######################################################################## # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations Macie in the Control Tower Audit or another delegated admin account with a customer managed KMS key created in the Audit account sending the encrypted findings to an S3 bucket created within the Log Archive account. - 'macie_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5m) Metadata: SRA: Version: 1.2 Entry: Parameters for deploying solution resolving SSM parameters Order: 1 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: General Properties Parameters: - pSRASolutionName - pSRASolutionVersion - pSRAStagingS3BucketName - pSRAAlarmEmail - pAuditAccountId - pLogArchiveAccountId - pRootOrganizationalUnitId - Label: default: Macie Delivery Properties Parameters: - pMacieOrgDeliveryBucketPrefix - pMacieOrgDeliveryKeyAlias - Label: default: Macie Configuration Properties Parameters: - pDisableMacie - pControlTowerRegionsOnly - pEnabledRegions - pFindingPublishingFrequency - pOrganizationId - Label: default: General Lambda Function Properties Parameters: - pCreateLambdaLogGroup - pLambdaLogGroupRetention - pLambdaLogGroupKmsKey - pLambdaLogLevel ParameterLabels: pAuditAccountId: default: Audit Account ID pControlTowerRegionsOnly: default: Control Tower Regions Only pCreateLambdaLogGroup: default: Create Lambda Log Group pDisableMacie: default: Disable Macie in All Accounts pEnabledRegions: default: (Optional) Enabled Regions pFindingPublishingFrequency: default: Finding Publishing Frequency pLambdaLogGroupKmsKey: default: (Optional) Lambda Logs KMS Key pLambdaLogGroupRetention: default: Lambda Log Group Retention pLambdaLogLevel: default: Lambda Log Level pLogArchiveAccountId: default: Log Archive Account ID pMacieOrgDeliveryBucketPrefix: default: Macie Delivery Bucket Prefix pMacieOrgDeliveryKeyAlias: default: Macie Delivery KMS Key Alias pOrganizationId: default: Organization ID pRootOrganizationalUnitId: default: Root Organizational Unit ID pSRAAlarmEmail: default: (Optional) SRA Alarm Email pSRASolutionName: default: SRA Solution Name pSRASolutionVersion: default: SRA Solution Version pSRAStagingS3BucketName: default: SRA Staging S3 Bucket Name Parameters: pAuditAccountId: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/control-tower/audit-account-id Description: SSM Parameter for AWS Account ID of the Control Tower account to delegate administration. Type: AWS::SSM::Parameter::Value pControlTowerRegionsOnly: Type: String Description: Only enable in the Control Tower governed regions Default: 'true' AllowedValues: ['true', 'false'] pCreateLambdaLogGroup: AllowedValues: ['true', 'false'] Default: 'false' Description: Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String pDisableMacie: AllowedValues: ['true', 'false'] Default: 'false' Description: Update to 'true' to disable Macie in all accounts and regions before deleting the stack. Type: String pEnabledRegions: AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$' ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) Default: '' Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String pFindingPublishingFrequency: AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS] Default: FIFTEEN_MINUTES Description: Finding publishing frequency Type: String pMacieOrgDeliveryBucketPrefix: AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: sra-macie-org-delivery Description: Macie Delivery S3 bucket prefix. The account and region will get added to the end. e.g. macie-delivery-123456789012-us-east-1 Type: String pMacieOrgDeliveryKeyAlias: AllowedPattern: '^[a-zA-Z0-9/_-]+$' ConstraintDescription: The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Default: sra-macie-org-delivery-key Description: Macie Delivery KMS Key Alias Type: String pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. Type: String pLambdaLogGroupRetention: AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] Default: 14 Description: Specifies the number of days you want to retain log events Type: String pLambdaLogLevel: AllowedValues: [INFO, ERROR, DEBUG] Default: INFO Description: Lambda Function Logging Level Type: String pLogArchiveAccountId: AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$ ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/control-tower/log-archive-account-id Description: SSM Parameter for AWS Account ID of the Control Tower Log Archive account. Type: AWS::SSM::Parameter::Value pOrganizationId: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/control-tower/organization-id Description: SSM Parameter for AWS Organizations ID Type: AWS::SSM::Parameter::Value pRootOrganizationalUnitId: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/control-tower/root-organizational-unit-id Description: SSM Parameter for Root Organizational Unit ID Type: AWS::SSM::Parameter::Value pSRAAlarmEmail: AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' ConstraintDescription: Must be a valid email address. Default: '' Description: (Optional) Email address for receiving SRA alarms Type: String pSRASolutionName: AllowedValues: [sra-macie-org] Default: sra-macie-org Description: The SRA solution name. The default value is the folder name of the solution Type: String pSRAStagingS3BucketName: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/staging-s3-bucket-name Description: SSM Parameter for SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: AWS::SSM::Parameter::Value pSRASolutionVersion: AllowedValues: [v1.2] Default: v1.2 Description: The SRA solution version. Used to trigger updates on the nested StackSets. Type: String Resources: rMacieDisableRoleStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-macie-org-disable-role AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: false CallAs: SELF Capabilities: - CAPABILITY_NAMED_IAM Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for disabling Macie. ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 100 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SERVICE_MANAGED StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: - !Ref pRootOrganizationalUnitId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-macie-org-disable-role.yaml Parameters: - ParameterKey: pManagementAccountId ParameterValue: !Ref AWS::AccountId Tags: - Key: sra-solution Value: !Ref pSRASolutionName rMacieDisableRoleStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-macie-org-disable-role.yaml Tags: - Key: sra-solution Value: !Ref pSRASolutionName Parameters: pManagementAccountId: !Ref AWS::AccountId rMacieConfigurationIAMRoleStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-macie-org-configuration-role AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Capabilities: - CAPABILITY_NAMED_IAM Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for configuring Macie ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref pAuditAccountId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-macie-org-configuration-role.yaml Parameters: - ParameterKey: pManagementAccountId ParameterValue: !Ref AWS::AccountId Tags: - Key: sra-solution Value: !Ref pSRASolutionName rMacieDeliveryKMSKeyStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-macie-org-delivery-kms-key AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Description: !Sub ${pSRASolutionVersion} - Deploys a KMS Key via ${pSRASolutionName} for encrypting Macie findings ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref pAuditAccountId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-macie-org-delivery-kms-key.yaml Parameters: - ParameterKey: pMacieOrgDeliveryKeyAlias ParameterValue: !Ref pMacieOrgDeliveryKeyAlias - ParameterKey: pLogArchiveAccountId ParameterValue: !Ref pLogArchiveAccountId - ParameterKey: pManagementAccountId ParameterValue: !Ref AWS::AccountId - ParameterKey: pSRASecretsKeyAliasArn ParameterValue: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${pAuditAccountId}:alias/sra-secrets-key Tags: - Key: sra-solution Value: !Ref pSRASolutionName rMacieDeliveryS3BucketStackSet: Type: AWS::CloudFormation::StackSet DependsOn: rMacieDeliveryKMSKeyStackSet Properties: StackSetName: sra-macie-org-delivery-s3-bucket AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Description: !Sub ${pSRASolutionVersion} - Deploys an S3 bucket via ${pSRASolutionName} for storing Macie findings ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref pLogArchiveAccountId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-macie-org-delivery-s3-bucket.yaml Parameters: - ParameterKey: pDelegatedAdminAccountId ParameterValue: !Ref pAuditAccountId - ParameterKey: pMacieOrgDeliveryBucketPrefix ParameterValue: !Ref pMacieOrgDeliveryBucketPrefix - ParameterKey: pMacieOrgDeliveryKMSKeyArn ParameterValue: !Sub '{{resolve:secretsmanager:arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${pAuditAccountId}:secret:sra/macie_org_delivery_key_arn:SecretString:MacieOrgDeliveryKeyArn:AWSCURRENT}}' Tags: - Key: sra-solution Value: !Ref pSRASolutionName rMacieConfigurationStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete DependsOn: - rMacieDisableRoleStackSet - rMacieDisableRoleStack - rMacieConfigurationIAMRoleStackSet - rMacieDeliveryS3BucketStackSet UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-macie-org-configuration.yaml Parameters: pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup pDelegatedAdminAccountId: !Ref pAuditAccountId pDisableMacie: !Ref pDisableMacie pEnabledRegions: !Ref pEnabledRegions pFindingPublishingFrequency: !Ref pFindingPublishingFrequency pKMSKeyArn: !Sub '{{resolve:secretsmanager:arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${pAuditAccountId}:secret:sra/macie_org_delivery_key_arn:SecretString:MacieOrgDeliveryKeyArn:AWSCURRENT}}' pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel pOrganizationId: !Ref pOrganizationId pPublishingDestinationBucketName: !Sub ${pMacieOrgDeliveryBucketPrefix}-${pLogArchiveAccountId}-${AWS::Region} pSRAAlarmEmail: !Ref pSRAAlarmEmail pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName Tags: - Key: sra-solution Value: !Ref pSRASolutionName