Merge pull request #106 from andywick-aws/quick-setup

Quick Setup

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2022-07-29](#2022-07-29)
 - [2022-07-15](#2022-07-15)
 - [2022-05-23](#2022-05-23)
 - [2022-05-15](#2022-05-15)
@@ -30,6 +31,23 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2022-07-29
+
+### Added<!-- omit in toc -->
+
+- Added [Quick Setup](aws_sra_examples/quick_setup/) which provides the ability to deploy all the solutions from a single centralized CloudFormation template.
+
+### Changed<!-- omit in toc -->
+
+- Updated all the solution main templates to use a consistent naming convention for solution parameter labels.
+- Added pSourceStackName parameter to the [AWS Config Conformance Pack](aws_sra_examples/solutions/config/config_conformance_pack_org) and [Security Hub Organization](aws_sra_examples/solutions/securityhub/securityhub_org) solutions to handle the DependsOn requirement for the Config Management Account solution within the Quick Setup solution.
+- Updated the [Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org), [Macie](aws_sra_examples/solutions/macie/macie_org), [GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org), and [IAM Password Policy](aws_sra_examples/solutions/iam/iam_password_policy) solutions to remove default parameters from the CFCT configuration and main templates.
+- Updated the [CFCT-DEPLOYMENT-INSTRUCTIONS.md](aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md) to include instructions for disabling solutions within all accounts before deletion.
+- Updated the [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution to fix a spelling error.
+- Updated all StackSet resources to use the `Managed Execution` setting, which allows queuing of operations.
+- Updated all Stack resources in the main templates to include the DeletionPolicy and UpdateReplacePolicy with a value of Delete to resolve cfn-lint findings.
+- Updated all the python boto3 clients to include configuration setting the max_attempts to 10 increasing from the default of 5. This prevents retry errors that we have started to see from some of the API calls.
+
 ## 2022-07-15
 
 ### Changed<!-- omit in toc -->

README.md

@@ -8,6 +8,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 
 - [Introduction](#introduction)
 - [Getting Started with the SRA Code Examples](#getting-started-with-the-sra-code-examples)
+- [Quick Setup](#quick-setup)
 - [Example Solutions](#example-solutions)
 - [Utils](#utils)
 - [Environment Setup](#environment-setup)
@@ -31,17 +32,24 @@ The examples within this repository have been deployed and tested within an `AWS
 
 ![How to get started process diagram](./aws_sra_examples/docs/artifacts/where-to-start-process.png)
 
-1. Setup the environment to configure [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html) within a new or existing AWS account.
-2. Deploy the [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution.
+1. Setup the environment to configure [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html) within a new or existing AWS account. Existing AWS Control Tower environments can also be used but may require existing service configurations to be removed.
+2. Deploy the [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution. **Note:** This only needs to be done once for all the solutions.
 3. Choose a deployment method:
    - AWS CloudFormation StackSets/Stacks - [AWS Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)
    - Customizations for AWS Control Tower (CFCT) - [Solution Documentation](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/)
 4. (Optional) - Deploy the [Customizations for AWS Control Tower (CFCT) Setup](aws_sra_examples/solutions/common/common_cfct_setup) solution. **Note** Only implement if the CFCT deployment method was selected.
-5. Per your requirements select one or all of the below Example Solutions to implement via the selected deployment method.
+5. Per your requirements select one or all of the below [Example Solutions](#example-solutions) to implement via the selected deployment method.
+
+## Quick Setup
+
+With the `Quick Setup` you can now deploy all the [Example Solutions](#example-solutions) listed in the below table via a single centralized CloudFormation template either directly within the CloudFormation console or via the Customizations for AWS Control Tower (CFCT) solution. Our testing within an environment that has the default AWS Control Tower setup (3 accounts and 1 region) resulted in deploying all the solutions within the `Quick Setup` in under 20 minutes.
+
+Follow the instructions within the [Quick Setup](aws_sra_examples/quick_setup) to deploy all or a subset of the solutions based on your environment requirements.
 
 ## Example Solutions
 
-**Note:** All solutions below depend on the [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution in addition to the specified solutions within the `Depends On` column.
+- **Note:** All solutions below depend on the [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) solution in addition to the specified solutions within the `Depends On` column.
+- Navigate to corresponding example solution to review what is deployed and configured within the environment.
 
 | Example Solution                                                                                      | Solution Highlights                                                                                                                                                                         | What does Control Tower provide?                                                                             | Depends On                                                                                                                                                                                                                              |
 | :---------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

aws_sra_examples/docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md

@@ -77,8 +77,9 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 ### Delete Instructions<!-- omit in toc -->
 
 1. Within the Customizations for AWS Control Tower configuration
-   1. Remove the solution configuration from the `manifest.yaml` file
-   2. (Optional) Delete the parameter (Version 1 only) and template files for the solution
+   1. (Optional) Change the `Disable <Solution Name>` parameter to `true` and trigger the CFCT pipeline. This will disable the solution within each of the member accounts/regions.
+   2. Remove the solution configuration from the `manifest.yaml` file
+   3. (Optional) Delete the parameter (Version 1 only) and template files for the solution
 2. Deploy the Customizations for AWS Control Tower configuration
 3. After the pipeline completes, log into the `management account` and navigate to the `CloudFormation StackSet` page
    1. Delete the Stack Instances from the `CustomControlTower-<solution_name>*` CloudFormation StackSets

aws_sra_examples/docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md

@@ -19,9 +19,15 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
    template file as the source.
 
    ```bash
+   # Deploy the S3 Staging Bucket template with current or default AWS CLI profile
    aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml --stack-name sra-common-prerequisites-staging-s3-bucket --capabilities CAPABILITY_NAMED_IAM
    ```
 
+   ```bash
+   # Deploy the S3 Staging Bucket template with AWS CLI profile
+   aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml --stack-name sra-common-prerequisites-staging-s3-bucket --capabilities CAPABILITY_NAMED_IAM --profile <AWS_MANAGEMENT_ACCOUNT_PROFILE>
+   ```
+
 5. Package and stage all the AWS SRA example solutions. For more information see [Staging script details](#staging-script-details).
    <!-- markdownlint-disable-next-line MD031 -->
 

aws_sra_examples/quick_setup/README.md

@@ -0,0 +1,79 @@
+# Quick Setup<!-- omit in toc -->
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+## Table of Contents<!-- omit in toc -->
+
+- [Introduction](#introduction)
+- [Deployment Summary](#deployment-summary)
+- [Key Parameter Definitions](#key-parameter-definitions)
+- [Implementation Instructions](#implementation-instructions)
+
+---
+
+## Introduction
+
+The Quick Setup provides the ability to deploy all of the [SRA solutions](../../README.md#example-solutions) via a single centralized CloudFormation template. Review the individual solution documentation to get the details of what is deployed and configured. Quick Setup utilizes the `<solution_name>-main-ssm.yaml` template within each of the corresponding solutions for deployment. `Deploy Parameters` are provided to allow the selection of which solutions to deploy within the environment along with solution specific parameters .
+
+There are rules built into the Quick Setup CloudFormation template to prevent the deployment of a solution without it's dependent solution(s). Review the [Example Solutions](../../README.md#example-solutions) table within the main README to understand which solutions have dependencies.
+
+Quick Setup was created with the intention of simplifying the setup of new environments but it can be leveraged by existing SRA environments. If one of the SRA solutions has been deployed within the environment, follow the below options to prevent any conflicts.
+
+- Option 1 - Set the `Deploy Parameter` for each of the solutions previously deployed to `No`.
+  - **Note:** The Config Management Solution `Deploy Parameter` must be set to `Already Deployed` or `Yes` to pass the validation rules when it is a dependency of another solution (e.g. Security Hub, Config Organization Conformance Pack).
+- Option 2
+  - Disable/Delete the previously deployed solutions following the associated solution delete instructions.
+  - Deploy the solutions using the Quick Setup.
+
+---
+
+## Deployment Summary
+
+![Deployment Summary](./documentation/quick-setup.png)
+
+---
+
+## Key Parameter Definitions
+
+- Deploy the <SOLUTION_NAME> Solution
+  - Yes = Includes the solution in the deployment
+  - No = Does not include the solution in the deployment
+  - Already Deployed = The solution has already been deployed within the environment
+- Disable <SOLUTION_NAME>
+  - Yes = The solution `Deploy` parameter above must be `Yes`. This will disable the service within all the member accounts/regions.
+  - No = (Default) Use this value when deploying the solution for the first time.
+
+---
+
+## Implementation Instructions
+
+### Prerequisites<!-- omit in toc -->
+
+Verify that the [SRA Prerequisites Solution](../solutions/common/common_prerequisites/) has been deployed. **Note:** This only needs to be done once for all the solutions.
+
+### Solution Deployment<!-- omit in toc -->
+
+Choose a Deployment Method:
+
+- [AWS CloudFormation](#aws-cloudformation)
+- [Customizations for AWS Control Tower](../docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md)
+
+#### AWS CloudFormation<!-- omit in toc -->
+
+1. Download the [sra-quick-setup-ssm.yaml](templates/sra-quick-setup-ssm.yaml) template to your Desktop or locate it within the local machine `$HOME/aws-sra-examples/aws_sra_examples/quick_setup/templates/sra-quick-setup-ssm.yaml`.
+2. In the `management account (home region)`, launch an AWS CloudFormation **Stack** using the [sra-quick-setup-ssm.yaml](templates/sra-quick-setup-ssm.yaml) template.
+
+#### Solution Update Instructions<!-- omit in toc -->
+
+1. [Download and Stage the SRA Solutions](../docs/DOWNLOAD-AND-STAGE-SOLUTIONS.md). **Note:** Get the latest code and run the staging script.
+2. Update the existing CloudFormation Stack or CFCT configuration. **Note:** New parameters or changes to existing parameters may require input.
+
+#### Solution Delete Instructions<!-- omit in toc -->
+
+1. In the `management account (home region)`, change the `Disable GuardDuty`, `Disable Macie`, and `Disable Security Hub` parameters to `true` and update the AWS CloudFormation **Stack** (`sra-quick-setup-ssm`). This will disable the solutions within each of the member accounts/regions.
+2. In the `management account (home region)`, verify that the GuardDuty, Macie, and Security Hub Lambda functions are finished processing by confirming no more CloudWatch logs are generated.
+3. In the `management account (home region)`, delete the AWS CloudFormation **Stack** (`sra-quick-setup-ssm`).
+4. In the `management account (home region)`, delete the AWS CloudWatch **Log Groups**.
+   1. `/aws/lambda/<solution_name>` for the Lambda functions deployed
+   2. `sra/sra-org-trail` for the SRA Organizations CloudTrail solution
+5. In the `Log Archive account`, empty and delete the S3 buckets created by the SRA solutions (e.g. `sra-<solution_name>-<account_id>-<region>`).

aws_sra_examples/quick_setup/customizations_for_aws_control_tower/README.md

@@ -0,0 +1,7 @@
+# Customizations for AWS Control Tower<!-- omit in toc -->
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+---
+
+[Customizations for AWS Control Tower Deployment Instructions](../../docs/CFCT-DEPLOYMENT-INSTRUCTIONS.md)