Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Related tags

Third-party APIs Wrappersawssecurityautomationcontrol-towereventbridgeaws-web-services
Overview

Automate activities in Control Tower provisioned AWS accounts

Table of contents

  1. Introduction
  2. Architecture
  3. Prerequisites
  4. Tools and services
  5. Usage
  6. Clean up
  7. Reference
  8. Contributing
  9. License

Introduction

This project will configure the following settings on a new AWS account provisioned by AWS Control Tower:

  1. Deletes the default VPC in every region
  2. Adds a CloudWatch Logs resource policy that allows Route53 to log DNS requests to CloudWatch in the us-east-1 (Northern Virginia) region
  3. Enables the account-wide public S3 block setting
  4. Modifies account-level ECS settings
  5. Associates specific principals to shared AWS Service Catalog portfolios
  6. Grants specific AWS SSO groups access to the new account

Architecture

architecture

  1. When AWS Control Tower provisions a new account, a CreateManagedAccount event is sent to the Amazon EventBridge default event bus.
  2. An Amazon EventBridge rule matches the CreateManagedAccount event and triggers an AWS Step Functions state machine that executes AWS Lambda functions in parallel.
  3. The "Delete Default VPC Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and deletes the default VPC from every region.
  4. The "Route53 Logs Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and creates a CloudWatch Logs resource policy in the us-east-1 region that allows Route53 to write DNS query logs to CloudWatch.
  5. The "Public S3 Block Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and enables the account-level S3 public block setting.
  6. The "ECS Settings Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and enables various ECS settings.
  7. The "Portfolio Share Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and accepts shared Service Catalog portfolios in the new account and grants specific principals access to those portfolios.
  8. The "SSO Group Assignment Lambda" function assigns any AWS SSO groups that start with AWS-O-<PermissionSetName> access to the new account with the <PermissionSetName> permission set.

Prerequisites

Tools and services

  • AWS SAM - The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings.
  • AWS Lambda - AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes.
  • AWS Control Tower - AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone.
  • AWS Organizations - AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.
  • Amazon EventBridge - Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources.
  • AWS Service Catalog - AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.
  • AWS Single Sign-On - AWS Single Sign-On (AWS SSO) is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization.

Usage

Parameters

Parameter Type Default Description
OrganizationGroups String us-east-1 List of AWS SSO groups that should have access to all accounts
ExecutionRoleName String AWSControlTowerExecution Execution IAM role name
PortfolioIds String None Service Catalog Portfolio IDs
PermissionSets String None AWS SSO Permission Set names
SigningProfileVersionArn String None Code Signing Profile Version ARN

Installation

The CloudFormation stack must be deployed in the same AWS account and region where the AWS Control Tower landing zone has been created. This is usually the AWS Organizations Management account.

git clone https://github.com/aws-samples/aws-control-tower-account-setup-using-step-functions
cd aws-control-tower-account-setup-using-step-functions
aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name AccountSetupProfile
sam build
sam deploy \
  --guided \
  --signing-profiles \
    S3PublicBlockFunction=AccountSetupProfile \
    DeleteDefaultVpcFunction=AccountSetupProfile \
    Route53QueryLogsFunction=AccountSetupProfile \
    ECSAccountSettingsFunction=AccountSetupProfile \
    SSOAssignmentFunction=AccountSetupProfile \
    ServiceCatalogPortfolioFunction=AccountSetupProfile \
    DependencyLayer=AccountSetupProfile \
  --tags "GITHUB_ORG=aws-samples GITHUB_REPO=aws-control-tower-account-setup-using-step-functions"

Clean up

Deleting the CloudFormation Stack will remove the Lambda functions, state machine and EventBridge rule and new accounts will no longer be updated after they are created.

sam delete

Reference

This solution is inspired by these references:

Contributing

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Owner
AWS Samples
AWS Samples
GitHub Repository https://aws.amazon.com/controltower/
“Hey there 👋 I'm szrosebot .A Powerful, Smart And Simple Group Manager with some extra features..

A Powerful, Smart And Simple Group Manager szrose bot This is the clone of DewmiBotit is a Powerful, Smart And Simple Group Manager bot made by hiruna

slgeekshow 36 Oct 30, 2022
The official Python library for the Plutto API

Plutto Ruby SDK This library will help you easily integrate Plutto API to your software, making your developer life a little bit more enjoyable. Insta

Plutto 3 Nov 23, 2021
A repository for 8G server's discord bot

8G Discord-Bot A general-purpose discord bot for the 8G Discord-Server To setup: Create a new file called secrets.py and make it look like this TOKEN=

1 Jan 12, 2022
A Telegram bot to upload files from Telegram or Direct links to Google Drive.

Google Drive Uploader Telegram Bot A Telegram bot to upload files from Telegram or Direct links to Google Drive. Features Telegram files support. Dire

IDNCoderX 21 Dec 05, 2022
Drop-in Replacement of pychallonge

pychal Pychal is a drop-in replacement of pychallonge with some extra features and support for new Python versions. Pychal provides python bindings fo

ZED 29 Nov 28, 2022
Use GitHub Actions to create a serverless service.

ActionServerless - Use GitHub Actions to create a serverless service ActionServerless is an action to do some computing and then generate a string/JSO

107 Oct 28, 2022
A simple Telegram bot that analyses a given word, built with python-telegram-bot

Telegram Word Bot A simple Telegram bot that analyses a given word, built with python-telegram-bot. The bot is fairly useless - unless you often need

Chris N 2 Jul 14, 2022
Cord Python API Client

Cord Python API Client The data programming platform for AI 💻 Features Minimal low-level Python client that allows you to interact with Cord's API Su

Cord 52 Nov 25, 2022
An attempt to escape the horrible JIRA editor.

An attempt to escape the horrible JIRA editor. jira_filter.py is a pandoc filter that cleans up some of JIRA's html so that it can be converted to Mar

Stefan Matting 2 Feb 10, 2022
Discord Unverified Token Gen

Discord-Unverified-Token-Gen This is a token gen that was made in an hour and just generates unverified tokens, most will be locked. Usage: in cmd jus

Aran 2 Oct 23, 2022
Free and Open Source Group Voice chat music player for telegram ❤️ with button support youtube playback support

Free and Open Source Group Voice chat music player for telegram ❤️ with button support youtube playback support

Sehath Perera 1 Jan 08, 2022
A component of BuzzUtilityBot that allows for inter-server communication

A component of BuzzUtilityBot that allows for inter-server communication! Separated due to privacy and ease of inspection concerns

OHaiiBuzzle 2 Oct 11, 2022
A Twitter bot developed in Python using the Tweepy library and hosted in AWS.

Twitter Cameroon: @atangana_aron A Twitter bot developed in Python using the Tweepy library and hosted in AWS. https://twitter.com/atangana_aron Cost

1 Jan 30, 2022
ARKHAM X GOD MULTISPAM BOT

ARKHAM-X-GOD-MULTISPAM-BOT 𝗗𝗘𝗣𝗟𝗢𝗬 𝗨𝗣𝗧𝗢 30 𝗕𝗢𝗧𝗦 𝗜𝗡 𝗔 𝗦𝗜𝗡𝗚𝗟?

ArkhamXGod 2 Jan 08, 2022
Powerful Ethereum Smart-Contract Toolkit

Heimdall Heimdall is an advanced and modular smart-contract toolkit which aims to make dealing with smart contracts on EVM based chains easier. Instal

Jonathan Becker 69 Dec 26, 2022
Throttle and debounce add-on for Pyrogram

pyrothrottle Throttle and debounce add-on for Pyrogram Quickstart implementation on decorators from pyrogram import Client, filters from pyrogram.type

7 Oct 01, 2022
TM1py is a Python package that wraps the TM1 REST API in a simple to use library.

By wrapping the IBM Planning Analytics (TM1) REST API in a concise Python framework, TM1py facilitates Python developments for TM1. Interacting with T

Cubewise CODE 147 Dec 15, 2022
A simple Facebook Account generator, written in python (needs different Email so Accounts do not get banned)

FacebookAccountGenerator FAB is a Facebook-Account generating script, written in python Installation Use the package manager pip to install selenium p

MrOverload 7 Jan 05, 2023
Its Is A Telegram Maths Basic Calculator Bot

Its Is A Telegram Maths Basic Calculator Bot

ANKIT KUMAR 1 Dec 26, 2021
This Bot Can Upload Video from Link Of Pdisk to Pdisk using its API. @PredatorHackerzZ

𝐏𝐝𝐢𝐬𝐤 𝐂𝐨𝐧𝐯𝐞𝐫𝐭𝐞𝐫 𝐁𝐨𝐭 Make short link by using 𝐏𝐝𝐢𝐬𝐤 API key Installation 𝐓𝐡𝐞 𝐄𝐚𝐬𝐲 𝐖𝐚𝐲 𝐑𝐞𝐪𝐮𝐢𝐫𝐞𝐝 𝐕𝐚𝐫𝐢𝐚𝐛𝐥𝐞

ρяє∂αтσя 25 Dec 02, 2022