Merge pull request #30 from aws-samples/feature/refactor-config-conformance-pack-org

Refactor Config Conformance Pack Solution Issue #28

Author: andywick-aws

solutions/config/conformance-pack-org/README.md

@@ -55,8 +55,9 @@ is not supported by CloudFormation (November 2020)
 
 * Lambda Function Name = [Prefix]-config-register-delegated-admin
 * Environment Variables (Configurable and set via CloudFormation)
+    * AWS_SERVICE_PRINCIPAL - AWS service principal to delegate administration for
     * DELEGATED_ADMIN_ACCOUNT_ID - Organization Member Account ID which is typically the Security account
-    * LOG_LEVEL - Default = info, Valid Values = info, warning, error, critical
+    * LOG_LEVEL - Default = info, Valid Values = debug, info, warning, error, critical
     * TAG_KEY1 - Tags the IAM role and Lambda Function with this key
     * TAG_VALUE1 - Tags the IAM role and Lambda Function with this value
 
@@ -212,20 +213,20 @@ get started and to evaluate your AWS environment, use one of the sample conforma
 
 #### Pre-requisites
 1. Create AWS Config Conformance Pack Templates S3 Bucket in the Security Tooling Account
-   * Create an SSM parameter in the Organization Primary Account (Optional)
+   * Create an SSM parameter in the Organization Management Account (Optional)
    * CloudFormation template to create the S3 bucket - documentation/setup/create-conformance-pack-templates-bucket.yaml
 2. Upload documentation/setup/conformance-pack-templates/aws-control-tower-detective-guardrails.yaml to the AWS Config 
     Conformance Pack Templates S3 Bucket
 
 #### Instructions
 
 > **Solution Deployment Order:**
-> 1. Primary Account (ConformancePackDelegatedAdmin)
+> 1. Management Account (ConformancePackDelegatedAdmin)
 > 2. Log-Archive Account (ConformancePackDeliveryBucket)
 > 3. Security Account (ConformancePackDeployment)
 
-1. Create new or use an existing S3 bucket within the deployment region owned by the Organization Primary Account
-   * Example bucket name: lambda-zips-[Primary Account ID]-[AWS region]
+1. Create new or use an existing S3 bucket within the deployment region owned by the Organization Management Account
+   * Example bucket name: lambda-zips-[Management Account ID]-[AWS region]
    * [Example CloudFormation Template](../../../extras/lambda-s3-buckets.yaml)
    * Each bucket must allow the s3:GetObject action to the AWS Organization using a bucket policy like the one below 
         to allow the accounts within the Organization to get the Lambda files.
@@ -254,7 +255,7 @@ get started and to evaluate your AWS environment, use one of the sample conforma
    
    |     Account     |   StackSet Name   |  Template  |
    | --------------- | ----------------- | ---------- |
-   | Primary | ConformancePackDelegatedAdmin | templates/conformance-pack-org-register-delegated-admin.yaml |
+   | Management | ConformancePackDelegatedAdmin | templates/conformance-pack-org-register-delegated-admin.yaml |
    | Log Archive | ConformancePackDeliveryBucket | templates/conformance-pack-org-delivery-bucket.yaml |
    | Security | ConformancePackDeployment | templates/conformance-pack-org-deployment.yaml |
    

solutions/config/conformance-pack-org/aws-control-tower/README.md

@@ -7,14 +7,14 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 1. Make sure the required [prerequisites](../../../../extras/aws-control-tower/prerequisites/README.md) are completed
 2. Verify that all accounts in the organization have an AWS Configuration Recorder
    * Run the [list-config-recorder-status.py](../../../../extras/aws-control-tower/helper-scripts/list-config-recorder-status.py) 
-     within the Organization Primary account to get the list of accounts.
+     within the Organization Management account to get the list of accounts.
    * Include the Account IDs without an AWS Configuration Recorder in the pExcludedAccounts parameter 
-3. Create the Conformance Pack Template S3 bucket within the Audit account using the 
+3. Create the Conformance Pack Template S3 bucket within the Security Tooling account using the 
     [create-conformance-pack-templates-bucket.yaml](../documentation/setup/create-conformance-pack-templates-bucket.yaml)
     template
 4. Upload the [Operational-Best-Practices-for-Encryption-and-Keys.yaml](../documentation/setup/conformance-pack-templates/Operational-Best-Practices-for-Encryption-and-Keys.yaml) 
    conformance pack template to the Conformance Pack Template S3 bucket created above.
-5. Add the /org/config/conformance_pack_templates_bucket SSM Parameter in the Primary account
+5. Add the /org/config/conformance_pack_templates_bucket SSM Parameter in the Management account
    ```
    aws ssm put-parameter \ 
        --name /org/config/conformance_pack_templates_bucket \ 
@@ -35,7 +35,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 8. Update the manifest.yaml file with your account names
 9. Deploy the Customizations for AWS Control Tower configuration
 10. How to verify after the pipeline completes?
-   1. Log into the Audit account and navigate to the AWS Config page
+   1. Log into the Security Tooling account and navigate to the AWS Config page
    2. Verify the correct configurations have been applied to each region
       1. Conformance packs -> OrgConformsPack-Operational-Best-Practices-for-Encryption-and-Keys-* created in each region
       2. Settings -> Delivery location set to the awsconfigconforms-[Log Archive Account ID]-[Region]
@@ -47,6 +47,6 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
    1. Remove the Conformance Pack configurations from the manifest.yaml file
    2. (Optional) Delete the parameter and template files for the Conformance Pack solution
 2. Deploy the Customizations for AWS Control Tower configuration
-3. After the pipeline completes, log into the Primary account and navigate to the CloudFormation page
+3. After the pipeline completes, log into the Management account and navigate to the CloudFormation page
    1. Delete the CustomControlTower-ConformancePack* CloudFormation StackSets
 

solutions/config/conformance-pack-org/aws-control-tower/manifest-v2.yaml

@@ -0,0 +1,78 @@
+---
+#Default region for deploying Custom Control Tower: Code Pipeline, Step functions, Lambda, SSM parameters, and StackSets
+region: us-east-1
+version: 2021-03-15
+
+# Control Tower Custom Resources (Service Control Policies or CloudFormation)
+resources:
+# -----------------------------------------------------------------------------
+# Organization Config Conformance Pack
+# -----------------------------------------------------------------------------
+  - name: ConformancePackDelegatedAdmin
+    resource_file: templates/conformance-pack-org-register-delegated-admin.yaml
+    parameters:
+      - parameter_key: pDefaultLogGroupRetention
+        parameter_value: "30"
+      - parameter_key: pDelegatedAdminAccountId
+        parameter_value: $[alfred_ssm_/org/member/Audit/account_id]
+      - parameter_key: pLambdaExecutionRoleName
+        parameter_value: cfct-config-register-delegated-admin-lambda
+      - parameter_key: pLambdaFunctionName
+        parameter_value: cfct-config-register-delegated-admin
+      - parameter_key: pLambdaS3BucketName
+        parameter_value: $[alfred_ssm_/org/primary/lambda_zips_bucket/us-east-1]
+      - parameter_key: pLambdaZipFileName
+        parameter_value: organization-register-delegated-admin.zip
+      - parameter_key: pLogLevel
+        parameter_value: info
+      - parameter_key: pTagKey1
+        parameter_value: cfct
+      - parameter_key: pTagValue1
+        parameter_value: managed-by-cfct
+    deploy_method: stack_set
+    deployment_targets:
+      accounts:
+        - Control Tower Management
+
+  - name: ConformancePackDeliveryBucket
+    resource_file: templates/conformance-pack-org-delivery-bucket.yaml
+    parameters:
+      - parameter_key: pOrganizationId
+        parameter_value: $[alfred_ssm_/org/primary/organization_id]
+      - parameter_key: pTagKey1
+        parameter_value: cfct
+      - parameter_key: pTagValue1
+        parameter_value: managed-by-cfct
+    deploy_method: stack_set
+    deployment_targets:
+      accounts:
+        - Log archive
+    export_outputs:
+      - name: /org/config/conformance_pack_delivery_bucket
+        value: $[output_oConformancePackDeliveryBucket]
+
+  - name: ConformancePackDeployment
+    resource_file: templates/conformance-pack-org-deployment.yaml
+    parameters:
+      - parameter_key: pConformancePackName
+        parameter_value: Operational-Best-Practices-for-Encryption-and-Keys
+      - parameter_key: pDeliveryBucketName
+        parameter_value: $[alfred_ssm_/org/config/conformance_pack_delivery_bucket]
+      - parameter_key: pDeliveryS3KeyPrefix
+        parameter_value: Config
+      - parameter_key: pExcludedAccounts
+        parameter_value: $[alfred_ssm_/org/member/Control-Tower-Management/account_id]
+      - parameter_key: pTemplateBucketName
+        parameter_value: $[alfred_ssm_/org/config/conformance_pack_templates_bucket]
+      - parameter_key: pTemplatePrefix
+        parameter_value: Operational-Best-Practices-for-Encryption-and-Keys.yaml
+    deploy_method: stack_set
+    deployment_targets:
+      accounts:
+        - Audit
+    regions:
+      - ap-southeast-2
+      - eu-west-1
+      - us-east-1
+      - us-east-2
+      - us-west-2

solutions/config/conformance-pack-org/aws-control-tower/manifest.yaml

@@ -13,7 +13,7 @@ cloudformation_resources:
     parameter_file: parameters/conformance-pack-org-register-delegated-admin.json
     deploy_method: stack_set
     deploy_to_account:
-      - Control Tower Primary
+      - Control Tower Management
 
   - name: ConformancePackDeliveryBucket
     template_file: templates/conformance-pack-org-delivery-bucket.yaml

solutions/config/conformance-pack-org/aws-control-tower/parameters/conformance-pack-org-delivery-bucket.json

@@ -5,10 +5,10 @@
     },
     {
         "ParameterKey": "pTagKey1",
-        "ParameterValue": "control-tower"
+        "ParameterValue": "cfct"
     },
     {
         "ParameterKey": "pTagValue1",
-        "ParameterValue": "managed-by-control-tower"
+        "ParameterValue": "managed-by-cfct"
     }
 ]

solutions/config/conformance-pack-org/aws-control-tower/parameters/conformance-pack-org-deployment.json

@@ -1,15 +1,7 @@
 [
     {
         "ParameterKey": "pConformancePackName",
-        "ParameterValue": "control-tower-detective-guardrails"
-    },
-    {
-        "ParameterKey": "pTemplateBucketName",
-        "ParameterValue": "$[alfred_ssm_/org/config/conformance_pack_templates_bucket]"
-    },
-    {
-        "ParameterKey": "pTemplatePrefix",
-        "ParameterValue": "aws-control-tower-detective-guardrails.yaml"
+        "ParameterValue": "Operational-Best-Practices-for-Encryption-and-Keys"
     },
     {
         "ParameterKey": "pDeliveryBucketName",
@@ -21,6 +13,14 @@
     },
     {
         "ParameterKey": "pExcludedAccounts",
-        "ParameterValue": "$[alfred_ssm_/org/member/Control-Tower-Primary/account_id]"
+        "ParameterValue": "$[alfred_ssm_/org/member/Control-Tower-Management/account_id]"
+    },
+    {
+        "ParameterKey": "pTemplateBucketName",
+        "ParameterValue": "$[alfred_ssm_/org/config/conformance_pack_templates_bucket]"
+    },
+    {
+        "ParameterKey": "pTemplatePrefix",
+        "ParameterValue": "Operational-Best-Practices-for-Encryption-and-Keys.yaml"
     }
 ]

solutions/config/conformance-pack-org/aws-control-tower/parameters/conformance-pack-org-register-delegated-admin.json

@@ -1,38 +1,38 @@
 [
     {
-        "ParameterKey": "pLambdaFunctionName",
-        "ParameterValue": "control-tower-config-register-delegated-admin"
+        "ParameterKey": "pDefaultLogGroupRetention",
+        "ParameterValue": "30"
     },
     {
-        "ParameterKey": "pLambdaS3BucketName",
-        "ParameterValue": "$[alfred_ssm_/org/primary/lambda_zips_bucket/us-east-1]"
+        "ParameterKey": "pDelegatedAdminAccountId",
+        "ParameterValue": "$[alfred_ssm_/org/member/Audit/account_id]"
     },
     {
-        "ParameterKey": "pLambdaZipFileName",
-        "ParameterValue": "organization-register-delegated-admin-v1.zip"
+        "ParameterKey": "pLambdaExecutionRoleName",
+        "ParameterValue": "cfct-config-register-delegated-admin-lambda"
     },
     {
-        "ParameterKey": "pDelegatedAdminAccountId",
-        "ParameterValue": "$[alfred_ssm_/org/member/Audit/account_id]"
+        "ParameterKey": "pLambdaFunctionName",
+        "ParameterValue": "cfct-config-register-delegated-admin"
     },
     {
-        "ParameterKey": "pLogLevel",
-        "ParameterValue": "info"
+        "ParameterKey": "pLambdaS3BucketName",
+        "ParameterValue": "$[alfred_ssm_/org/primary/lambda_zips_bucket/us-east-1]"
     },
     {
-        "ParameterKey": "pDefaultLogGroupRetention",
-        "ParameterValue": "30"
+        "ParameterKey": "pLambdaZipFileName",
+        "ParameterValue": "organization-register-delegated-admin.zip"
     },
     {
-        "ParameterKey": "pLambdaExecutionRoleName",
-        "ParameterValue": "control-tower-config-register-delegated-admin-lambda"
+        "ParameterKey": "pLogLevel",
+        "ParameterValue": "info"
     },
     {
         "ParameterKey": "pTagKey1",
-        "ParameterValue": "control-tower"
+        "ParameterValue": "cfct"
     },
     {
         "ParameterKey": "pTagValue1",
-        "ParameterValue": "managed-by-control-tower"
+        "ParameterValue": "managed-by-cfct"
     }
 ]

solutions/config/conformance-pack-org/aws-landing-zone/README.md

@@ -7,17 +7,18 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 1. Create AWS Config Conformance Pack Templates S3 Bucket in the Security Tooling Account
    * Create an SSM parameter in the Organization Master account (Optional)
    * CloudFormation template to create the S3 bucket - documentation/setup/create-conformance-pack-templates-bucket.yaml
-2. Upload documentation/setup/conformance-pack-templates/aws-control-tower-detective-guardrails.yaml to the AWS Config Conformance Pack Templates S3 Bucket
+2. Upload documentation/setup/conformance-pack-templates/aws-control-tower-detective-guardrails.yaml to the AWS Config 
+   Conformance Pack Templates S3 Bucket
 
 ### Instructions
 
 > **Core accounts within the manifest.yaml must be listed in the following order for this solution to work:**
-> 1. primary (ConformancePackDelegatedAdmin)
+> 1. management (ConformancePackDelegatedAdmin)
 > 2. log-archive (ConformancePackDeliveryBucket)
 > 3. security (ConformancePackDeployment)
 
-1. Create new or use an existing S3 bucket within the ALZ region owned by the Organization Primary Account
-   * Example bucket name: lambda-zips-[Primary Account ID]-[ALZ Region]
+1. Create new or use an existing S3 bucket within the ALZ region owned by the Organization Management Account
+   * Example bucket name: lambda-zips-[Management Account ID]-[ALZ Region]
    * [Example CloudFormation Template](../../../../extras/lambda-s3-buckets.yaml)
    * Each bucket must allow the s3:GetObject action to the AWS Organization using a bucket policy like the one below 
         to allow the accounts within the Organization to get the Lambda files.
@@ -55,7 +56,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 5. Update the parameter files with any specific values for your AWS Landing Zone implementation
 6. Update the add_on_manifest.yaml with OU and accounts for your AWS Landing Zone implementation
 7. Update the manifest.yaml file so that the core accounts are listed in this order: 
-   1. primary 
+   1. management
    2. log-archive 
    3. security
    * Reason: The AWS Landing Zone deploys resources for the core accounts in the order that they are listed within 

solutions/config/conformance-pack-org/aws-landing-zone/parameters/conformance-pack-org-deployment.json

@@ -3,14 +3,6 @@
         "ParameterKey": "pConformancePackName",
         "ParameterValue": "control-tower-detective-guardrails"
     },
-    {
-        "ParameterKey": "pTemplateBucketName",
-        "ParameterValue": "$[alfred_ssm_/org/config/conformance_pack_templates_bucket]"
-    },
-    {
-        "ParameterKey": "pTemplatePrefix",
-        "ParameterValue": "aws-control-tower-detective-guardrails.yaml"
-    },
     {
         "ParameterKey": "pDeliveryBucketName",
         "ParameterValue": "$[alfred_ssm_/org/config/conformance_pack_delivery_bucket]"
@@ -22,5 +14,13 @@
     {
         "ParameterKey": "pExcludedAccounts",
         "ParameterValue": ""
+    },
+    {
+        "ParameterKey": "pTemplateBucketName",
+        "ParameterValue": "$[alfred_ssm_/org/config/conformance_pack_templates_bucket]"
+    },
+    {
+        "ParameterKey": "pTemplatePrefix",
+        "ParameterValue": "aws-control-tower-detective-guardrails.yaml"
     }
 ]

solutions/config/conformance-pack-org/aws-landing-zone/parameters/conformance-pack-org-register-delegated-admin.json

@@ -1,4 +1,16 @@
 [
+    {
+        "ParameterKey": "pDefaultLogGroupRetention",
+        "ParameterValue": "30"
+    },
+    {
+        "ParameterKey": "pDelegatedAdminAccountId",
+        "ParameterValue": "$[alfred_ssm_/org/member/security/account_id]"
+    },
+    {
+        "ParameterKey": "pLambdaExecutionRoleName",
+        "ParameterValue": "aws-landing-zone-config-register-delegated-admin-lambda"
+    },
     {
         "ParameterKey": "pLambdaFunctionName",
         "ParameterValue": "aws-landing-zone-config-register-delegated-admin"
@@ -11,22 +23,10 @@
         "ParameterKey": "pLambdaZipFileName",
         "ParameterValue": "organization-register-delegated-admin-v1.zip"
     },
-    {
-        "ParameterKey": "pDelegatedAdminAccountId",
-        "ParameterValue": "$[alfred_ssm_/org/member/security/account_id]"
-    },
     {
         "ParameterKey": "pLogLevel",
         "ParameterValue": "info"
     },
-    {
-        "ParameterKey": "pDefaultLogGroupRetention",
-        "ParameterValue": "30"
-    },
-    {
-        "ParameterKey": "pLambdaExecutionRoleName",
-        "ParameterValue": "aws-landing-zone-config-register-delegated-admin-lambda"
-    },
     {
         "ParameterKey": "pTagKey1",
         "ParameterValue": "aws-landing-zone"