Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.

Landing Zone Accelerator on AWS

The Landing Zone Accelerator on AWS solution helps you quickly deploy a secure, resilient, scalable, and fully automated cloud foundation that accelerates your readiness for your cloud compliance program. A landing zone is a cloud environment that offers a recommended starting point, including default accounts, account structure, network and security layouts, and so forth. From a landing zone, you can deploy workloads that utilize your solutions and applications.

The Landing Zone Accelerator (LZA) is architected to align with AWS best practices and in conformance with multiple, global compliance frameworks. When used in coordination with services such as AWS Control Tower, the Landing Zone Accelerator provides a comprehensive no-code solution across 35+ AWS services to manage and govern a multi-account environment built to support customers with highly-regulated workloads and complex compliance requirements. The LZA helps you establish platform readiness with security, compliance, and operational capabilities.

This solution is provided as an open-source project that is built using the AWS Cloud Development Kit (CDK). You install it directly into your environment, giving you full access to the infrastructure as code (IaC) solution. Through a simplified set of configuration files, you are able to configure additional functionality, guardrails and security services (e.g., AWS Managed Config Rules and AWS Security Hub), manage your foundational networking topology (e.g., VPCs, Transit Gateways, and Network Firewall), and generate additional workload accounts using the AWS Control Tower Account Factory.

There are no additional charges or upfront commitments required to use Landing Zone Accelerator on AWS. You pay only for AWS services enabled in order to set up your platform and operate your guardrails. This solution can also support non-standard AWS partitions, including AWS GovCloud (US), and the US Secret and Top Secret regions.

For an overview and solution deployment guide, please visit Landing Zone Accelerator on AWS


IMPORTANT: This solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated. The information contained in this solution implementation guide is not exhaustive. You must review, evaluate, assess, and approve the solution in compliance with your organization's particular security features, tools, and configurations. It is the sole responsibility of you and your organization to determine which regulatory requirements are applicable and to ensure that you comply with all requirements. Although this solution discusses both the technical and administrative requirements, this solution does not help you comply with the non-technical administrative requirements.


This solution collects anonymous operational metrics to help AWS improve the quality of features of the solution. For more information, including how to disable this capability, please see the implementation guide.


Included Services, Features, and Configuration References

Account Configuration

Used to manage all of the AWS accounts within the AWS Organization. Adding a new account configuration to accounts-config.yaml will invoke the account creation process from Landing Zone Accelerator on AWS.

| Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
|---|---|---|---|---|
| AWS Accounts | Account | AccountsConfig | AccountConfig / GovCloudAccountConfig | Define commercial or GovCloud (US) accounts to be deployed by the accelerator. |

Global Configuration

Used to manage all of the global properties that can be inherited across the AWS Organization. Defined in global-config.yaml.

| Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
|---|---|---|---|---|
| AWS Backup | Backup Vaults | GlobalConfig | BackupConfig | Define AWS Backup Vaults that can be used to store backups in accounts across the AWS Organization. |
| AWS Budgets | Budget Reports | GlobalConfig / ReportConfig | BudgetReportConfig | Define Budget report configurations for account(s) and/or organizational unit(s). |
| AWS CloudTrail | Organization and Account Trails | GlobalConfig / LoggingConfig | CloudTrailConfig | When specified, Organization and/or account-level trails are deployed. |
| Amazon CloudWatch | Log Group Dynamic Partitioning | GlobalConfig / LoggingConfig | CloudWatchLogsConfig | Custom partition values for CloudWatch Log Groups sent to the centralized logging S3 bucket. |
| AWS Control Tower | Control Tower | GlobalConfig | ControlTowerConfig | It is recommended that AWS Control Tower be enabled, if available, in the desired home region for your environment prior to installing the accelerator. When enabled, the accelerator will integrate with resources and guardrails deployed by AWS Control Tower. |
| AWS Cost and Usage | Cost and Usage Report | GlobalConfig / ReportConfig | CostAndUsageReportConfig | Define a global Cost and Usage report configuration for the AWS Organization. |
| AWS Regions | Enabled Regions | GlobalConfig | GlobalConfig.enabledRegions | Define one or more AWS Regions for the solution to manage. |
| Amazon S3 | Lifecycle Rules | GlobalConfig / LoggingConfig | AccessLogBucketConfig / CentralLogBucketConfig | Define global lifecycle rules for S3 access log buckets and the central log bucket deployed by the accelerator. |
| AWS Systems Manager Session Manager | Session Manager logging configuration | GlobalConfig / LoggingConfig | SessionManagerConfig | Define global logging configuration settings for Session Manager. |
| AWS SNS Topics | SNS Topics Configuration | GlobalConfig | SnsTopicConfig | Define SNS topics for notifications. |

Identity and Access Management (IAM) Configuration

Used to manage all of the IAM resources across the AWS Organization. Defined in iam-config.yaml.

| Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
|---|---|---|---|---|
| AWS IAM | Users | IamConfig | UserSetConfig | Define IAM users to be deployed to specified account(s) and/or organizational unit(s). |
| AWS IAM | Groups | IamConfig | GroupSetConfig | Define IAM groups to be deployed to specified account(s) and/or organizational unit(s). |
| AWS IAM | Policies | IamConfig | PolicySetConfig | Define customer-managed IAM policies to be deployed to specified account(s) and/or organizational unit(s). |
| AWS IAM | Roles | IamConfig | RoleSetConfig | Define customer-managed IAM roles to be deployed to specified account(s) and/or organizational unit(s). |
| AWS IAM | SAML identity providers | IamConfig | SamlProviderConfig | Define a SAML identity provider to allow federated IAM access to the AWS Organization. |
| AWS IAM Identity Center | Permission sets | IamConfig | IdentityCenterConfig | Define IAM Identity Center (formerly AWS SSO) permission sets and assignments. |
| AWS Managed Microsoft AD | Managed directory | IamConfig | ManagedActiveDirectoryConfig | Define a Managed Microsoft AD directory. |

Network Configuration

Used to manage and implement network resources to establish a WAN/LAN architecture to support cloud operations and application workloads in AWS. Defined in network-config.yaml.

| Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
|---|---|---|---|---|
| Delete Default Amazon VPC | Default VPC | NetworkConfig | DefaultVpcsConfig | If enabled, deletes the default VPC in each account and region managed by the accelerator. |
| AWS Direct Connect | Gateways, virtual interfaces, and gateway associations | NetworkConfig | DxGatewayConfig | Define Direct Connect gateways, virtual interfaces, and Direct Connect Gateway associations. |
| Amazon Elastic Load Balancing | Gateway Load Balancers, endpoint services, and endpoints | NetworkConfig / CentralNetworkServicesConfig | GwlbConfig | Define a centrally-managed Gateway Load Balancer with an associated VPC endpoint service. Define Gateway Load Balancer endpoints that consume the service, allowing for deep packet inspection of workloads. |
| AWS Network Firewall | Network Firewalls, policies, and rule groups | NetworkConfig / CentralNetworkServicesConfig | NfwConfig | Define centrally-managed firewall rule groups and policies. Define Network Firewall endpoints that consume the policies, allowing for deep packet inspection of workloads. |
| Amazon Route 53 Resolver | Resolver endpoints, rules, DNS firewall rule groups, and query logging configurations | NetworkConfig / CentralNetworkServicesConfig | ResolverConfig | Define centrally-managed Resolver endpoints, Resolver rules, DNS firewall rule groups, and query logging configurations. DNS firewall rule groups, Resolver rules, and query logging configurations can be associated to VPCs defined in VpcConfig / VpcTemplatesConfig. |
| AWS Site-to-Site VPN | Customer gateways and VPN connections | NetworkConfig | CustomerGatewayConfig | Define Customer gateways and VPN connections that terminate on Transit Gateways or Virtual Private Gateways. |
| AWS Transit Gateway | Transit Gateways and Transit Gateway route tables | NetworkConfig | TransitGatewayConfig | Define Transit Gateways to deploy to a specified account and region in the AWS Organization. |
| AWS Transit Gateway | Transit Gateway peering connections | NetworkConfig | TransitGatewayPeeringConfig | Create Transit Gateway peering connections between two Transit Gateways defined in TransitGatewayConfig. |
| Amazon VPC | Customer-managed prefix lists | NetworkConfig | PrefixListConfig | Define customer-managed prefix lists to deploy to account(s) and region(s) in the AWS Organization. Prefix lists can be referenced in place of CIDR ranges in subnet route tables, security groups, and Transit Gateway route tables. |
| Amazon VPC | DHCP options sets | NetworkConfig | DhcpOptsConfig | Define custom DHCP options sets to deploy to account(s) and region(s) in the AWS Organization. DHCP options sets can be used by VPCs defined in VpcConfig / VpcTemplatesConfig. |
| Amazon VPC | Flow Logs (global) | NetworkConfig | VpcFlowLogsConfig | Define a global VPC flow log configuration for VPCs deployed by the accelerator. VPC-specific flow logs can also be created in VpcConfig / VpcTemplatesConfig. |
| Amazon VPC | VPCs, subnets, security groups, NACLs, route tables, NAT Gateways, and VPC endpoints | NetworkConfig | VpcConfig | Define VPCs to deploy to a specified account and region in the AWS Organization. |
| Amazon VPC | VPC endpoint policies | NetworkConfig | EndpointPolicyConfig | Define custom VPC endpoint policies to deploy to account(s) and region(s) in the AWS Organization. Endpoint policies can be used by interface endpoints and/or gateway endpoints defined in VpcConfig / VpcTemplatesConfig. |
| Amazon VPC | VPC peering connections | NetworkConfig | VpcPeeringConfig | Create a peering connection between two VPCs defined in VpcConfig. NOTE: Not supported with VPCs deployed using VpcTemplatesConfig. |
| Amazon VPC IP Address Manager (IPAM) | IPAM pools and scopes | NetworkConfig / CentralNetworkServicesConfig | IpamConfig | Enable IPAM delegated administrator and configuration settings for IPAM pools and scopes. NOTE: IPAM is required for VPCs and subnets configured to use dynamic IPAM CIDR allocations. |
| Amazon VPC Templates | VPCs, subnets, security groups, NACLs, route tables, NAT Gateways, and VPC endpoints | NetworkConfig | VpcTemplatesConfig | Deploys a standard-sized VPC to multiple defined account(s) and/or organizational unit(s). |

AWS Organizations Configuration

Used to manage organizational units and policies in the AWS Organization. Defined in organization-config.yaml.

| Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
|---|---|---|---|---|
| AWS Account Quarantine | Quarantine | OrganizationConfig | QuarantineNewAccountsConfig | If enabled, a Service Control Policy (SCP) is applied to newly-created accounts that denies all API actions from principals outside of the accelerator. This SCP is stripped from the new account when the accelerator completes resource provisioning for the new account. |
| AWS Organizations | Backup Policies | OrganizationConfig | BackupPolicyConfig | Define organizational backup policies to be deployed to account(s) and/or organizational unit(s). |
| AWS Organizations | Organizational Units | OrganizationConfig | OrganizationalUnitConfig | Define organizational units (OUs) for the AWS Organization. NOTE: When using AWS Control Tower, OUs must be registered in the Control Tower console prior to defining them in the configuration. |
| AWS Organizations | Service Control Policies (SCPs) | OrganizationConfig | ServiceControlPolicyConfig | Define organizational service control policies to be deployed to account(s) and/or organizational unit(s). |
| AWS Organizations | Tag Policies | OrganizationConfig | TaggingPolicyConfig | Define organizational tag policies to be deployed to account(s) and/or organizational unit(s). |

Security Configuration

Used to manage configuration of AWS security services. Defined in security-config.yaml.

| Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
|---|---|---|---|---|
| AWS Audit Manager | Audit Manager | SecurityConfig / CentralSecurityServicesConfig | AuditManagerConfig | Enable Audit Manager delegated administrator and configuration settings. |
| Amazon CloudWatch | Metrics, Alarms, and Log Groups | SecurityConfig | CloudWatchConfig | Define CloudWatch metrics, alarms, and log groups to deploy into account(s) and/or organizational unit(s). You can also import existing log groups into your configuration. |
| AWS Config | Config Recorder, Delivery Channel, Rules, and Remediations | SecurityConfig | AwsConfig | Define an AWS Config Recorder, Delivery Channel, and custom and/or managed rule sets to deploy across the AWS Organization. |
| Amazon Detective | Detective | SecurityConfig / CentralSecurityServicesConfig | DetectiveConfig | Enable Detective delegated administrator and configuration settings. NOTE: Requires Amazon GuardDuty to be enabled for at least 48 hours. |
| Amazon EBS | Default Volume Encryption | SecurityConfig / CentralSecurityServicesConfig | EbsDefaultVolumeEncryptionConfig | Enable EBS default volume encryption across the AWS Organization. |
| Amazon GuardDuty | GuardDuty | SecurityConfig / CentralSecurityServicesConfig | GuardDutyConfig | Enable GuardDuty delegated administrator and configuration settings. |
| AWS IAM | Access Analyzer | SecurityConfig | AccessAnalyzerConfig | If enabled, IAM Access Analyzer analyzes policies and reports a list of findings for resources that grant public or cross-account access from outside your AWS Organization, in the IAM console and through APIs. |
| AWS IAM | Password Policy | SecurityConfig | IamPasswordPolicyConfig | Define a password policy for IAM users in the AWS Organization. |
| AWS KMS | Customer-Managed Keys | SecurityConfig | KeyManagementServiceConfig | Define customer-managed KMS keys to be deployed to account(s) and/or organizational unit(s). |
| Amazon Macie | Macie | SecurityConfig / CentralSecurityServicesConfig | MacieConfig | Enable Macie delegated administrator and configuration settings. |
| Amazon S3 | S3 Public Access Block | SecurityConfig / CentralSecurityServicesConfig | S3PublicAccessBlockConfig | Enable the S3 public access block setting across the AWS Organization. |
| AWS Security Hub | Security Hub | SecurityConfig / CentralSecurityServicesConfig | SecurityHubConfig | Enable Security Hub delegated administrator and configuration settings. |
| Amazon SNS | Subscriptions | SecurityConfig / CentralSecurityServicesConfig | SnsSubscriptionConfig | Configure email subscriptions for security-related SNS notifications. NOTE: DEPRECATED. Use SnsTopicConfig in the global configuration instead. |
| AWS Systems Manager Automation | Automation Documents | SecurityConfig / CentralSecurityServicesConfig | SsmAutomationConfig | Define SSM Automation Documents to be deployed to account(s) and/or organizational unit(s). |

Customization Configuration

Used to manage configuration of custom applications and CloudFormation stacks. Defined in the optional file customizations-config.yaml.

| Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
|---|---|---|---|---|
| AWS CloudFormation | Stacks | CustomizationsConfig / CustomizationConfig | CloudFormationStackConfig | Define custom CloudFormation Stacks. |
| AWS CloudFormation | StackSets | CustomizationsConfig / CustomizationConfig | CloudFormationStackSetConfig | Define custom CloudFormation StackSets. |
| Amazon Elastic Load Balancing | Application Load Balancers | CustomizationsConfig / AppConfigItem | ApplicationLoadBalancerConfig | Define an Application Load Balancer to be used for a custom application. |
| Amazon Elastic Load Balancing | Network Load Balancers | CustomizationsConfig / AppConfigItem | NetworkLoadBalancerConfig | Define a Network Load Balancer to be used for a custom application. |
| Amazon Elastic Load Balancing | Target Groups | CustomizationsConfig / AppConfigItem | TargetGroupItemConfig | Define a Target Group to be used with an Elastic Load Balancer. |
| Amazon EC2 | Autoscaling Groups | CustomizationsConfig / AppConfigItem | AutoScalingConfig | Define an autoscaling group to be used for a custom application. |
| Amazon EC2 | Launch Template | CustomizationsConfig / AppConfigItem | LaunchTemplateConfig | Define a launch template to be used for a custom application. |
| Amazon EC2 | Next-generation firewalls (standalone or autoscaling) and firewall management appliances | CustomizationsConfig | Ec2FirewallConfig | Define third-party EC2-based firewall appliances. |
| AWS Service Catalog | Portfolios, products, and shares | CustomizationsConfig / CustomizationConfig | PortfolioConfig | Define Service Catalog portfolios, products, and grant access permissions. You may also share portfolios to other accounts and OUs. |

Other Services and Features

Other mandatory and non-configurable services/features deployed by the solution are described in the Architecture overview and Architecture details sections of the solution Implementation Guide.


Centralized Logging

The Landing Zone Accelerator Centralized Logging solution provides the ability to consolidate and manage log files from various sources into a Centralized Logging Account. This enables users to consolidate logs such as audit logs for access, configuration changes, and billing events. You can also collect Amazon CloudWatch Logs from multiple accounts and AWS Regions. The following sections discuss the types of logs that are centralized and the mechanisms used by the accelerator to centralize them.

Supported Log Types

  • ELB Logs
  • VPC Flow Logs
  • Macie Reports
  • Cost and Usage Reports
  • Config History
  • Config Snapshots
  • GuardDuty Findings
  • CloudWatch Logs
  • CloudTrail Digest
  • CloudTrail Insights
  • CloudTrail Logs
  • CloudTrail S3 Access Logs / S3 Access Logs
  • SSM Inventory
  • SSM Session Manager
  • Security Hub Findings

Log Centralization Methods

  • S3 Replication - Logs are stored in account-specific S3 buckets that have bucket replication enabled to replicate logs to the Centralized Logging S3 Bucket in the Central Logging Account.
  • Service-Native - The AWS service writes directly to the centralized logging bucket in the Central Logging Account.
  • Log Streaming - Some services do not support a native centralized-logging capability and do not allow writing directly to S3 in a centralized account. To enable this functionality, the accelerator uses CloudWatch and native log forwarding capabilities via the following workflow:
    • A Log Group is created in CloudWatch.
    • A subscription filter is added to the CloudWatch Log Group.
    • The subscription filter points to a Log Destination.
    • The Log Destination is a region-specific Kinesis Stream in the Central Logging Account.
      • Each enabled region has its own Kinesis Stream in the Central Logging Account.
    • The Kinesis Streams are forwarded into a Kinesis Firehose in the same region.
    • The logs are processed by a Lambda function and written to the Central Logging S3 Bucket in the Home Region.

| Bucket Type | Bucket Name | Purpose |
|---|---|---|
| Centralized Logging Bucket | aws-accelerator-central-logs-{account#}-{region} | Stores all Landing Zone Accelerator centralized logs that have been enabled via the accelerator. This mechanism allows the solution to store a combined set of logs in a single account and single region. |
| ELB Access Logs | aws-accelerator-elb-access-logs-{account#}-{region} | Stores ELB Access logs on a per account/per region basis. |
| S3 Access Logs | aws-accelerator-s3-access-logs-{account#}-{region} | Stores S3 Access logs on a per account/per region basis. |

| Log Type | S3 Path | Example | Supported Centralization Methods |
|---|---|---|---|
| ELB | {account#}/{region}/* | s3://aws-accelerator-elb-access-logs-123456789016-us-east-1/{account#}/{region}/*.log.gz | |
| VPC Flow Logs | vpc-flow-logs/AWSLogs/{account#}/vpcflowlogs/{region}/{year}/{month}/{day}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/vpc-flow-logs/AWSLogs/123456789016/vpcflowlogs/us-east-1/2023/04/14/*.log.gz | Log Streaming / S3 |
| Macie Reports | macie/{account#}/AWSLogs/{account#}/Macie/{region}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/macie/123456789016/AWSLogs/123456789016/Macie/us-east-1/*.jsonl.gz | Service |
| Cost and Usage Reports | cur/{account#}/accelerator-cur/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/cur/123456789016/accelerator-cur/20220901-20221001/*.snappy.parquet | S3 Bucket Replication from Bucket in Home Region |
| Config History | config/AWSLogs/{account#}/Config/{region}/{year}/{month}/{day}/ConfigHistory/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/AWSLogs/123456789016/Config/us-east-1/2023/4/10/ConfigHistory/*.json.gz | Service |
| Config Snapshots | config/AWSLogs/{account#}/Config/{region}/{year}/{month}/{day}/ConfigSnapshot/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/AWSLogs/123456789016/Config/us-east-1/2023/4/10/ConfigSnapshot/*.json.gz | Service |
| GuardDuty | guardduty/AWSLogs/{account#}/GuardDuty/{region}/{year}/{month}/{day}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/guardduty/AWSLogs/123456789016/GuardDuty/us-east-1/2023/04/08/*.jsonl.gz | Service |
| CloudWatch Logs | CloudWatchLogs/{year}/{month}/{day}/{hour}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/CloudWatchLogs/2023/04/17/14/*.parquet | Log Streaming |
| CloudTrail Organization Digest | cloudtrail-organization/AWSLogs/{organizationId}/{account#}/CloudTrail-Digest/{region}/{year}/{month}/{day}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/cloudtrail-organization/AWSLogs/o-abc12cdefg/123456789016/CloudTrail-Digest/us-east-1/2023/04/14/*.json.gz | Service |
| CloudTrail Organization Insights | cloudtrail-organization/AWSLogs/{organizationId}/{account#}/CloudTrail-Insight/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/cloudtrail-organization/AWSLogs/o-abc12cdefg/123456789016/CloudTrail-Insight/*.json.gz | Service |
| CloudTrail Organization Logs | cloudtrail-organization/AWSLogs/{organizationId}/{account#}/CloudTrail/{region}/{year}/{month}/{day}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/cloudtrail-organization/AWSLogs/o-abc12cdefg/123456789016/CloudTrail/us-east-1/2023/04/14/*.json.gz | Service / Log Streaming |
| S3 Access Logs | aws-accelerator-central-logs-{account#}-{region}/* | s3://aws-accelerator-s3-access-logs-123456789016-us-east-1/aws-accelerator-central-logs-123456789016-us-east-1/* | Service |
| SSM Inventory | ssm-inventory/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/ssm-inventory/AWS:ComplianceSummary/accountid=123456789016/region=us-east-1/resourcetype=ManagedInstanceInventory/*.json | Service |
| SSM Session Manager | session/{account#}/{region}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/session/123456789016/us-east-1/*.log | Log Streaming / S3 |
| Security Hub | CloudWatchLogs/{year}/{month}/{day}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/CloudWatchLogs/2023/04/21/00/*.parquet | Log Streaming |
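As an added example (not part of the LZA code base), the following TypeScript classifies object keys in the central logs bucket using the S3 path conventions from the table above and then reports which expected (account, log type) deliveries are missing for a day, a check a log-archive owner can run over a bucket listing. The account id 123456789016 and organization id o-abc12cdefg are the table's own example values; the second account id, object names and the `missingDeliveries` helper are constructed here.

```typescript
// Added example (not part of the LZA project): classify object keys in the
// aws-accelerator-central-logs bucket using the S3 path conventions listed
// above, then report which expected (account, log type) deliveries are missing.

type CentralLogType =
  | "VpcFlowLogs" | "Macie" | "CostAndUsage" | "ConfigHistory" | "ConfigSnapshot"
  | "GuardDuty" | "CloudWatchLogs" | "CloudTrailDigest" | "CloudTrailInsight"
  | "CloudTrail" | "SsmInventory" | "SsmSession";

interface CentralLogObject {
  logType: CentralLogType;
  accountId?: string;      // source account, when the key carries one
  region?: string;         // source region, when the key carries one
  organizationId?: string; // organization trail keys only
  date?: string;           // YYYY-MM-DD, when the key has a date partition
}

// Pattern fragments. REGION accepts standard and GovCloud names (us-east-1, us-gov-west-1).
const ACCT = "(\\d{12})";
const REGION = "([a-z]{2}(?:-[a-z]+)+-\\d)";
const DATE = "(\\d{4})/(\\d{1,2})/(\\d{1,2})";
const ORG = "(o-[a-z0-9]{10,32})";

// Each rule maps the capture groups of its pattern onto CentralLogObject fields.
type Extract = (m: RegExpExecArray) => Partial<CentralLogObject>;
const ymd = (y: string, mo: string, d: string) => `${y}-${("0" + mo).slice(-2)}-${("0" + d).slice(-2)}`;
const acctRegion: Extract = (m) => ({ accountId: m[1], region: m[2] });
const acctRegionDate: Extract = (m) => ({ accountId: m[1], region: m[2], date: ymd(m[3], m[4], m[5]) });
const orgAcctRegionDate: Extract = (m) =>
  ({ organizationId: m[1], accountId: m[2], region: m[3], date: ymd(m[4], m[5], m[6]) });

const RULES: Array<[CentralLogType, RegExp, Extract]> = [
  ["VpcFlowLogs", new RegExp(`^vpc-flow-logs/AWSLogs/${ACCT}/vpcflowlogs/${REGION}/${DATE}/`), acctRegionDate],
  ["Macie", new RegExp(`^macie/\\d{12}/AWSLogs/${ACCT}/Macie/${REGION}/`), acctRegion],
  ["CostAndUsage", new RegExp(`^cur/${ACCT}/accelerator-cur/`), (m) => ({ accountId: m[1] })],
  // The table's path column has a config/ prefix that its example path omits; accept both.
  ["ConfigHistory", new RegExp(`^(?:config/)?AWSLogs/${ACCT}/Config/${REGION}/${DATE}/ConfigHistory/`), acctRegionDate],
  ["ConfigSnapshot", new RegExp(`^(?:config/)?AWSLogs/${ACCT}/Config/${REGION}/${DATE}/ConfigSnapshot/`), acctRegionDate],
  ["GuardDuty", new RegExp(`^guardduty/AWSLogs/${ACCT}/GuardDuty/${REGION}/${DATE}/`), acctRegionDate],
  ["CloudTrailDigest", new RegExp(`^cloudtrail-organization/AWSLogs/${ORG}/${ACCT}/CloudTrail-Digest/${REGION}/${DATE}/`), orgAcctRegionDate],
  ["CloudTrailInsight", new RegExp(`^cloudtrail-organization/AWSLogs/${ORG}/${ACCT}/CloudTrail-Insight/`),
    (m) => ({ organizationId: m[1], accountId: m[2] })],
  ["CloudTrail", new RegExp(`^cloudtrail-organization/AWSLogs/${ORG}/${ACCT}/CloudTrail/${REGION}/${DATE}/`), orgAcctRegionDate],
  // Security Hub findings share this prefix (see the table); only record content tells them apart.
  ["CloudWatchLogs", new RegExp(`^CloudWatchLogs/${DATE}/\\d{1,2}/`), (m) => ({ date: ymd(m[1], m[2], m[3]) })],
  ["SsmInventory", new RegExp(`^ssm-inventory/.*accountid=${ACCT}/region=${REGION}/`), acctRegion],
  ["SsmSession", new RegExp(`^session/${ACCT}/${REGION}/`), acctRegion],
];

// Returns undefined for a key under no accelerator-managed prefix; in a bucket that
// should only receive these logs, such keys are themselves worth alerting on.
function classifyCentralLogKey(key: string): CentralLogObject | undefined {
  for (const [logType, re, extract] of RULES) {
    const m = re.exec(key);
    if (m) return { ...extract(m), logType };
  }
  return undefined;
}

// Lists "account:logType" pairs expected on `date` that no key in the listing covers.
// Types whose keys carry no account (CloudWatchLogs) cannot be attributed this way.
function missingDeliveries(keys: string[], accounts: string[], types: CentralLogType[], date: string): string[] {
  const seen = new Set<string>();
  for (const key of keys) {
    const o = classifyCentralLogKey(key);
    if (o && o.accountId && o.date === date) seen.add(`${o.accountId}:${o.logType}`);
  }
  const missing: string[] = [];
  for (const acct of accounts) {
    for (const t of types) {
      if (!seen.has(`${acct}:${t}`)) missing.push(`${acct}:${t}`);
    }
  }
  return missing.sort();
}

// Constructed bucket listing: 123456789016 and o-abc12cdefg are the table's example
// values; 210987654321 and the object names are made up for this example.
const SAMPLE_KEYS = [
  "vpc-flow-logs/AWSLogs/123456789016/vpcflowlogs/us-east-1/2023/04/14/flow.log.gz",
  "cloudtrail-organization/AWSLogs/o-abc12cdefg/123456789016/CloudTrail/us-east-1/2023/04/14/trail.json.gz",
  "cloudtrail-organization/AWSLogs/o-abc12cdefg/210987654321/CloudTrail/us-east-1/2023/04/14/trail.json.gz",
  "guardduty/AWSLogs/123456789016/GuardDuty/us-east-1/2023/04/14/findings.jsonl.gz",
  "AWSLogs/123456789016/Config/us-east-1/2023/4/14/ConfigHistory/history.json.gz",
  "CloudWatchLogs/2023/04/14/14/part.parquet",
  "ssm-inventory/AWS:ComplianceSummary/accountid=210987654321/region=us-gov-west-1/resourcetype=ManagedInstanceInventory/x.json",
  "unexpected/prefix/file.txt",
];

// Which of three daily log types did each account fail to deliver on 2023-04-14?
function demo(): string[] {
  return missingDeliveries(SAMPLE_KEYS, ["123456789016", "210987654321"], ["CloudTrail", "GuardDuty", "VpcFlowLogs"], "2023-04-14");
}

console.log(demo()); // [ '210987654321:GuardDuty', '210987654321:VpcFlowLogs' ]
```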

Package Structure

@aws-accelerator/accelerator

A CDK Application. The core of the accelerator solution. Contains all the stack definitions and deployment pipeline for the accelerator. This also includes the CDK Toolkit orchestration.

@aws-accelerator/config

A pure TypeScript library containing modules to manage the accelerator config files.

@aws-accelerator/constructs

Contains L2/L3 constructs that have been built to support accelerator actions, such as creating an AWS Organizational Unit or VPC. These constructs are intended to be fully reusable, independent of the accelerator, and do not directly access the accelerator configuration files. Example: CentralLogsBucket, an S3 bucket that is configured with a CMK with the proper key and bucket policies to allow services and accounts in the organization to publish logs to the bucket.

@aws-accelerator/installer

Contains a CDK Application that defines the accelerator Installer stack.

@aws-accelerator/ui (future)

A web application that utilizes the aws-ui-components library to present a console to configure the accelerator.

@aws-accelerator/utils

Contains common utilities and types that are needed by @aws-accelerator/* packages, for example throttling and backoff for AWS SDK calls.

@aws-cdk-extensions/cdk-extensions

Contains L2 constructs that extend the functionality of the CDK repo. The CDK repo is an actively developed project. As the accelerator team identifies missing features of the CDK, those features will be initially developed locally within this repo and submitted to the CDK project as a pull request.

@aws-cdk-extensions/tester

Accelerator tester CDK app. This package creates AWS Config custom rules for every test case defined in the test case manifest file.


Creating an Installer Stack

The Installer Stack, a CDK Application, can be deployed through a CloudFormation template produced by your CLI by navigating to the directory for the installer and running a CDK synthesis. The template can be deployed either via the AWS CLI or via the console. Below are the commands for completing the deployment of the Installer stack.

1. Build the Installer stack for deployment

  • Install the dependencies for the Installer stack:
    - [Node](https://nodejs.org/en/)
    - [AWS CDK](https://aws.amazon.com/cdk/)
    - [Yarn](https://yarnpkg.com/)
    - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
  • Install the project dependencies:

```bash
cd <rootDir>/source
yarn install && yarn lerna link
```

  • Run the CDK synthesis:

```bash
cd <rootDir>/source/packages/@aws-accelerator/installer
yarn build && yarn cdk synth
```

After running these commands, the Installer stack template is saved to <rootDir>/source/packages/@aws-accelerator/installer/cdk.out/AWSAccelerator-InstallerStack.template.json

2. Create a GitHub personal access token

Follow the instructions on GitHub Docs to create a personal access token (Classic).

When creating the token, select the public_repo scope.

3. Store Token in Secrets Manager

Store the personal access token in Secrets Manager.

  1. In the AWS Management Console, navigate to Secrets Manager
  2. Click Store a new secret
  3. On the Choose secret type step select Other type of secret
  4. Select the Plaintext tab
  5. Completely remove the example text and paste your secret with no formatting and no leading or trailing spaces
  6. Select the aws/secretsmanager encryption key
  7. Click Next
  8. On the Configure secret step set the Secret name to accelerator/github-token
  9. On the Configure rotation step click Next
  10. On the Review step click Store

4. Deploy the Installer stack

  • Configure the AWS CLI CloudFormation command for the Installer stack

  • Create an S3 bucket and copy the generated template file:

```bash
cd <rootDir>/source/packages/@aws-accelerator/installer
aws s3 mb s3://<bucket name>
aws s3 cp ./cdk.out/AWSAccelerator-InstallerStack.template.json s3://<bucket name>
```

  • Create the Installer stack with the AWS CLI. The template is referenced by its S3 URL, so the command takes --template-url; --template-body is for passing the template contents inline:

```bash
aws cloudformation create-stack --stack-name AWSAccelerator-InstallerStack \
  --template-url https://<bucket name>.s3.<region>.amazonaws.com/AWSAccelerator-InstallerStack.template.json \
  --parameters ParameterKey=RepositoryName,ParameterValue=<Repository_Name> \
    ParameterKey=RepositoryBranchName,ParameterValue=<Branch_Name> \
    ParameterKey=ManagementAccountEmail,ParameterValue=<Management_Email> \
    ParameterKey=LogArchiveAccountEmail,ParameterValue=<LogArchive_Email> \
    ParameterKey=AuditAccountEmail,ParameterValue=<Audit_Email> \
    ParameterKey=EnableApprovalStage,ParameterValue=Yes \
    ParameterKey=ApprovalStageNotifyEmailList,ParameterValue=<comma-delimited-notify-emails> \
    ParameterKey=ControlTowerEnabled,ParameterValue=Yes \
  --capabilities CAPABILITY_IAM
```
  • Alternate deployment of CloudFormation via the AWS console:

- From your Management account, navigate to the CloudFormation page in the AWS console
- Select 'Create Stack' and from the dropdown pick 'with new resources (standard)'
- For the prerequisite template, select 'Template is ready'
- When specifying the template, select 'Upload a template file'
- Ensure that you select the correct file 'AWSLandingZoneAccelerator-InstallerStack.template.json'
- Fill out the required parameters in the UI, and create the stack once the parameters are entered.


Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at

http://www.apache.org/licenses/

or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and limitations under the License.


JavaScript library files for Offline, Sync, Sigv4. includes support for React Native
TypeScript
902
star
34

aws-saas-boost

AWS SaaS Boost is a ready-to-use toolset that removes the complexity of successfully running SaaS workloads in the AWS cloud.
Java
901
star
35

fargatecli

CLI for AWS Fargate
Go
891
star
36

aws-api-gateway-developer-portal

A Serverless Developer Portal for easily publishing and cataloging APIs
JavaScript
879
star
37

ecs-refarch-continuous-deployment

ECS Reference Architecture for creating a flexible and scalable deployment pipeline to Amazon ECS using AWS CodePipeline
Shell
842
star
38

fortuna

A Library for Uncertainty Quantification.
Python
836
star
39

dynamodb-data-mapper-js

A schema-based data mapper for Amazon DynamoDB.
TypeScript
818
star
40

goformation

GoFormation is a Go library for working with CloudFormation templates.
Go
812
star
41

flowgger

A fast data collector in Rust
Rust
796
star
42

aws-js-s3-explorer

AWS JavaScript S3 Explorer is a JavaScript application that uses AWS's JavaScript SDK and S3 APIs to make the contents of an S3 bucket easy to browse via a web browser.
HTML
771
star
43

aws-icons-for-plantuml

PlantUML sprites, macros, and other includes for Amazon Web Services services and resources
Python
737
star
44

aws-devops-essential

In few hours, quickly learn how to effectively leverage various AWS services to improve developer productivity and reduce the overall time to market for new product capabilities.
Shell
674
star
45

aws-apigateway-lambda-authorizer-blueprints

Blueprints and examples for Lambda-based custom Authorizers for use in API Gateway.
C#
660
star
46

amazon-ecs-nodejs-microservices

Reference architecture that shows how to take a Node.js application, containerize it, and deploy it as microservices on Amazon Elastic Container Service.
Shell
650
star
47

amazon-kinesis-client

Client library for Amazon Kinesis
Java
621
star
48

aws-deployment-framework

The AWS Deployment Framework (ADF) is an extensive and flexible framework to manage and deploy resources across multiple AWS accounts and regions based on AWS Organizations.
Python
617
star
49

aws-lambda-web-adapter

Run web applications on AWS Lambda
Rust
610
star
50

dgl-lifesci

Python package for graph neural networks in chemistry and biology
Python
594
star
51

aws-security-automation

Collection of scripts and resources for DevSecOps and Automated Incident Response Security
Python
585
star
52

aws-glue-libs

AWS Glue Libraries are additions and enhancements to Spark for ETL operations.
Python
565
star
53

python-deequ

Python API for Deequ
Python
535
star
54

aws-athena-query-federation

The Amazon Athena Query Federation SDK allows you to customize Amazon Athena with your own data sources and code.
Java
507
star
55

data-on-eks

DoEKS is a tool to build, deploy and scale Data & ML Platforms on Amazon EKS
HCL
504
star
56

shuttle

Shuttle is a library for testing concurrent Rust code
Rust
465
star
57

ami-builder-packer

An example of an AMI Builder using CI/CD with AWS CodePipeline, AWS CodeBuild, Hashicorp Packer and Ansible.
465
star
58

route53-dynamic-dns-with-lambda

A Dynamic DNS system built with API Gateway, Lambda & Route 53.
Python
461
star
59

aws-servicebroker

AWS Service Broker
Python
461
star
60

amazon-ecs-local-container-endpoints

A container that provides local versions of the ECS Task Metadata Endpoint and ECS Task IAM Roles Endpoint.
Go
456
star
61

datawig

Imputation of missing values in tables.
JavaScript
454
star
62

aws-jwt-verify

JS library for verifying JWTs signed by Amazon Cognito, and any OIDC-compatible IDP that signs JWTs with RS256, RS384, and RS512
TypeScript
452
star
63

amazon-dynamodb-lock-client

The AmazonDynamoDBLockClient is a general purpose distributed locking library built on top of DynamoDB. It supports both coarse-grained and fine-grained locking.
Java
447
star
64

ecs-refarch-service-discovery

An EC2 Container Service Reference Architecture for providing Service Discovery to containers using CloudWatch Events, Lambda and Route 53 private hosted zones.
Go
444
star
65

ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Go
443
star
66

handwritten-text-recognition-for-apache-mxnet

This repository lets you train neural networks models for performing end-to-end full-page handwriting recognition using the Apache MXNet deep learning frameworks on the IAM Dataset.
Jupyter Notebook
442
star
67

awscli-aliases

Repository for AWS CLI aliases.
437
star
68

aws-config-rdk

The AWS Config Rules Development Kit helps developers set up, author and test custom Config rules. It contains scripts to enable AWS Config, create a Config rule and test it with sample ConfigurationItems.
Python
436
star
69

snapchange

Lightweight fuzzing of a memory snapshot using KVM
Rust
427
star
70

aws-security-assessment-solution

An AWS tool to help you create a point in time assessment of your AWS account using Prowler and Scout as well as optional AWS developed ransomware checks.
423
star
71

lambda-refarch-mapreduce

This repo presents a reference architecture for running serverless MapReduce jobs. This has been implemented using AWS Lambda and Amazon S3.
JavaScript
422
star
72

aws-lambda-cpp

C++ implementation of the AWS Lambda runtime
C++
409
star
73

aws-cloudsaga

AWS CloudSaga - Simulate security events in AWS
Python
389
star
74

amazon-kinesis-producer

Amazon Kinesis Producer Library
C++
385
star
75

soci-snapshotter

Go
383
star
76

pgbouncer-fast-switchover

Adds query routing and rewriting extensions to pgbouncer
C
381
star
77

serverless-photo-recognition

A collection of 3 lambda functions that are invoked by Amazon S3 or Amazon API Gateway to analyze uploaded images with Amazon Rekognition and save picture labels to ElasticSearch (written in Kotlin)
Kotlin
378
star
78

amazon-sagemaker-workshop

Amazon SageMaker workshops: Introduction, TensorFlow in SageMaker, and more
Jupyter Notebook
378
star
79

serverless-rules

Compilation of rules to validate infrastructure-as-code templates against recommended practices for serverless applications.
Go
378
star
80

logstash-output-amazon_es

Logstash output plugin to sign and export logstash events to Amazon Elasticsearch Service
Ruby
374
star
81

kinesis-aggregation

AWS libraries/modules for working with Kinesis aggregated record data
Java
370
star
82

smithy-rs

Code generation for the AWS SDK for Rust, as well as server and generic smithy client generation.
Rust
369
star
83

syne-tune

Large scale and asynchronous Hyperparameter and Architecture Optimization at your fingertips.
Python
363
star
84

aws-sdk-kotlin

Multiplatform AWS SDK for Kotlin
Kotlin
359
star
85

dynamodb-transactions

Java
354
star
86

amazon-kinesis-client-python

Amazon Kinesis Client Library for Python
Python
354
star
87

aws-serverless-data-lake-framework

Enterprise-grade, production-hardened, serverless data lake on AWS
Python
349
star
88

threat-composer

A simple threat modeling tool to help humans to reduce time-to-value when threat modeling
TypeScript
346
star
89

amazon-kinesis-agent

Continuously monitors a set of log files and sends new data to the Amazon Kinesis Stream and Amazon Kinesis Firehose in near-real-time.
Java
342
star
90

rds-snapshot-tool

The Snapshot Tool for Amazon RDS automates the task of creating manual snapshots, copying them into a different account and a different region, and deleting them after a specified number of days
Python
337
star
91

amazon-kinesis-scaling-utils

The Kinesis Scaling Utility is designed to give you the ability to scale Amazon Kinesis Streams in the same way that you scale EC2 Auto Scaling groups โ€“ up or down by a count or as a percentage of the total fleet. You can also simply scale to an exact number of Shards. There is no requirement for you to manage the allocation of the keyspace to Shards when using this API, as it is done automatically.
Java
333
star
92

amazon-kinesis-video-streams-producer-sdk-cpp

Amazon Kinesis Video Streams Producer SDK for C++ is for developers to install and customize for their connected camera and other devices to securely stream video, audio, and time-encoded data to Kinesis Video Streams.
C++
332
star
93

route53-infima

Library for managing service-level fault isolation using Amazon Route 53.
Java
326
star
94

aws-automated-incident-response-and-forensics

326
star
95

mxboard

Logging MXNet data for visualization in TensorBoard.
Python
326
star
96

aws-sigv4-proxy

This project signs and proxies HTTP requests with Sigv4
Go
325
star
97

statelint

A Ruby gem that provides a command-line validator for Amazon States Language JSON files.
Ruby
324
star
98

graphstorm

Enterprise graph machine learning framework for billion-scale graphs for ML scientists and data scientists.
Python
317
star
99

ecs-nginx-reverse-proxy

Reference architecture for deploying Nginx on ECS, both as a basic static resource server, and as a reverse proxy in front of a dynamic application server.
Nginx
317
star
100

simplebeerservice

Simple Beer Service (SBS) is a cloud-connected kegerator that streams live sensor data to AWS.
JavaScript
316
star