Merge pull request #46 from aws-samples/feature/iam-access-analyzer

Feature/iam access analyzer

Author: andywick-aws

README.md

@@ -26,6 +26,8 @@ platform (e.g. AWS Landing Zone, AWS Control Tower, AWS CloudFormation StackSets
     * [Organization Firewall Manager](solutions/firewall-manager/firewall-manager-org)
 * GuardDuty
     * [Organization GuardDuty](solutions/guardduty/guardduty-org)
+* IAM
+    * [Access Analyzer](solutions/iam/access-analyzer)
 * Macie
     * [Organization Macie](solutions/macie/macie-org)
 * SecurityHub

solutions/iam/access-analyzer/README.md

@@ -0,0 +1,160 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+# Access Analyzer
+
+The IAM Access Analyzer solution enables AWS IAM Access Analyzer by delegating administration to a member account
+within the Organization management account. It then configures Access Analyzer within the delegated administrator account 
+for all the existing and future AWS Organization accounts.
+
+In addition to the organization deployment, the solution deploys AWS Access Analyzer to all the member accounts
+and regions for analyzing account level permissions.
+
+----
+
+# Table of Contents
+* [Deployed Resource Details](#deployed-resource-details)
+* [Implementation Instructions](#implementation-instructions)
+* [References](#references)
+
+----
+
+# Deployed Resource Details
+
+![Architecture](./documentation/Access-Analyzer-Architecture.png "Architecture")
+
+## 1.0 Organization Management Account
+
+### 1.1 AWS CloudFormation
+
+**Description:**
+
+All resources deployed via CloudFormation StackSet and Stacks within member accounts
+
+**Configuration:**
+
+* StackSet Names:
+    * AccessAnalyzerOrganization
+    * AccessAnalyzerAccount
+
+### 1.2 AWS Organizations
+
+**Description:**
+
+AWS Organizations is used to delegate an administrator account for AWS Access Analyzer
+
+**Configuration:**
+
+* Delegated Administrator Account - See [Common Register Delegated Administrator](../../common/register-delegated-administrator)
+    
+
+### 1.3 Account AWS IAM Access Analyzer
+
+**Description:**
+
+AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Account zone of trust.
+
+**Configuration:**
+
+* Access Analyzer Name Prefix: Default = account-access-analyzer
+* Tag Key = Access Analyzer Tag Key 
+* Tag Value = Access Analyzer Tag Value 
+
+----
+
+## 2.0 Security Tooling Account
+
+### 2.1 AWS CloudFormation
+
+**Description:**
+
+All resources are deployed via CloudFormation Stack created by the Management account StackSet
+
+**Configuration:**
+
+* Stack Names: 
+    * StackSet-...-AccessAnalyzerAccount-...
+    * StackSet-...-AccessAnalyzerOrganization-...
+
+### 2.2 Account AWS IAM Access Analyzer
+
+**Description:**
+
+AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Account zone of trust.
+
+**Configuration:**
+
+* Access Analyzer Name Prefix: Default = account-access-analyzer
+* Tag Key = Access Analyzer Tag Key 
+* Tag Value = Access Analyzer Tag Value
+
+### 2.3 Organization AWS IAM Access Analyzer
+
+**Description:**
+
+AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Organization zone of trust.
+
+**Configuration:**
+
+* Access Analyzer Name Prefix: Default = organization-access-analyzer
+* Tag Key = Access Analyzer Tag Key 
+* Tag Value = Access Analyzer Tag Value
+
+----
+
+## 3.0 All Existing and Future Organization Member Accounts
+
+### 3.1 AWS CloudFormation
+
+**Description:**
+
+All resources are deployed via CloudFormation Stack created by the Management account StackSet
+
+**Configuration:**
+
+* Stack Names: 
+    * StackSet-...-AccessAnalyzerAccount-...
+
+### 3.2 Account AWS IAM Access Analyzer
+
+**Description:**
+
+AWS IAM Access Analyzer is configured to monitor 
+[supported resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html) for the 
+AWS Account zone of trust.
+
+**Configuration:**
+
+* Access Analyzer Name Prefix: Default = account-access-analyzer
+* Tag Key = Access Analyzer Tag Key 
+* Tag Value = Access Analyzer Tag Value
+
+----
+
+# Implementation Instructions
+
+### [AWS Control Tower](./aws-control-tower)
+### CloudFormation StackSets
+
+#### Pre-requisites
+1. Register a delegated administrator using the
+ [Common Register Delegated Administrator](../../common/register-delegated-administrator) solution
+   1. pServicePrincipalList = "access-analyzer.amazonaws.com" 
+   
+#### Instructions
+
+> **Solution Deployment Order:**
+> 1. Security Account (AccessAnalyzerOrganization)
+> 2. All Accounts (AccessAnalyzerAccount)
+
+1. Create CloudFormation StackSets using the following templates
+   
+   |     Account     |   StackSet Name   |  Template  |
+   | --------------- | ----------------- | ---------- |
+   | Management | CommonRegisterDelegatedAdmin | templates/common-register-delegated-administrator.yaml |
+   | Security | AccessAnalyzerOrganization | templates/access-analyzer-org.yaml |
+   | All Accounts | AccessAnalyzerAccount | templates/access-analyzer-acct.yaml |
+   
+----
+
+# References
+* [Using AWS IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)

solutions/iam/access-analyzer/aws-control-tower/README.md

@@ -0,0 +1,73 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+----
+   
+# Implementation Instructions
+
+1. Make sure the required [prerequisites](../../../../extras/aws-control-tower/prerequisites/README.md) are completed
+2. Package and upload the common-register-delegated-administrator Lambda function
+   ```shell
+    export AWS_ACCESS_KEY_ID=INSERT_AWS_ACCESS_KEY_ID
+    export AWS_SECRET_ACCESS_KEY=INSERT_AWS_SECRET_ACCESS_KEY
+    export AWS_SESSION_TOKEN=INSERT_AWS_SESSION_TOKEN
+   
+    export BUCKET=lambda-zips-CHANGE_ME_ACCOUNT_ID-CHANGE_ME_REGION
+    sh ~/aws-security-reference-architecture-examples/extras/packaging-scripts/package-lambda.sh \
+    --file_name common-register-delegated-admin.zip \
+    --bucket $BUCKET \
+    --src_dir ~/aws-security-reference-architecture-examples/solutions/common/register-delegated-admninistrator/code/src
+   ```
+3. Copy the files to the Customizations for AWS Control Tower configuration 
+   1. customizations-for-control-tower-configuration
+       1. [manifest.yaml](manifest.yaml) -> manifest.yaml 
+       2. [common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json](../../../common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json) 
+          -> parameters/common-register-delegated-administrator.json
+       3. [parameters/access-analyzer-acct.json](parameters/access-analyzer-acct.json) 
+          -> parameters/access-analyzer-acct.json
+       4. [parameters/access-analyzer-org.json](parameters/access-analyzer-org.json) 
+          -> parameters/access-analyzer-org.json
+       5. [common/register-delegated-administrator/templates/common-register-delegated-administrator.yaml](../../../common/register-delegated-administrator/common-register-delegated-administrator.yaml) 
+          -> templates/common-register-delegated-administrator.yaml
+       6. [templates/access-analyzer-acct.yaml](../templates/access-analyzer-acct.yaml) 
+          -> templates/access-analyzer-acct.yaml
+       7. [templates/access-analyzer-org.yaml](../templates/access-analyzer-org.yaml) 
+          -> templates/access-analyzer-org.yaml
+        
+4. Update the parameter files with any specific values for your environment
+5. Add "access-analyzer.amazonaws.com" to the pServicePrincipalList parameter in the parameters/common-register-delegated-administrator.json
+6. Add the [common/register-delegated-administrator/aws-control-tower/manifest.yaml](../../../common/register-delegated-administrator/aws-control-tower)
+   resource configuration to your manifest.yaml file.
+   ```yaml
+   ...
+   cloudformation_resources:
+   # -----------------------------------------------------------------------------
+   # Common Register Delegated Administrator
+   # -----------------------------------------------------------------------------
+   - name: CommonRegisterDelegatedAdmin
+     template_file: templates/common-register-delegated-administrator.yaml
+     parameter_file: parameters/common-register-delegated-administrator.json
+     deploy_method: stack_set
+     deploy_to_account:
+       - REPLACE_ME_ORG_MANAGEMENT_ACCOUNT_NAME
+   ...
+   ```
+7. Update the manifest.yaml file with your account names and SSM parameters
+8. Deploy the Customizations for AWS Control Tower configuration
+9. How to verify after the pipeline completes?
+   1. Log into the Audit account and navigate to the IAM Access Analyzer page
+      1. Verify that there are 2 Access Analyzers (account and organization)
+      2. Verify all existing accounts/regions have an account Access Analyzer
+      
+# Delete Instructions
+
+1. Within the Customizations for AWS Control Tower configuration
+   1. Remove the Access Analyzer configuration from the manifest.yaml file
+   2. (Optional) Delete the parameter and template files for the Access Analyzer solution
+2. Deploy the Customizations for AWS Control Tower configuration
+3. After the pipeline completes, log into the Management account and navigate to the CloudFormation StackSet page
+   1. Delete the Stack Instances from the CustomControlTower-AccessAnalyzerOrganization CloudFormation StackSet
+   2. After the Stack Instance deletes, delete the CustomControlTower-AccessAnalyzerOrganization CloudFormation StackSet
+   3. Delete the Stack Instances from the CustomControlTower-AccessAnalyzerAccount CloudFormation StackSet
+   4. After the Stack Instance deletes, delete the CustomControlTower-AccessAnalyzerAccount CloudFormation StackSet
+   5. Remove the access-analyzer.amazonaws.com service principle from the 
+      parameters/common-register-delegated-administrator.json file

solutions/iam/access-analyzer/aws-control-tower/manifest-v2.yaml

@@ -0,0 +1,51 @@
+---
+#Default region for deploying Custom Control Tower: Code Pipeline, Step functions, Lambda, SSM parameters, and StackSets
+region: us-east-1
+version: 2021-03-15
+
+# Control Tower Custom Resources (Service Control Policies or CloudFormation)
+resources:
+# -----------------------------------------------------------------------------
+# IAM Access Analyzer Solution
+# -----------------------------------------------------------------------------
+  - name: AccessAnalyzerOrganization
+    resource_file: templates/access-analyzer-org.yaml
+    parameters:
+      - parameter_key: pAccessAnalyzerName
+        parameter_value: cfct-organization-access-analyzer
+      - parameter_key: pTagKey1
+        parameter_value: cfct
+      - parameter_key: pTagValue1
+        parameter_value: managed-by-cfct
+    deploy_method: stack_set
+    deployment_targets:
+      accounts:
+        - Audit
+    regions:
+      - ap-southeast-2
+      - eu-west-1
+      - us-east-1
+      - us-east-2
+      - us-west-2
+
+  - name: AccessAnalyzerAccount
+    resource_file: templates/access-analyzer-acct.yaml
+    parameters:
+      - parameter_key: pAccessAnalyzerNamePrefix
+        parameter_value: cfct-account-access-analyzer
+      - parameter_key: pTagKey1
+        parameter_value: cfct
+      - parameter_key: pTagValue1
+        parameter_value: managed-by-cfct
+    deploy_method: stack_set
+    deployment_targets:
+      organizational_units:
+        - Core
+        - management
+        - workloads
+    regions:
+      - ap-southeast-2
+      - eu-west-1
+      - us-east-1
+      - us-east-2
+      - us-west-2

solutions/iam/access-analyzer/aws-control-tower/manifest.yaml

@@ -0,0 +1,40 @@
+---
+#Default region for deploying Custom Control Tower: Code Pipeline, Step functions, Lambda, SSM parameters, and StackSets
+region: us-east-1
+version: 2020-01-01
+
+# Control Tower Custom Service Control Policies
+organization_policies: []
+
+# Control Tower Custom CloudFormation Resources
+cloudformation_resources:
+  # -----------------------------------------------------------------------------
+  # IAM Access Analyzer Solution
+  # -----------------------------------------------------------------------------
+  - name: AccessAnalyzerOrganization
+    template_file: templates/access-analyzer-org.yaml
+    parameter_file: parameters/access-analyzer-org.json
+    deploy_method: stack_set
+    deploy_to_account:
+      - Audit
+    regions:
+      - ap-southeast-2
+      - eu-west-1
+      - us-east-1
+      - us-east-2
+      - us-west-2
+
+  - name: AccessAnalyzerAccount
+    template_file: templates/access-analyzer-acct.yaml
+    parameter_file: parameters/access-analyzer-acct.json
+    deploy_method: stack_set
+    deploy_to_ou:
+      - Core
+      - management
+      - workloads
+    regions:
+      - ap-southeast-2
+      - eu-west-1
+      - us-east-1
+      - us-east-2
+      - us-west-2

solutions/iam/access-analyzer/aws-control-tower/parameters/access-analyzer-acct.json

@@ -0,0 +1,14 @@
+[
+    {
+      "ParameterKey": "pAccessAnalyzerNamePrefix",
+      "ParameterValue": "cfct-account-access-analyzer"
+    },
+    {
+      "ParameterKey": "pTagKey1",
+      "ParameterValue": "cfct"
+    },
+    {
+      "ParameterKey": "pTagValue1",
+      "ParameterValue": "managed-by-cfct"
+    }
+]

solutions/iam/access-analyzer/aws-control-tower/parameters/access-analyzer-org.json

@@ -0,0 +1,14 @@
+[
+  {
+    "ParameterKey": "pAccessAnalyzerName",
+    "ParameterValue": "cfct-organization-access-analyzer"
+  },
+  {
+    "ParameterKey": "pTagKey1",
+    "ParameterValue": "cfct"
+  },
+  {
+    "ParameterKey": "pTagValue1",
+    "ParameterValue": "managed-by-cfct"
+  }
+]