AWS Secure Environment Accelerator Deployment Capabilities(link)
Overview(link)
Deploys, creates, manages and updates the following objects across a multi-region, multi-account AWS environment
| TASK | Accelerator - What happens, WHERE, under what condition, on each state machine execution |
|---|---|
| AWS Accounts | |
| - Creates mandatory accounts (accounts which other accounts are dependent on) | organization management (root) account, global scope |
| - Creates workload accounts (individually or in bulk), base personality determined by ou placement | organization management (root) account, global scope |
| - Supports native AWS Organization account and OU activities (OU and account rename, move account between OU's, create accounts, etc.) | organization management (root) account, global scope |
| - Applies a Deny All SCP on any newly created account(s) until successfully guardrailed | organization management (root) account, new account scope (failure to apply guardrails fails the Accelerator and leaves account blocked until remediated) |
| - Allows bulk parallel* account creation, configuration, updates and guardrail application | creates, guardrails and configures new accounts and regions in parallel per defined personas, organization management (root) account. Control Tower account ingestion is sequential at this time. |
| - Performs 'account warming' to establish initial limits, when required | state Machine region only, defined accounts (per region potential) |
| - Checks limit increases, when required (complies with initial limits until increased) | per account, per region (supported limits only) |
| - Automatically submits limit increases, when required | state Machine region only, defined accounts (per region potential) |
| - Leverages AWS Control Tower | Accelerator and Control Tower home regions must match, the Accelerator supports all on-by-default regions and will require a standalone install in regions not yet supported by Control Tower |
| Networking | |
| - Creates Transit Gateways and TGW route tables incl. static routes and inter-region TGW peering | in the defined region(s), defined account(s) |
| - Creates centralized and/or local account (bespoke) VPC's | in the defined region(s), defined account(s) |
| ...all completely and individually customizable (per account, VPC, subnet, or OU), Static or Dynamic VPC and subnet CIDR assignments | |
| - Creates Subnets, Route tables, NACLs, Security groups, NATGWs, IGWs, VGWs, CGWs (per customer specs) | part of any VPC, in the defined region(s), defined account(s) - allows detailed CIDR allocation, and cross-account security group referencing |
| - Deletes default VPC's (worldwide) | in all regions, in all accounts, can disable regions (all accounts or specific account) |
| - Creates VPC Endpoints (Gateway and Interface) | part of any VPC, in the defined region(s), defined account(s) |
| - Configures centralized endpoints (R53 zones populated, shared and attached to local and cross-account VPC's) | configures regional central endpoints (only one 'central' VPC per region) |
| - Creates Route 53 Private and Public Zones | in the defined account(s), defined region(s), defined VPC(s), global scope |
| - Creates Resolver Rules and Resolver (inbound/outbound) Endpoints | part of a specific VPC(s), in the defined region(s), defined account(s) (i.e. per region possible) |
| ...including MAD R53 DNS resolver rule creation | created in same region as MAD only, shared to same region VPC's when use-central-endpoints set |
| - Automatically creates R53 VPC Endpoint Overloaded Zones | same region(s), same account(s) as the endpoint and VPC(s) |
| - Deploys and configures AWS Network Firewall | on any VPC, any region, any account |
| Cross-Account Object Sharing | |
| - VPC and Subnet sharing, including account level retagging/naming (and per account security group 'replication') | VPC's are shared to accounts within the SAME REGION as the source VPC only An OU could have additional VPC's defined for additional regions and would be shared to the appropriate accounts in the same additional regions |
| - VPC peering and TGW attachments (local and cross-account) | in the defined region, no cross-region attachments or peering supported |
| - Managed Active Directory sharing | state machine region only (consider same region as the MAD only)(unshare method not implemented) |
| - Automated TGW inter-region peering | cross-region, cross-account or same-account |
| - Shares SSM remediation documents | from defined account(s), to defined OU's, in defined regions |
| Zone sharing and VPC associations | |
| - Public Hosted Zones | no sharing, no association required (any account, any VPC, any region) |
| - Private Hosted Zones - i.e. Cloud DNS domains | associated worldwide to all VPCs with use-central-endpoints |
| - Endpoint Private Hosted Zones | associate within region, for all VPC use-central-endpoints (including cross-account) |
| - On-premise resolver rules | associate within region, for all VPC use-central-endpoints (including cross-account) |
| - MAD resolver rule association | same region as the MAD resolver only, assoc. w/all VPC use-central-endpoints |
| Identity | |
| - Creates Directory services (Managed Active Directory and Active Directory Connectors) | in a specific VPC, in the defined region, defined account - only 1 per account, therefore can't have a second region in the same account (ADC creation only supported in mandatory accounts) |
| - Creates Windows admin bastion host auto-scaling group | once per above MAD (once per account), same region as MAD |
| - Set Windows domain password policies (initial installation only) | once per above MAD (once per account), same region as MAD |
| - Set IAM account password policies | once per account, global scope |
| - Creates Windows domain users and groups (initial installation only) | once per above MAD (once per account), same region as MAD |
| - Creates IAM Policies, Roles, Users, and Groups | once per account, global scope |
| Cloud Security Services | |
| - Enables and configs the following AWS services, worldwide w/central specified admin account: | (each service can have specified regions disabled) |
| - GuardDuty w/S3 protection | enabled all regions, all accounts, admin account per region |
| - Security Hub (Enables specified security standards, and disables specified individual controls) | enabled all regions, all accounts, admin account per region |
| - Firewall Manager | enabled once per account (global scope), single admin account |
| - CloudTrail w/Insights and S3 data plane logging | enabled all regions (using Organization trail, stored in Organization Management account) |
| - Config Recorders/Aggregator | enabled all regions, all regions include global events, aggregator set to specified region in Organization Management account |
| - Macie | enabled all regions, admin account per region |
| - IAM Access Analyzer | enabled once per account (global scope), single admin account |
| - Enables CloudWatch access from central specified admin account | enabled once per account (global scope), two admin accounts (Ops & Security) |
| - Deploys customer provided SSM remediation documents (four provided out-of-box today) | customized per OU, defined regions, defined accounts |
| ...remediates S3 buckets without KMS CMK encryption and ALB's without centralized logging | customized per OU, all regions, integrated w/SSM remediation, when desired |
| - Deploys AWS Config rules (managed and custom) including AWS Conformance packs (NIST 800-53 deployed by default + 2 custom) | customized per OU, all regions, all accounts integrated w/SSM remediation, when desired |
| Other Security Capabilities | |
| - Creates, deploys and applies Service Control Policies | at the top OU level only, sub-ou's managed directly through AWS Organizations |
| - Creates Customer Managed KMS Keys w/automatic key rotation (SSM, EBS, S3) | SSM and EBS keys are created if a VPC exists in the region, S3 if we need an Accelerator bucket in the region, per account |
| - Enables account level default EBS KMS CMK encryption | set if a VPC exists in the region, per account |
| - Enables S3 Block Public Access | once per account, global scope |
| - Configures Systems Manager Session Manager w/KMS CMK encryption and centralized logging | set if a VPC exists in the region, per account |
| - Imports or requests certificates into AWS Certificate Manager | State Machine region only (per region potential, required for ALB deployments) |
| - Deploys both perimeter and account level ALB's w/Lambda health checks, certs & TLS policies | State Machine region only (per region potential) |
| - Deploys & configures 3rd party firewall clusters and management instances | in the defined region(s), defined account(s) |
| ...Gateway Load Balancer w/auto-scaling (NEW) and VPN IPSec BGP ECMP deployment options | |
| - Configuration is fully managed and maintained in AWS CodeCommit - full multi-account configuration history | organization management (root) account |
| ...breaking configuration changes block Accelerator execution | Idempotent - extensive error handling and failure cleanup - Accelerator can be stopped, started, and rerun without implication |
| Centralized Logging | |
| - Deploys an rsyslog auto-scaling cluster behind an NLB, all syslogs forwarded to CWL | State Machine region only (per region potential) |
| - Centralizes logging to a single centralized S3 KMS CMK encrypted bucket (enables, configures and centralizes) incl: | Sets S3 ownership flag, sets bucket retentions |
| - VPC Flow logs (w/Enhanced metadata fields and optional CWL destination) | part of a specific VPC, in the defined region, defined account (to local account bucket in state machine region, replicated to log-archive primary region) |
| - Organizational Cost and Usage Reports | once per organization, global scope (to local account bucket in state machine region, replicated to log-archive primary region) |
| - CloudTrail Logs including S3 Data Plane Logs (also sent to CWL) | directly back to log-archive, specified primary region |
| - All CloudWatch Logs (includes rsyslog logs) (and setting Log group retentions) | State machine region, plus configured regions |
| - Config History and Snapshots | directly back to log-archive account specified primary region |
| - Route 53 Public Zone Logs, DNS Resolver Query Logs | to CloudWatch Logs in us-east-1 (which are sent to S3) |
| - GuardDuty Findings | directly back to log-archive, specified primary region |
| - Macie Discovery results | directly back to security, specified primary region, replicated to log-archive |
| - ALB Logs | State Machine region only (same as ALB deployment) |
| - SSM Session Logs (also sent to CWL) | All regions currently send back to central region, log-archive account |
| Extensibility | |
| - Populates each accounts Parameter Store with the Accelerator deployed objects (allows customer IaC to extend/leverage) | each account, defined regions (all ELB's across the environment are populated in specified accounts, i.e. perimeter, to enable automated end-to-end plumbing) |
| - Every execution outputs the execution status and a list of successfully guardrailed accounts to a SNS topic | allows 3rd party framework to execute after every Accelerator execution by hooking to SNS topic |
| ...which emails a customer defined email address | ...or hooking to the email alert |
| - Deploys roles with customized access (read-only,write) to the log-archive buckets (enabling customer SIEM deployments, SSM, EC2 CWL) | defined account, global scope |
| - Designed for Day 1, 2 and day 10. Customers get new features without any customization effort no matter the deployed architecture | Upgradable from any version to any version, no customization or professional services required (Customer production proven across multiple releases) |
| Alerting | |
| - Deploys global High, Medium, Low, Ignore priority SNS topics and email subscriptions | in the defined account, org accessible regional topics, each region subscribed to a single defined central region which has the email subscriptions |
| - Deploys customer defined CloudWatch Log Metrics and Alarms w/prioritized alarms (19 out-of-box) | all accounts, home region only, as this is where the Org/account CloudTrail exists |
| - Creates and configures AWS budgets w/alerting (customizable per OU and per account) | once per account, global scope |
| - Configures email alerting for CloudTrail Metric Alarms, Firewall Manager Events, Security Hub Findings incl. GuardDuty Findings |
General(link)
- "defined" region, "defined" account, means "customer defined", either at installation, upgrade, or any time they decide to reconfigure
- all items are created per customer defined parameters and configurations and are fully customizable without changing a single line of code
- security services are enabled and deployed globally, but, each service can be disabled per region. A single region deployment is possible.
- customer can enable/disable features, or change the configuration of each feature in the Accelerator config file
- customers can evolve their configurations over time, as they evolve and as their requirements change, without the requirement for code changes or professional services
Region support(link)
- All AWS commercial regions are supported. Lack of availability of CodeBuild, CodeCommit, or AWS Organizations in the Accelerator primary or installation region will prevent installation directly in that region. In these cases, customers can select a different installation region and the Accelerator can remotely deploy configurations and guardrails to that unsupported installation region.
- Prior to v1.2.5, we utilized a single StackSet, which blocked several additional installation regions. The Accelerator no longer leverages any StackSets, unblocking installing directly in several additional regions.
- As most features can be toggled on/off (per region), we expect most regions should be supportable both as a primary (or installation) region with the three above noted exceptions, and in these cases should still be fully supported as a managed (or secondary) region.
- Opt-in regions are not yet supported, but given enough demand, could easily be added.