Warning: The configuration file schema documentation is a work in progress. Please use this draft document with caution. The deeper you browse into the hierarchy, the less accurate the definitions are likely to be.

The Accelerator groups certain sets of functionality (security, logs, ITOps, management) together and centralizes their capabilities into a single account. This section identifies the respective central account and allows the services associated with it, which apply across the whole organization, to be enabled or disabled. The central account itself is defined in the mandatory-account-configs section of the config file. The organization-wide central services are defined in one of four sections of the config file: aws-org-managment, central-log-services, central-operations-services, or central-security-services. Not all options are available in each of these four sections.

Hierarchy

  • CentralizedSecurityServicesConfig1

Properties

Optional access-analyzer

access-analyzer: boolean
Title: Access Analyzer
Description: Enables AWS Access Analyzer in all accounts and regions and sets the Access Analyzer Administrator account to the central security account. Defaults to false. [SECURITY]

account

account: string
Title: Account
Description: The name of the AWS Account, as defined in this config, to enable centralized services. [ALL]

Optional add-sns-topics

add-sns-topics: boolean
Title: Add SNS Topics
Description: Adds a local SNS topic in the specified account due to challenges with cross-account topics. [OPS][MGMT]

Optional config-aggr

config-aggr: boolean
Title: AWS Config Aggregator
Description: Configures the AWS Account with an AWS Config Aggregator. [ALL]

Optional config-aggr-excl-regions

config-aggr-excl-regions: string[]
Title: Deprecated
Description: Deprecated

Optional config-excl-regions

config-excl-regions: string[]
Title: Config Exclusion Regions
Description: A list of regions to exclude from enabling a Config Recorder. [SECURITY]

Optional cwl

cwl: boolean
Title: CloudWatch Logs Access
Description: Enables users in the specified account (central security account/central operations account) to access the CloudWatch Logs of all accounts in the Organization. [SECURITY][OPS]

Optional cwl-access-level

cwl-access-level: string
Title: CloudWatch Logs Access Level
Description: Supported values are: `full` (CloudWatchReadOnlyAccess, CloudWatchAutomaticDashboardsAccess, job-function/ViewOnlyAccess, AWSXrayReadOnlyAccess), `cwl+auto+xray` (CloudWatchReadOnlyAccess, CloudWatchAutomaticDashboardsAccess, AWSXrayReadOnlyAccess), and `cwl+auto` (CloudWatchReadOnlyAccess, CloudWatchAutomaticDashboardsAccess). [SECURITY][OPS]

Optional cwl-exclusions

cwl-exclusions: CloudWatchLogExclusions1[]
Title: CloudWatch Logs Exclusions
Description: Excludes log groups matching the specified pattern, in the specified account, from being forwarded to the central-log-services bucket. [LOGS]

Optional cwl-glbl-exclusions

cwl-glbl-exclusions: string[]
Title: CloudWatch Logs Global Exclusions
Description: Excludes log groups matching the pattern, in any account, from being forwarded to the central-log-services bucket. Wildcards are supported, for example /xxx/yyy/*. [LOGS]

Optional dynamic-s3-log-partitioning

dynamic-s3-log-partitioning: S3LogPartitionMapping1[]
Title: Dynamic S3 Log Partitioning
Description: Configures CloudWatch Logs to be extracted by Firehose and placed into different S3 prefixes.

Optional fw-mgr-alert-level

fw-mgr-alert-level: "None" | "Low" | "Medium" | "High"
Title: Firewall Manager Alert Level
Description: Determines which of the three security notification email priority levels all Firewall Manager alerts are subscribed to. [SECURITY]

Optional guardduty

guardduty: boolean
Title: GuardDuty
Description: Enables GuardDuty in all accounts and regions and sets the GuardDuty Administrator account to the central security account. Defaults to false. [SECURITY]

Optional guardduty-excl-regions

guardduty-excl-regions: string[]
Title: GuardDuty Exclusion Regions
Description: A list of regions to exclude from GuardDuty protection. [SECURITY]

Optional guardduty-s3

guardduty-s3: boolean
Title: GuardDuty S3 Protection
Description: S3 protection enables Amazon GuardDuty to monitor object-level API operations to identify potential security risks for data within your S3 buckets. [SECURITY]

Optional guardduty-s3-excl-regions

guardduty-s3-excl-regions: string[]
Title: GuardDuty S3 Protection Exclusion Regions
Description: A list of regions to exclude from GuardDuty S3 protection. [SECURITY]

Optional kinesis-stream-shard-count

kinesis-stream-shard-count: number
Title: Kinesis Stream Shard Count
Description: The Kinesis Data Stream shard count used for CloudWatch Logs centralization. This needs to be scaled manually as a customer's environment grows to ensure all logs are centralized. [LOGS]

Optional macie

macie: boolean
Title: Macie
Description: Enables Macie in all accounts and regions and sets the Macie Administrator account to the central security account. Defaults to false. [SECURITY]

Optional macie-excl-regions

macie-excl-regions: string[]
Title: Macie Exclusion Regions
Description: A list of regions to exclude from being Macie enabled. [SECURITY]

Optional macie-frequency

macie-frequency: string
Title: Update Frequency for Policy Findings
Description: The schedule Macie uses to publish updates to policy findings. Supported values are: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. [SECURITY]

Optional macie-sensitive-sh

macie-sensitive-sh: boolean
Title: Send Macie sensitive findings to Security Hub
Description: Publish Macie sensitive data findings to Security Hub. [SECURITY]

region

region: string
Title: Region
Description: The region to designate as the `home` region for central services. When possible, the functionality of each centralized service is consolidated into this single region. This is the region that contains the centralized log-archive bucket and the region that security tooling admin functionality is centralized to (when possible). [ALL]

Optional s3-retention

s3-retention: number
Title: Central S3 logging bucket retention period
Description: Specifies the retention period, in days, for logs stored in the central logging buckets. After this time these logs are permanently deleted. [LOG]

Optional security-hub

security-hub: boolean
Title: Security Hub
Description: Enables Security Hub in all accounts and regions and sets the Security Hub Administrator account to the central security account. Defaults to false. [SECURITY]

Optional security-hub-excl-regions

security-hub-excl-regions: string[]
Title: Security Hub Exclusion Regions
Description: A list of regions to exclude from Security Hub being enabled. [SECURITY]

Optional security-hub-findings-sns

security-hub-findings-sns: "None" | "Low" | "Medium" | "High" | "Critical"
Title: Send Security Hub Findings to SNS
Description: Sends all Security Hub findings ABOVE this severity level to the appropriate security notification topic. Values: Low, Medium, High, Critical, None. [SECURITY]

Optional sns-excl-regions

sns-excl-regions: string[]
Title: SNS Exclusion Regions
Description: A list of regions to exclude from deploying SNS topics and the SNS Subscription Lambda. [LOG]

Optional sns-subscription-emails

sns-subscription-emails: {}
Title: SNS Subscription Emails
Description: Email addresses to which all alerts and alarms are forwarded, categorized by priority. Required topics include: High, Medium, Low, Ignore. [LOG]

Type declaration

  • [k: string]: string[]

Optional ssm-to-cwl

ssm-to-cwl: boolean
Title: Session Manager logging to CloudWatch Logs
Description: Set to true to configure and send Session Manager session logs to CloudWatch Logs. [LOGS]

Optional ssm-to-s3

ssm-to-s3: boolean
Title: Session Manager logging to S3 central bucket
Description: Set to true to configure and send Session Manager session logs to the central-log-services bucket. [LOGS]
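Because several of the properties above carry constraints that the config file itself does not enforce (enumerated values, the four required SNS topics, a deprecated key, and detection services that silently default to false), a pre-deployment lint of the central-security-services section catches misconfigurations before they become gaps in coverage. The following Python script is an added example and is not part of the Accelerator project. It assumes the section is a JSON object keyed exactly as listed on this page; the sample config is constructed, and the "home region appears in an exclusion list" check is an extra sanity check of my own, not a rule stated by the schema.

```python
"""Lint a central-security-services config fragment against the schema
constraints listed on this page. Added example, not Accelerator code."""
import json

REQUIRED_KEYS = ("account", "region")  # the only non-Optional properties

# Enumerated values exactly as stated in the schema page.
ENUMS = {
    "fw-mgr-alert-level": {"None", "Low", "Medium", "High"},
    "security-hub-findings-sns": {"None", "Low", "Medium", "High", "Critical"},
    "macie-frequency": {"FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"},
    "cwl-access-level": {"full", "cwl+auto+xray", "cwl+auto"},
}
REQUIRED_SNS_TOPICS = {"High", "Medium", "Low", "Ignore"}
DEPRECATED_KEYS = {"config-aggr-excl-regions"}

# Detection services whose keys default to false when absent.
DETECTION_SERVICES = ("guardduty", "security-hub", "macie", "access-analyzer")

REGION_LIST_KEYS = (
    "config-excl-regions", "guardduty-excl-regions",
    "guardduty-s3-excl-regions", "macie-excl-regions",
    "security-hub-excl-regions", "sns-excl-regions",
)


def lint_central_security(cfg: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []

    for key in REQUIRED_KEYS:
        if not isinstance(cfg.get(key), str) or not cfg[key]:
            findings.append(f"missing required key: {key}")

    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            findings.append(f"{key}: {cfg[key]!r} not in {sorted(allowed)}")

    for key in sorted(DEPRECATED_KEYS & cfg.keys()):
        findings.append(f"{key} is deprecated; remove it")

    emails = cfg.get("sns-subscription-emails", {})
    missing = REQUIRED_SNS_TOPICS - set(emails)
    if missing:
        findings.append(f"sns-subscription-emails missing topics: {sorted(missing)}")
    for topic, addrs in emails.items():
        if not isinstance(addrs, list) or not all(isinstance(a, str) for a in addrs):
            findings.append(f"sns-subscription-emails[{topic}] must be a list of strings")

    # Defender's view: an absent key is an absent control, so report it.
    for key in DETECTION_SERVICES:
        if not cfg.get(key, False):
            findings.append(f"{key} is disabled (defaults to false)")

    # Assumed sanity check (not in the schema): excluding the home region
    # from a security service is almost certainly a mistake.
    home = cfg.get("region")
    for key in REGION_LIST_KEYS:
        regions = cfg.get(key, [])
        if not isinstance(regions, list):
            findings.append(f"{key} must be a list of region names")
        elif home and home in regions:
            findings.append(f"{key} excludes the home region {home}")

    return findings


# Constructed sample fragment with deliberate problems (typo in an enum value,
# a deprecated key, a missing SNS topic, two detection services left off).
SAMPLE = json.loads("""
{
  "account": "security",
  "region": "ca-central-1",
  "guardduty": true,
  "guardduty-excl-regions": ["ap-east-1"],
  "security-hub": true,
  "security-hub-findings-sns": "Hgh",
  "macie-frequency": "SIX_HOURS",
  "config-aggr-excl-regions": ["us-west-1"],
  "sns-subscription-emails": {
    "High": ["secops-high@example.com"],
    "Medium": ["secops@example.com"],
    "Low": ["secops@example.com"]
  }
}
""")

if __name__ == "__main__":
    for finding in lint_central_security(SAMPLE):
        print("FINDING:", finding)
```

Run it as a pre-commit or pipeline step on the config file; the five findings it reports for the sample are exactly the kind of silent gaps (a misspelled severity that disables SNS routing, a missing Ignore topic, Macie and Access Analyzer never turned on) that a reviewer reading the raw JSON tends to miss.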