aws-samples
diff --git a/‎CHANGELOG.md
Lines changed: 11 additions & 0 deletions b/‎CHANGELOG.md
Lines changed: 11 additions & 0 deletions
diff --git a/‎aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml
Lines changed: 46 additions & 4 deletions b/‎aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml
Lines changed: 46 additions & 4 deletions
diff --git a/‎aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml
Lines changed: 56 additions & 6 deletions b/‎aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml
Lines changed: 56 additions & 6 deletions
diff --git a/‎aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml
Lines changed: 45 additions & 6 deletions b/‎aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml
Lines changed: 45 additions & 6 deletions
diff --git a/‎aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
Lines changed: 2 additions & 7 deletions b/‎aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
Lines changed: 2 additions & 7 deletions
@@ -3,6 +3,8 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2024-05-03](#2024-05-03)
+- [2024-04-15](#2024-04-15)
 - [2024-02-12](#2024-02-12)
 - [2024-02-09](#2024-02-09)
 - [2024-01-29](#2024-01-29)
@@ -51,6 +53,15 @@
 All notable changes to this project will be documented in this file.
 
 ---
+## 2024-05-03
+
+- Updated [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org) solution to add Runtime Monitoring protection.
+- Updated [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org) solution default setting to deploy in all enabled regions.
+
+## 2024-04-15
+
+- Updated [Common CFCT Setup](aws_sra_examples/solutions/common/common_cfct_setup) solution to download the latest CfCT template.
+
 ## 2024-02-12
 
 - Added [AMI Bakery](aws_sra_examples/solutions/ami_bakery/ami_bakery_org) solution for AMI image management.
 
@@ -147,16 +147,21 @@ Metadata:
           default: GuardDuty Solution
         Parameters:
           - pDisableGuardDuty
+          - pGuardDutyCustomerGovernedRegionsOnly
+          - pGuardDutyEnabledRegions
           - pAutoEnableS3Logs
           - pAutoEnableKubernetesAuditLogs
           - pAutoEnableMalwareProtection
           - pEnableRdsLoginEvents
-          - pEnableEksRuntimeMonitoring
+          - pEnableRuntimeMonitoring
           - pEnableEksAddonManagement
+          - pEnableEcsFargateAgentManagement
+          - pEnableEc2AgentManagement
           - pEnableLambdaNetworkLogs
           - pGuardDutyFindingPublishingFrequency
           - pGuardDutyOrgDeliveryBucketPrefix
           - pGuardDutyOrgDeliveryKeyAlias
+
       - Label:
           default: IAM Access Analyzer Solution
         Parameters:
@@ -337,10 +342,14 @@ Metadata:
         default: Auto Enable Malware Protection
       pEnableRdsLoginEvents:
         default: Auto enable RDS Login Events
-      pEnableEksRuntimeMonitoring:
-        default: Auto enable EKS Runtime Monitoring
+      pEnableRuntimeMonitoring:
+        default: Auto enable Runtime Monitoring
       pEnableEksAddonManagement:
         default: Auto enable EKS Add-on Management
+      pEnableEcsFargateAgentManagement:
+        default: Auto enable ECS Fargate Agent Management
+      pEnableEc2AgentManagement:
+        default: Auto enable EC2 Agent Management
       pEnableLambdaNetworkLogs:
         default: Auto enable Lambda Network Logs
       pBillingContactAction:
@@ -443,6 +452,10 @@ Metadata:
         default: (Optional) Exclude EC2 Default EBS Encryption Tags
       pExcludeS3BlockAccountPublicAccessTags:
         default: (Optional) Exclude S3 Block Account Public Access Tags
+      pGuardDutyCustomerGovernedRegionsOnly:
+        default: Enable GuardDuty in Customer Governed Regions Only
+      pGuardDutyEnabledRegions:
+        default: (Optional) Enabled Regions
       pFrequency:
         default: Frequency
       pGuarddutyEnabledForMoreThan48Hours:
@@ -817,6 +830,16 @@ Parameters:
     Default: "true"
     Description: Auto enable EKS Add-on Management
     Type: String
+  pEnableEcsFargateAgentManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable ECS Fargate Agent Management
+    Type: String
+  pEnableEc2AgentManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable EC2 Agent Management
+    Type: String
   pEnableLambdaNetworkLogs:
     AllowedValues: ["true", "false"]
     Default: "true"
@@ -1129,6 +1152,21 @@ Parameters:
       '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"},
       ... ]. For example, [{"Key": "exclude-s3-block-account-public-access", "Value": "true"}].'
     Type: String
+  pGuardDutyCustomerGovernedRegionsOnly:
+    AllowedValues: ['true', 'false']
+    Default: 'false'
+    Description: Indicates whether to enable GuardDuty in the customer's Goverened Regions only. Example - Control Tower regions, or Common Prerequisites regions.
+    Type: String
+  pGuardDutyEnabledRegions:
+    AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
+    ConstraintDescription:
+      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
+      us-east-1,ap-southeast-2)
+    Default: ''
+    Description:
+      (Optional) Enabled regions (AWS regions, separated by commas).
+    Type: String
+      
   pFrequency:
     AllowedValues: [1hour, 3hours, 6hours, 12hours, 24hours]
     Default: 1hour
@@ -2608,8 +2646,12 @@ Resources:
         pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs
         pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection
         pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents
-        pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring
+        pControlTowerRegionsOnly: !Ref pGuardDutyCustomerGovernedRegionsOnly
+        pEnabledRegions: !Ref pGuardDutyEnabledRegions
+        pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring
         pEnableEksAddonManagement: !Ref pEnableEksAddonManagement
+        pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement
+        pEnableEc2AgentManagement: !Ref pEnableEc2AgentManagement
         pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs
         pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
         pDisableGuardDuty: !If [cDisableGuardDuty, true, false]
 
@@ -53,11 +53,15 @@ Metadata:
           default: GuardDuty
         Parameters:
           - pDisableGuardDuty
+          - pControlTowerRegionsOnly
+          - pEnabledRegions
           - pAutoEnableS3Logs
           - pAutoEnableKubernetesAuditLogs
           - pAutoEnableMalwareProtection
           - pEnableRdsLoginEvents
-          - pEnableEksRuntimeMonitoring
+          - pEnableRuntimeMonitoring
+          - pEnableEcsFargateAgentManagement
+          - pEnableEc2AgentManagement
           - pEnableEksAddonManagement
           - pEnableLambdaNetworkLogs
           - pGuardDutyFindingPublishingFrequency
@@ -119,10 +123,14 @@ Metadata:
         default: pAutoEnableMalwareProtection
       pEnableRdsLoginEvents:
         default: pEnableRdsLoginEvents
-      pEnableEksRuntimeMonitoring:
-        default: pEnableEksRuntimeMonitoring
+      pEnableRuntimeMonitoring:
+        default: pEnableRuntimeMonitoring
       pEnableEksAddonManagement:
         default: pEnableEksAddonManagement
+      pEnableEcsFargateAgentManagement:
+        default: Auto enable ECS Fargate Agent Management
+      pEnableEc2AgentManagement:
+        default: Auto enable EC2 Agent Management
       pEnableLambdaNetworkLogs:
         default: pEnableLambdaNetworkLogs
       pGuardDutyFindingPublishingFrequency:
@@ -133,6 +141,10 @@ Metadata:
         default: pGuardDutyOrgDeliveryKeyAlias
       pCreateAWSControlTowerExecutionRole:
         default: Create AWS Control Tower Execution Role
+      pControlTowerRegionsOnly:
+        default: Control Tower Regions Only
+      pEnabledRegions:
+        default: (Optional) Enabled Regions
 
 Parameters:
   pSRAHelperBucketNamePrefix:
@@ -257,6 +269,19 @@ Parameters:
     Default: "1"
     Description: Random parameter
     Type: String
+  pControlTowerRegionsOnly:
+    Type: String
+    Description: Only enable in the Control Tower governed regions (set to true for environments without AWS Control Tower)
+    Default: 'false'
+    AllowedValues: ['true', 'false']
+  pEnabledRegions:
+    AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
+    ConstraintDescription:
+      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
+      us-east-1,ap-southeast-2)
+    Default: ''
+    Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.
+    Type: String
 
 
   pCreateLambdaLogGroup:
@@ -292,16 +317,26 @@ Parameters:
     Default: 'true'
     Description: Auto enable RDS Login Events
     Type: String   
-  pEnableEksRuntimeMonitoring:
+  pEnableRuntimeMonitoring:
     AllowedValues: ['true', 'false']
     Default: 'true'
-    Description: Auto enable EKS Runtime Monitoring
+    Description: Auto enable Runtime Monitoring
     Type: String   
   pEnableEksAddonManagement:
     AllowedValues: ['true', 'false']
     Default: 'true'
     Description: Auto enable EKS Add-on Management
     Type: String
+  pEnableEcsFargateAgentManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable ECS Fargate Agent Management
+    Type: String
+  pEnableEc2AgentManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable EC2 Agent Management
+    Type: String
   pEnableLambdaNetworkLogs:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -331,6 +366,17 @@ Parameters:
     Description: (Optional) Email address for receiving SRA alarms
     Type: String
 
+Rules:
+  CheckGuardDutyRuntimeEnabled:
+    RuleCondition: !Equals [!Ref pEnableRuntimeMonitoring, 'false']
+    Assertions:
+      - Assert: !Not [!Equals [!Ref pEnableEksAddonManagement, 'true']]
+        AssertDescription: "'Enable EKS Addon Management' requires Guardduty Runtime Monitoring to be enabled"
+      - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, 'true']]
+        AssertDescription: "'Enable Ecs Fargate Agent Management' requires Guardduty Runtime Monitoring to be enabled"
+      - Assert: !Not [!Equals [!Ref pEnableEc2AgentManagement, 'true']]
+        AssertDescription: "'Enable Ec2 Agent Management' requires Guardduty Runtime Monitoring to be enabled"
+
 Conditions:
   cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
   cUseGraviton: !Or
@@ -1125,8 +1171,10 @@ Resources:
         pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs
         pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection
         pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents
-        pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring
+        pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring
         pEnableEksAddonManagement: !Ref pEnableEksAddonManagement
+        pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement
+        pEnableEc2AgentManagement: !Ref pEnableEc2AgentManagement
         pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs
         pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup
         pDisableGuardDuty: !Ref pDisableGuardDuty
@@ -1145,6 +1193,8 @@ Resources:
         pSecurityAccountId: !Ref pSecurityAccountId
         pLogArchiveAccountId: !Ref pLogArchiveAccountId
         pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
+        pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly
+        pEnabledRegions: !Ref pEnabledRegions
 
 Outputs:
   oPublishingDestinationBucketName:
 
@@ -48,12 +48,16 @@ Metadata:
           default: GuardDuty Solution
         Parameters:
           - pDisableGuardDuty
+          - pControlTowerRegionsOnly
+          - pEnabledRegions
           - pAutoEnableS3Logs
           - pAutoEnableKubernetesAuditLogs
           - pAutoEnableMalwareProtection
           - pEnableRdsLoginEvents
-          - pEnableEksRuntimeMonitoring
+          - pEnableRuntimeMonitoring
           - pEnableEksAddonManagement
+          - pEnableEcsFargateAgentManagement
+          - pEnableEc2AgentManagement
           - pEnableLambdaNetworkLogs
           - pGuardDutyFindingPublishingFrequency
           - pGuardDutyOrgDeliveryBucketPrefix
@@ -129,10 +133,14 @@ Metadata:
         default: Auto Enable Malware Protection
       pEnableRdsLoginEvents:
         default: Auto enable RDS Login Events
-      pEnableEksRuntimeMonitoring:
-        default: Auto enable EKS Runtime Monitoring
+      pEnableRuntimeMonitoring:
+        default: Auto enable Runtime Monitoring
       pEnableEksAddonManagement:
         default: Auto enable EKS Add-on Management
+      pEnableEcsFargateAgentManagement:
+        default: Auto enable ECS Fargate Agent Management
+      pEnableEc2AgentManagement:
+        default: Auto enable EC2 Agent Management
       pEnableLambdaNetworkLogs:
         default: Auto enable Lambda Network Logs
       pGuardDutyFindingPublishingFrequency:
@@ -141,6 +149,10 @@ Metadata:
         default: GuardDuty Delivery Bucket Prefix
       pGuardDutyOrgDeliveryKeyAlias:
         default: GuardDuty Delivery KMS Key Alias
+      pControlTowerRegionsOnly:
+        default: Control Tower Regions Only
+      pEnabledRegions:
+        default: (Optional) Enabled Regions
 
 Parameters:
   pRepoURL:
@@ -302,16 +314,26 @@ Parameters:
     Default: 'true'
     Description: Auto enable RDS Login Events
     Type: String   
-  pEnableEksRuntimeMonitoring:
+  pEnableRuntimeMonitoring:
     AllowedValues: ['true', 'false']
     Default: 'true'
-    Description: Auto enable EKS Runtime Monitoring
+    Description: Auto enable Runtime Monitoring
     Type: String   
   pEnableEksAddonManagement:
     AllowedValues: ['true', 'false']
     Default: 'true'
     Description: Auto enable EKS Add-on Management
     Type: String
+  pEnableEcsFargateAgentManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable ECS Fargate Agent Management
+    Type: String
+  pEnableEc2AgentManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable EC2 Agent Management
+    Type: String
   pEnableLambdaNetworkLogs:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -334,6 +356,19 @@ Parameters:
     Default: sra-guardduty-org-delivery-key
     Description: GuardDuty Delivery KMS Key Alias
     Type: String
+  pControlTowerRegionsOnly:
+    Type: String
+    Description: Only enable in the Control Tower governed regions (set to true for environments without AWS Control Tower)
+    Default: 'false'
+    AllowedValues: ['true', 'false']
+  pEnabledRegions:
+    AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
+    ConstraintDescription:
+      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
+      us-east-1,ap-southeast-2)
+    Default: ''
+    Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.
+    Type: String
 
 # Rules:
 
@@ -846,8 +881,10 @@ Resources:
         pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs
         pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection
         pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents
-        pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring
+        pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring
         pEnableEksAddonManagement: !Ref pEnableEksAddonManagement
+        pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement
+        pEnableEc2AgentManagement: !Ref pEnableEc2AgentManagement
         pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs
         pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
         pDisableGuardDuty: !If [cDisableGuardDuty, true, false]
@@ -858,6 +895,8 @@ Resources:
         pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
         pLambdaLogLevel: !Ref pLambdaLogLevel
         pSRAAlarmEmail: !Ref pSRAAlarmEmail
+        pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly
+        pEnabledRegions: !Ref pEnabledRegions
 
   CommonPrerequisitesMainSsmWaitHandle: 
     Condition: cCommonPrerequisitesNotInstalled
 
@@ -18,14 +18,9 @@
 
 if TYPE_CHECKING:
     from mypy_boto3_codecommit.client import CodeCommitClient
-    from mypy_boto3_codecommit.type_defs import (
-        CreateRepositoryOutputTypeDef,
-        DeleteRepositoryOutputTypeDef,
-        EmptyResponseMetadataTypeDef,
-        PutFileOutputTypeDef,
-    )
+    from mypy_boto3_codecommit.type_defs import CreateRepositoryOutputTypeDef, DeleteRepositoryOutputTypeDef, PutFileOutputTypeDef
     from mypy_boto3_codepipeline.client import CodePipelineClient
-    from mypy_boto3_codepipeline.type_defs import CreatePipelineOutputTypeDef, PipelineDeclarationTypeDef
+    from mypy_boto3_codepipeline.type_defs import CreatePipelineOutputTypeDef, EmptyResponseMetadataTypeDef, PipelineDeclarationTypeDef
 
 LOGGER = logging.getLogger("sra")