Adding Detective Organization solution to Easy Setup, Quick Setup, CFCT Easy Setup and Quick Setup (#155)

* adding Detective to Easy Setup, Quick Setup

* updated CHANGELOG

---------

Co-authored-by: ievgeniia ieromenko <ieviero@amazon.com>

Author: IevIe

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2023-07-01](#2023-07-01)
 - [2023-06-21](#2023-06-21)
 - [2023-06-20](#2023-06-20)
 - [2023-06-01](#2023-06-01)
@@ -40,8 +41,16 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2023-07-01
+
+### Changed<!-- omit in toc -->
+
+- Added [Detective Organization](aws_sra_examples/solutions/detective/detective_org) solution to [Easy Setup](aws_sra_examples/easy_setup) and [Quick Setup](aws_sra_examples/quick_setup/)
+
 ## 2023-06-21
 
+### Changed<!-- omit in toc -->
+
 - Added [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org) EKS, Malware, RDS, and Lambda protections to [Easy Setup](aws_sra_examples/easy_setup) and [Quick Setup](aws_sra_examples/quick_setup/) deployment options
 - Added [Inspector Organization](aws_sra_examples/solutions/inspector/inspector_org) solution to [Quick Setup](aws_sra_examples/quick_setup/) deployment option
 

README.md

@@ -98,7 +98,7 @@ Follow the instructions within the [Quick Setup](aws_sra_examples/quick_setup) t
 | [S3 Block Account Public Access](aws_sra_examples/solutions/s3/s3_block_account_public_access)        | Configures the account-level S3 BPA settings for all accounts within the organization.                                                                                                      | Configures S3 BPA settings on buckets created by Control Tower only.                                         |                                                                                                                                                                                                                                         |
 | [Security Hub](aws_sra_examples/solutions/securityhub/securityhub_org)                                | Configures Security Hub within a delegated admin account for all accounts and governed regions within the organization.                                                                     |                                                                                                              | <ul><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account)</li></ul>                                                                                                                              |
 | [Inspector](aws_sra_examples/solutions/inspector/inspector_org)                  | Configure Inspector within a delegated admin account for all accounts and governed regions within the organization.                                                                                    |                                                                                                              |                                                                                                                                                                                                                                      |
-| [Detective](aws_sra_examples/solutions/detective/detective)                  | The Detective Organization solution will automate enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts.  **Note:** As of 06/07/2023, this solution is not included in the quick setup (it will be in a future code release)                                                                                  |                                                                                                              |          <ul><li>[GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)</li></ul>                                                                                                                                                                                                                               |
+| [Detective](aws_sra_examples/solutions/detective/detective)                  | The Detective Organization solution will automate enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts.                                                                                    |                                                                                                              |          <ul><li>[GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)</li></ul>                                                                                                                                                                                                                               |
 ## Utils
 
 - packaging_scripts/stage-solution.sh (Package and stage all the AWS SRA example solutions. For more information see [Staging script details](aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md#staging-script-details))

aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml

@@ -21,6 +21,8 @@ resources:
         parameter_value: 'No'
       - parameter_key: pDeployConfigConformancePackSolution
         parameter_value: 'No'
+      - parameter_key: pDeployDetectiveSolution
+        parameter_value: 'No'
       - parameter_key: pDeployEC2DefaultEBSEncryptionSolution
         parameter_value: 'No'
       - parameter_key: pDeployFirewallManagerSolution
@@ -115,6 +117,12 @@ resources:
         parameter_value: ''
       - parameter_key: pConformancePackExcludedAccounts
         parameter_value: ''
+      
+      # Detective Solution
+      - parameter_key: pDatasourcePackages
+        parameter_value: 'ASFF_SECURITYHUB_FINDING, EKS_AUDIT'
+      - parameter_key: pGuarddutyEnabledForMoreThan48Hours
+        parameter_value: 'false'
 
       # EC2 Default EBS Encryption Solution
       - parameter_key: pExcludeEC2DefaultEBSEncryptionTags

aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml

@@ -39,6 +39,7 @@ Metadata:
           - pDeployConfigManagementSolution
           - pDeployConfigConformancePackSolution
           - pDeployEC2DefaultEBSEncryptionSolution
+          - pDeployDetectiveSolution
           - pDeployFirewallManagerSolution
           - pDeployGuardDutySolution
           - pDeployIAMAccessAnalyzerSolution
@@ -93,6 +94,11 @@ Metadata:
           - pConformancePackTemplateName
           - pDeliveryS3KeyPrefix
           - pConformancePackExcludedAccounts
+      - Label:
+          default: Detective Solution
+        Parameters:
+          - pDatasourcePackages
+          - pGuarddutyEnabledForMoreThan48Hours
       - Label:
           default: EC2 Default EBS Encryption Solution
         Parameters:
@@ -259,6 +265,8 @@ Metadata:
         default: Create Lambda Log Group
       pCreateVpcForSG:
         default: Create VPC For Security Group
+      pDatasourcePackages:
+        default: (Optional) Datasource packages to start
       pDeliveryS3KeyPrefix:
         default: (Optional) Delivery S3 Key Prefix
       pDeployAccountAlternateContactsSolution:
@@ -271,6 +279,8 @@ Metadata:
         default: Deploy the AWS Config Management Solution
       pDeployEC2DefaultEBSEncryptionSolution:
         default: Deploy the EC2 Default EBS Encryption Solution
+      pDeployDetectiveSolution:
+        default: Deploy the Detective Solution
       pDeployFirewallManagerSolution:
         default: Deploy the Firewall Manager Solution
       pDeployGuardDutySolution:
@@ -321,6 +331,8 @@ Metadata:
         default: (Optional) Exclude S3 Block Account Public Access Tags
       pFrequency:
         default: Frequency
+      pGuarddutyEnabledForMoreThan48Hours:
+        default: Guardduty Enabled More Than 48 Hours
       pGuardDutyFindingPublishingFrequency:
         default: GuardDuty Finding Publishing Frequency
       pGuardDutyOrgDeliveryBucketPrefix:
@@ -634,6 +646,11 @@ Parameters:
     Default: 'true'
     Description: Create a new VPC for the Firewall Manager Security Groups
     Type: String
+  pDatasourcePackages:
+    AllowedValues: [ASFF_SECURITYHUB_FINDING, EKS_AUDIT, '']
+    Default: ASFF_SECURITYHUB_FINDING, EKS_AUDIT
+    Description: Optional datasources used to populate the behavior graph. Valid values are ASFF_SECURITYHUB_FINDING and EKS_AUDIT
+    Type: CommaDelimitedList
   pDeliveryS3KeyPrefix:
     AllowedPattern: '^$|^[a-zA-Z][-a-zA-Z0-9]*$'
     ConstraintDescription:
@@ -661,6 +678,11 @@ Parameters:
     Default: 'No'
     Description: Deploy the AWS Config Management solution. Note, if solution was previously deployed, choose 'Already Deployed'.
     Type: String
+  pDeployDetectiveSolution:
+    AllowedValues: ['Yes', 'No']
+    Default: 'No'
+    Description: Deploy the Detective solution
+    Type: String
   pDeployEC2DefaultEBSEncryptionSolution:
     AllowedValues: ['Yes', 'No']
     Default: 'No'
@@ -797,6 +819,11 @@ Parameters:
     Default: 1hour
     Description: The frequency with which AWS Config delivers configuration snapshots.
     Type: String
+  pGuarddutyEnabledForMoreThan48Hours:
+    AllowedValues: ['true', 'false']
+    Default: 'false'
+    Description: Has Guardduty been enabled in the Organization for more than 48 hours?
+    Type: String
   pGuardDutyFindingPublishingFrequency:
     AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS]
     Default: FIFTEEN_MINUTES
@@ -1122,6 +1149,7 @@ Conditions:
       - !Condition cDeployConfigManagementSolution
       - !Condition cDeployConfigManagementSolutionAlreadyDeployed
     - !Equals [!Ref pDeployConfigConformancePackSolution, 'Yes']
+  cDeployDetectiveSolution: !Equals [!Ref pDeployDetectiveSolution, 'Yes']
   cDeployEC2DefaultEBSEncryptionSolution: !Equals [!Ref pDeployEC2DefaultEBSEncryptionSolution, 'Yes']
   cDeployFirewallManagerSolution: !Equals [!Ref pDeployFirewallManagerSolution, 'Yes']
   cDeployGuardDutySolution: !Equals [!Ref pDeployGuardDutySolution, 'Yes']
@@ -1730,6 +1758,31 @@ Resources:
         pSourceStackName: !If [cDeployConfigManagementSolution, !Ref rConfigManagementSolutionStack, '']
         # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
 
+  rDetectiveSolutionStack:
+    Type: AWS::CloudFormation::Stack
+    DependsOn: rCommonPrerequisitesMainSsm
+    Condition: cDeployDetectiveSolution
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Properties:
+      TemplateURL: !Sub https://${pSRAStagingS3BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-detective-org/templates/sra-detective-org-main-ssm.yaml
+      Parameters:
+        pComplianceFrequency: !Ref pComplianceFrequency
+        # pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly
+        pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
+        pDatasourcePackages: !Join
+          - ','
+          - !Ref pDatasourcePackages
+        # pDelegatedAdminAccountId: !Ref pAuditAccountId
+        # pEnabledRegions: !Ref pEnabledRegions
+        pGuarddutyEnabledForMoreThan48Hours: !Ref pGuarddutyEnabledForMoreThan48Hours
+        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
+        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
+        pLambdaLogLevel: !Ref pLambdaLogLevel
+        # pOrganizationId: !Ref pOrganizationId
+        pSRAAlarmEmail: !Ref pSRAAlarmEmail
+        # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
+  
   rEC2DefaultEBSEncryptionSolutionStack:
     Type: AWS::CloudFormation::Stack
     DependsOn: rCommonPrerequisitesMainSsm

aws_sra_examples/quick_setup/customizations_for_aws_control_tower/manifest-v2.yaml

@@ -95,6 +95,14 @@ resources:
       - parameter_key: pConformancePackExcludedAccounts
         parameter_value: ''
 
+      # Detective Solution
+      - parameter_key: pDeployDetectiveSolution
+        parameter_value: 'Yes'
+      - parameter_key: pDatasourcePackages
+        parameter_value: 'ASFF_SECURITYHUB_FINDING, EKS_AUDIT'
+      - parameter_key: pGuarddutyEnabledForMoreThan48Hours
+        parameter_value: 'false'
+
       # EC2 Default EBS Encryption Solution
       - parameter_key: pDeployEC2DefaultEBSEncryptionSolution
         parameter_value: 'Yes'

aws_sra_examples/quick_setup/templates/sra-quick-setup-ssm.yaml

@@ -64,6 +64,12 @@ Metadata:
           - pConformancePackTemplateName
           - pDeliveryS3KeyPrefix
           - pConformancePackExcludedAccounts
+      - Label:
+          default: Detective Solution
+        Parameters:
+          - pDeployDetectiveSolution
+          - pDatasourcePackages
+          - pGuarddutyEnabledForMoreThan48Hours
       - Label:
           default: EC2 Default EBS Encryption Solution
         Parameters:
@@ -217,6 +223,8 @@ Metadata:
         default: Create Lambda Log Group
       pCreateVpcForSG:
         default: Create VPC For Security Group
+      pDatasourcePackages:
+        default: (Optional) Datasource packages to start
       pDeliveryS3KeyPrefix:
         default: (Optional) Delivery S3 Key Prefix
       pDeployAccountAlternateContactsSolution:
@@ -227,6 +235,8 @@ Metadata:
         default: Deploy the AWS Config Conformance Pack Solution
       pDeployConfigManagementSolution:
         default: Deploy the AWS Config Management Solution
+      pDeployDetectiveSolution:
+         default: Deploy the Detective Solution
       pDeployEC2DefaultEBSEncryptionSolution:
         default: Deploy the EC2 Default EBS Encryption Solution
       pDeployFirewallManagerSolution:
@@ -283,6 +293,8 @@ Metadata:
         default: (Optional) Exclude S3 Block Account Public Access Tags
       pFrequency:
         default: Frequency
+      pGuarddutyEnabledForMoreThan48Hours:
+        default: Guardduty Enabled More Than 48 Hours
       pGuardDutyFindingPublishingFrequency:
         default: GuardDuty Finding Publishing Frequency
       pGuardDutyOrgDeliveryBucketPrefix:
@@ -534,6 +546,11 @@ Parameters:
     Default: 'true'
     Description: Create a new VPC for the Firewall Manager Security Groups
     Type: String
+  pDatasourcePackages:
+    AllowedValues: [ASFF_SECURITYHUB_FINDING, EKS_AUDIT, '']
+    Default: ASFF_SECURITYHUB_FINDING, EKS_AUDIT
+    Description: Optional datasources used to populate the behavior graph. Valid values are ASFF_SECURITYHUB_FINDING and EKS_AUDIT
+    Type: CommaDelimitedList
   pDeliveryS3KeyPrefix:
     AllowedPattern: '^$|^[a-zA-Z][-a-zA-Z0-9]*$'
     ConstraintDescription:
@@ -561,6 +578,11 @@ Parameters:
     Default: 'Yes'
     Description: Deploy the AWS Config Management solution. Note, if solution was previously deployed, choose 'Already Deployed'.
     Type: String
+  pDeployDetectiveSolution:
+    AllowedValues: ['Yes', 'No']
+    Default: 'Yes'
+    Description: Deploy the Detective solution
+    Type: String
   pDeployEC2DefaultEBSEncryptionSolution:
     AllowedValues: ['Yes', 'No']
     Default: 'Yes'
@@ -707,6 +729,11 @@ Parameters:
     Default: 1hour
     Description: The frequency with which AWS Config delivers configuration snapshots.
     Type: String
+  pGuarddutyEnabledForMoreThan48Hours:
+    AllowedValues: ['true', 'false']
+    Default: 'false'
+    Description: Has Guardduty been enabled in the Organization for more than 48 hours?
+    Type: String
   pGuardDutyFindingPublishingFrequency:
     AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS]
     Default: FIFTEEN_MINUTES
@@ -1026,6 +1053,7 @@ Conditions:
       - !Condition cDeployConfigManagementSolution
       - !Condition cDeployConfigManagementSolutionAlreadyDeployed
     - !Equals [!Ref pDeployConfigConformancePackSolution, 'Yes']
+  cDeployDetectiveSolution: !Equals [!Ref pDeployDetectiveSolution, 'Yes']
   cDeployEC2DefaultEBSEncryptionSolution: !Equals [!Ref pDeployEC2DefaultEBSEncryptionSolution, 'Yes']
   cDeployFirewallManagerSolution: !Equals [!Ref pDeployFirewallManagerSolution, 'Yes']
   cDeployGuardDutySolution: !Equals [!Ref pDeployGuardDutySolution, 'Yes']
@@ -1149,6 +1177,30 @@ Resources:
         pSourceStackName: !If [cDeployConfigManagementSolution, !Ref rConfigManagementSolutionStack, '']
         # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
 
+  rDetectiveSolutionStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: cDeployDetectiveSolution
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Properties:
+      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-detective-org/templates/sra-detective-org-main-ssm.yaml
+      Parameters:
+        pComplianceFrequency: !Ref pComplianceFrequency
+        # pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly
+        pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
+        pDatasourcePackages: !Join
+          - ','
+          - !Ref pDatasourcePackages
+        # pDelegatedAdminAccountId: !Ref pAuditAccountId
+        # pEnabledRegions: !Ref pEnabledRegions
+        pGuarddutyEnabledForMoreThan48Hours: !Ref pGuarddutyEnabledForMoreThan48Hours
+        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
+        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
+        pLambdaLogLevel: !Ref pLambdaLogLevel
+        # pOrganizationId: !Ref pOrganizationId
+        pSRAAlarmEmail: !Ref pSRAAlarmEmail
+        # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
+
   rEC2DefaultEBSEncryptionSolutionStack:
     Type: AWS::CloudFormation::Stack
     Condition: cDeployEC2DefaultEBSEncryptionSolution