions.
+1.	Preventive controls are designed to prevent actions from occurring. These are implemented with [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) or [resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in AWS Organizations. The status of a preventive control is either enforced or not enabled. Preventive controls are supported in all AWS Regions.
 
 2. Detective controls are designed to detect specific events when they occur and log the action in CloudTrail. These are implemented with [AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html). The status of a detective control is either clear, in violation, or not enabled. Detective controls apply only in those AWS Regions supported by AWS Control Tower.
 
@@ -136,7 +141,7 @@ To deploy this solution, you need
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_ct"></a> [AWS Control Tower](https://aws.amazon.com/controltower/) | >= 3.0 |
+| <a name="requirement_ct"></a> [AWS Control Tower](https://aws.amazon.com/controltower/) | >= 3.2 |
 | <a name="requirement_python"></a> [Python](https://www.python.org/) | >= 3.9 |
 | <a name="requirement_npm"></a> [npm](https://www.npmjs.com/) | >= 8.9.0 |
 
@@ -180,14 +185,14 @@ ROLE_ARN = "arn:aws:iam::111122223333:role/CT-Controls-Role"
 GUARDRAILS_CONFIGURATION = [
     {
         "Enable-Control": {
-            "AWS-GR_ENCRYPTED_VOLUMES",
+            "503uicglhjkokaajywfpt6ros",
             ...
         },
         "OrganizationalUnitIds": ["ou-1111-11111111", "ou-2222-22222222"...],
     },
     {
         "Enable-Control": {
-            "AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED",
+            "50z1ot237wl8u1lv5ufau6qqo",
             ...
         },
         "OrganizationalUnitIds": ["ou-2222-22222222"...],
@@ -203,14 +208,15 @@ GUARDRAILS_CONFIGURATION = [
 
 4. In the `ROLE_ARN` parameter, enter the ARN of the role you created in the management account.
 
-5. In the `GUARDRAILS_CONFIGURATION` section, in the `Enable-Control` parameter, enter the control API identifiers. Enter the identifier in double quotation marks, and separate multiple identifiers with commas. Each control has a unique API identifier for each Region in which AWS Control Tower is available. To find the control identifier, do the following:
-    - In [Tables of control metadata](https://docs.aws.amazon.com/controltower/latest/userguide/control-metadata-tables.html), locate the control you want to enable.
-    - In the Control API identifiers, by Region column, locate the API identifier for the Region in which you are making the API call, such as `arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES`.
-    - Extract the control identifier from the Regional identifier, such as `AWS-GR_ENCRYPTED_VOLUMES`.
+5. Open [All global identifiers](https://docs.aws.amazon.com/controltower/latest/controlreference/all-global-identifiers.html) in the AWS Control Tower documentation.
+
+6. In the JSON-formatted list, locate the control that you want to implement, and then copy its global identifier (also known as the `{CONTROL_CATALOG_OPAQUE_ID}` value). For example, the global identifier for the `AWS-GR_ENCRYPTED_VOLUMES` control is `503uicglhjkokaajywfpt6ros`.
+
+7. In the `GUARDRAILS_CONFIGURATION` section, in the `Enable-Control` parameter, enter the global identifier that you copied. Enter the identifier in double quotation marks, and separate multiple identifiers with commas.
 
-6. In the `GUARDRAILS_CONFIGURATION` section, in the `OrganizationalUnitIds` parameter, enter the ID of the organizational unit where you want to enable the control, such as `ou-1111-11111111`. Enter the ID in double quotation marks, and separate multiple IDs with commas. For more information about how to retrieve OU IDs, see [Viewing the details of an OU](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html#orgs_view_ou).
+8. In the `GUARDRAILS_CONFIGURATION` section, in the `OrganizationalUnitIds` parameter, enter the ID of the organizational unit where you want to enable the control, such as `ou-1111-11111111`. Enter the ID in double quotation marks, and separate multiple IDs with commas. For more information about how to retrieve OU IDs, see [Viewing the details of an OU](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html#orgs_view_ou).
 
-7. Save and close the constants.py file. For an example of an updated constants.py file, see the [Additional information](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-aws-cdk-and-aws-cloudformation.html#deploy-and-manage-aws-control-tower-controls-by-using-aws-cdk-and-aws-cloudformation-additional) section of this pattern.
+9. Save and close the constants.py file. For an example of an updated constants.py file, see the [Additional information](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-aws-cdk-and-aws-cloudformation.html#deploy-and-manage-aws-control-tower-controls-by-using-aws-cdk-and-aws-cloudformation-additional) section of this pattern.
 
 
 ## Deployment

constants.py

@@ -34,41 +34,41 @@
 GUARDRAILS_CONFIGURATION = [
     {
         "Enable-Control": {
-            "AWS-GR_ENCRYPTED_VOLUMES",
-            "AWS-GR_EBS_OPTIMIZED_INSTANCE",
-            "AWS-GR_EC2_VOLUME_INUSE_CHECK",
-            "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
-            "AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED",
-            "AWS-GR_RDS_STORAGE_ENCRYPTED",
-            "AWS-GR_RESTRICTED_COMMON_PORTS",
-            "AWS-GR_RESTRICTED_SSH",
-            "AWS-GR_RESTRICT_ROOT_USER",
-            "AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS",
-            "AWS-GR_ROOT_ACCOUNT_MFA_ENABLED",
-            "AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED",
-            "AWS-GR_S3_BUCKET_PUBLIC_WRITE_PROHIBITED",
+            "503uicglhjkokaajywfpt6ros",  # AWS-GR_ENCRYPTED_VOLUMES
+            "2j9gjxqfo040xtx8kd1jf4ni6",  # AWS-GR_EBS_OPTIMIZED_INSTANCE
+            "8c3i4catfgmyy1e19476v06rr",  # AWS-GR_EC2_VOLUME_INUSE_CHECK
+            "4jc77cq1lcr7g64xywwypykv8",  # AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK
+            "1h4eyqyyonp19dlrreqf1i3w0",  # AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED
+            "e34kieahgkm0lggs5g0s412jt",  # AWS-GR_RDS_STORAGE_ENCRYPTED
+            "df2ta5ytg2zatj1q7y5e09u32",  # AWS-GR_RESTRICTED_COMMON_PORTS
+            "6rilu41n0gb9w6mxrkyewoer4",  # AWS-GR_RESTRICTED_SSH
+            "5kvme4m5d2b4d7if2fs5yg2ui",  # AWS-GR_RESTRICT_ROOT_USER
+            "8ui9y3oace2513xarz8aqojl7",  # AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS
+            "24izmu4k16gv9tvd7sexnyrfy",  # AWS-GR_ROOT_ACCOUNT_MFA_ENABLED
+            "8sw3pbid15t9cbww8d2w2qwgf",  # AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED
+            "9j9nwxj789d82sypnukhyyowy",  # AWS-GR_S3_BUCKET_PUBLIC_WRITE_PROHIBITED
         },
         "OrganizationalUnitIds": ["ou-1111-11111111"],
     },
     {
         "Enable-Control": {
-            "AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED",
-            "AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED",
-            "AWS-GR_DISALLOW_CROSS_REGION_NETWORKING",
-            "AWS-GR_DISALLOW_VPC_INTERNET_ACCESS",
-            "AWS-GR_DISALLOW_VPN_CONNECTIONS",
-            "AWS-GR_DMS_REPLICATION_NOT_PUBLIC",
-            "AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK",
-            "AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP",
-            "AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS",
-            "AWS-GR_ELASTICSEARCH_IN_VPC_ONLY",
-            "AWS-GR_EMR_MASTER_NO_PUBLIC_IP",
-            "AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED",
-            "AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW",
-            "AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK",
-            "AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC",
-            "AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS",
-            "AWS-GR_SSM_DOCUMENT_NOT_PUBLIC",
+            "50z1ot237wl8u1lv5ufau6qqo",  # AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED
+            "aemn4s3hxv9erree434pvjboi",  # AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
+            "dvuaav61i5cnfazfelmvn9m6k",  # AWS-GR_DISALLOW_CROSS_REGION_NETWORKING
+            "41ngl8m5c4eb1myoz0t707n7h",  # AWS-GR_DISALLOW_VPC_INTERNET_ACCESS
+            "5rlqt6yj6u0v0gb62pqdy4ae",  # AWS-GR_DISALLOW_VPN_CONNECTIONS
+            "dekrrxbiux86m6jdowdsbamze",  # AWS-GR_DMS_REPLICATION_NOT_PUBLIC
+            "87qo8rsoettjrxjevmjqcw1tu",  # AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
+            "4v7xtm83uvvyulk1wwpm4qm3s",  # AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP
+            "aeellyghb27pbehyzua1nyena",  # AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS
+            "2civrte1w8tqff4vbtzdl4abq",  # AWS-GR_ELASTICSEARCH_IN_VPC_ONLY
+            "5cnql6so7p7bs0khdjodjr9e2",  # AWS-GR_EMR_MASTER_NO_PUBLIC_IP
+            "b2gzofz99eb7nsuj5g8wcimse",  # AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
+            "b8pjfqosgkgknznstduvel4rh",  # AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW
+            "1oxkwnc4hwhi2ndv6ekwy7np7",  # AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
+            "6wmutsohbkwhfw6sf7cbt5e81",  # AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
+            "66gfl06uj1v999z53szvu0exa",  # AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
+            "dfanrd8y5p7oj8fjyugqnakfr",  # AWS-GR_SSM_DOCUMENT_NOT_PUBLIC
         },
         "OrganizationalUnitIds": ["ou-2222-22222222"],
     },

img/ctc-architecture.png

@@ -1,9 +1,9 @@
 -c requirements.in
 
 bandit
-black<=22.12.0 # latest version of safety requires a previous version of black
+black
 coverage
-flake8~=3.9
+flake8
 isort
 mypy
 pylint