chore: in blueprint, update SCPs

* protect all LZA resource on member accounts
* allow only the use of global services in us-east-1
* enable quarantining new accounts

Author: schnipseljagd

blueprints/foundational/config.ts

@@ -275,6 +275,18 @@ export const templates: Template[] = [
     fileName: 'organization-config.yaml',
     parameters: {
       organizationalUnits,
+      denyGlobalRegionScpTargets: {
+        organizationalUnits: organizationalUnits
+          .filter((ou) => !ou.name.includes('/')) // pick only top-level OUs
+          .filter((ou) => !ou.ignore) // ignore OUs that are not managed by the LZA
+          .map((ou) => ou.name),
+      },
+      denyAllRegionsExceptEnabledRegionsScpTargets: {
+        organizationalUnits: organizationalUnits
+          .filter((ou) => !ou.name.includes('/')) // pick only top-level OUs
+          .filter((ou) => !ou.ignore) // ignore OUs that are not managed by the LZA
+          .map((ou) => ou.name),
+      },
     },
   },
   {
@@ -290,6 +302,19 @@ export const templates: Template[] = [
       environments: Object.values(environments),
     },
   },
+  {
+    fileName: 'service-control-policies/deny-global-region.json',
+    parameters: {
+      globalRegion: GLOBAL_REGION,
+    },
+  },
+  {
+    fileName:
+      'service-control-policies/deny-all-regions-except-enabled-regions.json',
+    parameters: {
+      enabledRegions: ENABLED_REGIONS,
+    },
+  },
 ];
 
 export const config: Config = {

blueprints/foundational/docs/runbooks/assume-control-tower-execution-role.md

@@ -0,0 +1,24 @@
+# Assume Control Tower Execution Role
+
+On member accounts of the AWS organization there are some custom guardrails in place that prevent even users with `AdministratorAccess` from specific actions like e.g., deleting a CloudFormation stack with an `LzaCustomization-` prefix.
+Therefore, to perform certain operations, you may need to assume the **Control Tower Execution Role**.
+This is particularly useful during development or debugging of LZA Customization stacks.
+
+## Requirements
+
+- You can access the `Management` account with `AdministratorAccess`.
+- You have the **account ID** of the target account in which you want to assume the `AWSControlTowerExecution` role.
+
+## Steps
+
+1. Open <https://<<AWS_IDENTITY_STORE_ID>>.awsapps.com/start>.
+2. You should see a list of AWS accounts that you have access to.
+3. Note down the **account ID** of the target account where you want to assume the role.
+4. Log in to the `Management` account with an admin permission set.
+5. In the upper-right corner of the AWS Console, click on your username and then the arrow next to **Add session**.
+6. Enter the **Account ID** of the target account.
+7. Select the `AWSControlTowerExecution` role.
+8. (Optional) Enter a display name for the session.
+9. (Optional) Choose a display color to help distinguish this session.
+10. Click **Switch role**.
+11. The session will now be available in the session menu for quick access in the future.

blueprints/foundational/templates/organization-config.yaml.liquid

@@ -4,37 +4,67 @@ organizationalUnits:
   - name: <% organizationalUnit.name %>
     {% if organizationalUnit.ignore %}ignore: true{% endif %}
   {% endfor %}
+# Enabling the quarantine service control policies (SCPs)
+quarantineNewAccounts:
+  enable: true
+  scpPolicyName: Quarantine
 serviceControlPolicies:
   # Foundational hardening: organization hardening SCPs
-  # Source: https://aws.amazon.com/solutions/guidance/establishing-an-initial-foundation-using-control-tower-on-aws
-  - name: PreventLeavingOrganization
-    description: Prevent member accounts from leaving the organization.
-    policy: ./service-control-policies/prevent-leaving-organization.json
+  # Sources:
+  #  - https://aws.amazon.com/solutions/guidance/establishing-an-initial-foundation-using-control-tower-on-aws
+  #  - https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#disallow-root-access-keys
+  - name: OrganizationHardening
+    description: >
+      - Prevent member accounts from leaving the organization.
+      - Prevents users from creating resource shares that allow sharing with IAM users and roles that aren't part of the organization.
+      - Secures your AWS accounts by disallowing creation of access keys for the root user.
+    policy: service-control-policies/organization-hardening.json
     type: customerManaged
     deploymentTargets:
       organizationalUnits:
         - Root
-  - name: PreventExternalSharing
-    description: Prevents users from creating resource shares that allow sharing with IAM users and roles that aren't part of the organization.
-    policy: ./service-control-policies/prevent-external-sharing.json
+  # Denies access to the global AWS region
+  - name: DenyGlobalRegion
+    description: Prevents the use of the global region except for global services.
+    policy: service-control-policies/deny-global-region.json
+    type: customerManaged
+    deploymentTargets:
+      organizationalUnits: <% denyGlobalRegionScpTargets.organizationalUnits | json %>
+  # Denies access to not allowed regions
+  - name: DenyAllRegionsExceptEnabledRegions
+    description: Prevents the use of any regions that are not enabled in the LZA configuration.
+    policy: service-control-policies/deny-all-regions-except-enabled-regions.json
+    type: customerManaged
+    deploymentTargets:
+      organizationalUnits: <% denyAllRegionsExceptEnabledRegionsScpTargets.organizationalUnits | json %>
+  # Best practices from the GovCloud Example (see: https://awslabs.github.io/landing-zone-accelerator-on-aws/v1.9.0/sample-configurations/govcloud-us/security-controls/)
+  - name: LzaGuardrails1
+    description: This protects LZA resources from being modified.
+    policy: service-control-policies/lza-guardrails-1.json
     type: customerManaged
     deploymentTargets:
       organizationalUnits:
-        # This should be set to Root, however:
-        # Currently, IPAM resource share sets AllowExternalPrincipals to true,
-        # and there is no way to deactivate it.
-        # See: https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/230
-        - Sandbox
-        - Security
-        - Workloads
-  # https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#disallow-root-access-keys
-  - name: GrRestrictRootUserAccessKeys
-    description: Secures your AWS accounts by disallowing creation of access keys for the root user.
-    policy: ./service-control-policies/restrict-root-user-access-keys.json
+        - Root
+  - name: LzaGuardrails2
+    description: This protects LZA resources from being modified and prevents the creation and use of roles managed by the LZA.
+    policy: service-control-policies/lza-guardrails-2.json
     type: customerManaged
     deploymentTargets:
       organizationalUnits:
         - Root
+  - name: CustomizationsGuardrails
+    description: This protects Customizations resources from being modified and prevents the creation and use of roles managed by the Customizations.
+    policy: service-control-policies/customizations-guardrails.json
+    type: customerManaged
+    deploymentTargets:
+      organizationalUnits:
+        - Root
+  - name: Quarantine
+    description: This SCP is used to prevent changes to new accounts until the Accelerator has been executed successfully. This policy will be applied upon account creation if enabled.
+    policy: service-control-policies/quarantine.json
+    type: customerManaged
+    deploymentTargets:
+      organizationalUnits: []
 taggingPolicies:
   - name: EnforceDefaultTags
     description: Enforce default tags organization wide.

blueprints/foundational/templates/service-control-policies/customizations-guardrails.json

@@ -0,0 +1,114 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "LambdaStatement",
+      "Effect": "Deny",
+      "Action": [
+        "lambda:AddPermission",
+        "lambda:CreateEventSourceMapping",
+        "lambda:CreateFunction",
+        "lambda:DeleteEventSourceMapping",
+        "lambda:DeleteFunction",
+        "lambda:DeleteFunctionConcurrency",
+        "lambda:Invoke*",
+        "lambda:PutFunctionConcurrency",
+        "lambda:RemovePermission",
+        "lambda:UpdateEventSourceMapping",
+        "lambda:UpdateFunctionCode",
+        "lambda:UpdateFunctionConfiguration"
+      ],
+      "Resource": "arn:${PARTITION}:lambda:*:*:function:LzaCustomization-*",
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:${PARTITION}:iam::*:role/LzaCustomization-*",
+            "arn:${PARTITION}:iam::*:role/${ACCELERATOR_PREFIX}-*",
+            "arn:${PARTITION}:iam::*:role/${MANAGEMENT_ACCOUNT_ACCESS_ROLE}",
+            "arn:${PARTITION}:iam::*:role/cdk-accel-*"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "PreventCloudWatchLogsModification",
+      "Effect": "Deny",
+      "Action": [
+        "logs:DisassociateKmsKey",
+        "logs:DeleteLogGroup",
+        "logs:DeleteRetentionPolicy",
+        "logs:AssociateKmsKey",
+        "logs:PutRetentionPolicy",
+        "logs:CreateLogGroup"
+      ],
+      "Resource": [
+        "arn:${PARTITION}:logs:*:*:log-group:LzaCustomization-*",
+        "arn:${PARTITION}:logs:*:*:log-group:/aws/lambda/LzaCustomization-*"
+      ],
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:${PARTITION}:iam::*:role/LzaCustomization-*",
+            "arn:${PARTITION}:iam::*:role/${ACCELERATOR_PREFIX}-*",
+            "arn:${PARTITION}:iam::*:role/${MANAGEMENT_ACCOUNT_ACCESS_ROLE}",
+            "arn:${PARTITION}:iam::*:role/cdk-accel-*"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "PreventCloudWatchLogStreamModification",
+      "Effect": "Deny",
+      "Action": ["logs:DeleteLogStream"],
+      "Resource": [
+        "arn:${PARTITION}:logs:*:*:log-group:LzaCustomization-*:log-stream:*",
+        "arn:${PARTITION}:logs:*:*:log-group:/aws/lambda/LzaCustomization-*:log-stream:*"
+      ],
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:${PARTITION}:iam::*:role/LzaCustomization-*",
+            "arn:${PARTITION}:iam::*:role/${ACCELERATOR_PREFIX}-*",
+            "arn:${PARTITION}:iam::*:role/${MANAGEMENT_ACCOUNT_ACCESS_ROLE}",
+            "arn:${PARTITION}:iam::*:role/cdk-accel-*"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "IamRolesStatement",
+      "Effect": "Deny",
+      "Action": ["iam:*"],
+      "Resource": [
+        "arn:${PARTITION}:iam::*:role/LzaCustomization-*"
+      ],
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:${PARTITION}:iam::*:role/LzaCustomization-*",
+            "arn:${PARTITION}:iam::*:role/${ACCELERATOR_PREFIX}-*",
+            "arn:${PARTITION}:iam::*:role/cdk-accel-*",
+            "arn:${PARTITION}:iam::*:role/${MANAGEMENT_ACCOUNT_ACCESS_ROLE}",
+            "arn:${PARTITION}:iam::*:role/AWSServiceRoleForConfig"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "CloudFormationStatement",
+      "Effect": "Deny",
+      "Action": ["cloudformation:Delete*"],
+      "Resource": "arn:${PARTITION}:cloudformation:*:*:stack/LzaCustomization-*",
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:${PARTITION}:iam::*:role/LzaCustomization-*",
+            "arn:${PARTITION}:iam::*:role/${ACCELERATOR_PREFIX}-*",
+            "arn:${PARTITION}:iam::*:role/${MANAGEMENT_ACCOUNT_ACCESS_ROLE}",
+            "arn:${PARTITION}:iam::*:role/cdk-accel-*"
+          ]
+        }
+      }
+    }
+  ]
+}

blueprints/foundational/templates/service-control-policies/deny-all-regions-except-enabled-regions.json.liquid

@@ -0,0 +1,20 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Condition": {
+        "StringNotEquals": {
+          "aws:RequestedRegion": <% enabledRegions | json %>
+        },
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:${PARTITION}:iam::*:role/${MANAGEMENT_ACCOUNT_ACCESS_ROLE}"
+          ]
+        }
+      },
+      "Resource": "*",
+      "Effect": "Deny",
+      "Action": "*"
+    }
+  ]
+}

blueprints/foundational/templates/service-control-policies/deny-global-region.json.liquid

@@ -0,0 +1,111 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Condition": {
+        "StringEquals": {
+          "aws:RequestedRegion": [<% globalRegion | json %>]
+        },
+        "ArnNotLike": {
+          "aws:PrincipalARN": [
+            "arn:${PARTITION}:iam::*:role/LzaCustomization-*",
+            "arn:${PARTITION}:iam::*:role/${ACCELERATOR_PREFIX}-*",
+            "arn:${PARTITION}:iam::*:role/${MANAGEMENT_ACCOUNT_ACCESS_ROLE}",
+            "arn:${PARTITION}:iam::*:role/cdk-accel-*"
+          ]
+        }
+      },
+      "Resource": "*",
+      "Effect": "Deny",
+      "NotAction": [
+        "a4b:*",
+        "access-analyzer:*",
+        "account:*",
+        "acm:*",
+        "activate:*",
+        "artifact:*",
+        "aws-marketplace-management:*",
+        "aws-marketplace:*",
+        "aws-portal:*",
+        "billing:*",
+        "billingconductor:*",
+        "budgets:*",
+        "ce:*",
+        "chatbot:*",
+        "chime:*",
+        "cloudformation:*",
+        "cloudfront:*",
+        "cloudtrail:LookupEvents",
+        "compute-optimizer:*",
+        "config:*",
+        "consoleapp:*",
+        "consolidatedbilling:*",
+        "cur:*",
+        "datapipeline:GetAccountLimits",
+        "devicefarm:*",
+        "directconnect:*",
+        "ec2:DescribeRegions",
+        "ec2:DescribeTransitGateways",
+        "ec2:DescribeVpnGateways",
+        "ecr-public:*",
+        "fms:*",
+        "freetier:*",
+        "globalaccelerator:*",
+        "health:*",
+        "iam:*",
+        "importexport:*",
+        "invoicing:*",
+        "iq:*",
+        "kms:*",
+        "license-manager:ListReceivedLicenses",
+        "lightsail:Get*",
+        "mobileanalytics:*",
+        "networkmanager:*",
+        "notifications-contacts:*",
+        "notifications:*",
+        "organizations:*",
+        "payments:*",
+        "pricing:*",
+        "quicksight:DescribeAccountSubscription",
+        "resource-explorer-2:*",
+        "route53-recovery-cluster:*",
+        "route53-recovery-control-config:*",
+        "route53-recovery-readiness:*",
+        "route53:*",
+        "route53domains:*",
+        "s3:CreateMultiRegionAccessPoint",
+        "s3:DeleteMultiRegionAccessPoint",
+        "s3:DescribeMultiRegionAccessPointOperation",
+        "s3:GetAccountPublicAccessBlock",
+        "s3:GetBucketLocation",
+        "s3:GetBucketPolicyStatus",
+        "s3:GetBucketPublicAccessBlock",
+        "s3:GetMultiRegionAccessPoint",
+        "s3:GetMultiRegionAccessPointPolicy",
+        "s3:GetMultiRegionAccessPointPolicyStatus",
+        "s3:GetStorageLensConfiguration",
+        "s3:GetStorageLensDashboard",
+        "s3:ListAllMyBuckets",
+        "s3:ListMultiRegionAccessPoints",
+        "s3:ListStorageLensConfigurations",
+        "s3:PutAccountPublicAccessBlock",
+        "s3:PutMultiRegionAccessPointPolicy",
+        "savingsplans:*",
+        "shield:*",
+        "sso:*",
+        "sts:*",
+        "support:*",
+        "supportapp:*",
+        "supportplans:*",
+        "sustainability:*",
+        "tag:GetResources",
+        "tax:*",
+        "trustedadvisor:*",
+        "vendor-insights:ListEntitledSecurityProfiles",
+        "waf-regional:*",
+        "waf:*",
+        "wafv2:*"
+      ]
+    }
+  ]
+}