Closed thebigcosinus closed 1 month ago
There you go
Disclaimer! Double check this yourself!
```yaml
# Indentation restored from the flattened paste; two defects fixed on the way:
#  - "NetpuneSnapshot" -> "NeptuneSnapshot" (the aws-nuke resource type name)
#  - shell-style "*" inside "type: regex" entries rewritten as ".*". aws-nuke
#    runs regex filters as an unanchored search, and a bare "*" in a regex only
#    repeats the preceding character, so "arn:aws:iam::*:saml-provider/..." or
#    "Owner: * ARN: ..." can never match a string that has an account id in it.
#    Bare strings in a list are exact matches; a wildcard needs an explicit type.
regions:           # set for your environment
account-blocklist: # set for your environment
accounts:
  "0000000":
    filters:
      CloudFormationStack:
        - type: glob
          value: "*"
      NeptuneSnapshot:
        - type: glob
          value: "*"
      ConfigServiceConfigRule:
        - type: glob
          value: "*"
      IAMRole:
        - type: regex
          value: "aws-controltower-.*"
        - type: regex
          value: "AWSControlTowerExecution"
        - type: regex
          value: "AWSReservedSSO_.*"
        - "backup"
      IAMRolePolicyAttachment:
        - type: regex
          value: "aws-controltower-.*"
        - type: regex
          value: "AWSReservedSSO_.*"
        - type: glob
          value: "AWSControlTowerExecution*"
        - "backup"
      IAMRolePolicy:
        - type: regex
          value: "aws-controltower-.*"
        - type: regex
          value: "AWSControlTowerExecution"
        - type: regex
          value: "terraform-.*"
      ConfigServiceDeliveryChannel:
        - "aws-controltower-BaselineConfigDeliveryChannel"
      ConfigServiceConfigurationRecorder:
        - "aws-controltower-BaselineConfigRecorder"
      CloudTrailTrail:
        - type: glob
          value: "*"
      EC2DHCPOption:
        - type: glob
          value: "*"
      SNSTopic:
        - type: regex
          value: "TopicARN: arn:aws:sns:eu-west-2:000000000000:aws-controltower-SecurityNotifications.*"
      CloudWatchEventsRule:
        - "Rule: aws-controltower-ConfigComplianceChangeEventRule"
      CloudWatchLogsLogGroup:
        - "/aws/lambda/aws-controltower-NotificationForwarder"
        - "aws-controltower/CloudTrailLogs"
        - "/aws/lambda/us-east-1.basicAuth"
        - type: regex
          value: "/aws/rds/.*"
        - type: regex
          value: "/ecs/.*"
      CloudWatchEventsTarget:
        - type: regex
          value: "Rule: aws-controltower-.*"
      SNSSubscription:
        - type: regex
          value: "Owner: .* ARN: arn:aws:sns:eu-west-2:.*:aws-controltower-.*"
      LambdaFunction:
        - type: regex
          value: "aws-controltower-NotificationForwarder.*"
      GuardDutyDetector:
        - type: glob
          value: "*"
      IAMSAMLProvider:
        - type: regex
          value: "arn:aws:iam::.*:saml-provider/AWSSSO_c0b2c38aa90e902f_DO_NOT_DELETE"
      EFSMountTarget:
        - type: glob
          value: "*"
      AWSBackupRecoveryPoint:
        - type: glob
          value: "*"
      RDSInstance:
        - type: glob
          value: "*"
      NeptuneCluster:
        - type: glob
          value: "*"
```
You might want to use `aws s3 cp s3://aws-nuke-config-retain-control-tower/aws-nuke-config.yaml .` as a baseline and then adapt the values, e.g.:

```sh
yq e '.accounts."PLACEHOLDER".filters.ConfigServiceConfigRule += {"type":"regex","value":".*securityhub.*"}' -i aws-nuke-config.yaml
```
I'd like to contribute what's been working for us. We use AWS SSO and AWS Control Tower.
```yaml
# Reference these from an account entry with:  presets: [sso, controltower]
presets:
  sso:
    filters:
      IAMSAMLProvider:
        - type: "regex"
          value: "AWSSSO_.*_DO_NOT_DELETE"
      IAMRole:
        - type: "glob"
          value: "AWSReservedSSO_*"
      IAMRolePolicyAttachment:
        - type: "glob"
          value: "AWSReservedSSO_*"
  controltower:
    filters:
      CloudTrailTrail:
        - type: "contains"
          value: "aws-controltower"
      CloudWatchEventsRule:
        - type: "contains"
          value: "aws-controltower"
      EC2VPCEndpoint:
        - type: "contains"
          value: "aws-controltower"
      EC2VPC:
        - type: "contains"
          value: "aws-controltower"
      OpsWorksUserProfile:
        - type: "contains"
          value: "AWSControlTowerExecution"
      CloudWatchLogsLogGroup:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTowerBP"
      CloudWatchEventsTarget:
        - type: "contains"
          value: "aws-controltower"
      SNSSubscription:
        - type: "contains"
          value: "aws-controltower"
      SNSTopic:
        - type: "contains"
          value: "aws-controltower"
      EC2Subnet:
        - type: "contains"
          value: "aws-controltower"
      ConfigServiceDeliveryChannel:
        - type: "contains"
          value: "aws-controltower"
      ConfigServiceConfigurationRecorder:
        - type: "contains"
          value: "aws-controltower"
      CloudFormationStack:
        - type: "contains"
          value: "AWSControlTower"
      EC2RouteTable:
        - type: "contains"
          value: "aws-controltower"
      LambdaFunction:
        - type: "contains"
          value: "aws-controltower"
      EC2DHCPOption:
        - type: "contains"
          value: "aws-controltower"
      IAMRole:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTower"
      IAMRolePolicyAttachment:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTower"
      IAMRolePolicy:
        - type: "contains"
          value: "aws-controltower"
```
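A dry-run checker for filter blocks like the two posted in this thread (the per-account `filters` in the first reply and the `presets` directly above), added here as an example; it is not code from aws-nuke or from any commenter. It reimplements the matching rules assumed for aws-nuke v2's four filter types (exact: whole-string equality, which is what a bare string in the list means; glob: shell-style wildcard over the whole string; regex: unanchored search; contains: substring) and runs them over constructed resource strings whose layout is assumed to follow what aws-nuke prints per type (`Owner: <account> ARN: <arn>` for SNSSubscription, `<role> -> <policy>` for IAMRolePolicyAttachment, `Rule: <name>` for CloudWatchEventsRule). The point it demonstrates: a shell-style `*` under `type: regex` (as in `arn:aws:iam::*:saml-provider/...` or `Owner: * ARN: ...`) never matches a string containing an account id, so the SSO provider and Control Tower subscription would be deleted, while `.*`, `glob` or `contains` keeps them. The account id 111122223333 and all resource names are made up.

```python
"""Dry-run checker for aws-nuke style resource filters.

Added example, not code from aws-nuke or from this issue. Filter semantics
are reimplemented here as assumed for aws-nuke v2:
  exact    : whole-string equality (a bare string in the YAML list)
  glob     : shell-style wildcard matched against the whole string
  regex    : unanchored regular-expression search
  contains : plain substring test
Resource strings are constructed samples in the format aws-nuke is assumed to
print for each type, using the fake account id 111122223333.
"""
import fnmatch
import re


def matches(flt, value):
    """True if one filter entry (bare string or {type, value} map) keeps value."""
    if isinstance(flt, str):
        return value == flt                      # bare string == exact match
    ftype = flt.get("type", "exact")
    pattern = flt["value"]
    if ftype == "exact":
        return value == pattern
    if ftype == "glob":
        return fnmatch.fnmatchcase(value, pattern)
    if ftype == "regex":
        return re.search(pattern, value) is not None   # unanchored, like Go's MatchString
    if ftype == "contains":
        return pattern in value
    raise ValueError(f"unsupported filter type: {ftype}")


def retained(filters, rtype, value):
    """True if any filter configured for resource type rtype keeps value."""
    return any(matches(f, value) for f in filters.get(rtype, []))


def plan(filters, resources):
    """Label every (type, string) resource 'filtered' (kept) or 'remove'."""
    return {(t, s): ("filtered" if retained(filters, t, s) else "remove")
            for t, s in resources}


# Constructed inventory (assumed String() layouts, fake ids).
RESOURCES = [
    ("IAMSAMLProvider", "arn:aws:iam::111122223333:saml-provider/AWSSSO_0123456789abcdef_DO_NOT_DELETE"),
    ("IAMRole", "AWSReservedSSO_AdministratorAccess_0123456789abcdef"),
    ("IAMRole", "aws-controltower-ConfigRecorderRole"),
    ("IAMRole", "my-app-role"),
    ("IAMRolePolicyAttachment", "AWSReservedSSO_AdministratorAccess_0123456789abcdef -> AdministratorAccess"),
    ("SNSSubscription", "Owner: 111122223333 ARN: arn:aws:sns:eu-west-2:111122223333:aws-controltower-SecurityNotifications:0f0f0f0f-0000-4000-8000-000000000000"),
    ("CloudWatchEventsRule", "Rule: aws-controltower-ConfigComplianceChangeEventRule"),
]

# Shell-style wildcards written under type: regex (the pattern of the first reply).
BUGGY = {
    "IAMSAMLProvider": [{"type": "regex", "value": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"}],
    "SNSSubscription": [{"type": "regex", "value": "Owner: * ARN: arn:aws:sns:eu-west-2:*:aws-controltower-*"}],
}

# Same intent with regex wildcards spelled ".*", plus glob/contains as in the presets.
FIXED = {
    "IAMSAMLProvider": [{"type": "regex", "value": "AWSSSO_.*_DO_NOT_DELETE"}],
    "IAMRole": [{"type": "glob", "value": "AWSReservedSSO_*"},
                {"type": "contains", "value": "aws-controltower"}],
    "IAMRolePolicyAttachment": [{"type": "glob", "value": "AWSReservedSSO_*"}],
    "SNSSubscription": [{"type": "contains", "value": "aws-controltower"}],
    "CloudWatchEventsRule": ["Rule: aws-controltower-ConfigComplianceChangeEventRule"],
}

if __name__ == "__main__":
    for name, cfg in (("buggy", BUGGY), ("fixed", FIXED)):
        print(f"== {name} ==")
        for (rtype, s), verdict in plan(cfg, RESOURCES).items():
            print(f"{verdict:8} {rtype}: {s}")
```

Run it before pointing aws-nuke at a real account: with `BUGGY` every sample resource is reported `remove`, with `FIXED` only `my-app-role` is. Swap `RESOURCES` for the lines of a `--no-dry-run`-less aws-nuke run (the tool prints each resource with its type and string) to check a candidate filter set against your actual inventory.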
Tracking via https://github.com/ekristen/aws-nuke/issues/330
Please see the copy of the notice from the README about the deprecation of this project. Sven was kind enough to grant me access to help triage and close issues and pull requests that have already been addressed in the actively maintained fork. Some additional information is located in the welcome issue for more information.
> [!CAUTION]
> This repository for aws-nuke is no longer being actively maintained. We recommend users to switch to the actively maintained fork of this project at ekristen/aws-nuke. We appreciate all the support and contributions we've received throughout the life of this project. We believe that the fork will continue to provide the functionality and support that you have come to expect from aws-nuke. Please note that this deprecation means we will not be addressing issues, accepting pull requests, or making future releases from this repository. Thank you for your understanding and support.
Hi,
I'm looking for a template to protect accounts in an organization deployed with AWS SSO and Control Tower
Thanks