auditManager (OPTIONAL, Readonly): Amazon Audit Manager configuration
delegatedAdminAccount (Readonly): Designated administrator account name for accelerator security services. AWS Organizations lets you designate a member account as the delegated administrator for the organization; users and roles in that account can then perform administrative actions for security services such as Macie, GuardDuty, Detective and Security Hub. Without a designated administrator account, administrative tasks for these security services can only be performed by users or roles in the organization's management account. Delegating them separates management of the organization from management of the security services. The accelerator uses the Audit account as the designated administrator account.
Audit
To make the Audit account the designated administrator account for every security service configured by the accelerator, provide the following value for this parameter:
delegatedAdminAccount: Audit
detective (OPTIONAL, Readonly): Amazon Detective configuration
ebsDefaultVolumeEncryption (Readonly): AWS Elastic Block Store default encryption configuration
The accelerator uses this parameter to configure EBS default encryption. It creates a KMS key for every AWS environment (account and region) and sets that key as the default EBS encryption key.
To enable EBS default encryption in every region the accelerator is deployed to, provide the following value for this parameter:
ebsDefaultVolumeEncryption:
  enable: true
  excludeRegions: []
guardduty (Readonly): Amazon GuardDuty configuration
macie (Readonly): Amazon Macie configuration
The accelerator uses this parameter to define the Amazon Macie configuration.
To enable Macie in every region the accelerator is deployed to, publish updates to policy findings for the account every fifteen minutes, and publish sensitive data findings to Security Hub, provide the following value for this parameter:
macie:
  enable: true
  excludeRegions: []
  policyFindingsPublishingFrequency: FIFTEEN_MINUTES
  publishSensitiveDataFindings: true
s3PublicAccessBlock (Readonly): AWS S3 public access block configuration
The accelerator uses this parameter to block public access to S3 at the account level.
To enable S3 public access blocking in every account the accelerator is deployed to, provide the following value for this parameter:
s3PublicAccessBlock:
  enable: true
  excludeAccounts: []
scpRevertChangesConfig (OPTIONAL, Readonly): AWS Service Control Policies revert manual changes configuration
scpRevertChangesConfig:
  enable: true
  snsTopicName: Security
securityHub (Readonly): AWS Security Hub configuration
The accelerator uses this parameter to define the AWS Security Hub configuration.
To enable AWS Security Hub in all regions, enable the "AWS Foundational Security Best Practices v1.0.0" security standard for the given deployment targets, and disable selected controls of that standard, provide the following value for this parameter:
securityHub:
  enable: true
  regionAggregation: true
  snsTopicName: Security
  notificationLevel: HIGH
  excludeRegions: []
  standards:
    - name: AWS Foundational Security Best Practices v1.0.0
      deploymentTargets:
        organizationalUnits:
          - Root
      enable: true
      controlsToDisable:
        # Refer to the document for the control ID
        # https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html
        - Control1
        - Control2
snsSubscriptions (Readonly, Deprecated): AWS SNS subscription configuration
NOTICE: The configuration of SNS topics is being moved to the global config. This block is deprecated and will be removed in a future release.
The accelerator uses this parameter to define the AWS SNS notification configuration.
To enable high, medium and low SNS notifications, provide the following value for this parameter:
snsSubscriptions:
  - level: High
    email: <notify-high>@example.com
  - level: Medium
    email: <notify-medium>@example.com
  - level: Low
    email: <notify-low>@example.com
ssmAutomation (Readonly): AWS Systems Manager Document configuration
The accelerator uses this parameter to define the AWS Systems Manager documents configuration. SSM documents are created in the designated administrator account for security services, i.e. the Audit account.
To create an SSM document named "SSM-ELB-Enable-Logging" in every region the accelerator is deployed to and share it with the Root organizational unit (OU), provide the following value for this parameter. To share the document with specific accounts instead, uncomment the accounts list. A valid SSM document template file, ssm-documents/ssm-elb-enable-logging.yaml, must be present in the accelerator config repository; the accelerator uses this template file to create the document.
ssmAutomation:
  excludeRegions: []
  documentSets:
    - shareTargets:
        organizationalUnits:
          - Root
        # accounts:
        #   - Network
      documents:
        - name: SSM-ELB-Enable-Logging
          template: ssm-documents/ssm-elb-enable-logging.yaml
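A pre-deployment check over the keys documented above, added here as an example that is not part of the accelerator's own code: it flags a missing delegated administrator, disabled blocks, region or account carve-outs, disabled Security Hub controls and the deprecated snsSubscriptions block. The sample config is a constructed Python dict mirroring the page's YAML (a real run would load the parsed security-config.yaml instead), with an excluded EBS region deliberately left in.

```python
from typing import Any

# Constructed sample of the centralSecurityServices block shown on this page,
# deliberately weakened: one EBS region excluded, deprecated SNS block present.
SAMPLE_CONFIG: dict[str, Any] = {
    "delegatedAdminAccount": "Audit",
    "ebsDefaultVolumeEncryption": {"enable": True, "excludeRegions": ["us-west-1"]},
    "s3PublicAccessBlock": {"enable": True, "excludeAccounts": []},
    "macie": {"enable": True, "excludeRegions": [],
              "policyFindingsPublishingFrequency": "FIFTEEN_MINUTES",
              "publishSensitiveDataFindings": True},
    "securityHub": {"enable": True, "regionAggregation": True, "excludeRegions": [],
                    "standards": [{"name": "AWS Foundational Security Best Practices v1.0.0",
                                   "enable": True, "controlsToDisable": ["Control1"]}]},
    "snsSubscriptions": [{"level": "High", "email": "notify-high@example.com"}],
}

# Blocks that should be enabled everywhere, with the key that carves out exceptions.
ENABLED_BLOCKS = {
    "ebsDefaultVolumeEncryption": "excludeRegions",
    "macie": "excludeRegions",
    "s3PublicAccessBlock": "excludeAccounts",
    "securityHub": "excludeRegions",
}


def lint_central_security_services(cfg: dict[str, Any]) -> list[str]:
    """Return human-readable findings for weak or deprecated settings."""
    findings: list[str] = []
    if not cfg.get("delegatedAdminAccount"):
        findings.append("delegatedAdminAccount unset: security services are "
                        "administered from the management account")
    for block, exclude_key in ENABLED_BLOCKS.items():
        section = cfg.get(block) or {}
        if not section.get("enable"):
            findings.append(f"{block}: not enabled")
            continue
        excluded = section.get(exclude_key) or []
        if excluded:  # every carve-out is a coverage gap worth an explicit justification
            findings.append(f"{block}: {exclude_key} carves out {', '.join(excluded)}")
    hub = cfg.get("securityHub") or {}
    if hub.get("enable") and not hub.get("standards"):
        findings.append("securityHub: enabled but no standards configured")
    for std in hub.get("standards") or []:
        disabled = std.get("controlsToDisable") or []
        if disabled:
            findings.append(f"securityHub standard '{std['name']}': "
                            f"{len(disabled)} control(s) disabled, review each")
    if cfg.get("snsSubscriptions"):
        findings.append("snsSubscriptions is deprecated: move topics to the global config")
    return findings
```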
AWS Accelerator central security services configuration
Example