1. Accelerator Installation Guide(link)
1.1. Overview(link)
We encourage customers installing the Accelerator to get the support of their local AWS account team (SA, TAM, CSM, ProServe) to assist with the installation of the Accelerator, as the Accelerator leverages, deploys, or orchestrates over 50 different AWS services.
Users are strongly encouraged to also read the Accelerator Operations/Troubleshooting Guide before installation and the FAQ while waiting for the installation to complete. The Operations/Troubleshooting Guide provides details as to what is being performed at each stage of the installation process, including detailed troubleshooting guidance.
These installation instructions assume one of the prescribed architectures is being deployed.
1.2. Prerequisites(link)
1.2.1. General(link)
- Management or root AWS Organization account (the AWS Accelerator cannot be deployed in an AWS sub-account)
- No additional AWS accounts need to be pre-created before Accelerator installation
- If required, a limit increase to support your desired number of new AWS sub-accounts (default limit is 10 sub-accounts)
- recent changes to new AWS account limits are causing accelerator installation failures, please work with your local account team to increase your limits
- Valid Accelerator configuration file, updated to reflect your requirements (see below)
- Determine your primary or Accelerator
control
orhome
region, this is the AWS region in which you will most often operate - Government of Canada customers are still required to do a standalone installation at this time, please request standalone installation instructions from your Account SA or TAM
- The Accelerator can be installed into existing AWS Organizations - see caveats and notes here
- Existing AWS Landing Zone Solution (ALZ) customers are required to remove their ALZ deployment before deploying the Accelerator. Scripts are available to assist with this process.
- Changes to the Accelerator codebase are strongly discouraged unless they are contributed and accepted back to the solution. Code customization will block the ability to upgrade to the latest release and upgrades are encouraged to be done between quarterly to semi-annually. The solution was designed to be extremely customizable without changing code, existing customers following these guidelines have been able to upgrade across more than 50 Accelerator releases, while maintaining their customizations and gaining the latest bug fixes, features and enhancements without any developer or professional services based support. Please see this FAQ for more details.
1.3. Production Deployment Planning(link)
1.3.1. General(link)
For any deployment of the Accelerator which is intended to be used for production workloads, you must evaluate all these decisions carefully. Failure to understand these choices could cause challenges down the road. If this is a "test" or "internal" deployment of the Accelerator which will not be used for production workloads, you can leave the default config values.
Config file schema documentation (Draft)
1.3.2. OU Structure Planning(link)
Plan your OU and core account structure carefully. By default, we suggest: Security, Infrastructure, Central, Sandbox, Dev, Test, Prod
.
- The
Security
OU will contain theSecurity
account, theLog Archive
account, and the OrganizationManagement
account. - The
Infrastructure
OU will hold the remainder of the accounts shared or utilized by the rest of the organization (Shared Network
,Perimeter
, andOperations
). - The remainder of the OUs correspond with major permission shifts in the SDLC cycle and NOT every stage an organization has in their SDLC cycle (i.e. QA or pre-prod would be included in one of the other OUs).
- The
Central
OU is used to hold accounts with workloads shared across Dev, Test, and Prod environments like centralized CI/CD tooling. - The v1.5.0+ releases align the Accelerator OU and account structure with AWS multi-account guidance, splitting the
core
OU into theSecurity
andInfrastructure
OUs.
Note: While OUs can be renamed or additional OUs added at a later point in time, deployed AWS accounts CANNOT be moved between top-level OUs (guardrail violation), nor can top-level OUs easily be deleted (requires deleting all AWS accounts from within the OU first).
1.3.3. Network Configuration Planning(link)
If deploying the prescriptive architecture using the Full or Lite sample config files, you will need the following network constructs:
-
Six (6) RFC1918 Class B address blocks (CIDR's) which do not conflict with your on-premise networks (a single /13 block works well)
- VPC CIDR blocks cannot be changed after installation, this is simply the way the AWS platform works, given everything is built on top of them. Carefully consider your address block selection.
- one block for each OU, except Sandbox which is not routable (Sandbox OU will use a 7th non-routed address block)
- the "core" Class B range will be split to support the Endpoint VPC and Perimeter VPC (with extra addresses remaining for future use)
- Given a shared VPC architecture is leveraged (prevents stranded islands of CIDR blocks and reduces networking costs), we have assigned a class B address block to each VPC to future proof the deployment. Smaller customers can successfully deploy with a half class B CIDR block per shared VPC.
-
Two (2) RFC6598 /23 address blocks (Government of Canada (GC) requirement only)
- Used for AWS Managed Active Directory (MAD) deployment and perimeter underlay network
- non-GC customers can replace the RFC6598 address space with the extra unused addresses from the above RFC1918 CIDR range above (the App2 subnets in the Central VPC and the Perimeter VPC address space)
-
BGP ASN's for network routing, one for each of:
- Transit Gateway (one unique ASN per TGW, multi-region example requires a second ASN)
- IPSec VPN Firewall Cluster (if deployed)
-
VGW for Direct Connect connectivity (only shown in the config.multi-region-example.json)
-
For example: the Control Tower with Network Firewall example config requires a single BGP ASN for the TGW, the IPSec VPN example requires two BGP ASN's, and the multi-region example requires five unique BGP ASN's.
NOTE: Prior to v1.5.0 CIDR ranges were assigned to each VPC and subnet throughout the config file. This required customers to perform extensive updates across the config file when needing to move to specific IP ranges compatible with a customer's existing on-premise networks.
While this is still supported for those wanting to control exactly what address is used on every subnet, the solution has added support for dynamic CIDR assignments and the sample config files have been updated to reflect. New installs will have CIDR's pulled from CIDR pools, defined in the global-options section of the config file with state maintained in DynamoDB.
The v1.5.0 custom upgrade guide will provides details on the upgrade process and requirements to migrate to the new CIDR assignment system, if desired. A script was created to assist with this migration.
1.3.4. DNS, Domain Name, TLS Certificate Planning(link)
If deploying the prescriptive architecture, you must decide on:
- A unique Windows domain name (
organizationaws
/organization.aws
,organizationcloud
/organization.cloud
, etc.). Given this is designed as the primary identity store and used to domain join all cloud hosted workloads, changing this in future is difficult. Pick a Windows domain name that does NOT conflict with your on-premise AD domains, ensuring the naming convention conforms to your organizations domain naming standards to ensure you can eventually create a domain trust between the MAD and on-premise domains/forests - DNS Domain names and DNS server IP's for on-premise private DNS zones requiring cloud resolution (can be added in future)
- DNS Domain for a cloud hosted public zone
"public": ["organization.cloud-nuage.canada.ca"]
(can be added in future) - DNS Domain for a cloud hosted private zone
"private": ["organization.cloud-nuage.gc.ca"]
(can be added in future) - Wildcard TLS certificate for each of the 2 previous zones (can be added/changed in future)
1.3.5. Email Address Planning(link)
- While you require a minimum of 6 unique email addresses (1 per sub-account being created), we recommend at least 20 unique email ALIASES associated with a single mailbox, never used before to open AWS accounts, such that you do not need to request new email aliases every time you need to create a new AWS account and they can all be monitored via a single mailbox. These email addresses can never have been used to previously open an AWS account.
- You additionally require email addresses for the following additional purposes (these can be existing monitored mailboxes and do not need to be unique):
- Accelerator execution (state machine) notification events (1 address)
- High, Medium and Low security alerts (3 addresses if you wish to segregate alerts)
- Budget notifications
1.3.6. Centralized Ingress/Egress Firewalls(link)
As of v1.5.0 the Accelerator offers multiple automated firewall deployment options:
a) AWS Network Firewall (native AWS Cloud service)
- Defined in the config file as part of a VPC
b) 3rd party firewalls interconnected to the cloud tenancy via IPSec VPN (Active/Active using BGP + ECMP)
- Defined in the config file under deployments w/TGW VPN attachments
- this was the only automated option prior to v1.5.0
- a sample Fortinet Fortigate configuration is provided (both PAYGO and BYOL supported)
- For Fortinet BYOL, requires minimum 2 valid license files (evaluation licenses adequate) (can be added in future)
c) 3rd party firewalls interconnected to the cloud tenancy via Gateway Load Balancer (GWLB) in an auto-scaling group
- Defined in the config file under both deployments and load balancers
- a sample Checkpoint CloudGuard configuration is provided (both PAYGO and BYOL supported)
d) Customer gateway (CGW) creation, to enable connectivity to on-premises firewalls or manually deployed cloud firewalls
- Defined in the config file under deployments w/TGW VPN attachments (but without an AMI or VPC association)
Examples of each of the firewall options have been included as variants of the Lite config file example.
Note: While we only provide a single example for each 3rd party implementation today, the implementations are generic and should be usable by any 3rd party firewall vendor, assuming they support the required features and protocols. The two examples were driven by customer demand and heavy lifting by the 3rd party vendor. We look forward to additional vendors developing and contributing additional sample configurations. For new 3rd party integrations, we encourage the use of the GWLB approach.
1.3.7. Other(link)
- We recommend installing with the default Accelerator Name (
ASEA
) and Accelerator Prefix (ASEA-
), but allow customization. Prior to v1.5.0 the defaults were (PBMM
) and (PBMMAccel-
) respectively.- the Accelerator name and prefix CANNOT be changed after the initial installation;
- the Accelerator prefix including the mandatory dash cannot be longer than 10 characters.
- New installations, which now leverage Control Tower, require the
organization-admin-role
be set toAWSControlTowerExecution
. Existing standalone installations will continue to utilize their existing role name for theorganization-admin-role
, typicallyOrganizationAccountAccessRole
, as this role is used by AWS Organizations by default when no role name is specified while creating AWS accounts through the AWS console.- the Accelerator leverages this role name to create all new accounts in the organization;
- this role name, as defined in the config file, MUST be utilized when manually creating all new sub-accounts in the Organization;
- existing installs wishing to change the role name are required to first deploy a new role with a trust to the root account, in all accounts in the organization.
1.4. Accelerator Pre-Install Steps(link)
1.4.1. General(link)
Before installing, you must first:
- Login to the Organization Management (root) AWS account with
AdministratorAccess
. - Set the region to your desired
home
region (i.e.ca-central-1
) - Install AWS Control Tower:
- Government of Canada customers are required to skip this step
- OU and account names can ONLY be customized during initial installation. These values MUST match with the values supplied in the Accelerator config file.
- Go to the AWS Control Tower console and click
Set up landing zone
- Select your
home
region (i.e.ca-central-1
) - the Accelerator home region must match the Control Tower home region - Leave the Region deny setting set to
Not enabled
- the Accelerator needs a customized region deny policy - Select all regions for
Additional AWS Regions for governance
, clickNext
- The Control Tower and Accelerator regions MUST be properly aligned
- If a region is not
governed
by Control Tower, it must NOT be listed incontrol-tower-supported-regions
- To manage a region requires the region:
- be enabled in Control Tower (if supported)
- added to the config file
control-tower-supported-regions
list (if supported) - added to the config file
supported-regions
list (even if not supported by Control Tower, as the Accelerator can manage regions not yet supported by Control Tower, but only when NOT listed incontrol-tower-supported-regions
) - While we highly recommend guardrail deployment for all AWS enabled by default regions, at minimum
- the home region MUST be enabled in Control Tower and must be listed in
control-tower-supported-regions
- both the home-region and ${GBL*REGION} must be listed in
supported-regions
- the home region MUST be enabled in Control Tower and must be listed in
- For the
Foundational OU
, leave the default valueSecurity
- For the
Additional OU
provide the valueInfrastructure
, clickNext
- Enter the email addresses for your
Log Archive
andAudit
accounts, change theAudit
account name toSecurity
, clickNext
- OU and account names can ONLY be customized during initial installation. OU names, account names and email addresses _must* match identically with the values supplied in the Accelerator config file. - Select
Enabled
for AWS CloudTrail configuration (if not selected), clickNext
- Click
Set up landing zone
and wait ~60 minutes for the Control Tower installation to complete - Select
Add or register organizational units
, ClickAdd an OU
- Type
Dev
, clickAdd
, wait until the OU is finished provisioning (or it will error) - Repeat step 9 for each OU (i.e.
Test
,Prod
,Central
,Sandbox
) - Select
Account factory
, Edit, Subnets: 0, Deselect all regions, clickSave
- In AWS Organizations, move the Management account from the
root
OU into theSecurity
OU
- Go to the AWS Control Tower console and click
- Verify:
- AWS Organizations is enabled in
All features
mode- if required, navigate to AWS Organizations, click
Create Organization
,Create Organization
- if required, navigate to AWS Organizations, click
- Service Control Policies are enabled
- if required, in Organizations, select
Policies
,Service control policies
,Enable service control policies
- if required, in Organizations, select
- AWS Organizations is enabled in
- Verify the Organization Management (root) account email address
- In AWS Organizations, Settings, "Send Verification Request"
- Once it arrives, complete the validation by clicking the validation link in the email
- Create a new KMS key to encrypt your source configuration bucket (you can use an existing key)
- AWS Key Management Service, Customer Managed Keys, Create Key, Symmetric, and then provide a key name (
ASEA-Source-Bucket-Key
), Next - Select a key administrator (Admin Role or Group for the Organization Management account), Next
- Select key users (Admin Role or Group for the Organization Management account), Next
- Validate an entry exists to "Enable IAM User Permissions" (critical step if using an existing key)
"arn:aws:iam::123456789012:root"
, where123456789012
is your Organization Management account ID.
- Click Finish
- Select the new key, Select
Key Rotation
,Automatically rotate this CMK every year
, click Save.
- AWS Key Management Service, Customer Managed Keys, Create Key, Symmetric, and then provide a key name (
- Enable
"Cost Explorer"
(My Account, Cost Explorer, Enable Cost Explorer)- With recent platform changes, Cost Explorer may now be auto-enabled (unable to confirm)
- Enable
"Receive Billing Alerts"
(My Account, Billing Preferences, Receive Billing Alerts) -
It is extremely important that all the account contact details be validated in the Organization Management (root) account before deploying any new sub-accounts.
- This information is copied to every new sub-account on creation.
- Subsequent changes to this information require manually updating it in each sub-account.
- Go to
My Account
and verify/update the information lists under both theContact Information
section and theAlternate Contacts
section. - Please ESPECIALLY make sure the email addresses and Phone numbers are valid and regularly monitored. If we need to reach you due to suspicious account activity, billing issues, or other urgent problems with your account - this is the information that is used. It is CRITICAL it is kept accurate and up to date at all times.
1.4.2. Create GitHub Personal Access Token and Store in Secrets Manager(link)
As of v1.5.0, the Accelerator offers deployment from either GitHub or CodeCommit:
GitHub (recommended)
- You require a GitHub access token to access the code repository
- Instructions on how to create a personal access token are located here.
- Select the scope
public_repo
underneath the sectionrepo: Full control over private repositories
. - Store the personal access token in Secrets Manager as plain text. Name the secret
accelerator/github-token
(case sensitive).- Via AWS console
- Store a new secret, and select
Other type of secrets
,Plaintext
- Paste your secret with no formatting no leading or trailing spaces (i.e. completely remove the example text)
- Select the key you created above (
ASEA-Source-Bucket-Key
), - Set the secret name to
accelerator/github-token
(case sensitive) - Select
Disable rotation
- Store a new secret, and select
- Via AWS console
CodeCommit (alternative option)
Multiple options exist for downloading the GitHub Accelerator codebase and pushing it into CodeCommit. As this option is only for advanced users, detailed instructions are not provided.
- In your AWS Organization Management account, open CodeCommit and create a new repository named
aws-secure-environment-accelerator
- Go to GitHub and download the repository
Source code
zip or tarball for the release you wish to deploy- Do NOT download the code off the main GitHub branch, this will leave you in a completely unsupported state (and with beta code)
- Push the extracted codebase into the newly created CodeCommit repository, maintaining the file/folder hierarchy
- Set the default CodeCommit branch for the new repository to main
- Create a branch following the Accelerator naming format for your release (i.e.
release/v1.5.5
)
1.4.3. AWS Internal (Employee) Accounts Only(link)
If deploying to an internal AWS employee account and installing the solution with a 3rd party firewall, you need to enable Private Marketplace (PMP) before starting:
- In the Organization Management account go here: https://aws.amazon.com/marketplace/privatemarketplace/create
- Click
Create a Private Marketplace
, and wait for activation to complete - Go to the "Account Groups" sub-menu, click
Create account group
- Enter an Account Group Title (i.e.
Default
) andAdd
the Management (root) account number inAssociate AWS account
- Associate the default experience
New Private Marketplace
, then clickCreate account group
and wait for it to create - Go to "Experiences" sub-menu, select
New Private Marketplace
- Select the "Settings" sub-tab, and click the
Not Live
slider to make itLive
and wait for it to complete - Ensure the "Software requests" slider is set to
Requests off
and wait for it to complete - Change the name field (i.e. append
-PMP
) and change the color, so it is clear PMP is enabled for users, clickUpdate
- Go to the "Products" sub-tab, then select the
All AWS Marketplace products
nested sub-tab -
Search Private Marketplace for the Fortinet or Checkpoint products and select
Fortinet FortiGate (BYOL) Next-Generation Firewall
andFortinet FortiManager (BYOL) Centralized Security Management
orCloudGuard Network Security for Gateway Load Balancer - BYOL
andCheck Point Security Management (BYOL)
-
Select "Add" in the top right
- Due to PMP provisioning delays, this sometimes fails when attempted immediately following enablement of PMP or if adding each product individually - retry after 20 minutes.
-
While not used in this account, you must now subscribe to the two subscriptions and accept the EULA for each product (you will need to do the same in the perimeter account, once provisioned below)
- To subscribe, select the "Approved products" tab
- Click on the product you want to subscribe, in this case
Fortinet FortiGate (BYOL) Next-Generation Firewall
andFortinet FortiManager (BYOL Centralized Security Management
orCloudGuard Network Security for Gateway Load Balancer - BYOL
andCheck Point Security Management (BYOL)
- Click on "Continue to Subscribe"
- Click on "Accept Terms" and wait for subscription to be completed
- If you are deploying in any region except ca-central-1 or wish to switch to a different license type, you need the new AMI IDs. After successfully subscribing, continue one more step and click the “Continue to Configuration”. When you get the below screen, select your region and version (Fortinet
v6.4.7
, Checkpoint MgmtR81.10-335.883
and CloudGuardR80.40-294.374
recommended at this time). Marketplace will provide the required AMI ID. Document the two AMI IDs, as you will need to update them in your config.json file below.
1.5. Basic Accelerator Configuration(link)
- Select a sample config file as a baseline starting point
- IMPORTANT: Use a config file from the GitHub code branch you are deploying from, as valid parameters change over time. The
main
branch is NOT the current release and often will not work with the GA releases. - sample config files can be found in this folder;
- descriptions of the sample config files and customization guidance can be found here;
- unsure where to start, use the
config.lite-CTNFW-example.json
, where CTNFW is for Control Tower w/NFW; - These configuration files can be used, as-is, with only minor modification to successfully deploy the sample architectures;
- On upgrades, compare your deployed configuration file with the latest branch configuration file for any new or changed parameters;
- IMPORTANT: Use a config file from the GitHub code branch you are deploying from, as valid parameters change over time. The
- At minimum, you MUST update the AWS account names and email addresses in the sample file:
- For existing accounts, they must match identically to both the account names and email addresses defined in AWS Organizations (including the management account);
- For new accounts, they must reflect the new account name/email you want created;
- All new AWS accounts require a unique email address which has never before been used to create an AWS account;
- When updating the budget or SNS notification email addresses within the sample config, a single email address for all is sufficient;
- Update the IP address in the "alarm-not-ip" variable with your on-premise IP ranges (used for the AWS-SSO-Authentication-From-Unapproved-IP alarm);
- If deploying the Managed AD, update the dns-domain, netbios-domain, log-group-name, as well as the AD users and groups that will be created;
- For a test deployment, the remainder of the values can be used as-is;
- While it is generally supported, we recommend not adding more than 1 or 2 workload accounts to the config file during the initial deployment as it will increase risks of hitting a limit. Once the Accelerator is successfully deployed, add the additional accounts to the config file and rerun the state machine.
- More information here on the fields in the config file that need to be updated.
- A successful deployment of the prescriptive architecture requires VPC access to 9 AWS endpoints, you cannot remove both the perimeter firewalls (all public endpoints) and the 9 required central VPC endpoints from the config file (ec2, ec2messages, ssm, ssmmessages, cloudformation, secretsmanager, kms, logs, monitoring).
- When deploying to regions other than
ca-central-1
, you need to modify your config file as follows (for Canada Central 1, the AMI IDs are pre-populated for you):- Update the firewall and firewall manager AMI IDs to reflect your home regions regional AMI IDs (see 2.3.3, item 13), making sure you select the right version and region per the recommendations.
- Validate all the Interface Endpoints defined in your config file are supported in your home region (i.e. Endpoint VPC). Remove unsupported endpoints from the config file, add additional endpoints as available.
- If you are installing into a home region which is explicitly named in any of the replacements\addl_regions_x, remove it from the list. If deploying in us-east-1, remove ${GBL_REGION}.
- Create an S3 bucket in your Organization Management account
your-bucket-name
- you must supply this bucket name in the CFN parameters and in the config file (
global-options\central-bucket
) - the bucket name must be the same in both spots
- the bucket must have versioning enabled
- the bucket must be
S3-KMS
encrypted using theASEA-Source-Bucket-Key
created above
- you must supply this bucket name in the CFN parameters and in the config file (
- Place your customized config file(s), named
config.json
(orconfig.yaml
), in your new bucket - If required, place the firewall configuration and license files in the folder and path defined in the config file
- For AWS Network Firewall:
nfw/nfw-example-policy.json
- For Fortinet:
firewall/firewall-example.txt
,firewall/license1.lic
andfirewall/license2.lic
- We have made a sample available here:
./reference-artifacts/Third-Party/
- the sample configures an active / active firewall pair with two tunnels per firewall
- If you updated your perimeter VPC subnet names, you must also make these changes in your firewall-example.txt file
- If you don't have any license files, update the config file with an empty array (
"license": []
). Do NOT use the following:[""]
.
- We have made a sample available here:
- The basic Checkpoint configuration is stored directly in config.json
- For AWS Network Firewall:
- Place any defined certificate files in the folder and path defined in the config file
- i.e.
certs/example1-cert.key
,certs/example1-cert.crt
- Sample available here:
./reference-artifacts/Certs-Sample/*
- Ideally you would generate real certificates using your existing certificate authority
- Should you wish, instructions are provided to aid in generating your own self-signed certificates (Self signed certificates are NOT secure and simply for demo purposes)
- Use the examples to demonstrate Accelerator TLS functionality only
- i.e.
- Detach ALL SCPs (except
FullAWSAccess
which remains in place) from all OU's and accounts before proceeding- For Control Tower based installs do NOT detach Control Tower SCPs (i.e. aws-guardrails-xxxxxx)
- Installation will fail if this step is skipped
1.6. Installation(link)
- You can find the latest release in the repository here.
- We only support new installations of v1.5.5 or above (older releases continue to function)
- Download the CloudFormation (CFN) template for the release you plan to install (either
AcceleratorInstallerXXX.template.json
for GitHub orAcceleratorInstallerXXX-CodeCommit.template.json
for CodeCommit) - Use the provided CloudFormation template to deploy a new stack in your Management (root) AWS account
- As previously stated we do not support installation in sub-accounts
- Login to your Organization Management account and make sure you are in your desired
home
region (i.e.ca-central-1
) (your desired primary or control region) - Navigate to CloudFormation in the AWS Console and click
Create stack with new resources (standard)
, then- Select "Template is ready"
- For the "Specify template" select "Upload a template file"
- Select the
*.template.json
file you downloaded in step 2 above - Click Next
- Fill out the required parameters - LEAVE THE DEFAULTS UNLESS SPECIFIED BELOW
- Specify
Stack Name
STARTING withASEA-
(case sensitive) suggest a suffix oforgname
orusername
- Change
ConfigS3Bucket
to the name of the bucket you created aboveyour-bucket-name
- Add an
Email
address to be used for State Machine Status notification - The
GitHub Branch
should point to the release you selected- if upgrading, change it to point to the desired release
- the latest stable branch is currently
release/v1.5.5
, case sensitive - click
Next
- Specify
- Finish deploying the stack
- Apply a tag on the stack, Key=
Accelerator
, Value=ASEA
(case sensitive). - ENABLE STACK TERMINATION PROTECTION under
Stack creation options
- Click
Next
, Acknowledge resource creation, and clickCreate stack
- The stack typically takes under 5 minutes to deploy.
- Apply a tag on the stack, Key=
- Once deployed, you should see a CodePipeline project named
ASEA-InstallerPipeline
in your account. This pipeline connects to GitHub, pulls the code from the prescribed branch and deploys the Accelerator state machine.- if the CloudFormation fails to deploy with an
Internal Failure
, or, if the pipeline fails connecting to GitHub, then:- fix the issue with your GitHub secret created in section 2.3.2, then delete the Installer CloudFormation stack you just deployed, and restart at step 3 of this section.
- if the CloudFormation fails to deploy with an
- For new stack deployments, when the stack deployment completes, the Accelerator state machine will automatically execute (in Code Pipeline). When upgrading you must manually
Release Change
to start the pipeline. - While the pipeline is running:
- review the list of Known Installation Issues in the section below
- review the Accelerator Basic Operation and Frequently Asked Questions (FAQ) Document
- Once the pipeline completes (~10 mins), the main state machine, named
ASEA-MainStateMachine_sm
, will start in Step Functions - The state machine time is dependent on the quantity of resources being deployed. On an initial installation of a more complex sample configuration files, it takes approximately 2 hours to execute (depending on the configuration file). Timing for subsequent executions depends entirely on what resources are changed in the configuration file, but often takes as little as 20 minutes.
- While you can watch the state machine in Step Functions, you will also be notified via email when the State Machine completes (or fails). Successful state machine executions include a list of all accounts which were successfully processed by the Accelerator.
- The configuration file will be automatically moved into Code Commit (and deleted from S3). From this point forward, you must update your configuration file in CodeCommit.
- You will receive an email from the State Machine SNS topic and the 3 SNS alerting topics. Please confirm all four (4) email subscriptions to enable receipt of state machine status and security alert messages. Until completed, you will not receive any email messages (must be completed within 7-days).
-
If the state machine fails:
- Refer to the Troubleshooting Guide for instructions on how to inspect and retrieve the error
- You can also refer to the FAQ and Known Installation Issues
- Once the error is resolved, re-run the step function
ASEA-MainStateMachine_sm
using{"scope": "FULL","mode": "APPLY"}
as input
-
If deploying a prescriptive architecture with 3rd party firewalls, after the perimeter account is created in AWS Organizations, but before the Accelerator reaches Stage 2:
- NOTE: If you miss the step, or fail to execute it in time, no need to be concerned, you will simply need to re-run the main state machine (
ASEA-MainStateMachine_sm
) to deploy the firewall (no SM input parameters required) - Login to the perimeter sub-account (Assume your
organization-admin-role
) - Activate the 3rd party vendor firewall and firewall manager AMI's in the AWS Marketplace
- Navigate back to your private marketplace
- Note: Employees should see the private marketplace, including the custom color specified in prerequisite step 4 above.
- Select "Discover products" from the side bar, then in the "Refine Results" select "Private Marketplace => Approved Products"
- Subscribe and Accept the Terms for each product (firewall and firewall manager)
- When complete, you should see the marketplace products as subscriptions in the Perimeter account:
- NOTE: If you miss the step, or fail to execute it in time, no need to be concerned, you will simply need to re-run the main state machine (
-
If deploying the prescriptive architecture, once the main state machine (
ASEA-MainStateMachine_sm
) completes successfully, confirm the status of your perimeter firewall deployment- If you have t2.micro ec2 instances running in any account which had the account-warming flag set to true, they will be removed on the next state machine execution;
- If your perimeter firewalls were defined but not deployed on first run, you will need to rerun the state machine. This happens when:
- you were unable to activate the firewall AMI's before stage 2 (step 16)
- we were not able to fully activate your account before we were ready to deploy your firewalls. This case can be identified by a running EC2 micro instance in the account, or by looking for the following log entry 'Minimum 15 minutes of account warming required for account'.
- In these cases, simply select the
ASEA-MainStateMachine_sm
in Step Functions and selectStart Execution
(no SM input parameters required)
1.6.1. Known Installation Issues(link)
Current Issues:
-
If dns-resolver-logging is enabled, VPC names containing spaces are not supported at this time as the VPC name is used as part of the log group name and spaces are not supported in log group names. By default in many of the sample config files, the VPC name is auto-generated from the OU name using a variable. In this situation, spaces are also not permitted in OU names (i.e. if any account in the OU has a VPC with resolver logging enabled and the VPC is using the OU as part of its name)
-
On larger deployments we are occasionally seeing state machine failures when
Creating Config Recorders
. Simply rerun the state machine with the input of{"scope": "FULL", "mode": "APPLY"}
. -
Occasionally CloudFormation fails to return a completion signal. After the credentials eventually fail (1 hr), the state machine fails. Simply rerun the state machine with the input of
{"scope": "FULL", "mode": "APPLY"}
-
If the State Machine fails on an initial execution of NEW-ACCOUNTS, it must be re-run to target the failed accounts (i.e. with
{"scope": "FULL", "mode": "APPLY"}
) or the new sub-accounts will fail to be properly guardrailed
Issues in Older Releases:
- New installs to releases prior to v1.5.5 are no longer supported.
- Upgrades to releases prior to v1.5.5 are no longer supported.
- Upgrades to v1.3.9 in preparation for an upgrade to v1.5.5 may be possible with manual workarounds.
-
FROM 2022-08-07 to 2022-10-12: An issue with the version of cfn-init in the "latest" AWS standard Windows AMI will cause the state machine to fail during a new installation when deploying an RDGW host. RDGW hosts in existing deployments will fail to fully initialize if the state machine is or has been recently run and the auto-scaling group subsequently refreshes the host (default every 7 days).
- To temporarily workaround this issue, assume an administrative role in your
operations
account, open Systems Manager Parameter Store, andCreate parameter
with a Name of/asea/windows-ami
and a value ofami-0d336ea070bc06fb8
(which is the previous good AMI in ca-central-1), accepting the other default values. Update your config file to point to this new parameter by changingimage-path
(under \deployments\mad) to/asea/windows-ami
instead of/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base
. Rerun your state machine. If you have an existing RDGW instance it should be terminated to allow the auto-scaling group to redeploy it. In other regions you will need to lookup the previous working ami-id (you cannot useami-0d336ea070bc06fb8
) - This issue was resolved with the 2022-10-12 Windows AMI release. Customers that implemented this workaround must revert the above config file entry and rerun their state machines (the above AMI has been deprecated).
- To temporarily workaround this issue, assume an administrative role in your
1.7. Post-Installation(link)
The Accelerator installation is complete, but several manual steps remain:
-
Enable and configure AWS SSO in your
home
region (i.e. ca-central-1)-
NOTE: AWS SSO has been renamed to AWS IAM Identity Center (IdC). The IdC GUI has also been reworked. The below steps are no longer click-by-click accurate. An update to the below documentation is planned, which will also include instructions to delegate AWS IdC administration to the Operations account enabling connecting IdC directly to MAD, rather than through an ADC.
-
Login to the AWS Console using your Organization Management account
- Navigate to AWS Single Sign-On, click
Enable SSO
- Set the SSO directory to AD ("Settings" => "Identity Source" => "Identity Source" => click
Change
, Select Active Directory, and select your domain from the list) - Under "Identity Source" section, Click
Edit
beside "Attribute mappings", then set theemail
attribute to:${dir:email}
and clickSave Changes
- Configure Multi-factor authentication, we recommend the following minimum settings:
- Every time they sign in (always-on)
- Security key and built-in authenticators
- Authenticator apps
- Require them to provide a one-time password sent by email to sign in
- Users can add and manage their own MFA devices
- Create all the default permission sets and any desired custom permission sets
- e.g. Select
AWS accounts
from the side bar, select "Permission sets" tab thenCreate permission set
Use an existing job function policy
=> Next- Select job function policy
AdministratorAccess
- Add Tags, Review and Create
- repeat for each default permission set and any required custom permission sets
- e.g. Select
- For Control Tower based installations, remove the orphaned Permission Sets from each AWS accounts (select the account, expand Permission Sets, click Remove for each)
- Map MAD groups to permission sets and accounts
- Select
AWS accounts
from the side bar and selectAWS organization
tab - Select the accounts you want to map to each MAD group and click
Assign users
- Select your DNS domain e.g.
example.local
, and search for the group you would like to assign (e.g.aws-
for the pre-created groups) and clickSearch connected directory
- Select the desired group
aws-log-archive-View
- Select the permission set you would like to assign to the MAD group to (e.g.
ViewOnlyAccess
) - Click
Finish
(Note: if it fails during provisioning, simply select the failed accounts and click on "Retry changes")
- Select
- AWS SSO should be the primary mechanism for all access to all AWS accounts in your Organization, to determine or update the login page for your organization:
- Click on
Dashboard
within the AWS SSO console and note theUser portal URL
- Share this url with all your users
- NOTE: the url prefix can only be changed ONCE (ever) using the settings tab, so update with caution
- Click on
- Any pre-created AWS MAD users passwords are available in secrets manager in the AWS management account. To reset these passwords login to the Operations account through AWS SSO, then:
- Navigate to "Directory Service" , select the directory => Actions => Reset user password
- Users can change their passwords from any MAD domain connected instance
-
-
Configure the new alb-forwarding feature (added in v1.5.0)
- AWS ALB's are published using DNS names which resolve to backing IP's which could silently change at any time due to a scaling event, maintenance, or a hardware failure. While published as a DNS name, ALB's can only target IP addresses. This presents a challenge as we need the ALB's in the perimeter account to target ALB's in the various back-end workload accounts;
- Alb-forwarding solves this problem by executing a small snippet of code every 60 seconds which updates managed ALB listeners with any IP changes, ensuring any managed flows do not go offline. This removes the requirement to leverage a 3rd party appliance to perform NAT to a DNS name;
- Alb-forwarding is enabled on the perimeter VPC in the perimeter account in many of the sample configs and can be used with Accelerator created or customer created ALB's. This setting causes a new DynamoDB table named
ASEA-Alb-Ip-Forwarding-vpc-*
to be created in the perimeter account. Additionally the parameter store in the perimeter account contains the details of all Accelerator deployed ALB's across the environment for easy reference; - Steps to configure:
- First you need to manually create a listener on the front-end ALB (without a target group), multiple listeners are supported;
- Next, for each application that needs to be published, a record needs to be added to the DynamoDB table, see sample below;
- Records can be added to the table for any ALB in the account running the alb-forwarding tool. Records can be added at any time. DDB change logs will trigger the initial creation of the appropriate target group(s) and IP addresses will be verified and updated every 60 seconds thereafter.
Sample DynamoDB JSON to add an entry to the table:
{ "id": "App1", "targetAlbDnsName": "internal-Core-mydevacct1-alb-123456789.ca-central-1.elb.amazonaws.com", "targetGroupDestinationPort": 443, "targetGroupProtocol": "HTTPS", "vpcId": "vpc-0a6f44a80514daaaf", "rule": { "sourceListenerArn": "arn:aws:elasticloadbalancing:ca-central-1:123456789012:listener/app/Public-DevTest-perimeter-alb/b1b12e7a0c412bf3/ef9b022a4fdd8bdf", "condition": { "paths": ["/img/*", "/myApp2"], "hosts": ["aws.amazon.com"], "priority": 30 } } }
- where `id` is any unique text, `targetAlbDnsName` is the DNS address for the backend ALB for this application (found in parameter store), `vpcId` is the vpc ID containing the front-end ALB (in this account), `sourceListenerArn` is the arn of the listener of the front-end ALB, `paths` and `hosts` are both optional, but one of the two must be supplied. Finally, `priority` must be unique and is used to order the listener rules. Priorities should be spaced at least 40 apart to allow for easy insertion of new applications and forwarder rules. - the provided `targetAlbDnsName` must resolve to addresses within a [supported](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html) IP address space.
-
On a per role basis, you need to enable the CWL Account Selector in the Security and the Operations accounts, in each account:
- Go to CloudWatch, Settings, Under
Cross-account cross-region
selectConfigure
, UnderView cross-account cross-region
selectEdit
, chooseAWS Organization account selector
, clickSave changes
- Go to CloudWatch, Settings, Under
-
Configure central Ingress/Egress firewalls, if deployed
- Layer 3/4
appliance
based inspection is an optional feature
General
- If deployed, login to any 3rd party firewalls and firewall manager appliances and update any default passwords;
- Tighten security groups on the 3rd party firewall instances (using the Accelerator configuration file), further limiting access to firewall management interfaces to a set of designated and controlled CIDR ranges;
- Update the firewall configuration per your organization's security requirements and best practices;
- Diagrams reflecting perimeter traffic flows when NFW and/or GWLB are used can be found here on slides 6 through 9.
AWS Network Firewall
- The AWS Network Firewall policies and rules deployed by the Accelerator, can only be updated using the Accelerator. Customers wishing to manage the AWS Network Firewall from the console GUI, must create a new policy with new rules created through the console and then manually associate this new policy to the Accelerator deployed Network Firewall. Customers can choose either option, but they cannot be mixed to ensures that Accelerator updates do not overwrite console based updates.
Fortinet
- Manually update firewall configuration to forward all logs to the Accelerator deployed NLB addresses fronting the rsyslog cluster
- login to each firewall, select
Log Settings
, checkSend logs to syslog
, put the NLB FQDN in theIP Address/FQDN
field (stored in parameter store of perimeter account)
- login to each firewall, select
- Manually update the firewall configuration to connect perimeter ALB high port flows through to internal account ALB's
- Note: while this option is still available, a new alb-forwarding mechanism is available in v1.5.0+ (see section 2 above) which simplifies and eliminates this more complicated "NAT to DNS name" option;
- login to each firewall, switch to
FG-traffic
vdom, selectPolicies & Objects
, selectAddresses
, ExpandAddresses
- Set
Prod1-ALB-FQDN
to point to a reliable sub-account ALB FQDN, this is used for full-path health checks on all ALB's - Set additional
DevX-ALB-FQDN
,TestX-ALB-FQDN
andProdX-ALB-FQDN
to point to workload account ALB FQDNs- Two of each type of ALB FQDN records have been created, when you need more, you need to create BOTH an additional FQDN and a new VIP, per ALB
- Each new VIP will use a new high port (i.e. 7007, 7008, etc.), all of which map back to port 443
- Detailed steps can be read here.
- Set
Checkpoint
- Download and install Checkpoint SmartConsole client on your PC (only available for Windows, if you have a Mac, you can use Workspaces to install the client)
- Retrieve the firewall and firewall manager SSL certificate from secrets manager in the perimeter account and save to a pem file (convert to ppk on Windows)
- Login to the
AWS Console
for thePerimeter
account - Navigate to
Secrets Manager
and selectSecrets
- Look for Secret name
ASEA/keypair/ASEA-Appliances
and click on it - Go to the
Secret value
section and click onRetrieve secret value
- Make sure you have the
Plaintext
tab selected and copy the content to a .pem file using your preferred text editor. (the file will need to be converted to ppk format on Windows)
- Login to the
- Wait approx. 25 min. after the managers "Launch time" and then SSH into the Firewall Manager using the SSL certificate (.pem file retrieved above) and login user
admin
- The firewall manager EC2 instance name is
ASEA-Checkpoint-FirewallMgr
- Once you SSH successfully, execute the following commands:
set user admin password
set expert-password
set user admin shell /bin/bash
save config
- The firewall manager EC2 instance name is
- The following commands are useful for troubleshooting (in expert mode):
autoprov_cfg -v
(check cme at Take 155 or greater)autoprov_cfg show all
(check cme configuration)cat /var/log/aws-user-data.log
(validate bootstrap, file should end with"Publish operation" succeeded (100%)
)tail -f /var/log/CPcme/cme.log
(watch to ensure it finds the instances, establishes SIC and adds the nodes)
- Login to SmartConsole, and update the firewall policy per your organizations security requirements
- An outbound rule allowing http and https should exist
- From the RDGW host in Operations, test to see if outbound web browsing is enabled
- NOTES:
- No best practice or security configuration has been configured on the Checkpoint firewalls. These firewalls have been configured to work with GWLB, but otherwise have the default/basic Checkpoint out-of-box configuration installed
- Do NOT reboot the Checkpoint appliances until bootstrap is complete (~25 minutes for the manager), or you will be required to redeploy the instance
- Layer 3/4
-
Recover root passwords for all sub-accounts and apply strong passwords
- Process documented here
-
Enable MFA for all IAM users and all root account users, recommendations:
- Yubikeys provide the strongest form of MFA protection and are strongly encouraged for all account root users and all IAM users in the Organization Management (root) account
- the Organization Management (root) account requires a dedicated Yubikey (if access is required to a sub-account root user, we do not want to expose the Organization Management accounts Yubikey)
- every ~50 sub-accounts requires a dedicated Yubikey (minimize the required number of Yubikeys and the scope of impact should a Yubikey be lost or compromised)
- each IAM breakglass user requires a dedicated Yubikey, as do any additional IAM users in the Organization Management (root) account. While some CSPs do not recommend MFA on the breakglass users, it is strongly encouraged in AWS
- all other AWS users (AWS SSO, IAM in sub-accounts, etc.) can leverage virtual MFA devices (like Google Authenticator on a mobile device)
-
Customers are responsible for the ongoing management and rotation of all passwords on a regular basis per their organizational password policy. This includes the passwords of all IAM users, MAD users, firewall users, or other users, whether deployed by the Accelerator or not. We do NOT automatically rotate any passwords, but strongly encourage customers do so, on a regular basis.
-
During the installation we request required limit increases, resources dependent on these limits will not be deployed
- Limit increase requests are controlled through the Accelerator configuration file
"limits":{}
setting - The sample configuration file requests increases to your EIP count in the perimeter account and to the VPC count and Interface Endpoint count in the shared-network account
- You should receive emails from support confirming the limit increases
- On the next state machine execution, resources blocked by limits should be deployed (i.e. additional VPC's and Endpoints)
- If more than 2 days elapses without the limits being increased, on the next state machine execution, they will be re-requested
- Limit increase requests are controlled through the Accelerator configuration file
-
Note: After a successful install the Control Tower
Organizational units'
dashboard will indicate2 of 3
in theAccounts enrolled
column for the Security OU, as it does not enable enrollment of the management account in guardrails. The Accelerator compliments Control Tower and enables guardrails in the management account which is important to high compliance customers.
1.8. Other Operational Considerations(link)
- The Organization Management (root) account does NOT have any preventative controls to protect the integrity of the Accelerator codebase, deployed objects or guardrails. Do not delete, modify, or change anything in the Organization Management (root) account unless you are certain as to what you are doing. More specifically, do NOT delete, or change any buckets in the Organization Management (root) account.
- While generally protected, do not delete/update/change S3 buckets with cdk-asea-, or asea- in any sub-accounts.
- ALB automated deployments only supports Forward and not redirect rules.
- AWS generally discourages cross-account KMS key usage. As the Accelerator centralizes logs across an entire organization as a security best practice, this is an exception/example of a unique situation where cross-account KMS key access is required.
- Only 1 auto-deployed MAD in any mandatory-account is supported today.
- VPC Endpoints have no Name tags applied as CloudFormation does not currently support tagging VPC Endpoints.
- If the Organization Management (root) account coincidentally already has an ADC with the same domain name, we do not create/deploy a new ADC. You must manually create a new ADC (it won't cause issues).
- 3rd party firewall updates are to be performed using the firewall OS based update capabilities. To update the AMI using the Accelerator, you must first remove the firewalls and then redeploy them (as the EIP's will block a parallel deployment), or deploy a second parallel FW cluster and de-provision the first cluster when ready.
- When adding more than 100 accounts to an OU which uses shared VPC's, you must first increase the Quota
Participant accounts per VPC
in the shared VPC owner account (i.e. shared-network). Trapping this quota before the SM fails has been added to the backlog. - The default limit for Directory Sharing is 125 accounts for an Enterprise Managed Active Directory (MAD), a quota increase needs to be manually requested through support from the account containing the MAD before this limit is reached. Standard MAD has a sharing limit of 5 accounts (and only supports a small quota increase). The MAD sharing limit is not available in the Service Quota's tools.