aws-samples
diff --git a/‎README.md‎
Lines changed: 1 addition & 0 deletions b/‎README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎solutions/common/register-delegated-administrator/README.md‎
Lines changed: 155 additions & 0 deletions b/‎solutions/common/register-delegated-administrator/README.md‎
Lines changed: 155 additions & 0 deletions
diff --git a/‎solutions/common/register-delegated-administrator/aws-control-tower/README.md‎
Lines changed: 68 additions & 0 deletions b/‎solutions/common/register-delegated-administrator/aws-control-tower/README.md‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎solutions/common/register-delegated-administrator/aws-control-tower/manifest-v2.yaml‎
Lines changed: 35 additions & 0 deletions b/‎solutions/common/register-delegated-administrator/aws-control-tower/manifest-v2.yaml‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎solutions/common/register-delegated-administrator/aws-control-tower/manifest.yaml‎
Lines changed: 19 additions & 0 deletions b/‎solutions/common/register-delegated-administrator/aws-control-tower/manifest.yaml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎solutions/common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json‎
Lines changed: 38 additions & 0 deletions b/‎solutions/common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json‎
Lines changed: 38 additions & 0 deletions
@@ -20,6 +20,7 @@ platform (e.g. AWS Landing Zone, AWS Control Tower, AWS CloudFormation StackSets
     * [Organization CloudTrail](solutions/cloudtrail/cloudtrail-org)
 * Config
     * [Account Aggregator](solutions/config/aggregator-acct)
+    * [Organization Aggregator](solutions/config/aggregator-org)
     * [Organization Conformance Pack](solutions/config/conformance-pack-org)
 * Firewall Manager
     * [Organization Firewall Manager](solutions/firewall-manager/firewall-manager-org)
 
@@ -0,0 +1,155 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+# Register Delegated Administrator Account
+
+The register delegated administrator account solution is a common solution to register a delegated administrator 
+account (e.g. Security Tooling Account) within the AWS Organizations management account using the AWS Organizations 
+APIs.
+
+----
+
+# Table of Contents
+* [Deployed Resource Details](#deployed-resource-details)
+* [Implementation Instructions](#implementation-instructions)
+* [References](#references)
+
+----
+
+# Deployed Resource Details
+
+![Architecture](./documentation/Register-Delegated-Admin-Architecture.png "Architecture")
+
+## 1.0 Organization Management Account
+
+### 1.1 AWS CloudFormation
+
+**Description:**
+
+All resources are deployed via CloudFormation StackSet and Stacks within member accounts
+
+**Configuration:**
+
+* StackSet Names:
+    * RegisterDelegatedAdmin
+
+### 1.2 AWS Lambda Function
+
+**Description:**
+
+The custom CloudFormation Lambda resource is required to delegate an administrator account because this capability 
+is not supported by CloudFormation.
+
+**Configuration:**
+
+* Lambda Function Name = [Prefix]-register-delegated-admin
+* Environment Variables and Properties (Configurable and set via CloudFormation)
+    * AWS_SERVICE_PRINCIPAL_LIST - AWS service principals to delegate administration for
+    * DELEGATED_ADMIN_ACCOUNT_ID - Organization Member Account ID, e.g. Security Tooling Account
+    * LOG_LEVEL - Default = info, Valid Values = debug, info, warning, error, critical
+    
+**Input Validation**
+
+Validation of environment variables and properties is done to make sure values exist and are the correct type
+
+### 1.3 Lambda CloudWatch Log Group
+
+**Description:**
+
+Contains Lambda function execution logs
+
+**Configuration:**
+
+* Log group name = /aws/lambda/[Lambda Function]
+
+### 1.4 Lambda Execution IAM Role
+
+**Description:**
+
+Used by the custom CloudFormation Lambda function to enable AWS service access for the provided service and register 
+an AWS account as the delegated administrator.
+
+**Configuration:**
+
+* Role Name: [Prefix]-register-delegated-admin-lambda
+* Policy Name: [Prefix]-register-delegated-admin-lambda
+* Permissions:
+    * CloudWatch Logs - Limited: Write on LogGroupName like /aws/lambda/[Lambda Function]
+    * Organizations - Limited: List, Read, Write
+
+### 1.5 AWS Organizations
+
+**Description:**
+
+AWS Organizations APIs are used to delegate the administrator account
+
+**Configuration:**
+
+* Delegated Admin Account ID
+* Service Principal
+
+
+----
+
+## 2.0 Delegated Administrator Account (Security Tooling)
+
+### 2.1 Services Supported
+
+**Description:**
+
+The services that support a delegated administrator account can be configured and managed within this account.  
+
+**Configuration:**
+
+* Service Principal Mapping
+
+|          Service             |          Service Principal             |
+| ---------------------------- | -------------------------------------- |
+| AWS IAM Access Analyzer      | access-analyzer.amazonaws.com          |
+| AWS Audit Manager            | auditmanager.amazonaws.com             |
+| AWS CloudFormation StackSets | stacksets.cloudformation.amazonaws.com |
+| AWS Config                   | config.amazonaws.com                   | 
+| AWS Config Conformance Packs | config-multiaccountsetup.amazonaws.com |
+| Amazon Macie                 | macie.amazonaws.com                    |
+| AWS Security Hub             | securityhub.amazonaws.com              |
+| Amazon S3 Storage Lens       | storage-lens.s3.amazonaws.com          |
+
+
+----
+
+# Implementation Instructions
+
+### [AWS Control Tower](./aws-control-tower)
+### CloudFormation StackSets
+
+1. Create new or use an existing S3 bucket within the deployment region owned by the Organization Management Account
+   * Example bucket name: lambda-zips-[Management Account ID]-[AWS region]
+   * [Example CloudFormation Template](../../../extras/lambda-s3-buckets.yaml)
+   * Each bucket must allow the s3:GetObject action to the AWS Organization using a bucket policy like the one below 
+        to allow the accounts within the Organization to get the Lambda files.
+2. Package the Lambda code into a zip file and upload it to the S3 bucket
+   * Package and Upload the Lambda zip file to S3 - [Packaging script](../../../extras/packaging-scripts/package-lambda.sh)
+   ```shell
+    export BUCKET=lambda-zips-CHANGE_ME_ACCOUNT_ID-CHANGE_ME_REGION
+    sh ~/aws-security-reference-architecture-examples/extras/packaging-scripts/package-lambda.sh \
+    --file_name common-register-delegated-admin.zip \
+    --bucket $BUCKET \
+    --src_dir ~/aws-security-reference-architecture-examples/solutions/common/register-delegated-admninistrator/code/src
+   ```
+3. Create a CloudFormation StackSet or Stack with the following template
+   
+   |     Account     |   StackSet Name   |  Template  |
+   | --------------- | ----------------- | ---------- |
+   | Management | RegisterDelegatedAdmin | templates/register-delegated-admin.yaml |
+4. Verify configuration using the following AWS CLI shell script
+   ```shell
+    for accountId in $(aws organizations list-delegated-administrators --query 'DelegatedAdministrators[*].Id' \
+    --output text); do echo -e "$accountId\n Service Principals: " \
+    $(aws organizations list-delegated-services-for-account --account-id $accountId \
+    --query 'DelegatedServices[*].ServicePrincipal'); done
+   ```
+
+----
+
+# References
+
+* [AWS services that you can use with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html)
@@ -0,0 +1,68 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+----
+   
+# Implementation Instructions
+
+1. Make sure the required [prerequisites](../../../../extras/aws-control-tower/prerequisites/README.md) are completed
+2. Package and upload the common-register-delegated-administrator Lambda function
+   ```shell
+    export AWS_ACCESS_KEY_ID=INSERT_AWS_ACCESS_KEY_ID
+    export AWS_SECRET_ACCESS_KEY=INSERT_AWS_SECRET_ACCESS_KEY
+    export AWS_SESSION_TOKEN=INSERT_AWS_SESSION_TOKEN
+   
+    export BUCKET=lambda-zips-CHANGE_ME_ACCOUNT_ID-CHANGE_ME_REGION
+    sh ~/aws-security-reference-architecture-examples/extras/packaging-scripts/package-lambda.sh \
+    --file_name common-register-delegated-admin.zip \
+    --bucket $BUCKET \
+    --src_dir ~/aws-security-reference-architecture-examples/solutions/common/register-delegated-admninistrator/code/src
+   ```
+3. Copy the files to the Customizations for AWS Control Tower configuration 
+   1. customizations-for-control-tower-configuration
+       1. [manifest.yaml](manifest.yaml) -> manifest.yaml 
+       2. [common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json](../../../common/register-delegated-administrator/aws-control-tower/parameters/common-register-delegated-administrator.json) 
+          -> parameters/common-register-delegated-administrator.json
+       3. [common/register-delegated-administrator/templates/common-register-delegated-administrator.yaml](../../../common/register-delegated-administrator/templates/common-register-delegated-administrator.yaml) 
+          -> templates/common-register-delegated-administrator.yaml
+4. Add service principals to the pServicePrincipalList parameter in the 
+   parameters/common-register-delegated-administrator.json
+5. Add the [common/register-delegated-administrator/aws-control-tower/manifest.yaml](../../../common/register-delegated-administrator/aws-control-tower)
+   resource configuration to your manifest.yaml file.
+   ```yaml
+   ...
+   cloudformation_resources:
+   # -----------------------------------------------------------------------------
+   # Common Register Delegated Administrator
+   # -----------------------------------------------------------------------------
+   - name: CommonRegisterDelegatedAdmin
+     template_file: templates/common-register-delegated-administrator.yaml
+     parameter_file: parameters/common-register-delegated-administrator.json
+     deploy_method: stack_set
+     deploy_to_account:
+       - REPLACE_ME_ORG_MANAGEMENT_ACCOUNT_NAME
+   ...
+   ```
+6. Update the manifest.yaml file with your account names and SSM parameters
+7. Deploy the Customizations for AWS Control Tower configuration
+8. How to verify after the pipeline completes?
+   1. Export the management account credentials in your local terminal and run the following script:
+      ```shell
+       for accountId in $(aws organizations list-delegated-administrators --query 'DelegatedAdministrators[*].Id' \
+       --output text); do echo -e "$accountId\n Service Principals: " \
+       $(aws organizations list-delegated-services-for-account --account-id $accountId \
+       --query 'DelegatedServices[*].ServicePrincipal'); done
+      ```
+   2. Verify that the service principals are listed for the delegated administrator account
+      
+# Delete Instructions
+
+1. Verify that all solutions related to the service principals are removed before deleting the solution
+2. Within the Customizations for AWS Control Tower configuration
+   1. Remove the Common Register Delegated Administrator configuration from the manifest.yaml file
+   2. (Optional) Delete the parameter and template files for the Common Register Delegated Administrator solution
+3. Deploy the Customizations for AWS Control Tower configuration
+4. After the pipeline completes, log into the Management account and navigate to the CloudFormation StackSet page
+   1. Delete the Stack Instance from the CustomControlTower-CommonRegisterDelegatedAdmin CloudFormation StackSet
+   2. After the Stack Instance deletes, delete the CustomControlTower-CommonRegisterDelegatedAdmin CloudFormation 
+      StackSet
+   
@@ -0,0 +1,35 @@
+---
+#Default region for deploying Custom Control Tower: Code Pipeline, Step functions, Lambda, SSM parameters, and StackSets
+region: us-east-1
+version: 2021-03-15
+
+# Control Tower Custom Resources (Service Control Policies or CloudFormation)
+resources:
+# -----------------------------------------------------------------------------
+# Common Register Delegated Administrator Solution
+# -----------------------------------------------------------------------------
+  - name: CommonRegisterDelegatedAdmin
+    resource_file: templates/common-register-delegated-admin.yaml
+    parameters:
+      - parameter_key: pDelegatedAdminAccountId
+        parameter_value: $[alfred_ssm_/org/member/Audit/account_id]
+      - parameter_key: pLambdaExecutionRoleName
+        parameter_value: cfct-aggregator-register-delegated-admin-lambda
+      - parameter_key: pLambdaFunctionName
+        parameter_value: cfct-aggregator-register-delegated-admin
+      - parameter_key: pLambdaS3BucketName
+        parameter_value: $[alfred_ssm_/org/primary/lambda_zips_bucket/us-east-1]
+      - parameter_key: pLambdaZipFileName
+        parameter_value: common-register-delegated-administrator.zip
+      - parameter_key: pLogLevel
+        parameter_value: debug
+      - parameter_key: pServicePrincipalList
+        parameter_value: "CHANGE_ME_SERVICE_PRINCIPAL_LIST"
+      - parameter_key: pTagKey1
+        parameter_value: cfct
+      - parameter_key: pTagValue1
+        parameter_value: managed-by-cfct
+    deploy_method: stack_set
+    deployment_targets:
+      accounts:
+        - REPLACE_ME_ORG_MANAGEMENT_ACCOUNT_NAME
@@ -0,0 +1,19 @@
+---
+#Default region for deploying Custom Control Tower: Code Pipeline, Step functions, Lambda, SSM parameters, and StackSets
+region: us-east-1
+version: 2020-01-01
+
+# Control Tower Custom Service Control Policies
+organization_policies: []
+
+# Control Tower Custom CloudFormation Resources
+cloudformation_resources:
+  # -----------------------------------------------------------------------------
+  # Common Register Delegated Administrator
+  # -----------------------------------------------------------------------------
+  - name: CommonRegisterDelegatedAdmin
+    template_file: templates/common-register-delegated-administrator.yaml
+    parameter_file: parameters/common-register-delegated-administrator.json
+    deploy_method: stack_set
+    deploy_to_account:
+      - REPLACE_ME_ORG_MANAGEMENT_ACCOUNT_NAME
@@ -0,0 +1,38 @@
+[
+  {
+      "ParameterKey": "pDelegatedAdminAccountId",
+      "ParameterValue": "$[alfred_ssm_/org/member/Audit/account_id]"
+  },
+  {
+      "ParameterKey": "pLambdaExecutionRoleName",
+      "ParameterValue": "cfct-common-register-delegated-admin-lambda"
+  },
+  {
+      "ParameterKey": "pLambdaFunctionName",
+      "ParameterValue": "cfct-common-register-delegated-admin"
+  },
+  {
+      "ParameterKey": "pLambdaS3BucketName",
+      "ParameterValue": "$[alfred_ssm_/org/primary/lambda_zips_bucket/us-east-1]"
+  },
+  {
+      "ParameterKey": "pLambdaZipFileName",
+      "ParameterValue": "common-register-delegated-administrator.zip"
+  },
+  {
+      "ParameterKey": "pLogLevel",
+      "ParameterValue": "debug"
+  },
+  {
+      "ParameterKey": "pServicePrincipalList",
+      "ParameterValue": "CHANGE_ME_SERVICE_PRINCIPAL_LIST"
+  },
+  {
+      "ParameterKey": "pTagKey1",
+      "ParameterValue": "cfct"
+  },
+  {
+      "ParameterKey": "pTagValue1",
+      "ParameterValue": "managed-by-cfct"
+  }
+]