Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Related tags

Third-party APIs Wrappersawssecurityautomationcontrol-towereventbridgeaws-web-services
Overview

Automate activities in Control Tower provisioned AWS accounts

Table of contents

  1. Introduction
  2. Architecture
  3. Prerequisites
  4. Tools and services
  5. Usage
  6. Clean up
  7. Reference
  8. Contributing
  9. License

Introduction

This project will configure the following settings on a new AWS account provisioned by AWS Control Tower:

  1. Deletes the default VPC in every region
  2. Adds a CloudWatch Logs resource policy that allows Route53 to log DNS requests to CloudWatch in the us-east-1 (Northern Virginia) region
  3. Enables the account-wide public S3 block setting
  4. Modifies account-level ECS settings
  5. Associates specific principals to shared AWS Service Catalog portfolios
  6. Grants specific AWS SSO groups access to the new account

Architecture

architecture

  1. When AWS Control Tower provisions a new account, a CreateManagedAccount event is sent to the Amazon EventBridge default event bus.
  2. An Amazon EventBridge rule matches the CreateManagedAccount event and triggers an AWS Step Functions state machine that executes AWS Lambda functions in parallel.
  3. The "Delete Default VPC Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and deletes the default VPC from every region.
  4. The "Route53 Logs Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and creates a CloudWatch Logs resource policy in the us-east-1 region that allows Route53 to write DNS query logs to CloudWatch.
  5. The "Public S3 Block Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and enables the account-level S3 public block setting.
  6. The "ECS Settings Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and enables various ECS settings.
  7. The "Portfolio Share Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and accepts shared Service Catalog portfolios in the new account and grants specific principals access to those portfolios.
  8. The "SSO Group Assignment Lambda" function assigns any AWS SSO groups that start with AWS-O-<PermissionSetName> access to the new account with the <PermissionSetName> permission set.

Prerequisites

Tools and services

  • AWS SAM - The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings.
  • AWS Lambda - AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes.
  • AWS Control Tower - AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone.
  • AWS Organizations - AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.
  • Amazon EventBridge - Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources.
  • AWS Service Catalog - AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.
  • AWS Single Sign-On - AWS Single Sign-On (AWS SSO) is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization.

Usage

Parameters

Parameter Type Default Description
OrganizationGroups String us-east-1 List of AWS SSO groups that should have access to all accounts
ExecutionRoleName String AWSControlTowerExecution Execution IAM role name
PortfolioIds String None Service Catalog Portfolio IDs
PermissionSets String None AWS SSO Permission Set names
SigningProfileVersionArn String None Code Signing Profile Version ARN

Installation

The CloudFormation stack must be deployed in the same AWS account and region where the AWS Control Tower landing zone has been created. This is usually the AWS Organizations Management account.

git clone https://github.com/aws-samples/aws-control-tower-account-setup-using-step-functions
cd aws-control-tower-account-setup-using-step-functions
aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name AccountSetupProfile
sam build
sam deploy \
  --guided \
  --signing-profiles \
    S3PublicBlockFunction=AccountSetupProfile \
    DeleteDefaultVpcFunction=AccountSetupProfile \
    Route53QueryLogsFunction=AccountSetupProfile \
    ECSAccountSettingsFunction=AccountSetupProfile \
    SSOAssignmentFunction=AccountSetupProfile \
    ServiceCatalogPortfolioFunction=AccountSetupProfile \
    DependencyLayer=AccountSetupProfile \
  --tags "GITHUB_ORG=aws-samples GITHUB_REPO=aws-control-tower-account-setup-using-step-functions"

Clean up

Deleting the CloudFormation Stack will remove the Lambda functions, state machine and EventBridge rule and new accounts will no longer be updated after they are created.

sam delete

Reference

This solution is inspired by these references:

Contributing

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Owner
AWS Samples
AWS Samples
GitHub Repository https://aws.amazon.com/controltower/
Bot inspirado no Baidu Antivírus

Baidu Bot Bot inspirado no lendário Baidu Antivírus Informações O programa foi inteiramente feito em Python, sinta-se livre para fazer qualquer altera

Caio Eduardo de Albuquerque Magalhães 1 Dec 18, 2021
a Music bot for discord

Bot this is a discord bot made by AnHalfGuy.py#6031(ID: 747864072879603743) and HastagStopAnimalAbuse#5617(ID :349916852308279306) This Bot Is For Mus

A Discord Bot Development 1 Oct 29, 2021
An advanced telegram movie information finder bot

An advanced telegram movie information finder bot

Fayas Noushad 22 Aug 23, 2022
This is a Telegram video compress bot repo. By Binary Tech💫

This is a Telegram Video Compress Bot. Prouduct By Binary Tech 💫 Features Compresse videos and generate screenshots too.You can set custom video name

silentz lk 2 Jan 06, 2022
Innocent-Bot - A Discord client self-bot for destroying, nuking and causing mischief in servers

Innocent-bot A Discord client self-bot for destroying, nuking and causing mischi

†† 5 Jan 26, 2022
Touca SDK for Python

Touca SDK For Python Touca helps you understand the true impact of your day to day code changes on the behavior and performance of your overall softwa

Touca 12 May 18, 2022
A delivery protection and notification system

DeliveryProtect This project builds a delivery protection and notification system, based on integration of Arduino Uno and Raspberry Pi 4. The codes a

2 Dec 13, 2021
A modern,feature-rich, and async ready API wrapper for Discord written in Python

discord.io A modern, easy to use, feature-rich, and async ready API wrapper for Discord written in Python. Key Features Modern Pythonic API using asyn

Vincent 18 Jan 02, 2023
Simple discord token generator good for memberboosting your server! Uses Hcaptcha bypass

discord-tokens-generator INFO This is a Simple Discord Token Generator which creates unverified discord accounts These accounts are good for member bo

Avenger 41 Dec 20, 2022
Helpful aws-boto3-scripts - Python3 scripts that include threading to quickly perform a few checks on any keys added to an input file

Helpful aws boto3 scripts python3 scripts that include threading to quickly perf

Cedric Owens 16 Sep 27, 2022
Media Replay Engine (MRE) is a framework to build automated video clipping and replay (highlight) generation pipelines for live and video-on-demand content.

Media Replay Engine (MRE) is a framework for building automated video clipping and replay (highlight) generation pipelines using AWS services for live

Amazon Web Services - Labs 30 Nov 29, 2022
Discord bot ( discord.py ), uses pandas library from python for data-management.

Discord_bot A Best and the most easy-to-use Discord bot !! Some simple basic auto moderations, Chat functions. It includes a game similar to Casino, g

Jaitej 4 Aug 30, 2022
Código para trabalho com o dataset Wine em Python

Um perceptron multicamadas (MLP) é uma rede neural artificial feedforward que gera um conjunto de saídas a partir de um conjunto de entradas. Um MLP é

Hemili Beatriz 1 Jan 08, 2022
This is an Advanced Calculator maybe with Discord Buttons in python.

Welcome! This is an Advanced Calculator maybe with Discord Buttons in python. This was the first version of the calculator, made for my discord bot, P

Polsulpicien 18 Dec 24, 2022
Sms-bomber - A Simple Browser Automated Bomber

A Simple Browser Automated Bomber which uses selenium :D Star the Repo and Follo

Terminal1337 9 Apr 11, 2022
𝘼 𝙗𝙤𝙩 𝙩𝙝𝙖𝙩 𝙘𝙖𝙣 𝙥𝙡𝙖𝙮 𝙢𝙪𝙨𝙞𝙘 𝙤𝙣 𝙏𝙚𝙡𝙚𝙜𝙧𝙖𝙢 𝙂𝙧𝙤𝙪𝙥 𝙖𝙣𝙙 𝘾𝙝𝙖𝙣𝙣𝙚𝙡 𝙑𝙤𝙞𝙘𝙚 𝘾𝙝𝙖𝙩𝙨

Free and Open Source Channel/Group Voice chat music player for telegram ❤️ with button support, deezer and saavn playback support @Sadew451

Sadew Jayasekara 23 Oct 21, 2022
A quick way to verify your Climate Hack.AI (2022) submission locally!

Climate Hack.AI (2022) Submission Validator This repository contains code that allows you to quickly validate your Climate Hack.AI (2022) submission l

Jeremy 3 Mar 03, 2022
Discord E-Store Bot

A delivery bot for Discord, works like Amazon where real users can pack & deliver orders in different servers!

Amit Pathak 2 Jan 28, 2022
The smart farm is an idea that designing Smart Farm by IoT

The smart farm is an idea that designing Smart Farm by IoT. Using Raspberry Pi 4 detect the data from different sensors(Raindrop sensor and DHT22 sensor), and push the data to Azure IoT central.

Jiage 1 Jan 11, 2022
Discord Mass Report script that uses multiple tokens

Discord-Mass-Report Discord Mass Report script that uses multiple tokens, full credits to https://github.com/hoki0/Discord-mass-report who made it in

cChimney 4 Jun 08, 2022