aws-samples
diff --git a/‎CHANGELOG.md
Lines changed: 12 additions & 6 deletions b/‎CHANGELOG.md
Lines changed: 12 additions & 6 deletions
diff --git a/‎README.md
Lines changed: 73 additions & 38 deletions b/‎README.md
Lines changed: 73 additions & 38 deletions
diff --git a/‎aws_sra_examples/docs/artifacts/organizations-setup-process.png
140 KB b/‎aws_sra_examples/docs/artifacts/organizations-setup-process.png
140 KB
diff --git a/‎aws_sra_examples/docs/artifacts/where-to-start-process.pptx
88.7 KB b/‎aws_sra_examples/docs/artifacts/where-to-start-process.pptx
88.7 KB
diff --git a/‎aws_sra_examples/easy_setup/README.md
Lines changed: 18 additions & 1 deletion b/‎aws_sra_examples/easy_setup/README.md
Lines changed: 18 additions & 1 deletion
diff --git a/‎aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml
Lines changed: 4 additions & 0 deletions b/‎aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml
Lines changed: 4 additions & 0 deletions
diff --git a/‎aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml
Lines changed: 90 additions & 6 deletions b/‎aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml
Lines changed: 90 additions & 6 deletions
diff --git a/‎aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml
Lines changed: 25 additions & 4 deletions b/‎aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml
Lines changed: 25 additions & 4 deletions
@@ -3,6 +3,8 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2023-08-07](#2023-08-07)
+- [2023-07-07](#2023-07-07)
 - [2023-07-01](#2023-07-07)
 - [2023-07-01](#2023-07-01)
 - [2023-06-21](#2023-06-21)
@@ -42,22 +44,26 @@ All notable changes to this project will be documented in this file.
 
 ---
 
-## 2023-07-07
+## 2023-08-07
 
-### Changed<!-- omit in toc -->
+- Updated [Common Prerequisites](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/common/common_prerequisites) solution to make AWS Control Tower optional.
+- Updated [Security Hub](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/securityhub/securityhub_org) solution to make AWS Control Tower optional.
+- Updated [Inspector](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/inspector/inspector_org) solution to make AWS Control Tower optional.
+- Updated [GuardDuty](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/guardduty/guardduty_org) solution to make AWS Control Tower optional.
+- Updated [Easy Setup](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/easy_setup) to support solution updates for making AWS Control Tower optional.
+- Updated [CloudTrail](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/cloudtrail/cloudtrail_org) solution to make AWS Control Tower optional.
+- Updated [IAM Access Analyzer](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/iam/iam_access_analyzer) solution to make AWS Control Tower optional.
+
+## 2023-07-07
 
 - Updated [CloudTrail](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/cloudtrail/cloudtrail_org) solution to enable delegated administrator. 
 
 ## 2023-07-01
 
-### Changed<!-- omit in toc -->
-
 - Added [Detective Organization](aws_sra_examples/solutions/detective/detective_org) solution to [Easy Setup](aws_sra_examples/easy_setup) and [Quick Setup](aws_sra_examples/quick_setup/)
 
 ## 2023-06-21
 
-### Changed<!-- omit in toc -->
-
 - Added [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org) EKS, Malware, RDS, and Lambda protections to [Easy Setup](aws_sra_examples/easy_setup) and [Quick Setup](aws_sra_examples/quick_setup/) deployment options
 - Added [Inspector Organization](aws_sra_examples/solutions/inspector/inspector_org) solution to [Quick Setup](aws_sra_examples/quick_setup/) deployment option
 
 
@@ -77,6 +77,12 @@ In the CloudFormation service console, navigate to the stacks area.
 In the stacks area, create a stack, and then select the "Upload a template file" option.  Click on "Next", then follow the process to deploy the stack.
 Be sure to specify the appropriate parameters for the template as needed.
 
+- IMPORTANT: If `AWS Organizations` is being used without AWS Control Tower, you must also specify the following parameter values as you create the stack:
+  - `pControlTower` as `false`
+  - `pLogArchiveAccountId` as the AWS Account Id of the account designated to be the `Log Archive` account.
+  - `pSecurityAccountId` as the AWS Account Id of the account designated to be the `Security Tooling` account.
+  - `pGovernedRegions` as a list of AWS regions separated by commas
+
 #### II. (Option B) Deployment using the AWS CLI
 
 Deployment using the AWS CLI requires the template to be downloaded first.
@@ -100,15 +106,26 @@ Prepare and run the `aws cloudformation deploy` command to launch the template.
 - Be sure to alter the folder/path for the `sra-easy-setup.yaml` template-file appropriately (replace `[path to template file]`)
 - Be sure to put in the s3 bucket name (replace `[s3 bucket name from step 1]`)
 - Be sure to specify the proper parameter overrides and specify the alarm email address (`[email address]`)
+- If `AWS Organizations` is being used without AWS Control Tower, you must also specify the following parameter values as you create the stack:
+  - `pControlTower` as `false`
+  - `pLogArchiveAccountId` as the AWS Account Id of the account designated to be the `Log Archive` account.
+  - `pSecurityAccountId` as the AWS Account Id of the account designated to be the `Security Tooling` account.
+  - `pGovernedRegions` as a list of AWS regions separated by commas
 
 *NOTE: The example command below deploys The Guard Duty, Security Hub, and Config Management solutions (you can remove those 3 parameters or replace them with other solutions deployment parameters)*
 
-###### Example Command To Launch The Template<!-- omit in toc -->
+###### Example Command To Launch The Template in AWS Control Tower landing zone<!-- omit in toc -->
 
 ```bash
 aws cloudformation deploy --template-file [path to template file]/sra-easy-setup.yaml --stack-name sra-easy-setup --s3-bucket [s3 bucket name from step 1] --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pDeployGuardDutySolution=Yes pDeployConfigManagementSolution=Yes pDeploySecurityHubSolution=Yes pSRAAlarmEmail=[email address]
 ```
 
+###### Example Command To Launch The Template in AWS Organizations<!-- omit in toc -->
+
+```bash
+aws cloudformation deploy --template-file [path to template file]/sra-easy-setup.yaml --stack-name sra-easy-setup --s3-bucket [s3 bucket name from step 1] --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pControlTower=false pLogArchiveAccountId=<LOG_ARCHIVE_ACCOUNT_ID> pSecurityAccountId=<SECURITY_ACCOUNT_ID> pGovernedRegions=<COMMA_SEPARATED_REGIONS>
+```
+
 #### CloudFormation AWS SRA Removal Instructions
 
 From within the management account:
 
@@ -229,6 +229,10 @@ resources:
         parameter_value: 'false'
       - parameter_key: pEnableSecurityBestPracticesStandard
         parameter_value: 'true'
+      - parameter_key: pEnableNISTStandard
+        parameter_value: 'false'
+      - parameter_key: pNISTStandardVersion
+        parameter_value: 'false'
       - parameter_key: pRegionLinkingMode
         parameter_value: 'SPECIFIED_REGIONS'
 
 
@@ -21,6 +21,15 @@ Metadata:
           # - pOrganizationId
           - pSRAStagingS3BucketNamePrefix
           - pSRAStagingS3BucketStackName
+          - pRepoURL
+          - pRepoBranch
+      - Label:
+          default: Landing Zone
+        Parameters:
+          - pControlTower
+          - pGovernedRegions
+          - pSecurityAccountId
+          - pLogArchiveAccountId
       - Label:
           default: CodeBuild Properties
         Parameters:
@@ -166,6 +175,8 @@ Metadata:
           - pCISStandardVersion
           - pEnablePCIStandard
           - pEnableSecurityBestPracticesStandard
+          - pEnableNISTStandard
+          - pNISTStandardVersion
           - pRegionLinkingMode
       - Label:
           default: Inspector Solution
@@ -187,6 +198,18 @@ Metadata:
           - pLambdaLogLevel
 
     ParameterLabels:
+      pControlTower:
+        default: AWS Control Tower landing zone deployed/in-use
+      pGovernedRegions:
+        default: AWS regions (comma separated) if not using AWS Control Tower (leave set to ct-regions for AWS Control Tower environments)
+      pSecurityAccountId:
+        default: Security Tooling Account ID
+      pLogArchiveAccountId:
+        default: Log Archive Account ID
+      pRepoURL:
+        default: The AWS SRA public code repository HTTPS URL
+      pRepoBranch:
+        default: The AWS SRA public code repository branch name
       pSRASolutionName:
         default: SRA Solution Name
       pCodeBuildProjectName:
@@ -363,6 +386,10 @@ Metadata:
         default: Max Password Age
       pMinimumPasswordLength:
         default: Minimum Password Length
+      pEnableNISTStandard:
+        default: Enable NIST Standard
+      pNISTStandardVersion:
+        default: NIST Standard Version
       pOperationsContactAction:
         default: Operations Alternate Contact Action
       pOperationsEmail:
@@ -411,6 +438,41 @@ Metadata:
         default: (Optional) Existing VPC ID
 
 Parameters:
+  pRepoURL:
+    Default: https://github.com/aws-samples/aws-security-reference-architecture-examples.git
+    Description:
+      SRA Code Library Repository URL
+    Type: String
+  pRepoBranch:
+    Default: main
+    Description:
+      SRA Code Library Repository branch name
+    Type: String
+  pControlTower:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description:
+      Indicates whether AWS Control Tower is deployed and being used for this AWS environment.
+    Type: String
+  pGovernedRegions:
+    AllowedPattern: '^(ct-regions)|((\b(?<!@)(af-south-1|ap-east-1|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ca-central-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|me-central-1|me-south-1|sa-east-1|us-east-1|us-east-2|us-gov-east-1|us-gov-west-1|us-west-1|us-west-2)\b,{0,1})*)$'
+    ConstraintDescription:
+      For AWS Control Tower, set to ct-regions (default).  If not using AWS Control Tower, specify comma separated list of regions (e.g. us-west-2,us-east-1,ap-south-1) in lower case.
+    Default: ct-regions
+    Description: AWS regions (comma separated) if not using AWS Control Tower (leave set to ct-regions for AWS Control Tower environments)
+    Type: String
+  pSecurityAccountId:
+    AllowedPattern: '^\d{12}$'
+    Default: 111111111111
+    ConstraintDescription: Must be 12 digits.
+    Description: AWS Account ID of the Security Tooling account (ignored for AWS Control Tower environments).
+    Type: String
+  pLogArchiveAccountId:
+    AllowedPattern: '^\d{12}$'
+    Default: 222222222222
+    ConstraintDescription: Must be 12 digits.
+    Description: AWS Account ID of the Log Archive account (ignored for AWS Control Tower environments).
+    Type: String
   pSRASolutionName:
     AllowedValues: [sra-common-prerequisites]
     Default: sra-common-prerequisites
@@ -918,6 +980,16 @@ Parameters:
     MaxValue: 128
     MinValue: 6
     Type: Number
+  pEnableNISTStandard:
+    AllowedValues: ['true', 'false']
+    Default: 'false'
+    Description: Indicates whether to enable the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
+    Type: String
+  pNISTStandardVersion:
+    AllowedValues: [5.0.0]
+    Default: 5.0.0
+    Description: NIST Standard Version
+    Type: String
   pOperationsContactAction:
     AllowedValues: ['add', 'delete', 'ignore']
     Default: add
@@ -1182,8 +1254,10 @@ Resources:
             Value: !Ref AWS::Region
           - Name: AWS_ACCOUNT_ID
             Value: !Ref "AWS::AccountId"
-          - Name: SRA_DEPLOY_GUARDDUTY
-            Value: !Ref pDeployGuardDutySolution
+          - Name: SRA_REPO_URL
+            Value: !Ref pRepoURL
+          - Name: SRA_REPO_BRANCH_NAME
+            Value: !Ref pRepoBranch
           - Name: SRA_STAGING_S3_BUCKET_STACK_NAME
             Value: !Ref pSRAStagingS3BucketStackName
         Image: "aws/codebuild/standard:5.0"
@@ -1202,16 +1276,18 @@ Resources:
             build:
               commands:
                 - echo Build started on `date` in ${AWS::Region} region
-                - echo Cloning SRA repository...
-                - git clone https://github.com/aws-samples/aws-security-reference-architecture-examples.git
+                - echo Cloning SRA code repository from $SRA_REPO_URL...
+                - git clone $SRA_REPO_URL
                 - echo Listing current directory...
                 - ls
+                - cd aws-security-reference-architecture-examples
+                - git checkout $SRA_REPO_BRANCH_NAME
                 - echo Showing current caller identity...
                 - aws sts get-caller-identity
                 - echo Deploying SRA staging bucket cloudformation template...
-                - aws cloudformation deploy --template-file ./aws-security-reference-architecture-examples/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml --stack-name $SRA_STAGING_S3_BUCKET_STACK_NAME --capabilities CAPABILITY_NAMED_IAM
+                - aws cloudformation deploy --template-file ./aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml --stack-name $SRA_STAGING_S3_BUCKET_STACK_NAME --capabilities CAPABILITY_NAMED_IAM
                 - echo Staging SRA solutions...
-                - ./aws-security-reference-architecture-examples/aws_sra_examples/utils/packaging_scripts/stage_solution.sh
+                - ./aws_sra_examples/utils/packaging_scripts/stage_solution.sh
             post_build:
               commands:
                 - echo Build completed on `date`
@@ -1228,6 +1304,11 @@ Resources:
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
+      Parameters:
+        pControlTower: !Ref pControlTower
+        pGovernedRegions: !Ref pGovernedRegions
+        pSecurityAccountId: !Ref pSecurityAccountId
+        pLogArchiveAccountId: !Ref pLogArchiveAccountId
 
   rCommonPrerequisitesMainSsm:
     Type: AWS::CloudFormation::Stack
@@ -1243,6 +1324,7 @@ Resources:
           Value: !Ref pSRASolutionName
       Parameters:
         pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
+        pControlTower: !Ref pControlTower
 
   rCodeBuildRole:
     Type: AWS::IAM::Role
@@ -1979,6 +2061,8 @@ Resources:
         pSourceStackName: !If [cDeployConfigManagementSolution, !Ref rConfigManagementSolutionStack, '']
         pSRAAlarmEmail: !Ref pSRAAlarmEmail
         # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
+        pEnableNISTStandard: !Ref pEnableNISTStandard
+        pNISTStandardVersion: !Ref pNISTStandardVersion
 
 
   rInspectorSolutionStack:
 
@@ -24,6 +24,13 @@ Metadata:
           - pAuditAccountId
           - pLogArchiveAccountId
           - pOrganizationId
+
+      - Label:
+          default: IAM Properties
+        Parameters:
+          - pStackSetAdminRole
+          - pStackExecutionRole
+
       - Label:
           default: CloudTrail Logging & Encryption Properties
         Parameters:
@@ -48,6 +55,10 @@ Metadata:
           - pLambdaLogLevel
 
     ParameterLabels:
+      pStackSetAdminRole:
+        default: Stack Set Role
+      pStackExecutionRole:
+        default: Stack execution role
       pAuditAccountId:
         default: Audit Account ID
       pBucketNamePrefix:
@@ -88,6 +99,16 @@ Metadata:
         default: SRA Staging S3 Bucket Name
 
 Parameters:
+  pStackSetAdminRole:
+    AllowedValues: [sra-stackset]
+    Default: sra-stackset
+    Description: The administration role name that is used in the stackset.
+    Type: String
+  pStackExecutionRole:
+    AllowedValues: [sra-execution]
+    Default: sra-execution
+    Description: The execution role name that is used in the stack.
+    Type: String
   pAuditAccountId:
     AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$
     ConstraintDescription:
@@ -213,10 +234,10 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-cloudtrail-org-kms
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !Sub ${pSRASolutionVersion} - Creates a KMS key within the Audit account for encrypting CloudTrail logs.
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences:
@@ -249,10 +270,10 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: sra-cloudtrail-org-bucket
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
       CallAs: SELF
       Description: !Sub ${pSRASolutionVersion} - Creates a S3 bucket within the Log Archive account for storing CloudTrail logs.
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !Ref pStackExecutionRole
       ManagedExecution:
         Active: true
       OperationPreferences: