-
Notifications
You must be signed in to change notification settings - Fork 0
/
sra-config-aggregator-org-main-ssm.yaml
150 lines (144 loc) · 6.42 KB
/
sra-config-aggregator-org-main-ssm.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
This template enables an AWS Organizations Config Aggregator in the Control Tower Audit account. - 'config_aggregator_org' solution in the repo,
https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse3a)
Metadata:
SRA:
Version: 1.2
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: General Properties
Parameters:
- pSRASolutionName
- pSRASolutionVersion
- pSRAStagingS3BucketName
- pAuditAccountId
- Label:
default: Config Aggregator Properties
Parameters:
- pAggregatorName
- pAggregatorRoleName
- pRegisterDelegatedAdminAccount
ParameterLabels:
pAggregatorName:
default: Config Aggregator Name
pAggregatorRoleName:
default: Config Aggregator Role Name
pAuditAccountId:
default: Audit Account ID
pRegisterDelegatedAdminAccount:
default: Register Delegated Admin Account
pSRASolutionName:
default: SRA Solution Name
pSRASolutionVersion:
default: SRA Solution Version
pSRAStagingS3BucketName:
default: SRA Staging S3 Bucket Name
Parameters:
pAggregatorName:
AllowedPattern: '^[\w\-]+'
ConstraintDescription: Max 256 alphanumeric characters.
Default: sra-config-aggregator-org
MaxLength: 256
MinLength: 1
Type: String
pAggregatorRoleName:
AllowedPattern: '^[\w+=,.@-]{1,64}$'
ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -].
Default: sra-config-aggregator-org
Type: String
pAuditAccountId:
AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$
ConstraintDescription:
Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
Default: /sra/control-tower/audit-account-id
Description: SSM Parameter for AWS Account ID of the Control Tower Audit account.
Type: AWS::SSM::Parameter::Value<String>
pRegisterDelegatedAdminAccount:
AllowedValues: ['Yes', 'No']
Default: 'Yes'
Description: Register a delegated administrator account using the Common Register Delegated Administrator solution.
Type: String
pSRASolutionName:
AllowedValues: [sra-config-aggregator-org]
Default: sra-config-aggregator-org
Description: The SRA solution name. The default value is the folder name of the solution
Type: String
pSRASolutionVersion:
AllowedValues: [v1.2]
Default: v1.2
Description: The SRA solution version. Used to trigger updates on the nested StackSets.
Type: String
pSRAStagingS3BucketName:
AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
ConstraintDescription:
Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
Default: /sra/staging-s3-bucket-name
Description:
SSM Parameter for SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket
name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
Type: AWS::SSM::Parameter::Value<String>
Conditions:
cRegisterDelegatedAdmin: !Equals [!Ref pRegisterDelegatedAdminAccount, 'Yes']
Resources:
rCommonRegisterDelegatedAdminStack:
Type: AWS::CloudFormation::Stack
Condition: cRegisterDelegatedAdmin
DeletionPolicy: Delete
UpdateReplacePolicy: Delete
Properties:
TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-common-register-delegated-administrator/templates/sra-common-register-delegated-administrator-ssm.yaml
Tags:
- Key: sra-solution
Value: !Ref pSRASolutionName
Parameters:
pLambdaLogGroupKmsKey: ''
pRegisterDelegatedAdminLambdaRoleName: sra-config-aggregator-register-delegated-admin-lambda
pRegisterDelegatedAdminLambdaFunctionName: sra-config-aggregator-register-delegated-admin
pServicePrincipalList: config.amazonaws.com
rConfigAggregatorOrgStackSet:
Type: AWS::CloudFormation::StackSet
Properties:
StackSetName: sra-config-aggregator-org-configuration
AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
CallAs: SELF
Description: !If
- cRegisterDelegatedAdmin
- !Sub [
"${pSRASolutionVersion} - This template enables an AWS Organizations Config Aggregator in the Control Tower Audit account. -
'config_aggregator_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples. Delegated Admin
Solution - ${SolutionName}",
SolutionName: !GetAtt rCommonRegisterDelegatedAdminStack.Outputs.oSRASolutionName,
]
- !Sub ${pSRASolutionVersion} - This template enables an AWS Organizations Config Aggregator in the Control Tower Audit account. -
'config_aggregator_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples.
ExecutionRoleName: AWSControlTowerExecution
ManagedExecution:
Active: true
OperationPreferences:
FailureTolerancePercentage: 0
MaxConcurrentPercentage: 100
RegionConcurrencyType: PARALLEL
PermissionModel: SELF_MANAGED
Capabilities:
- CAPABILITY_NAMED_IAM
StackInstancesGroup:
- DeploymentTargets:
Accounts:
- !Ref pAuditAccountId
Regions:
- !Ref AWS::Region
TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-config-aggregator-org-configuration.yaml
Tags:
- Key: sra-solution
Value: !Ref pSRASolutionName
Parameters:
- ParameterKey: pAggregatorName
ParameterValue: !Ref pAggregatorName
- ParameterKey: pAggregatorRoleName
ParameterValue: !Ref pAggregatorRoleName