Merge pull request #41 from aws-samples/feature/macie-refactor

Feature/macie refactor

Author: andywick-aws

solutions/macie/macie-org/README.md

@@ -42,7 +42,7 @@ All resources are deployed via CloudFormation StackSet and Stack
 **Description:**
 
 The custom CloudFormation Lambda resource is required to delegate an administrator account because this capability 
-is not supported by CloudFormation (December 2020)
+is not supported by CloudFormation (August 2021)
 
 **Configuration:**
 
@@ -54,6 +54,8 @@ is not supported by CloudFormation (December 2020)
     * DELEGATED_ADMIN_ACCOUNT_ID - Organization Member Account ID which is typically the Security account
     * DISABLE_MACIE_ROLE_NAME - Role within each member account used to disable Macie
     * ENABLED_REGIONS - Comma delimited list of regions to enable Macie in. Leave blank for all supported regions.
+    * FINDING_PUBLISHING_FREQUENCY - Specifies how often to publish updates to policy findings for the account. 
+      Default = 'FIFTEEN_MINUTES', Valid values = 'FIFTEEN_MINUTES', 'ONE_HOUR', 'SIX_HOURS'
     * KMS_KEY_ARN - KMS Key ARN to encrypt the Macie classifications sent to S3
     * S3_BUCKET_NAME - S3 bucket ARN to send the Macie classifications
 
@@ -69,7 +71,6 @@ Contains Lambda function execution logs
 
 **Configuration:**
 
-* Retention = Default 2 weeks (14 days)
 * Log group name = /aws/lambda/[Lambda Function Name]
 
 ### 1.4 Lambda Execution IAM Role
@@ -114,7 +115,7 @@ to configure Macie with the below configurations.
 
 **Description:**
 
-All resources are deployed via CloudFormation Stack created by the management account StackSet
+All resources are deployed via CloudFormation Stack created by the Management account StackSet
 
 **Configuration:**
 
@@ -155,7 +156,7 @@ Macie is enabled for existing accounts within each member account and region dur
 
 **Description:**
 
-All resources are deployed via CloudFormation Stack created by the management account StackSet
+All resources are deployed via CloudFormation Stack created by the Management account StackSet
 
 **Configuration:**
 
@@ -171,7 +172,7 @@ Customer managed KMS key used for encrypting exported Macie findings
 **Configuration:**
 
 * Key alias
-* Organization Primary Account ID
+* Organization Management Account ID
 * Logging Account ID
 * KMS Key Tag
 

solutions/macie/macie-org/aws-control-tower/README.md

@@ -22,7 +22,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 4. Update the manifest.yaml file with your account names
 5. Deploy the Customizations for AWS Control Tower configuration
 6. How to verify after the pipeline completes?
-   1. Log into the Primary account and navigate to the Macie page
+   1. Log into the Management account and navigate to the Macie page
       1. Validate that the delegated admin account is set for each region
    2. Log into the Audit account and navigate to the Macie page
       1. Verify the correct Macie configurations have been applied to each region
@@ -40,7 +40,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
    1. Remove the Macie configurations from the manifest.yaml file
    2. (Optional) Delete the parameter and template files for the Macie solution
 3. Deploy the Customizations for AWS Control Tower configuration
-4. After the pipeline completes, log into the Primary account and navigate to the CloudFormation page 
+4. After the pipeline completes, log into the Management account and navigate to the CloudFormation page 
    1. Delete the CustomControlTower-MacieOrgDeliveryS3Bucket CloudFormation StackSet
    2. Log into the Log Archive account and delete the Macie S3 bucket
    3. Delete the Stack Instance from the CustomControlTower-MacieOrgDeliveryS3Bucket CloudFormation StackSet
@@ -49,6 +49,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
    6. After the Stack Instance deletes, delete the CustomControlTower-MacieOrgDeliveryKMSKey CloudFormation StackSet
    7. Delete the Stack Instances from the CustomControlTower-MacieOrgMemberDisableRole CloudFormation StackSet
    8. After the Stack Instance deletes, delete the CustomControlTower-MacieOrgMemberDisableRole CloudFormation StackSet
+   9. Delete the Lambda CloudWatch Log Group within the Management account
 
 
 

solutions/macie/macie-org/aws-control-tower/manifest-v2.yaml

@@ -0,0 +1,132 @@
+---
+#Default region for deploying Custom Control Tower: Code Pipeline, Step functions, Lambda, SSM parameters, and StackSets
+region: us-east-1
+version: 2021-03-15
+
+# Control Tower Custom Resources (Service Control Policies or CloudFormation)
+resources:
+  # -----------------------------------------------------------------------------
+  # Amazon Macie
+  # -----------------------------------------------------------------------------
+  - name: MacieOrgConfigurationRole
+    resource_file: templates/macie-org-configuration-role.yaml
+    parameters:
+      - parameter_key: pConfigurationRoleName
+        parameter_value: "cfct-macie-configuration"
+      - parameter_key: pOrgManagementAccountId
+        parameter_value: $[alfred_ssm_/org/member/Control-Tower-Management/account_id]
+      - parameter_key: pOrgPrimaryLambdaRoleName
+        parameter_value: "cfct-macie-org-lambda"
+      - parameter_key: pTagKey1
+        parameter_value: "cfct"
+      - parameter_key: pTagValue1
+        parameter_value: "managed-by-cfct"
+    deploy_method: stack_set
+    deployment_targets:
+      accounts:
+        - Audit
+
+  - name: MacieOrgDeliveryKMSKey
+    resource_file: templates/macie-org-kms-key.yaml
+    parameters:
+      - parameter_key: pMacieDeliveryKeyAlias
+        parameter_value: "MacieDeliveryKMSKey"
+      - parameter_key: pLoggingAccountId
+        parameter_value: $[alfred_ssm_/org/member/Log-archive/account_id]
+      - parameter_key: pOrgManagementAccountId
+        parameter_value: $[alfred_ssm_/org/member/Control-Tower-Management/account_id]
+      - parameter_key: pTagKey1
+        parameter_value: "cfct"
+      - parameter_key: pTagValue1
+        parameter_value: "managed-by-cfct"
+    deploy_method: stack_set
+    export_outputs:
+      - name: /org/macie/kms_key_arn
+        value: $[output_oMacieDeliveryKeyArn]
+    deployment_targets:
+      accounts:
+        - Audit
+
+  - name: MacieOrgDeliveryS3Bucket
+    resource_file: templates/macie-org-s3-bucket.yaml
+    parameters:
+      - parameter_key: pDelegatedAdminAccountId
+        parameter_value: $[alfred_ssm_/org/member/Audit/account_id]
+      - parameter_key: pMacieDeliveryBucketPrefix
+        parameter_value: "macie-delivery"
+      - parameter_key: pMacieDeliveryKMSKeyArn
+        parameter_value: $[alfred_ssm_/org/macie/kms_key_arn]
+      - parameter_key: pOrganizationId
+        parameter_value: $[alfred_ssm_/org/primary/organization_id]
+      - parameter_key: pTagKey1
+        parameter_value: "cfct"
+      - parameter_key: pTagValue1
+        parameter_value: "managed-by-cfct"
+    deploy_method: stack_set
+    export_outputs:
+      - name: /org/macie/s3_bucket
+        value: $[output_oMacieDeliveryS3Bucket]
+    deployment_targets:
+      accounts:
+        - Log archive
+
+  - name: MacieOrgConfiguration
+    resource_file: templates/macie-org-configuration.yaml
+    parameters:
+      - parameter_key: pConfigurationRoleName
+        parameter_value: "cfct-macie-configuration"
+      - parameter_key: pControlTowerRegionsOnly
+        parameter_value: "true"
+      - parameter_key: pDelegatedAdminAccountId
+        parameter_value: $[alfred_ssm_/org/member/Audit/account_id]
+      - parameter_key: pDisableMacieRoleName
+        parameter_value: "cfct-disable-macie"
+      - parameter_key: pEnabledRegions
+        parameter_value: ""
+      - parameter_key: pFindingPublishingFrequency
+        parameter_value: "FIFTEEN_MINUTES"
+      - parameter_key: pKMSKeyArn
+        parameter_value: "$[alfred_ssm_/org/macie/kms_key_arn]"
+      - parameter_key: pLambdaExecutionRoleName
+        parameter_value: "cfct-macie-org-lambda"
+      - parameter_key: pLambdaFunctionName
+        parameter_value: "cfct-macie-org-configuration"
+      - parameter_key: pLambdaS3BucketName
+        parameter_value: $[alfred_ssm_/org/primary/lambda_zips_bucket/us-east-1]
+      - parameter_key: pLambdaZipFileName
+        parameter_value: "macie-org-configuration.zip"
+      - parameter_key: pLogLevel
+        parameter_value: "debug"
+      - parameter_key: pOrganizationId
+        parameter_value: $[alfred_ssm_/org/primary/organization_id]
+      - parameter_key: pPublishingDestinationBucketName
+        parameter_value: "$[alfred_ssm_/org/macie/s3_bucket]"
+      - parameter_key: pTagKey1
+        parameter_value: "cfct"
+      - parameter_key: pTagValue1
+        parameter_value: "managed-by-cfct"
+    deploy_method: stack_set
+    deployment_targets:
+      accounts:
+        - Management
+
+  - name: MacieOrgMemberDisableRole
+    resource_file: templates/macie-org-member-disable-role.yaml
+    parameters:
+      - parameter_key: pDisableMacieRoleName
+        parameter_value: "cfct-disable-macie"
+      - parameter_key: pOrgManagementAccountId
+        parameter_value: $[alfred_ssm_/org/member/Control-Tower-Management/account_id]
+      - parameter_key: pLambdaRoleName
+        parameter_value: "cfct-macie-org-lambda"
+      - parameter_key: pTagKey1
+        parameter_value: "cfct"
+      - parameter_key: pTagValue1
+        parameter_value: "managed-by-cfct"
+    deploy_method: stack_set
+    deployment_targets:
+      organizational_units:
+        # ALL OU s
+        - Core
+        - management
+        - workloads

solutions/macie/macie-org/aws-control-tower/manifest.yaml

@@ -40,13 +40,13 @@ cloudformation_resources:
     parameter_file: parameters/macie-org-configuration.json
     deploy_method: stack_set
     deploy_to_account:
-      - Control Tower Primary
+      - Control Tower Management
 
   - name: MacieOrgMemberDisableRole
     template_file: templates/macie-org-member-disable-role.yaml
     parameter_file: parameters/macie-org-member-disable-role.json
     deploy_method: stack_set
     deploy_to_ou:
       - Core
-      - primary
+      - management
       - workloads

solutions/macie/macie-org/aws-control-tower/parameters/macie-org-configuration-role.json

@@ -4,11 +4,11 @@
         "ParameterValue": "cfct-macie-configuration"
     },
     {
-        "ParameterKey": "pOrgPrimaryAccountId",
-        "ParameterValue": "$[alfred_ssm_/org/member/Control-Tower-Primary/account_id]"
+        "ParameterKey": "pOrgManagementAccountId",
+        "ParameterValue": "$[alfred_ssm_/org/member/Control-Tower-Management/account_id]"
     },
     {
-        "ParameterKey": "pOrgPrimaryLambdaRoleName",
+        "ParameterKey": "pLambdaRoleName",
         "ParameterValue": "cfct-macie-org-lambda"
     },
     {

solutions/macie/macie-org/aws-control-tower/parameters/macie-org-configuration.json

@@ -7,10 +7,6 @@
         "ParameterKey": "pControlTowerRegionsOnly",
         "ParameterValue": "true"
     },
-    {
-        "ParameterKey": "pDefaultLogGroupRetention",
-        "ParameterValue": "30"
-    },
     {
         "ParameterKey": "pDelegatedAdminAccountId",
         "ParameterValue": "$[alfred_ssm_/org/member/Audit/account_id]"
@@ -23,6 +19,10 @@
         "ParameterKey": "pEnabledRegions",
         "ParameterValue": ""
     },
+    {
+        "ParameterKey": "pFindingPublishingFrequency",
+        "ParameterValue": "FIFTEEN_MINUTES"
+    },
     {
         "ParameterKey": "pKMSKeyArn",
         "ParameterValue": "$[alfred_ssm_/org/macie/kms_key_arn]"
@@ -41,7 +41,7 @@
     },
     {
         "ParameterKey": "pLambdaZipFileName",
-        "ParameterValue": "macie-org-configuration-v1.zip"
+        "ParameterValue": "macie-org-configuration.zip"
     },
     {
         "ParameterKey": "pLogLevel",

solutions/macie/macie-org/aws-control-tower/parameters/macie-org-kms-key.json

@@ -1,15 +1,15 @@
 [
     {
-        "ParameterKey": "pMacieDeliveryKeyAlias",
-        "ParameterValue": "MacieDeliveryKMSKey"
+        "ParameterKey": "pLoggingAccountId",
+        "ParameterValue": "$[alfred_ssm_/org/member/Log-archive/account_id]"
     },
     {
-        "ParameterKey": "pOrgPrimaryAccountId",
-        "ParameterValue": "$[alfred_ssm_/org/member/Control-Tower-Primary/account_id]"
+        "ParameterKey": "pMacieDeliveryKeyAlias",
+        "ParameterValue": "MacieDeliveryKMSKey"
     },
     {
-        "ParameterKey": "pLoggingAccountId",
-        "ParameterValue": "$[alfred_ssm_/org/member/Log-archive/account_id]"
+        "ParameterKey": "pOrgManagementAccountId",
+        "ParameterValue": "$[alfred_ssm_/org/member/Control-Tower-Management/account_id]"
     },
     {
         "ParameterKey": "pTagKey1",

solutions/macie/macie-org/aws-control-tower/parameters/macie-org-member-disable-role.json

@@ -4,11 +4,11 @@
         "ParameterValue": "cfct-disable-macie"
     },
     {
-        "ParameterKey": "pOrgPrimaryAccountId",
-        "ParameterValue": "$[alfred_ssm_/org/member/Control-Tower-Primary/account_id]"
+        "ParameterKey": "pOrgManagementAccountId",
+        "ParameterValue": "$[alfred_ssm_/org/member/Control-Tower-Management/account_id]"
     },
     {
-        "ParameterKey": "pOrgPrimaryLambdaRoleName",
+        "ParameterKey": "pLambdaRoleName",
         "ParameterValue": "cfct-macie-org-lambda"
     },
     {

solutions/macie/macie-org/aws-control-tower/parameters/macie-org-s3-bucket.json

@@ -1,4 +1,8 @@
 [
+    {
+        "ParameterKey": "pDelegatedAdminAccountId",
+        "ParameterValue": "$[alfred_ssm_/org/member/Audit/account_id]"
+    },
     {
         "ParameterKey": "pMacieDeliveryBucketPrefix",
         "ParameterValue": "macie-delivery"
@@ -7,6 +11,10 @@
         "ParameterKey": "pMacieDeliveryKMSKeyArn",
         "ParameterValue": "$[alfred_ssm_/org/macie/kms_key_arn]"
     },
+    {
+        "ParameterKey": "pOrganizationId",
+        "ParameterValue": "$[alfred_ssm_/org/primary/organization_id]"
+    },
     {
         "ParameterKey": "pTagKey1",
         "ParameterValue": "cfct"

solutions/macie/macie-org/aws-landing-zone/README.md

@@ -69,4 +69,5 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
    2. MacieOrgDeliveryS3Bucket - Manually cleanup the S3 bucket after deleting the StackSet
    3. MacieOrgDeliveryKMSKey
    4. MacieOrgMemberDisableRole
-4. Delete all the Macie StackSets
+6. Delete all the Macie StackSets
+7. Delete the Lambda CloudWatch log group in the management account