Merge pull request #2 from aws-ia/html-guide

Generated deployment guide

.project_automation/functional_tests/entrypoint.sh

@@ -22,15 +22,15 @@ if echo "${DIFF_OUTPUT}" | grep "^diff --git a/docs/"; then
     asciidoctor --base-dir docs/ --backend=html5 -o ../index.html -w --doctype=book -a toc2 -a production_build docs/boilerplate/index_deployment_guide.adoc
     ## Create PR with index.html file
     CURRENT_BRANCH=$(git branch --show-current)
-    git checkout main
+    # git checkout main
     git checkout -b "${DOCS_BRANCH}"
     git add index.html
     git commit -m '(automated) rendered html deployment guide'
     git push --set-upstream origin "${DOCS_BRANCH}"
     gh pr create --title 'Generated deployment guide' --body "_This is an automated PR with rendered html file for the deployment guide. Please review it before merge_"
 else
     printf '\nNo changes detected in the /docs files. \n'
-fi  
+fi
 
 ##----------------------------------------------------
 ## Download taskcat overrides from AWS Secrets Manager

.project_automation/static_tests/Dockerfile

@@ -1,4 +1,4 @@
 FROM public.ecr.aws/codebuild/amazonlinux2-x86_64-standard:4.0
 RUN git clone https://github.com/aws-quickstart/qs-cfn-lint-rules.git /tmp/qs-cfn-lint-rules
-RUN cd /tmp/qs-cfn-lint-rules && pip install .
-RUN cfn-lint -u
+RUN cd /tmp/qs-cfn-lint-rules && git checkout 8268db9df3407ccf5383def635bc22e0f99d6b39 && pip install .
+#RUN cfn-lint -u

.project_automation/static_tests/entrypoint.sh

@@ -6,4 +6,11 @@ PROJECT_PATH=${BASE_PATH}/project
 PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
 
 cd $PROJECT_PATH
-cfn-lint --non-zero-exit-code none -t templates/**/*.yaml -a /tmp/qs-cfn-lint-rules/qs_cfn_lint_rules/
+
+# Ignoring the following for migration
+# All warnings,
+# E1019 - Sub validation - false positive for conditionals,
+# E2521 - required properties, E3002 - resource properties - false positive for newer resources than pinned CloudFormation resource spec
+# E3005 - DependsOn - false positive for conditionals,
+# E9101 - Inclusive language check - false positive for database resources
+cfn-lint --ignore-checks W,E1019,E2521,E3002,E3005,E9101,E3030 -t templates/**/*.yaml -a /tmp/qs-cfn-lint-rules/qs_cfn_lint_rules/

.taskcat.yml

@@ -1,33 +1,39 @@
 project:
-  name: cfn-sample-template
-  owner: quickstart@amazon.com
+  name: cfn-ps-cmmc-microsoft-activedirectory
+  owner: quickstart-eng@amazon.com
   package_lambda: false
   regions:
   - ap-northeast-1
   - ap-northeast-2
+  - ap-south-1
   - ap-southeast-1
   - ap-southeast-2
+  - ca-central-1
   - eu-central-1
   - eu-west-1
+  - eu-west-2
+  # - eu-west-3
   - sa-east-1
   - us-east-1
+  - us-east-2
   - us-west-1
   - us-west-2
 tests:
-  sample:
+  cmmc-ad:
     parameters:
-      Param1: 'Inputs to Stack'
-      # Examples: of other taskcat dynamic input parameters for more into see http://taskcat.io
-      #
-      #      AvailabilityZones: $[taskcat_genaz_3]
-      #      ByteValue: 1
-      #      PasswordA: $[taskcat_genpass_8A]
-      #      PasswordB: $[taskcat_genpass_32S]
-      #      RandomNumber: $[taskcat_random-numbers]
-      #      RandomString: $[taskcat_random-string]
-      #      StackName: TestStack
-      #      UUID: $[taskcat_genuuid]
-      #
+      AdministratorPassword: $[taskcat_genpass_16]
+      AvailabilityZones: $[taskcat_genaz_2]
+      CAAdministratorPassword: $[taskcat_genpass_16]
+      CreateS3Buckets: "no"
+      CRLS3BucketName: override
+      DomainAdminPassword: $[taskcat_genpass_16]
+      GPOS3BucketName: override
+      KeyPairName: $[taskcat_getkeypair]
+      LogsS3BucketName: override
+      QSS3BucketName: $[taskcat_autobucket]
+      QSS3BucketRegion: $[taskcat_current_region]
+      RDGWCIDR: 10.0.0.0/16
+      RestoreModePassword: $[taskcat_genpass_16]
     regions:
     - us-east-2
-    template: templates/another-workload.template.yaml
+    template: templates/ad-main-1-ssm.template.yaml

README.md

@@ -0,0 +1,7 @@
+## CMMC-Ready Microsoft Active Directory on the AWS Cloud—Quick Start
+
+For architectural details, step-by-step instructions, and customization options, see the [deployment guide](https://fwd.aws/6Jpan).
+
+To post feedback, submit feature ideas, or report bugs, use the **Issues** section of this GitHub repo. 
+
+To submit code for this Quick Start, see the [AWS Quick Start Contributor's Kit](https://aws-quickstart.github.io/).

docs/certification-authority.md

@@ -0,0 +1,39 @@
+# Microsoft Two-Tier PKI Configuration
+
+This solution deploys a two-tier PKI setup consisting of an offline Root Certification Authority (CA) and an Enterprise Subordinate Certification Authority (CA). The CAs are both configured to run on Microsoft Windows Server hosts that are joined to Microsoft Active Directory (AD) and running on Amazon EC2 instances.
+
+An Amazon S3 bucket is setup along with the CA instances. This bucket is used as the Certificate Revocation Lists (CRL) distribution point. It is also used to fasicilate the transfer of certificates between the Root CA and Subordinate CA during the setup process.
+
+The user logins for Active Directory and the CAs are stored in AWS Secrets Manager. There are 4 logins: domain administrator, alternate domain administrator restore credentials for Active Directory and the local administrator for the CA instances.
+
+## Setup Process
+
+The setup for the CAs is an automated process. An AWS System Manager (SSM) automation document is used to execute a series of Powershell and Powershell DSC scripts in a specific order necessary to complete the entire configuration. Parameter and resource values are passed to the SSM document from the CloudFormation Stack. The document executes the following steps in order:
+
+1. The Instance IDs for each of the CA instances is retrieved
+2. The required Powershell modules are installed from the PSGallery on each of the CA instances
+3. A self-signed certificate is generated on each instance that is used to encrypt/decrypt the Powershell DSC credentials on the given instance
+4. The encrpytion certificates are uploaded to the CRL S3 bucket
+5. The certificate for the opposing CA is downloaded on each CA instance and imported into the local computer certificate store _(ex. Root CA downloads the certificates for Sub CA)_
+    > **Note:** This is necessary because the Powershell DSC script will configure both CA instances at the same time and it will need to decrypt the credentials and use the appropriate certificate given which instance it is configuring at the time.
+6. The DSC Local Configuration Manager (LCM) is configured on each instance. The LCM is instantiated with the self-signed encryption certificate for the given instance
+7. The MOF files are created on each CA instance with the configuration for renaming the instance to the provided host name, setting the local administrator password and joining the instance to the Active Directory domain
+8. The LCM executes the configuration based on those MOFs on each of the CA instances. When complete, the instances are renamed and joined to the domain and then restarted to complete the setup.
+    > **Note:** If the instances are not restarted, the renaming of the instance doesn't in fact take effect and therefore the proceeding scripts cannot reference each CA by name
+9. The MOF files are created on each instance with the configuration for setting up Active Directory Certificate Services (ADCS) and all other components and functions necessary to complete the CA configuration process
+10. The LCM executes the MOF file on the Subordinate CA instance to complete the configuration of both CA instances. This is where the majority of the heavy lifting occurs.
+    > **Note:** This is executed from the Subordinate CA only because the last step in the process is to shutdown the Root CA but also because if you execute it on both instances it actually becomes two separate configuration processes and they will collide with each other
+
+The last step in this process where it runs the configuration for both of the CA instances requires a carefully orchestrated set of actions. This is done using a cross-node configuration script in Powershell DSC which allows a given node to wait for a step to complete on another node before proceeding with the configuration.
+
+## Security
+
+All of the user credentials that are provided to the CloudFormation Stack are stored in AWS Secrets Manager. These Powershell scripts create secure credentail objects by access the Secrets via the FIPS endpoint in the given region for Secrets Manager.
+
+The EBS drives for the Root CA and Subordinate CA instances are encrypted using an AWS Key Management Service Customer Managed Key (KMS CMK). This CMK is created in the parent stack and the Key ID is passed to the CA stack via parameters.
+
+The S3 bucket for the CRL files has a policy that only allows access through the S3 VPC Endpoint. That endpoint is either created via the VPC Stack or is provided via parameters.
+
+The EC2 instances are part of the CA Security Group. This security group only allows traffic from the Domain Controllers Security Group and Domain Members Security Group. Both of those security groups are created in the Active Directory Stacks and the IDs are passed into the CA Stack via parameters.
+
+IAM roles are created and assigned to the SSM automation document and the EC2 instances. These roles follow the principle of least-privilege.

docs/deployment_guide/partner_editable/_settings.adoc

@@ -1,15 +1,15 @@
-:partner-solution-project-name: partner-solution-repo-name
-:partner-solution-github-org: aws-quickstart
-:partner-product-name: Full Product Name
-:partner-product-short-name: Product Name
-:partner-company-name: Example Company Name, Ltd.
-:doc-month: January
+:partner-solution-project-name: cfn-ps-cmmc-microsoft-activedirectory
+:partner-solution-github-org: aws-ia
+:partner-product-name: CMMC-ready Microsoft Active Directory
+:partner-product-short-name: Active Directory
+//:partner-company-name: Example Company Name, Ltd.
+:doc-month: August
 :doc-year: 2023
-:partner-contributors: John Smith, {partner-company-name}
+//:partner-contributors: John Smith, {partner-company-name}
 // :other-contributors: Akua Mansa, Trek10
-:aws-contributors: Janine Singh, AWS IoT Partner team
-:aws-ia-contributors: Toni Jones, AWS Integration & Automation team
-:deployment_time: 15 minutes
+:aws-contributors: Mike Whalen, AWS Cloud Architectam
+:aws-ia-contributors: Dave May and Troy Ameigh, AWS Integration & Automation team
+:deployment_time: 1 hour
 :default_deployment_region: us-east-1
 // :private_repo:
 

docs/deployment_guide/partner_editable/architecture.adoc

@@ -7,22 +7,31 @@ AWS Cloud.
 
 [#architecture1]
 .Partner Solution architecture for {partner-product-short-name} on AWS
-image::../docs/deployment_guide/images/architecture_diagram.png[Architecture]
+image::../docs/deployment_guide/images/cmmc-active-directory-architecture-diagram.png[Architecture]
 
-As shown in <<architecture1>>, this Partner Solution sets up the following:
+As shown in <<architecture1>>, the Quick Start sets up the following:
 
 * A highly available architecture that spans two Availability Zones.*
-* A virtual private cloud (VPC) configured with public and private subnets, according to AWS
+* A VPC configured with public and private subnets, according to AWS
 best practices, to provide you with your own virtual network on AWS.*
 * In the public subnets:
+
 ** Managed network address translation (NAT) gateways to allow outbound
 internet access for resources in the private subnets.*
-** A Linux bastion host in an Auto Scaling group to allow inbound Secure
-Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in public and private subnets.*
+** A Remote Desktop Gateway (RD Gateway) in an Auto Scaling group to allow inbound Remote Desktop Protocol (RDP) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in public and private subnets. An RD Gateway is deployed in Availability Zone 2 only if Availability Zone 1 becomes unavailable.*
+
 * In the private subnets:
-** <item>.
-** <item>.
-// Add bullet points for any additional components that are included in the deployment. Ensure that the additional components are shown in the architecture diagram. End each bullet with a period.
-* <describe any additional components>.
+
+** An offline root certificate authority.
+** Two Active Directory domain controllers.
+** An online subordinate certificate authority.
+// Add bullet points for any additional components that are included in the deployment. Make sure that the additional components are also represented in the architecture diagram. End each bullet with a period.
+
+* Amazon S3 Federal Information Processing Standards (FIPS) endpoints for accessing Group Policy Objects (GPOs), logs, certificate revocation lists (CRLs), and setup files.
+* Lambda functions to check for and import new GPOs.
+* AWS Systems Manager automation to import GPOs and set up both the Active Directory domain controllers and the certificate authority.
+* AWS Secrets Manager to store credentials.
+* An AWS Key Management Service (AWS KMS) customer master key (CMK) to use with Amazon Elastic Block Store (Amazon EBS) and AWS Secrets Manager encryption.
+* Encrypted Amazon EBS volumes for the Amazon EC2 instances. 
 
 [.small]#* The template that deploys this Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.#

docs/deployment_guide/partner_editable/deployment_options.adoc

@@ -1,8 +1,5 @@
 // Edit this placeholder text as necessary to describe the deployment options.
 
-This Partner Solution provides the following deployment options:
+This Partner Solution provides the following deployment option:
 
-* https://qs_launch_permalink[Deploy {partner-product-short-name} into a new VPC^]. This option builds a new AWS environment that consists of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys {partner-product-short-name} into this new VPC.
-* https://qs_launch_permalink[Deploy {partner-product-short-name} into an existing VPC^]. This option provisions {partner-product-short-name} in your existing AWS infrastructure.
-
-This Partner Solution provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and {partner-product-short-name} settings.
+* https://fwd.aws/vNGq5[Deploy {partner-product-short-name} into a new VPC^]. This option provides the ability to build a new AWS environment that comprising a VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components, and then deploy {partner-product-short-name} into this new VPC, or to deploy {partner-product-short-name} into an existing VPC.

docs/deployment_guide/partner_editable/licenses.adoc

@@ -1,3 +1,5 @@
 // Include details about any licenses and how to sign up. Provide links as appropriate.
 
-There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the https://fwd.aws/rA69w?[AWS Partner Solution General Information Guide^].
+There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the https://fwd.aws/rA69w?[AWS Partner Solution General Information Guide^].
+
+This Quick Start launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2019 and includes the license for the Windows Server operating system. The AMI is updated on a regular basis with the latest service pack for the operating system, so you don’t have to install any updates. The Windows Server AMI includes two Microsoft Remote Desktop Services licenses. The Windows Server AMI doesn’t require Client Access Licenses (CALs). For details, see https://aws.amazon.com/windows/resources/licensing/[Microsoft Licensing on AWS^].