## Overview Deploy a service managed stack set to all member accounts which subscribes and configures Shield Advanced. _____ ## CloudFormation Details __Template__: `sns/cfn/org-accessable-sns-topic.yaml` __Mechanism__: `CloudFormation StackSet` __Location(s)__: `Payer Account` __Region(s)__: `All Regions` ## How it works #### Native CloudFormation SNS Topic, CloudWatch event (Cron), Lambda Function #### CloudWatch event (Cron) Driven The created CloudWatch event invokes lambda every cron rate (default 12 hour). Lambda lists all AWS accounts in the Organization and constructs a SNS Access Policy allowing CloudWatch Alarms from all member accounts to publish to the SNS topic. This is required as conditions for Org wide access are not possible for CloudWatch alarms and each source account must be specified as a unique source. ### Custom Lambda Backed On stack deployment, a custom lambda backed call is also made to Lambda. This ensures the initial configuration of SNS includes all existing accounts in the access policy. _____ ## Dependencies * [Service Managed Stack Sets](../../prerequisites.md) _____ ## Parameter details: #### CodeS3BucketPrefix Modules use this consistent value to calculate the S3 bucket where relevant code is in place. This includes lambda zip objects and other cfn templates for reference. When consumed, the local region will be added as a suffix to this value. __Required:__: Yes __Type__: String __AllowedPattern__: See [Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html). Note, the full bucket name will include the local region, ensure this value plus the longest region you intent to use is less than the maximum length for a bucket name allowed. #### CodeS3Key S3 Key path to zip file. By default, this should be the same for all parameters with this name __Required__: Yes __Type__: String __Default__: lambda.zip __Minimum__: 1 __Maximum__: 1024 #### EmergencyContactCount Number of emergency contacts to configure __Required__: Yes __Type__: Number __Default__: 1 __Minimum__: 1 __Maximum__: 2 #### EmergencyContactEmail1 E-mail address for Shield Advanced contact __Required__: Yes __Type__: String __Minimum__: 1 __Maximum__: 1024 #### EmergencyContactEmail2 E-mail address for Shield Advanced contact. __Required__: Yes __Type__: String __Minimum__: 1 __Maximum__: 1024 #### EmergencyContactPhone1 E-mail address for Shield Advanced contact __Required__: Yes __Type__: String __Minimum__: 1 __Maximum__: 1024 #### EmergencyContactPhone2 E-mail address for Shield Advanced contact __Required__: Yes __Type__: String __Minimum__: 1 __Maximum__: 1024 #### EnableProactiveEngagement If Proactive Engagement feature should be enabled. If yes, emergency contacts are also added to this feature __Required__: Yes __Type__: Boolean __Default__: True #### EnableDRTAccess If SRT IAM role and permissions should be created and configured. __Required__: Yes __Type__: Boolean __Default__: True _____ ## Deployment scripts ### Create stack Set ``` aws cloudformation create-stack-set --stack-set-name Enable-Shield-Advanced --template-body file://code/shield/enableConfigure/cfn/shield-enable-configure.yaml --capabilities CAPABILITY__AUTO__EXPAND CAPABILITY__NAMED__IAM CAPABILITY__IAM --permission-model SERVICE__MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false --parameters ParameterKey=CodeS3BucketPrefix,ParameterValue=$BucketPrefix-$PayerAccountId ParameterKey=CodeS3Key,ParameterValue=lambda.zip ParameterKey=EmergencyContactCount,ParameterValue=2 ParameterKey=EmergencyContactEmail1,ParameterValue=someone@example.com ParameterKey=EmergencyContactEmail2,ParameterValue=someone@example.com ParameterKey=EmergencyContactPhone1,ParameterValue=+15555555555 ParameterKey=EmergencyContactPhone2,ParameterValue=+15555555555 ParameterKey=EnabledProactiveEngagement,ParameterValue=true ParameterKey=EnableDRTAccess,ParameterValue=false ``` ### Add stacks to stack set ``` aws cloudformation create-stack-instances --stack-set-name Enable-Shield-Advanced --regions us-east-1 --deployment-targets OrganizationalUnitIds=$ParentRoot --operation-preferences RegionConcurrencyType=PARALLEL,MaxConcurrentPercentage=100 ```