Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Related tags

Third-party APIs Wrappers aws security automation control-tower eventbridge aws-web-services
Overview

Automate activities in Control Tower provisioned AWS accounts

Table of contents

  1. Introduction
  2. Architecture
  3. Prerequisites
  4. Tools and services
  5. Usage
  6. Clean up
  7. Reference
  8. Contributing
  9. License

Introduction

This project will configure the following settings on a new AWS account provisioned by AWS Control Tower:

  1. Deletes the default VPC in every region
  2. Adds a CloudWatch Logs resource policy that allows Route53 to log DNS requests to CloudWatch in the us-east-1 (Northern Virginia) region
  3. Enables the account-wide public S3 block setting
  4. Modifies account-level ECS settings
  5. Associates specific principals to shared AWS Service Catalog portfolios
  6. Grants specific AWS SSO groups access to the new account

Architecture

architecture

  1. When AWS Control Tower provisions a new account, a CreateManagedAccount event is sent to the Amazon EventBridge default event bus.
  2. An Amazon EventBridge rule matches the CreateManagedAccount event and triggers an AWS Step Functions state machine that executes AWS Lambda functions in parallel.
  3. The "Delete Default VPC Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and deletes the default VPC from every region.
  4. The "Route53 Logs Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and creates a CloudWatch Logs resource policy in the us-east-1 region that allows Route53 to write DNS query logs to CloudWatch.
  5. The "Public S3 Block Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and enables the account-level S3 public block setting.
  6. The "ECS Settings Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and enables various ECS settings.
  7. The "Portfolio Share Lambda" function assumes the AWSControlTowerExecution IAM role in the new account and accepts shared Service Catalog portfolios in the new account and grants specific principals access to those portfolios.
  8. The "SSO Group Assignment Lambda" function assigns any AWS SSO groups that start with AWS-O-<PermissionSetName> access to the new account with the <PermissionSetName> permission set.

Prerequisites

Tools and services

  • AWS SAM - The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, and event source mappings.
  • AWS Lambda - AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes.
  • AWS Control Tower - AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone.
  • AWS Organizations - AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources.
  • Amazon EventBridge - Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources.
  • AWS Service Catalog - AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.
  • AWS Single Sign-On - AWS Single Sign-On (AWS SSO) is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization.

Usage

Parameters

Parameter Type Default Description
OrganizationGroups String us-east-1 List of AWS SSO groups that should have access to all accounts
ExecutionRoleName String AWSControlTowerExecution Execution IAM role name
PortfolioIds String None Service Catalog Portfolio IDs
PermissionSets String None AWS SSO Permission Set names
SigningProfileVersionArn String None Code Signing Profile Version ARN

Installation

The CloudFormation stack must be deployed in the same AWS account and region where the AWS Control Tower landing zone has been created. This is usually the AWS Organizations Management account.

git clone https://github.com/aws-samples/aws-control-tower-account-setup-using-step-functions
cd aws-control-tower-account-setup-using-step-functions
aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name AccountSetupProfile
sam build
sam deploy \
  --guided \
  --signing-profiles \
    S3PublicBlockFunction=AccountSetupProfile \
    DeleteDefaultVpcFunction=AccountSetupProfile \
    Route53QueryLogsFunction=AccountSetupProfile \
    ECSAccountSettingsFunction=AccountSetupProfile \
    SSOAssignmentFunction=AccountSetupProfile \
    ServiceCatalogPortfolioFunction=AccountSetupProfile \
    DependencyLayer=AccountSetupProfile \
  --tags "GITHUB_ORG=aws-samples GITHUB_REPO=aws-control-tower-account-setup-using-step-functions"

Clean up

Deleting the CloudFormation Stack will remove the Lambda functions, state machine and EventBridge rule and new accounts will no longer be updated after they are created.

sam delete

Reference

This solution is inspired by these references:

Contributing

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Comments
  • Use Step Functions native role assumption

    Use Step Functions native role assumption

    Issue #, if available:

    Description of changes:

    This change removes custom code from the Lambda functions in favor of Step Functions new ability to assume a role

    By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

    enhancement 
    opened by jplock 0
  • New IdentityStore APIs

    New IdentityStore APIs

    Issue #, if available:

    Description of changes:

    Migrate to new IdentityStore GetGroupId API. Discover organizational groups instead of needing to specify them through an environment variable.

    By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

    enhancement 
    opened by jplock 0
  • Block public SSM documents

    Block public SSM documents

    • https://research.checkpoint.com/2021/the-need-to-protect-public-aws-ssm-documents-what-the-research-shows/
    • https://aws.amazon.com/blogs/mt/best-practice-considerations-aws-systems-manager-document-sharing/
    enhancement good first issue 
    opened by jplock 0
  • IAM password policy

    IAM password policy

    We should configure the default IAM password policy to match SecurityHub's finding at https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-7

    • RequireUppercaseCharacters: true
    • RequireLowercaseCharacters: true
    • RequireSymbols: true
    • RequireNumbers: true
    • MinimumPasswordLength: 8
    enhancement good first issue 
    opened by jplock 0
  • [FEATURE] Refactor iteration logic into Step Functions

    [FEATURE] Refactor iteration logic into Step Functions

    Issue #, if available: #2, #3, #4

    Description of changes: Moves region iteration into Step Functions. Also adds:

    • Block public SSM document sharing in each region
    • Enables EBS encryption by default in each region
    • Add an IAM password policy

    By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

    enhancement 
    opened by jplock 0
Owner
AWS Samples
AWS Samples
GitHub https://aws.amazon.com/controltower/
Unauthenticated enumeration of services, roles, and users in an AWS account or in every AWS account in existence.

Quiet Riot ?? C'mon, Feel The Noise ?? An enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, roo

Wes Ladd 89 Jan 5, 2023
An simple python script for remove rockstar account for fivem, very useful for cheating or change account for unban from an server, remember change steam account.

This tool is used for be unbanned from servers, u need disconnect the discord, use other steam account and uninstall xbox for be unbanned 100%, it only work for unban in server, not global

MiguDEV 4 Oct 10, 2022
Step by Step Guide To Install Discord Py Master Branch on Replit

Guide to Install Discord Py Master Branch on Replit Step 1 Create an empty repl on replit Step 2 Add this Basic Code to the file main.py so as to chec

Pranav Saxena 7 Nov 18, 2022
Repositório para a Live Coding do dia 22/12/2021 sobre AWS Step Functions

DIO Live Step Functions - 22/12/2021 Serviços AWS utilizados AWS Step Functions AWS Lambda Amazon S3 Amazon Rekognition Amazon DynamoDB Amazon Cloudwa

Cassiano Ricardo de Oliveira Peres 5 Mar 1, 2022
DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

CRED 71 Dec 29, 2022
Check and write all account info + Check nitro on account

Discord-Token-Checker Check and write all account info + Check nitro on account Also check https://github.com/GuFFy12/Discord-Token-Parser (Parse disc

null 36 Jan 1, 2023
A tiktok mass account creator with undetected selenium and email verification, to bot an account

⚠️ STILL UNDER DEVELOPEMENT - v1.1-beta ⚠️ Adding PROXY ROTATION Adding EMAIL VERIFICATION Adding USERNAME COMPILER Tiktok Mass Bot Creator v1.1-beta

xtekky 11 Aug 1, 2022
You can share your Chegg account for answers using this bot with your friends without getting your account blocked/flagged

Chegg-Answer-Bot You can share your Chegg account for answers using this bot with your friends without getting your account blocked/flagged Reuirement

Ammey Saini 27 Dec 24, 2022
A discord account nuker with lots of tools that will destroy a discord account

A discord account nuker with lots of tools that will destroy a discord account (token destroyer... and much more).

firexi 10 Apr 28, 2022
Discord Account Generator that will create Account with hCaptcha bypass. Using socks4 proxies

Account-Generator [!] This was made for education. Please use socks4 proxies for nice experiences. [!] Please install these modules - "pip3 install ht

RyanzSantos 10 Feb 23, 2022
Deleting someone else's Instagram account, repeat until the target account is blocked.

Program Features ?? Instagram report V4. ?? Coded with the latest version of Python. ?? Has automatic scheduling. ?? Full account report. ?? Report a

hack4lx 16 Oct 25, 2022
Roblox-Account-Gen - A simple account generator not using paid solving services

Roblox Account Generator Star this if it helped to spread awareness! No 2captcha

x 1 Feb 17, 2022
A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

Amazon Web Services - Labs 1.9k Jan 7, 2023
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

aws-allowlister Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance fr

Salesforce 189 Dec 8, 2022
Sunflower-farmers-automated-bot - Sunflower Farmers NFT Game automated bot.IT IS NOT a cheat or hack bot

Sunflower-farmers-auto-bot Sunflower Farmers NFT Game automated bot.IT IS NOT a

Arthur Alves 17 Nov 9, 2022
Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).

Backup and Recovery with AWS Backup This repository provides you with a management and deployment solution for implementing Backup and Recovery with A

AWS Samples 8 Nov 22, 2022
Python3 program to control Elgato Ring Light on your local network without Elgato's Control Center software

Elgato Light Controller I'm really happy with my Elgato Key Light from an illumination perspective. However, their control software has been glitchy f

Jeff Tarr 14 Nov 16, 2022
Project to list all resources in an AWS account with tags.

AWS-ListAll Project to list all resources in an AWS account with tags. This script works on any system Get started: Install python3 and pip3 along wit

Connor Shubham Verlekar 3 Jan 30, 2022
AWS EC2 S3 Automated With python

AWS_EC2_S3_Automated Description This programme is a Python3 script that utilizes Boto3 to automate the process of creating an AWS EC2 instance with a

niall_crowe 2 Nov 16, 2021