aws-solutions / automated-security-response-on-aws

Automated Security Response on AWS is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.
https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/
Apache License 2.0

Customizations for Control Tower (CfCT) deployments #206

Open julian-price opened 4 days ago

julian-price commented 4 days ago

Customizations for Control Tower (CfCT) is a controlled means of deploying change (CloudFormation StackSets and SCPs) across a Control Tower landing zone. It supports lifecycle events (e.g. new account creation) as a trigger to ensure that deployments remain synchronised across the entire landing zone.

It is used by many AWS solutions, such as the Security Reference Architecture (SRA) as a means of deploying those solutions, reducing complexity, and providing an audited, automated means of deploying change across a whole Organization.

Describe the feature you'd like

An enhancement for the sharr solution would be to provide a documented CfCT deployment mechanism for the solution. Below are the manifest.yaml entries I used to perform my deployment of the solution, utilising the #204 enhancement to store a single set of shared KMS keys in the Control Tower audit account.

Note that this solution does not include delegation of the SecurityHub management account, nor does it include deployment of SecurityHub itself. If using the SRA, it provides a mechanism to delegate SecurityHub management to the CT audit account and deploy the SecurityHub solution there.

The scripts below use the Alfred Helper to read parameters from SSM parameters which are stored in the management account. This is available as part of the CfCT solution, although the parameters used below are created by the SRA. Even without using the Alfred Helper, parameters could be provided as account IDs.

The resource_file parameter allows for CloudFormation templates to be loaded from https:// or s3:// URLs. While this is how I deployed the solution, those URLs have been removed for brevity below and instead the files are being loaded from the templates/ folder within the CfCT Git repo.

  - name: aws-sharr-org-shared-key
    description: Deploy the Automated Security Response on AWS solution shared KMS key to each CT region
    resource_file: templates/aws-sharr-org-shared-key.template
    parameters:
      - parameter_key: 'OrganizationId'
        parameter_value: '$[alfred_ssm_/sra/control-tower/organization-id]'
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - <e.g. audit account name or ID>
    regions:
      - <list each region where the solution is to be deployed>

  - name: aws-sharr-deploy
    description: Deploy the main SecurityHub solution for the Automated Security Response on AWS. Deployed to  
    resource_file: templates/aws-sharr-deploy.template
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - <SecurityHub account name or ID>

  - name: aws-sharr-member-roles
    description: Deploy the member roles for the Automated Security Response on AWS. Deploy to every account, but only to the CT home region
    resource_file: templates/aws-sharr-member-roles.template
    parameters:
      - parameter_key: 'SecHubAdminAccount'
        parameter_value: '$[alfred_ssm_/sra/control-tower/audit-account-id]'
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Root

  - name: aws-sharr-member
    description: Deploy the member solution for the Automated Security Response on AWS to every account and region
    resource_file: templates/aws-sharr-member.template
    parameters:
      - parameter_key: 'SecHubAdminAccount'
        parameter_value: '$[alfred_ssm_/sra/control-tower/audit-account-id]'
      - parameter_key: 'KeyMgmtAdminAccount'
        parameter_value: '$[alfred_ssm_/sra/control-tower/audit-account-id]'
      - parameter_key: 'LogGroupName'
        parameter_value: '/Solutions/SO0111/Metrics_LogGroupName'
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Root
    regions:
      - <list each region where the solution is to be deployed>
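
A pre-flight consistency check for the four manifest entries above, added here as an example and not part of the issue or of the solution's own code. It assumes the manifest has already been parsed (the YAML rebuilt inline as Python lists and dicts, with placeholder account IDs and regions), that the Alfred Helper resolves `$[alfred_ssm_<name>]` references from SSM in the management account, and that an entry without `regions` deploys to the CT home region only.

```python
import re
# Constructed stand-in for the SSM parameters the Alfred Helper reads from the
# management account; values are placeholders, not real IDs.
SSM = {"/sra/control-tower/organization-id": "o-exampleorgid",
       "/sra/control-tower/audit-account-id": "222222222222"}
HOME_REGION = "eu-west-2"  # assumed CT home region, used when an entry has no 'regions'
ALFRED = re.compile(r"^\$\[alfred_ssm_(?P<name>[^\]]+)\]$")

def resolve(value, ssm):
    """Resolve a $[alfred_ssm_<name>] reference; plain values pass through (None if missing)."""
    m = ALFRED.match(value)
    return ssm.get(m.group("name")) if m else value

def params(resource, ssm):
    """Parameter map of one manifest entry with Alfred references resolved."""
    return {p["parameter_key"]: resolve(p["parameter_value"], ssm) for p in resource.get("parameters", [])}

def check_manifest(resources, ssm, home_region=HOME_REGION):
    """Return the consistency problems found across the four SHARR manifest entries."""
    by_name = {r["name"]: r for r in resources}
    accounts = lambda r: set(r["deployment_targets"].get("accounts", []))
    regions = lambda r: set(r.get("regions", [home_region]))
    problems = []
    for r in resources:  # every Alfred reference must resolve to a value
        problems += [f"{r['name']}: parameter {k} does not resolve" for k, v in params(r, ssm).items() if v is None]
    key, deploy, member = (by_name[n] for n in ("aws-sharr-org-shared-key", "aws-sharr-deploy", "aws-sharr-member"))
    for name in ("aws-sharr-member-roles", "aws-sharr-member"):  # members must trust the admin stack's account
        admin = params(by_name[name], ssm).get("SecHubAdminAccount")
        if admin not in accounts(deploy):
            problems.append(f"{name}: SecHubAdminAccount {admin} is not an aws-sharr-deploy target")
    if params(member, ssm).get("KeyMgmtAdminAccount") not in accounts(key):
        problems.append("aws-sharr-member: KeyMgmtAdminAccount is not where the shared key is deployed")
    problems += [f"aws-sharr-member: no shared key deployed in {r}" for r in sorted(regions(member) - regions(key))]
    return problems

def entry(name, targets, parameters=(), regions=None):
    """One manifest entry in the shape CfCT expects (constructed test data)."""
    e = {"name": name, "resource_file": f"templates/{name}.template", "deploy_method": "stack_set",
         "deployment_targets": targets, "parameters": [{"parameter_key": k, "parameter_value": v} for k, v in parameters]}
    return e if regions is None else {**e, "regions": regions}
AUDIT = "$[alfred_ssm_/sra/control-tower/audit-account-id]"
MANIFEST = [  # the issue's four entries, with placeholder account IDs and regions
    entry("aws-sharr-org-shared-key", {"accounts": ["222222222222"]},
          [("OrganizationId", "$[alfred_ssm_/sra/control-tower/organization-id]")], ["eu-west-2", "eu-west-1"]),
    entry("aws-sharr-deploy", {"accounts": ["222222222222"]}),
    entry("aws-sharr-member-roles", {"organizational_units": ["Root"]}, [("SecHubAdminAccount", AUDIT)]),
    entry("aws-sharr-member", {"organizational_units": ["Root"]}, [("SecHubAdminAccount", AUDIT),
          ("KeyMgmtAdminAccount", AUDIT), ("LogGroupName", "/Solutions/SO0111/Metrics_LogGroupName")], ["eu-west-2", "eu-west-1"]),
]
```

Running `check_manifest(MANIFEST, SSM)` on the entries as written returns no problems; dropping a region from the shared-key entry or an SSM parameter from the audit account reports exactly which entry would fail at deploy time.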
jrgaray27 commented 2 days ago

Hi Julian, We appreciate the detailed feature request! We will add this to our backlog to evaluate for future enhancement releases.

Thanks.