+
Skip to content

p0-security/cf-templates

BranchesTags

Repository files navigation

cf-templates

Cloudformation templates for AWS Integration with P0 Security

Table of Contents

Setting up IAM assessment in P0 Security

Summary: We will be using a cloudformation template to deploy a stackset in order to create an IAM Role and an Access Analyzer for P0 across all children accounts for an organization. Individual stacks will be deployed to a single region across all children accounts.

In order to cover the management account, we will then deploy a single stack via the same stackset to create the role and access analyzer in the management account.

Instructions: Please copy the current directory to your local instance and execute the following using the AWS Console.

Step 1: Access CloudFormation StackSets

  1. Sign in to the AWS Management Console
  2. Navigate to the CloudFormation service
  3. In the left navigation pane, click on StackSets
  4. Click the Create StackSet button

Step 2: Choose Template

  1. Select Template is ready
  2. Choose Upload a template file
  3. Click Choose file and select the assessment-template.yaml
  4. Click Next

Step 3: Specify StackSet Details

  1. Enter a StackSet name (e.g., "P0SecurityRolesAndAnalyzers")
  2. Enter a Description (e.g., "Deploys P0 security roles across organization")
  3. Configure the parameters:
    • GoogleFederationAudience: Leave as default (102346994864456724606)
    • UnusedAccessAge: Leave as default (90) or adjust as needed
    • CreateAccessAnalyzer: Leave as default ("Yes"), only set "No" to avoid the conflict with the existing analyzer
  4. Click Next

Step 4: Configure StackSet Options

  1. Under Permissions, select Service-managed permissions
  2. Add any tags if desired (optional)
  3. For Execution configuration:
    • Choose Active for deployments to run immediately
  4. Click Next

Step 5: Set Deployment Options

  1. Under Deployment targets, select Deploy to organization
  2. For Organizational Units - optional, you can leave it empty to deploy to all accounts or specify specific OUs
  3. For Automatic deployment, select Enabled to automatically deploy to new accounts
  4. Under Specify regions, select "us-east-1"
  5. For Deployment options:
    • Maximum concurrent accounts: Choose a percentage (e.g., 25%) or number
    • Failure tolerance: Choose a percentage (e.g., 25%) or number
    • Region concurrency: Choose "Sequential" or "Parallel" based on preference
  6. Click Next

Step 6: Review and Create

  1. Review all your settings and configuration
  2. Check the acknowledgment that confirms that IAM resources might be created
  3. Click Submit

Step 7: Deploy to Management account in an organization:

  1. Modify the inline policy of the CloudFormationStackSetAdministrationRole and add the policy defined in CloudFormationStackSetAdministrationRole.json to the existing inline policy.
  2. Navigate to the CloudFormation service and to the Stacks section
  3. Create a new Stack using a new resource
  4. Use the same assessment-template.yaml to create a new Stack.
  5. Choose CloudFormationStackSetAdministrationRole to deploy this Stack.
  6. Click Submit

Setting up Resource Management in P0 Security

Summary: We will be using a cloudformation template to deploy a stackset in order to create an IAM Role for P0 across all children accounts for an organization. Individual stacks will be deployed to a single region across all the children accounts.

In order to cover the management account, we will then be deploying a stack manually via the same stackset to target the management account and create the same IAM Role for P0.

Instructions: Please copy the current directory to your local instance and execute the following using the AWS Console

Step 1: Create P0-IAMRole

Create IAMRole stack-set

For children accounts in an organization:

  1. AWS -> Management Account -> Cloudformation -> StackSets
  2. Create StackSet
    1. Service-managed permissions
    2. Upload the iam_management.json template
    3. Provide a StackSet name like P0IAMRoleStackSet
    4. Enter Google Audience ID for P0
    5. Deploy New stacks
    6. Deploy to organization (This will ONLY deploy to children accounts)
    7. Pick a single active region aka us-west-2
    8. Submit

For the management account in the organization

  1. AWS -> Management Account -> Cloudformation -> Stack
  2. Create stack with new resources
    1. Choose an existing template
    2. Upload the iam_management.json template
    3. Provide a Stack name like P0IAMRoleStack
    4. Enter the Google Audience ID for P0
    5. Submit

Step 2: Create Resource Explorer Default View

1. Create Resource Lister Role for P0 for children accounts

  1. AWS -> Cloudformation -> StackSets
  2. Create a new stackset using the 'iam_resource_lister.yaml` template
    1. Use service-managed permissions
    2. Upload the iam_resource_lister.yaml template
    3. Provide a StackSet name like P0IAMRoleListerStackSet
    4. Enter Google Audience ID for P0
    5. Enter TargetAccountID as the parent Account ID (the value doesn't really matter, it'll be overridden)
    6. Deploy new stacks
    7. Deploy to organization
    8. Specify a single region (us-west-2), its not relevant as the IAM role will be global
    9. Submit

2. Create Resource Lister Role for P0 for management account

  1. AWS -> Cloudformation -> Stack
  2. Create a new stack using existing resources
    1. Choose an existing template
    2. Upload the iam_resource_lister.yaml template
    3. Provide a Stack name like P0IAMRoleListerStack
    4. Enter Google Audience ID for P0
    5. Enter TargetAccountID as the parent Account ID
    6. Submit

B. Create Resource Explorer Local Indexes for children accounts

  1. AWS -> Cloudformation -> StackSets
  2. Create a new stackset
    1. Use service-managed permissions
    2. Upload the resource_explorer_local_index.yaml template
    3. Provide a StackSet name like LocalIndexStackSetForChildAccounts
    4. Deploy new stacks
    5. Deploy to organization
    6. Specify all active regions except one (which will be used for the aggregator index, we can use us-west-2 as the exception)
    7. Submit

C. Create Resource Explorer Local Indexes for the management account

  1. We'll be creating new IAM roles to use for self-managed permissions for the CF templates.
  2. AWS -> Cloudformation -> Stacks
  3. Create a new stack using existing resources
    1. Choose an existing template
    2. Upload the stack_set_roles.yaml template
    3. Provide a Stack Name like StackSetRoles
    4. Submit
  4. Now we'll create the local indexes in the management account
  5. AWS -> Cloudformation -> StackSets
  6. Create a new stack set
    1. Use self-service permissions
    2. Use IAM admin role created in step 3 - AWSCloudFormationStackSetAdministrationRole
    3. Use IAM execution role created in step 3 - AWSCloudFormationStackSetExecutionRole
    4. Upload same template from Step B.2 - resource_explorer_local_index.yaml
    5. Provide a StackSet name like LocalIndexStackSetForParentAccount
    6. Deploy stack sets in accounts: Put in the management account ID
    7. Specify all active regions except one (which will be used for the aggregator index, we can use us-west-2 as the exception)
    8. Submit

D. Create Resource Explorer Aggregator Index for children accounts

  1. AWS -> Cloudformation -> StackSets
  2. Create a new stackset
    1. Use service-managed permissions
    2. Upload the resource_explorer_aggregator_index.yaml template
    3. Provide a StackSet name like AggregatorIndexStackSetForChildAccounts
    4. Deploy new stacks
    5. Deploy to organization
    6. Specify the excluded active region from Step B.2.vi (e.g. us-west-2)
    7. Submit

E. Create Resource Explorer Aggregator Index for the management account

  1. We'll be using the same IAM roles as in Step C.3
  2. AWS -> Cloudformation -> StackSets
  3. Create a new stack set
    1. Use self-service permissions
    2. Use IAM admin role created in step C.3 - AWSCloudFormationStackSetAdministrationRole
    3. Use IAM execution role created in step C.3 - AWSCloudFormationStackSetExecutionRole
    4. Upload same template from Step D.2 - resource_explorer_aggregator_index.yaml
    5. Provide a StackSet name like AggregatorIndexStackSetForParentAccount
    6. Deploy stack sets in accounts: Put in the management account ID
    7. Specify the excluded active region from Step C.6.vii (e.g. us-west-2)
    8. Submit

F. Create default view in the aggregator index for children accounts

  1. AWS -> Cloudformation -> StackSets
  2. Create a new stackset
    1. Use service-managed permissions
    2. Upload the resource_explorer_view.yaml template
    3. Provide a StackSet name like ResourceExplorerViewStackSetForChildAccounts
    4. Set aggregator region to us-west-2
    5. Deploy new stacks
    6. Deploy to organization
    7. Specify the same aggregator region as Step D.2.vi
    8. Submit

G. Create default view in the aggregator index for the management account

  1. AWS -> Cloudformation -> Stacks
  2. Create a new stack using existing resources
    1. Choose an existing template
    2. Upload the resource_explorer_view.yaml template
    3. Provide a Stack name like ResourceExplorerViewStack
    4. Specify the aggregator region as Step E.3.vii (us-west-2)
    5. Enter TargetAccountID as the parent Account ID
    6. Submit

About

Cloudformation templates

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages
点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载