Automated deployment - StackSets - Automated Security Response on AWS

Automated deployment - StackSets

Note

We recommend deploying with StackSets. However, for single account deployments or for testing or evaluation purposes, consider the stacks deployment option.

Before you launch the solution, review the architecture, solution components, security, and design considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your AWS Organizations.

Time to deploy: Approximately 30 minutes per account, depending upon StackSet parameters.

Prerequisites

AWS Organizations helps you centrally manage and govern your multi-account AWS environment and resources. StackSets work best with AWS Organizations.

If you have previously deployed v1.3.x or earlier of this solution, you must uninstall the existing solution. For more information, refer to Solution updates.

Before you deploy this solution, review your AWS Security Hub deployment:

  • There must be a delegated Security Hub admin account in your AWS Organization.

  • Security Hub should be configured to aggregate findings across Regions. For more information, refer to Aggregating findings across Regions in the AWS Security Hub User Guide.

  • You should activate Security Hub for your organization in each Region where you have AWS usage.

This procedure assumes that you have multiple accounts using AWS Organizations, and have delegated an AWS Organizations admin account and an AWS Security Hub admin account.

Deployment overview

Note

StackSets deployment for this solution uses a combination of service-managed and self-managed StackSets. Self-managed StackSets are currently required for the templates that use nested stacks, because service-managed StackSets do not yet support nested stacks.

Deploy the StackSets from a delegated administrator account in your AWS Organizations.

Planning

Use the following form to help with StackSets deployment. Prepare your data, then copy and paste the values during deployment.

AWS Organizations admin account ID: _______________
Security Hub admin account ID: _______________
CloudTrail Logs Group: ______________________________
Member account IDs (comma-separated list): 
___________________,
___________________,
___________________,
___________________,
___________________
AWS Organizations OUs (comma-separated list): 
___________________,
___________________,
___________________,
___________________,
___________________ 

Step 1: Launch the admin stack in the delegated Security Hub admin account

  • Using a self-managed StackSet, launch the aws-sharr-deploy.template AWS CloudFormation template into your AWS Security Hub admin account in the same Region as your Security Hub admin. This template uses nested stacks.

  • Choose which Security Standards to install. By default, only SC is selected (Recommended).

  • Choose an existing Orchestrator log group to use. Select Yes if SO0111-SHARR-Orchestrator already exists from a previous installation.

For more information on self-managed StackSets, refer to Grant self-managed permissions in the AWS CloudFormation User Guide.

Step 2: Install the remediation roles into each AWS Security Hub member account

Wait for Step 1 to complete deployment, because the template in Step 2 references IAM roles created by Step 1.

  • Using a service-managed StackSet, launch the aws-sharr-member-roles.template AWS CloudFormation template into a single Region in each account in your AWS Organizations.

  • Choose to install this template automatically when a new account joins the organization.

  • Enter the account ID of your AWS Security Hub admin account.

Step 3: Launch the member stack into each AWS Security Hub member account and Region

  • Using self-managed StackSets, launch the aws-sharr-member.template AWS CloudFormation template into all Regions where you have AWS resources in every account in your AWS Organization managed by the same Security Hub admin.

    Note

    Until service-managed StackSets support nested stacks, you must do this step for any new accounts that join the organization.

  • Choose which Security Standard playbooks to install.

  • Provide the name of a CloudTrail logs group (used by some remediations).

  • Enter the account ID of your AWS Security Hub admin account.

Step 1: Launch the admin stack in the delegated Security Hub admin account

  1. Launch the admin stack, aws-sharr-deploy.template, with your Security Hub admin account. Typically this is deployed once per organization, in a single Region. Because this stack uses nested stacks, you must deploy this template as a self-managed StackSet.

    [Screenshot: Configure StackSet options]
  2. For the Account numbers parameter, enter the account ID of the AWS Security Hub admin account.

  3. For the Specify regions parameter, select only the Region where Security Hub admin is turned on. Wait for this step to complete before going on to Step 2.

Step 2: Install the remediation roles into each AWS Security Hub member account

Use a service-managed StackSet to deploy the member roles template, aws-sharr-member-roles.template. This StackSet must be deployed in one Region per member account. It defines the global roles that allow cross-account API calls from the SHARR Orchestrator step function.

  1. Deploy to the entire organization (typical) or to organizational units, as per your organization's policies.

  2. Turn on automatic deployment so new accounts in your AWS Organization receive these permissions.

  3. For the Specify regions parameter, select a single Region. IAM roles are global. You can continue to Step 3 while this StackSet deploys.

    [Screenshot: Specify StackSet details]

Step 3: Launch the member stack into each AWS Security Hub member account and Region

Because the member stack uses nested stacks, you must deploy as a self-managed StackSet. This does not support automatic deployment to new accounts in the AWS Organization.

Parameters

LogGroup Configuration: Choose the log group that receives CloudTrail logs. If none exists, or if the log group is different for each account, choose a convenient value. Account administrators must update the Systems Manager – Parameter Store /Solutions/SO0111/Metrics_LogGroupName parameter after creating a CloudWatch Logs group for CloudTrail logs. This is required for remediations that create metric alarms on API calls.

Standards: Choose the standards to load in the member account. This only installs the AWS Systems Manager runbooks – it does not enable the Security Standard.

SecHubAdminAccount: Enter the account ID of the AWS Security Hub Admin account where you installed the solution's admin template.

[Screenshot: Accounts]

Deployment locations: You may specify a list of account numbers or organizational units.

Specify regions: Select all of the Regions where you want to remediate findings. You can adjust Deployment options as appropriate for the number of accounts and Regions. Region Concurrency can be parallel.
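As an added example (not code from the solution or this guide), the following Python turns the planning-form values into the three StackSet operations of Steps 1 to 3, expressed as boto3 create_stack_set and create_stack_instances keyword arguments, so that each step's permission model, Region scope and auto-deployment setting can be checked before anything is created. TEMPLATE_BASE, the StackSet names and the use of the SecHubAdminAccount parameter key for the Step 2 template are assumptions; the sample form values are constructed.

```python
"""Turn the planning-form values into the three StackSet operations of Steps 1-3,
expressed as boto3 create_stack_set / create_stack_instances keyword arguments.
Added example, not part of the solution; TEMPLATE_BASE, StackSet names and the
Step 2 parameter key are assumptions."""
import re

TEMPLATE_BASE = "https://EXAMPLE-BUCKET.s3.amazonaws.com/PREFIX/"  # placeholder
ACCOUNT_RE = re.compile(r"^\d{12}$")
OU_RE = re.compile(r"^(ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}|r-[0-9a-z]{4,32})$")
SAMPLE_FORM = {  # constructed values standing in for a filled-in planning form
    "sechub_admin_account": "222222222222", "sechub_admin_region": "us-east-1",
    "cloudtrail_log_group": "CloudTrail/DefaultLogGroup", "ous": ["ou-abcd-12345678"],
    "member_accounts": ["333333333333", "444444444444"],
    "regions": ["us-east-1", "us-west-2", "eu-west-1"]}


def validate_form(form):
    # Reject malformed planning-form values before any StackSet is created.
    ids = [form["sechub_admin_account"], *form["member_accounts"]]
    bad = [a for a in ids if not ACCOUNT_RE.match(a)]
    bad += [o for o in form["ous"] if not OU_RE.match(o)]
    if bad:
        raise ValueError(f"malformed account or OU ids: {bad}")
    if not form["cloudtrail_log_group"] or not form["regions"]:
        raise ValueError("CloudTrail log group and at least one Region are required")
    return True

def _stack_set(name, template, **extra):
    # Shared create_stack_set arguments; the templates create named IAM roles.
    return {"StackSetName": name, "TemplateURL": TEMPLATE_BASE + template,
            "Capabilities": ["CAPABILITY_NAMED_IAM"], **extra}

def plan(form):
    """Return [(create_stack_set kwargs, create_stack_instances kwargs)] in Step order."""
    validate_form(form)
    admin, home = form["sechub_admin_account"], form["sechub_admin_region"]
    admin_param = [{"ParameterKey": "SecHubAdminAccount", "ParameterValue": admin}]
    # Step 1: nested stacks force SELF_MANAGED; one account, the Security Hub admin Region.
    step1 = (_stack_set("sharr-admin", "aws-sharr-deploy.template", PermissionModel="SELF_MANAGED"),
             {"StackSetName": "sharr-admin", "Accounts": [admin], "Regions": [home]})
    # Step 2: IAM roles are global, so one Region; SERVICE_MANAGED + auto-deployment covers new accounts.
    step2 = (_stack_set("sharr-member-roles", "aws-sharr-member-roles.template", Parameters=admin_param,
                        PermissionModel="SERVICE_MANAGED",
                        AutoDeployment={"Enabled": True, "RetainStacksOnAccountRemoval": False}),
             {"StackSetName": "sharr-member-roles", "Regions": [home],
              "DeploymentTargets": {"OrganizationalUnitIds": form["ous"]}})
    # Step 3: nested again, so SELF_MANAGED; every member account in every Region, in parallel.
    step3 = (_stack_set("sharr-member", "aws-sharr-member.template", Parameters=admin_param,
                        PermissionModel="SELF_MANAGED"),
             {"StackSetName": "sharr-member", "Accounts": form["member_accounts"],
              "Regions": form["regions"], "OperationPreferences": {"RegionConcurrencyType": "PARALLEL"}})
    return [step1, step2, step3]
```

plan() makes no AWS calls; pass each pair in order to a boto3 cloudformation client's create_stack_set and create_stack_instances, and wait for the Step 1 operation to finish before starting Step 2.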