Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.

Last update: Dec 29, 2022

Overview

Landing Zone Accelerator on AWS

The Landing Zone Accelerator on AWS solution helps you quickly deploy a secure, resilient, scalable, and fully automated cloud foundation that accelerates your readiness for your cloud compliance program. A landing zone is a cloud environment that offers a recommended starting point, including default accounts, account structure, network and security layouts, and so forth. From a landing zone, you can deploy workloads that utilize your solutions and applications.

The Landing Zone Accelerator (LZA) is architected to align with AWS best practices and in conformance with multiple, global compliance frameworks. When used in coordination with services such as AWS Control Tower, the Landing Zone Accelerator provides a comprehensive no-code solution across 35+ AWS services to manage and govern a multi-account environment built to support customers with highly-regulated workloads and complex compliance requirements. The LZA helps you establish platform readiness with security, compliance, and operational capabilities.

This solution is provided as an open-source project that is built using the AWS Cloud Development Kit (CDK). You install directly into your environment giving you full access to the infrastructure as code (IaC) solution. Through a simplified set of configuration files, you are able to configure additional functionality, guardrails and security services (eg. AWS Managed Config Rules, and AWS SecurityHub), manage your foundational networking topology (eg. VPCs, Transit Gateways, and Network Firewall), and generate additional workload accounts using the AWS Control Tower Account Factory.

There are no additional charges or upfront commitments required to use Landing Zone Accelerator on AWS. You pay only for AWS services enabled in order to set up your platform and operate your guardrails. This solution can also support non-standard AWS partitions, including AWS GovCloud (US), and the US Secret and Top Secret regions.

For an overview and solution deployment guide, please visit Landing Zone Accelerator on AWS

IMPORTANT: This solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated. The information contained in this solution implementation guide is not exhaustive. You must be review, evaluate, assess, and approve the solution in compliance with your organization’s particular security features, tools, and configurations. It is the sole responsibility of you and your organization to determine which regulatory requirements are applicable and to ensure that you comply with all requirements. Although this solution discusses both the technical and administrative requirements, this solution does not help you comply with the non-technical administrative requirements.

Package Structure

@aws-accelerator/accelerator

A CDK Application. The core of the accelerator solution. Contains all the stack definitions and deployment pipeline for the accelerator. This also includes the CDK Toolkit orchestration.

@aws-accelerator/config

A pure typescript library containing modules to manage the accelerator config files.

@aws-accelerator/constructs

Contains L2/L3 constructs that have been built to support accelerator actions, such as creating an AWS Organizational Unit or VPC. These constructs are intended to be fully reusable, independent of the accelerator, and do not directly access the accelerator configuration files. Example: CentralLogsBucket, an S3 bucket that is configured with a CMK with the proper key and bucket policies to allow services and accounts in the organization to publish logs to the bucket.

@aws-accelerator/installer

Contains a CDK Application that defines the accelerator Installer stack.

@aws-accelerator/ui (future)

A web application that utilizes the aws-ui-components library to present a console to configure the accelerator

@aws-accelerator/utils

Contains common utilities and types that are needed by @aws-accelerator/* packages. For example, throttling and backoff for AWS SDK calls

@aws-cdk-extensions/cdk-extensions

Contains L2 constructs that extend the functionality of the CDK repo. The CDK repo is an actively developed project. As the accelerator team identifies missing features of the CDK, those features will be initially developed locally within this repo and submitted to the CDK project as a pull request.

@aws-cdk-extensions/tester

Accelerator tester CDK app. This package creates AWS Config custom rules for every test cases defined in test case manifest file.

Included Features

Service / Feature	Resource	Details
AWS Control Tower	Control Tower	Enabled in the global-config.yaml. It is recommended that AWS Control Tower is enabled, if available, in the desired home region for your environment prior to installing the accelerator. When enabled, the accelerator will integrate with resources and guardrails deployed by AWS Control Tower.
AWS Config	Config Recorder	The accelerator configures AWS Config Recorders in all specified accounts and regions
AWS Config	Config Rules	Defined in the security-config.yaml and deployed to all specified accounts and regions as individual account Config Rules. Support for Organizations Config Rules is planned for a future version
AWS Organizations	Organizational Units	Defined in the organization-config.yaml and deployed through the management (root) in the home region
AWS Organizations	Service Control Policies	Defined in the organization-config.yaml and deployed through the management (root) in the home region
AWS SecurityHub	SecurityHub	Defined in the security-config.yaml and deployed to all specified accounts and regions. Additionally, the accelerator will designate a service administrator account, commonly this is the security audit account
Amazon Macie	Macie Session	Defined in the security-config.yaml and deployed to all specified accounts and regions. Additionally, the accelerator will designate a service administrator account, commonly this is the security audit account
Amazon GuardDuty	GuardDuty	Defined in the security-config.yaml and deployed to all specified accounts and regions. Additionally, the accelerator will designate a service administrator account, commonly this is the security audit account
AWS Cloudtrail	Organizations Trail	Defined in the global-config.yaml. When specified, an Organizations trail is deployed through the management (root) account to cover all regions, and all trails are recorded to the central-logging-bucket defined in the log-archive account.
Centralized Logging	S3	Defined in the global-config.yaml, integrates with AWS Control Tower, if enabled, to centralize logs from AWS services, such as AWS CloudTrail, AWS Config and VPC FlowLogs
AWS IAM	Policies / Roles / Groups / Users	Defined in the iam-config.yaml and deployed to all specified accounts and regions. The accelerator will integrate an identity provider (IdP) metadata document can be stored in AWS CUsers that are specified in the configuration are created with AWS Secrets Manager generated passwords and stored locally in the account where the user was created.
AWS IAM	SAML Federation	Defined in the iam-config.yaml and deployed to all specified accounts and regions. The accelerator will integrate the specified identity provider (IdP) metadata document with AWS IAM.
Core Networking	VPC / Subnets / Route Tables / Security Groups/ NACLs	Defined in the network-config.yaml and deployed to all specified accounts and regions
Core Networking	Transit Gateway	Defined in the network-config.yaml and deployed to all specified accounts and regions. The accelerator will automatically attach VPCs to specified Transit Gateways
Core Networking	VPC Endpoints	Defined in the network-config.yaml and deployed to all specified accounts and regions. The accelerator will also deploy AWS Route53 Hosted Zones to specified VPCs to support centralized VPC endpoint usage
Core Networking	VPC Flow Logs	Defined in the network-config.yaml and deployed to all specified accounts and regions. VPC Flow Logs can be configured on all defined VPCs to send to S3 for centralized logging and/or CloudWatch Logs

Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at

http://www.apache.org/licenses/

or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and limitations under the License.

Comments

Landing Zone Failure

Hello Team,

I hope you are doing well. I am testing AWS Landing Zone Accelerator and actually faced a lot of issues (Using AWS Organization instead of Control Tower) but I was able to fix it all. However, I am currently stuck with the Bootstrap Phase of CodePipeline. The build stage is returning:

Cannot assume role for 3600 seconds: AccessDenied: User: arn:aws:sts::ManagementAccountID:assumed-role/AWSAccelerator-PipelineSt-AdminCdkToolkitRole292E1-LNLW330962BO/AWSCodeBuild-afe03dcb-5634-43cf-852f-8d5e1e7fbf79 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::SecurityAccountID:role/AWSControlTowerExecution

Although I have disabled Control Tower in the global-config file, "controlTower: enable: false" the Bootstrap is still assuming that the Control Tower IAM Role "AWSControlTowerExecution" is created but this is not the case for me. The Landing Zone Accelerator documentation stated that if Control Tower is not enabled, the default Role "OrganizationAccountAccessRole" would do the job. This role is present in all my org accounts and the master account can assume these roles but still, the bootstrap is expecting the "AWSControlTowerExecution" role.

Apologies for any inconvenience and thank you so much for your support on this.

Thanks,
bug

opened by balannan 8
Unable to create stateful firewall rule groups when using strict order
Describe the bug Creating a stateful firewall rule group fails when using strict order.

To Reproduce Add statefulRuleOptions: "STRICT_ORDER" to a stateful firewall rule group in network-config.yaml.

centralNetworkServices: networkFirewall: rules: - name: firewall-rule-group: regions: - *HOME_REGION capacity: 100 type: STATEFUL ruleGroup: rulesSource: statefulRules: - action: PASS header: destination: 10.0.0.0/24 destinationPort: '80' direction: FORWARD protocol: TCP source: 10.50.0.0/20 sourcePort: Any ruleOptions: - keyword: sid settings: ['1'] statefulRuleOptions: "STRICT_ORDER"

Expected behavior Create a stateful firewall rule group with rule option strict order with no error.

Please complete the following information about the solution:

[ ] Version: 1.2.2

[ ] Region: us-gov-west-1

[ ] Was the solution modified from the version published on this repository? No

[ ] If the answer to the previous question was yes, are the changes available on GitHub? N/A

[ ] Have you checked your service quotas for the sevices this solution uses? N/A

[ ] Were there any errors in the CloudWatch Logs? No

Additional context Attached is the CodeBuild error log. I'm sure that I have the correct code because it failed earlier in the Build stage when, I believe, the solution goes through code verification. I changed the code to the snippet above to get past the error, but now it fails at the Network_Prepare stage of Deploy.

firewall-rule-error.txt
response requested
opened by tbmorris 7
Landing Zone Accelerator Does Not Deploy Outside of US-EAST-1
Hi,

I'm trying to deploying the Landing Zone Accelerator in EU-WEST-1. During the CodePipeline Account stage it fails as it is looking for a CDK folder in US-EAST-1. There are only 4 regions listed in the GlobalRegionMap section of the template.

To Reproduce Deploy in any region other than US-EAST-1, US-GOV-WEST-1, US-ISOB-EAST-1 or US-ISO-EAST-1 which are all listed.

Expected behavior Expect LZA to deploy all resources in my EU-WEST-1 not split across EU-WEST-1 and US-EAST-1.

Please complete the following information about the solution:

[ ] Version: [e.g. v1.2.0]

[ ] Region: [e.g. eu-west-1]

[ ] Was the solution modified from the version published on this repository? No

[ ] If the answer to the previous question was yes, are the changes available on GitHub?

[ ] Have you checked your [service quotas] yes (https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) for the sevices this solution uses?

[ ] Were there any errors in the CloudWatch Logs? See screenshots

Screenshots If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context Add any other context about the problem here.
bug
opened by bmadden-arch 5
Does it not create an OU automatically?
Describe the bug The accelerator pipeline not able to create infrastructure OU on first run.

To Reproduce Pipeline runs the first time

Expected behavior Infrastructure OU is automatically created.

Please complete the following information about the solution:

[ x ] Version: [e.g. v1.0.1]

[ x ] Region: ap-south-1

[ x ] Was the solution modified from the version published on this repository? No

[ x ] If the answer to the previous question was yes, are the changes available on GitHub?

[ x ] Have you checked your service quotas for the sevices this solution uses? yes

[ x ] Were there any errors in the CloudWatch Logs? Nope

Screenshots If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context Add any other context about the problem here.
question
opened by deepend-dev 4
bug(doc): initial naming of extra OU created by Control Tower is called "Sandbox" while "Infrastructure" is expected
Describe the bug When choosing Control Tower (CT) to initialise your environment it will propose to create an extra OU which by default is called "Sandbox". But the Installer is expecting it to be called "Infrastructure". It would be great to have it documented.

To Reproduce Follow the LZA doc going the Control Tower way (which only mention "To set up AWS Control Tower, refer to Getting started with AWS Control Tower in the AWS Control Tower User Guide."). Then deploy LZA Installer with CT enabled. It will fail with an error mentioning that "Infrastructure" OU does not exists and found "Sandbox" one instead.

Expected behavior Properly documented setup for CT.

Please complete the following information about the solution:

[x] Version: v1.3.0

bug
opened by flochaz 2
Guard duty S3 protection doesnt honour manifest settings
Describe the bug S3 protection gets enabled on guard duty for all account irrespective of settings are disabled on manifest

To Reproduce

Disable s3protection on guardduty on manifest

It is still comes up as enabled

Expected behavior S3 protection should be disabled

Please complete the following information about the solution:

[ x ] Version: [e.g. v1.1.0]

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0021) - Video On Demand workflow with AWS Step Functions, MediaConvert, MediaPackage, S3, CloudFront and DynamoDB. Version v5.0.0". If the description does not contain the version information, you can look at the mappings section of the template:

guardduty: enable: true excludeRegions: [] s3Protection: enable: false excludeRegions: [] exportConfiguration: enable: true destinationType: S3 exportFrequency: FIFTEEN_MINUTES

[x] Region: ap-south-1

[x] Was the solution modified from the version published on this repository? No

[x] If the answer to the previous question was yes, are the changes available on GitHub? No

[x] Have you checked your service quotas for the sevices this solution uses?

[x] Were there any errors in the CloudWatch Logs?

Screenshots If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context Add any other context about the problem here.
bug
opened by deepend-dev 2
Pipeline Fails Due to a Previous Configuration Reference
Describe the bug A previous accounts configuration contained a reference to an OU that was then removed from the configuration. The pipeline fails to build at the prepare stack step with the resulting CloudWatch message:

Provisioning failure error message: InvalidParametersException The parent organizational unit 'OUName (ou-afqi-xxx5xxx9)' is not enrolled in AWS Control Tower.

where 'OUName (ou-afqi-xxx5xxx9)' does not exist in any LZ Accelerator configuration file. All accounts to be created are under different existing OUs registered successfully in control tower.

To Reproduce Add an OU to the organization config without creating the OU prior. Add an account to the accounts config that references the OU that does not yet exist. run the pipeline using this configuration Add the OU manually using the console and register it in control tower rerun the pipeline. It will fail with a log message that the parent OU is not registered in Control Tower (even though the OUID number is correct, and control tower shows no issues with the OU. The account is not created. delete the configuration from the account and organization configs rerun the pipeline. The same message occurs the the parent OU is not registered in Control Tower

Expected behavior Expected behavior is that removing the references in the accounts and organization config should remove any artifacts from the pipeline. The pipeline should now run successfully and not try to deploy anything to the previous configuration.

Please complete the following information about the solution:

[x] Version: [e.g. v1.1.0] v1.1.0

[x] Region: [e.g. us-east-1]

[x] Was the solution modified from the version published on this repository?

no

[x] If the answer to the previous question was yes, are the changes available on GitHub?

[x] Have you checked your service quotas for the sevices this solution uses?

[x] Were there any errors in the CloudWatch Logs? Full CloudWatch log message:

2022-08-18T22:01:10.162Z 913140eb-f4f7-455f-b024-683254d8af17 INFO { RequestType: 'Delete', ServiceToken: 'arn:aws:lambda:us-east-1:1234567891011:function:AWSAccelerator-PrepareSta-CreateCTAccountsCreateCo-jrmzNQRYwAaI', ResponseURL: 'https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%1234567891011%3Astack/AWSAccelerator-PrepareStack-1234567891011-us-east-1/c4f8e500-1f3f-11ed-8673-0a3a69fb2f09%7CCreateCTAccounts3049A752%7Ca9969771-bdaf-4ef7-9671-1ed7d0b05f66?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20220818T220108Z&X-Amz-SignedHeaders=host&X-Amz-Expires=7200&X-Amz-Credential=AKIA6L7Q4OWTVPX5N4HK%2F20220818%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=7bdc2f2642c72e435def6cc5f00f642150aa2e2ef70550b63b6bfbacd729e718', StackId: 'arn:aws:cloudformation:us-east-1:1234567891011:stack/AWSAccelerator-PrepareStack-1234567891011-us-east-1/c4f8e500-1f3f-11ed-8673-0a3a69fb2f09', RequestId: 'a9969771-bdaf-4ef7-9671-1ed7d0b05f66', LogicalResourceId: 'CreateCTAccounts3049A752', PhysicalResourceId: '97fc9681-1857-4b29-b43e-dca64893d3b2', ResourceType: 'Custom::CreateControlTowerAccounts', ResourceProperties: { ServiceToken: 'arn:aws:lambda:us-east-1:1234567891011:function:AWSAccelerator-PrepareSta-CreateCTAccountsCreateCo-jrmzNQRYwAaI', uuid: 'da85c318-59b8-482b-b0fe-53555cad737f' }, IsComplete: true } 2022-08-18T22:01:10.524Z 913140eb-f4f7-455f-b024-683254d8af17 INFO getSingleAccount response {"Items":[],"Count":0,"ScannedCount":0} 2022-08-18T22:01:10.649Z 913140eb-f4f7-455f-b024-683254d8af17 INFO Provisioning failure error message: InvalidParametersException The parent organizational unit 'Sandbox (ou-afqi-hatb5wy9)' is not enrolled in AWS Control Tower. 2022-08-18T22:01:10.649Z 913140eb-f4f7-455f-b024-683254d8af17 INFO Control Tower account provisioning failed 2022-08-18T22:01:10.649Z 913140eb-f4f7-455f-b024-683254d8af17 INFO Error: Accounts failed to enroll in Control Tower. Check Service Catalog Console at Runtime.Nr [as handler] (/var/task/index.js:1:17989) at processTicksAndRejections (internal/process/task_queues.js:95:5) 2022-08-18T22:01:10.649Z 913140eb-f4f7-455f-b024-683254d8af17 INFO Create accounts failed. Deleting pending account creation records
bug
opened by joshbfei 2
bug(cicd): Change to config repo does not trigger the AWSAccelerator-Pipeline
Describe the bug For any change to be deploy after a commit pushed to the aws-accelerator-config codecommit repo I have to click on "Release Change" in console for them to be applied.

To Reproduce Push updates to the config repo. Nothing will happen in pipeline

Expected behavior Automatic trigger of AWSAccelerator-Pipeline on aws-accelerator-config codecommit repo commits.

Please complete the following information about the solution:

[x] Version: v1.3.0

[x] Region: eu-west-1

[x] Was the solution modified from the version published on this repository? No

[x] If the answer to the previous question was yes, are the changes available on GitHub? -

[x] Have you checked your service quotas for the sevices this solution uses? Yes

[x] Were there any errors in the CloudWatch Logs? No

bug
opened by flochaz 1
AWS IAM Identity Center integration

Now that IAM Identity Center (previous AWS SSO) has a proper set of APIs (https://docs.aws.amazon.com/singlesignon/latest/APIReference/welcome.html) it would be great to be able to manage Permission sets, Groups and account associations through LZA config.

It might be integrated in iam-config.yaml file.
enhancement

opened by flochaz 1
Found Account not in configuration
Describe the bug Prepare phase fails for existing accounts in existing Landing Zone when added to config.

498 | AWSAccelerator-PrepareStack-036499323218-us-east-1 | 4:44:51 PM | CREATE_FAILED | Custom::ValidateEnvironmentConfig | ValidateEnvironmentConfig/Resource/Default (ValidateEnvironmentConfigB40B464F) Received response status [FAILED] from custom resource. Message returned: Error: Found account with id xxxxx in OU Infrastructure that is not in the configuration.,Found account with id xxxxxx in OU Infrastructure that is not in the configuration. Pipeline: AWSAccelerator-Pipeline Phase: Prepare

To Reproduce Existing landing Zone created in Control Tower. Installed Landing zone accelerator 1.2.2 Modified Config to add existing OU and Accounts (Matching Name and Email)

enable: true organizationalUnits: - name: core - name: Security - name: Development - name: Infrastructure - name: Network - name: Production - name: Sandbox serviceControlPolicies: [] taggingPolicies: [] backupPolicies: []

accounts-config.yaml

workloadAccounts: - name: caplz-security-services description: >- The security account email: xxxxx organizationalUnit: Infrastructure - name: caplz-shared-services description: >- The shared services account email: xxxxxx organizationalUnit: Infrastructure

Both Accounts are indeed in this OU and are registered.

ERROR:

Failed resources:

498 | AWSAccelerator-PrepareStack-036499323218-us-east-1 | 4:44:51 PM | CREATE_FAILED | Custom::ValidateEnvironmentConfig | ValidateEnvironmentConfig/Resource/Default (ValidateEnvironmentConfigB40B464F) Received response status [FAILED] from custom resource. Message returned: Error: Found account with id xxxxx3306 in OU Infrastructure that is not in the configuration.,Found account with id xxxxxx344 in OU Infrastructure that is not in the configuration.

Expected behavior Recognize Account Config as Matching AWS Actual

Please complete the following information about the solution:

[release/v1.2.2] Version: [e.g. v1.1.0]

[ us-east-1] Region: [e.g. us-east-1]

[no] Was the solution modified from the version published on this repository?

[no] If the answer to the previous question was yes, are the changes available on GitHub?

[yes] Have you checked your service quotas for the sevices this solution uses?

[yes ] Were there any errors in the CloudWatch Logs?

Screenshots

Additional context Add any other context about the problem here.
bug
opened by joeshawfieldatayo 1
Adding multiple OUs for TagPolicy bug
Describe the bug Specifing multiple OUs for a TagPolicy in the organization-config.yaml causes the LZA pipeline to fail in the bootstrap stage with error: undefined.

To Reproduce Steps to reproduce the behavior. Add more than one OU for a TagPolicy taggingPolicies:

name: TagPolicy description: Organization Tagging Policy policy: tagging-policies/org-tag-policy.json deploymentTargets: organizationalUnits: - Infrastructure - PolicyStaging - Production - Sandbox

Expected behavior A clear and concise description of what you expected to happen. LZA Pipeline to succeed and create the Tagging Policy and attached to passed OUs

Please complete the following information about the solution:

[ ] Version: 1.2.1

[ ] Region: us-east-1

[ ] Was the solution modified from the version published on this repository? No

[ ] If the answer to the previous question was yes, are the changes available on GitHub?

[ ] Have you checked your service quotas for the sevices this solution uses? Not a service limit issue

[ ] Were there any errors in the CloudWatch Logs? No

Screenshots If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context Add any other context about the problem here. Logs from CodeBuild --partition aws [2022-11-11 19:47:45] - info: [toolkit] Executing cdk synth [2022-11-11 19:48:12] - info: [app] Begin Accelerator CDK App [2022-11-11 19:48:13] - debug: [prepare-stack] homeRegion: us-east-1 [2022-11-11 19:48:13] - debug: [prepare-stack] CloudWatch Encryption Key [2022-11-11 19:48:13] - debug: [prepare-stack] Lambda Encryption Key [2022-11-11 19:48:13] - debug: [prepare-stack] Configuration assets creation [2022-11-11 19:48:13] - info: [prepare-stack] Load Config Table [2022-11-11 19:48:13] - info: [prepare-stack] Call create ou construct [2022-11-11 19:48:13] - info: [prepare-stack] newOrgAccountsTable [2022-11-11 19:48:13] - info: [prepare-stack] newControlTowerAccountsTable [2022-11-11 19:48:13] - info: [prepare-stack] Validate Environment [2022-11-11 19:48:13] - info: [prepare-stack] Create new organization accounts [2022-11-11 19:48:13] - info: [prepare-stack] Get Portfolio Id [2022-11-11 19:48:13] - info: [prepare-stack] Create new control tower accounts [2022-11-11 19:48:13] - info: [prepare-stack] Completed stack synthesis [2022-11-11 19:48:13] - debug: [finalize-stack] Region: us-east-1 [2022-11-11 19:48:13] - debug: [finalize-stack] Retrieving CloudWatch kms key [2022-11-11 19:48:13] - info: [finalize-stack] Completed stack synthesis [2022-11-11 19:48:13] - debug: [accounts-stack] Region: us-east-1 [2022-11-11 19:48:13] - debug: [accounts-stack] Enable Service Access for access-analyzer.amazonaws.com [2022-11-11 19:48:13] - debug: [accounts-stack] Enable Service Access for guardduty.amazonaws.com [2022-11-11 19:48:13] - debug: [accounts-stack] Enable Service Access for securityhub.amazonaws.com [2022-11-11 19:48:13] - info: [accounts-stack] Completed stack synthesis [2022-11-11 19:48:13] - debug: [organizations-stack] homeRegion: us-east-1 [2022-11-11 19:48:13] - debug: [organizations-stack] logging.cloudtrail.enable: false [2022-11-11 19:48:13] - debug: [organizations-stack] logging.cloudtrail.organizationTrail: false [2022-11-11 19:48:13] - debug: [organizations-stack] Enable Service Access for access-analyzer.amazonaws.com [2022-11-11 19:48:13] - debug: [organizations-stack] Starts guardduty admin account delegation to the account with email xxxxx account in us-east-1 region [2022-11-11 19:48:13] - debug: [organizations-stack] Guardduty Admin Account ID is xxxxxxx [2022-11-11 19:48:13] - debug: [organizations-stack] Starts SecurityHub admin account delegation to the account with email xxxxxx account in us-east-1 region [2022-11-11 19:48:13] - debug: [organizations-stack] SecurityHub Admin Account ID is xxxxxx [2022-11-11 19:48:13] - info: [organizations-stack] Adding Tagging Policies [2022-11-11 19:48:13] - error: undefined
bug
opened by aws-lroy 1
chore(deps): bump json5 from 1.0.1 to 1.0.2 in /source
Bumps json5 from 1.0.1 to 1.0.2.

Release notes

Sourced from json5's releases.

v1.0.2

Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

Fix: [email protected] is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

a62db1e 1.0.2

e0c23fe docs: update CHANGELOG for v1.0.2

62a6540 fix: add proto to objects and arrays

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0

feat(customizations): Add stack parameters

It would be great if we could specify parameters to customizations.cloudFormationStacks. Example:

Example:

customizations:
  cloudFormationStacks:
    - deploymentTargets:
        organizationalUnits:
          - SDLC
      description: Project A - Auto CDK bootstrap stack
      name: cdk-bootstrap-template
      regions:
        - us-east-1
      runOrder: 1
      template: cloudformation-templates/cdk-bootstrap-template.yaml
      terminationProtection: true
      parameters:
        - CDK_VERSION: 2.48.0
        - QUALIFIER: projectA

enhancement

opened by flochaz 0

feat(identity-center): Add support for identity store

Would be great to be able to manage groups and users through LZA leveraging identity store API the same way we can manage permission sets and assignments
enhancement

opened by flochaz 0
Run a specific stage of the accelerator pipeline

Is your feature request related to a problem? Please describe. In large environments, running the full pipeline takes hours. This discourage customers to use the native LZA configuration files. It would be nice to be able to run simple changes (e.g. adding a new role, adding a new permissionSet, a new assignment etc.) without having the run the full pipeline (or having to stop its execution once the required stage is finished).

Describe the feature you'd like Being able to re-run a single stage of the pipeline (e.g. security or organization) once a configuration change has been made.

Additional context It's also more environmental friendly and uses less resources ;)
enhancement

opened by thi-baut 0
CloudWatch Alarms does not have authorization to access the SNS topic encryption key
Describe the bug LZA 1.2.2 creates the Config aggregator in the Management Account, and when I set the CloudWatch alarms deployment target to this account, the alarm default action will send the notifications to the SNS topics created in the Audit account.

I received the following error message when I created some events to trigger the alarm: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key."

To fix the issue, I have to update the key "accelerator/kms/sns/key" in the Audit account manually as following.

{ "Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow", "Principal": { "Service": "cloudwatch.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey*" ], "Resource": "*" }

To Reproduce Steps to reproduce the behavior.

Expected behavior CloudWatch should have access to the SNS topic encryption key and the Alarm should be able to send the notifications via the topics created in the Audit account.

Please complete the following information about the solution:

[x] Version: [e.g. v1.1.0] v1.2.2

[ ] Region: [e.g. us-east-1]

[ ] Was the solution modified from the version published on this repository?

[ ] If the answer to the previous question was yes, are the changes available on GitHub?

[ ] Have you checked your service quotas for the sevices this solution uses?

[ ] Were there any errors in the CloudWatch Logs?

Screenshots If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context Add any other context about the problem here.
bug
opened by LawLaw443 1
Unable to add customer managed policies to IAM roles
Describe the bug I appear unable to add customer managed policies to IAM roles.

To Reproduce Try to add a customer managed policy to an IAM role within iam-config.yaml

Expected behavior I am expecting to be able to add customer managed policies to IAM roles. Specifically, I am trying to add the LZA generated Session Manager roles to this specific role.

Please complete the following information about the solution:

[ ] Version: v1.2.2

[ ] Region: us-gov-west-1

[ ] Was the solution modified from the version published on this repository? No

[ ] If the answer to the previous question was yes, are the changes available on GitHub? N/A

[ ] Have you checked your service quotas for the sevices this solution uses? N/A

[ ] Were there any errors in the CloudWatch Logs? No

Additional context

I am trying to create all IAM roles necessary to use EKS in the iam-config.yaml file. I can create multiple IAM roles with no problem. When I add the role with only AWS managed policies there are no problems. If I try the same action with only customer managed polices or with both customer managed polices and AWS managed policies, it fails with no apparent error (see attached CodeBuild logs). I have tried assigning customer managed policies with both arn and name, and both have the same results. I even tried to use the wrong customer managed policy name (as seen in the attached CodeBuild log), and I still have no error in the logs, but end up with a failure.

roleSets: # Roles for EKS - deploymentTargets: accounts: - NCCTDev roles: - name: eksRole assumedBy: - type: service principal: eks.amazonaws.com policies: awsManaged: - AmazonEKSClusterPolicy - name: eksNodeRole-temp assumedBy: - type: service principal: ec2.amazonaws.com policies: awsManaged: - AmazonEKSWorkerNodePolicy - AmazonEKS_CNI_Policy - AmazonS3FullAccess - AmazonEC2ContainerRegistryReadOnly customerManaged: - arn:aws-us-gov:iam::****:policy/AWSAccelerator-SessionManagerLogging-us-gov-west-1 - arn:aws-us-gov:iam::****:policy/AWSAccelerator-SessionManagerUserKMS-us-gov-west-1

CodeBuild-Output.txt
bug
opened by tbmorris 3

Releases(v1.3.0)

v1.3.0(Dec 21, 2022)
Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.3.0 for this release). See Deploy the solution for more information.

Added

feat(installer): add support for organization only install

feat(network): add ability to create site-to-site vpn to tgw

feat(network): add ability to specify file with list of suricata rules for network firewall

feat(network): add ability to specify transit gateway peering

feat(network): add ability to create routes for vpc peering connections

feat(network): add ability to create and reference VGWs for VPNs, subnet routes, and gateway route table associations

feat(network): add ability to create third-party firewalls

feat(network): add ability to configure firewall manager

feat(network): add ability to define ALBs and NLBs

feat(logs): allow specification of centralized logging bucket region independent of home region

feat(iam): add ability for IAM policy replacements

feat(organizations): add support to ignore organizational units

feat(organizations): add functionality to move accounts between ous (orgs-only install)

feat(security): add centralized and configurable sns topics

feat(security): add ability to create ACM from s3 and integrate that with ELBv2

feat(guardDuty): enable S3 export config override

feat(guardDuty): provide functionality to enable EKS protection

feat(ssm): enable SSM Inventory

feat(securityhub): add support for CIS 1.4.0 controls in SecurityHub

feat(cloudformation): Create custom CloudFormation stacks

feat(s3): add ability to define policy statements to s3 buckets and keys

feat(quotas): limits increase for services

feat(sso): add ability to configure iam identity center

feat(mad): add ability to configure managed ad

feat(kms): allow parameter replacement in key files

Changed

enhancement(network): add use of static CIDR property for VPC templates

enhancement(network): update Direct Connect custom resource logic to handle asynchronous actions

enhancement(network): add Resolver endpoint name to deployed endpoints

enhancement(logging): transform cloudwatch logs data to allow query from athena

enhancement(organizations): move replacements to stack level

enhancement(organizations): added checks for scps with no OUs or accounts

enhancement(organizations): validate scp count

enhancement(configs): add config rules and ssm auto remediation in AWS GovCloud (US) reference config

fix(logging): update central log key lookup set log bucket to central log region

fix(logging): move account CloudTrail S3 logs to central log bucket

fix(organizations): add cases for null organizations and accounts in SCP

fix(pipeline): force bootstraping to run in global region and home region if missing

fix(ssm) limit api calls to 20 accounts per invocation

fix(sns): update sns policies

fix(sns): added account check on sns kms key policy

fix(kms): add ebs kms policy for cloud9

fix(security): updated sns topic to use home region rather than global region

New Configurations

US Aerospace

US State and Local Government Central IT

Canadian Centre for Cyber Security (CCCS) Cloud Medium

Trusted Secure Enclaves Sensitive Edition (TSE-SE) for National Security, Defence, and National Law Enforcement

Elections

Finance (Tax)

Source code(tar.gz)
Source code(zip)
v1.2.2(Nov 15, 2022)
Important

This release fixes an issue with the deployment of AWS Budgets, and only affects customers that have deployed an AWS Budget, with multiple enabled regions defined in their global-config.yaml, and are using v1.2.1.

In v1.2.1, the definition of AWS Budgets was not limited to only the home region, which caused the object to be deployed to multiple regions. In this release, logic has been added to ensure that AWS Budgets are only added in the defined home region. These steps are required for if you currently have an AWS Budget deployed through LZA release/v1.2.1:

In the AWS console, delete the existing budget within management or any other account where a budget was deployed.

Go into the LZA config repository and remove (or comment out) budgets from the config.

Update to this version (release/v1.2.2) by updating the branch name for your InstallerStack through the AWS CloudFormation console.

Release the changes to the LZA pipeline within the AWS console once to ensure that the current budget is removed from the account.

Once the pipeline has completed, add the budgets back into the global-config.yaml file and release the CodePipeline for LZA

Changed

fix(app) wrap execution in try/catch to surface errors

fix(budgets) budgets causing operations stack to fail

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.2.2 for this release)
Source code(tar.gz)
Source code(zip)
v1.2.1(Oct 13, 2022)
Added

feat(govcloud): add updated govcloud config files

feat(govcloud): add govcloud account vending service catalog product

feat(configs): add healthcare best practices config files

feat(configs): add support aws-cn and config files

Changed

fix(cloudwatch): change security config to support CT organization-level cloudtrail log metrics creation

fix(logging): cloudwatch log replication in aws-us-gov partition

fix(config): syntax error AWS GovCloud (US) config

fix(bootstrap): cdk centralization bug fix

fix(logging): move session manager principal access

fix(security): update package dependencies

fix(installer): solution-helper is emitting delete event

fix(installer): remove installer kms key from loggroup

fix(logging): log replication KMS created in log receiving account only

fix(config): update network config to align with best practices diagram

fix(logging): set resource dependence for accountTrail CloudWatch log group.

fix (pipeline): fix issue with changeset creation and bootstrap

Source code(tar.gz)
Source code(zip)
v1.2.0(Sep 23, 2022)
Added

feat(iam): add path property to IAM RoleSets

feat(logging): Allow configuration of CloudTrail Insights and configuration of Organization Trail

feat(logging): Centralized Logging

feat(network): add ability to configure Gateway Load Balancer

feat(network): AWS Outpost Support

feat(network): Add ability to configure Direct Connect

feat(network): add ability to define gateway route tables

feat(organizations): Update guardrail scp to include CloudTrail and CloudWatch Logs

feat(partition): add support for aws-iso-b

feat(s3): Apply Lifecycle Rules to Central Log Bucket

feat(security): localize KMS key for every environment and service

feat(security): Add Custom KMS CMKs

enhancement(network): Add tags to RAM shared subnets/vpc

Changed

fix(budgets): Budget reports deployment targets bug

fix(config): add checks for OU presence in organization config file from other config files where OUs are referred

fix(config): Fix issues in network-config.yaml reference

fix(iam): iam user password is not set properly

fix(iam): Cross Account SSM parameter role creates in every region

fix(installer): Updating git Personal Access Token not working once it's expired

fix(installer): Fix duplicate execution of pipeline

fix(logging):Update sessionmanager logging

fix(logging): Existing organization trail fails in organization stack

fix(logging) - lambdaKey lookup only in homeRegion

fix(network): VPC templates rework

fix(network): Fix bug with tcpFlags and source/destination bug with network firewall

fix(network): move endpoint creation to new GWLB-specific stack

fix(network): allow multiple VPCs to fetch a RAM share ID for the same IPAM pool or network firewall policy

fix(network): VPC flowlog bucket exists failure when network-vpc stack updates with new vpc with s3 flow log destination

fix(s3): added error logic for expiration values

fix(security) AWS Macie ExportConfigClassification fails when new account added

fix(security): Check keyManagementService for undefined

fix(security): permissions for CrossAccountAcceleratorSsmParamAccessRole

fix(security): When excluded in config, do not enable the automatically enabled standards for security hub

fix(security): Fix issue with GuardDuty S3 protection not enabled in all accounts

fix(security): Empty EBS encryption key in default config file causes pipeline failure

fix(installer): Enable pipeline notification only for the regions that support AWS CodeStar

chore(build): upgrade to cdk v2.28.0

Source code(tar.gz)
Source code(zip)
v1.1.0(Aug 4, 2022)
Added

feat(auditmanager): add support to enable AWS Audit Manager

feat(cloudformation): enable termination protection for all stacks

feat(config): Add the ability to add tags to AWS Config rules

feat(controltower): add drift detection for AWS Control Tower

feat(detective): add support to enable Amazon Detective

feat(installer): add ability to launch the accelerator pipeline at completion of installer pipeline

feat(network): add managed prefix list as a destination in subnet and tgw route tables

feat(network): add ability to define Amazon Route 53 resolver SYSTEM rules

feat(vpc): add ability to use IPAM address pools

enhancement: add AWS GovCloud (US) sample configuration

Changed

fix(organizations): security services Amazon GuardDuty, Amazon Macie, and AWS Security Hub failing when multiple new regions registered

fix(organizations): fix organizational unit creation and GovCloud account add to organization

fix(iam): fix failing pipeline tests due to service linked role descriptions

fix(network): vpc interface endpoints workflows for GovCloud

fix(network): outbound NACL entries causing duplicate entry error

fix(network): Add check for route entry types in network-vpc stack

fix(route53): add uuid to r53association custom resource to force reevaluation

enhancement(network): make route table target property optional

enhancement(budget): budgets scope based on account or ou

enhancement(backup): update backup vaults to use the accelerator key

enhancement(pipeline): move config lint checks to build stage

enhancement(organizations): add pitr to config table

chore(build): update to javascript sdk v2.1152.0

chore(build): upgrade to cdk v2.25.0

chore(build): update lerna to 5.1.8

chore(readme): update installer stack instructions

chore(iam): Update default boundary policy to require MFA

chore(installer): Added email constraints for installer stack

Source code(tar.gz)
Source code(zip)
v1.0.1(Jun 10, 2022)
Changed

fix(installer): require branch param in installer

fix(accounts): accounts stack fails in GovCloud when enabling SERVICE_CONTROL_POLICY type

enhancement: added more explicit error message in account config

fix(controltower): support creation of new account in nested OU with Control Tower

See changelog for more information.
Source code(tar.gz)
Source code(zip)
v1.0.0(May 23, 2022)
Added

All files, initial version

See changelog for more information.
Source code(tar.gz)
Source code(zip)

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.

Related tags

Overview

Landing Zone Accelerator on AWS

Package Structure

@aws-accelerator/accelerator

@aws-accelerator/config

@aws-accelerator/constructs

@aws-accelerator/installer

@aws-accelerator/ui (future)

@aws-accelerator/utils

@aws-cdk-extensions/cdk-extensions

@aws-cdk-extensions/tester

Included Features

Comments

Failed resources:

v1.0.2

Unreleased [code, diff]

v2.2.3 [code, diff]

v2.2.2 [code, diff]

v2.2.1 [code, diff]

v2.2.0 [code, diff]

v2.1.3 [code, diff]

v2.1.2 [code, diff]

Releases(v1.3.0)

v1.3.0(Dec 21, 2022)

Important

Added

Changed

New Configurations

v1.2.2(Nov 15, 2022)

Important

Changed

v1.2.1(Oct 13, 2022)

Added

Changed

v1.2.0(Sep 23, 2022)

Added

Changed

v1.1.0(Aug 4, 2022)

Added

Changed

v1.0.1(Jun 10, 2022)

Changed

v1.0.0(May 23, 2022)

Added

Owner

Amazon Web Services - Labs

An implementation of Saudi Arabia ZATCA's E-Invoicing requirements, processes, and standards in TypeScript.

A simple Prometheus (aggregated) push gateway allowing stateless/serverless workloads, ephemeral and batch jobs to easily expose their metrics.

GreenWebhook is a proxy or gateway between two systems that helps reduce your carbon footprint by dynamically routing or delaying traffic so that your workloads run when and where they will cause the lowest amount of carbon emissions.

A refined tool for exploring open-source projects on GitHub with a file tree, rich Markdown and image previews, multi-pane multi-tab layouts and first-class support for Ink syntax highlighting.

This package support to build a complex application with domain driven design.

For this workshop, we're going to learn more about cloud computing by exploring how to use Pulumi to build, configure, and deploy a real-life, modern application using Docker

A monorepo that uses the AWS Cloud Development Kit to deploy and configure nanomdm on AWS lambda.

The app's backend is written in Python (Flask) and for search it uses Elasticsearch. I used this app as candidate application for learning out how to build, run and deploy a multi-container environment (docker-compose).

Query for CSS brower support data, combined from caniuse and MDN, including version support started and global support percentages.

A WebApp to preview FTML, the SCP Foundation's markup language, on the Web.

From the Linux Foundation office in New York City, welcome to The Untold Stories of Open Source

A Foundation for Scalable Cross-Platform Apps

A hardhat solidity template with necessary libraries that support to develop, compile, test, deploy, upgrade, verify solidity smart contract

A professional truffle solidity template with all necessary libraries that support developer to develop, debug, test, deploy solidity smart contract

FormGear is a framework engine for dynamic form creation and complex form processing and validation for data collection.

Start building admin tools on Slack without going into complex slack syntax and flows.

A Javascript lib about complex

high performance、complex interaction table

🐻 Trying out the bear necessities for complex state management.