- Introduction
- Architecture
- Prerequisites
- Tools and services
- Usage
- Clean up
- Reference
- Contributing
- License
This project configures the following AWS Organizations functionality:
- Set up the AWS Control Tower "Audit" account to be the delegated administrator for:
- Amazon GuardDuty
- AWS Security Hub
- AWS Firewall Manager
- Amazon Macie
- AWS IAM Access Analyzer
- Amazon Inspector
- Amazon Detective
- Amazon Security Lake
- Enables organizational sharing for AWS Service Catalog and AWS Resource Access Manager (RAM)
- Optionally, configures an AI opt-out policy at the organization root
- When an AWS Control Tower landing zone is created, a SetupLandingZone event is sent to the Amazon EventBridge default event bus.
- An Amazon EventBridge rule matches the
SetupLandingZoneevent and triggers theOrganizationSetupAWS Lambda function. - The AWS Lambda function will coordinate the various services to set up the security operations account
- Python 3, installed
- AWS Command Line Interface (AWS CLI) version 2, installed
- AWS Serverless Application Model (SAM), installed
- Docker Desktop, installed
- AWS SAM - The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings.
- AWS Lambda - AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes.
- AWS Control Tower - AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone.
- AWS Organizations - AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.
- Amazon GuardDuty - Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
- AWS Security Hub - AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts.
- Amazon EventBridge - Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources.
- Amazon Macie - Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
- AWS Firewall Manager - AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations.
- AWS Service Catalog - AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.
- AWS Resource Access Manager - AWS Resource Access Manager (RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM users for supported resource types.
- AWS IAM Access Analyzer - IAM Access Analyzer helps you review existing access so that you can identify and remove unintended external or unused permissions.
- Amazon Inspector - Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
- Amazon Detective - Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
- Amazon Security Lake - Amazon Security Lake automatically centralizes security data from cloud, on-premises, and custom sources into a purpose-built data lake stored in your account.
| Parameter | Type | Default | Description |
|---|---|---|---|
| Regions | String | us-east-1 | Comma-delimited list of regions to enable for GuardDuty and Security Hub |
| ExecutionRoleName | String | AWSControlTowerExecution | IAM execution role in each new account |
| AdministratorAccountName | String | Audit | Name of the AWS account to use for security operations |
| ExecutionCount | Number | 1 | Increment value to re-execute OrganizationSetup Lambda function |
| EnableAIOptOutPolicy | String | false | Optionally opt-out of AI-service improvement |
| SigningProfileVersionArn | String | None | Code Signing Profile Version ARN |
The CloudFormation stack must be deployed in the same AWS account where the AWS Control Tower landing zone will be created. This is usually the AWS Organizations Management account.
git clone https://github.com/aws-samples/aws-control-tower-org-setup-sample
cd aws-control-tower-org-setup-sample
aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name OrganizationSetupProfile
sam build
sam deploy \
--guided \
--signing-profiles OrganizationSetupFunction=OrganizationSetupProfile \
--tags "GITHUB_ORG=aws-samples GITHUB_REPO=aws-control-tower-org-setup-sample"
Deleting the CloudFormation Stack will remove the Lambda function and EventBridge rule. All of the administrator delegations will not be removed.
sam delete
This solution is inspired by these references:
- Why not Terraform?
- AWS Solutions Library - Customizations for AWS Control Tower
- AWS Deployment Framework
- How to automate the creation of multiple accounts in AWS Control Tower
- Enabling AWS IAM Access Analyzer on AWS Control Tower accounts
- Automating AWS Security Hub Alerts with AWS Control Tower lifecycle events
- Using lifecycle events to track AWS Control Tower actions and trigger automated workflows
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.