From c55cf2dec5e44e21ed501e8be19b365aee8961f5 Mon Sep 17 00:00:00 2001
From: bhoff
Date: Wed, 6 Nov 2024 17:17:07 -0800
Subject: [PATCH 1/2] Run nessus script installation daily, not hourly

---
org-formation/090-systems-manager/_tasks.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org-formation/090-systems-manager/_tasks.yaml b/org-formation/090-systems-manager/_tasks.yaml
index 07b5faec..5119e239 100644
--- a/org-formation/090-systems-manager/_tasks.yaml
+++ b/org-formation/090-systems-manager/_tasks.yaml
@@ -83,7 +83,7 @@ StackArmorAgentInstallation:
 Account: '*'
 IncludeMasterAccount: true
 Parameters:
- EventBridgeRuleSchedule: "cron(0 * * * ? *)"
+ EventBridgeRuleSchedule: "cron(0 2 * * ? *)"
 TargetRegionIds: "us-east-1"
 TargetTagName: execute-script
 TargetTagValue: install-stack-armor-agent

From fd299e58e566a4460a79c2f17555f7f1ff142c8f Mon Sep 17 00:00:00 2001
From: bhoff
Date: Wed, 13 Aug 2025 13:54:34 -0700
Subject: [PATCH 2/2] IT-4431: Activate IAM Access Analyzer on all accounts

---
org-formation/077-macie/README.md | 2 +-
org-formation/079-access-analyzer/README.md | 8 ++++++++
org-formation/079-access-analyzer/_tasks.yaml | 15 +++++++++++++++
.../079-access-analyzer/access_analyzer.yaml | 10 ++++++++++
org-formation/README.md | 2 ++
org-formation/_tasks.yaml | 5 +++++
6 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 org-formation/079-access-analyzer/README.md
create mode 100644 org-formation/079-access-analyzer/_tasks.yaml
create mode 100644 org-formation/079-access-analyzer/access_analyzer.yaml

diff --git a/org-formation/077-macie/README.md b/org-formation/077-macie/README.md
index 061c2487..37005433 100644
--- a/org-formation/077-macie/README.md
+++ b/org-formation/077-macie/README.md
@@ -1,5 +1,5 @@
 ### Purpose of these templates
-The templates in this folder enables
+The templates in this folder enable
 [AWS Macie](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html)
 across our AWS organization.
 
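Review bot: The new value `cron(0 2 * * ? *)` is evaluated by EventBridge in UTC, so the install now runs at 02:00 UTC (18:00/19:00 Pacific), and nothing next to the parameter records which zone was intended; a comment above the line would settle it: `# EventBridge cron is evaluated in UTC: run the agent install once a day at 02:00 UTC`. Going from hourly to daily also means an instance tagged `execute-script: install-stack-armor-agent` can run for up to a day before the agent is installed, so the window between launch and scan coverage grows by the same amount; if that is acceptable it is worth saying so in this folder's README. The StackArmorAgentInstallation task starts before the hunk.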
diff --git a/org-formation/079-access-analyzer/README.md b/org-formation/079-access-analyzer/README.md
new file mode 100644
index 00000000..d9e04c2d
--- /dev/null
+++ b/org-formation/079-access-analyzer/README.md
@@ -0,0 +1,8 @@
+### Purpose of these templates
+The templates in this folder enable
+[IAM Access Analyzer](https://aws.amazon.com/iam/access-analyzer/)
+across our AWS organization.
+
+IAM Access Analyzer is a security feature in AWS that helps you identify
+and analyze potential access risks within your AWS environment by examining
+your IAM policies and resource policies.
diff --git a/org-formation/079-access-analyzer/_tasks.yaml b/org-formation/079-access-analyzer/_tasks.yaml
new file mode 100644
index 00000000..519b6afd
--- /dev/null
+++ b/org-formation/079-access-analyzer/_tasks.yaml
@@ -0,0 +1,15 @@
+Parameters:
+ <<: !Include '../_parameters.yaml'
+
+ appName:
+ Type: String
+ Default: 'access_analyzer'
+
+AccessAnalyzer:
+ Type: update-stacks
+ Template: access_analyzer.yaml
+ StackName: !Sub '${resourcePrefix}-${appName}'
+ StackDescription: Setup IAM Access Analyzer service
+ DefaultOrganizationBindingRegion: !Ref primaryRegion
+ DefaultOrganizationBinding:
+ Account: '*'
diff --git a/org-formation/079-access-analyzer/access_analyzer.yaml b/org-formation/079-access-analyzer/access_analyzer.yaml
new file mode 100644
index 00000000..3fe50c86
--- /dev/null
+++ b/org-formation/079-access-analyzer/access_analyzer.yaml
@@ -0,0 +1,10 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Setup IAM Access Analyzer"
+Resources:
+ AccessAnalyzer:
+ Type: AWS::AccessAnalyzer::Analyzer
+ Properties:
+ # External access analyzers help you identify potential risks of accessing
+ # resources by enabling you to identify any resource policies that grant access
+ # to an external principal.
+ Type: ACCOUNT
diff --git a/org-formation/README.md b/org-formation/README.md
index d7c7b631..29dc7de1 100644
--- a/org-formation/README.md
+++ b/org-formation/README.md
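Review bot: `DefaultOrganizationBinding` sets `Account: '*'` without `IncludeMasterAccount: true`, which the StackArmorAgentInstallation task in the first patch does set; as far as I recall org-formation's `'*'` binds member accounts only, so the management account is probably skipped despite the "all accounts" in the subject — add `IncludeMasterAccount: true` under the binding if it should get an analyzer too. The binding is also limited to `primaryRegion`, and an ACCOUNT-type analyzer only examines resource policies in its own region, so anything deployed in another enabled region stays unexamined; either bind every region the organization uses or record in the folder README that single-region coverage is intended. The same region caveat applies to access_analyzer.yaml in the next hunk.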
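Review bot: The comment above `Type: ACCOUNT` describes what an external-access analyzer finds but not its scope, which is the part an operator needs when reading findings; suggested replacement for the last comment line: `# Type ACCOUNT scopes the analyzer to this account and this region only; cross-account or other-region visibility needs an ORGANIZATION analyzer or a per-region deployment.` If organization-wide visibility from a single place is the goal, an `ORGANIZATION` analyzer in the delegated administrator account is the alternative, with these per-account analyzers kept as the local view. The resource also omits `AnalyzerName`, so CloudFormation generates a different name in each account the stack is deployed to; a fixed name makes findings easier to correlate across accounts.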
@@ -28,6 +28,8 @@ prefixed with numbers to enforce the order they are deployed in.
 Configure Security Hub for all accounts.
 - 077 [Macie](./077-macie) \
 Configure AWS Macie for all accounts.
+- 079 [Access Analyzer](./079-access-analyzer) \
+ Configure IAM Access Analyzer for all accounts.
 - 080 [AWS Config](./080-aws-config-inventory) \
 Configure AWS Config for all accounts.
 - 090 [Systems Manager](./090-systems-manager) \
diff --git a/org-formation/_tasks.yaml b/org-formation/_tasks.yaml
index a4fa3bed..29b375a2 100644
--- a/org-formation/_tasks.yaml
+++ b/org-formation/_tasks.yaml
@@ -36,6 +36,11 @@ Macie:
 DependsOn: [ Types ]
 Path: ./077-macie/_tasks.yaml
+AccessAnalyzer:
+ Type: include
+ DependsOn: [ Types ]
+ Path: ./079-access-analyzer/_tasks.yaml
+ AwsConfigInventory:
+ Type: include
+ DependsOn: [ Types ]