Detailed instruction on how to setup a Secure Landing Zone solution can be found on following confluence page:
$ aws organizations list-accounts$ cd AWSLandingZoneFollow the instructions given on the following page: https://webgate.ec.europa.eu/fpfis/wikis/display/CVTF/%5BAWS%5D+Account+creation+broker+procedure
To configure the SecLog account that you just created, we'll need to run the EC-Setup-SecLog.sh script by adding following parameters:
Run the script
$ ./EC-Setup-SecLog.sh --organisation DIGIT_ORG_ACC --seclogprofile D3_seclog --splunkprofile EC_DIGIT_C2-SPLUNK --notificationemail D3-SecNotif@ec.europa.eu --logdestination dgtest Wait for the execution of the installation script to finish. When done, the user will see a message with the following instructions:
---------------------------------------------------------------------------------------------------------
| ATTENTION PLEASE: |
---------------------------------------------------------------------------------------------------------
| |
| Please check the installation of the stackset instances from the AWS console for the SECLOG account |
| The moment all instances are deployed, please execute the 2nd stage of the LZ installation with the |
| following command: |
| |
| sh ./SH/EC-Enable-SecurityHub-Controls-All-Regions.sh {seclogprofile} |
| |
---------------------------------------------------------------------------------------------------------Check in the SECLOG account if all stackset instances have been deployed, and when all is done, copy and paste the command as shown to execute it.
If you wish to disable any of the default SOC log integrations, use the appropriate flags (can be combined on a single script call)
Disable CloudTrail integration
$ ./EC-Setup-SecLog.sh --organisation DIGIT_ORG_ACC --seclogprofile D3_seclog --splunkprofile EC_DIGIT_C2-SPLUNK --notificationemail D3-SecNotif@ec.europa.eu --logdestination dgtest --cloudtrailintegration falseDisable GuardDuty integration
$ ./EC-Setup-SecLog.sh --organisation DIGIT_ORG_ACC --seclogprofile D3_seclog --splunkprofile EC_DIGIT_C2-SPLUNK --notificationemail D3-SecNotif@ec.europa.eu --logdestination dgtest --guarddutyintegration falseDisable SecurityHub integration
$ ./EC-Setup-SecLog.sh --organisation DIGIT_ORG_ACC --seclogprofile D3_seclog --splunkprofile EC_DIGIT_C2-SPLUNK --notificationemail D3-SecNotif@ec.europa.eu --logdestination dgtest --securityhubintegration falseRun script in batch mode - no confirmation asked from user
$ ./EC-Setup-SecLog.sh--seclogprofile D3_seclog --splunkprofile EC_DIGIT_C2-SPLUNK --notificationemail D3-SecNotif@ec.europa.eu --logdestination dgtest --batch trueFollow the instructions given on the following page: https://webgate.ec.europa.eu/fpfis/wikis/display/CVTF/%5BAWS%5D+Account+creation+broker+procedure
This script will add a new (or existing) client account to the secure landing zone environment.
For existing accounts, make sure the SECLZ-CreateCloudBrokerRole exists in the client account, otherwise execute this script in the client account first: "https://webgate.ec.europa.eu/CITnet/stash/projects/CLOUDLZ/repos/aws-secure-landing-zone/raw/EC-landingzone-v2/CFN/EC-lz-CloudBroker-Role.yml?at=refs%2Fheads%2Fmaster"
This script will:
To configure the Client account that you just created, we'll need to run the EC-Setup-Client.sh script by adding the following parameters:
Run the script
$ ./EC-Setup-Client.sh --organisation EC_BROKER_ADM --clientaccprofile D3_Acc1 --seclogprofile D3_seclogOr if you're provided with an norganisational unit ID, use the following:
$ ./EC-Setup-Client.sh --organisation EC_BROKER_ADM --ou ou-jh16-abcdefgh --clientaccprofile D3_Acc1 --seclogprofile D3_seclogOr, if thte organisation account is not available, use the following:
$ ./EC-Setup-Client.sh --clientaccountemail digit-cloud-tech-account-aXXX@ec.europa.eu --clientaccprofile D3_Acc1 --seclogprofile D3_seclogWait for the execution of the installation script to finish. When done, the user will see a message with the following instructions:
---------------------------------------------------------------------------------------------------------
| ATTENTION PLEASE: |
---------------------------------------------------------------------------------------------------------
| |
| Please check the installation of the stackset instances from the AWS console for the SECLOG account |
| The moment all instances are deployed, please execute the 2nd stage of the LZ installation with the |
| following command: |
| |
| sh ./SH/EC-Enable-SecurityHub-Controls-All-Regions.sh {clientaccprofile} |
| |
---------------------------------------------------------------------------------------------------------Check in the SECLOG account if all stackset instances have been deployed, and when all is done, copy and paste the command as shown to execute it.
Run script in batch mode - no confirmation asked from user
This is a 3 stage process. First execute the setup script to deploy the base components of the LZ on the client account by issuing the following command:
$ ./EC-Setup-Client.sh --organisation EC_BROKER_ADM --clientaccprofile D3_Acc1 --seclogprofile D3_seclog --batch trueOr, if thte organisation account is not available, use the following:
$ ./EC-Setup-Client.sh --clientaccountemail digit-cloud-tech-account-aXXX@ec.europa.eu --clientaccprofile D3_Acc1 --seclogprofile D3_seclog --batch trueWait for the execution of the installation script to finish. When done, the user will see a message with the following instructions:
--------------------------------------------------------------------------------------------------------------------
| ATTENTION PLEASE: |
--------------------------------------------------------------------------------------------------------------------
| |
| |
| Batch mode has been selected. You'll be required to execute an intermediary step to create instances from |
| two stacksets provisioned on the seclog account. When the batch installation of the LZ script finishes, |
| please execute the following command: |
| |
| sh ./SH/EC-Install-Stacksets-from-SecLog-Account.sh 001111111111,002222222222,... $seclogprofile |
| |
| where the first parameter (comma separated) are the client account IDs where the LZ has been installed and |
| the second parameter is the SECLOG account profile. |
| |
| Please check the installation of the stackset instances from the AWS console for the SECLOG account. As soon |
| all the instances are deployed, please execute the 2nd stage of the LZ installation with the following command |
| |
| sh ./SH/EC-Enable-SecurityHub-Controls-All-Regions.sh $clientaccprofile |
| |
--------------------------------------------------------------------------------------------------------------------The second stage is to deploy the stackset instances on all regions for all accounts that were installed as part of the batch execution. The EC-Install-Stacksets-from-SecLog-Account.sh will require 2 parameters:
For the 3rd stage, first check in the SECLOG account if all stackset instances have been deployed. When it's all is done, execute the last command from the message above for "all" client accounts..
Updates are now based a new approach that combines all steps in a single stage for the SECLOG account as well all the linked associated accounts. This script can be run as usual on the DEVOPS management account, or if required can also be executed directly on the SECLOG account via AWS CloudShell.
Note: This options gives the ability to the customer to update the Secure Landing Zone themselves if required.
This script will:
The SLZ is highly configurable and it is based on a manifest file (json format) that is provided as a default template for each release. Users are welcomed to review the manifest and update it as per own needs.
To execute the update script execute the following command (location of the manifest and seclog profile are given as an example; please adapt accordingly):
$ sh ./EC-Update-LZ.sh --manifest ./Update/1.5.0/manifest.json --seclog EC_DIGIT_C1-LZ-SECLOGIn the case the script is to be executed on the SECLOG account directly using AWS Cloudshell, run the following command (no --seclog parameter is required):
$ sh ./EC-Update-LZ.sh --manifest ./Update/1.5.0/manifest.json The script runs unattended and does not require intervention by the user (perhaps only exception would be entering the MFA token if required by the profile).
The shell script will perform a number of actions to prepare the execution environment for the SLZ update script. After that, the update script will perform a number of validations and begin the process of updating the SECLOG account, acording to the pre-defined settings from the manifest file. When done, the script cycles through all the linked accounts associated with the SECLOG and will perform the required updates as mentioned previously.
The manifest file is bound to each release and defines what actions are to be performed by the SLZ update script. A sample can be seen below:
{ "version" : "1.5.0",
"regions" : ["ap-northeast-1","ap-northeast-2","ap-northeast-3","ap-south-1","ap-southeast-1","ap-southeast-2","ca-central-1","eu-central-1","eu-north-1","eu-west-1", "eu-west-2","eu-west-3","sa-east-1","us-east-1","us-east-2","us-west-1","us-west-2"],
"ssm" : {
"seclog-ou" : {
"value" : "",
"update" : false
},
"notification-mail" : {
"value" : "",
"update" : false
},
"cloudtrail-groupname" : {
"value" : "",
"update" : false
},
"insight-groupname" : {
"value" : "",
"update" : false
},
"guardduty-groupname" : {
"value" : "",
"update" : false
},
"securityhub-groupname" : {
"value" : "",
"update" : false
},
"config-groupname" : {
"value" : "/aws/events/config",
"update" : false
},
"alarms-groupname" : {
"value" : "/aws/events/cloudwatch-alarms",
"update" : true
}
},
"stacks" : {
"SECLZ-Cloudtrail-KMS" : {
"update" : true
},
"SECLZ-LogShipper-Lambdas-Bucket" : {
"update" : true
},
"SECLZ-LogShipper-Lambdas" : {
"update" : true
},
"SECLZ-Central-Buckets" : {
"update" : true
},
"SECLZ-Iam-Password-Policy" : {
"update" : true
},
"SECLZ-config-cloudtrail-SNS" : {
"update" : true
},
"SECLZ-Guardduty-detector" : {
"update" : true
},
"SECLZ-SecurityHub" : {
"update" : true
},
"SECLZ-Notifications-Cloudtrail" : {
"update" : true,
"params" : [
{"ParameterKey": "LogGroupName", "ParameterValue": "/org/member/SecLog_cloudtrail-groupname"}
]
},
"SECLZ-CloudwatchLogs-SecurityHub" : {
"update" : true
}
},
"stacksets" : {
"SECLZ-Enable-Config-SecurityHub-Globally" : {
"update" : true
},
"SECLZ-Enable-Guardduty-Globally" : {
"update" : true
}
},
"cis" : {
"cis-aws-foundations-benchmark/v/1.2.0": {
"checks" : ["3.1", "3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"],
"disabled" : true,
"disabled-reason" : "Alarm action unmanaged by SNS but cloudwatch event",
"regions": [],
"exclusions" : ["ap-northeast-3"]
},
"aws-foundational-security-best-practices/v/1.0.0": {
"checks" : ["IAM.1", "IAM.2", "IAM.3", "IAM.4", "IAM.6", "IAM.7", "Config.1"],
"disabled" : true,
"disabled-reason" : "Disable recording of global resources in all but one Region",
"regions": [],
"exclusions" : ["eu-west-1", "ap-northeast-3"]
},
"cis-aws-foundations-benchmark/v/1.2.0/1.14": {
"disabled" : true,
"disabled-reason" : "Managed by Cloud Broker Team",
"regions": ["eu-west-1"],
"exclusions" : []
},
"aws-foundational-security-best-practices/v/1.0.0/IAM.6": {
"disabled" : true,
"disabled-reason" : "Managed by Cloud Broker Team",
"regions": ["eu-west-1"],
"exclusions" : []
}
},
"tags" : [
{ "Key": "Organization","Value": "EC" },
{ "Key": "Owner","Value": "DIGIT.C.1" },
{ "Key": "Environment","Value": "prod" },
{ "Key": "Criticity","Value": "high" },
{ "Key": "Project","Value": "secLZ" },
{ "Key": "Confidentiality","Value": "confidential" },
{ "Key": "ApplicationRole","Value": "security" }
],
"accounts" : {
"exclude" : [],
"include" : []
}
}
Attributes are as follows: