github aws-samples/aws-security-reference-architecture-examples v2.0.0
SRA v2.0.0

2 years ago

Contributions

  • Thank you to @tekdj7 for his collaboration in this release

Summary

  • All solutions were modified to use the new staging script and nested stacks, which simplify deployments.
  • All documentation, diagrams, templates, and Python scripts were updated for consistency across solutions.
  • Secrets Manager is used to share CloudFormation output values with the management account, where they serve as input parameters for other StackSets.
  • SNS fanout is used to scale service configuration across all accounts and regions.
  • A new Security Hub Organization solution was added with features including adding existing accounts as members, syncing enabled standards across all accounts and regions, and a region aggregator within the Control Tower home region.
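The SNS fanout pattern named in the summary, as an added illustration that is not the SRA project's own code: a configuration Lambda publishes one message per account (carrying the target region list) to a topic it is itself subscribed to, and each delivered message is processed region by region. The message fields, the `build_fanout_messages`/`handle_sns_event` names, the `configure` callback and the fake SNS client with its sample event are all assumptions constructed here so the block runs offline.

```python
"""Added example (not the SRA project's code): SNS fanout of a per-account,
per-region configuration task. Assumed message shape: {"Action", "AccountId",
"Regions"}; the handler mirrors an SNS-triggered Lambda."""
import json
from typing import Callable, Dict, Iterable, List, Tuple

VALID_ACTIONS = {"enable", "disable"}  # assumed action vocabulary


def build_fanout_messages(account_ids: Iterable[str], regions: Iterable[str], action: str) -> List[Dict]:
    """One message per account carrying the full region list, so a single
    consumer invocation handles every region for that account. Accounts are
    de-duplicated so no account is configured twice, and bad input is rejected
    before anything is published."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    region_list = sorted(set(regions))
    if not region_list:
        raise ValueError("at least one region is required")
    messages = []
    for account_id in sorted(set(account_ids)):
        if not (len(account_id) == 12 and account_id.isdigit()):
            raise ValueError(f"invalid account id {account_id!r}")
        messages.append({"Action": action, "AccountId": account_id, "Regions": region_list})
    return messages


def publish_fanout(sns_client, topic_arn: str, messages: List[Dict]) -> int:
    """Producer side. `sns_client` is anything with boto3's
    publish(TopicArn=..., Message=...) signature, so a fake can be injected."""
    for message in messages:
        sns_client.publish(TopicArn=topic_arn, Message=json.dumps(message))
    return len(messages)


def handle_sns_event(event: Dict, configure: Callable[[str, str, str], None]) -> List[Tuple[str, str]]:
    """Consumer side: an SNS-triggered Lambda gets one record per message and
    calls configure(account_id, region, action) for each region. Returns the
    (account, region) pairs processed; an unknown action fails the invocation
    instead of being skipped silently."""
    processed = []
    for record in event.get("Records", []):
        body = json.loads(record["Sns"]["Message"])
        if body["Action"] not in VALID_ACTIONS:
            raise ValueError(f"unknown action in message: {body['Action']!r}")
        for region in body["Regions"]:
            configure(body["AccountId"], region, body["Action"])
            processed.append((body["AccountId"], region))
    return processed


class FakeSns:
    """Constructed stand-in for the SNS client: records publishes and replays
    them in the event shape SNS hands to a subscribed Lambda."""

    def __init__(self) -> None:
        self.published: List[Dict[str, str]] = []

    def publish(self, TopicArn: str, Message: str) -> Dict[str, str]:
        self.published.append({"TopicArn": TopicArn, "Message": Message})
        return {"MessageId": f"msg-{len(self.published)}"}

    def as_lambda_event(self) -> Dict:
        return {"Records": [{"Sns": p} for p in self.published]}


def demo() -> List[Tuple[str, str]]:
    """Constructed run: disable a service in two accounts (one listed twice)
    across two regions, then consume the resulting event."""
    sns = FakeSns()
    topic = "arn:aws:sns:us-east-1:111111111111:sra-fanout"  # constructed ARN
    messages = build_fanout_messages(
        ["222222222222", "111111111111", "111111111111"], ["us-west-2", "us-east-1"], "disable")
    publish_fanout(sns, topic, messages)
    return handle_sns_event(sns.as_lambda_event(), lambda acct, region, action: None)


if __name__ == "__main__":
    print(demo())
```

Injecting the client rather than creating it inside the functions is what makes the producer and consumer testable without AWS credentials; in a real deployment `boto3.client("sns")` is passed in and the same Lambda function serves as both publisher and subscriber.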

What was added?

  • Added new document DOWNLOAD-AND-STAGE-SOLUTIONS.md to explain the steps for downloading the SRA example code and staging the solutions within the S3 staging bucket.
  • Added the Security Hub Organization solution, which configures Security Hub through AWS Organizations. All existing accounts are added as members of the central admin account, standards are enabled or
    disabled per the provided parameters, a region aggregator is created per the provided parameter, and a parameter is provided for disabling Security Hub within all accounts and regions via SNS fanout.
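The three Security Hub Organization steps above (add existing members, sync standards, create a region aggregator), as an added example that is not the project's own code. The `client` argument is any object exposing the boto3 SecurityHub calls used here; the in-memory `FakeSecurityHub`, the sample account list and the standard ARNs are constructed input, and the 50-account batch size is an assumption.

```python
"""Added example (not the SRA project's code): the Security Hub organization
steps with an injected client. `client` is any object exposing the boto3
SecurityHub calls used here, so the constructed fake below runs offline."""
from typing import Dict, List, Set

# Standard ARNs in the format AWS publishes; used here only as constructed input.
AFSBP = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
CIS_120 = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
PCI_DSS = "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"
MEMBER_BATCH = 50  # assumed batch size for create_members


def add_existing_accounts(client, accounts: List[Dict[str, str]]) -> int:
    """Turn on auto-enable for future accounts, then register every existing
    account as a member of the admin account in batches."""
    client.update_organization_configuration(AutoEnable=True)
    for start in range(0, len(accounts), MEMBER_BATCH):
        batch = accounts[start:start + MEMBER_BATCH]
        client.create_members(AccountDetails=[{"AccountId": a["AccountId"], "Email": a["Email"]} for a in batch])
    return len(accounts)


def sync_standards(client, desired: Set[str]) -> Dict[str, List[str]]:
    """Make the standards enabled in this region equal `desired`: enable what is
    missing and disable what is on but not wanted. Run once per account and
    region to keep them in sync. Returns the diff that was applied."""
    subs = client.get_enabled_standards()["StandardsSubscriptions"]
    enabled = {s["StandardsArn"]: s["StandardsSubscriptionArn"] for s in subs}
    to_enable = sorted(desired - enabled.keys())
    to_disable = sorted(enabled.keys() - desired)
    if to_enable:
        client.batch_enable_standards(
            StandardsSubscriptionRequests=[{"StandardsArn": arn} for arn in to_enable])
    if to_disable:
        client.batch_disable_standards(StandardsSubscriptionArns=[enabled[arn] for arn in to_disable])
    return {"enabled": to_enable, "disabled": to_disable}


def create_home_region_aggregator(client) -> str:
    """Link findings from every region into the region the client points at."""
    return client.create_finding_aggregator(RegionLinkingMode="ALL_REGIONS")["FindingAggregatorArn"]


class FakeSecurityHub:
    """Constructed in-memory stand-in: tracks members and subscriptions."""

    def __init__(self, enabled: Dict[str, str]) -> None:
        self.enabled = dict(enabled)  # StandardsArn -> StandardsSubscriptionArn
        self.members: List[str] = []
        self.auto_enable = False
        self.aggregator_mode = None

    def update_organization_configuration(self, AutoEnable: bool) -> Dict:
        self.auto_enable = AutoEnable
        return {}

    def create_members(self, AccountDetails: List[Dict[str, str]]) -> Dict:
        self.members.extend(a["AccountId"] for a in AccountDetails)
        return {"UnprocessedAccounts": []}

    def get_enabled_standards(self) -> Dict:
        return {"StandardsSubscriptions": [
            {"StandardsArn": arn, "StandardsSubscriptionArn": sub, "StandardsStatus": "READY"}
            for arn, sub in self.enabled.items()]}

    def batch_enable_standards(self, StandardsSubscriptionRequests: List[Dict]) -> Dict:
        for req in StandardsSubscriptionRequests:
            self.enabled[req["StandardsArn"]] = f"sub/{len(self.enabled) + 1}"
        return {"StandardsSubscriptions": []}

    def batch_disable_standards(self, StandardsSubscriptionArns: List[str]) -> Dict:
        self.enabled = {a: s for a, s in self.enabled.items() if s not in StandardsSubscriptionArns}
        return {"StandardsSubscriptions": []}

    def create_finding_aggregator(self, RegionLinkingMode: str, Regions=None) -> Dict:
        self.aggregator_mode = RegionLinkingMode
        return {"FindingAggregatorArn": "arn:aws:securityhub:us-east-1:111111111111:finding-aggregator/constructed"}


def demo() -> Dict:
    """Constructed run: CIS and PCI are on, the desired set is AFSBP + CIS."""
    hub = FakeSecurityHub({CIS_120: "sub/cis", PCI_DSS: "sub/pci"})
    added = add_existing_accounts(hub, [
        {"AccountId": "111111111111", "Email": "a@example.com"},
        {"AccountId": "222222222222", "Email": "b@example.com"}])
    diff = sync_standards(hub, {AFSBP, CIS_120})
    create_home_region_aggregator(hub)
    return {"added": added, "diff": diff, "now_enabled": sorted(hub.enabled), "aggregator": hub.aggregator_mode}


if __name__ == "__main__":
    print(demo())
```

The sync is a set difference against what `get_enabled_standards` reports, which is what lets the same code run in every account and region and converge on the parameterised standard list; a standard that was enabled by hand but is not in the desired set is disabled, which is the intended behaviour of a sync rather than an enable-only step.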

What was changed?

  • Updated the CFCT-DEPLOYMENT-INSTRUCTIONS.md document to remove references to the common_cfct_setup solution.
  • CloudTrail solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Added integration with Secrets Manager to share CloudFormation output values with the management account.
    • Updated the bucket policy to use the aws:SourceArn condition, aligning it with the updated AWS documentation for the Organization Trail Bucket Policy.
    • Updated the CFCT configuration to use the main templates and parameters.
  • Common CFCT Setup solution
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Removed the Lambda function that created a new OU and moved the management account. This is no longer required due to the latest version of the CFCT solution supporting deployments to the management account within the root OU.
  • Common Prerequisites solution
    • Added a template to create a KMS key for sharing CloudFormation outputs via Secrets Manager secrets.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Updated the staging bucket policy to fix the reference to the AWSControlTowerExecution role ARN.
    • Added SRA version parameter to main templates for triggering updates to StackSets.
    • Added logic within the descriptions to reference the rControlTowerExecutionRoleStack resource if the cCreateAWSControlTowerExecutionRole condition is met. This logic avoids creating an empty stack when the condition is false.
  • Common Register Delegated Administrator solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Updated the CFCT configuration to use the main templates and parameters.
    • Added integration with Secrets Manager to share CloudFormation output values with the management account.
    • Updated the Lambda function to align with latest coding standards.
  • AWS Config Aggregator solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated the CFCT configuration to use the main templates and parameters.
    • Added pRegisterDelegatedAdminAccount parameter to determine whether or not to register the delegated administrator account. This allows the delegated administrator account to be registered outside of this solution.
  • AWS Config Conformance Pack solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Updated the CFCT configuration to use the main templates and parameters.
    • Added pRegisterDelegatedAdminAccount parameter to determine whether or not to register the delegated administrator account.
    • Moved the list_config_recorder_status.py script from the utils/aws_control_tower/helper_scripts to the solution scripts folder.
    • Updated and moved the Operational-Best-Practices-for-Encryption-and-Keys.yaml conformance pack template to the templates/aws_config_conformance_packs folder.
  • AWS Config Management Account solution
    • Added SRA version parameter to main templates for triggering updates to StackSets.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • EC2 Default EBS Encryption solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • Firewall Manager solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • GuardDuty solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Added a parameter and logic to disable GuardDuty within all accounts and regions using SNS fanout.
  • IAM Access Analyzer solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • IAM Password Policy solution
    • Renamed the solution and its files to remove the _acct suffix.
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • Macie solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Added a parameter and logic to disable Macie within all accounts and regions using SNS fanout.
  • S3 Block Account Public Access solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
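The CloudTrail bucket-policy change (pinning the CloudTrail service principal's grants to one trail with aws:SourceArn), as an added example that is not the project's own template: a builder for the organization-trail policy shape AWS documents, beside a check that flags any statement granting cloudtrail.amazonaws.com without aws:SourceArn or aws:SourceAccount. The bucket name, account ID, organization ID, trail ARN and the "before" policy are constructed here; the function names are assumptions.

```python
"""Added example (not the SRA project's code): an organization-trail S3
bucket policy whose grants to the CloudTrail service principal are pinned to
one trail ARN with aws:SourceArn, plus a check for statements that are not.
Bucket, account, organization and trail names below are constructed."""
import json
from typing import Dict, List

CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}


def org_trail_bucket_policy(bucket: str, mgmt_account_id: str, org_id: str, trail_arn: str) -> Dict:
    """Organization-trail policy: the ACL check plus writes to the management
    account and organization log prefixes. Every statement carries
    aws:SourceArn = trail_arn, the confused-deputy guard AWS documents for the
    CloudTrail service principal, so only that trail can use these grants."""
    pinned = {"aws:SourceArn": trail_arn}
    write = {"s3:x-amz-acl": "bucket-owner-full-control", **pinned}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": CLOUDTRAIL_PRINCIPAL,
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringEquals": pinned}},
        {"Sid": "AWSCloudTrailWriteManagementAccount", "Effect": "Allow", "Principal": CLOUDTRAIL_PRINCIPAL,
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{mgmt_account_id}/*",
         "Condition": {"StringEquals": write}},
        {"Sid": "AWSCloudTrailWriteOrganization", "Effect": "Allow", "Principal": CLOUDTRAIL_PRINCIPAL,
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*",
         "Condition": {"StringEquals": write}},
    ]}


def _services(principal) -> List[str]:
    """Normalise the Principal element to a list of service principals."""
    if principal == "*":
        return ["*"]
    svc = principal.get("Service", []) if isinstance(principal, dict) else []
    return [svc] if isinstance(svc, str) else list(svc)


def unpinned_cloudtrail_grants(policy: Dict) -> List[str]:
    """Sids of Allow statements that grant cloudtrail.amazonaws.com (or '*')
    with no aws:SourceArn / aws:SourceAccount condition, i.e. grants the
    service could exercise on behalf of trails the bucket owner never chose."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = _services(stmt.get("Principal", {}))
        if "cloudtrail.amazonaws.com" not in services and "*" not in services:
            continue
        keys = {key.lower() for block in stmt.get("Condition", {}).values()
                if isinstance(block, dict) for key in block}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed "before" policy: the older shape that only requires the
# bucket-owner-full-control ACL header on writes and pins nothing to a trail.
LEGACY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": CLOUDTRAIL_PRINCIPAL,
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-org-trail-logs"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": CLOUDTRAIL_PRINCIPAL,
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-org-trail-logs/AWSLogs/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]}


def demo() -> Dict[str, List[str]]:
    """Constructed run: check the legacy policy and the hardened one."""
    hardened = org_trail_bucket_policy(
        "example-org-trail-logs", "111111111111", "o-exampleorgid",
        "arn:aws:cloudtrail:us-east-1:111111111111:trail/sra-org-trail")
    json.dumps(hardened)  # must serialise cleanly for PutBucketPolicy
    return {"legacy": unpinned_cloudtrail_grants(LEGACY_POLICY),
            "hardened": unpinned_cloudtrail_grants(hardened)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is worth running over every logging bucket policy in a CloudFormation template, not only CloudTrail's: any statement whose principal is a service and whose condition block names neither aws:SourceArn nor aws:SourceAccount is a candidate for the same tightening.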

What was removed?

  • The Account Security Hub Enabler solution was replaced with the Security Hub Organization solution.
  • The package-lambda.sh script was replaced by the stage_solution.sh script.
  • The Prerequisites for AWS Control Tower solutions files were replaced with the Common Prerequisites solution.

What was fixed?


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
