awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Support for Amazon Inspector in security_config in Audit account #109

Open ssofian opened 1 year ago

ssofian commented 1 year ago

Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the feature you'd like Support for enabling Amazon Inspector v2 in security_config: designating the Audit account as Delegated Administrator and activating scans across all member accounts in AWS Organizations.

Additional context Add any other context or screenshots about the feature request here.

crissupb commented 1 year ago

Amazon Detective is available in the security config. This is a link to the configuration documentation https://awslabs.github.io/landing-zone-accelerator-on-aws/classes/_aws_accelerator_config.DetectiveConfig.html It is not enabled by default in the best practice configurations because GuardDuty must be enabled for 48 hours prior to enabling Detective. https://docs.aws.amazon.com/detective/latest/adminguide/detective-enabling.html.

Have you configured the service and it's not working?

ssofian commented 1 year ago

Oops... I meant Inspector, not Detective. The subject is Inspector, my bad :)

frankscalzo commented 1 year ago

Following, since I was looking for the same enhancement.

rvanbutselaar commented 1 year ago

Please add this functionality to Landing Zone Accelerator on AWS. We now use Customizations for AWS Control Tower (CfCT) and aws-security-reference-architecture-examples to configure Inspector for new and existing accounts.

It would be nice if we could use a single solution to configure Inspector for new and existing accounts.

richardkeit commented 9 months ago

Hi @crissupb, we'd also be after Inspector configuration - are you able to remove the response requested flag?

APotterIrwinCS commented 4 months ago

This functionality would be helpful for our deployments. Would it be possible to get an update and the response requested flag removed?

ajobayer commented 3 months ago

Hi AWS LZA Team, do you have an ETA for Inspector support? Trying to deploy through SRA and then bake it into customization_config, but it's very challenging!

richardkeit commented 3 months ago

Hi @bo1984,

Are you able to assist with the update of flags?

https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/109#issuecomment-1953173856

rl-gr24 commented 1 week ago

Wanted to follow up and ask whether there is an ETA on this. Using SRA customization is not straightforward, and it would be nice if security-config or another config file "natively" supported the security lake management for the organization.