diff --git a/VISION.md b/VISION.md index 2df5071..3de2fdb 100644 --- a/VISION.md +++ b/VISION.md @@ -49,7 +49,7 @@ Root - [ ] Security Hub - [ ] GuardDuty - [ ] Macie - - [ ] Config + - [x] Config - [ ] Access Analyzer - [ ] Access Logs - [ ] DNS Logs @@ -61,23 +61,23 @@ Root - [x] Org CloudTrail - [x] CLI: - [x] Start Logging - - Stack 2: Source of Truth - - Security Hub - - Inspector - - Artifact - - Audit Manager - - Config Aggregator - - Event Bridge - - Firewall Manager - - Lambda (response) - - Detective - - Private CA + - [ ]Stack 2: Source of Truth + - [ ] Security Hub + - [ ] Inspector + - [ ] Artifact + - [ ] Audit Manager + - [ ] Config Aggregator + - [ ] Event Bridge + - [ ] Firewall Manager + - [ ] Lambda (response) + - [ ] Detective + - [ ] Private CA - Stack 3: Local - - Security Hub - - GuardDuty - - Macie - - Config - - Access Analyzer + - [ ] Security Hub + - [ ] GuardDuty + - [ ] Macie + - [x] Config + - [ ] Access Analyzer - Network Account - Stack 1: @@ -93,11 +93,11 @@ Root - Resolver DNS - Network Access Analyzer - Stack 2: Local - - Security Hub - - GuardDuty - - Macie - - Config - - Access Analyzer + - [ ] Security Hub + - [ ] GuardDuty + - [ ] Macie + - [x] Config + - [ ] Access Analyzer - Shared Account - Stack 1: @@ -105,11 +105,11 @@ Root - Identity Center - Systems Manager - Stack 2: Local - - Security Hub - - GuardDuty - - Macie - - Config - - Access Analyzer + - [ ] Security Hub + - [ ] GuardDuty + - [ ] Macie + - [x] Config + - [ ] Access Analyzer - Forensics Account - Stack 1: @@ -124,11 +124,11 @@ Root - Management Account: - Stack 3: Local - - Security Hub - - GuardDuty - - Macie - - Config - - Access Analyzer + - [ ] Security Hub + - [ ] GuardDuty + - [ ] Macie + - [x] Config + - [ ] Access Analyzer ### Setup PIPELINE diff --git a/src/deploy.ts b/src/deploy.ts index 5e2d9ce..9896319 100644 --- a/src/deploy.ts +++ b/src/deploy.ts 
@@ -69,6 +69,8 @@ new LogarchiveAccountStack2(app, 'p6-lz-logarchive-2', {
 account: logarchiveAccountId,
 region: env.region,
 },
+ principals,
+ centralBucketArn: organizationStack.centralBucketArn,
 })
 
 // Audit Account
@@ -111,6 +113,8 @@ new NetworkAccountStack2(app, 'p6-lz-network-2', {
 account: networkAccountId,
 region: env.region,
 },
+ principals,
+ centralBucketArn: organizationStack.centralBucketArn,
 })
 
 // Shared Account
@@ -128,6 +132,8 @@ new SharedAccountStack2(app, 'p6-lz-shared-2', {
 account: sharedAccountId,
 region: env.region,
 },
+ principals,
+ centralBucketArn: organizationStack.centralBucketArn,
 })
 
 // Management Account
diff --git a/src/stacks/audit-1.ts b/src/stacks/audit-1.ts
index c14a584..f98a8dc 100644
--- a/src/stacks/audit-1.ts
+++ b/src/stacks/audit-1.ts
@@ -20,7 +20,7 @@ export class AuditAccountStack1 extends cdk.Stack {
 })
 
 const cw = new P6LzSraCloudWatch(this, 'P6LzSraCloudWatch', {
- accountAlias: 'p6m7g8-audit',
+ accountAlias: props.accountAlias,
 })
 
 const bucket = s3.Bucket.fromBucketArn(this, 'CentralBucket', props.centralBucketArn.toString())
diff --git a/src/stacks/logarchive-2.ts b/src/stacks/logarchive-2.ts
index a742fd8..5b6e3dd 100644
--- a/src/stacks/logarchive-2.ts
+++ b/src/stacks/logarchive-2.ts
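Review bot: `centralBucketArn: organizationStack.centralBucketArn` is passed from the organization stack into a stack whose `env.account` is a different account (logarchiveAccountId here, and likewise networkAccountId and sharedAccountId in the next two hunks of this file). CDK does not support cross-stack references between stacks in different accounts, so this synthesizes only if the property is already a concrete string rather than an unresolved deploy-time token; the hunk does not show its type, so please confirm and record it on the property, e.g. `/** ARN of the central log bucket as a resolved string; consumed by stacks in other accounts, so it must never be a deploy-time token. */`. The same `principals` value is handed to all three Stack2 instances; if it governs who may write to the central log bucket, keeping it to the minimum required set keeps the log archive tamper-resistant. The `new LogarchiveAccountStack2(...)` statement starts outside the hunk.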
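Review bot: `accountAlias: props.accountAlias` replaces a literal, but this diff does not touch the props interface of AuditAccountStack1, so `accountAlias` must already be declared there; if it is declared optional, a caller that omits it now produces an `undefined` alias where the build previously always had one, and the failure would surface only at deploy time. If that is the case, make it required on the props interface rather than defaulting at this call site, so every account stack carries an explicit alias. The constructor of AuditAccountStack1 begins and ends outside the hunk.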
@@ -1,10 +1,20 @@
 import type { Construct } from 'constructs'
+import type { LogarchiveBucketArn, ShareWithOrg } from '../types'
 import * as cdk from 'aws-cdk-lib'
+import * as s3 from 'aws-cdk-lib/aws-s3'
+import { P6LzSraConfig } from '../constructs/p6-lz-sra-config'
 
-interface LogarchiveAccountStack2Props extends cdk.StackProps {}
+interface LogarchiveAccountStack2Props extends cdk.StackProps, LogarchiveBucketArn, ShareWithOrg {}
 
 export class LogarchiveAccountStack2 extends cdk.Stack {
 constructor(scope: Construct, id: string, props: LogarchiveAccountStack2Props) {
 super(scope, id, props)
+
+ const bucket = s3.Bucket.fromBucketArn(this, 'CentralBucket', props.centralBucketArn.toString())
+
+ new P6LzSraConfig(this, 'P6LzSraConfig', {
+ principals: props.principals,
+ centralBucket: bucket,
+ })
 }
 }
diff --git a/src/stacks/network-2.ts b/src/stacks/network-2.ts
index 976836c..51e82d6 100644
--- a/src/stacks/network-2.ts
+++ b/src/stacks/network-2.ts
@@ -1,10 +1,20 @@
 import type { Construct } from 'constructs'
+import type { LogarchiveBucketArn, ShareWithOrg } from './../types'
 import * as cdk from 'aws-cdk-lib'
+import * as s3 from 'aws-cdk-lib/aws-s3'
+import { P6LzSraConfig } from '../constructs/p6-lz-sra-config'
 
-interface NetworkAccountStack2Props extends cdk.StackProps {}
+interface NetworkAccountStack2Props extends cdk.StackProps, LogarchiveBucketArn, ShareWithOrg {}
 
 export class NetworkAccountStack2 extends cdk.Stack {
 constructor(scope: Construct, id: string, props: NetworkAccountStack2Props) {
 super(scope, id, props)
+
+ const bucket = s3.Bucket.fromBucketArn(this, 'CentralBucket', props.centralBucketArn.toString())
+
+ new P6LzSraConfig(this, 'P6LzSraConfig', {
+ principals: props.principals,
+ centralBucket: bucket,
+ })
 }
 }
diff --git a/src/stacks/shared-2.ts b/src/stacks/shared-2.ts
index 3144119..929916e 100644
--- a/src/stacks/shared-2.ts
+++ b/src/stacks/shared-2.ts
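Review bot: The constructor body added here is byte-identical to the bodies added in the network-2 and shared-2 hunks (import the bucket by ARN, instantiate `P6LzSraConfig` with `props.principals`), so any fix to one will have to be repeated three times; a small helper next to `P6LzSraConfig` taking `(scope, props: LogarchiveBucketArn & ShareWithOrg)` and doing both steps would reduce each Stack2 constructor to one call. The widened `LogarchiveAccountStack2Props` interface has no TSDoc; a comment stating what `principals` contains and how `P6LzSraConfig` uses it, and that `centralBucketArn` identifies a bucket owned by another account, would help since neither imported type is visible here. Note also that `s3.Bucket.fromBucketArn` returns an imported bucket whose bucket policy CDK cannot modify, so if `P6LzSraConfig` relies on `grant*` calls on `centralBucket` to authorize delivery from this account, the matching allow statements (ideally conditioned on `aws:SourceAccount`) must exist in the bucket policy managed on the owning side; I cannot see the construct, so please confirm.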
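Review bot: `import type { LogarchiveBucketArn, ShareWithOrg } from './../types'` resolves to the same module as the `'../types'` specifier used in the logarchive-2 and shared-2 hunks, but the `./../` spelling is inconsistent and will trip lint rules that normalize relative paths. Change it to `import type { LogarchiveBucketArn, ShareWithOrg } from '../types'` so the three sibling stacks read identically.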
@@ -1,10 +1,20 @@
 import type { Construct } from 'constructs'
+import type { LogarchiveBucketArn, ShareWithOrg } from '../types'
 import * as cdk from 'aws-cdk-lib'
+import * as s3 from 'aws-cdk-lib/aws-s3'
+import { P6LzSraConfig } from '../constructs/p6-lz-sra-config'
 
-interface SharedAccountStack2Props extends cdk.StackProps {}
+interface SharedAccountStack2Props extends cdk.StackProps, LogarchiveBucketArn, ShareWithOrg {}
 
 export class SharedAccountStack2 extends cdk.Stack {
 constructor(scope: Construct, id: string, props: SharedAccountStack2Props) {
 super(scope, id, props)
+
+ const bucket = s3.Bucket.fromBucketArn(this, 'CentralBucket', props.centralBucketArn.toString())
+
+ new P6LzSraConfig(this, 'P6LzSraConfig', {
+ principals: props.principals,
+ centralBucket: bucket,
+ })
 }
 }