Automated deployment - StackSets
Note
We recommend deploying with StackSets. However, for single account deployments or for testing or evaluation purposes, consider the stacks deployment option.
Before you launch the solution, review the architecture, solution components, security, and design considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your AWS Organizations.
Time to deploy: Approximately 30 minutes per account, depending upon StackSet parameters.
Prerequisites
AWS Organizations
If you have previously deployed v1.3.x or earlier of this solution, you must uninstall the existing solution. For more information, refer to Update the solution.
Before you deploy this solution, review your AWS Security Hub deployment:
- There must be a delegated Security Hub admin account in your AWS Organization.
- Security Hub should be configured to aggregate findings across Regions. For more information, refer to Aggregating findings across Regions in the AWS Security Hub User Guide.
- You should activate Security Hub for your organization in each Region where you have AWS usage.
This procedure assumes that you have multiple accounts using AWS Organizations, and have delegated an AWS Organizations admin account and an AWS Security Hub admin account.
Deployment overview
Note
StackSets deployment for this solution uses a combination of service-managed and self-managed StackSets. Self-managed StackSets are currently required for the templates that use nested stacks, because service-managed StackSets do not yet support nested stacks.
Deploy the StackSets from a delegated administrator account in your AWS Organizations.
Planning
Use the following form to help with StackSets deployment. Prepare your data, then copy and paste the values during deployment.
AWS Organizations admin account ID: _______________
Security Hub admin account ID: _______________
CloudTrail Logs Group: ______________________________
Member account IDs (comma-separated list): ___________________, ___________________, ___________________, ___________________, ___________________
AWS Organizations OUs (comma-separated list): ___________________, ___________________, ___________________, ___________________, ___________________
Step 1: Launch the admin stack in the delegated Security Hub admin account
- Using a self-managed StackSet, launch the aws-sharr-deploy.template AWS CloudFormation template into your AWS Security Hub admin account in the same Region as your Security Hub admin. This template uses nested stacks.
- Choose which Security Standards to install. By default, only SC is selected (Recommended).
- Choose an existing Orchestrator log group to use. Select Yes if SO0111-SHARR-Orchestrator already exists from a previous installation.
For more information on self-managed StackSets, refer to Grant self-managed permissions in the AWS CloudFormation User Guide.
Step 2: Install the remediation roles into each AWS Security Hub member account
Wait for Step 1 to complete deployment, because the template in Step 2 references IAM roles created by Step 1.
- Using a service-managed StackSet, launch the aws-sharr-member-roles.template AWS CloudFormation template into a single Region in each account in your AWS Organizations.
- Choose to install this template automatically when a new account joins the organization.
- Enter the account ID of your AWS Security Hub admin account.
Step 3: Launch the member stack into each AWS Security Hub member account and Region
- Using self-managed StackSets, launch the aws-sharr-member.template AWS CloudFormation template into all Regions where you have AWS resources in every account in your AWS Organization managed by the same Security Hub admin.
Note
Until service-managed StackSets support nested stacks, you must do this step for any new accounts that join the organization.
- Choose which Security Standard playbooks to install.
- Provide the name of a CloudTrail logs group (used by some remediations).
- Enter the account ID of your AWS Security Hub admin account.
Step 1: Launch the admin stack in the delegated Security Hub admin account
- Launch the admin stack, aws-sharr-deploy.template, with your Security Hub admin account. Typically, one per organization in a single Region. Because this stack uses nested stacks, you must deploy this template as a self-managed StackSet.
- For the Account numbers parameter, enter the account ID of the AWS Security Hub admin account.
- For the Specify regions parameter, select only the Region where Security Hub admin is turned on. Wait for this step to complete before going on to Step 2.
Step 2: Install the remediation roles into each AWS Security Hub member account
Use a service-managed StackSet to deploy the member roles template, aws-sharr-member-roles.template. This StackSet must be deployed in one Region per member account. It defines the global roles that allow cross-account API calls from the SHARR Orchestrator step function.
- Deploy to the entire organization (typical) or to organizational units, as per your organization's policies.
- Turn on automatic deployment so new accounts in the AWS Organizations receive these permissions.
- For the Specify regions parameter, select a single Region. IAM roles are global. You can continue to Step 3 while this StackSet deploys.
Step 3: Launch the member stack into each AWS Security Hub member account and Region
Because the member stack
Parameters
LogGroup Configuration: Choose the log group that receives CloudTrail logs. If none exists, or if the log group is different for each account, choose a convenient value. Account administrators must update the Systems Manager – Parameter Store /Solutions/SO0111/Metrics_LogGroupName parameter after creating a CloudWatch Logs Group for CloudTrail logs. This is required for remediations that create metrics alarms on API calls.
Standards: Choose the standards to load in the member account. This only installs the AWS Systems Manager runbooks – it does not enable the Security Standard.
SecHubAdminAccount: Enter the account ID of the AWS Security Hub Admin account where you installed the solution's admin template.
Deployment locations: You may specify a list of account numbers or organizational units.
Specify regions: Select all of the Regions where you want to remediate findings. You can adjust Deployment options as appropriate for the number of accounts and Regions. Region Concurrency can be parallel.