Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Related tags

Third-party APIs Wrappersawssecurityautomationcontrol-towereventbridgeaws-web-services
Overview

Automate activities in Control Tower provisioned AWS accounts

Table of contents

  1. Introduction
  2. Architecture
  3. Prerequisites
  4. Tools and services
  5. Usage
  6. Clean up
  7. Reference
  8. Contributing
  9. License

Introduction

This project will configure the following settings on a new AWS account provisioned by AWS Control Tower:

  1. Deletes the default VPC in every region
  2. Adds a CloudWatch Logs resource policy that allows Route53 to log DNS requests to CloudWatch in the us-east-1 (Northern Virginia) region
  3. Enables the account-wide public S3 block setting
  4. Modifies account-level ECS settings
  5. Associates specific principals to shared AWS Service Catalog portfolios
  6. Grants specific AWS SSO groups access to the new account

Architecture

architecture

  1. When AWS Control Tower provisions a new account, a CreateManagedAccount event is sent to the Amazon EventBridge default event bus.
  2. An Amazon EventBridge rule matches the CreateManagedAccount event and triggers an AWS Step Functions state machine that executes AWS Lambda functions in parallel.
  3. The "Delete Default VPC Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and deletes the default VPC from every region.
  4. The "Route53 Logs Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and creates a CloudWatch Logs resource policy in the us-east-1 region that allows Route53 to write DNS query logs to CloudWatch.
  5. The "Public S3 Block Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and enables the account-level S3 public block setting.
  6. The "ECS Settings Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and enables various ECS settings.
  7. The "Portfolio Share Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and accepts shared Service Catalog portfolios in the new account and grants specific principals access to those portfolios.
  8. The "SSO Group Assignment Lambda" function assigns any AWS SSO groups that start with AWS-O-<PermissionSetName> access to the new account with the <PermissionSetName> permission set.

Prerequisites

Tools and services

  • AWS SAM - The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings.
  • AWS Lambda - AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes.
  • AWS Control Tower - AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone.
  • AWS Organizations - AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.
  • Amazon EventBridge - Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources.
  • AWS Service Catalog - AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.
  • AWS Single Sign-On - AWS Single Sign-On (AWS SSO) is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization.

Usage

Parameters

Parameter Type Default Description
OrganizationGroups String us-east-1 List of AWS SSO groups that should have access to all accounts
ExecutionRoleName String AWSControlTowerExecution Execution IAM role name
PortfolioIds String None Service Catalog Portfolio IDs
PermissionSets String None AWS SSO Permission Set names
SigningProfileVersionArn String None Code Signing Profile Version ARN

Installation

The CloudFormation stack must be deployed in the same AWS account and region where the AWS Control Tower landing zone has been created. This is usually the AWS Organizations Management account.

git clone https://github.com/aws-samples/aws-control-tower-account-setup-using-step-functions
cd aws-control-tower-account-setup-using-step-functions
aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name AccountSetupProfile
sam build
sam deploy \
  --guided \
  --signing-profiles \
    S3PublicBlockFunction=AccountSetupProfile \
    DeleteDefaultVpcFunction=AccountSetupProfile \
    Route53QueryLogsFunction=AccountSetupProfile \
    ECSAccountSettingsFunction=AccountSetupProfile \
    SSOAssignmentFunction=AccountSetupProfile \
    ServiceCatalogPortfolioFunction=AccountSetupProfile \
    DependencyLayer=AccountSetupProfile \
  --tags "GITHUB_ORG=aws-samples GITHUB_REPO=aws-control-tower-account-setup-using-step-functions"

Clean up

Deleting the CloudFormation Stack will remove the Lambda functions, state machine and EventBridge rule and new accounts will no longer be updated after they are created.

sam delete

Reference

This solution is inspired by these references:

Contributing

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Owner
AWS Samples
AWS Samples
GitHub Repository https://aws.amazon.com/controltower/
A replacement for Reddit /r/copypasta CummyBot2000 with extra measures to avoid it being banned.

CummyBot1984 A replacement for Reddit /r/copypasta's CummyBot2000 with extra measures to respect Reddit's API rules. Features Copies and replies to ev

2 Feb 21, 2022
Python API for working with RESQML models

resqpy: Python API for working with RESQML models Introduction resqpy is a pure python package which provides a programming interface (API) for readin

BP 44 Dec 14, 2022
telegram bot that calculates file hash / Dosya toplamı hesaplayan telegram botu

Telegram File Hash Bot FileHashBot: 🇬🇧 Bot that calculates file hashes. 🇹🇷 Dosya toplamları hesaplayan bot. Demo in Telegram: @FileHashBot 🇬🇧 Se

Hüzünlü Artemis [HuzunluArtemis] 5 Jun 29, 2022
TwitterDataStreaming - Twitter data streaming using APIs

Twitter_Data_Streaming Twitter data streaming using APIs Use Case 1: Streaming r

Rita Kushwaha 1 Jan 21, 2022
This is a very easy to use tool developed in python that will search for free courses from multiple sites including youtube and enroll in the ones in which it can.

Free-Course-Hunter-and-Enroller This is a very easy to use tool developed in python that will search for free courses from multiple sites including yo

Zain 12 Nov 12, 2022
Python Library for Accessing the Cohere API

Cohere Python SDK This package provides functionality developed to simplify interfacing with the Cohere API in Python 3. Documentation See the API's d

cohere.ai 42 Jan 03, 2023
A Script to automate fowarding all new messages from one/many channel(s) to another channel(s), without the forwarded tag.

Channel Auto Message Forward A script to automate fowarding all new messages from one/many channel(s) to another channel(s), without the forwarded tag

16 Oct 21, 2022
A python library built on the API of the coderHub.sa, which helps you to fetch the challenges and more

coderHub A python library built on the API of the coderHub.sa, which helps you to fetch the challenges and more Installation • Features • Usage • Lice

TheAwiteb 5 Nov 04, 2022
This is a cryptocurrency trading bot that analyses Reddit sentiment and places trades on Binance based on reddit post and comment sentiment. If you like this project please consider donating via brave. Thanks.

This is a cryptocurrency trading bot that analyses Reddit sentiment and places trades on Binance based on reddit post and comment sentiment. The bot f

Andrei 157 Dec 15, 2022
An automated tool that fetches information about your crypto stake and generates historical data in time.

Introduction Yield explorer is a WIP! I needed a tool that would show me historical data and performance of my staked crypto but was unable to find a

Sedat Can Yalçın 42 Nov 26, 2022
This Binance trading bot detects new coins as soon as they are listed on the Binance exchange and automatically places sell and buy orders. It comes with trailing stop loss and other features. If you like this project please consider donating via Brave.

binance-trading-bot-new-coins This Binance trading bot detects new coins as soon as they are listed on the Binance exchange and automatically places s

Andrei 1.4k Dec 24, 2022
We’re releasing an open-source tool you can use now, which we developed as a homemade Just-In-Time database access control tool for our sensitive database. This tool syncs with our directory service, slack, SIEM, and finally, our Apache Cassandra database.

Cassandra Access Control By Aner Izraeli - Intezer Security Manager ([email p

Intezer Labs 6 Mar 31, 2022
Python SDK for 42DI

42di Python SDK Install pip install git+https://github.com/42di/python-sdk import import di #42di import pandas_datareader as pdr Init SDK project =

42DI 2 Nov 03, 2021
An Open Source ALL-In-One Telegram RoBot, that can do lot of things.

URL Uploader Bot An Open Source ALL-In-One Telegram RoBot, that can do lot of things. My Features Installation The Easy Way You can also tap the Deplo

NT BOTS 1 Oct 23, 2021
Python SDK for interacting with the Frame.io API.

python-frameio-client Frame.io Frame.io is a cloud-based collaboration hub that allows video professionals to share files, comment on clips real-time,

Frame.io 37 Dec 21, 2022
Create Fast and easy image datasets using reddit

Reddit-Image-Scraper Reddit Reddit is an American Social news aggregation, web content rating, and discussion website. Reddit has been devided by topi

Wasin Silakong 4 Apr 27, 2022
Flood discord webhooks

Webhook-Spammer Flood discord webhooks Asynchronous webhook spammer Fast & Efficient Usage - Use it with atleast 500 threads Put a valid webhook Use a

trey 1 Apr 22, 2022
Una herramienta para transmitir mensajes automáticamente a múltiples grupos de chat

chat-broadcast Una herramienta para transmitir mensajes automáticamente a múltiples grupos de chat Setup Librerías Necesitas Python 3 con la librería

Seguimos 2 Jan 09, 2022
a small cli to generate AWS Well Architected Reports on the road

well-architected-review This repo intends to publish some scripts related to Well Architected Reviews. war.py extracts in txt & xlsx files all the WAR

4 Mar 18, 2022
Python API to interact with Uwazi

Python Uwazi API Quick Start To use the API install the requirements pip3 install -r requirements.txt and use it like this: uwazi_adapter = UwaziAdap

HURIDOCS 2 Dec 16, 2021