Properties

Optional access-analyzer
access-analyzer: boolean
Title: Access Analyzer
Description: Enables AWS Access Analyzer in all accounts and regions and sets the Access Analyzer Administrator account to the central security account. Defaults to false. [SECURITY]

account
account: string
Title: Account
Description: The name of the AWS Account, as defined in this config, in which to enable centralized services. [ALL]

Optional add-sns-topics
add-sns-topics: boolean
Title: Add SNS Topics
Description: Adds a local SNS topic in the specified account due to challenges with cross-account topics. [OPS][MGMT]

Optional config-aggr
config-aggr: boolean
Title: AWS Config Aggregator
Description: Configures the AWS Account with an AWS Config Aggregator. [ALL]

Optional config-aggr-excl-regions
config-aggr-excl-regions: string[]
Title: Deprecated
Description: Deprecated

Optional config-excl-regions
config-excl-regions: string[]
Title: Config Exclusion Regions
Description: A list of regions to exclude from enabling a Config Recorder. [SECURITY]

Optional cwl
cwl: boolean
Title: CloudWatch Logs Access
Description: Enables users in the specified account (central security account or central operations account) to access the CloudWatch Logs of all accounts in the Organization. [SECURITY][OPS]

Optional cwl-access-level
cwl-access-level: string
Title: CloudWatch Logs Access Level
Description: Supported values are: `full` (CloudWatchReadOnlyAccess, CloudWatchAutomaticDashboardsAccess, job-function/ViewOnlyAccess, AWSXrayReadOnlyAccess), `cwl+auto+xray` (CloudWatchReadOnlyAccess, CloudWatchAutomaticDashboardsAccess, AWSXrayReadOnlyAccess), and `cwl+auto` (CloudWatchReadOnlyAccess, CloudWatchAutomaticDashboardsAccess). [SECURITY][OPS]

Optional cwl-exclusions
Title: CloudWatch Logs Exclusions
Description: Excludes log groups matching the specified pattern, in the specified account, from being forwarded to the central-log-services bucket. [LOGS]

Optional cwl-glbl-exclusions
cwl-glbl-exclusions: string[]
Title: CloudWatch Logs Global Exclusions
Description: Excludes log groups matching the pattern in any account from being forwarded to the central-log-services bucket. Wildcards are supported, for example /xxx/yyy/*. [LOGS]

Optional dynamic-s3-log-partitioning
Title: Dynamic S3 Log Partitioning
Description: Configures CloudWatch Logs to be extracted by Firehose and placed into different S3 prefixes.

Optional fw-mgr-alert-level
fw-mgr-alert-level: "None" | "Low" | "Medium" | "High"
Title: Firewall Manager Alert Level
Description: Determines which of the three security notification email priority levels all Firewall Manager alerts are subscribed to. [SECURITY]

Optional guardduty
guardduty: boolean
Title: GuardDuty
Description: Enables GuardDuty in all accounts and regions and sets the GuardDuty Administrator account to the central security account. Defaults to false. [SECURITY]

Optional guardduty-excl-regions
guardduty-excl-regions: string[]
Title: GuardDuty Exclusion Regions
Description: List of regions excluded from GuardDuty protection. [SECURITY]

Optional guardduty-s3
guardduty-s3: boolean
Title: GuardDuty S3 Protection
Description: S3 protection enables Amazon GuardDuty to monitor object-level API operations to identify potential security risks for data within your S3 buckets. [SECURITY]

Optional guardduty-s3-excl-regions
guardduty-s3-excl-regions: string[]
Title: GuardDuty S3 Protection Exclusion Regions
Description: List of regions excluded from GuardDuty S3 protection. [SECURITY]

Optional kinesis-stream-shard-count
kinesis-stream-shard-count: number
Title: Kinesis Stream Shard Count
Description: The Kinesis Data Stream shard count used for CloudWatch Logs centralization. This needs to be manually scaled as a customer's environment grows to ensure all logs are centralized. [LOGS]

Optional macie
macie: boolean
Title: Macie
Description: Enables Macie in all accounts and regions and sets the Macie Administrator account to the central security account. Defaults to false. [SECURITY]

Optional macie-excl-regions
macie-excl-regions: string[]
Title: Macie Exclusion Regions
Description: A list of regions to exclude from having Macie enabled. [SECURITY]

Optional macie-frequency
macie-frequency: string
Title: Update Frequency for Policy Findings
Description: The schedule Macie uses to publish updates to policy findings. Supported values are: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. [SECURITY]

Optional macie-sensitive-sh
macie-sensitive-sh: boolean
Title: Send Macie sensitive findings to Security Hub
Description: Publish Macie sensitive data findings to Security Hub. [SECURITY]

region
region: string
Title: Region
Description: The region to designate as the `home` region for central services. When possible, the functionality of the centralized service will be consolidated into this single region. This is the region which contains the centralized log-archive bucket and the region that security tooling admin functionality will be centralized to (when possible). [ALL]

Optional s3-retention
s3-retention: number
Title: Central S3 logging bucket retention period
Description: Specifies the retention period, in days, for logs stored in the central logging buckets. After this time these logs are permanently deleted. [LOG]

Optional security-hub
security-hub: boolean
Title: Security Hub
Description: Enables Security Hub in all accounts and regions and sets the Security Hub Administrator account to the central security account. Defaults to false. [SECURITY]

Optional security-hub-excl-regions
security-hub-excl-regions: string[]
Title: Security Hub Exclusion Regions
Description: A list of regions to exclude from having Security Hub enabled. [SECURITY]

Optional security-hub-findings-sns
security-hub-findings-sns: "None" | "Low" | "Medium" | "High" | "Critical"
Title: Send Security Hub Findings to SNS
Description: Send all Security Hub findings ABOVE this severity level to the appropriate security notification topic. Values: Low, Medium, High, Critical, None. [SECURITY]

Optional sns-excl-regions
sns-excl-regions: string[]
Title: SNS Exclusion Regions
Description: A list of regions to exclude from deploying SNS topics and the SNS Subscription Lambda. [LOG]

Optional sns-subscription-emails
sns-subscription-emails: {}
Title: SNS Subscription Emails
Description: Email addresses to forward all alerts and alarms to, categorized by priority. Required topics include: High, Medium, Low, Ignore. [LOG]

Optional ssm-to-cwl
ssm-to-cwl: boolean
Title: Session Manager logging to CloudWatch Logs
Description: Set to true to configure and send Session Manager session logs to CloudWatch Logs. [LOGS]

Optional ssm-to-s3
ssm-to-s3: boolean
Title: Session Manager logging to S3 central bucket
Description: Set to true to configure and send Session Manager session logs to the central-log-services bucket. [LOGS]
The Accelerator groups certain sets of functionality (security, logs, ITOps, management) together and centralizes their respective capabilities into a single account. This section identifies the respective central account and provides the ability to enable or disable the services associated with it that apply across the organization. The central account itself is defined in the mandatory-account-configs section of the config file. The organization-wide central services are defined in this section, under either aws-org-management, central-log-services, central-operations-services, or central-security-services. Not all options are available in each of these four sections of the config file.
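The properties above carry several constraints that a config file can silently violate (enumerated values, required priority topics, opt-in security services that default to false, exclusion lists that can exclude the home region). The validator below is an added example, not code from the Accelerator project: it checks one central-services block against the constraints documented on this page and separates hard errors from warnings. Property names and enumerated values are taken from the page; the priority-to-address-list shape assumed for `sns-subscription-emails`, the home-region exclusion warning and the sample block `SAMPLE_CENTRAL_SECURITY` are assumptions constructed for this example.

```typescript
// Added example (not the Accelerator's own code): validate a central-services
// block against the constraints documented on the properties page.
const SEVERITIES = ["None", "Low", "Medium", "High", "Critical"];
const FW_ALERT_LEVELS = ["None", "Low", "Medium", "High"];
const MACIE_FREQUENCIES = ["FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"];
const CWL_ACCESS_LEVELS = ["full", "cwl+auto+xray", "cwl+auto"];
const SNS_PRIORITIES = ["High", "Medium", "Low", "Ignore"];
// Security services the page says default to false when omitted.
const OPT_IN_SECURITY = ["access-analyzer", "guardduty", "macie", "security-hub"];
const BOOLEAN_KEYS = [
  "access-analyzer", "add-sns-topics", "config-aggr", "cwl", "guardduty", "guardduty-s3",
  "macie", "macie-sensitive-sh", "security-hub", "ssm-to-cwl", "ssm-to-s3",
];
const REGION_LIST_KEYS = [
  "config-excl-regions", "guardduty-excl-regions", "guardduty-s3-excl-regions",
  "macie-excl-regions", "security-hub-excl-regions", "sns-excl-regions",
];
const POSITIVE_INT_KEYS = ["kinesis-stream-shard-count", "s3-retention"];

export interface ValidationResult { errors: string[]; warnings: string[]; }

export function validateCentralServices(cfg: Record<string, unknown>): ValidationResult {
  const errors: string[] = [];
  const warnings: string[] = [];
  const enumCheck = (key: string, allowed: string[]) => {
    const v = cfg[key];
    if (v !== undefined && !allowed.includes(String(v))) {
      errors.push(`${key}: expected one of ${allowed.join("|")}, got ${JSON.stringify(v)}`);
    }
  };

  // account and region are the only two required ([ALL]) properties.
  for (const key of ["account", "region"]) {
    if (typeof cfg[key] !== "string" || cfg[key] === "") errors.push(`${key}: required non-empty string`);
  }
  enumCheck("security-hub-findings-sns", SEVERITIES);
  enumCheck("fw-mgr-alert-level", FW_ALERT_LEVELS);
  enumCheck("macie-frequency", MACIE_FREQUENCIES);
  enumCheck("cwl-access-level", CWL_ACCESS_LEVELS);

  // Switches must be real booleans; the string "true" is a common JSON mistake.
  for (const key of BOOLEAN_KEYS) {
    if (cfg[key] !== undefined && typeof cfg[key] !== "boolean") errors.push(`${key}: expected boolean`);
  }
  for (const key of POSITIVE_INT_KEYS) {
    const v = cfg[key];
    if (v !== undefined && !(Number.isInteger(v) && (v as number) > 0)) errors.push(`${key}: expected positive integer`);
  }

  // Exclusion lists must be string arrays. Excluding the home region, where the
  // page says admin functionality is centralized, is flagged (heuristic assumption).
  const home = typeof cfg.region === "string" ? cfg.region : undefined;
  for (const key of REGION_LIST_KEYS) {
    const v = cfg[key];
    if (v === undefined) continue;
    if (!Array.isArray(v) || !v.every((r) => typeof r === "string")) { errors.push(`${key}: expected string[]`); continue; }
    if (home !== undefined && v.includes(home)) warnings.push(`${key}: home region ${home} is excluded`);
  }
  if (cfg["config-aggr-excl-regions"] !== undefined) warnings.push("config-aggr-excl-regions: deprecated, remove it");

  // sns-subscription-emails must carry every required priority topic
  // (assumed shape: priority -> list of addresses).
  const sns = cfg["sns-subscription-emails"];
  if (sns !== undefined) {
    if (typeof sns !== "object" || sns === null || Array.isArray(sns)) {
      errors.push("sns-subscription-emails: expected object keyed by priority");
    } else {
      const topics = sns as Record<string, unknown>;
      for (const p of SNS_PRIORITIES) {
        const addrs = topics[p];
        if (!Array.isArray(addrs) || addrs.length === 0 || !addrs.every((a) => typeof a === "string" && a.includes("@"))) {
          errors.push(`sns-subscription-emails.${p}: expected non-empty list of email addresses`);
        }
      }
    }
  }

  // Opt-in services left at their false default are surfaced, not failed.
  for (const key of OPT_IN_SECURITY) {
    if (cfg[key] !== true) warnings.push(`${key}: not enabled (defaults to false)`);
  }
  return { errors, warnings };
}

// Constructed sample block for a central security account (not from the page).
export const SAMPLE_CENTRAL_SECURITY: Record<string, unknown> = {
  account: "security",
  region: "ca-central-1",
  "security-hub": true,
  "security-hub-findings-sns": "Medium",
  guardduty: true,
  "guardduty-s3": true,
  macie: true,
  "macie-frequency": "ONE_HOUR",
  "fw-mgr-alert-level": "Low",
  "config-excl-regions": ["ap-northeast-3"],
  "cwl-access-level": "cwl+auto",
};
```

Run `validateCentralServices` over each of the four central-services blocks before committing a config change: a non-empty `errors` list should block the deployment, while `warnings` (a deprecated key, a service still at its false default, a home region in an exclusion list) is the review checklist for whoever signs off on the security baseline.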