Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Related tags

Third-party APIs Wrappersawssecurityautomationcontrol-towereventbridgeaws-web-services
Overview

Automate activities in Control Tower provisioned AWS accounts

Table of contents

  1. Introduction
  2. Architecture
  3. Prerequisites
  4. Tools and services
  5. Usage
  6. Clean up
  7. Reference
  8. Contributing
  9. License

Introduction

This project will configure the following settings on a new AWS account provisioned by AWS Control Tower:

  1. Deletes the default VPC in every region
  2. Adds a CloudWatch Logs resource policy that allows Route53 to log DNS requests to CloudWatch in the us-east-1 (Northern Virginia) region
  3. Enables the account-wide public S3 block setting
  4. Modifies account-level ECS settings
  5. Associates specific principals to shared AWS Service Catalog portfolios
  6. Grants specific AWS SSO groups access to the new account

Architecture

architecture

  1. When AWS Control Tower provisions a new account, a CreateManagedAccount event is sent to the Amazon EventBridge default event bus.
  2. An Amazon EventBridge rule matches the CreateManagedAccount event and triggers an AWS Step Functions state machine that executes AWS Lambda functions in parallel.
  3. The "Delete Default VPC Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and deletes the default VPC from every region.
  4. The "Route53 Logs Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and creates a CloudWatch Logs resource policy in the us-east-1 region that allows Route53 to write DNS query logs to CloudWatch.
  5. The "Public S3 Block Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and enables the account-level S3 public block setting.
  6. The "ECS Settings Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and enables various ECS settings.
  7. The "Portfolio Share Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and accepts shared Service Catalog portfolios in the new account and grants specific principals access to those portfolios.
  8. The "SSO Group Assignment Lambda" function assigns any AWS SSO groups that start with AWS-O-<PermissionSetName> access to the new account with the <PermissionSetName> permission set.

Prerequisites

Tools and services

  • AWS SAM - The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings.
  • AWS Lambda - AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes.
  • AWS Control Tower - AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone.
  • AWS Organizations - AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.
  • Amazon EventBridge - Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources.
  • AWS Service Catalog - AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.
  • AWS Single Sign-On - AWS Single Sign-On (AWS SSO) is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization.

Usage

Parameters

Parameter Type Default Description
OrganizationGroups String us-east-1 List of AWS SSO groups that should have access to all accounts
ExecutionRoleName String AWSControlTowerExecution Execution IAM role name
PortfolioIds String None Service Catalog Portfolio IDs
PermissionSets String None AWS SSO Permission Set names
SigningProfileVersionArn String None Code Signing Profile Version ARN

Installation

The CloudFormation stack must be deployed in the same AWS account and region where the AWS Control Tower landing zone has been created. This is usually the AWS Organizations Management account.

git clone https://github.com/aws-samples/aws-control-tower-account-setup-using-step-functions
cd aws-control-tower-account-setup-using-step-functions
aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name AccountSetupProfile
sam build
sam deploy \
  --guided \
  --signing-profiles \
    S3PublicBlockFunction=AccountSetupProfile \
    DeleteDefaultVpcFunction=AccountSetupProfile \
    Route53QueryLogsFunction=AccountSetupProfile \
    ECSAccountSettingsFunction=AccountSetupProfile \
    SSOAssignmentFunction=AccountSetupProfile \
    ServiceCatalogPortfolioFunction=AccountSetupProfile \
    DependencyLayer=AccountSetupProfile \
  --tags "GITHUB_ORG=aws-samples GITHUB_REPO=aws-control-tower-account-setup-using-step-functions"

Clean up

Deleting the CloudFormation Stack will remove the Lambda functions, state machine and EventBridge rule and new accounts will no longer be updated after they are created.

sam delete

Reference

This solution is inspired by these references:

Contributing

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Owner
AWS Samples
AWS Samples
GitHub Repository https://aws.amazon.com/controltower/
Cryptocurrency Prices Telegram Bot For Python

Cryptocurrency Prices Telegram Bot How to Run Set your telegram bot token as environment variable TELEGRAM_BOT_TOKEN: export TELEGRAM_BOT_TOKEN=your_

Sina Nazem 3 Oct 31, 2022
EpikCord.py - This is an API Wrapper for Discord's API for Python

EpikCord.py - This is an API Wrapper for Discord's API for Python! We've decided not to fork discord.py and start completely from scratch for a new, better structuring system!

EpikHost 28 Oct 10, 2022
simple discord token grabber with webhook hiding feature.

Token Grabber A simple Discord token grabber with base64 webhook encoding, it uses pastebin as a database to get webhook, so next time u dont get your

0 Dec 01, 2021
Stock market bot that will be used to learn about API calls and database connections.

Stock market bot that will be used to learn about API calls and database connections.

1 Dec 24, 2021
An API wrapper for Discord written in Python.

HCord A fork of discord.py project. HCord is a modern, easy to use, feature-rich, and async ready API wrapper for Discord written in Python. Key Featu

HCord 0 Jul 30, 2022
Kyura-Userbot: a modular Telegram userbot that runs in Python3 with a sqlalchemy database

Kyura-Userbot Telegram Kyura-Userbot adalah userbot Telegram modular yang berjal

Kyura 17 Oct 29, 2022
a list of disposable and temporary email address domains

List of disposable email domains This repo contains a list of disposable and temporary email address domains often used to register dummy users in ord

1.6k Jan 08, 2023
a discord libary that use to make discord bot with low efficiency and bad performance because I don't know how to manage the project

Aircord 🛩️ a discord libary that use to make discord bot with low efficiency and bad performance because I don't know how to manage the project Examp

Aircord 2 Oct 24, 2021
A bot that updates about the most subscribed artist' channels on YouTube

A bot that updates about the most subscribed artist' channels on YouTube. A weekly top chart report is provided every Monday. It posts updates on Twitter

Marco Fantauzzo 5 Dec 14, 2022
Requests based multi-threaded script for increasing followers on Spotify

Proxyless Spotify Follow Bot Requests based multi-threaded script for increasing followers on Spotify. Click here to report bugs. Usage Download ZIP h

397 Jan 03, 2023
Popcorn-time-api - Python API for interacting with the Popcorn Time Servers

Popcorn Time API 📝 CONTRIBUTIONS Before doing any contribution read CONTRIBUTIN

Antonio 3 Oct 31, 2022
A Discord Token Grabber/Stealer But It's in One Line of Coding

Discord-Token-Grabber-But-In-One-Line That's a Discord Token Grabber/Stealer But It's in One Line of Coding! The Name Says All 3

YoSoyAngi 2 Jan 11, 2022
Set up recurring buys in Gemini

Overview Set up recurring buys in Gemini. Given some keys (Create API Keys), allows you to configure a recurring buy using the reduced API maker and t

Ahmad Abuomar 3 Jan 06, 2022
A Discord token grabber written in Python3, with awesome obfuscation and anti-debug protection.

☣️ Plague ☣️ Plague is a Discord token grabber written in Python3, obfuscated with Kramer, protected from traffic analysers with Scarecrow and using t

Billy 125 Dec 20, 2022
Telegram Radio - A User-bot who continuously play random audio files (from the famous telegram music channel @mveargasm) in the intended voice chat.

MvEargasmDJ: This is my submission for the Telegram Radio Project of Baivaru. Which required a userbot to continiously play random audio files from th

eyaadh 24 Nov 12, 2022
Telegram bot to stream videos in telegram voicechat for both groups and channels. Supports live strams, YouTube videos and telegram media.

Telegram bot to stream videos in telegram voicechat for both groups and channels. Supports live strams, YouTube videos and telegram media.

SUBIN 449 Dec 27, 2022
A pyrogram simple bot for Educational purpose.

A pyrogram simple bot for Educational purpose. To Learn More check at @PyrogramBot or on Documentation Mandatory variables API_ID - Get It From my.tel

SpamShield 10 Dec 06, 2022
Telegram Bot for generating and decoding QR-codes

Telegram openqrgen_bot Telegram Bot that generates from user's messages and decodes QR-codes from photos. Also contains rickroll detection :) Just typ

2 Nov 14, 2021
Yes, it's true :revolving_hearts: This repository has 301 stars.

Yes, it's true! Inspired by a similar repository from @RealPeha, but implemented using a webhook on AWS Lambda and API Gateway, so it's serv

511 Dec 30, 2022
Graviti TensorBay Python SDK

TensorBay Python SDK is a python library to access TensorBay and manage your datasets. It provides: A pythonic way to access your

Graviti 72 Aug 22, 2022