updated Macie solution for Control Tower optional (#175)

Co-authored-by: ievgeniia ieromenko <ieviero@amazon.com>

Author: IevIe

README.md

@@ -129,7 +129,7 @@ Follow the instructions within the [Quick Setup](aws_sra_examples/quick_setup) t
 | [GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)                                       | Configures GuardDuty within a delegated admin account for all accounts within an organization.                                                                                                                                                                                                                                                                   |                                                                                                              |                                                                                                                                                                                                                                                                   |
 | [IAM Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer)                             | Configures an organization analyzer within a delegated admin account and account level analyzer within each account.                                                                                                                                                                                                                                             |                                                                                                              | [Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul>                                                                                                  |
 | [IAM Account Password Policy](aws_sra_examples/solutions/iam/iam_password_policy)                     | Sets the account password policy for users to align with common compliance standards.                                                                                                                                                                                                                                                                            |                                                                                                              | <ul><li>AWS Control Tower</li></ul>                                                                                                                                                                                                                               |
-| [Macie](aws_sra_examples/solutions/macie/macie_org)                                                   | Configures Macie within a delegated admin account for all accounts within the organization.                                                                                                                                                                                                                                                                      |                                                                                                              | <ul><li>AWS Control Tower</li></ul>                                                                                                                                                                                                                               |
+| [Macie](aws_sra_examples/solutions/macie/macie_org)                                                   | Configures Macie within a delegated admin account for all accounts within the organization.                                                                                                                                                                                                                                                                      |                                                                                                                                                                                                                                                                                                                                             |
 | [S3 Block Account Public Access](aws_sra_examples/solutions/s3/s3_block_account_public_access)        | Configures the account-level S3 BPA settings for all accounts within the organization.                                                                                                                                                                                                                                                                           | Configures S3 BPA settings on buckets created by Control Tower only.                                         | <ul><li>AWS Control Tower</li></ul>                                                                                                                                                                                                                               |
 | [Security Hub](aws_sra_examples/solutions/securityhub/securityhub_org)                                | Configures Security Hub within a delegated admin account for all accounts and governed regions within the organization.                                                                                                                                                                                                                                          |                                                                                                              | <ul><li>AWS Config in all Org Accounts</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account) (*if using AWS Control Tower*)</li></ul>                                                                                  |
 | [Inspector](aws_sra_examples/solutions/inspector/inspector_org)                                       | Configure Inspector within a delegated admin account for all accounts and governed regions within the organization.                                                                                                                                                                                                                                              |                                                                                                              |                                                                                                                                                                                                                                                                   |

aws_sra_examples/solutions/macie/macie_org/README.md

@@ -78,10 +78,9 @@ The Lambda function is required to register the Macie delegated administrator ac
 
 ---
 
-### 3.0 Audit Account<!-- omit in toc -->
+### 3.0 Audit Account (Security Tooling)<!-- omit in toc -->
 
-The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the `Audit Account` SSM parameter is
-populated from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet.
+The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the `Audit Account`  can be determined from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet in AWS Control Tower environments, but is specified manually in other environments, and then stored in an SSM parameter (this is all done in the common prerequisites solution).
 
 #### 3.1 AWS CloudFormation<!-- omit in toc -->
 

aws_sra_examples/solutions/macie/macie_org/lambda/src/common.py

@@ -17,9 +17,9 @@
 from botocore.exceptions import ClientError
 
 if TYPE_CHECKING:
-    from mypy_boto3_cloudformation import CloudFormationClient
     from mypy_boto3_iam.client import IAMClient
     from mypy_boto3_organizations import OrganizationsClient
+    from mypy_boto3_ssm.client import SSMClient
     from mypy_boto3_sts.client import STSClient
 
 # Setup Default Logger
@@ -33,6 +33,15 @@
 ORG_PAGE_SIZE = 20  # Max page size for list_accounts
 ORG_THROTTLE_PERIOD = 0.2
 BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"})
+UNEXPECTED = "Unexpected!"
+
+
+try:
+    MANAGEMENT_ACCOUNT_SESSION = boto3.Session()
+    SSM_CLIENT: SSMClient = MANAGEMENT_ACCOUNT_SESSION.client("ssm")
+except Exception:
+    LOGGER.exception(UNEXPECTED)
+    raise ValueError("Unexpected error executing Lambda function. Review CloudWatch logs for details.") from None
 
 
 def assume_role(role: str, role_session_name: str, account: str = None, session: boto3.Session = None) -> boto3.Session:
@@ -112,32 +121,14 @@ def get_account_ids(accounts: list, exclude_accounts: list = None) -> list:
 
 
 def get_control_tower_regions() -> list:  # noqa: CCR001
-    """Query 'AWSControlTowerBP-BASELINE-CLOUDWATCH' CloudFormation stack to identify customer regions.
+    """Query SSM Parameter Store to identify customer regions.
 
     Returns:
         Customer regions chosen in Control Tower
     """
-    management_account_session = boto3.Session()
-    cfn_client: CloudFormationClient = management_account_session.client("cloudformation", config=BOTO3_CONFIG)
-    paginator = cfn_client.get_paginator("list_stack_instances")
-    customer_regions = set()
-    aws_account = ""
-    all_regions_identified = False
-    for page in paginator.paginate(StackSetName="AWSControlTowerBP-BASELINE-CLOUDWATCH", PaginationConfig={"PageSize": CLOUDFORMATION_PAGE_SIZE}):
-        for instance in page["Summaries"]:
-            if not aws_account:
-                aws_account = instance["Account"]
-                customer_regions.add(instance["Region"])
-                continue
-            if aws_account == instance["Account"]:
-                customer_regions.add(instance["Region"])
-                continue
-            all_regions_identified = True
-            break
-        if all_regions_identified:
-            break
-        sleep(CLOUDFORMATION_THROTTLE_PERIOD)
-
+    customer_regions = []
+    ssm_response = SSM_CLIENT.get_parameter(Name="/sra/regions/customer-control-tower-regions")
+    customer_regions = ssm_response["Parameter"]["Value"].split(",")
     return list(customer_regions)
 
 

aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml

@@ -261,6 +261,17 @@ Resources:
                   - logs:PutLogEvents
                 Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${pMacieOrgLambdaFunctionName}:log-stream:*
 
+        - PolicyName: "ssm-access"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Action:
+                  - ssm:GetParameter
+                  - ssm:GetParameters
+                Resource:
+                  - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/sra*"
+
         - PolicyName: sra-macie-org-policy-organizations
           PolicyDocument:
             Version: 2012-10-17

aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml

@@ -25,6 +25,12 @@ Metadata:
           - pAuditAccountId
           - pLogArchiveAccountId
           - pRootOrganizationalUnitId
+      
+      - Label:
+          default: IAM Properties
+        Parameters:
+          - pStackSetAdminRole
+          - pStackExecutionRole
 
       - Label:
           default: Macie Delivery Properties
@@ -50,6 +56,10 @@ Metadata:
           - pLambdaLogLevel
 
     ParameterLabels:
+      pStackSetAdminRole:
+        default: Stack Set Role
+      pStackExecutionRole:
+        default: Stack execution role
       pAuditAccountId:
         default: Audit Account ID
       pControlTowerRegionsOnly:
@@ -88,6 +98,16 @@ Metadata:
         default: SRA Staging S3 Bucket Name
 
 Parameters:
+  pStackSetAdminRole:
+    AllowedValues: [sra-stackset]
+    Default: sra-stackset
+    Description: The administration role name that is used in the stackset.
+    Type: String
+  pStackExecutionRole:
+    AllowedValues: [sra-execution]
+    Default: sra-execution
+    Description: The execution role name that is used in the stack.
+    Type: String
   pAuditAccountId:
     AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
     ConstraintDescription:
@@ -253,12 +273,12 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-macie-org-configuration-role
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Capabilities:
         - CAPABILITY_NAMED_IAM
       Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for configuring Macie
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:
@@ -284,10 +304,10 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-macie-org-delivery-kms-key
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !Sub ${pSRASolutionVersion} - Deploys a KMS Key via ${pSRASolutionName} for encrypting Macie findings
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:
@@ -320,10 +340,10 @@ Resources:
     DependsOn: rMacieDeliveryKMSKeyStackSet
     Properties:
       StackSetName: sra-macie-org-delivery-s3-bucket
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !Sub ${pSRASolutionVersion} - Deploys an S3 bucket via ${pSRASolutionName} for storing Macie findings
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:

aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main.yaml

@@ -25,6 +25,12 @@ Metadata:
           - pAuditAccountId
           - pLogArchiveAccountId
           - pRootOrganizationalUnitId
+      
+      - Label:
+          default: IAM Properties
+        Parameters:
+          - pStackSetAdminRole
+          - pStackExecutionRole
 
       - Label:
           default: Macie Delivery Properties
@@ -50,6 +56,10 @@ Metadata:
           - pLambdaLogLevel
 
     ParameterLabels:
+      pStackSetAdminRole:
+        default: Stack Set Role
+      pStackExecutionRole:
+        default: Stack execution role
       pAuditAccountId:
         default: Audit Account ID
       pControlTowerRegionsOnly:
@@ -88,6 +98,16 @@ Metadata:
         default: SRA Staging S3 Bucket Name
 
 Parameters:
+  pStackSetAdminRole:
+    AllowedValues: [sra-stackset]
+    Default: sra-stackset
+    Description: The administration role name that is used in the stackset.
+    Type: String
+  pStackExecutionRole:
+    AllowedValues: [sra-execution]
+    Default: sra-execution
+    Description: The execution role name that is used in the stack.
+    Type: String
   pAuditAccountId:
     AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$
     ConstraintDescription:
@@ -246,12 +266,12 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-macie-org-configuration-role
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Capabilities:
         - CAPABILITY_NAMED_IAM
       Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for configuring Macie
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:
@@ -277,10 +297,10 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-macie-org-delivery-kms-key
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !Sub ${pSRASolutionVersion} - Deploys a KMS Key via ${pSRASolutionName} for encrypting Macie findings
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:
@@ -313,10 +333,10 @@ Resources:
     DependsOn: rMacieDeliveryKMSKeyStackSet
     Properties:
       StackSetName: sra-macie-org-delivery-s3-bucket
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !Sub ${pSRASolutionVersion} - Deploys an S3 bucket via ${pSRASolutionName} for storing Macie findings
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences: