diff --git a/reference-artifacts/Custom-Scripts/Region-OptIn-Script/README.md b/reference-artifacts/Custom-Scripts/Region-OptIn-Script/README.md
new file mode 100644
index 000000000..7ae06ec69
--- /dev/null
+++ b/reference-artifacts/Custom-Scripts/Region-OptIn-Script/README.md
@@ -0,0 +1,43 @@
+## AWS SEA Multi-account Opt-In scripts
+
+The Opt In script is intended to assist in automatically enabling or disabling AWS Opt-In regions for already existing accounts in an ASEA deployment.
+
+The region must be manually enabled for the Management Account first and and [Trusted Access] (https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-trusted-access.html) also enabled
+
+## Details
+
+The logic of the script is the following:
+
+1. Intakes paramters for: Opt-In Region, Action, and ignored OUs
+
+2. Queries the Management Account's AWS Organizations API for account and OU structure
+
+3. Creates a structured list of account numbers
+
+4. Launches multiple threads and executes the enable/disable action based on the paramters passed
+
+## Instructions
+
+1. Log into the AWS console as a Full Administrator to the Organization Management account.
+2. Start a CloudShell session.
+3. Copy the files from this folder to the CloudShell session;
+4. Create a virtual python environment. `python3 -m venv env`
+5. Activate the python environment. `source env/bin/activate`
+6. Install the python3 required libaries (ex: `pip install -r requirements.txt`).
+7. Make the Python script executable (ex: `chmod +x region_optin.py`).
+8. Execute the script with the following parameters:
+ `--OptInRegion` *region*
+ `--Action` *enable / disable / status*
+
+ Optional:
+ `--IgnoreOU` *ou*
+
+ Example: `python3 region_optin.py --OptInRegion ca-west-1 --Action=enable`
+
+## Requirements
+
+-boto3
+-autopep8
+-other
+
+
diff --git a/reference-artifacts/Custom-Scripts/Region-OptIn-Script/region_optin.py b/reference-artifacts/Custom-Scripts/Region-OptIn-Script/region_optin.py
new file mode 100755
index 000000000..e9bc7e1b0
--- /dev/null
+++ b/reference-artifacts/Custom-Scripts/Region-OptIn-Script/region_optin.py
@@ -0,0 +1,166 @@
+import os
+import boto3
+from botocore.config import Config
+import sys
+import threading
+import argparse
+import time
+
+parser = argparse.ArgumentParser(
+ description='A development script that enables opt-in regions across all accounts. Use Administrator AWS credentials in the root account when running this script.'
+)
+parser.add_argument(
+ '--OptInRegion',
+ help='The opt-in region to enable/disable',
+ required=True)
+parser.add_argument(
+ '--IgnoreOU',
+ default='Ignore',
+ help='AWS Accounts in this OU will be ignored')
+parser.add_argument(
+ '--Action',
+ default='Enable',
+ help='AWS Accounts in this OU will be ignored',
+ required=True)
+
+organizations_client = boto3.client('organizations')
+account_client = boto3.client('account')
+sts = boto3.client('sts')
+
+
+def get_all_accounts_by_ou(parentId, organizationUnits,
+ organizationUnitsToSkip):
+ all_accounts = []
+ if parentId is None:
+ paginator = organizations_client.get_paginator('list_roots')
+ page_iterator = paginator.paginate()
+ for root_item in page_iterator:
+ item = root_item['Roots'][0]
+ if item['Name'] == 'Root' and item['Id'] and item['Arn']:
+ parentId = item['Id']
+ break
+
+ paginator = organizations_client.get_paginator(
+ 'list_organizational_units_for_parent')
+ page_iterator = paginator.paginate(ParentId=parentId)
+ for ous_paged in page_iterator:
+ for ou in ous_paged['OrganizationalUnits']:
+ if ou['Name'] not in organizationUnitsToSkip:
+ all_accounts = all_accounts + \
+ get_accounts_by_parentId(ou['Id'])
+
+ all_accounts = all_accounts + get_accounts_by_parentId(parentId)
+
+ return all_accounts
+
+
+def get_accounts_by_parentId(parent_id):
+ all_aws_accounts = []
+ paginator = organizations_client.get_paginator('list_accounts_for_parent')
+ page_iterator = paginator.paginate(ParentId=parent_id)
+ for accounts_paged in page_iterator:
+ for aws_account in accounts_paged['Accounts']:
+ all_aws_accounts.append(aws_account['Id'])
+ return all_aws_accounts
+
+
+def opt_in(region, all_accounts, action):
+ print('Opting in accounts for {}'.format(region))
+
+ aws_organziation = organizations_client.describe_organization()
+
+ rootAccountId = aws_organziation['Organization']['MasterAccountId']
+
+ print('Opt-in for {} for management account {} must be done manually first'.format(region, rootAccountId))
+
+ threads = list()
+ try:
+ count = 0
+ for accountId in all_accounts:
+ count = count + 1
+ if count % 15 == 0:
+ for index, thread in enumerate(threads):
+ thread.join()
+ if accountId != rootAccountId:
+ t = threading.Thread(
+ target=thread_opt_in, args=(
+ region, accountId,action))
+ threads.append(t)
+ t.start()
+ except BaseException:
+ print('Error', sys.exc_info()[0], 'occurred')
+ finally:
+ for index, thread in enumerate(threads):
+ thread.join()
+ print('Done. All opt in threads finished')
+
+
+def thread_opt_in(region, accountId,action):
+ print('Processing {} for {} in TID={}'.format(
+ region, accountId, threading.get_ident()))
+
+ config = Config(
+ retries={
+ 'max_attempts': 3,
+ 'mode': 'standard'
+ }
+ )
+
+ account_client_tr = boto3.client('account', config=config)
+
+ region_status = account_client_tr.get_region_opt_status(
+ AccountId=accountId, RegionName=region)
+
+ print(
+ '{} is {} for {}'.format(
+ region_status['RegionName'],
+ region_status['RegionOptStatus'],
+ accountId))
+
+ if action == "status":
+ return
+
+ #Enable region if disabled
+ if region_status['RegionOptStatus'] == 'DISABLED' and action=="enable":
+ print('Enabling {} for {}...'.format(region, accountId))
+ try:
+ account_client_tr.enable_region(
+ AccountId=accountId, RegionName=region)
+ status = None
+ while status != 'ENABLED':
+ time.sleep(5)
+ region_status = account_client_tr.get_region_opt_status(
+ AccountId=accountId, RegionName=region)
+ status = region_status['RegionOptStatus']
+ print(
+ 'Status: {} {} for {}'.format(
+ status, region, accountId))
+ finally:
+ print('Enabling {} for {}. Done'.format(region, accountId))
+
+ #Disable region if enabled
+
+ if region_status['RegionOptStatus'] == 'ENABLED' and action=="disable":
+ print('Disabling {} for {}...'.format(region, accountId))
+ try:
+ account_client_tr.disable_region(
+ AccountId=accountId, RegionName=region)
+ status = None
+ while status != 'DISABLED':
+ time.sleep(5)
+ region_status = account_client_tr.get_region_opt_status(
+ AccountId=accountId, RegionName=region)
+ status = region_status['RegionOptStatus']
+ print(
+ 'Status: {} {} for {}'.format(
+ status, region, accountId))
+ finally:
+ print('Disabling {} for {}. Done'.format(region, accountId))
+
+
+if __name__ == '__main__':
+ parser.parse_args()
+ args = parser.parse_args()
+ all_accounts = get_all_accounts_by_ou(None, [], args.IgnoreOU)
+ print ("Action: " + args.Action)
+ opt_in(args.OptInRegion, all_accounts, args.Action)
diff --git a/reference-artifacts/Custom-Scripts/Region-OptIn-Script/requirements.txt b/reference-artifacts/Custom-Scripts/Region-OptIn-Script/requirements.txt
new file mode 100644
index 000000000..ccf15fd40
--- /dev/null
+++ b/reference-artifacts/Custom-Scripts/Region-OptIn-Script/requirements.txt
@@ -0,0 +1,2 @@
+boto3
+autopep8
\ No newline at end of file
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-multi-region-ca-west-1-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-multi-region-ca-west-1-example.json
new file mode 100644
index 000000000..3e316fa80
--- /dev/null
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-multi-region-ca-west-1-example.json
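Review bot: `--IgnoreOU` is parsed as a single string, but `get_all_accounts_by_ou` evaluates `ou['Name'] not in organizationUnitsToSkip` against it, so the check is a substring match rather than a membership test — any top-level OU whose name is a substring of the value (an OU called `Ign` with the default `Ignore`, for instance) is silently excluded, and the README's plural "ignored OUs" is not actually supported. Declaring it as `parser.add_argument('--IgnoreOU', nargs='+', default=['Ignore'], help='AWS Accounts in these OUs will be ignored')` makes a real list reach the check. `--Action` fails in the same silent way: its help text is copied from `--IgnoreOU`, its `default='Enable'` could never satisfy the lowercase comparisons in `thread_opt_in`, and any value other than `enable`/`disable`/`status` just prints the region status for every account and returns, so adding `choices=['enable', 'disable', 'status']` to the argument lets argparse reject a typo before a script running with administrator credentials touches every account in the organization. The `while status != 'ENABLED'` and `while status != 'DISABLED'` polls also have no upper bound, the `finally` prints `Done` even when the loop is abandoned by an exception, and a worker thread that fails (an access-denied error on `get_region_opt_status`, say) only writes a traceback to stderr while the process still exits 0, so a partial run is indistinguishable from a complete one without reading the console. Note too that the OU walk only descends one level below the root, so accounts in nested OUs are never visited — worth a comment on `get_all_accounts_by_ou` if that is intentional.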
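Review bot: Neither entry in the new requirements.txt is pinned, so each CloudShell run installs whatever `boto3` (and its transitive `botocore`) PyPI serves at that moment, which for a script executed with administrator credentials in the management account means the code that actually runs is not reproducible; pin at least `boto3==<version>` and consider `pip install --require-hashes -r requirements.txt` with recorded hashes. `autopep8` is a formatter that `region_optin.py` never imports, so it belongs in a dev-only requirements file rather than being installed alongside the runtime dependency.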
@@ -0,0 +1,9762 @@ +{ + "replacements": { + "addl_regions": { + "a": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "b": [ + "${HOME_REGION}", + "${GBL_REGION}", + "${ALT_REGION}" + ], + "c": [ + "${HOME_REGION}", + "${GBL_REGION}", + "${ALT_REGION}", + "us-east-2", + "us-west-1", + "us-west-2" + ] + }, + "INFO": "Deploying in us-east-1 requires removing ${GBL_REGION} from the above variables and replacing us-east-1 with a new 2nd region throughout the config file", + "INFO1": "If deploying the firewalls, both cidr values below MUST be supplied", + "ALT_REGION": "ca-west-1", + "cloud-cidr1": "10.0.0.0", + "cloud-mask1": "255.0.0.0", + "cloud-cidr2": "100.96.252.0", + "cloud-mask2": "255.255.254.0", + "range-restrict": [ + "10.0.0.0/8", + "100.96.252.0/23", + "100.96.250.0/23" + ], + "range-mad": "100.96.252.0/23", + "range-dev-test": [ + "0.0.0.0/0" + ], + "alarm-not-ip": "10.10.10.*" + }, + "global-options": { + "ct-baseline": false, + "default-s3-retention": 90, + "central-bucket": "AWSDOC-EXAMPLE-BUCKET", + "organization-admin-role": "OrganizationAccountAccessRole", + "default-cwl-retention": 731, + "workloadaccounts-suffix": 1, + "workloadaccounts-prefix": "config", + "workloadaccounts-param-filename": "config.json", + "ignored-ous": [ + "UnManaged" + ], + "additional-global-output-regions": [], + "supported-regions": [ + "ap-northeast-1", + "ap-northeast-2", + "ap-northeast-3", + "ap-south-1", + "ap-southeast-1", + "ap-southeast-2", + "ca-central-1", + "eu-central-1", + "eu-north-1", + "eu-west-1", + "eu-west-2", + "eu-west-3", + "sa-east-1", + "us-east-1", + "us-east-2", + "us-west-1", + "us-west-2", + "ca-west-1" + ], + "keep-default-vpc-regions": [], + "aws-org-management": { + "account": "management", + "region": "${HOME_REGION}", + "add-sns-topics": true + }, + "central-security-services": { + "account": "security", + "region": "${HOME_REGION}", + "security-hub-excl-regions": [], + "security-hub": true, + "guardduty": true, + "guardduty-excl-regions": [], 
+ "guardduty-s3": true, + "guardduty-s3-excl-regions": [], + "guardduty-eks": true, + "guardduty-eks-excl-regions": [], + "guardduty-frequency": "FIFTEEN_MINUTES", + "cwl": true, + "access-analyzer": true, + "config-excl-regions": [], + "config-aggr-excl-regions": [], + "macie": true, + "macie-excl-regions": [ + "ca-west-1" + ], + "macie-frequency": "FIFTEEN_MINUTES", + "macie-sensitive-sh": true, + "fw-mgr-alert-level": "None", + "security-hub-findings-sns": "Low", + "add-sns-topics": true, + "config-aggr": true + }, + "central-operations-services": { + "account": "operations", + "region": "${HOME_REGION}", + "cwl": true, + "cwl-access-level": "full" + }, + "central-log-services": { + "account": "log-archive", + "region": "${HOME_REGION}", + "s3-retention": 730, + "cwl-glbl-exclusions": [], + "cwl-exclusions": [], + "ssm-to-s3": true, + "ssm-to-cwl": true, + "sns-excl-regions": [], + "sns-subscription-emails": { + "High": [ + "myemail+notifyT-high@example.com" + ], + "Medium": [ + "myemail+notifyT-medium@example.com" + ], + "Low": [ + "myemail+notifyT-low@example.com" + ] + }, + "dynamic-s3-log-partitioning": [ + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/MAD", + "s3Prefix": "managed-ad" + }, + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/rql", + "s3Prefix": "rql" + }, + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/SecurityHub", + "s3Prefix": "security-hub" + }, + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/Nfw", + "s3Prefix": "nfw" + }, + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/rsyslog", + "s3Prefix": "rsyslog" + }, + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/SSM", + "s3Prefix": "ssm" + } + ] + }, + "additional-cwl-regions": { + "${ALT_REGION}": { + "kinesis-stream-shard-count": 1 + } + }, + "reports": { + "cost-and-usage-report": { + "additional-schema-elements": [ + "RESOURCES" + ], + "compression": "Parquet", + "format": "Parquet", + "report-name": "Cost-and-Usage-Report", + "s3-prefix": "cur", + "time-unit": "HOURLY", 
+ "additional-artifacts": [ + "ATHENA" + ], + "refresh-closed-reports": true, + "report-versioning": "OVERWRITE_REPORT" + } + }, + "vpc-flow-logs": { + "filter": "ALL", + "interval": 60, + "default-format": false, + "custom-fields": [ + "version", + "account-id", + "interface-id", + "srcaddr", + "dstaddr", + "srcport", + "dstport", + "protocol", + "packets", + "bytes", + "start", + "end", + "action", + "log-status", + "vpc-id", + "subnet-id", + "instance-id", + "tcp-flags", + "type", + "pkt-srcaddr", + "pkt-dstaddr", + "region", + "az-id", + "pkt-src-aws-service", + "pkt-dst-aws-service", + "flow-direction", + "traffic-path" + ] + }, + "security-hub-frameworks": { + "standards": [ + { + "name": "AWS Foundational Security Best Practices v1.0.0", + "controls-to-disable": [ + "IAM.1", + "EC2.10" + ] + }, + { + "name": "PCI DSS v3.2.1", + "controls-to-disable": [ + "PCI.IAM.3", + "PCI.S3.3", + "PCI.Lambda.2" + ] + }, + { + "name": "CIS AWS Foundations Benchmark v1.2.0", + "controls-to-disable": [ + "CIS.1.20", + "CIS.1.22", + "CIS.2.6" + ] + } + ] + }, + "iam-password-policies": { + "allow-users-to-change-password": true, + "hard-expiry": false, + "require-uppercase-characters": true, + "require-lowercase-characters": true, + "require-symbols": true, + "require-numbers": true, + "minimum-password-length": 14, + "password-reuse-prevention": 24, + "max-password-age": 90 + }, + "scps": [ + { + "name": "Guardrails-Part-0", + "description": "ASEA Guardrails Part 0 Workload Accounts", + "policy": "ASEA-Guardrails-Part0-WkldOUs.json" + }, + { + "name": "Guardrails-Part-1", + "description": "ASEA Guardrails Part 1", + "policy": "ASEA-Guardrails-Part1.json" + }, + { + "name": "Guardrails-Sensitive", + "description": "ASEA Guardrails Sensitive Environment Specific", + "policy": "ASEA-Guardrails-Sensitive.json" + }, + { + "name": "Guardrails-Unclass", + "description": "ASEA Guardrails Unclassified Environment Specific", + "policy": "ASEA-Guardrails-Unclass.json" + }, + { + 
"name": "Guardrails-Sandbox", + "description": "ASEA Guardrails Sandbox Environment Specific", + "policy": "ASEA-Guardrails-Sandbox.json" + }, + { + "name": "Quarantine-New-Object", + "description": "ASEA Quarantine policy - Apply to ACCOUNTS that need to be quarantined", + "policy": "Quarantine-New-Object.json" + }, + { + "name": "Guardrails-Part-0-Core", + "description": "ASEA Guardrails Part 0 Core Accounts", + "policy": "ASEA-Guardrails-Part0-CoreOUs.json" + } + ], + "cloudwatch": { + "metrics": [ + { + "filter-name": "SecurityGroupChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "SecurityGroupEventCount", + "metric-value": "1" + }, + { + "filter-name": "NetworkAclChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation)}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "NetworkAclEventCount", + "metric-value": "1" + }, + { + "filter-name": "GatewayChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = 
CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway)}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "GatewayEventCount", + "metric-value": "1" + }, + { + "filter-name": "VpcChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "VpcEventCount", + "metric-value": "1" + }, + { + "filter-name": "Ec2InstanceChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances)|| ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName= TerminateInstances) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "EC2InstanceEventCount", + "metric-value": "1" + }, + { + "filter-name": "Ec2LargeInstanceChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ (($.eventName = RunInstances) || ($.eventName = RebootInstances)|| ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName= TerminateInstances)) && (($.requestParameters.instanceType= *.32xlarge) || ($.requestParameters.instanceType= *.24xlarge) || ($.requestParameters.instanceType= *.18xlarge) || 
($.requestParameters.instanceType= *.16xlarge) || ($.requestParameters.instanceType= *.12xlarge) || ($.requestParameters.instanceType= *.10xlarge) || ($.requestParameters.instanceType= *.9xlarge) || ($.requestParameters.instanceType= *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "EC2LargeInstanceEventCount", + "metric-value": "1" + }, + { + "filter-name": "CloudTrailChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail)|| ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName= StopLogging) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "CloudTrailEventCount", + "metric-value": "1" + }, + { + "filter-name": "ConsoleSignInFailureMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "ConsoleSignInFailureCount", + "metric-value": "1" + }, + { + "filter-name": "AuthorizationFailureMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ (($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode =\"AccessDenied*\") && ($.userIdentity.principalId != \"*AWSConfig-BucketConfigCheck\")) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "AuthorizationFailureCount", + "metric-value": "1" + }, + { + "filter-name": "IamPolicyChangesMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": 
"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "IAMPolicyEventCount", + "metric-value": "1" + }, + { + "filter-name": "ConsoleSignInWithoutMfaMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "ConsoleSignInWithoutMfaCount", + "metric-value": "1" + }, + { + "filter-name": "RootLoginMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "RootLoginEventCount", + "metric-value": "1" + }, + { + "filter-name": "DisableOrDeleteCMKMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "DisableOrDeleteCMKCount", + "metric-value": "1" + }, + { + "filter-name": "AWSConfigChangesMetric", + "accounts": [ + "management" + ], + 
"regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "AWSConfigChangesCount", + "metric-value": "1" + }, + { + "filter-name": "RouteTableChangesMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "RouteTableChangesCount", + "metric-value": "1" + }, + { + "filter-name": "S3BucketPolicyChangesMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "S3BucketPolicyChangesCount", + "metric-value": "1" + }, + { + "filter-name": "SSOAuthUnapprovedIPMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != ${ALARM-NOT-IP}) }", + 
"metric-namespace": "CloudTrailMetrics", + "metric-name": "SSOAuthUnapprovedIPCount", + "metric-value": "1" + }, + { + "filter-name": "IAMAuthUnapprovedIPMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != ${ALARM-NOT-IP}) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "IAMAuthUnapprovedIPCount", + "metric-value": "1" + }, + { + "filter-name": "UnencryptedFilesystemCreatedMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = CreateFileSystem) && ($.responseElements.encrypted IS FALSE) } ", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "UnencryptedFilesystemCreatedCount", + "metric-value": "1" + }, + { + "filter-name": "IgnoreAuthorizationFailureMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.errorCode=\"*UnauthorizedOperation\") || ($.errorCode=\"AccessDenied*\")}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "IgnoreAuthorizationFailureCount", + "metric-value": "1" + }, + { + "filter-name": "IgnoreConsoleSignInWithoutMfaMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "IgnoreConsoleSignInWithoutMfaCount", + "metric-value": "1" + } + ], + "alarms": { + "default-accounts": [ + "management" + ], + "default-regions": [ + "${HOME_REGION}" + ], + "default-namespace": "CloudTrailMetrics", + "default-statistic": "Sum", + "default-period": 
300, + "default-threshold-type": "Static", + "default-comparison-operator": "GreaterThanOrEqualToThreshold", + "default-threshold": 1, + "default-evaluation-periods": 1, + "default-treat-missing-data": "notBreaching", + "default-in-org-mgmt-use-lcl-sns": true, + "definitions": [ + { + "alarm-name": "AWS-Security-Group-Changed", + "metric-name": "SecurityGroupEventCount", + "sns-alert-level": "Low", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a Security Group (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Network-ACL-Changed", + "metric-name": "NetworkAclEventCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a Network ACL (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Gateway-Changed", + "metric-name": "GatewayEventCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a Customer or Internet Gateway (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-VPC-Changed", + "metric-name": "VpcEventCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a VPC, VPC peering connection or VPC connection to classic (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-EC2-Instances-Changed", + "metric-name": "EC2InstanceEventCount", + "sns-alert-level": "Low", + "alarm-description": "Alarms when one or more API calls are made to create, terminate, start, stop or reboot any EC2 instance (in any account, any region of your AWS Organization)." 
+ }, + { + "alarm-name": "AWS-EC2-Large-Instance-Changed", + "metric-name": "EC2LargeInstanceEventCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, terminate, start, stop or reboot a 4x, 8x, 9x, 10x, 12x, 16x, 18x, 24x, 32x-large EC2 instance (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-CloudTrail-Changed", + "metric-name": "CloudTrailEventCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a CloudTrail trail, or to start or stop logging to a trail (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Console-SignIn-Failure", + "metric-name": "ConsoleSignInFailureCount", + "sns-alert-level": "High", + "threshold": 3, + "alarm-description": "Alarms when one or more unauthenticated API calls are made to sign into the console (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Authorization-Failure", + "metric-name": "AuthorizationFailureCount", + "sns-alert-level": "Low", + "alarm-description": "Alarms when one or more unauthorized API calls are made (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-IAM-Policy-Changed", + "metric-name": "IAMPolicyEventCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to change an IAM policy (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Console-SignIn-Without-MFA", + "metric-name": "ConsoleSignInWithoutMfaCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when MFA is NOT used to sign into the console with IAM (in any account, any region of your AWS Organization)." 
+ }, + { + "alarm-name": "AWS-Root-Login", + "metric-name": "RootLoginEventCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when the root user successfully logs in one or more times (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Disable-Or-Delete-KMS-CMK", + "metric-name": "DisableOrDeleteCMKCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when one or more Key Management Service Customer Managed Keys are disabled or scheduled for deletion (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Config-Changed", + "metric-name": "AWSConfigChangesCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when one or more modifications are made to AWS Config Settings (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Route-Table-Changed", + "metric-name": "RouteTableChangesCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a Route table (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-S3-Bucket-Policy-Changed", + "metric-name": "S3BucketPolicyChangesCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete an S3 Bucket policy (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-SSO-Authentication-From-Unapproved-IP", + "metric-name": "SSOAuthUnapprovedIPCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range." + }, + { + "alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP", + "metric-name": "IAMAuthUnapprovedIPCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range." 
+ },
+ {
+ "alarm-name": "AWS-Unencrypted-Filesystem-Created",
+ "metric-name": "UnencryptedFilesystemCreatedCount",
+ "sns-alert-level": "High",
+ "alarm-description": "Alarms when one or more API calls are made to create an Unencrypted filesystem (i.e. EFS) (in any account, any region of your AWS Organization)."
+ },
+ {
+ "alarm-name": "IGNORE-AWS-Authorization-Failure",
+ "metric-name": "IgnoreAuthorizationFailureCount",
+ "sns-alert-level": "Ignore",
+ "alarm-description": "Alarms when one or more unauthorized API calls are made (in any account, any region of your AWS Organization)."
+ },
+ {
+ "alarm-name": "IGNORE-AWS-Console-SignIn-Without-MFA",
+ "metric-name": "IgnoreConsoleSignInWithoutMfaCount",
+ "sns-alert-level": "Ignore",
+ "alarm-description": "Alarms when MFA is NOT used to sign into the console with IAM (in any account, any region of your AWS Organization)."
+ }
+ ]
+ }
+ },
+ "ssm-automation": [
+ {
+ "accounts": [
+ "operations"
+ ],
+ "regions": [
+ "${HOME_REGION}",
+ "${ALT_REGION}"
+ ],
+ "documents": [
+ {
+ "name": "SSM-ELB-Enable-Logging",
+ "description": "Calls the AWS CLI to enable access logs on a specified ELB.",
+ "template": "ssm-elb-enable-logging.yaml"
+ },
+ {
+ "name": "Put-S3-Encryption",
+ "description": "Enables S3 encryption using KMS",
+ "template": "s3-encryption.yaml"
+ },
+ {
+ "name": "Attach-IAM-Instance-Profile",
+ "description": "Attaches instance profiles to an EC2 instance",
+ "template": "attach-iam-instance-profile.yaml"
+ },
+ {
+ "name": "Attach-IAM-Role-Policy",
+ "description": "Attachs Aws IAM Managed Policy to IAM Role.",
+ "template": "attach-iam-role-policy.yaml"
+ }
+ ]
+ }
+ ],
+ "aws-config": {
+ "defaults": {
+ "remediation": false,
+ "remediation-attempts": 5,
+ "remediation-retry-seconds": 60,
+ "remediation-concurrency": 10
+ },
+ "rules": [
+ {
+ "name": "EC2-INSTANCE-PROFILE",
+ "type": "custom",
+ "resource-types": [
+ "AWS::EC2::Instance"
+ ],
+ "runtime": "nodejs18.x",
+ "remediation-action": "Attach-IAM-Instance-Profile",
+ "remediation": true,
+ "remediation-params": {
+ "IamInstanceProfile": "EC2-Default-SSM-AD-Role-ip",
+ "InstanceId": "RESOURCE_ID"
+ }
+ },
+ {
+ "name": "EC2-INSTANCE-PROFILE-PERMISSIONS",
+ "type": "custom",
+ "resource-types": [
+ "AWS::IAM::Role"
+ ],
+ "runtime": "nodejs18.x",
+ "parameters": {
+ "AWSManagedPolicies": "AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess, CloudWatchAgentServerPolicy",
+ "CustomerManagedPolicies": "${SEA::EC2InstaceProfilePermissions}",
+ "ResourceId": "RESOURCE_ID"
+ },
+ "remediation": true,
+ "remediation-action": "Attach-IAM-Role-Policy",
+ "remediation-params": {
+ "AWSManagedPolicies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "CustomerManagedPolicies": [
+ "${SEA::EC2InstaceProfilePermissions}"
+ ],
+ "ResourceId": "RESOURCE_ID"
+ }
+ },
+ {
+ "name": "ELB_LOGGING_ENABLED",
+ "remediation-action": "SSM-ELB-Enable-Logging",
+ "remediation": true,
+ "parameters": {
+ "s3BucketNames": "${SEA::LogArchiveAesBucket}"
+ },
+ "remediation-params": {
+ "LoadBalancerArn": "RESOURCE_ID",
+ "LogDestination": "${SEA::LogArchiveAesBucket}"
+ }
+ },
+ {
+ "name": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
+ "remediation-action": "Put-S3-Encryption",
+ "remediation": true,
+ "remediation-params": {
+ "BucketName": "RESOURCE_ID",
+ "KMSMasterKey": "${SEA::S3BucketEncryptionKey}"
+ }
+ },
+ {
+ "name": "ACM_CERTIFICATE_EXPIRATION_CHECK",
+ "parameters": {
+ "daysToExpiration": "90"
+ }
+ },
+ {
+ "name": "ALB_WAF_ENABLED"
+ },
+ {
+ "name": "API_GW_CACHE_ENABLED_AND_ENCRYPTED"
+ },
+ {
+ "name": "CLOUD_TRAIL_ENABLED"
+ },
+ {
+ "name": "CLOUDTRAIL_S3_DATAEVENTS_ENABLED"
+ },
+ {
+ "name": "CLOUDTRAIL_SECURITY_TRAIL_ENABLED"
+ },
+ {
+ "name": "CLOUDWATCH_ALARM_ACTION_CHECK",
+ "parameters": {
+ "alarmActionRequired": "TRUE",
+ "insufficientDataActionRequired": "TRUE",
+ "okActionRequired": "FALSE"
+ }
+ },
+ {
+ "name": "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
+ },
+ {
+ "name": "DB_INSTANCE_BACKUP_ENABLED"
+ },
+ {
+ "name": "DYNAMODB_IN_BACKUP_PLAN"
+ },
+ {
+ "name": "DYNAMODB_TABLE_ENCRYPTED_KMS"
+ },
+ {
+ "name": "EBS_IN_BACKUP_PLAN"
+ },
+ {
+ "name": "EC2_INSTANCE_DETAILED_MONITORING_ENABLED"
+ },
+ {
+ "name": "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK"
+ },
+ {
+ "name": "EC2_VOLUME_INUSE_CHECK",
+ "parameters": {
+ "deleteOnTermination": "TRUE"
+ }
+ },
+ {
+ "name": "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK"
+ },
+ {
+ "name": "ELB_ACM_CERTIFICATE_REQUIRED"
+ },
+ {
+ "name": "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED"
+ },
+ {
+ "name": "EMR_KERBEROS_ENABLED"
+ },
+ {
+ "name": "GUARDDUTY_NON_ARCHIVED_FINDINGS",
+ "parameters": {
+ "daysHighSev": "1",
+ "daysLowSev": "30",
+ "daysMediumSev": "7"
+ }
+ },
+ {
+ "name": "IAM_GROUP_HAS_USERS_CHECK"
+ },
+ {
+ "name": "IAM_PASSWORD_POLICY",
+ "parameters": {
+ "MaxPasswordAge": "90",
+ "MinimumPasswordLength": "14",
+ "PasswordReusePrevention": "24",
+ "RequireLowercaseCharacters": "true",
+ "RequireNumbers": "true",
+ "RequireSymbols": "true",
+ "RequireUppercaseCharacters": "true"
+ }
+ },
+ {
+ "name": "IAM_USER_GROUP_MEMBERSHIP_CHECK"
+ },
+ {
+ "name": "INCOMING_SSH_DISABLED"
+ },
+ {
+ "name": "INSTANCES_IN_VPC"
+ },
+ {
+ "name": "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY"
+ },
+ {
+ "name": "RDS_IN_BACKUP_PLAN"
+ },
+ {
+ "name": "REDSHIFT_CLUSTER_CONFIGURATION_CHECK",
+ "parameters": {
+ "clusterDbEncrypted": "TRUE",
+ "loggingEnabled": "TRUE"
+ }
+ },
+ {
+ "name": "RESTRICTED_INCOMING_TRAFFIC",
+ "parameters": {
+ "blockedPort1": "20",
+ "blockedPort2": "21",
+ "blockedPort3": "3389",
+ "blockedPort4": "3306",
+ "blockedPort5": "4333"
+ }
+ },
+ {
+ "name": "S3_BUCKET_POLICY_GRANTEE_CHECK"
+ },
+ {
+ "name": "S3_BUCKET_VERSIONING_ENABLED"
+ },
+ {
+ "name": "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED"
+ },
+ {
+ "name": "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED"
+ },
+ {
+ "name": "SECURITYHUB_ENABLED"
+ },
+ {
+ "name": "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS",
+ "parameters": {
+ "authorizedTcpPorts": "443",
+ "authorizedUdpPorts": "1020-1025"
+ }
+ },
+ {
+ "name": "WAFV2_LOGGING_ENABLED"
+ }
+ ]
+ },
+ "cidr-pools": [
+ {
+ "cidr": "10.0.0.0/13",
+ "pool": "main",
+ "description": "The main address pool used to dynamically assign CIDR ranges.",
+ "region": "${HOME_REGION}"
+ },
+ {
+ "cidr": "100.96.252.0/23",
+ "pool": "RFC6598a",
+ "description": "Address pool used to dynamically assign CIDR ranges for the Managed Active Directory subnets in the Ops account.",
+ "region": "${HOME_REGION}"
+ },
+ {
+ "cidr": "100.96.250.0/23",
+ "pool": "RFC6598b",
+ "description": "Address pool used to dynamically assign CIDR ranges for the Perimeter VPC.",
+ "region": "${HOME_REGION}"
+ },
+ {
+ "cidr": "100.96.254.0/23",
+ "pool": "RFC6598c",
+ "description": "Address pool used to dynamically assign CIDR ranges for the Perimeter VPC in alternate Region.",
+ "region": "${ALT_REGION}"
+ },
+ {
+ "cidr": "10.249.1.0/24",
+ "pool": "ForSSO",
+ "description": "A non-routable pool of addresses used to dynamically assign CIDR ranges for the Active Directory Connector subnets in the Organization Management/root account.",
+ "region": "${HOME_REGION}"
+ },
+ {
+ "cidr": "10.96.0.0/13",
+ "pool": "main-${ALT_REGION}",
+ "description": "Address pool used to dynamically assign CIDR ranges for alternate Region.",
+ "region": "${ALT_REGION}"
+ }
+ ]
+ },
+ "mandatory-account-configs": {
+ "shared-network": {
+ "account-name": "SharedNetwork",
+ "email": "myemail+aseaT-network@example.com---------------------REPLACE------------",
+ "ou": "Infrastructure",
+ "share-mad-from": "operations",
+ "src-filename": "config.json",
+ "description": "This Account is used for centralized or shared networking resources.",
+ "budget": {
+ "name": "SharedNetwork Budget",
+ "period": "Monthly",
+ "amount": 2000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ }
+ ]
+ },
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-write-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "limits": {
+ "Amazon VPC/Interface VPC endpoints per VPC": {
+ "value": 90,
+ "customer-confirm-inplace": false
+ },
+ "Amazon VPC/VPCs per Region": {
+ "value": 15
+ }
+ },
+ "vpc": [
+ {
+ "deploy": "local",
+ "name": "Endpoint",
+ "description": "This VPC is used to host AWS Service Endpoints, making AWS services available using private address space.",
+ "cidr-src": "dynamic",
+ "cidr": [
+ {
+ "size": 22,
+ "pool": "main"
+ }
+ ],
+ "region": "${HOME_REGION}",
+ "use-central-endpoints": false,
+ "flow-logs": "BOTH",
+ "dns-resolver-logging": true,
+ "subnets": [
+ {
+ "name": "Endpoint",
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "EndpointVPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 24
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "EndpointVPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 24
+ }
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [],
+ "route-tables": [
+ {
+ "name": "EndpointVPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "core" + ], + "tgw-rt-propagate": [ + "core", + "shared", + "standalone", + "segregated" + ], + "blackhole-route": false, + "attach-subnets": [ + "Endpoint" + ], + "options": [ + "DNS-support" + ] + }, + "interface-endpoints": { + "subnet": "Endpoint", + "endpoints": [ + "ec2", + "ec2messages", + "ssm", + "ssmmessages", + "secretsmanager", + "cloudformation", + "kms", + "logs", + "monitoring" + ] + }, + "resolvers": { + "subnet": "Endpoint", + "outbound": true, + "inbound": true + }, + "on-premise-rules": [ + { + "zone": "on-premise-privatedomain1.example.ca", + "outbound-ips": [ + "10.254.254.1", + "10.254.253.1" + ] + }, + { + "zone": "on-premise-privatedomain2.example.ca", + "outbound-ips": [ + "10.254.254.1", + "10.254.253.1" + ] + } + ], + "zones": { + "public": [ + "cloud-hosted-publicdomain.example.ca" + ], + "private": [ + "cloud-hosted-privatedomain.example.ca" + ] + }, + "central-endpoint": true + }, + { + "deploy": "local", + "name": "Endpoint-${ALT_REGION}", + "description": "This VPC is used to host AWS Service Endpoints for ${ALT_REGION}, making AWS services available using private address space.", + "cidr-src": "dynamic", + "cidr": [ + { + "pool": "main-${ALT_REGION}", + "size": 22 + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": false, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "Endpoint", + "definitions": [ + { + "az": "a", + "route-table": "Endpoint-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 24 + } + }, + { + "az": "b", + "route-table": "Endpoint-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 24 + } + } + ] + } + ], + "gateway-endpoints": [], + "route-tables": [ + { + "name": "Endpoint-${ALT_REGION}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": 
"TGW" + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "core" + ], + "tgw-rt-propagate": [ + "core", + "shared", + "standalone", + "segregated" + ], + "blackhole-route": false, + "attach-subnets": [ + "Endpoint" + ], + "options": [ + "DNS-support" + ] + }, + "interface-endpoints": { + "subnet": "Endpoint", + "endpoints": [ + "ec2", + "ec2messages", + "ssm", + "ssmmessages", + "secretsmanager", + "cloudformation", + "kms", + "logs", + "monitoring" + ] + }, + "resolvers": { + "subnet": "Endpoint", + "outbound": true, + "inbound": true + }, + "on-premise-rules": [ + { + "zone": "on-premise-privatedomain1.example.ca", + "outbound-ips": [ + "10.254.254.1", + "10.254.253.1" + ] + }, + { + "zone": "on-premise-privatedomain2.example.ca", + "outbound-ips": [ + "10.254.254.1", + "10.254.253.1" + ] + } + ], + "zones": { + "public": [ + "cloud-hosted-publicUSdomain.example.ca" + ], + "private": [ + "cloud-hosted-privateUSdomain.example.ca" + ] + }, + "central-endpoint": true + } + ], + "deployments": { + "tgw": [ + { + "name": "Main", + "asn": 65521, + "region": "${HOME_REGION}", + "features": { + "DNS-support": true, + "VPN-ECMP-support": true, + "Default-route-table-association": false, + "Default-route-table-propagation": false, + "Auto-accept-sharing-attachments": true + }, + "route-tables": [ + "core", + "shared", + "standalone", + "segregated" + ], + "tgw-routes": [] + }, + { + "name": "Main-${ALT_REGION}", + "asn": 64526, + "region": "${ALT_REGION}", + "features": { + "DNS-support": true, + "VPN-ECMP-support": true, + "Default-route-table-association": false, + "Default-route-table-propagation": false, + "Auto-accept-sharing-attachments": true + }, + "route-tables": [ + "core", + "shared", + "standalone", + "segregated" + ], + "tgw-routes": [] + } + ] + } + }, + "operations": { + "account-name": "Operations", + "email": 
"myemail+aseaT-operations@example.com---------------------REPLACE------------", + "ou": "Infrastructure", + "account-warming-required": true, + "limits": {}, + "src-filename": "config.json", + "description": "This Account is used for centralized IT Operational resources (MAD, rsyslog, ITSM, etc.).", + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + }, + { + "policy-name": "${ACCELERATOR_PREFIX_ND}-RDGW-Custom-Policy", + "policy": "rdgw-custom-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + }, + { + "role": "${ACCELERATOR_PREFIX_ND}-RDGW-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy", + "${ACCELERATOR_PREFIX_ND}-RDGW-Custom-Policy" + ], + "boundary-policy": "Default-Boundary-Policy" + }, + { + "role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "CloudWatchAgentServerPolicy", + "AmazonS3ReadOnlyAccess" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "deployments": { + "mad": { + "dir-id": 1001, + "description": "This directory is a) shared to most accounts in the organization to provide centralized Windows and Linux authentication for cloud workloads, b) used as an identity source for AWS SSO, c) used to inter-connect with on-premises directory services, and d) provides a single identities source for instance and AWS console access.", + "deploy": true, + "vpc-name": "Central", + "region": "${HOME_REGION}", + "subnet": "App2", + "azs": [ + "a", + "b" + ], + "size": "Enterprise", + 
"dns-domain": "example.local", + "netbios-domain": "example", + "central-resolver-rule-account": "shared-network", + "central-resolver-rule-vpc": "Endpoint", + "log-group-name": "/${ACCELERATOR_PREFIX_ND}/MAD/example.local", + "restrict_srcips": "${RANGE-RESTRICT}", + "num-rdgw-hosts": 1, + "min-rdgw-hosts": 1, + "max-rdgw-hosts": 2, + "rdgw-max-instance-age": 7, + "rdgw-instance-type": "t3.large", + "image-path": "/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base", + "rdgw-instance-role": "${ACCELERATOR_PREFIX_ND}-RDGW-Role", + "rdgw-enforce-imdsv2": true, + "password-policies": { + "history": 24, + "max-age": 90, + "min-age": 1, + "min-len": 14, + "complexity": true, + "reversible": false, + "failed-attempts": 6, + "lockout-duration": 30, + "lockout-attempts-reset": 30 + }, + "ad-groups": [ + "aws-Provisioning", + "aws-Billing" + ], + "ad-per-account-groups": [ + "*-Admin", + "*-PowerUser", + "*-View" + ], + "adc-group": "ADConnector-grp", + "ad-users": [ + { + "user": "adconnector-usr", + "email": "myemail+aseaT-adc-usr@example.com", + "groups": [ + "ADConnector-grp" + ] + }, + { + "user": "User1", + "email": "myemail+aseaT-User1@example.com", + "groups": [ + "aws-Provisioning", + "*-View", + "*-Admin", + "*-PowerUser", + "AWS Delegated Administrators" + ] + }, + { + "user": "User2", + "email": "myemail+aseaT-User2@example.com", + "groups": [ + "*-View" + ] + } + ], + "security-groups": [ + { + "name": "RemoteDesktopGatewaySG", + "inbound-rules": [ + { + "description": "Allow RDP Traffic Inbound", + "type": [ + "RDP" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ] + }, + "rsyslog": { + "deploy": true, + "vpc-name": "Central", + "region": "${HOME_REGION}", + "log-group-name": "rsyslog/var/log/messages", + "security-groups": [ + { + "name": "rsyslog", + "inbound-rules": [ + { + "description": "Allow Traffic Inbound", 
+ "tcp-ports": [ + 514 + ], + "udp-ports": [ + 514 + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "app-subnets": [ + { + "name": "App", + "az": "a" + }, + { + "name": "App", + "az": "b" + } + ], + "web-subnets": [ + { + "name": "Web", + "az": "a" + }, + { + "name": "Web", + "az": "b" + } + ], + "min-rsyslog-hosts": 1, + "desired-rsyslog-hosts": 2, + "max-rsyslog-hosts": 2, + "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2", + "rsyslog-instance-type": "t3.large", + "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role", + "rsyslog-enforce-imdsv2": true, + "rsyslog-root-volume-size": 100, + "rsyslog-max-instance-age": 7 + } + } + }, + "perimeter": { + "account-name": "Perimeter", + "email": "myemail+aseaT-perimeter@example.com---------------------REPLACE------------", + "ou": "Infrastructure", + "account-warming-required": true, + "src-filename": "config.json", + "description": "This Account is used for internet facing ingress/egress security services.", + "populate-all-elbs-in-param-store": true, + "limits": { + "Amazon EC2/Number of EIPs": { + "value": 5, + "customer-confirm-inplace": false + } + }, + "budget": { + "name": "Perimeter Budget", + "period": "Monthly", + "amount": 2000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + 
"certificates": [ + { + "name": "PerimSelf-SignedCert", + "type": "import", + "priv-key": "certs/example1-cert.key", + "cert": "certs/example1-cert.crt" + } + ], + "alb": [ + { + "name": "Public-Prod", + "scheme": "internet-facing", + "action-type": "forward", + "ip-type": "ipv4", + "listeners": "HTTPS", + "ports": 443, + "vpc": "Perimeter", + "subnets": "Public", + "cert-name": "PerimSelf-SignedCert", + "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08", + "security-group": "Public-Prod-ALB", + "tg-stickiness": "1 hour", + "target-alarms-notify": "AWS-Landing-Zone-Security-Notification", + "target-alarms-when": "Minimum", + "target-alarms-of": "Healthy Hosts", + "target-alarms-is": "<", + "target-alarms-Count": "2", + "target-alarms-for": "5", + "target-alarms-periods-of": "1", + "access-logs": true, + "targets": [ + { + "target-name": "Firewalls", + "target-type": "instance", + "protocol": "HTTPS", + "port": 7001, + "health-check-protocol": "HTTPS", + "health-check-path": "/health-check", + "health-check-port": 7001, + "target-instances": [ + { + "target": "firewall", + "name": "Firewall", + "az": "a" + }, + { + "target": "firewall", + "name": "Firewall", + "az": "b" + } + ], + "tg-weight": 1 + } + ] + }, + { + "name": "Public-DevTest", + "scheme": "internet-facing", + "action-type": "forward", + "ip-type": "ipv4", + "listeners": "HTTPS", + "ports": 443, + "vpc": "Perimeter", + "subnets": "Public", + "cert-name": "PerimSelf-SignedCert", + "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08", + "security-group": "Public-DevTest-ALB", + "tg-stickiness": "1 hour", + "target-alarms-notify": "AWS-Landing-Zone-Security-Notification", + "target-alarms-when": "Minimum", + "target-alarms-of": "Healthy Hosts", + "target-alarms-is": "<", + "target-alarms-Count": "2", + "target-alarms-for": "5", + "target-alarms-periods-of": "1", + "access-logs": true, + "targets": [ + { + "target-name": "Firewalls", + "target-type": "instance", + "protocol": "HTTPS", + "port": 
7002, + "health-check-protocol": "HTTPS", + "health-check-path": "/health-check", + "health-check-port": 7001, + "target-instances": [ + { + "target": "firewall", + "name": "Firewall", + "az": "a" + }, + { + "target": "firewall", + "name": "Firewall", + "az": "b" + } + ], + "tg-weight": 1 + } + ] + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + }, + { + "policy-name": "Firewall-Policy", + "policy": "firewall-fg-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + }, + { + "role": "Firewall-Role", + "type": "ec2", + "policies": [ + "Firewall-Policy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "vpc": [ + { + "deploy": "local", + "name": "Perimeter", + "description": "This VPC is used to hold centralized ingress/egress (perimeter) security services.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 22, + "pool": "main" + }, + { + "pool": "RFC6598b", + "size": 23 + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": false, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "igw": true, + "alb-forwarding": true, + "vgw": { + "asn": 65522 + }, + "subnets": [ + { + "name": "Public", + "definitions": [ + { + "az": "a", + "route-table": "Public_Shared", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + }, + { + "az": "b", + "route-table": "Public_Shared", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + } + ] + }, + { + "name": "FWMgmt", + "definitions": [ + { + "az": "a", + "route-table": "FWMgmt_azA", + "cidr": { + "pool": "RFC6598b", + "size": 27 + } + }, + { + "az": "b", + "route-table": "FWMgmt_azB", + "cidr": { + "pool": "RFC6598b", + "size": 27 + } + } + ] + }, + { + "name": "Proxy", + 
"definitions": [ + { + "az": "a", + "route-table": "Proxy_azA", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + }, + { + "az": "b", + "route-table": "Proxy_azB", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + } + ] + }, + { + "name": "OnPremise", + "definitions": [ + { + "az": "a", + "route-table": "OnPremise_Shared", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + }, + { + "az": "b", + "route-table": "OnPremise_Shared", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + } + ] + }, + { + "name": "Detonation", + "definitions": [ + { + "az": "a", + "route-table": "Detonation_Shared", + "cidr": { + "pool": "main", + "size": 24 + } + }, + { + "az": "b", + "route-table": "Detonation_Shared", + "cidr": { + "pool": "main", + "size": 24 + } + } + ] + } + ], + "gateway-endpoints": [ + "s3" + ], + "route-tables": [ + { + "name": "OnPremise_Shared" + }, + { + "name": "Public_Shared", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "IGW" + } + ] + }, + { + "name": "FWMgmt_azA", + "routes": [ + { + "destination": "10.0.0.0/8", + "target": "VGW" + }, + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "a", + "port": "OnPremise" + }, + { + "destination": "s3", + "target": "s3" + } + ] + }, + { + "name": "FWMgmt_azB", + "routes": [ + { + "destination": "10.0.0.0/8", + "target": "VGW" + }, + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "b", + "port": "OnPremise" + }, + { + "destination": "s3", + "target": "s3" + } + ] + }, + { + "name": "Proxy_azA", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "a", + "port": "Proxy" + } + ] + }, + { + "name": "Proxy_azB", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "b", + "port": "Proxy" + } + ] + }, + { + "name": "Detonation_Shared" + } + ], + "security-groups": [ + { + "name": "Public-Prod-ALB", + "inbound-rules": [ + { + 
"description": "TLS Traffic Inbound", + "type": [ + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Public-DevTest-ALB", + "inbound-rules": [ + { + "description": "TLS Traffic Inbound", + "type": [ + "HTTPS" + ], + "source": "${RANGE-DEV-TEST}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "FirewallMgr", + "inbound-rules": [ + { + "description": "Allow Mgmt Traffic Inbound", + "tcp-ports": [ + 22, + 443, + 514, + 541, + 2032, + 3000, + 5199, + 6020, + 6028, + 8080 + ], + "udp-ports": [ + 9443 + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Firewalls", + "inbound-rules": [ + { + "description": "All Allowed Inbound Traffic", + "tcp-ports": [ + 443, + 8080 + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Mgmt Traffic, Customer Outbound traffic and ALBs", + "type": [ + "ALL" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "interface-endpoints": { + "subnet": "Proxy", + "endpoints": [ + "ssm", + "ssmmessages", + "ec2messages", + "kms", + "logs", + "monitoring" + ] + } + }, + { + "deploy": "local", + "name": "Perimeter-${ALT_REGION}", + "description": "This VPC is used to hold centralized ingress/egress (perimeter) security services.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 22, + "pool": "main-${ALT_REGION}" + }, + { + "pool": "RFC6598c", + "size": 23 + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": false, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "igw": true, + "alb-forwarding": true, + 
"subnets": [ + { + "name": "Public", + "definitions": [ + { + "az": "a", + "route-table": "Public_Shared", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + }, + { + "az": "b", + "route-table": "Public_Shared", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + } + ] + }, + { + "name": "FWMgmt", + "definitions": [ + { + "az": "a", + "route-table": "FWMgmt_azA", + "cidr": { + "pool": "RFC6598c", + "size": 27 + } + }, + { + "az": "b", + "route-table": "FWMgmt_azB", + "cidr": { + "pool": "RFC6598c", + "size": 27 + } + } + ] + }, + { + "name": "Proxy", + "definitions": [ + { + "az": "a", + "route-table": "Proxy_azA", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + }, + { + "az": "b", + "route-table": "Proxy_azB", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + } + ] + }, + { + "name": "OnPremise", + "definitions": [ + { + "az": "a", + "route-table": "OnPremise_Shared", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + }, + { + "az": "b", + "route-table": "OnPremise_Shared", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + } + ] + }, + { + "name": "Detonation", + "definitions": [ + { + "az": "a", + "route-table": "Detonation_Shared", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 24 + } + }, + { + "az": "b", + "route-table": "Detonation_Shared", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 24 + } + } + ] + } + ], + "gateway-endpoints": [ + "s3" + ], + "route-tables": [ + { + "name": "OnPremise_Shared" + }, + { + "name": "Public_Shared", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "IGW" + } + ] + }, + { + "name": "FWMgmt_azA", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "a", + "port": "OnPremise" + }, + { + "destination": "s3", + "target": "s3" + } + ] + }, + { + "name": "FWMgmt_azB", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "b", + "port": "OnPremise" + }, + { + "destination": "s3", + "target": "s3" + 
} + ] + }, + { + "name": "Proxy_azA", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "a", + "port": "Proxy" + } + ] + }, + { + "name": "Proxy_azB", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "b", + "port": "Proxy" + } + ] + }, + { + "name": "Detonation_Shared" + } + ], + "security-groups": [ + { + "name": "Public-Prod-ALB", + "inbound-rules": [ + { + "description": "TLS Traffic Inbound", + "type": [ + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Public-DevTest-ALB", + "inbound-rules": [ + { + "description": "TLS Traffic Inbound", + "type": [ + "HTTPS" + ], + "source": "${RANGE-DEV-TEST}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "FirewallMgr", + "inbound-rules": [ + { + "description": "Allow Mgmt Traffic Inbound", + "tcp-ports": [ + 22, + 443, + 514, + 541, + 2032, + 3000, + 5199, + 6020, + 6028, + 8080 + ], + "udp-ports": [ + 9443 + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Firewalls", + "inbound-rules": [ + { + "description": "All Allowed Inbound Traffic", + "tcp-ports": [ + 443, + 8080 + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Mgmt Traffic, Customer Outbound traffic and ALBs", + "type": [ + "ALL" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "interface-endpoints": { + "subnet": "Proxy", + "endpoints": [ + "ssm", + "ssmmessages", + "ec2messages", + "kms", + "logs", + "monitoring" + ] + } + } + ], 
+ "deployments": { + "firewalls": [ + { + "name": "Firewall", + "deploy": true, + "image-id": "ami-02b5eb49ec4cae519", + "instance-sizes": "c5n.2xlarge", + "region": "${HOME_REGION}", + "security-group": "Firewalls", + "fw-instance-role": "Firewall-Role", + "vpc": "Perimeter", + "ports": [ + { + "name": "Public", + "subnet": "Public", + "create-eip": true, + "create-cgw": true + }, + { + "name": "OnPremise", + "subnet": "OnPremise", + "create-eip": false, + "create-cgw": false + }, + { + "name": "FWMgmt", + "subnet": "FWMgmt", + "create-eip": false, + "create-cgw": false + }, + { + "name": "Proxy", + "subnet": "Proxy", + "create-eip": false, + "create-cgw": false + } + ], + "license": [ + "firewall/license1.lic", + "firewall/license2.lic" + ], + "config": "firewall/firewall-example.txt", + "block-device-mappings": [ + "/dev/sda1", + "/dev/sdb" + ], + "fw-cgw-name": "Perimeter_fw", + "fw-cgw-asn": 65523, + "fw-cgw-routing": "Dynamic", + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "name": "TGW-to-Perimeter", + "associate-type": "VPN", + "tgw-rt-associate": [ + "core" + ], + "tgw-rt-propagate": [ + "core", + "shared", + "standalone", + "segregated" + ], + "blackhole-route": false, + "attach-subnets": [], + "options": [ + "DNS-support" + ] + } + }, + { + "name": "Firewall-${ALT_REGION}", + "deploy": true, + "image-id": "ami-02b5eb49ec4cae519", + "instance-sizes": "c6i.xlarge", + "region": "${ALT_REGION}", + "security-group": "Firewalls", + "fw-instance-role": "Firewall-Role", + "vpc": "Perimeter-${ALT_REGION}", + "ports": [ + { + "name": "Public", + "subnet": "Public", + "create-eip": true, + "create-cgw": true + }, + { + "name": "OnPremise", + "subnet": "OnPremise", + "create-eip": false, + "create-cgw": false + }, + { + "name": "FWMgmt", + "subnet": "FWMgmt", + "create-eip": false, + "create-cgw": false + }, + { + "name": "Proxy", + "subnet": "Proxy", + "create-eip": false, + "create-cgw": false + } + ], + "license": [ + 
"firewall/license3.lic", + "firewall/license4.lic" + ], + "config": "firewall/firewall-example-${ALT_REGION}.txt", + "block-device-mappings": [ + "/dev/sda1", + "/dev/sdb" + ], + "fw-cgw-name": "Perimeter_fw", + "fw-cgw-asn": 65523, + "fw-cgw-routing": "Dynamic", + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "name": "TGW-to-Perimeter", + "associate-type": "VPN", + "tgw-rt-associate": [ + "core" + ], + "tgw-rt-propagate": [ + "core", + "shared", + "standalone", + "segregated" + ], + "blackhole-route": false, + "attach-subnets": [], + "options": [ + "DNS-support" + ] + } + }, + { + "type": "CGW", + "deploy": false, + "name": "OnPremFirewall-Example", + "region": "${HOME_REGION}", + "fw-cgw-name": "OnPremise_fw", + "fw-ips": [ + "99.80.205.24" + ], + "fw-cgw-asn": 65530, + "fw-cgw-routing": "Dynamic", + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "name": "TGW-to-Perimeter", + "associate-type": "VPN", + "tgw-rt-associate": [ + "core" + ], + "tgw-rt-propagate": [ + "core", + "shared", + "standalone", + "segregated" + ], + "blackhole-route": false, + "attach-subnets": [], + "options": [ + "DNS-support" + ] + } + } + ], + "xxfirewall-manager": { + "name": "FirewallMgr", + "image-id": "ami-080f1f0299ba8924f", + "instance-sizes": "c5.xlarge", + "block-device-mappings": [ + "/dev/sda1", + "/dev/sdb" + ], + "region": "${HOME_REGION}", + "vpc": "Perimeter", + "security-group": "FirewallMgr", + "subnet": { + "name": "FWMgmt", + "az": "a" + }, + "create-eip": true + } + } + }, + "management": { + "account-name": "ASEA-Main---------------------REPLACE------------", + "email": "myemail+aseaT-management@example.com---------------------REPLACE------------", + "ou": "Security", + "src-filename": "config.json", + "description": "This is the Organization Management or root account. Access must be highly restricted. 
This account should not contain customer resources.", + "gui-perm": true, + "budget": { + "name": "Organization Budget", + "period": "Monthly", + "amount": 10000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "s3-retention": 180, + "limits": {}, + "iam": { + "users": [ + { + "user-ids": [ + "bgUser1", + "bgUser2" + ], + "group": "BreakGlassAdmins", + "policies": [ + "AdministratorAccess" + ], + "boundary-policy": "Default-Boundary-Policy" + }, + { + "user-ids": [ + "OpsUser1", + "OpsUser2" + ], + "group": "OpsAdmins", + "policies": [ + "AdministratorAccess" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [] + }, + "vpc": [ + { + "deploy": "local", + "name": "ForSSO", + "description": "This VPC is deployed in the Organization Management/root account to enable the deployment of the Active Directory Connector, enabling the use of Active Directory as the Identity source for AWS SSO.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 24, + "pool": "ForSSO" + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": false, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "ForSSO", + "definitions": [ + { + "az": "a", + "route-table": "ForSSO_Shared", + "cidr": { + "pool": "ForSSO", + "size": 27 + } + }, + { + "az": "b", + "route-table": 
"ForSSO_Shared", + "cidr": { + "pool": "ForSSO", + "size": 27 + } + }, + { + "az": "d", + "route-table": "ForSSO_Shared", + "cidr": { + "pool": "ForSSO", + "size": 27 + } + } + ] + } + ], + "gateway-endpoints": [], + "route-tables": [ + { + "name": "ForSSO_Shared", + "routes": [ + { + "destination": { + "account": "shared-network", + "vpc": "Central", + "subnet": "App2" + }, + "target": "pcx" + } + ] + } + ] + } + ], + "deployments": { + "adc": { + "deploy": true, + "vpc-name": "ForSSO", + "subnet": "ForSSO", + "azs": [ + "a", + "b" + ], + "size": "Small", + "restrict_srcips": [ + "10.249.1.0/24", + "${RANGE-MAD}" + ], + "connect-account-key": "operations", + "connect-dir-id": 1001 + } + } + }, + "log-archive": { + "account-name": "log-archive", + "ou": "Security", + "email": "myemail+aseaT-log@example.com---------------------REPLACE------------", + "src-filename": "config.json", + "description": "This Account is used to centralized and store immutable logs for the Organization.", + "gui-perm": true + }, + "security": { + "account-name": "security", + "ou": "Security", + "email": "myemail+aseaT-sec@example.com---------------------REPLACE------------", + "src-filename": "config.json", + "description": "This Account is used to centralized access to AWS security tooling and consoles.", + "gui-perm": true + } + }, + "workload-account-configs": { + "fun-acct": { + "account-name": "TheFunAccount", + "email": "myemail+aseaT-funacct@example.com---------------------REPLACE------------", + "src-filename": "config.json", + "ou": "Sandbox", + "description": "This is an OPTIONAL SAMPLE workload account. As this is a Sandbox account, it is used for extreme FUN!" + }, + "mydevacct1": { + "account-name": "MyDev1", + "email": "myemail+aseaT-dev1@example.com---------------------REPLACE------------", + "src-filename": "config.json", + "ou": "Dev", + "description": "This is an OPTIONAL SAMPLE workload account. As this is a Dev account, it is to be used for Development." 
+ } + }, + "organizational-units": { + "Security": { + "type": "ignore", + "description": "The Security OU is used to hold AWS accounts containing AWS security resources shared or utilized by the rest of the Organization.", + "scps": [ + "Guardrails-Part-0-Core", + "Guardrails-Part-1", + "Guardrails-Sensitive" + ], + "ssm-inventory-collection": true, + "gui-perm": true, + "default-budgets": { + "name": "Default Security Budget", + "period": "Monthly", + "amount": 1000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_VERSIONING_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + ], + 
"remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + }, + { + "excl-regions": [ + "ap-northeast-3", + "${ALT_REGION}" + ], + "rules": [ + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "ALB_WAF_ENABLED", + "EC2_VOLUME_INUSE_CHECK", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "DYNAMODB_IN_BACKUP_PLAN", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "EMR_KERBEROS_ENABLED", + "ELB_ACM_CERTIFICATE_REQUIRED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "IAM_GROUP_HAS_USERS_CHECK", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "SECURITYHUB_ENABLED", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "IAM_PASSWORD_POLICY", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "RDS_IN_BACKUP_PLAN", + "EBS_IN_BACKUP_PLAN", + "WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}" + ] + } + ] + }, + "Infrastructure": { + "type": "ignore", + "description": "The Infrastructure OU is used to hold AWS accounts containing AWS infrastructure resources shared or utilized by the rest of the Organization.", + "scps": [ + "Guardrails-Part-0-Core", + "Guardrails-Part-1", + "Guardrails-Sensitive" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Infrastructure Budget", + "period": "Monthly", + "amount": 1000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + 
"myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_VERSIONING_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + }, + { + "excl-regions": [ + "ap-northeast-3", + "${ALT_REGION}" + ], + "rules": [ + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "ALB_WAF_ENABLED", + "EC2_VOLUME_INUSE_CHECK", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "DYNAMODB_IN_BACKUP_PLAN", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "EMR_KERBEROS_ENABLED", + "ELB_ACM_CERTIFICATE_REQUIRED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "IAM_GROUP_HAS_USERS_CHECK", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "SECURITYHUB_ENABLED", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "IAM_PASSWORD_POLICY", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + 
"RDS_IN_BACKUP_PLAN", + "EBS_IN_BACKUP_PLAN", + "WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}" + ] + } + ] + }, + "Central": { + "type": "mandatory", + "description": "The Central OU is used to hold AWS accounts which contain group or team resources used across OU boundaries like code promotion tools.", + "share-mad-from": "operations", + "scps": [ + "Guardrails-Part-0", + "Guardrails-Part-1", + "Guardrails-Sensitive" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Central Budget", + "period": "Monthly", + "amount": 500, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "vpc": [ + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to the Operations account and every account in the Central OU.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main" + }, + { + "pool": "RFC6598a", + "size": 23 + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "pcx": { + "source": "management", + "source-vpc": "ForSSO", + "source-subnets": "ForSSO", + "local-subnets": "App2" + }, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": 
"${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + 
"cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + }, + { + "name": "App2", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_App2", + "cidr": { + "pool": "RFC6598a", + "size": 25 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_App2", + "cidr": { + "pool": "RFC6598a", + "size": 25 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_App2", + "cidr": { + "pool": "RFC6598a", + "size": 25 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::VPC_NAME}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + }, + { + "name": "${CONFIG::VPC_NAME}VPC_App2", + "routes": [ + { + "destination": 
"0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + }, + { + "destination": { + "account": "management", + "vpc": "ForSSO", + "subnet": "ForSSO" + }, + "target": "pcx" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + 
"security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "shared" + ], + "tgw-rt-propagate": [ + "core", + "segregated" + ], + "blackhole-route": false, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + }, + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}-${ALT_REGION}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to the Operations account and every account in the Central OU in ${ALT_REGION}.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main-${ALT_REGION}" + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", 
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": 
"${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic 
Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "shared" + ], + "tgw-rt-propagate": [ + "core", + "segregated" + ], + "blackhole-route": false, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "ssm-automation": [ + { + 
"account": "operations", + "regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_VERSIONING_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + }, + { + "excl-regions": [ + "ap-northeast-3", + "${ALT_REGION}" + ], + "rules": [ + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "ALB_WAF_ENABLED", + "EC2_VOLUME_INUSE_CHECK", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "DYNAMODB_IN_BACKUP_PLAN", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "EMR_KERBEROS_ENABLED", + "ELB_ACM_CERTIFICATE_REQUIRED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "IAM_GROUP_HAS_USERS_CHECK", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "SECURITYHUB_ENABLED", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "IAM_PASSWORD_POLICY", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "RDS_IN_BACKUP_PLAN", + "EBS_IN_BACKUP_PLAN", + "WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}" + ] + } + ] + }, + "Dev": { + "type": "workload", + "description": "The Dev OU is 
used to hold accounts at the Development or similiarly permissioned stage of the SDLC cycle containing sensitive unclassified data or workloads.", + "share-mad-from": "operations", + "scps": [ + "Guardrails-Part-0", + "Guardrails-Part-1", + "Guardrails-Sensitive" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Dev Budget", + "period": "Monthly", + "amount": 2000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "certificates": [ + { + "name": "DevSelf-SignedCert", + "type": "import", + "priv-key": "certs/example1-cert.key", + "cert": "certs/example1-cert.crt" + } + ], + "alb": [ + { + "name": "Core", + "scheme": "internal", + "action-type": "forward", + "ip-type": "ipv4", + "listeners": "HTTPS", + "ports": 443, + "vpc": "Dev", + "subnets": "Web", + "cert-name": "DevSelf-SignedCert", + "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08", + "security-group": "Web", + "access-logs": true, + "targets": [ + { + "target-name": "health-check-Lambda", + "target-type": "lambda", + "health-check-path": "/health-check", + "lambda-filename": "internal-dev-alb-lambda.txt" + } + ] + } + ], + "vpc": [ + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Dev OU.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main" + } + ], 
+ "region": "${HOME_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": 
"${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::VPC_NAME}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + 
"vpc": "Central",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": [
+ "HTTP",
+ "HTTPS"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Web"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "App"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": [
+ "MSSQL",
+ "MYSQL/AURORA",
+ "REDSHIFT",
+ "POSTGRESQL",
+ "ORACLE-RDS"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "App"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Data"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": [
+ "segregated"
+ ],
+ "tgw-rt-propagate": [
+ "core",
+ "shared"
+ ],
+ "blackhole-route": true,
+ "attach-subnets": [
+ "TGW"
+ ],
+ "options": [
+ "DNS-support"
+ ]
+ }
+ },
+ {
+ "deploy": "shared-network",
+ "name": "${CONFIG::OU_NAME}-${ALT_REGION}",
+ "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Dev OU in ${ALT_REGION}.",
+ "cidr-src": "dynamic",
+ "cidr": [
+ {
+ "size": 16,
+ "pool": "main-${ALT_REGION}"
+ }
+ ],
+ "region": "${ALT_REGION}",
+ "use-central-endpoints": true,
+ "flow-logs": "BOTH",
+ "dns-resolver-logging": true,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 27
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 27
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 27
+ },
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table":
"${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ },
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 19
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 19
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 19
+ },
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ },
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}",
+ "subnet": [
+ "Web"
+ ]
+ },
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Data"
+ ]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": [
+ "0.0.0.0/0"
+ ]
+
},
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}",
+ "subnet": [
+ "Web"
+ ]
+ },
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Data"
+ ]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 21
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 21
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 21
+ },
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [
+ "s3",
+ "dynamodb"
+ ],
+ "route-tables": [
+ {
+ "name": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": [
+ "RDP",
+ "SSH"
+ ],
+ "source": "${RANGE-RESTRICT}"
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": [
+ "HTTP",
+ "HTTPS"
+ ],
+ "source": [
+
"0.0.0.0/0"
+ ]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Web"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "App"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": [
+ "MSSQL",
+ "MYSQL/AURORA",
+ "REDSHIFT",
+ "POSTGRESQL",
+ "ORACLE-RDS"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "App"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+
"security-group": [
+ "Data"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main-${ALT_REGION}",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": [
+ "segregated"
+ ],
+ "tgw-rt-propagate": [
+ "core",
+ "shared"
+ ],
+ "blackhole-route": true,
+ "attach-subnets": [
+ "TGW"
+ ],
+ "options": [
+ "DNS-support"
+ ]
+ }
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-write-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "ssm-automation": [
+ {
+ "account": "operations",
+ "regions": [
+ "${HOME_REGION}",
+ "${ALT_REGION}"
+ ],
+ "documents": [
+ "SSM-ELB-Enable-Logging",
+ "Put-S3-Encryption",
+ "Attach-IAM-Instance-Profile",
+ "Attach-IAM-Role-Policy"
+ ]
+ }
+ ],
+ "aws-config": [
+ {
+ "excl-regions": [
+ "ap-northeast-3"
+ ],
+ "rules": [
+ "EC2-INSTANCE-PROFILE",
+ "EC2-INSTANCE-PROFILE-PERMISSIONS",
+ "ELB_LOGGING_ENABLED",
+ "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
+ "CLOUD_TRAIL_ENABLED",
+ "CLOUDTRAIL_SECURITY_TRAIL_ENABLED",
+ "CLOUDWATCH_ALARM_ACTION_CHECK",
+ "CW_LOGGROUP_RETENTION_PERIOD_CHECK",
+ "DB_INSTANCE_BACKUP_ENABLED",
+ "EC2_INSTANCE_DETAILED_MONITORING_ENABLED",
+ "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED",
+ "INCOMING_SSH_DISABLED",
+ "INSTANCES_IN_VPC",
+ "RESTRICTED_INCOMING_TRAFFIC",
+ "S3_BUCKET_VERSIONING_ENABLED",
+ "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS"
+ ],
+ "remediate-regions": [
+ "${HOME_REGION}",
+ "${ALT_REGION}"
+ ]
+ },
+ {
+ "excl-regions": [
+ "ap-northeast-3",
+ "${ALT_REGION}"
+ ],
+ "rules": [
+
"API_GW_CACHE_ENABLED_AND_ENCRYPTED",
+ "ALB_WAF_ENABLED",
+ "EC2_VOLUME_INUSE_CHECK",
+ "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED",
+ "DYNAMODB_IN_BACKUP_PLAN",
+ "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK",
+ "CLOUDTRAIL_S3_DATAEVENTS_ENABLED",
+ "REDSHIFT_CLUSTER_CONFIGURATION_CHECK",
+ "EMR_KERBEROS_ENABLED",
+ "ELB_ACM_CERTIFICATE_REQUIRED",
+ "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED",
+ "S3_BUCKET_POLICY_GRANTEE_CHECK",
+ "IAM_GROUP_HAS_USERS_CHECK",
+ "DYNAMODB_TABLE_ENCRYPTED_KMS",
+ "GUARDDUTY_NON_ARCHIVED_FINDINGS",
+ "ACM_CERTIFICATE_EXPIRATION_CHECK",
+ "IAM_USER_GROUP_MEMBERSHIP_CHECK",
+ "SECURITYHUB_ENABLED",
+ "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY",
+ "IAM_PASSWORD_POLICY",
+ "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK",
+ "RDS_IN_BACKUP_PLAN",
+ "EBS_IN_BACKUP_PLAN",
+ "WAFV2_LOGGING_ENABLED"
+ ],
+ "remediate-regions": [
+ "${HOME_REGION}"
+ ]
+ }
+ ]
+ },
+ "Test": {
+ "type": "workload",
+ "description": "The Test OU is used to hold accounts at the Test or similiarly permissioned (i.e.
QA) stage of the SDLC cycle containing sensitive unclassified data or workloads.",
+ "share-mad-from": "operations",
+ "scps": [
+ "Guardrails-Part-0",
+ "Guardrails-Part-1",
+ "Guardrails-Sensitive"
+ ],
+ "ssm-inventory-collection": true,
+ "default-budgets": {
+ "name": "Default Test Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name": "TestSelf-SignedCert",
+ "type": "import",
+ "priv-key": "certs/example1-cert.key",
+ "cert": "certs/example1-cert.crt"
+ }
+ ],
+ "alb": [
+ {
+ "name": "Core",
+ "scheme": "internal",
+ "action-type": "forward",
+ "ip-type": "ipv4",
+ "listeners": "HTTPS",
+ "ports": 443,
+ "vpc": "Test",
+ "subnets": "Web",
+ "cert-name": "TestSelf-SignedCert",
+ "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
+ "security-group": "Web",
+ "access-logs": true,
+ "targets": [
+ {
+ "target-name": "health-check-Lambda",
+ "target-type": "lambda",
+ "health-check-path": "/health-check",
+ "lambda-filename": "internal-test-alb-lambda.txt"
+ }
+ ]
+ }
+ ],
+ "vpc": [
+ {
+ "deploy": "shared-network",
+ "name": "${CONFIG::OU_NAME}",
+ "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Test OU.",
+ "cidr-src": "dynamic",
+ "cidr": [
+ {
+ "size": 16,
+ "pool": "main"
+ }
+ ],
+ "region": "${HOME_REGION}",
+ "use-central-endpoints":
true,
+ "flow-logs": "BOTH",
+ "dns-resolver-logging": true,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 27
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 27
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 27
+ },
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 20
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 20
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 20
+ },
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 19
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 19
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 19
+ },
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 20
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 20
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 20
+ },
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "${CONFIG::VPC_NAME}",
+ "subnet": [
+ "Web"
+ ]
+ },
+ {
+ "vpc": "${CONFIG::VPC_NAME}",
+ "subnet": [
+ "Data"
+ ]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": [
+ "0.0.0.0/0"
+ ]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "${CONFIG::VPC_NAME}",
+ "subnet": [
+ "Web"
+ ]
+ },
+ {
+ "vpc": "Central",
+ "subnet": [
+ "Data"
+ ]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 21
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 21
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::VPC_NAME}VPC_Common",
+ "cidr": {
+ "pool": "main",
+ "size": 21
+ },
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [
+ "s3",
+ "dynamodb"
+ ],
+ "route-tables": [
+ {
+ "name": "${CONFIG::VPC_NAME}VPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": [
+ "RDP",
+ "SSH"
+ ],
+ "source": "${RANGE-RESTRICT}"
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": [
+ "Web",
+ "App",
+
"Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": [
+ "HTTP",
+ "HTTPS"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Web"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "App"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic
Inbound",
+ "type": [
+ "MSSQL",
+ "MYSQL/AURORA",
+ "REDSHIFT",
+ "POSTGRESQL",
+ "ORACLE-RDS"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "App"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Data"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": [
+ "segregated"
+ ],
+ "tgw-rt-propagate": [
+ "core",
+ "shared"
+ ],
+ "blackhole-route": true,
+ "attach-subnets": [
+ "TGW"
+ ],
+ "options": [
+ "DNS-support"
+ ]
+ }
+ },
+ {
+ "deploy": "shared-network",
+ "name": "${CONFIG::OU_NAME}-${ALT_REGION}",
+ "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Dev OU in ${ALT_REGION}.",
+ "cidr-src": "dynamic",
+ "cidr": [
+ {
+ "size": 16,
+ "pool": "main-${ALT_REGION}"
+ }
+ ],
+ "region": "${ALT_REGION}",
+ "use-central-endpoints": true,
+ "flow-logs": "BOTH",
+ "dns-resolver-logging": true,
+ "subnets": [
+ {
+ "name": "TGW",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 27
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 27
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 27
+ },
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ },
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 19
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 19
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 19
+ },
+ "disabled": true
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "share-to-ou-accounts": true,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 20
+ },
+ "disabled": true
+ }
+ ],
+ "nacls": [
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": true,
+ "cidr-blocks": [
+ {
+ "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}",
+ "subnet": [
+ "Web"
+ ]
+ },
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Data"
+ ]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": true,
+ "cidr-blocks": [
+ "0.0.0.0/0"
+ ]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+
"rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}",
+ "subnet": [
+ "Web"
+ ]
+ },
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Data"
+ ]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 21
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 21
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 21
+ },
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [
+ "s3",
+ "dynamodb"
+ ],
+ "route-tables": [
+ {
+ "name": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": [
+ "RDP",
+ "SSH"
+ ],
+ "source": "${RANGE-RESTRICT}"
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": [
+ "HTTP",
+ "HTTPS"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ },
+ {
+ "description": "Central VPC Traffic
Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Web"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "App"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": [
+ "MSSQL",
+ "MYSQL/AURORA",
+ "REDSHIFT",
+ "POSTGRESQL",
+ "ORACLE-RDS"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "App"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Data"
+ ]
+ }
+ ]
+ }
+ ],
+
"outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ }
+ ],
+ "tgw-attach": {
+ "associate-to-tgw": "Main-${ALT_REGION}",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": [
+ "segregated"
+ ],
+ "tgw-rt-propagate": [
+ "core",
+ "shared"
+ ],
+ "blackhole-route": true,
+ "attach-subnets": [
+ "TGW"
+ ],
+ "options": [
+ "DNS-support"
+ ]
+ }
+ }
+ ],
+ "iam": {
+ "users": [],
+ "policies": [
+ {
+ "policy-name": "Default-Boundary-Policy",
+ "policy": "boundary-policy.txt"
+ }
+ ],
+ "roles": [
+ {
+ "role": "EC2-Default-SSM-AD-Role",
+ "type": "ec2",
+ "ssm-log-archive-write-access": true,
+ "policies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "boundary-policy": "Default-Boundary-Policy"
+ }
+ ]
+ },
+ "ssm-automation": [
+ {
+ "account": "operations",
+ "regions": [
+ "${HOME_REGION}",
+ "${ALT_REGION}"
+ ],
+ "documents": [
+ "SSM-ELB-Enable-Logging",
+ "Put-S3-Encryption",
+ "Attach-IAM-Instance-Profile",
+ "Attach-IAM-Role-Policy"
+ ]
+ }
+ ],
+ "aws-config": [
+ {
+ "excl-regions": [
+ "ap-northeast-3"
+ ],
+ "rules": [
+ "EC2-INSTANCE-PROFILE",
+ "EC2-INSTANCE-PROFILE-PERMISSIONS",
+ "ELB_LOGGING_ENABLED",
+ "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
+ "CLOUD_TRAIL_ENABLED",
+ "CLOUDTRAIL_SECURITY_TRAIL_ENABLED",
+ "CLOUDWATCH_ALARM_ACTION_CHECK",
+ "CW_LOGGROUP_RETENTION_PERIOD_CHECK",
+ "DB_INSTANCE_BACKUP_ENABLED",
+ "EC2_INSTANCE_DETAILED_MONITORING_ENABLED",
+ "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED",
+ "INCOMING_SSH_DISABLED",
+ "INSTANCES_IN_VPC",
+ "RESTRICTED_INCOMING_TRAFFIC",
+ "S3_BUCKET_VERSIONING_ENABLED",
+ "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS"
+ ],
+ "remediate-regions": [
+ "${HOME_REGION}",
+ "${ALT_REGION}"
+ ]
+ },
+ {
+ "excl-regions": [
+ "ap-northeast-3",
+ "${ALT_REGION}"
+ ],
+ "rules": [
+ "API_GW_CACHE_ENABLED_AND_ENCRYPTED",
+ "ALB_WAF_ENABLED",
+
"EC2_VOLUME_INUSE_CHECK",
+ "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED",
+ "DYNAMODB_IN_BACKUP_PLAN",
+ "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK",
+ "CLOUDTRAIL_S3_DATAEVENTS_ENABLED",
+ "REDSHIFT_CLUSTER_CONFIGURATION_CHECK",
+ "EMR_KERBEROS_ENABLED",
+ "ELB_ACM_CERTIFICATE_REQUIRED",
+ "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED",
+ "S3_BUCKET_POLICY_GRANTEE_CHECK",
+ "IAM_GROUP_HAS_USERS_CHECK",
+ "DYNAMODB_TABLE_ENCRYPTED_KMS",
+ "GUARDDUTY_NON_ARCHIVED_FINDINGS",
+ "ACM_CERTIFICATE_EXPIRATION_CHECK",
+ "IAM_USER_GROUP_MEMBERSHIP_CHECK",
+ "SECURITYHUB_ENABLED",
+ "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY",
+ "IAM_PASSWORD_POLICY",
+ "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK",
+ "RDS_IN_BACKUP_PLAN",
+ "EBS_IN_BACKUP_PLAN",
+ "WAFV2_LOGGING_ENABLED"
+ ],
+ "remediate-regions": [
+ "${HOME_REGION}"
+ ]
+ }
+ ]
+ },
+ "Prod": {
+ "type": "workload",
+ "description": "The Prod OU is used to hold accounts at the Production or similiarly permissioned (i.e. Pre-Prod) stage of the SDLC cycle containing sensitive unclassified data or workloads.",
+ "share-mad-from": "operations",
+ "scps": [
+ "Guardrails-Part-0",
+ "Guardrails-Part-1",
+ "Guardrails-Sensitive"
+ ],
+ "ssm-inventory-collection": true,
+ "default-budgets": {
+ "name": "Default Prod Budget",
+ "period": "Monthly",
+ "amount": 1000,
+ "include": [
+ "Upfront-reservation-fees",
+ "Recurring-reservation-charges",
+ "Other-subscription-costs",
+ "Taxes",
+ "Support-charges",
+ "Discounts"
+ ],
+ "alerts": [
+ {
+ "type": "Actual",
+ "threshold-percent": 50,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 75,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 90,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ },
+ {
+ "type": "Actual",
+ "threshold-percent": 100,
+ "emails": [
+ "myemail+aseaT-budg@example.com"
+ ]
+ }
+ ]
+ },
+ "certificates": [
+ {
+ "name":
"ProdSelf-SignedCert", + "type": "import", + "priv-key": "certs/example1-cert.key", + "cert": "certs/example1-cert.crt" + } + ], + "alb": [ + { + "name": "Core", + "scheme": "internal", + "action-type": "forward", + "ip-type": "ipv4", + "listeners": "HTTPS", + "ports": 443, + "vpc": "Prod", + "subnets": "Web", + "cert-name": "ProdSelf-SignedCert", + "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08", + "security-group": "Web", + "access-logs": true, + "targets": [ + { + "target-name": "health-check-Lambda", + "target-type": "lambda", + "health-check-path": "/health-check", + "lambda-filename": "internal-prod-alb-lambda.txt" + } + ] + } + ], + "vpc": [ + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Prod OU.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main" + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": 
{ + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": 
"${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::VPC_NAME}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + 
"App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "segregated" + ], + "tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + }, + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}-${ALT_REGION}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Dev OU in ${ALT_REGION}.", + 
"cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main-${ALT_REGION}" + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": 
true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + 
], + "route-tables": [ + { + "name": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West 
Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "segregated" + ], + "tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}" + ], + "documents": [ + 
"SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_VERSIONING_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + }, + { + "excl-regions": [ + "ap-northeast-3", + "${ALT_REGION}" + ], + "rules": [ + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "ALB_WAF_ENABLED", + "EC2_VOLUME_INUSE_CHECK", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "DYNAMODB_IN_BACKUP_PLAN", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "EMR_KERBEROS_ENABLED", + "ELB_ACM_CERTIFICATE_REQUIRED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "IAM_GROUP_HAS_USERS_CHECK", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "SECURITYHUB_ENABLED", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "IAM_PASSWORD_POLICY", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "RDS_IN_BACKUP_PLAN", + "EBS_IN_BACKUP_PLAN", + "WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}" + ] + } + ] + }, + "UnClass": { + "type": "workload", + "description": "Non-sensitive workloads should be placed with sensitive worksloads (Dev/Test/Prod/Central OU's). 
Used for accounts with AWS Console users without appropriate security clearance or deploying AWS services not approved for use with sensitive data.", + "share-mad-from": "operations", + "scps": [ + "Guardrails-Part-0", + "Guardrails-Part-1", + "Guardrails-Unclass" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Unclass Budget", + "period": "Monthly", + "amount": 1000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "vpc": [ + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Unclass OU.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main" + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": 
true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" 
+ ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::VPC_NAME}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + 
"security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "segregated" + ], + 
"tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + }, + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}-${ALT_REGION}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Dev OU in ${ALT_REGION}.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main-${ALT_REGION}" + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + 
"size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + 
"size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + 
"subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "segregated" + ], + "tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + "role": 
"EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "ALB_WAF_ENABLED", + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "DYNAMODB_IN_BACKUP_PLAN", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "EBS_IN_BACKUP_PLAN", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "EC2_VOLUME_INUSE_CHECK", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "ELB_ACM_CERTIFICATE_REQUIRED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "EMR_KERBEROS_ENABLED", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "IAM_GROUP_HAS_USERS_CHECK", + "IAM_PASSWORD_POLICY", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "RDS_IN_BACKUP_PLAN", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "S3_BUCKET_VERSIONING_ENABLED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "SECURITYHUB_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS", + 
"WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + } + ] + }, + "Sandbox": { + "type": "workload", + "description": "The Sandbox OU offers the most cloud native, agile experience and is used for experimentation. It is not to be used to hold production workloads or data as it offers the fewest security controls.", + "scps": [ + "Guardrails-Part-0", + "Guardrails-Part-1", + "Guardrails-Sandbox" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Sandbox Budget", + "period": "Monthly", + "amount": 200, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "vpc": [ + { + "deploy": "local", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed locally in each Sandbox account and each account/VPC is deployed with the same identical CIDR range. 
This VPC has no access to the rest of the Organizations networking and has direct internet access and does not use the perimeter ingress/egress services.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main" + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": false, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "igw": true, + "natgw": { + "subnet": { + "name": "Web", + "az": "a" + } + }, + "subnets": [ + { + "name": "Web", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "SandboxVPC_IGW", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "SandboxVPC_IGW", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "SandboxVPC_IGW", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "Sandbox", + "subnet": [ + "Web" + ] + }, + { 
+ "account": "shared-network", + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "Sandbox", + "subnet": [ + "Web" + ] + }, + { + "account": "shared-network", + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [], + "route-tables": [ + { + "name": "SandboxVPC_IGW", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "IGW" + } + ] + }, + { + "name": "SandboxVPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "NATGW_Web_azA" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ 
+ "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ] + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}" + ], + "documents": [ + 
"Put-S3-Encryption"
+ ]
+ }
+ ],
+ "aws-config": [
+ {
+ "excl-regions": [],
+ "rules": [
+ "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
+ ],
+ "remediate-regions": [
+ "${HOME_REGION}"
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-multi-region-ca-west-1-tgw-peering-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-multi-region-ca-west-1-tgw-peering-example.json
new file mode 100644
index 000000000..c357c7601
--- /dev/null
+++ b/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-multi-region-ca-west-1-tgw-peering-example.json
@@ -0,0 +1,10065 @@
+{
+ "replacements": {
+ "addl_regions": {
+ "a": [
+ "${HOME_REGION}",
+ "${ALT_REGION}"
+ ],
+ "b": [
+ "${HOME_REGION}",
+ "${GBL_REGION}",
+ "${ALT_REGION}"
+ ],
+ "c": [
+ "${HOME_REGION}",
+ "${GBL_REGION}",
+ "${ALT_REGION}",
+ "us-east-2",
+ "us-west-1",
+ "us-west-2"
+ ]
+ },
+ "INFO": "Deploying in us-east-1 requires removing ${GBL_REGION} from the above variables and replacing us-east-1 with a new 2nd region throughout the config file",
+ "INFO1": "If deploying the firewalls, both cidr values below MUST be supplied",
+ "ALT_REGION": "ca-west-1",
+ "cloud-cidr1": "10.0.0.0",
+ "cloud-mask1": "255.0.0.0",
+ "cloud-cidr2": "100.96.252.0",
+ "cloud-mask2": "255.255.254.0",
+ "range-restrict": [
+ "10.0.0.0/8",
+ "100.96.252.0/23",
+ "100.96.250.0/23"
+ ],
+ "range-mad": "100.96.252.0/23",
+ "range-dev-test": [
+ "0.0.0.0/0"
+ ],
+ "alarm-not-ip": "10.10.10.*"
+ },
+ "global-options": {
+ "ct-baseline": false,
+ "default-s3-retention": 90,
+ "central-bucket": "AWSDOC-EXAMPLE-BUCKET",
+ "organization-admin-role": "OrganizationAccountAccessRole",
+ "default-cwl-retention": 731,
+ "workloadaccounts-suffix": 1,
+ "workloadaccounts-prefix": "config",
+ "workloadaccounts-param-filename": "config.json",
+ "ignored-ous": [
+ "UnManaged"
+ ],
+ "additional-global-output-regions": [],
+ "supported-regions": [
+ "ap-northeast-1",
+ "ap-northeast-2",
+ "ap-northeast-3",
+ "ap-south-1",
+ "ap-southeast-1",
+ "ap-southeast-2",
+ "ca-central-1",
+ "eu-central-1",
+ "eu-north-1",
+ "eu-west-1",
+ "eu-west-2",
+ "eu-west-3",
+ "sa-east-1",
+ "us-east-1",
+ "us-east-2",
+ "us-west-1",
+ "us-west-2",
+ "ca-west-1"
+ ],
+ "keep-default-vpc-regions": [],
+ "aws-org-management": {
+ "account": "management",
+ "region": "${HOME_REGION}",
+ "add-sns-topics": true
+ },
+ "central-security-services": {
+ "account": "security",
+ "region": "${HOME_REGION}",
+ "security-hub-excl-regions": [],
+ "security-hub": true,
+ "guardduty": true,
+ "guardduty-excl-regions": 
[], + "guardduty-s3": true, + "guardduty-s3-excl-regions": [], + "guardduty-eks": true, + "guardduty-eks-excl-regions": [], + "guardduty-frequency": "FIFTEEN_MINUTES", + "cwl": true, + "access-analyzer": true, + "config-excl-regions": [], + "config-aggr-excl-regions": [], + "macie": true, + "macie-excl-regions": [ + "ca-west-1" + ], + "macie-frequency": "FIFTEEN_MINUTES", + "macie-sensitive-sh": true, + "fw-mgr-alert-level": "None", + "security-hub-findings-sns": "Low", + "add-sns-topics": true, + "config-aggr": true + }, + "central-operations-services": { + "account": "operations", + "region": "${HOME_REGION}", + "cwl": true, + "cwl-access-level": "full" + }, + "central-log-services": { + "account": "log-archive", + "region": "${HOME_REGION}", + "s3-retention": 730, + "cwl-glbl-exclusions": [], + "cwl-exclusions": [], + "ssm-to-s3": true, + "ssm-to-cwl": true, + "sns-excl-regions": [], + "sns-subscription-emails": { + "High": [ + "myemail+notifyT-high@example.com" + ], + "Medium": [ + "myemail+notifyT-medium@example.com" + ], + "Low": [ + "myemail+notifyT-low@example.com" + ] + }, + "dynamic-s3-log-partitioning": [ + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/MAD", + "s3Prefix": "managed-ad" + }, + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/rql", + "s3Prefix": "rql" + }, + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/SecurityHub", + "s3Prefix": "security-hub" + }, + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/Nfw", + "s3Prefix": "nfw" + }, + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/rsyslog", + "s3Prefix": "rsyslog" + }, + { + "logGroupPattern": "/${ACCELERATOR_PREFIX_ND}/SSM", + "s3Prefix": "ssm" + } + ] + }, + "additional-cwl-regions": { + "${ALT_REGION}": { + "kinesis-stream-shard-count": 1 + } + }, + "reports": { + "cost-and-usage-report": { + "additional-schema-elements": [ + "RESOURCES" + ], + "compression": "Parquet", + "format": "Parquet", + "report-name": "Cost-and-Usage-Report", + "s3-prefix": "cur", + "time-unit": 
"HOURLY", + "additional-artifacts": [ + "ATHENA" + ], + "refresh-closed-reports": true, + "report-versioning": "OVERWRITE_REPORT" + } + }, + "vpc-flow-logs": { + "filter": "ALL", + "interval": 60, + "default-format": false, + "custom-fields": [ + "version", + "account-id", + "interface-id", + "srcaddr", + "dstaddr", + "srcport", + "dstport", + "protocol", + "packets", + "bytes", + "start", + "end", + "action", + "log-status", + "vpc-id", + "subnet-id", + "instance-id", + "tcp-flags", + "type", + "pkt-srcaddr", + "pkt-dstaddr", + "region", + "az-id", + "pkt-src-aws-service", + "pkt-dst-aws-service", + "flow-direction", + "traffic-path" + ] + }, + "security-hub-frameworks": { + "standards": [ + { + "name": "AWS Foundational Security Best Practices v1.0.0", + "controls-to-disable": [ + "IAM.1", + "EC2.10" + ] + }, + { + "name": "PCI DSS v3.2.1", + "controls-to-disable": [ + "PCI.IAM.3", + "PCI.S3.3", + "PCI.Lambda.2" + ] + }, + { + "name": "CIS AWS Foundations Benchmark v1.2.0", + "controls-to-disable": [ + "CIS.1.20", + "CIS.1.22", + "CIS.2.6" + ] + } + ] + }, + "iam-password-policies": { + "allow-users-to-change-password": true, + "hard-expiry": false, + "require-uppercase-characters": true, + "require-lowercase-characters": true, + "require-symbols": true, + "require-numbers": true, + "minimum-password-length": 14, + "password-reuse-prevention": 24, + "max-password-age": 90 + }, + "scps": [ + { + "name": "Guardrails-Part-0", + "description": "ASEA Guardrails Part 0 Workload Accounts", + "policy": "ASEA-Guardrails-Part0-WkldOUs.json" + }, + { + "name": "Guardrails-Part-1", + "description": "ASEA Guardrails Part 1", + "policy": "ASEA-Guardrails-Part1.json" + }, + { + "name": "Guardrails-Sensitive", + "description": "ASEA Guardrails Sensitive Environment Specific", + "policy": "ASEA-Guardrails-Sensitive.json" + }, + { + "name": "Guardrails-Unclass", + "description": "ASEA Guardrails Unclassified Environment Specific", + "policy": "ASEA-Guardrails-Unclass.json" + }, + 
{ + "name": "Guardrails-Sandbox", + "description": "ASEA Guardrails Sandbox Environment Specific", + "policy": "ASEA-Guardrails-Sandbox.json" + }, + { + "name": "Quarantine-New-Object", + "description": "ASEA Quarantine policy - Apply to ACCOUNTS that need to be quarantined", + "policy": "Quarantine-New-Object.json" + }, + { + "name": "Guardrails-Part-0-Core", + "description": "ASEA Guardrails Part 0 Core Accounts", + "policy": "ASEA-Guardrails-Part0-CoreOUs.json" + } + ], + "cloudwatch": { + "metrics": [ + { + "filter-name": "SecurityGroupChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "SecurityGroupEventCount", + "metric-value": "1" + }, + { + "filter-name": "NetworkAclChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation)}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "NetworkAclEventCount", + "metric-value": "1" + }, + { + "filter-name": "GatewayChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = 
CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway)}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "GatewayEventCount", + "metric-value": "1" + }, + { + "filter-name": "VpcChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "VpcEventCount", + "metric-value": "1" + }, + { + "filter-name": "Ec2InstanceChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = RunInstances) || ($.eventName = RebootInstances)|| ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName= TerminateInstances) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "EC2InstanceEventCount", + "metric-value": "1" + }, + { + "filter-name": "Ec2LargeInstanceChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ (($.eventName = RunInstances) || ($.eventName = RebootInstances)|| ($.eventName = StartInstances) || ($.eventName = StopInstances) || ($.eventName= TerminateInstances)) && (($.requestParameters.instanceType= *.32xlarge) || ($.requestParameters.instanceType= *.24xlarge) || ($.requestParameters.instanceType= *.18xlarge) || 
($.requestParameters.instanceType= *.16xlarge) || ($.requestParameters.instanceType= *.12xlarge) || ($.requestParameters.instanceType= *.10xlarge) || ($.requestParameters.instanceType= *.9xlarge) || ($.requestParameters.instanceType= *.8xlarge) || ($.requestParameters.instanceType = *.4xlarge)) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "EC2LargeInstanceEventCount", + "metric-value": "1" + }, + { + "filter-name": "CloudTrailChangeMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail)|| ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName= StopLogging) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "CloudTrailEventCount", + "metric-value": "1" + }, + { + "filter-name": "ConsoleSignInFailureMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "ConsoleSignInFailureCount", + "metric-value": "1" + }, + { + "filter-name": "AuthorizationFailureMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ (($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode =\"AccessDenied*\") && ($.userIdentity.principalId != \"*AWSConfig-BucketConfigCheck\")) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "AuthorizationFailureCount", + "metric-value": "1" + }, + { + "filter-name": "IamPolicyChangesMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": 
"{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "IAMPolicyEventCount", + "metric-value": "1" + }, + { + "filter-name": "ConsoleSignInWithoutMfaMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\") && ($.userIdentity.type != \"AssumedRole\")}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "ConsoleSignInWithoutMfaCount", + "metric-value": "1" + }, + { + "filter-name": "RootLoginMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "RootLoginEventCount", + "metric-value": "1" + }, + { + "filter-name": "DisableOrDeleteCMKMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventSource=kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion))}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "DisableOrDeleteCMKCount", + "metric-value": "1" + }, + { + "filter-name": "AWSConfigChangesMetric", + "accounts": [ + "management" + ], + 
"regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventSource=config.amazonaws.com) && (($.eventName=StopConfigurationRecorder) || ($.eventName=DeleteDeliveryChannel) || ($.eventName=PutDeliveryChannel) || ($.eventName=PutConfigurationRecorder))}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "AWSConfigChangesCount", + "metric-value": "1" + }, + { + "filter-name": "RouteTableChangesMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventName=CreateRoute) || ($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || ($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || ($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "RouteTableChangesCount", + "metric-value": "1" + }, + { + "filter-name": "S3BucketPolicyChangesMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventSource=s3.amazonaws.com) && (($.eventName=PutBucketAcl) || ($.eventName=PutBucketPolicy) || ($.eventName=PutBucketCors) || ($.eventName=PutBucketLifecycle) || ($.eventName=PutBucketReplication) || ($.eventName=DeleteBucketPolicy) || ($.eventName=DeleteBucketCors) || ($.eventName=DeleteBucketLifecycle) || ($.eventName=DeleteBucketReplication))}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "S3BucketPolicyChangesCount", + "metric-value": "1" + }, + { + "filter-name": "SSOAuthUnapprovedIPMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != ${ALARM-NOT-IP}) }", + 
"metric-namespace": "CloudTrailMetrics", + "metric-name": "SSOAuthUnapprovedIPCount", + "metric-value": "1" + }, + { + "filter-name": "IAMAuthUnapprovedIPMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != ${ALARM-NOT-IP}) }", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "IAMAuthUnapprovedIPCount", + "metric-value": "1" + }, + { + "filter-name": "UnencryptedFilesystemCreatedMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{ ($.eventName = CreateFileSystem) && ($.responseElements.encrypted IS FALSE) } ", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "UnencryptedFilesystemCreatedCount", + "metric-value": "1" + }, + { + "filter-name": "IgnoreAuthorizationFailureMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.errorCode=\"*UnauthorizedOperation\") || ($.errorCode=\"AccessDenied*\")}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "IgnoreAuthorizationFailureCount", + "metric-value": "1" + }, + { + "filter-name": "IgnoreConsoleSignInWithoutMfaMetric", + "accounts": [ + "management" + ], + "regions": [ + "${HOME_REGION}" + ], + "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail", + "filter-pattern": "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed !=\"Yes\")}", + "metric-namespace": "CloudTrailMetrics", + "metric-name": "IgnoreConsoleSignInWithoutMfaCount", + "metric-value": "1" + } + ], + "alarms": { + "default-accounts": [ + "management" + ], + "default-regions": [ + "${HOME_REGION}" + ], + "default-namespace": "CloudTrailMetrics", + "default-statistic": "Sum", + "default-period": 
300, + "default-threshold-type": "Static", + "default-comparison-operator": "GreaterThanOrEqualToThreshold", + "default-threshold": 1, + "default-evaluation-periods": 1, + "default-treat-missing-data": "notBreaching", + "default-in-org-mgmt-use-lcl-sns": true, + "definitions": [ + { + "alarm-name": "AWS-Security-Group-Changed", + "metric-name": "SecurityGroupEventCount", + "sns-alert-level": "Low", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a Security Group (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Network-ACL-Changed", + "metric-name": "NetworkAclEventCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a Network ACL (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Gateway-Changed", + "metric-name": "GatewayEventCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a Customer or Internet Gateway (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-VPC-Changed", + "metric-name": "VpcEventCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a VPC, VPC peering connection or VPC connection to classic (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-EC2-Instances-Changed", + "metric-name": "EC2InstanceEventCount", + "sns-alert-level": "Low", + "alarm-description": "Alarms when one or more API calls are made to create, terminate, start, stop or reboot any EC2 instance (in any account, any region of your AWS Organization)." 
+ }, + { + "alarm-name": "AWS-EC2-Large-Instance-Changed", + "metric-name": "EC2LargeInstanceEventCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, terminate, start, stop or reboot a 4x, 8x, 9x, 10x, 12x, 16x, 18x, 24x, 32x-large EC2 instance (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-CloudTrail-Changed", + "metric-name": "CloudTrailEventCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a CloudTrail trail, or to start or stop logging to a trail (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Console-SignIn-Failure", + "metric-name": "ConsoleSignInFailureCount", + "sns-alert-level": "High", + "threshold": 3, + "alarm-description": "Alarms when one or more unauthenticated API calls are made to sign into the console (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Authorization-Failure", + "metric-name": "AuthorizationFailureCount", + "sns-alert-level": "Low", + "alarm-description": "Alarms when one or more unauthorized API calls are made (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-IAM-Policy-Changed", + "metric-name": "IAMPolicyEventCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to change an IAM policy (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Console-SignIn-Without-MFA", + "metric-name": "ConsoleSignInWithoutMfaCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when MFA is NOT used to sign into the console with IAM (in any account, any region of your AWS Organization)." 
+ }, + { + "alarm-name": "AWS-Root-Login", + "metric-name": "RootLoginEventCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when the root user successfully logs in one or more times (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Disable-Or-Delete-KMS-CMK", + "metric-name": "DisableOrDeleteCMKCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when one or more Key Management Service Customer Managed Keys are disabled or scheduled for deletion (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Config-Changed", + "metric-name": "AWSConfigChangesCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when one or more modifications are made to AWS Config Settings (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-Route-Table-Changed", + "metric-name": "RouteTableChangesCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete a Route table (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-S3-Bucket-Policy-Changed", + "metric-name": "S3BucketPolicyChangesCount", + "sns-alert-level": "Medium", + "alarm-description": "Alarms when one or more API calls are made to create, update or delete an S3 Bucket policy (in any account, any region of your AWS Organization)." + }, + { + "alarm-name": "AWS-SSO-Authentication-From-Unapproved-IP", + "metric-name": "SSOAuthUnapprovedIPCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when someone authenticates using AWS SSO from an unauthorized IP address range." + }, + { + "alarm-name": "AWS-IAM-Authentication-From-Unapproved-IP", + "metric-name": "IAMAuthUnapprovedIPCount", + "sns-alert-level": "High", + "alarm-description": "Alarms when someone authenticates using AWS IAM from an unauthorized IP address range." 
+ },
+ {
+ "alarm-name": "AWS-Unencrypted-Filesystem-Created",
+ "metric-name": "UnencryptedFilesystemCreatedCount",
+ "sns-alert-level": "High",
+ "alarm-description": "Alarms when one or more API calls are made to create an Unencrypted filesystem (i.e. EFS) (in any account, any region of your AWS Organization)."
+ },
+ {
+ "alarm-name": "IGNORE-AWS-Authorization-Failure",
+ "metric-name": "IgnoreAuthorizationFailureCount",
+ "sns-alert-level": "Ignore",
+ "alarm-description": "Alarms when one or more unauthorized API calls are made (in any account, any region of your AWS Organization)."
+ },
+ {
+ "alarm-name": "IGNORE-AWS-Console-SignIn-Without-MFA",
+ "metric-name": "IgnoreConsoleSignInWithoutMfaCount",
+ "sns-alert-level": "Ignore",
+ "alarm-description": "Alarms when MFA is NOT used to sign into the console with IAM (in any account, any region of your AWS Organization)."
+ }
+ ]
+ }
+ },
+ "ssm-automation": [
+ {
+ "accounts": [
+ "operations"
+ ],
+ "regions": [
+ "${HOME_REGION}",
+ "${ALT_REGION}"
+ ],
+ "documents": [
+ {
+ "name": "SSM-ELB-Enable-Logging",
+ "description": "Calls the AWS CLI to enable access logs on a specified ELB.",
+ "template": "ssm-elb-enable-logging.yaml"
+ },
+ {
+ "name": "Put-S3-Encryption",
+ "description": "Enables S3 encryption using KMS",
+ "template": "s3-encryption.yaml"
+ },
+ {
+ "name": "Attach-IAM-Instance-Profile",
+ "description": "Attaches instance profiles to an EC2 instance",
+ "template": "attach-iam-instance-profile.yaml"
+ },
+ {
+ "name": "Attach-IAM-Role-Policy",
+ "description": "Attachs Aws IAM Managed Policy to IAM Role.",
+ "template": "attach-iam-role-policy.yaml"
+ }
+ ]
+ }
+ ],
+ "aws-config": {
+ "defaults": {
+ "remediation": false,
+ "remediation-attempts": 5,
+ "remediation-retry-seconds": 60,
+ "remediation-concurrency": 10
+ },
+ "rules": [
+ {
+ "name": "EC2-INSTANCE-PROFILE",
+ "type": "custom",
+ "resource-types": [
+ "AWS::EC2::Instance"
+ ],
+ "runtime": "nodejs18.x",
+ "remediation-action": "Attach-IAM-Instance-Profile",
+ "remediation": true,
+ "remediation-params": {
+ "IamInstanceProfile": "EC2-Default-SSM-AD-Role-ip",
+ "InstanceId": "RESOURCE_ID"
+ }
+ },
+ {
+ "name": "EC2-INSTANCE-PROFILE-PERMISSIONS",
+ "type": "custom",
+ "resource-types": [
+ "AWS::IAM::Role"
+ ],
+ "runtime": "nodejs18.x",
+ "parameters": {
+ "AWSManagedPolicies": "AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess, CloudWatchAgentServerPolicy",
+ "CustomerManagedPolicies": "${SEA::EC2InstaceProfilePermissions}",
+ "ResourceId": "RESOURCE_ID"
+ },
+ "remediation": true,
+ "remediation-action": "Attach-IAM-Role-Policy",
+ "remediation-params": {
+ "AWSManagedPolicies": [
+ "AmazonSSMManagedInstanceCore",
+ "AmazonSSMDirectoryServiceAccess",
+ "CloudWatchAgentServerPolicy"
+ ],
+ "CustomerManagedPolicies": [
+ "${SEA::EC2InstaceProfilePermissions}"
+ ],
+ "ResourceId": "RESOURCE_ID"
+ }
+ },
+ {
+ "name": "ELB_LOGGING_ENABLED",
+ "remediation-action": "SSM-ELB-Enable-Logging",
+ "remediation": true,
+ "parameters": {
+ "s3BucketNames": "${SEA::LogArchiveAesBucket}"
+ },
+ "remediation-params": {
+ "LoadBalancerArn": "RESOURCE_ID",
+ "LogDestination": "${SEA::LogArchiveAesBucket}"
+ }
+ },
+ {
+ "name": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
+ "remediation-action": "Put-S3-Encryption",
+ "remediation": true,
+ "remediation-params": {
+ "BucketName": "RESOURCE_ID",
+ "KMSMasterKey": "${SEA::S3BucketEncryptionKey}"
+ }
+ },
+ {
+ "name": "ACM_CERTIFICATE_EXPIRATION_CHECK",
+ "parameters": {
+ "daysToExpiration": "90"
+ }
+ },
+ {
+ "name": "ALB_WAF_ENABLED"
+ },
+ {
+ "name": "API_GW_CACHE_ENABLED_AND_ENCRYPTED"
+ },
+ {
+ "name": "CLOUD_TRAIL_ENABLED"
+ },
+ {
+ "name": "CLOUDTRAIL_S3_DATAEVENTS_ENABLED"
+ },
+ {
+ "name": "CLOUDTRAIL_SECURITY_TRAIL_ENABLED"
+ },
+ {
+ "name": "CLOUDWATCH_ALARM_ACTION_CHECK",
+ "parameters": {
+ "alarmActionRequired": "TRUE",
+ "insufficientDataActionRequired": "TRUE",
+ "okActionRequired": "FALSE"
+ }
+ },
+ { + "name": "CW_LOGGROUP_RETENTION_PERIOD_CHECK" + }, + { + "name": "DB_INSTANCE_BACKUP_ENABLED" + }, + { + "name": "DYNAMODB_IN_BACKUP_PLAN" + }, + { + "name": "DYNAMODB_TABLE_ENCRYPTED_KMS" + }, + { + "name": "EBS_IN_BACKUP_PLAN" + }, + { + "name": "EC2_INSTANCE_DETAILED_MONITORING_ENABLED" + }, + { + "name": "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK" + }, + { + "name": "EC2_VOLUME_INUSE_CHECK", + "parameters": { + "deleteOnTermination": "TRUE" + } + }, + { + "name": "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK" + }, + { + "name": "ELB_ACM_CERTIFICATE_REQUIRED" + }, + { + "name": "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED" + }, + { + "name": "EMR_KERBEROS_ENABLED" + }, + { + "name": "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "parameters": { + "daysHighSev": "1", + "daysLowSev": "30", + "daysMediumSev": "7" + } + }, + { + "name": "IAM_GROUP_HAS_USERS_CHECK" + }, + { + "name": "IAM_PASSWORD_POLICY", + "parameters": { + "MaxPasswordAge": "90", + "MinimumPasswordLength": "14", + "PasswordReusePrevention": "24", + "RequireLowercaseCharacters": "true", + "RequireNumbers": "true", + "RequireSymbols": "true", + "RequireUppercaseCharacters": "true" + } + }, + { + "name": "IAM_USER_GROUP_MEMBERSHIP_CHECK" + }, + { + "name": "INCOMING_SSH_DISABLED" + }, + { + "name": "INSTANCES_IN_VPC" + }, + { + "name": "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY" + }, + { + "name": "RDS_IN_BACKUP_PLAN" + }, + { + "name": "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "parameters": { + "clusterDbEncrypted": "TRUE", + "loggingEnabled": "TRUE" + } + }, + { + "name": "RESTRICTED_INCOMING_TRAFFIC", + "parameters": { + "blockedPort1": "20", + "blockedPort2": "21", + "blockedPort3": "3389", + "blockedPort4": "3306", + "blockedPort5": "4333" + } + }, + { + "name": "S3_BUCKET_POLICY_GRANTEE_CHECK" + }, + { + "name": "S3_BUCKET_VERSIONING_ENABLED" + }, + { + "name": "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED" + }, + { + "name": "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED" + }, + { + 
"name": "SECURITYHUB_ENABLED" + }, + { + "name": "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS", + "parameters": { + "authorizedTcpPorts": "443", + "authorizedUdpPorts": "1020-1025" + } + }, + { + "name": "WAFV2_LOGGING_ENABLED" + } + ] + }, + "cidr-pools": [ + { + "cidr": "10.0.0.0/13", + "pool": "main", + "description": "The main address pool used to dynamically assign CIDR ranges.", + "region": "${HOME_REGION}" + }, + { + "cidr": "100.96.252.0/23", + "pool": "RFC6598a", + "description": "Address pool used to dynamically assign CIDR ranges for the Managed Active Directory subnets in the Ops account.", + "region": "${HOME_REGION}" + }, + { + "cidr": "100.96.250.0/23", + "pool": "RFC6598b", + "description": "Address pool used to dynamically assign CIDR ranges for the Perimeter VPC.", + "region": "${HOME_REGION}" + }, + { + "cidr": "100.96.254.0/23", + "pool": "RFC6598c", + "description": "Address pool used to dynamically assign CIDR ranges for the Perimeter VPC in alternate Region.", + "region": "${ALT_REGION}" + }, + { + "cidr": "10.249.1.0/24", + "pool": "ForSSO", + "description": "A non-routable pool of addresses used to dynamically assign CIDR ranges for the Active Directory Connector subnets in the Organization Management/root account.", + "region": "${HOME_REGION}" + }, + { + "cidr": "10.96.0.0/13", + "pool": "main-${ALT_REGION}", + "description": "Address pool used to dynamically assign CIDR ranges for alternate Region.", + "region": "${ALT_REGION}" + } + ] + }, + "mandatory-account-configs": { + "shared-network": { + "account-name": "SharedNetwork", + "email": "myemail+aseaT-network@example.com---------------------REPLACE------------", + "ou": "Infrastructure", + "share-mad-from": "operations", + "src-filename": "config.json", + "description": "This Account is used for centralized or shared networking resources.", + "budget": { + "name": "SharedNetwork Budget", + "period": "Monthly", + "amount": 2000, + "include": [ + "Upfront-reservation-fees", + 
"Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "limits": { + "Amazon VPC/Interface VPC endpoints per VPC": { + "value": 90, + "customer-confirm-inplace": false + }, + "Amazon VPC/VPCs per Region": { + "value": 15 + } + }, + "vpc": [ + { + "deploy": "local", + "name": "Endpoint", + "description": "This VPC is used to host AWS Service Endpoints, making AWS services available using private address space.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 22, + "pool": "main" + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": false, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "Endpoint", + "definitions": [ + { + "az": "a", + "route-table": "EndpointVPC_Common", + "cidr": { + "pool": "main", + "size": 24 + } + }, + { + "az": "b", + "route-table": "EndpointVPC_Common", + "cidr": { + "pool": "main", + "size": 24 + } + } + ] + } + ], + "gateway-endpoints": [], + "route-tables": [ + { + "name": "EndpointVPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" 
+ } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "core" + ], + "tgw-rt-propagate": [ + "core", + "shared", + "standalone", + "segregated", + "dev_segregated", + "test_segregated", + "prod_segregated", + "unclass_segregated" + ], + "blackhole-route": false, + "attach-subnets": [ + "Endpoint" + ], + "options": [ + "DNS-support" + ] + }, + "interface-endpoints": { + "subnet": "Endpoint", + "endpoints": [ + "ec2", + "ec2messages", + "ssm", + "ssmmessages", + "secretsmanager", + "cloudformation", + "kms", + "logs", + "monitoring" + ] + }, + "resolvers": { + "subnet": "Endpoint", + "outbound": true, + "inbound": true + }, + "on-premise-rules": [ + { + "zone": "on-premise-privatedomain1.example.ca", + "outbound-ips": [ + "10.254.254.1", + "10.254.253.1" + ] + }, + { + "zone": "on-premise-privatedomain2.example.ca", + "outbound-ips": [ + "10.254.254.1", + "10.254.253.1" + ] + } + ], + "zones": { + "public": [ + "cloud-hosted-publicdomain.example.ca" + ], + "private": [ + "cloud-hosted-privatedomain.example.ca" + ] + }, + "central-endpoint": true + }, + { + "deploy": "local", + "name": "Endpoint-${ALT_REGION}", + "description": "This VPC is used to host AWS Service Endpoints for ${ALT_REGION}, making AWS services available using private address space.", + "cidr-src": "dynamic", + "cidr": [ + { + "pool": "main-${ALT_REGION}", + "size": 22 + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": false, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "Endpoint", + "definitions": [ + { + "az": "a", + "route-table": "Endpoint-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 24 + } + }, + { + "az": "b", + "route-table": "Endpoint-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 24 + } + } + ] + } + ], + "gateway-endpoints": [], + "route-tables": [ + { + "name": 
"Endpoint-${ALT_REGION}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "core" + ], + "tgw-rt-propagate": [ + "core", + "shared", + "standalone", + "segregated", + "dev_segregated", + "test_segregated", + "prod_segregated", + "unclass_segregated" + ], + "blackhole-route": false, + "attach-subnets": [ + "Endpoint" + ], + "options": [ + "DNS-support" + ] + }, + "interface-endpoints": { + "subnet": "Endpoint", + "endpoints": [ + "ec2", + "ec2messages", + "ssm", + "ssmmessages", + "secretsmanager", + "cloudformation", + "kms", + "logs", + "monitoring" + ] + }, + "resolvers": { + "subnet": "Endpoint", + "outbound": true, + "inbound": true + }, + "on-premise-rules": [ + { + "zone": "on-premise-privatedomain1.example.ca", + "outbound-ips": [ + "10.254.254.1", + "10.254.253.1" + ] + }, + { + "zone": "on-premise-privatedomain2.example.ca", + "outbound-ips": [ + "10.254.254.1", + "10.254.253.1" + ] + } + ], + "zones": { + "public": [ + "cloud-hosted-publicUSdomain.example.ca" + ], + "private": [ + "cloud-hosted-privateUSdomain.example.ca" + ] + }, + "central-endpoint": true + } + ], + "deployments": { + "tgw": [ + { + "name": "Main", + "asn": 65521, + "region": "${HOME_REGION}", + "features": { + "DNS-support": true, + "VPN-ECMP-support": true, + "Default-route-table-association": false, + "Default-route-table-propagation": false, + "Auto-accept-sharing-attachments": true + }, + "route-tables": [ + "core", + "shared", + "standalone", + "segregated", + "dev_segregated", + "test_segregated", + "prod_segregated", + "unclass_segregated" + ], + "tgw-routes": [ + { + "name": "core", + "routes": [ + { + "destination": "10.96.0.0/13", + "target-tgw": "Main-${ALT_REGION}" + } + ] + }, + { + "name": "shared", + "routes": [ + { + "destination": "10.96.0.0/13", + "target-tgw": 
"Main-${ALT_REGION}" + } + ] + }, + { + "name": "dev_segregated", + "routes": [ + { + "destination": "10.3.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.4.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.5.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.96.0.0/22", + "target-tgw": "Main-${ALT_REGION}" + }, + { + "destination": "10.97.0.0/16", + "target-tgw": "Main-${ALT_REGION}" + }, + { + "destination": "10.98.0.0/16", + "target-tgw": "Main-${ALT_REGION}" + }, + { + "destination": "10.99.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.100.0.0/16", + "blackhole-route": true + } + ] + }, + { + "name": "test_segregated", + "routes": [ + { + "destination": "10.2.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.4.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.5.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.96.0.0/22", + "target-tgw": "Main-${ALT_REGION}" + }, + { + "destination": "10.97.0.0/16", + "target-tgw": "Main-${ALT_REGION}" + }, + { + "destination": "10.98.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.99.0.0/16", + "target-tgw": "Main-${ALT_REGION}" + }, + { + "destination": "10.100.0.0/16", + "blackhole-route": true + } + ] + }, + { + "name": "prod_segregated", + "routes": [ + { + "destination": "10.2.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.3.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.5.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.96.0.0/22", + "target-tgw": "Main-${ALT_REGION}" + }, + { + "destination": "10.97.0.0/16", + "target-tgw": "Main-${ALT_REGION}" + }, + { + "destination": "10.98.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.99.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.100.0.0/16", + "target-tgw": "Main-${ALT_REGION}" + } + ] + } + ] + }, + { + "name": "Main-${ALT_REGION}", + "asn": 64526, + "region": 
"${ALT_REGION}", + "features": { + "DNS-support": true, + "VPN-ECMP-support": true, + "Default-route-table-association": false, + "Default-route-table-propagation": false, + "Auto-accept-sharing-attachments": true + }, + "route-tables": [ + "core", + "shared", + "standalone", + "segregated", + "dev_segregated", + "test_segregated", + "prod_segregated", + "unclass_segregated" + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "region": "${HOME_REGION}", + "tgw-rt-associate-local": ["core"], + "tgw-rt-associate-remote": ["core"] + }, + "tgw-routes": [ + { + "name": "core", + "routes": [ + { + "destination": "10.0.0.0/13", + "target-tgw": "Main" + } + ] + }, + { + "name": "shared", + "routes": [ + { + "destination": "10.0.0.0/13", + "target-tgw": "Main" + } + ] + }, + { + "name": "dev_segregated", + "routes": [ + { + "destination": "10.0.0.0/22", + "target-tgw": "Main" + }, + { + "destination": "10.1.0.0/16", + "target-tgw": "Main" + }, + { + "destination": "10.2.0.0/16", + "target-tgw": "Main" + }, + { + "destination": "10.3.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.4.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.5.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.99.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.100.0.0/16", + "blackhole-route": true + } + ] + }, + { + "name": "test_segregated", + "routes": [ + { + "destination": "10.0.0.0/22", + "target-tgw": "Main" + }, + { + "destination": "10.1.0.0/16", + "target-tgw": "Main" + }, + { + "destination": "10.2.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.3.0.0/16", + "target-tgw": "Main" + }, + { + "destination": "10.4.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.5.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.98.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.100.0.0/16", + "blackhole-route": true + } + ] + }, + { + "name": 
"prod_segregated", + "routes": [ + { + "destination": "10.0.0.0/22", + "target-tgw": "Main" + }, + { + "destination": "10.1.0.0/16", + "target-tgw": "Main" + }, + { + "destination": "10.2.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.3.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.4.0.0/16", + "target-tgw": "Main" + }, + { + "destination": "10.5.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.98.0.0/16", + "blackhole-route": true + }, + { + "destination": "10.99.0.0/16", + "blackhole-route": true + } + ] + } + ] + } + ] + } + }, + "operations": { + "account-name": "Operations", + "email": "myemail+aseaT-operations@example.com---------------------REPLACE------------", + "ou": "Infrastructure", + "account-warming-required": true, + "limits": {}, + "src-filename": "config.json", + "description": "This Account is used for centralized IT Operational resources (MAD, rsyslog, ITSM, etc.).", + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + }, + { + "policy-name": "${ACCELERATOR_PREFIX_ND}-RDGW-Custom-Policy", + "policy": "rdgw-custom-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + }, + { + "role": "${ACCELERATOR_PREFIX_ND}-RDGW-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy", + "${ACCELERATOR_PREFIX_ND}-RDGW-Custom-Policy" + ], + "boundary-policy": "Default-Boundary-Policy" + }, + { + "role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + 
"CloudWatchAgentServerPolicy", + "AmazonS3ReadOnlyAccess" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "deployments": { + "mad": { + "dir-id": 1001, + "description": "This directory is a) shared to most accounts in the organization to provide centralized Windows and Linux authentication for cloud workloads, b) used as an identity source for AWS SSO, c) used to inter-connect with on-premises directory services, and d) provides a single identities source for instance and AWS console access.", + "deploy": true, + "vpc-name": "Central", + "region": "${HOME_REGION}", + "subnet": "App2", + "azs": [ + "a", + "b" + ], + "size": "Enterprise", + "dns-domain": "example.local", + "netbios-domain": "example", + "central-resolver-rule-account": "shared-network", + "central-resolver-rule-vpc": "Endpoint", + "log-group-name": "/${ACCELERATOR_PREFIX_ND}/MAD/example.local", + "restrict_srcips": "${RANGE-RESTRICT}", + "num-rdgw-hosts": 1, + "min-rdgw-hosts": 1, + "max-rdgw-hosts": 2, + "rdgw-max-instance-age": 7, + "rdgw-instance-type": "t3.large", + "image-path": "/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base", + "rdgw-instance-role": "${ACCELERATOR_PREFIX_ND}-RDGW-Role", + "rdgw-enforce-imdsv2": true, + "password-policies": { + "history": 24, + "max-age": 90, + "min-age": 1, + "min-len": 14, + "complexity": true, + "reversible": false, + "failed-attempts": 6, + "lockout-duration": 30, + "lockout-attempts-reset": 30 + }, + "ad-groups": [ + "aws-Provisioning", + "aws-Billing" + ], + "ad-per-account-groups": [ + "*-Admin", + "*-PowerUser", + "*-View" + ], + "adc-group": "ADConnector-grp", + "ad-users": [ + { + "user": "adconnector-usr", + "email": "myemail+aseaT-adc-usr@example.com", + "groups": [ + "ADConnector-grp" + ] + }, + { + "user": "User1", + "email": "myemail+aseaT-User1@example.com", + "groups": [ + "aws-Provisioning", + "*-View", + "*-Admin", + "*-PowerUser", + "AWS Delegated Administrators" + ] + }, + { + "user": "User2", + 
"email": "myemail+aseaT-User2@example.com", + "groups": [ + "*-View" + ] + } + ], + "security-groups": [ + { + "name": "RemoteDesktopGatewaySG", + "inbound-rules": [ + { + "description": "Allow RDP Traffic Inbound", + "type": [ + "RDP" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ] + }, + "rsyslog": { + "deploy": true, + "vpc-name": "Central", + "region": "${HOME_REGION}", + "log-group-name": "rsyslog/var/log/messages", + "security-groups": [ + { + "name": "rsyslog", + "inbound-rules": [ + { + "description": "Allow Traffic Inbound", + "tcp-ports": [ + 514 + ], + "udp-ports": [ + 514 + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "app-subnets": [ + { + "name": "App", + "az": "a" + }, + { + "name": "App", + "az": "b" + } + ], + "web-subnets": [ + { + "name": "Web", + "az": "a" + }, + { + "name": "Web", + "az": "b" + } + ], + "min-rsyslog-hosts": 1, + "desired-rsyslog-hosts": 2, + "max-rsyslog-hosts": 2, + "ssm-image-id": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2", + "rsyslog-instance-type": "t3.large", + "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role", + "rsyslog-enforce-imdsv2": true, + "rsyslog-root-volume-size": 100, + "rsyslog-max-instance-age": 7 + } + } + }, + "perimeter": { + "account-name": "Perimeter", + "email": "myemail+aseaT-perimeter@example.com---------------------REPLACE------------", + "ou": "Infrastructure", + "account-warming-required": true, + "src-filename": "config.json", + "description": "This Account is used for internet facing ingress/egress security services.", + "populate-all-elbs-in-param-store": true, + "limits": { + "Amazon EC2/Number of EIPs": { + "value": 5, + "customer-confirm-inplace": false + } + }, + "budget": { + "name": "Perimeter 
Budget", + "period": "Monthly", + "amount": 2000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "certificates": [ + { + "name": "PerimSelf-SignedCert", + "type": "import", + "priv-key": "certs/example1-cert.key", + "cert": "certs/example1-cert.crt" + } + ], + "alb": [ + { + "name": "Public-Prod", + "scheme": "internet-facing", + "action-type": "forward", + "ip-type": "ipv4", + "listeners": "HTTPS", + "ports": 443, + "vpc": "Perimeter", + "subnets": "Public", + "cert-name": "PerimSelf-SignedCert", + "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08", + "security-group": "Public-Prod-ALB", + "tg-stickiness": "1 hour", + "target-alarms-notify": "AWS-Landing-Zone-Security-Notification", + "target-alarms-when": "Minimum", + "target-alarms-of": "Healthy Hosts", + "target-alarms-is": "<", + "target-alarms-Count": "2", + "target-alarms-for": "5", + "target-alarms-periods-of": "1", + "access-logs": true, + "targets": [ + { + "target-name": "Firewalls", + "target-type": "instance", + "protocol": "HTTPS", + "port": 7001, + "health-check-protocol": "HTTPS", + "health-check-path": "/health-check", + "health-check-port": 7001, + "target-instances": [ + { + "target": "firewall", + "name": "Firewall", + "az": "a" + }, + { + "target": "firewall", + "name": "Firewall", + "az": "b" + } + ], + "tg-weight": 1 + } + ] + }, + { + "name": "Public-DevTest", + "scheme": "internet-facing", + "action-type": "forward", + 
"ip-type": "ipv4", + "listeners": "HTTPS", + "ports": 443, + "vpc": "Perimeter", + "subnets": "Public", + "cert-name": "PerimSelf-SignedCert", + "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08", + "security-group": "Public-DevTest-ALB", + "tg-stickiness": "1 hour", + "target-alarms-notify": "AWS-Landing-Zone-Security-Notification", + "target-alarms-when": "Minimum", + "target-alarms-of": "Healthy Hosts", + "target-alarms-is": "<", + "target-alarms-Count": "2", + "target-alarms-for": "5", + "target-alarms-periods-of": "1", + "access-logs": true, + "targets": [ + { + "target-name": "Firewalls", + "target-type": "instance", + "protocol": "HTTPS", + "port": 7002, + "health-check-protocol": "HTTPS", + "health-check-path": "/health-check", + "health-check-port": 7001, + "target-instances": [ + { + "target": "firewall", + "name": "Firewall", + "az": "a" + }, + { + "target": "firewall", + "name": "Firewall", + "az": "b" + } + ], + "tg-weight": 1 + } + ] + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + }, + { + "policy-name": "Firewall-Policy", + "policy": "firewall-fg-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + }, + { + "role": "Firewall-Role", + "type": "ec2", + "policies": [ + "Firewall-Policy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "vpc": [ + { + "deploy": "local", + "name": "Perimeter", + "description": "This VPC is used to hold centralized ingress/egress (perimeter) security services.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 22, + "pool": "main" + }, + { + "pool": "RFC6598b", + "size": 23 + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": false, + "flow-logs": 
"BOTH", + "dns-resolver-logging": true, + "igw": true, + "alb-forwarding": true, + "vgw": { + "asn": 65522 + }, + "subnets": [ + { + "name": "Public", + "definitions": [ + { + "az": "a", + "route-table": "Public_Shared", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + }, + { + "az": "b", + "route-table": "Public_Shared", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + } + ] + }, + { + "name": "FWMgmt", + "definitions": [ + { + "az": "a", + "route-table": "FWMgmt_azA", + "cidr": { + "pool": "RFC6598b", + "size": 27 + } + }, + { + "az": "b", + "route-table": "FWMgmt_azB", + "cidr": { + "pool": "RFC6598b", + "size": 27 + } + } + ] + }, + { + "name": "Proxy", + "definitions": [ + { + "az": "a", + "route-table": "Proxy_azA", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + }, + { + "az": "b", + "route-table": "Proxy_azB", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + } + ] + }, + { + "name": "OnPremise", + "definitions": [ + { + "az": "a", + "route-table": "OnPremise_Shared", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + }, + { + "az": "b", + "route-table": "OnPremise_Shared", + "cidr": { + "pool": "RFC6598b", + "size": 26 + } + } + ] + }, + { + "name": "Detonation", + "definitions": [ + { + "az": "a", + "route-table": "Detonation_Shared", + "cidr": { + "pool": "main", + "size": 24 + } + }, + { + "az": "b", + "route-table": "Detonation_Shared", + "cidr": { + "pool": "main", + "size": 24 + } + } + ] + } + ], + "gateway-endpoints": [ + "s3" + ], + "route-tables": [ + { + "name": "OnPremise_Shared" + }, + { + "name": "Public_Shared", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "IGW" + } + ] + }, + { + "name": "FWMgmt_azA", + "routes": [ + { + "destination": "10.0.0.0/8", + "target": "VGW" + }, + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "a", + "port": "OnPremise" + }, + { + "destination": "s3", + "target": "s3" + } + ] + }, + { + "name": "FWMgmt_azB", + "routes": [ + { + "destination": 
"10.0.0.0/8", + "target": "VGW" + }, + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "b", + "port": "OnPremise" + }, + { + "destination": "s3", + "target": "s3" + } + ] + }, + { + "name": "Proxy_azA", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "a", + "port": "Proxy" + } + ] + }, + { + "name": "Proxy_azB", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "b", + "port": "Proxy" + } + ] + }, + { + "name": "Detonation_Shared" + } + ], + "security-groups": [ + { + "name": "Public-Prod-ALB", + "inbound-rules": [ + { + "description": "TLS Traffic Inbound", + "type": [ + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Public-DevTest-ALB", + "inbound-rules": [ + { + "description": "TLS Traffic Inbound", + "type": [ + "HTTPS" + ], + "source": "${RANGE-DEV-TEST}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "FirewallMgr", + "inbound-rules": [ + { + "description": "Allow Mgmt Traffic Inbound", + "tcp-ports": [ + 22, + 443, + 514, + 541, + 2032, + 3000, + 5199, + 6020, + 6028, + 8080 + ], + "udp-ports": [ + 9443 + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Firewalls", + "inbound-rules": [ + { + "description": "All Allowed Inbound Traffic", + "tcp-ports": [ + 443, + 8080 + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Mgmt Traffic, Customer Outbound traffic and ALBs", + "type": [ + "ALL" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + 
"source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "interface-endpoints": { + "subnet": "Proxy", + "endpoints": [ + "ssm", + "ssmmessages", + "ec2messages", + "kms", + "logs", + "monitoring" + ] + } + }, + { + "deploy": "local", + "name": "Perimeter-${ALT_REGION}", + "description": "This VPC is used to hold centralized ingress/egress (perimeter) security services.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 22, + "pool": "main-${ALT_REGION}" + }, + { + "pool": "RFC6598c", + "size": 23 + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": false, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "igw": true, + "alb-forwarding": true, + "subnets": [ + { + "name": "Public", + "definitions": [ + { + "az": "a", + "route-table": "Public_Shared", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + }, + { + "az": "b", + "route-table": "Public_Shared", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + } + ] + }, + { + "name": "FWMgmt", + "definitions": [ + { + "az": "a", + "route-table": "FWMgmt_azA", + "cidr": { + "pool": "RFC6598c", + "size": 27 + } + }, + { + "az": "b", + "route-table": "FWMgmt_azB", + "cidr": { + "pool": "RFC6598c", + "size": 27 + } + } + ] + }, + { + "name": "Proxy", + "definitions": [ + { + "az": "a", + "route-table": "Proxy_azA", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + }, + { + "az": "b", + "route-table": "Proxy_azB", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + } + ] + }, + { + "name": "OnPremise", + "definitions": [ + { + "az": "a", + "route-table": "OnPremise_Shared", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + }, + { + "az": "b", + "route-table": "OnPremise_Shared", + "cidr": { + "pool": "RFC6598c", + "size": 26 + } + } + ] + }, + { + "name": "Detonation", + "definitions": [ + { + "az": "a", + "route-table": "Detonation_Shared", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 24 + } + }, + { + "az": "b", + "route-table": "Detonation_Shared", + "cidr": { + "pool": 
"main-${ALT_REGION}", + "size": 24 + } + } + ] + } + ], + "gateway-endpoints": [ + "s3" + ], + "route-tables": [ + { + "name": "OnPremise_Shared" + }, + { + "name": "Public_Shared", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "IGW" + } + ] + }, + { + "name": "FWMgmt_azA", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "a", + "port": "OnPremise" + }, + { + "destination": "s3", + "target": "s3" + } + ] + }, + { + "name": "FWMgmt_azB", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "b", + "port": "OnPremise" + }, + { + "destination": "s3", + "target": "s3" + } + ] + }, + { + "name": "Proxy_azA", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "a", + "port": "Proxy" + } + ] + }, + { + "name": "Proxy_azB", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "firewall", + "name": "Firewall", + "az": "b", + "port": "Proxy" + } + ] + }, + { + "name": "Detonation_Shared" + } + ], + "security-groups": [ + { + "name": "Public-Prod-ALB", + "inbound-rules": [ + { + "description": "TLS Traffic Inbound", + "type": [ + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Public-DevTest-ALB", + "inbound-rules": [ + { + "description": "TLS Traffic Inbound", + "type": [ + "HTTPS" + ], + "source": "${RANGE-DEV-TEST}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "FirewallMgr", + "inbound-rules": [ + { + "description": "Allow Mgmt Traffic Inbound", + "tcp-ports": [ + 22, + 443, + 514, + 541, + 2032, + 3000, + 5199, + 6020, + 6028, + 8080 + ], + "udp-ports": [ + 9443 + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": 
"All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Firewalls", + "inbound-rules": [ + { + "description": "All Allowed Inbound Traffic", + "tcp-ports": [ + 443, + 8080 + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Mgmt Traffic, Customer Outbound traffic and ALBs", + "type": [ + "ALL" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "interface-endpoints": { + "subnet": "Proxy", + "endpoints": [ + "ssm", + "ssmmessages", + "ec2messages", + "kms", + "logs", + "monitoring" + ] + } + } + ], + "deployments": { + "firewalls": [ + { + "name": "Firewall", + "deploy": true, + "image-id": "ami-02b5eb49ec4cae519", + "instance-sizes": "c5n.2xlarge", + "region": "${HOME_REGION}", + "security-group": "Firewalls", + "fw-instance-role": "Firewall-Role", + "vpc": "Perimeter", + "ports": [ + { + "name": "Public", + "subnet": "Public", + "create-eip": true, + "create-cgw": true + }, + { + "name": "OnPremise", + "subnet": "OnPremise", + "create-eip": false, + "create-cgw": false + }, + { + "name": "FWMgmt", + "subnet": "FWMgmt", + "create-eip": false, + "create-cgw": false + }, + { + "name": "Proxy", + "subnet": "Proxy", + "create-eip": false, + "create-cgw": false + } + ], + "license": [ + "firewall/license1.lic", + "firewall/license2.lic" + ], + "config": "firewall/firewall-example.txt", + "block-device-mappings": [ + "/dev/sda1", + "/dev/sdb" + ], + "fw-cgw-name": "Perimeter_fw", + "fw-cgw-asn": 65523, + "fw-cgw-routing": "Dynamic", + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "name": "TGW-to-Perimeter", + "associate-type": "VPN", + "tgw-rt-associate": [ + "core" + ], + "tgw-rt-propagate": [ + "core", + "shared", + "standalone", + "segregated", + "dev_segregated", + "test_segregated", + "prod_segregated", + "unclass_segregated" + ], + 
"blackhole-route": false, + "attach-subnets": [], + "options": [ + "DNS-support" + ] + } + }, + { + "name": "Firewall-${ALT_REGION}", + "deploy": true, + "image-id": "ami-02b5eb49ec4cae519", + "instance-sizes": "c6i.xlarge", + "region": "${ALT_REGION}", + "security-group": "Firewalls", + "fw-instance-role": "Firewall-Role", + "vpc": "Perimeter-${ALT_REGION}", + "ports": [ + { + "name": "Public", + "subnet": "Public", + "create-eip": true, + "create-cgw": true + }, + { + "name": "OnPremise", + "subnet": "OnPremise", + "create-eip": false, + "create-cgw": false + }, + { + "name": "FWMgmt", + "subnet": "FWMgmt", + "create-eip": false, + "create-cgw": false + }, + { + "name": "Proxy", + "subnet": "Proxy", + "create-eip": false, + "create-cgw": false + } + ], + "license": [ + "firewall/license3.lic", + "firewall/license4.lic" + ], + "config": "firewall/firewall-example-${ALT_REGION}.txt", + "block-device-mappings": [ + "/dev/sda1", + "/dev/sdb" + ], + "fw-cgw-name": "Perimeter_fw", + "fw-cgw-asn": 65523, + "fw-cgw-routing": "Dynamic", + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "name": "TGW-to-Perimeter", + "associate-type": "VPN", + "tgw-rt-associate": [ + "core" + ], + "tgw-rt-propagate": [ + "core", + "shared", + "standalone", + "segregated", + "dev_segregated", + "test_segregated", + "prod_segregated", + "unclass_segregated" + ], + "blackhole-route": false, + "attach-subnets": [], + "options": [ + "DNS-support" + ] + } + }, + { + "type": "CGW", + "deploy": false, + "name": "OnPremFirewall-Example", + "region": "${HOME_REGION}", + "fw-cgw-name": "OnPremise_fw", + "fw-ips": [ + "99.80.205.24" + ], + "fw-cgw-asn": 65530, + "fw-cgw-routing": "Dynamic", + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "name": "TGW-to-Perimeter", + "associate-type": "VPN", + "tgw-rt-associate": [ + "core" + ], + "tgw-rt-propagate": [ + "core", + "shared", + "standalone", + "segregated", + "dev_segregated", 
+ "test_segregated", + "prod_segregated", + "unclass_segregated" + ], + "blackhole-route": false, + "attach-subnets": [], + "options": [ + "DNS-support" + ] + } + } + ], + "xxfirewall-manager": { + "name": "FirewallMgr", + "image-id": "ami-080f1f0299ba8924f", + "instance-sizes": "c5.xlarge", + "block-device-mappings": [ + "/dev/sda1", + "/dev/sdb" + ], + "region": "${HOME_REGION}", + "vpc": "Perimeter", + "security-group": "FirewallMgr", + "subnet": { + "name": "FWMgmt", + "az": "a" + }, + "create-eip": true + } + } + }, + "management": { + "account-name": "ASEA-Main---------------------REPLACE------------", + "email": "myemail+aseaT-management@example.com---------------------REPLACE------------", + "ou": "Security", + "src-filename": "config.json", + "description": "This is the Organization Management or root account. Access must be highly restricted. This account should not contain customer resources.", + "gui-perm": true, + "budget": { + "name": "Organization Budget", + "period": "Monthly", + "amount": 10000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "s3-retention": 180, + "limits": {}, + "iam": { + "users": [ + { + "user-ids": [ + "bgUser1", + "bgUser2" + ], + "group": "BreakGlassAdmins", + "policies": [ + "AdministratorAccess" + ], + "boundary-policy": "Default-Boundary-Policy" + }, + { + "user-ids": [ + "OpsUser1", + "OpsUser2" + ], + "group": "OpsAdmins", + "policies": [ + 
"AdministratorAccess" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [] + }, + "vpc": [ + { + "deploy": "local", + "name": "ForSSO", + "description": "This VPC is deployed in the Organization Management/root account to enable the deployment of the Active Directory Connector, enabling the use of Active Directory as the Identity source for AWS SSO.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 24, + "pool": "ForSSO" + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": false, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "ForSSO", + "definitions": [ + { + "az": "a", + "route-table": "ForSSO_Shared", + "cidr": { + "pool": "ForSSO", + "size": 27 + } + }, + { + "az": "b", + "route-table": "ForSSO_Shared", + "cidr": { + "pool": "ForSSO", + "size": 27 + } + }, + { + "az": "d", + "route-table": "ForSSO_Shared", + "cidr": { + "pool": "ForSSO", + "size": 27 + } + } + ] + } + ], + "gateway-endpoints": [], + "route-tables": [ + { + "name": "ForSSO_Shared", + "routes": [ + { + "destination": { + "account": "shared-network", + "vpc": "Central", + "subnet": "App2" + }, + "target": "pcx" + } + ] + } + ] + } + ], + "deployments": { + "adc": { + "deploy": true, + "vpc-name": "ForSSO", + "subnet": "ForSSO", + "azs": [ + "a", + "b" + ], + "size": "Small", + "restrict_srcips": [ + "10.249.1.0/24", + "${RANGE-MAD}" + ], + "connect-account-key": "operations", + "connect-dir-id": 1001 + } + } + }, + "log-archive": { + "account-name": "log-archive", + "ou": "Security", + "email": "myemail+aseaT-log@example.com---------------------REPLACE------------", + "src-filename": "config.json", + "description": "This Account is used to centralized and store immutable logs for the Organization.", + "gui-perm": true + }, + "security": { + "account-name": "security", + "ou": "Security", + "email": 
"myemail+aseaT-sec@example.com---------------------REPLACE------------", + "src-filename": "config.json", + "description": "This Account is used to centralized access to AWS security tooling and consoles.", + "gui-perm": true + } + }, + "workload-account-configs": { + "fun-acct": { + "account-name": "TheFunAccount", + "email": "myemail+aseaT-funacct@example.com---------------------REPLACE------------", + "src-filename": "config.json", + "ou": "Sandbox", + "description": "This is an OPTIONAL SAMPLE workload account. As this is a Sandbox account, it is used for extreme FUN!" + }, + "mydevacct1": { + "account-name": "MyDev1", + "email": "myemail+aseaT-dev1@example.com---------------------REPLACE------------", + "src-filename": "config.json", + "ou": "Dev", + "description": "This is an OPTIONAL SAMPLE workload account. As this is a Dev account, it is to be used for Development." + } + }, + "organizational-units": { + "Security": { + "type": "ignore", + "description": "The Security OU is used to hold AWS accounts containing AWS security resources shared or utilized by the rest of the Organization.", + "scps": [ + "Guardrails-Part-0-Core", + "Guardrails-Part-1", + "Guardrails-Sensitive" + ], + "ssm-inventory-collection": true, + "gui-perm": true, + "default-budgets": { + "name": "Default Security Budget", + "period": "Monthly", + "amount": 1000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + 
"ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_VERSIONING_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + }, + { + "excl-regions": [ + "ap-northeast-3", + "${ALT_REGION}" + ], + "rules": [ + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "ALB_WAF_ENABLED", + "EC2_VOLUME_INUSE_CHECK", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "DYNAMODB_IN_BACKUP_PLAN", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "EMR_KERBEROS_ENABLED", + "ELB_ACM_CERTIFICATE_REQUIRED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "IAM_GROUP_HAS_USERS_CHECK", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "SECURITYHUB_ENABLED", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "IAM_PASSWORD_POLICY", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "RDS_IN_BACKUP_PLAN", + "EBS_IN_BACKUP_PLAN", + "WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}" + ] + } + ] + }, + "Infrastructure": { + "type": 
"ignore", + "description": "The Infrastructure OU is used to hold AWS accounts containing AWS infrastructure resources shared or utilized by the rest of the Organization.", + "scps": [ + "Guardrails-Part-0-Core", + "Guardrails-Part-1", + "Guardrails-Sensitive" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Infrastructure Budget", + "period": "Monthly", + "amount": 1000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_VERSIONING_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + }, + { + 
"excl-regions": [ + "ap-northeast-3", + "${ALT_REGION}" + ], + "rules": [ + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "ALB_WAF_ENABLED", + "EC2_VOLUME_INUSE_CHECK", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "DYNAMODB_IN_BACKUP_PLAN", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "EMR_KERBEROS_ENABLED", + "ELB_ACM_CERTIFICATE_REQUIRED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "IAM_GROUP_HAS_USERS_CHECK", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "SECURITYHUB_ENABLED", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "IAM_PASSWORD_POLICY", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "RDS_IN_BACKUP_PLAN", + "EBS_IN_BACKUP_PLAN", + "WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}" + ] + } + ] + }, + "Central": { + "type": "mandatory", + "description": "The Central OU is used to hold AWS accounts which contain group or team resources used across OU boundaries like code promotion tools.", + "share-mad-from": "operations", + "scps": [ + "Guardrails-Part-0", + "Guardrails-Part-1", + "Guardrails-Sensitive" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Central Budget", + "period": "Monthly", + "amount": 500, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, 
+ "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "vpc": [ + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to the Operations account and every account in the Central OU.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main" + }, + { + "pool": "RFC6598a", + "size": 23 + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "pcx": { + "source": "management", + "source-vpc": "ForSSO", + "source-subnets": "ForSSO", + "local-subnets": "App2" + }, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": 
"${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + }, + { + "name": "App2", + "share-to-ou-accounts": false, + 
"share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_App2", + "cidr": { + "pool": "RFC6598a", + "size": 25 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_App2", + "cidr": { + "pool": "RFC6598a", + "size": 25 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_App2", + "cidr": { + "pool": "RFC6598a", + "size": 25 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::VPC_NAME}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + }, + { + "name": "${CONFIG::VPC_NAME}VPC_App2", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + }, + { + "destination": { + "account": "management", + "vpc": "ForSSO", + "subnet": "ForSSO" + }, + "target": "pcx" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + 
"ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "shared" + ], + "tgw-rt-propagate": [ + "core", + "segregated", + "dev_segregated", + "test_segregated", + "prod_segregated", + "unclass_segregated" + ], + "blackhole-route": false, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + }, + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}-${ALT_REGION}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to the Operations account and every account in the Central OU in ${ALT_REGION}.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main-${ALT_REGION}" + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": true, 
+ "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": 
"${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [ + "operations" + ], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + 
"destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + 
"outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "shared" + ], + "tgw-rt-propagate": [ + "core", + "segregated", + "dev_segregated", + "test_segregated", + "prod_segregated", + "unclass_segregated" + ], + "blackhole-route": false, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_VERSIONING_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + }, + { + "excl-regions": [ + "ap-northeast-3", + "${ALT_REGION}" + ], 
+ "rules": [ + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "ALB_WAF_ENABLED", + "EC2_VOLUME_INUSE_CHECK", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "DYNAMODB_IN_BACKUP_PLAN", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "EMR_KERBEROS_ENABLED", + "ELB_ACM_CERTIFICATE_REQUIRED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "IAM_GROUP_HAS_USERS_CHECK", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "SECURITYHUB_ENABLED", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "IAM_PASSWORD_POLICY", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "RDS_IN_BACKUP_PLAN", + "EBS_IN_BACKUP_PLAN", + "WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}" + ] + } + ] + }, + "Dev": { + "type": "workload", + "description": "The Dev OU is used to hold accounts at the Development or similiarly permissioned stage of the SDLC cycle containing sensitive unclassified data or workloads.", + "share-mad-from": "operations", + "scps": [ + "Guardrails-Part-0", + "Guardrails-Part-1", + "Guardrails-Sensitive" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Dev Budget", + "period": "Monthly", + "amount": 2000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + 
"myemail+aseaT-budg@example.com" + ] + } + ] + }, + "certificates": [ + { + "name": "DevSelf-SignedCert", + "type": "import", + "priv-key": "certs/example1-cert.key", + "cert": "certs/example1-cert.crt" + } + ], + "alb": [ + { + "name": "Core", + "scheme": "internal", + "action-type": "forward", + "ip-type": "ipv4", + "listeners": "HTTPS", + "ports": 443, + "vpc": "Dev", + "subnets": "Web", + "cert-name": "DevSelf-SignedCert", + "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08", + "security-group": "Web", + "access-logs": true, + "targets": [ + { + "target-name": "health-check-Lambda", + "target-type": "lambda", + "health-check-path": "/health-check", + "lambda-filename": "internal-dev-alb-lambda.txt" + } + ] + } + ], + "vpc": [ + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Dev OU.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main" + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + 
}, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + 
"share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::VPC_NAME}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + 
], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "dev_segregated" + ], + "tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + }, + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}-${ALT_REGION}", + "description": "This VPC is deployed in the shared network 
account and it's subnets are shared out to every account in the Dev OU in ${ALT_REGION}.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main-${ALT_REGION}" + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + 
"size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + 
"size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": 
[ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "dev_segregated" + ], + "tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "ssm-automation": [ 
+ { + "account": "operations", + "regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_VERSIONING_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + }, + { + "excl-regions": [ + "ap-northeast-3", + "${ALT_REGION}" + ], + "rules": [ + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "ALB_WAF_ENABLED", + "EC2_VOLUME_INUSE_CHECK", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "DYNAMODB_IN_BACKUP_PLAN", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "EMR_KERBEROS_ENABLED", + "ELB_ACM_CERTIFICATE_REQUIRED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "IAM_GROUP_HAS_USERS_CHECK", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "SECURITYHUB_ENABLED", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "IAM_PASSWORD_POLICY", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "RDS_IN_BACKUP_PLAN", + "EBS_IN_BACKUP_PLAN", + "WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}" + ] + } + ] + }, + "Test": { + "type": "workload", + "description": "The Test 
OU is used to hold accounts at the Test or similiarly permissioned (i.e. QA) stage of the SDLC cycle containing sensitive unclassified data or workloads.", + "share-mad-from": "operations", + "scps": [ + "Guardrails-Part-0", + "Guardrails-Part-1", + "Guardrails-Sensitive" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Test Budget", + "period": "Monthly", + "amount": 1000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "certificates": [ + { + "name": "TestSelf-SignedCert", + "type": "import", + "priv-key": "certs/example1-cert.key", + "cert": "certs/example1-cert.crt" + } + ], + "alb": [ + { + "name": "Core", + "scheme": "internal", + "action-type": "forward", + "ip-type": "ipv4", + "listeners": "HTTPS", + "ports": 443, + "vpc": "Test", + "subnets": "Web", + "cert-name": "TestSelf-SignedCert", + "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08", + "security-group": "Web", + "access-logs": true, + "targets": [ + { + "target-name": "health-check-Lambda", + "target-type": "lambda", + "health-check-path": "/health-check", + "lambda-filename": "internal-test-alb-lambda.txt" + } + ] + } + ], + "vpc": [ + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Test OU.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": 
"main" + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + 
"route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::VPC_NAME}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + 
"ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + 
"security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "test_segregated" + ], + "tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + }, + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}-${ALT_REGION}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Dev OU in ${ALT_REGION}.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main-${ALT_REGION}" + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": 
[ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + 
"cidr-blocks": [
+ "0.0.0.0/0"
+ ]
+ },
+ {
+ "rule": 100,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "deny",
+ "egress": false,
+ "cidr-blocks": [
+ {
+ "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}",
+ "subnet": [
+ "Web"
+ ]
+ },
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Data"
+ ]
+ }
+ ]
+ },
+ {
+ "rule": 32000,
+ "protocol": -1,
+ "ports": -1,
+ "rule-action": "allow",
+ "egress": false,
+ "cidr-blocks": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Mgmt",
+ "share-to-ou-accounts": false,
+ "share-to-specific-accounts": [],
+ "definitions": [
+ {
+ "az": "a",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 21
+ }
+ },
+ {
+ "az": "b",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 21
+ }
+ },
+ {
+ "az": "d",
+ "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "cidr": {
+ "pool": "main-${ALT_REGION}",
+ "size": 21
+ },
+ "disabled": true
+ }
+ ]
+ }
+ ],
+ "gateway-endpoints": [
+ "s3",
+ "dynamodb"
+ ],
+ "route-tables": [
+ {
+ "name": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common",
+ "routes": [
+ {
+ "destination": "0.0.0.0/0",
+ "target": "TGW"
+ },
+ {
+ "destination": "s3",
+ "target": "s3"
+ },
+ {
+ "destination": "DynamoDB",
+ "target": "DynamoDB"
+ }
+ ]
+ }
+ ],
+ "security-groups": [
+ {
+ "name": "Mgmt",
+ "inbound-rules": [
+ {
+ "description": "Mgmt RDP/SSH Traffic Inbound",
+ "type": [
+ "RDP",
+ "SSH"
+ ],
+ "source": "${RANGE-RESTRICT}"
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Web",
+ "inbound-rules": [
+ {
+ "description": "World Web Traffic Inbound",
+ "type": [
+ "HTTP",
+ "HTTPS"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ },
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "App",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Web Tier Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Web"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "App"
+ ]
+ }
+ ]
+ }
+ ],
+ "outbound-rules": [
+ {
+ "description": "All Outbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ "0.0.0.0/0"
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Data",
+ "inbound-rules": [
+ {
+ "description": "Central VPC Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "vpc": "Central-${ALT_REGION}",
+ "subnet": [
+ "Web",
+ "App",
+ "Mgmt",
+ "App2"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local Mgmt Traffic Inbound",
+ "type": [
+ "ALL"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "Mgmt"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Local App DB Traffic Inbound",
+ "type": [
+ "MSSQL",
+ "MYSQL/AURORA",
+ "REDSHIFT",
+ "POSTGRESQL",
+ "ORACLE-RDS"
+ ],
+ "source": [
+ {
+ "security-group": [
+ "App"
+ ]
+ }
+ ]
+ },
+ {
+ "description": "Allow East/West Communication Inbound",
+ "type": [
+ "ALL"
+ ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "test_segregated" + ], + "tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_VERSIONING_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + }, + { + "excl-regions": [ + "ap-northeast-3", + "${ALT_REGION}" + ], + 
"rules": [ + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "ALB_WAF_ENABLED", + "EC2_VOLUME_INUSE_CHECK", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "DYNAMODB_IN_BACKUP_PLAN", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "EMR_KERBEROS_ENABLED", + "ELB_ACM_CERTIFICATE_REQUIRED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "IAM_GROUP_HAS_USERS_CHECK", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "SECURITYHUB_ENABLED", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "IAM_PASSWORD_POLICY", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "RDS_IN_BACKUP_PLAN", + "EBS_IN_BACKUP_PLAN", + "WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}" + ] + } + ] + }, + "Prod": { + "type": "workload", + "description": "The Prod OU is used to hold accounts at the Production or similiarly permissioned (i.e. 
Pre-Prod) stage of the SDLC cycle containing sensitive unclassified data or workloads.", + "share-mad-from": "operations", + "scps": [ + "Guardrails-Part-0", + "Guardrails-Part-1", + "Guardrails-Sensitive" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Prod Budget", + "period": "Monthly", + "amount": 1000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "certificates": [ + { + "name": "ProdSelf-SignedCert", + "type": "import", + "priv-key": "certs/example1-cert.key", + "cert": "certs/example1-cert.crt" + } + ], + "alb": [ + { + "name": "Core", + "scheme": "internal", + "action-type": "forward", + "ip-type": "ipv4", + "listeners": "HTTPS", + "ports": 443, + "vpc": "Prod", + "subnets": "Web", + "cert-name": "ProdSelf-SignedCert", + "security-policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08", + "security-group": "Web", + "access-logs": true, + "targets": [ + { + "target-name": "health-check-Lambda", + "target-type": "lambda", + "health-check-path": "/health-check", + "lambda-filename": "internal-prod-alb-lambda.txt" + } + ] + } + ], + "vpc": [ + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Prod OU.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main" + } + ], + "region": "${HOME_REGION}", + 
"use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + 
"cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::VPC_NAME}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + 
"Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App 
DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "prod_segregated" + ], + "tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + }, + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}-${ALT_REGION}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Dev OU in ${ALT_REGION}.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main-${ALT_REGION}" + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": 
"${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + 
}, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + 
"0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + 
"security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "prod_segregated" + ], + "tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_VERSIONING_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + }, + { + "excl-regions": [ + "ap-northeast-3", + "${ALT_REGION}" + ], + "rules": [ + 
"API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "ALB_WAF_ENABLED", + "EC2_VOLUME_INUSE_CHECK", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "DYNAMODB_IN_BACKUP_PLAN", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "EMR_KERBEROS_ENABLED", + "ELB_ACM_CERTIFICATE_REQUIRED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "IAM_GROUP_HAS_USERS_CHECK", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "SECURITYHUB_ENABLED", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "IAM_PASSWORD_POLICY", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "RDS_IN_BACKUP_PLAN", + "EBS_IN_BACKUP_PLAN", + "WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}" + ] + } + ] + }, + "UnClass": { + "type": "workload", + "description": "Non-sensitive workloads should be placed with sensitive worksloads (Dev/Test/Prod/Central OU's). 
Used for accounts with AWS Console users without appropriate security clearance or deploying AWS services not approved for use with sensitive data.", + "share-mad-from": "operations", + "scps": [ + "Guardrails-Part-0", + "Guardrails-Part-1", + "Guardrails-Unclass" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Unclass Budget", + "period": "Monthly", + "amount": 1000, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "vpc": [ + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Unclass OU.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main" + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": 
true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::VPC_NAME}", + "subnet": [ + "Web" 
+ ] + }, + { + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::VPC_NAME}VPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::VPC_NAME}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + 
"security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "unclass_segregated" + ], + 
"tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + }, + { + "deploy": "shared-network", + "name": "${CONFIG::OU_NAME}-${ALT_REGION}", + "description": "This VPC is deployed in the shared network account and it's subnets are shared out to every account in the Dev OU in ${ALT_REGION}.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main-${ALT_REGION}" + } + ], + "region": "${ALT_REGION}", + "use-central-endpoints": true, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "subnets": [ + { + "name": "TGW", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 27 + }, + "disabled": true + } + ] + }, + { + "name": "Web", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + 
"size": 19 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": true, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "${CONFIG::OU_NAME}-${ALT_REGION}", + "subnet": [ + "Web" + ] + }, + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + 
"size": 21 + } + }, + { + "az": "b", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + } + }, + { + "az": "d", + "route-table": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "cidr": { + "pool": "main-${ALT_REGION}", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [ + "s3", + "dynamodb" + ], + "route-tables": [ + { + "name": "${CONFIG::OU_NAME}-${ALT_REGION}VPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "TGW" + }, + { + "destination": "s3", + "target": "s3" + }, + { + "destination": "DynamoDB", + "target": "DynamoDB" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + 
"subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Central VPC Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "vpc": "Central-${ALT_REGION}", + "subnet": [ + "Web", + "App", + "Mgmt", + "App2" + ] + } + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ], + "tgw-attach": { + "associate-to-tgw": "Main-${ALT_REGION}", + "account": "shared-network", + "associate-type": "ATTACH", + "tgw-rt-associate": [ + "unclass_segregated" + ], + "tgw-rt-propagate": [ + "core", + "shared" + ], + "blackhole-route": true, + "attach-subnets": [ + "TGW" + ], + "options": [ + "DNS-support" + ] + } + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + 
"role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ], + "documents": [ + "SSM-ELB-Enable-Logging", + "Put-S3-Encryption", + "Attach-IAM-Instance-Profile", + "Attach-IAM-Role-Policy" + ] + } + ], + "aws-config": [ + { + "excl-regions": [ + "ap-northeast-3" + ], + "rules": [ + "EC2-INSTANCE-PROFILE", + "EC2-INSTANCE-PROFILE-PERMISSIONS", + "ELB_LOGGING_ENABLED", + "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", + "ACM_CERTIFICATE_EXPIRATION_CHECK", + "ALB_WAF_ENABLED", + "API_GW_CACHE_ENABLED_AND_ENCRYPTED", + "CLOUD_TRAIL_ENABLED", + "CLOUDTRAIL_S3_DATAEVENTS_ENABLED", + "CLOUDTRAIL_SECURITY_TRAIL_ENABLED", + "CLOUDWATCH_ALARM_ACTION_CHECK", + "CW_LOGGROUP_RETENTION_PERIOD_CHECK", + "DB_INSTANCE_BACKUP_ENABLED", + "DYNAMODB_IN_BACKUP_PLAN", + "DYNAMODB_TABLE_ENCRYPTED_KMS", + "EBS_IN_BACKUP_PLAN", + "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", + "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK", + "EC2_VOLUME_INUSE_CHECK", + "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", + "ELB_ACM_CERTIFICATE_REQUIRED", + "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", + "EMR_KERBEROS_ENABLED", + "GUARDDUTY_NON_ARCHIVED_FINDINGS", + "IAM_GROUP_HAS_USERS_CHECK", + "IAM_PASSWORD_POLICY", + "IAM_USER_GROUP_MEMBERSHIP_CHECK", + "INCOMING_SSH_DISABLED", + "INSTANCES_IN_VPC", + "INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY", + "RDS_IN_BACKUP_PLAN", + "REDSHIFT_CLUSTER_CONFIGURATION_CHECK", + "RESTRICTED_INCOMING_TRAFFIC", + "S3_BUCKET_POLICY_GRANTEE_CHECK", + "S3_BUCKET_VERSIONING_ENABLED", + "SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED", + "SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED", + "SECURITYHUB_ENABLED", + "VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS", + 
"WAFV2_LOGGING_ENABLED" + ], + "remediate-regions": [ + "${HOME_REGION}", + "${ALT_REGION}" + ] + } + ] + }, + "Sandbox": { + "type": "workload", + "description": "The Sandbox OU offers the most cloud native, agile experience and is used for experimentation. It is not to be used to hold production workloads or data as it offers the fewest security controls.", + "scps": [ + "Guardrails-Part-0", + "Guardrails-Part-1", + "Guardrails-Sandbox" + ], + "ssm-inventory-collection": true, + "default-budgets": { + "name": "Default Sandbox Budget", + "period": "Monthly", + "amount": 200, + "include": [ + "Upfront-reservation-fees", + "Recurring-reservation-charges", + "Other-subscription-costs", + "Taxes", + "Support-charges", + "Discounts" + ], + "alerts": [ + { + "type": "Actual", + "threshold-percent": 50, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 75, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 90, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + }, + { + "type": "Actual", + "threshold-percent": 100, + "emails": [ + "myemail+aseaT-budg@example.com" + ] + } + ] + }, + "vpc": [ + { + "deploy": "local", + "name": "${CONFIG::OU_NAME}", + "description": "This VPC is deployed locally in each Sandbox account and each account/VPC is deployed with the same identical CIDR range. 
This VPC has no access to the rest of the Organizations networking and has direct internet access and does not use the perimeter ingress/egress services.", + "cidr-src": "dynamic", + "cidr": [ + { + "size": 16, + "pool": "main" + } + ], + "region": "${HOME_REGION}", + "use-central-endpoints": false, + "flow-logs": "BOTH", + "dns-resolver-logging": true, + "igw": true, + "natgw": { + "subnet": { + "name": "Web", + "az": "a" + } + }, + "subnets": [ + { + "name": "Web", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "SandboxVPC_IGW", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "SandboxVPC_IGW", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "SandboxVPC_IGW", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ] + }, + { + "name": "App", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "b", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 19 + } + }, + { + "az": "d", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 19 + }, + "disabled": true + } + ] + }, + { + "name": "Data", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "b", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 20 + } + }, + { + "az": "d", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 20 + }, + "disabled": true + } + ], + "nacls": [ + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": true, + "cidr-blocks": [ + { + "vpc": "Sandbox", + "subnet": [ + "Web" + ] + }, + { 
+ "account": "shared-network", + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": true, + "cidr-blocks": [ + "0.0.0.0/0" + ] + }, + { + "rule": 100, + "protocol": -1, + "ports": -1, + "rule-action": "deny", + "egress": false, + "cidr-blocks": [ + { + "vpc": "Sandbox", + "subnet": [ + "Web" + ] + }, + { + "account": "shared-network", + "vpc": "Central", + "subnet": [ + "Data" + ] + } + ] + }, + { + "rule": 32000, + "protocol": -1, + "ports": -1, + "rule-action": "allow", + "egress": false, + "cidr-blocks": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Mgmt", + "share-to-ou-accounts": false, + "share-to-specific-accounts": [], + "definitions": [ + { + "az": "a", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "b", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 21 + } + }, + { + "az": "d", + "route-table": "SandboxVPC_Common", + "cidr": { + "pool": "main", + "size": 21 + }, + "disabled": true + } + ] + } + ], + "gateway-endpoints": [], + "route-tables": [ + { + "name": "SandboxVPC_IGW", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "IGW" + } + ] + }, + { + "name": "SandboxVPC_Common", + "routes": [ + { + "destination": "0.0.0.0/0", + "target": "NATGW_Web_azA" + } + ] + } + ], + "security-groups": [ + { + "name": "Mgmt", + "inbound-rules": [ + { + "description": "Mgmt RDP/SSH Traffic Inbound", + "type": [ + "RDP", + "SSH" + ], + "source": "${RANGE-RESTRICT}" + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Web", + "inbound-rules": [ + { + "description": "World Web Traffic Inbound", + "type": [ + "HTTP", + "HTTPS" + ], + "source": [ + "0.0.0.0/0" + ] + }, + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ 
+ "Mgmt" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "App", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local Web Tier Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Web" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + }, + { + "name": "Data", + "inbound-rules": [ + { + "description": "Local Mgmt Traffic Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Mgmt" + ] + } + ] + }, + { + "description": "Local App DB Traffic Inbound", + "type": [ + "MSSQL", + "MYSQL/AURORA", + "REDSHIFT", + "POSTGRESQL", + "ORACLE-RDS" + ], + "source": [ + { + "security-group": [ + "App" + ] + } + ] + }, + { + "description": "Allow East/West Communication Inbound", + "type": [ + "ALL" + ], + "source": [ + { + "security-group": [ + "Data" + ] + } + ] + } + ], + "outbound-rules": [ + { + "description": "All Outbound", + "type": [ + "ALL" + ], + "source": [ + "0.0.0.0/0" + ] + } + ] + } + ] + } + ], + "iam": { + "users": [], + "policies": [ + { + "policy-name": "Default-Boundary-Policy", + "policy": "boundary-policy.txt" + } + ], + "roles": [ + { + "role": "EC2-Default-SSM-AD-Role", + "type": "ec2", + "ssm-log-archive-write-access": true, + "policies": [ + "AmazonSSMManagedInstanceCore", + "AmazonSSMDirectoryServiceAccess", + "CloudWatchAgentServerPolicy" + ], + "boundary-policy": "Default-Boundary-Policy" + } + ] + }, + "ssm-automation": [ + { + "account": "operations", + "regions": [ + "${HOME_REGION}" + ], + "documents": [ + 
"Put-S3-Encryption"
+ ]
+ }
+ ],
+ "aws-config": [
+ {
+ "excl-regions": [],
+ "rules": [
+ "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
+ ],
+ "remediate-regions": [
+ "${HOME_REGION}"
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/mkdocs/docs/installation/ca-west-1-region-configuration.md b/src/mkdocs/docs/installation/ca-west-1-region-configuration.md
new file mode 100644
index 000000000..765cc106f
--- /dev/null
+++ b/src/mkdocs/docs/installation/ca-west-1-region-configuration.md
@@ -0,0 +1,211 @@
+# 1. CA-West-1 (Calgary) Region Configurations and Customizations
+
+## 1.1. Introduction
+
+### 1.1.1 Summary
+
+The configurations described in this documentation section explains how to enable the Calgary (ca-west-1) region. This currently depends on ASEA version > 1.6.1, and extends into ca-west-1 (i.e. ca-west-1 is NOT the home region). Before applying any of the configuration below, be sure to review the networking architecture, and deploy in a test ASEA instance first if possible.
+
+### 1.1.2 Activating the Calgary opt-in Region
+
+Since March 20, 2019, when AWS adds a Region, the new Region is disabled by default. If you want your users to be able to create and manage resources in a new Region, you first need to enable that Region. The Calgary region (ca-west-1) is an 'Opt-in' region that requires enablement configuration for all AWS accounts.
+
+To update the enabled Regions for member accounts of your AWS Organizations, perform the steps in the following procedure.
+1. _Requires:_ Enable trusted access for the AWS Account Management service. To set this up, see [Enabling trusted access for AWS Account Management.](https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-trusted-access.html)
+2. Sign in to the AWS Organizations console with your organization's management account credentials.
+3. On the AWS accounts page, select the account that you want to update.
+4. Choose the Account settings tab.
+5. Under Regions, select the Region you want to enable or disable.
+6. Choose Actions, and then choose either Enable or Disable option.
+7. If you chose the Enable option, review the displayed text and then choose Enable region.
+
+This can also be executed using the AWS CLI & SDKs, review this [page](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-update-account-enabled) for detail. 
Alternatively, you can also use the sample script provided here (insert hyperlink to reference artifacts) to enable or disable the Opt-in region programatically using the following instructions:
+
+1. Log into the AWS console as a Full Administrator to the Organization Management account.
+2. Start a CloudShell session.
+3. Create a virtual python environment. `python3 -m venv env`
+4. Activate the python environment. `source env/bin/activate`
+5. Install the python3 required libaries (ex: `pip install -r requirements.txt`)
+6. Make the Python script executable (ex: `chmod +x region_optin.py`)
+7. Execute the script with the following parameters:
+ `--OptInRegion` *region*
+ `--Action` *enable / disable / status*
+
+ Optional:
+ `--IgnoreOU` *ou*
+
+ Example: `python3 region_optin.py --OptInRegion ca-west-1 --Action=enable`
+
+**Note:** These instructions will need to be repeated for all new accounts that are added in the future and that will be used for workloads that use the ca-west-1 region
+
+## 1.2. Network Architecture -- Mirrored from Home Region
+![Mirrored ca-west-1 Networking](./img/mirrored-ca-west-1-network.png)
+
+The _Mirrored from Home Region_ network architecture mirrors the network architecture from the home region (e.g. ca-central-1). In the diagram above, ca-west-1 has its own Transit Gateway, same set of VPCs, Endpoint configuration, and Perimeter VPC/Firewall configuration. Additionaly, this configuration sample does not connect ca-central-1 with ca-west-1 via Transit Gateway Peering (see #1.3 below). Note that in the sample config provided, the IP CIDR ranges are different than the home region.
+
+## 1.3. Network Architecture -- Cross Region Peering
+![Mirrored ca-west-1 Networking with Peering](./img/mirrored-ca-west-1-network-peering.png)
+
+The cross Region peering network architecture adds cross Region peering to enable cross Region communication. 
To continue following the [Government of Canada Cloud guardrail](https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32787) "segment and separate" the workload VPCs would need individual segregated Transit Gateway Route Tables instead of the common Segregated route table to maintain segregation across Regions.
+
+![Segregated Route Tables](./img/segregated-rt.png)
+
+The sample segregated route tables have routes to shared resources in the central and endpoint VPCs of each region and only to the corresponding workload VPC in the remote region. Internet bound traffic would route to the local Region Perimeter firewalls. For example, lets look at the dev workload VPC and what it's allowed to route to based on the sample config.
+```
+ dev (ca-central-1) <--> dev (ca-west-1)
+ dev (ca-central-1 and ca-west-1) <--> central (ca-central-1 and ca-west-1)
+ dev (ca-central-1 and ca-west-1) <--> endpoint (ca-central-1 and ca-west-1)
+ dev (ca-central-1) <--> perimeter (ca-central-1)
+ dev (ca-west-1) <--> perimeter (ca-west-1)
+```
+
+
+## 1.4. How to apply Mirrored from Home Region configuration
+The general strategy is to compare your existing deployed configuration (**config.json** in CodeCommit) with the sample provided [here](https://github.com/aws-samples/aws-secure-environment-accelerator/tree/main/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-multi-region-ca-west-1-example.json). Using your preferred file compare tool (e.g. Visual Studio Code), you will see differences that need to be applied. Here is a list of changes that should be made:
+1. Add the use of '${ALT_REGION}'
+2. Set '${ALT_REGION}': 'ca-west-1'
+3. Add 'ca-west-1' to list of Supported Regions
+4. Add 'ca-west-1' to list of Macie Excluded Regions (until service is launched in region)
+5. 'fw-mgr-alert-level': 'None'
+6. Add 'ca-west-1' to additional-cwl-regions
+7. Add '${ALT_REGION}' to list of ssm-automation regions (global and OU config sections)
+8. Add '${ALT_REGION}' cidr-pools
+9. 
Add TGW for '${ALT_REGION}'
+10. Add firewalls (Fortinet) to deploy in '${ALT_REGION}'
+ 1. Follow ASEA installation instructions for Marketplace and enabling the Fortigate Subscriptions in ca-west-1
+11. AWS Config configuration is split into supported region rules. Remediate-regions updated with '${ALT_REGION}'
+12. Endpoint VPC created in Shared-Network account in '${ALT_REGION}'. Note available Interface Endpoints is a subset of ca-central-1. Sample deploys minimum needed.
+13. Dev/Test/Prod VPCs created in Shared-Network account in '${ALT_REGION}' with TGW attachments
+
+Current Known Limitations:
+
+1. Managed Active Directory should be manually 'shared' to ca-west-1 once the service is updated to support ca-west-1
+2. Rsyslog servers (used as an option for Fortigate logging destination) can only be deployed to a single region. This would need to be configured outside ASEA (manually or with your own created IaC).
+3. Fortigate firewalls config use c6i EC2 instance types in lieu of c5n until it becomes available in ca-west-1.
+
+## 1.5. How to apply Cross Region Peering configuration
+The general strategy is to compare your existing deployed configuration (**config.json** in CodeCommit) with the sample provided [here](https://github.com/aws-samples/aws-secure-environment-accelerator/tree/main/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-multi-region-ca-west-1-tgw-peering-example.json). Using your preferred file compare tool (e.g. Visual Studio Code), you will see differences that need to be applied. Here is a list of changes that should be made:
+
+## 1.5.1 Create Segregated Route Tables and Propogations
+In preparation for the Transit Gateway peering, you need to create a segregated route table for each workload VPC in each Region. This allows you the flexibility to customize the routes specific to each workload VPC which is used to only allow routing to the corresponding workload VPC in the remote Region. 
You also need to propagate the routes from the Endpoint VPC, Central VPC, and Firewall attachments to maintain communication to these locations.
+1. Create workload segregated Transit Gateway route tables by adding them to the home Region Transit Gateway `["mandatory-account-configs"]["shared-network"].deployments.tgw[0]["route-tables"]` and remote Region Transit Gateway `["mandatory-account-configs"]["shared-network"].deployments.tgw[1]["route-tables"]` sections.
+```json
+ "route-tables": [
+ "core",
+ "shared",
+ "standalone",
+ "segregated",
+ "dev_segregated",
+ "test_segregated",
+ "prod_segregated",
+ "unclass_segregated"
+ ],
+```
+2. Add the workload segregated Transit Gateway route tables to the `tgw-rt-propagated` section under `tgw-attach` for the Endpoint VPCs, Central VPCs, and the Firewalls Transit Gateway attachments in Perimeters of each Region.
+```json
+ "tgw-rt-propagate": [
+ "core",
+ "shared",
+ "standalone",
+ "segregated",
+ "dev_segregated",
+ "test_segregated",
+ "prod_segregated",
+ "unclass_segregated"
+ ],
+```
+3. Commit the changes and run the `ASEA-MainStateMachine_sm` State Machine (SM) with the input of `{"scope": "FULL", "mode": "APPLY", "verbose": "0"}`. Wait for successful completion.
+4. Verify the new TGW route tables are created and have the routes to central, endpoint and firewall tgw attachments.
+
+## 1.5.2 Associate Workload VPC to Workload Segregated Transit Gateway Route Table
+This process will switch the workload VPC from the segregated TGW route table to the workload specific segregated TGW route table.
+
+>**NOTE:** Following this process will isolate the respective resources in the workload VPC. Any communication within the VPC will be unaffected however any communication that has to transfer through the Transit Gateway will be interrupted. Recommend performing this process on one workload VPC at a time during a maintenance window. For example, only start with the Dev VPC.
+
+1. 
Undeploy the TGW attachment by prefixing the `tgw-attach` with "xx" to be `xxtgw-attach` to the corresponding workload VPC. This will be an unknown field, which is the same a deleting the section.
+```json
+ "xxtgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ }
+```
+2. Commit the changes and run the `ASEA-MainStateMachine_sm` State Machine (SM) with the input of `{"scope": "FULL", "mode": "APPLY", "verbose": "0"}`. Wait for successful completion.
+3. Redeploy the TGW attachment by removing the "xx" to be `tgw-attach` and update the `tgw-rt-associate` with the respective workload segregated TGW route table. For example changing from `segregated` to `dev_segregated`.
+```json
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "associate-type": "ATTACH",
+ "tgw-rt-associate": ["dev_segregated"],
+ "tgw-rt-propagate": ["core", "shared"],
+ "blackhole-route": true,
+ "attach-subnets": ["TGW"],
+ "options": ["DNS-support"]
+ }
+```
+4. Commit the changes and run the `ASEA-MainStateMachine_sm` State Machine (SM) with the input of `{"scope": "FULL", "mode": "APPLY", "verbose": "0"}`. Wait for successful completion.
+5. Validate communication has been restored to original status.
+6. Repeat steps 1-5 for each workload VPC.
+
+## 1.5.3 Configure Transit Gateway Peering
+The Transit Gateway peering process is achieved by creating a TGW peering attachment and creating static routes in each of the TGW route tables.
+1. Create the Transit Gateway peering attachment by adding the following section to the remote Region TGW deployment section to associate to TGW in home Region. 
+ ```json
+ "tgw-attach": {
+ "associate-to-tgw": "Main",
+ "account": "shared-network",
+ "region": "${HOME_REGION}",
+ "tgw-rt-associate-local": ["core"],
+ "tgw-rt-associate-remote": ["core"]
+ },
+```
+2. Commit the changes and run the `ASEA-MainStateMachine_sm` State Machine (SM) with the input of `{"scope": "FULL", "mode": "APPLY", "verbose": "0"}`. Wait for successful completion.
+3. Create static routes for each of the TGW route tables in each Region. You are creating these routes to allow workload traffic to its workload VPC peer, Central VPC and Endpoint VPC in remote Region. Refer to the `Segregated Route Tables` above and the sample multi-region config file for examples [here](https://github.com/aws-samples/aws-secure-environment-accelerator/tree/main/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-multi-region-ca-west-1-tgw-peering-example.json). This is an example of the static routes in the `dev_segregated` TGW route table in the home Region assuming CIDR ranges follows example above.
+```json
+ {
+ "name": "dev_segregated",
+ "routes": [
+ {
+ "destination": "10.3.0.0/16",
+ "blackhole-route": true
+ },
+ {
+ "destination": "10.4.0.0/16",
+ "blackhole-route": true
+ },
+ {
+ "destination": "10.5.0.0/16",
+ "blackhole-route": true
+ },
+ {
+ "destination": "10.96.0.0/22",
+ "target-tgw": "Main-${ALT_REGION}"
+ },
+ {
+ "destination": "10.97.0.0/16",
+ "target-tgw": "Main-${ALT_REGION}"
+ },
+ {
+ "destination": "10.98.0.0/16",
+ "target-tgw": "Main-${ALT_REGION}"
+ },
+ {
+ "destination": "10.99.0.0/16",
+ "blackhole-route": true
+ },
+ {
+ "destination": "10.100.0.0/16",
+ "blackhole-route": true
+ }
+ ]
+ },
+```
+4. Commit the changes and run the `ASEA-MainStateMachine_sm` State Machine (SM) with the input of `{"scope": "FULL", "mode": "APPLY", "verbose": "0"}`. Wait for successful completion.
+5. Validate communication across the TGW peering connection between Regions.
+
diff --git a/src/mkdocs/docs/installation/customization-index.md b/src/mkdocs/docs/installation/customization-index.md
index d35b0d867..a5da92f42 100644
--- a/src/mkdocs/docs/installation/customization-index.md
+++ b/src/mkdocs/docs/installation/customization-index.md
@@ -112,6 +112,38 @@
 - AWS Control Tower: No
 - Firewall: AWS Network Firewall
+### 1.2.6. **Lite weight Multi-Region ca-west-1 configuration ([config.lite-VPN-multi-region-ca-west-1-example.json](https://github.com/aws-samples/aws-secure-environment-accelerator/tree/main/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-multi-region-ca-west-1-example.json))** files
+
+- This configuration file was created to represent a more advanced multi-region version of the Full configuration file from configuration 1 above. This config:
+
+ - adds ca-west-1 to list of supported regions
+ - adds a TGW in ca-west-1
+ - adds a central Endpoint VPC in ca-west-1 with ca-west-1 endpoints configured
+ - adds a shared VPCs for Dev,Test,Prod,Unclass OU accounts in ca-west-1
+ - Sends ca-west-1 CloudWatch Logs to the central S3 log-archive bucket in ca-central-1
+ - Deploys SSM documents to ca-west-1 and remediates configured rules Dev,Test,Prod,Unclass OU
+ - adds VPC to Perimeter account in ca-west-1
+ - Deploys Fortigate Firewalls to Perimeter account in ca-west-1
+ - Disables Macie in ca-west-1 (Service not available yet)
+ - Deploys available AWS Config Rules to ca-west-1
+ - requires 3rd party licensing (BYOL or PAYGO)
+
+- Default Settings:
+ - AWS Control Tower: No
+ - Firewall: IPSec VPN with Active/Active Fortinet cluster (uses BGP+ECMP)
+
+- To reduce solution costs and allow customers to grow into more advanced AWS capabilities, we created these lite weight configurations that does not sacrifice functionality, but could limit performance. These config files:
+
+ - only deploys the 9 required centralized Interface Endpoints (removes 50 from full config).
All services remain accessible using the AWS public endpoints, but require traversing the perimeter firewalls
+ - removes the perimeter VPC Interface Endpoints
+ - reduces the Fortigate instance sizes from c5n.2xl to c6i.xl (VM08 to VM04) in _Variant 2: IPSec VPN with Active/Active Fortinet cluster_ option
+
+
+- Review additional details [here](./ca-west-1-region-configuration.md)
+
+
+- The Accelerator allows customers to easily add or change this functionality in future, as and when required without any impact
+
 ## 1.3. Deployment Customizations
 ### 1.3.1. [Multi-file config file and YAML formatting option](./multi-file-config-capabilities.md)
diff --git a/src/mkdocs/docs/installation/img/mirrored-ca-west-1-network-peering.png b/src/mkdocs/docs/installation/img/mirrored-ca-west-1-network-peering.png
new file mode 100644
index 000000000..d614edb61
Binary files /dev/null and b/src/mkdocs/docs/installation/img/mirrored-ca-west-1-network-peering.png differ
diff --git a/src/mkdocs/docs/installation/img/mirrored-ca-west-1-network.png b/src/mkdocs/docs/installation/img/mirrored-ca-west-1-network.png
new file mode 100644
index 000000000..5c3e21727
Binary files /dev/null and b/src/mkdocs/docs/installation/img/mirrored-ca-west-1-network.png differ
diff --git a/src/mkdocs/docs/installation/img/segregated-rt.png b/src/mkdocs/docs/installation/img/segregated-rt.png
new file mode 100644
index 000000000..9da64ce3a
Binary files /dev/null and b/src/mkdocs/docs/installation/img/segregated-rt.png differ
diff --git a/src/mkdocs/docs/installation/index.md b/src/mkdocs/docs/installation/index.md
index 726da31d7..01a4ef3b5 100644
--- a/src/mkdocs/docs/installation/index.md
+++ b/src/mkdocs/docs/installation/index.md
@@ -5,6 +5,7 @@ This section contains information on the installation and upgrade procedures for
 - Installation
 - [Installation Guide](../installation/install.md)
 - [Sample Configurations and Customization](../installation/customization-index.md)
+ - [Calgary Region Configuration Sample](../installation/ca-west-1-region-configuration.md)
 - [State Machine Behavior](../installation/sm_inputs.md)
 - [Splitting the Config File](../installation/multi-file-config-capabilities.md)
 - [Considerations with Existing Organizations](../installation/existing-orgs.md)
diff --git a/src/mkdocs/mkdocs.yml b/src/mkdocs/mkdocs.yml
index f862217bb..8603da921 100644
--- a/src/mkdocs/mkdocs.yml
+++ b/src/mkdocs/mkdocs.yml
@@ -11,6 +11,7 @@ nav:
 - Installation:
 - Installation Guide: installation/install.md
 - Sample Configurations and Customization: installation/customization-index.md
+ - Calgary Region Configuration Sample: installation/ca-west-1-region-configuration.md
 - State Machine Behavior: installation/sm_inputs.md
 - Splitting the Config File: installation/multi-file-config-capabilities.md
 - Considerations with Existing Organizations: installation/existing-orgs.md