Updated Config conformance pack solution for CT optional (#176)

* Updated Config conformance pack solution for CT optional

* linting fixes

* linting fixes

---------

Co-authored-by: ievgeniia ieromenko <ieviero@amazon.com>

Author: IevIe

README.md

@@ -122,7 +122,7 @@ Follow the instructions within the [Quick Setup](aws_sra_examples/quick_setup) t
 | [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts)           | Sets the billing, operations, and security alternate contacts for all accounts within the organization.                                                                                                                                                                                                                                                          |                                                                                                              | <ul><li>AWS Control Tower</li></ul>                                                                                                                                                                                                                               |
 | [CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org)                                    | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events.                                                                                                                                                                      | CloudTrail enabled in each account with management events only.                                              |                                                                                                                                                                                                                                |
 | [Config Management Account](aws_sra_examples/solutions/config/config_management_account)              | Enables AWS Config in the Management account to allow resource compliance monitoring.                                                                                                                                                                                                                                                                            | Configures AWS Config in all accounts except for the Management account in each governed region.             | <ul><li>AWS Control Tower</li></ul>                                                                                                                                                                                                                               |
-| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization.                                                                                                                                                                                                                                                                          |                                                                                                              | <ul><li>AWS Control Tower</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account)</li></ul> |
+| [Config Organization Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) | Deploys a conformance pack to all accounts and provided regions within an organization.                                                                                                                                                                                                                                                                          |                                                                                                              | <ul><li>AWS Config in all Org Accounts</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account) in Control Tower environment</li></ul> |
 | [Config Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org)             | **Not required for most Control Tower environments.** Deploy an Organization Config Aggregator to a delegated admin other than the Audit account.                                                                                                                                                                                                                | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. | <ul><li>AWS Control Tower</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul>                                                                                                  |
 | [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption)               | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions.                                                                                                                                                                                                                                                                |                                                                                                              | <ul><li>AWS Control Tower</li></ul>                                                                                                                                                                                                                               |
 | [Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org)                  | Demonstrates configuring a security group policy and WAF policies for all accounts within an organization.                                                                                                                                                                                                                                                       |                                                                                                              | <ul><li>AWS Control Tower</li></ul>                                                                                                                                                                                                                               |

aws_sra_examples/solutions/config/config_conformance_pack_org/README.md

@@ -58,10 +58,9 @@ evaluate your AWS environment, use one of the sample conformance pack templates.
 
 ---
 
-### 3.0 Audit Account<!-- omit in toc -->
+### 3.0 Audit Account (Security Tooling)<!-- omit in toc -->
 
-The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the `Audit Account` SSM parameter is
-populated from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet.
+The example solutions use `Audit Account` instead of `Security Tooling Account` to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the `Audit Account`  can be determined from the `SecurityAccountId` parameter within the `AWSControlTowerBP-BASELINE-CONFIG` StackSet in AWS Control Tower environments, but is specified manually in other environments, and then stored in an SSM parameter (this is all done in the common prerequisites solution).
 
 #### 3.1 AWS CloudFormation<!-- omit in toc -->
 

aws_sra_examples/solutions/config/config_conformance_pack_org/scripts/list_config_recorder_status.py

@@ -26,6 +26,7 @@
 if TYPE_CHECKING:
     from mypy_boto3_cloudformation import CloudFormationClient
     from mypy_boto3_organizations import OrganizationsClient
+    from mypy_boto3_ssm.client import SSMClient
     from mypy_boto3_sts.client import STSClient
 
 # Logging Settings
@@ -34,18 +35,17 @@
 logging.getLogger("botocore").setLevel(logging.CRITICAL)
 
 # Global Variables
-CLOUDFORMATION_PAGE_SIZE = 20
-CLOUDFORMATION_THROTTLE_PERIOD = 0.2
 MAX_THREADS = 20
 ORG_PAGE_SIZE = 20  # Max page size for list_accounts
 ORG_THROTTLE_PERIOD = 0.2
-ASSUME_ROLE_NAME = "AWSControlTowerExecution"
+ASSUME_ROLE_NAME = "sra-execution"
 BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"})
 
 try:
     MANAGEMENT_ACCOUNT_SESSION = boto3.Session()
     ORG_CLIENT: OrganizationsClient = MANAGEMENT_ACCOUNT_SESSION.client("organizations", config=BOTO3_CONFIG)
     CFN_CLIENT: CloudFormationClient = MANAGEMENT_ACCOUNT_SESSION.client("cloudformation", config=BOTO3_CONFIG)
+    SSM_CLIENT: SSMClient = MANAGEMENT_ACCOUNT_SESSION.client("ssm")
 except Exception as error:
     LOGGER.error({"Unexpected_Error": error})
     raise ValueError("Unexpected error executing Lambda function. Review CloudWatch logs for details.") from None
@@ -101,29 +101,14 @@ def get_all_organization_accounts() -> list:
 
 
 def get_control_tower_regions() -> list:  # noqa: CCR001
-    """Query 'AWSControlTowerBP-BASELINE-CLOUDWATCH' CloudFormation stack to identify customer regions.
+    """Query SSM Parameter Store to identify customer regions.
 
     Returns:
-        Customer regions chosen in Control Tower
+        Customer regions
     """
-    paginator = CFN_CLIENT.get_paginator("list_stack_instances")
-    customer_regions = set()
-    aws_account = ""
-    all_regions_identified = False
-    for page in paginator.paginate(StackSetName="AWSControlTowerBP-BASELINE-CLOUDWATCH", PaginationConfig={"PageSize": CLOUDFORMATION_PAGE_SIZE}):
-        for instance in page["Summaries"]:
-            if not aws_account:
-                aws_account = instance["Account"]
-                customer_regions.add(instance["Region"])
-                continue
-            if aws_account == instance["Account"]:
-                customer_regions.add(instance["Region"])
-                continue
-            all_regions_identified = True
-            break
-        if all_regions_identified:
-            break
-        sleep(CLOUDFORMATION_THROTTLE_PERIOD)
+    customer_regions = []
+    ssm_response = SSM_CLIENT.get_parameter(Name="/sra/regions/customer-control-tower-regions")
+    customer_regions = ssm_response["Parameter"]["Value"].split(",")
 
     return list(customer_regions)
 

aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-delivery-bucket.yaml

@@ -94,7 +94,7 @@ Resources:
               StringLike:
                 aws:PrincipalArn:
                   - !Sub arn:${AWS::Partition}:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms
-                  - !Sub arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution
+                  - !Sub arn:${AWS::Partition}:iam::*:role/sra-execution
             Resource: !Sub arn:${AWS::Partition}:s3:::${rConformancePackBucket}
             Principal: '*'
 

aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main-ssm.yaml

@@ -20,6 +20,12 @@ Metadata:
           - pSRAStagingS3BucketName
           - pSourceStackName
 
+      - Label:
+          default: IAM Properties
+        Parameters:
+          - pStackSetAdminRole
+          - pStackExecutionRole
+
       - Label:
           default: Conformance Pack Properties
         Parameters:
@@ -38,6 +44,10 @@ Metadata:
           - pOrganizationId
 
     ParameterLabels:
+      pStackSetAdminRole:
+        default: Stack Set Role
+      pStackExecutionRole:
+        default: Stack execution role
       pAuditAccountId:
         default: Audit Account ID
       pConformancePackName:
@@ -66,6 +76,16 @@ Metadata:
         default: SRA Staging S3 Bucket Name
 
 Parameters:
+  pStackSetAdminRole:
+    AllowedValues: [sra-stackset]
+    Default: sra-stackset
+    Description: The administration role name that is used in the stackset.
+    Type: String
+  pStackExecutionRole:
+    AllowedValues: [sra-execution]
+    Default: sra-execution
+    Description: The execution role name that is used in the stack.
+    Type: String
   pAuditAccountId:
     AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$
     ConstraintDescription:
@@ -176,10 +196,10 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-config-conformance-pack-org-delivery-bucket
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !Sub ${pSRASolutionVersion} - Creates S3 bucket to store the conformance pack results
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:
@@ -208,7 +228,7 @@ Resources:
     DependsOn: rConfigConformancePackOrgDeliveryBucketStackSet
     Properties:
       StackSetName: sra-config-conformance-pack-org-deployment
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !If
         - cRegisterDelegatedAdmin
@@ -220,7 +240,7 @@ Resources:
           ]
         - !Sub ${pSRASolutionVersion} - This template creates an AWS Organizations Config Conformance Pack in the Control Tower Audit account. -
           'config_conformance_pack_org' solution in repo, https://github.com/aws-samples/aws-security-reference-architecture-examples.
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:

aws_sra_examples/solutions/config/config_conformance_pack_org/templates/sra-config-conformance-pack-org-main.yaml

@@ -18,6 +18,12 @@ Metadata:
           - pSRAStagingS3BucketName
           - pSRASolutionVersion
 
+      - Label:
+          default: IAM Properties
+        Parameters:
+          - pStackSetAdminRole
+          - pStackExecutionRole
+
       - Label:
           default: Conformance Pack Properties
         Parameters:
@@ -36,6 +42,10 @@ Metadata:
           - pOrganizationId
 
     ParameterLabels:
+      pStackSetAdminRole:
+        default: Stack Set Role
+      pStackExecutionRole:
+        default: Stack execution role
       pAuditAccountId:
         default: Audit Account ID
       pConformancePackName:
@@ -62,6 +72,16 @@ Metadata:
         default: SRA Staging S3 Bucket Name
 
 Parameters:
+  pStackSetAdminRole:
+    AllowedValues: [sra-stackset]
+    Default: sra-stackset
+    Description: The administration role name that is used in the stackset.
+    Type: String
+  pStackExecutionRole:
+    AllowedValues: [sra-execution]
+    Default: sra-execution
+    Description: The execution role name that is used in the stack.
+    Type: String
   pAuditAccountId:
     AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$
     ConstraintDescription:
@@ -163,10 +183,10 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-config-conformance-pack-org-delivery-bucket
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !Sub ${pSRASolutionVersion} - Creates S3 bucket to store the conformance pack results
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:
@@ -195,7 +215,7 @@ Resources:
     DependsOn: rConfigConformancePackOrgDeliveryBucketStackSet
     Properties:
       StackSetName: sra-config-conformance-pack-org-deployment
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !If
         - cRegisterDelegatedAdmin
@@ -207,7 +227,7 @@ Resources:
           ]
         - !Sub ${pSRASolutionVersion} - This template creates an AWS Organizations Config Conformance Pack in the Control Tower Audit account. -
           'config_conformance_pack_org' solution in repo, https://github.com/aws-samples/aws-security-reference-architecture-examples.
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences: