Warning
The configuration file schema documentation is a work in progress. Please use this draft document with caution. The deeper you browse into the hierarchy, the less accurate the definitions are likely to be.

This section defines parameters or configurations that apply across the entire Accelerator installation.

Hierarchy

  • GlobalOptions

Properties

Optional additional-cwl-regions

additional-cwl-regions: {}
Title: Additional CloudWatch Log Regions
Description: By default, only CloudWatch Logs from the Accelerator home region are centralized into the central S3 logging bucket; this setting allows centralizing CloudWatch Logs for additional regions. Each region requires an entry in the format: `"us-east-1": { "kinesis-stream-shard-count": 1 }`.

Optional additional-global-output-regions

additional-global-output-regions: string[]
Title: Additional Global Output Regions
Description: By default, Parameter Store is only populated with parameters for Accelerator-deployed objects in the Accelerator home region; this setting allows populating Parameter Store in additional regions.

Optional aws-config

aws-config: AWSConfig
Title: AWS Config
Description: This section within `global-options` is used to *define* AWS Config rules. These rules are deployed into accounts within designated organizational units or to specific accounts based on settings at the organizational-unit or account level. AWS Config rules continuously evaluate the configuration settings of your AWS resources and when AWS Config detects that a resource violates the conditions in your rule(s), it flags the resource as noncompliant.

aws-org-management

Title: AWS Organizational Management Account
Description: The Accelerator has the concept of grouping certain sets of functionality (security, logs, ITOps, Management) together and centralizing their respective capabilities into a single account. This section identifies the Organization management account and provides the ability to enable/disable services associated with it which are applicable across the organization. The Organization management account will be defined in the `mandatory-account-configs` section of the config file.

central-bucket

central-bucket: string
Title: Customer S3 Input Bucket
Description: The S3 bucket used by customers to provide their customized configuration files, including the config.json file. These files are used by the Accelerator to define the deployed architecture and configuration, or to override the defaults. During deployment, the core configuration file is copied to CodeCommit, and customers must make configuration changes in CodeCommit after the initial install.

central-log-services

Title: Central Log Services
Description: The Accelerator has the concept of grouping certain sets of functionality (security, logs, ITOps, Management) together and centralizing their respective capabilities into a single account. This section identifies the Logging account and provides the ability to enable/disable services associated with it which are applicable across the organization. The Logging account will be defined in the `mandatory-account-configs` section of the config file. Organization wide Logging Services will be defined here.

central-operations-services

central-operations-services: CentralizedSecurityServicesConfig1
Title: Central Operations Services
Description: The Accelerator has the concept of grouping certain sets of functionality (security, logs, ITOps, Management) together and centralizing their respective capabilities into a single account. This section identifies the Operations account and provides the ability to enable/disable services associated with it which are applicable across the organization. The Operations account will be defined in the `mandatory-account-configs` section of the config file. Organization wide Operations Services will be defined here.

central-security-services

central-security-services: CentralizedSecurityServicesConfig
Title: Central Security Services
Description: The Accelerator has the concept of grouping certain sets of functionality (security, logs, ITOps, Management) together and centralizing their respective capabilities into a single account. This section identifies the Security Tooling account and provides the ability to enable/disable services associated with it which are applicable across the organization. The Security Tooling account will be defined in the `mandatory-account-configs` section of the config file. Organization wide Security Services will be defined here.

Optional cidr-pools

cidr-pools: CIDRPool[]
Title: CIDR Pools
Description: CIDR Pools are used to enable the automatic allocation of IP addresses to VPCs and Subnets. Multiple named pools can be created which can each contain multiple CIDR blocks, each assigned to a specific region.

Optional cloudwatch

Title: CloudWatch
Description: This section is used to *define* and *deploy* CloudWatch metrics and alarms. These metrics and alarms can be installed in a list of named accounts, or in all accounts in the organization, within this section. CloudWatch metrics and alarms are currently only supported in the Accelerator home region.

Optional control-tower-supported-regions

control-tower-supported-regions: string[]
Title: Control Tower Supported Regions
Description: This field needs to be populated with the list of regions both supported and enabled by Control Tower. As customers enable new regions, including when new regions are supported by Control Tower, they need to be added to this list.

ct-baseline

ct-baseline: boolean
Title: ControlTower Baseline
Description: Indicates this installation depends on Control Tower and Control Tower deployed functionality. Control Tower must be installed before beginning an Accelerator installation. Upgrades from a standalone install to a Control Tower based install are not currently possible. This flag cannot be changed after initial installation.

default-cwl-retention

default-cwl-retention: number
Title: CloudWatch Logs Retention Period
Description: Defines the default retention period for CloudWatch Log Groups in all Accelerator managed accounts, in days. Valid values include: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653.

default-s3-retention

default-s3-retention: number
Title: Default account S3 logging bucket retention period
Description: In certain cases logs are delivered to the local account before being centralized to the central logging bucket (e.g. VPC Flow Logs). This setting determines the default retention, in days, for the local account copy of the logs in S3.

Optional default-ssm-documents

default-ssm-documents: string[]
Title: Deprecated
Description: Deprecated

Optional endpoint-port-overrides

endpoint-port-overrides: {}
Title: Endpoint Port Overrides
Description: The Accelerator locks down all interface endpoint security groups to 0.0.0.0/0:443 inbound, with no outbound rules. As certain endpoints require a different set of ports, this setting enables customers to override the defaults for a specific endpoint. If a customer needs to lock down an endpoint to a specific CIDR range, that is set at the VPC level. Example: `"endpoint-port-overrides": {"logs": ["TCP:443", "UDP:9418"], "ssmmessages": ["TCP:443", "TCP:8080"] }`

Type declaration

  • [k: string]: string[]

Optional iam-password-policies

iam-password-policies: IAMPasswordPolicy
Title: IAM Password Policies
Description: This group of settings enables setting the AWS IAM password policies for all accounts in the organization.

Optional ignored-ous

ignored-ous: string[]
Title: Ignored OUs
Description: Accounts placed within any OU defined here fall outside the governance structure of the Accelerator and do not need to be listed in the config file. The Accelerator does not apply guardrails to accounts within these OUs.

Optional install-cloudformation-master-role

install-cloudformation-master-role: boolean
Title: Install Cloudformation Management Role
Description: This flag allows the creation of the CloudFormation role in the Organization management account to be disabled. Only required when repurposing an old sub-account as a new Organization management account.

Optional keep-default-vpc-regions

keep-default-vpc-regions: string[]
Title: Keep Default VPC Regions
Description: The Accelerator deletes default VPCs in every region; this specifies regions where the Accelerator will not delete default VPCs across all accounts in the Organization. This can also be specified at the account level.

Optional organization-admin-role

organization-admin-role: string
Title: Organization Admin Role
Description: The initial default role that exists in every new AWS account and will be used by Accelerator and Control Tower when creating new accounts. Must be specified by customers when creating new AWS accounts through AWS Organizations. This must be set to AWSControlTowerExecution when ct-baseline is set to true.

reports

Title: Cost and Usage Reports
Description: This section enables customers to deploy and configure Cost and Usage Reports for the organization.

scps

Title: SCPs
Description: This section within `global-options` is used to *define* AWS Service Control Policies (SCPs). Defined SCPs are referenced in the `organizational-units` or `account-configs` sections, which assign these SCPs to the OUs or accounts they apply to.

security-hub-frameworks

security-hub-frameworks: SecurityHubFrameworksConfig
Title: Security Hub Frameworks
Description: Defines the Security Hub frameworks to be deployed to all accounts in the organization and any individual controls within the frameworks to be disabled.

Optional separate-s3-dp-org-trail

separate-s3-dp-org-trail: boolean
Title: Separate S3 DataPlane Organization Trail
Description: Added to enable Control Tower support, as the Control Tower CloudTrails do not include data plane logging. This allows for the creation of a second trail only containing Data Plane events.

Optional ssm-automation

ssm-automation: SSMAutomation[]
Title: SSM Automation
Description: This section within `global-options` is used to *define* and *deploy* SSM automation documents into a limited number of central accounts. These Automation documents are then shared into accounts within designated organizational units or to specific accounts based on settings at the organizational-unit or account level. SSM Automation documents can be invoked from AWS Config rules to remediate non-compliant resources.

supported-regions

supported-regions: string[]
Title: Accelerator Managed Regions
Description: This is the list of regions where security and governance controls will be deployed by default. It is recommended that this list include all enabled-by-default regions, but this list MUST include the Accelerator home region, us-east-1, and any regions where the Accelerator deploys functionality like VPCs, TGWs, Zones or Automation documents.
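As an added example (not the Accelerator's own code), the following TypeScript lints a `global-options` fragment against the cross-field rules this page states for `ct-baseline`/`organization-admin-role`, `default-cwl-retention`, `supported-regions`, `endpoint-port-overrides` and `additional-cwl-regions`. The home region is passed in as an assumption, since it is not a property of this section, and the sample values are constructed.

```typescript
// Added example, not ASEA project code; homeRegion is an assumption (not a property listed in this section).
type GlobalOptions = {
  "ct-baseline": boolean;
  "organization-admin-role"?: string;
  "default-cwl-retention": number;
  "supported-regions": string[];
  "endpoint-port-overrides"?: Record<string, string[]>;
  "additional-cwl-regions"?: Record<string, { "kinesis-stream-shard-count": number }>;
};
// Retention periods accepted for default-cwl-retention (the list given on this page).
const CWL_RETENTION_DAYS = [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653];
const PORT_RULE = /^(TCP|UDP):(\d{1,5})$/; // shape of one endpoint-port-overrides rule, e.g. "TCP:443"
function lintGlobalOptions(opts: GlobalOptions, homeRegion: string): string[] {
  const problems: string[] = [];
  if (opts["ct-baseline"] && opts["organization-admin-role"] !== "AWSControlTowerExecution") {
    problems.push("organization-admin-role must be AWSControlTowerExecution when ct-baseline is true");
  }
  if (CWL_RETENTION_DAYS.indexOf(opts["default-cwl-retention"]) < 0) {
    problems.push("default-cwl-retention " + opts["default-cwl-retention"] + " is not an accepted value");
  }
  for (const region of [homeRegion, "us-east-1"]) {
    if (opts["supported-regions"].indexOf(region) < 0) problems.push("supported-regions must include " + region);
  }
  const overrides: Record<string, string[]> = opts["endpoint-port-overrides"] || {};
  for (const endpoint of Object.keys(overrides)) {
    for (const rule of overrides[endpoint]) {
      const m = PORT_RULE.exec(rule);
      if (!m || Number(m[2]) > 65535) problems.push("endpoint-port-overrides." + endpoint + ": " + rule + " is not PROTO:PORT");
    }
  }
  const extra: Record<string, { "kinesis-stream-shard-count": number }> = opts["additional-cwl-regions"] || {};
  for (const region of Object.keys(extra)) {
    const shards = extra[region]["kinesis-stream-shard-count"];
    if (typeof shards !== "number" || shards < 1 || shards % 1 !== 0) {
      problems.push("additional-cwl-regions." + region + ": kinesis-stream-shard-count must be a positive integer");
    }
  }
  return problems;
}
// Constructed sample fragment (made-up values) that breaks each rule exactly once.
const SAMPLE: GlobalOptions = {
  "ct-baseline": true,
  "organization-admin-role": "OrganizationAccountAccessRole",
  "default-cwl-retention": 100,
  "supported-regions": ["ca-central-1"],
  "endpoint-port-overrides": { "logs": ["TCP:443", "UDP:9418"], "ssmmessages": ["443"] },
  "additional-cwl-regions": { "us-west-2": { "kinesis-stream-shard-count": 0 } },
};
const SAMPLE_HOME_REGION = "ca-central-1"; // assumed home region for the constructed sample
```

Running `lintGlobalOptions(SAMPLE, SAMPLE_HOME_REGION)` reports five problems, one per rule; a fragment that satisfies every rule returns an empty list.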

vpc-flow-logs

vpc-flow-logs: VPCFlowLogConfig
Title: VPC Flow Logs
Description: This section within `global-options` is used to define a consistent set of VPC Flow Log settings, which will be utilized when VPC Flow logging is enabled on a VPC within either `organizational-units` or `account-configs`.

workloadaccounts-param-filename

workloadaccounts-param-filename: string
Title: Workload Accounts Parameter Filename
Description: This is the filename of the main configuration file which contains all the top-level config sections (i.e. config.json). As the config file can be broken into multiple parts, this enables finding the top-level file and all other sub-files.

Optional workloadaccounts-prefix

workloadaccounts-prefix: string
Title: Workload Accounts Config Filename Prefix
Description: When the config file reaches a certain size (line count), the Accelerator will place all new workload accounts in a new config file. This is the prefix to be used for any new filenames (i.e. config).

Optional workloadaccounts-suffix

workloadaccounts-suffix: number
Title: Workload Accounts Config Filename Suffix
Description: When the config file reaches a certain size (line count), the Accelerator will place all new workload accounts in a new config file. This is the suffix to be used for the NEXT new filename (any integer); once assigned, it is incremented by 1.