Updated Detective Organization solution to make AWS Control Tower optional (#180)

* Updated Detective Organization solution to make AWS Control Tower optional

* Updated documentation

* linting fixes

---------

Co-authored-by: ievgeniia ieromenko <ieviero@amazon.com>

Author: IevIe

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2023-09-22](#2023-09-22)
 - [2023-08-07](#2023-08-07)
 - [2023-07-07](#2023-07-07)
 - [2023-07-01](#2023-07-07)
@@ -44,6 +45,10 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2023-09-22
+
+- Updated [Detective Organization](aws_sra_examples/solutions/detective/detective_org) solution to make AWS Control Tower optional.
+
 ## 2023-08-07
 
 - Updated [Common Prerequisites](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/common/common_prerequisites) solution to make AWS Control Tower optional.

README.md

@@ -133,7 +133,7 @@ Follow the instructions within the [Quick Setup](aws_sra_examples/quick_setup) t
 | [S3 Block Account Public Access](aws_sra_examples/solutions/s3/s3_block_account_public_access)        | Configures the account-level S3 BPA settings for all accounts within the organization.                                                                                                                                                                                                                                                                           | Configures S3 BPA settings on buckets created by Control Tower only.                                         | <ul><li>AWS Control Tower</li></ul>                                                                                                                                                                                                                               |
 | [Security Hub](aws_sra_examples/solutions/securityhub/securityhub_org)                                | Configures Security Hub within a delegated admin account for all accounts and governed regions within the organization.                                                                                                                                                                                                                                          |                                                                                                              | <ul><li>AWS Config in all Org Accounts</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account) (*if using AWS Control Tower*)</li></ul>                                                                                  |
 | [Inspector](aws_sra_examples/solutions/inspector/inspector_org)                                       | Configure Inspector within a delegated admin account for all accounts and governed regions within the organization.                                                                                                                                                                                                                                              |                                                                                                              |                                                                                                                                                                                                                                                                   |
-| [Detective](aws_sra_examples/solutions/detective/detective)                                           | The Detective Organization solution will automate enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts.  **Note:** As of 06/07/2023, this solution is not included in the quick setup (it will be in a future code release) |                                                                                                              | <ul><li>AWS Control Tower</li><li>[GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)</li></ul>                                                                                                                                                       |
+| [Detective](aws_sra_examples/solutions/detective/detective)                                           | The Detective Organization solution will automate enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts.   |                                                                                                              | <ul><li>[GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)</li></ul>                                                                                                                                                       |
 ## Utils
 
 - packaging_scripts/stage-solution.sh (Package and stage all the AWS SRA example solutions. For more information see [Staging script details](aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md#staging-script-details))

aws_sra_examples/solutions/detective/detective_org/README.md

@@ -78,11 +78,11 @@ The Detective Organization solution will automate enabling Amazon Detective by d
 
 ---
 
-### 2.0 Audit Account<!-- omit in toc -->
+### 2.0 Audit Account (Security Tooling)<!-- omit in toc -->
 
 The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower 
 setup process for the Security Account. The Account ID for the `Audit Account` SSM parameter is 
-populated from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet.
+populated from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet, but is specified manually in other environments, and then stored in an SSM parameter (this is all done in the common prerequisites solution).
 
 #### 2.1 AWS CloudFormation<!-- omit in toc -->
 

aws_sra_examples/solutions/detective/detective_org/lambda/src/common.py

@@ -16,9 +16,9 @@
 from botocore.exceptions import ClientError, EndpointConnectionError
 
 if TYPE_CHECKING:
-    from mypy_boto3_cloudformation import CloudFormationClient
     from mypy_boto3_iam.client import IAMClient
     from mypy_boto3_organizations import OrganizationsClient
+    from mypy_boto3_ssm.client import SSMClient
     from mypy_boto3_sts.client import STSClient
 
 # Setup Default Logger
@@ -27,15 +27,13 @@
 LOGGER.setLevel(log_level)
 
 # Global variables
-CLOUDFORMATION_PAGE_SIZE = 20
-CLOUDFORMATION_THROTTLE_PERIOD = 0.2
 ORGANIZATIONS_PAGE_SIZE = 20
 ORGANIZATIONS_THROTTLE_PERIOD = 0.2
 
 try:
     MANAGEMENT_ACCOUNT_SESSION = boto3.Session()
-    CLOUDFORMATION_CLIENT: CloudFormationClient = MANAGEMENT_ACCOUNT_SESSION.client("cloudformation")
     ORG_CLIENT: OrganizationsClient = MANAGEMENT_ACCOUNT_SESSION.client("organizations")
+    SSM_CLIENT: SSMClient = MANAGEMENT_ACCOUNT_SESSION.client("ssm")
 except Exception as error:
     LOGGER.error({"Unexpected_Error": error})
     raise ValueError("Unexpected error executing Lambda function. Review CloudWatch logs for details.") from None
@@ -101,32 +99,13 @@ def get_active_organization_accounts(exclude_accounts: list = None) -> list:
 
 
 def get_control_tower_regions() -> list:  # noqa: CCR001
-    """Query 'AWSControlTowerBP-BASELINE-CLOUDWATCH' CloudFormation stack to identify customer regions.
+    """Query SSM Parameter Store to identify customer regions.
 
     Returns:
-        Customer regions chosen in Control Tower
+        Customer regions
     """
-    paginator = CLOUDFORMATION_CLIENT.get_paginator("list_stack_instances")
-    customer_regions = []
-    aws_account = ""
-    all_regions_identified = False
-    for page in paginator.paginate(
-        StackSetName="AWSControlTowerBP-BASELINE-CLOUDWATCH",
-        PaginationConfig={"PageSize": CLOUDFORMATION_PAGE_SIZE},
-    ):
-        for instance in page["Summaries"]:
-            if not aws_account:
-                aws_account = instance["Account"]
-                customer_regions.append(instance["Region"])
-                continue
-            if aws_account == instance["Account"]:
-                customer_regions.append(instance["Region"])
-                continue
-            all_regions_identified = True
-            break
-        if all_regions_identified:
-            break
-        sleep(CLOUDFORMATION_THROTTLE_PERIOD)
+    ssm_response = SSM_CLIENT.get_parameter(Name="/sra/regions/customer-control-tower-regions")
+    customer_regions = ssm_response["Parameter"]["Value"].split(",")
 
     return list(customer_regions)
 

aws_sra_examples/solutions/detective/detective_org/templates/sra-detective-org-configuration.yaml

@@ -281,6 +281,18 @@ Resources:
                   - detective:DisableOrganizationAdminAccount
                   - detective:ListOrganizationAdminAccount
                 Resource: '*'
+
+        - PolicyName: "ssm-access"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Action:
+                  - ssm:GetParameter
+                  - ssm:GetParameters
+                Resource:
+                  - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/sra*"
+
         - PolicyName: sra-detective-org-policy-iam
           PolicyDocument:
             Version: 2012-10-17