(docs) Documentation and sample config file updates for v133 release (#723)

* Various tweaks for 133 release
- update vpc CIDR2 to array
- remove CIDR2 from subnets
- update sample snippets to include account level SCPs
- update sample snippets to include interface endpoint sg enhancements
- fix assumerole block for SEA created roles
* Update installation.md
* Move non VPC CIDRs to update top of file
- enables updating all CIDRs in one spot, top of config file
- ensures customers don't miss updating a IP list
- no impact on existing deployments as replacements happen pre-execution
* Update sm_inputs.md
* Update faq.md
* switch default organization-admin-role to AWS default

Author: Brian969

docs/faq/faq.md

@@ -70,19 +70,20 @@
   - create, rename, modify, apply and remove SCP's
 - What can't I do:
   - modify Accelerator controlled SCP's
-  - add/remove SCP's on top-level OU's (these are Accelerator controlled)
-    - users can change SCP's on non-top-level ou's and accounts as they please
+  - add/remove SCP's on top-level OU's (these are Accelerator controlled) or specific accounts that have Accelerator controlled SCPs
+    - users can change SCP's on non-top-level ou's and non-Accelerator controlled accounts as they please
   - move an AWS account between top-level ou's (i.e. `Sandbox` to `Prod` is a security violation)
     - moving between `Prod/sub-ou-1` to `Prod/sub-ou2` or `Prod/sub-ou2/sub-ou2a/sub-ou2ab` is fully supported
   - create a top-level ou (need to validate, as they require config file entries)
   - remove quarantine SCP from newly created accounts
   - we do not support forward slashes (`/`) in ou names, even though the AWS platform does
 - More details:
   - If you edit an Accelerator controlled SCP through Organizations, we will reset it per what is defined in the Accelerator configuration files.
-  - If you add/remove an SCP from a top-level ou, we will put them back as defined in the Accelerator configuration file.
+  - If you add/remove an SCP from a top-level ou or Accelerator controlled account, we will put them back as defined in the Accelerator configuration file.
   - If you move an account between top-level ou's, we will put it back to its original designated top-level ou.
-  - The Accelerator fully supports nested ou's, customers can create any depth ou structure in AWS Organizations and add/remove/change SCP's _below_ the top-level as they desire or move accounts between these ou's without restriction. Users can create ou's to the full AWS ou structure/depth.
+  - The Accelerator fully supports nested ou's, customers can create any depth ou structure in AWS Organizations and add/remove/change SCP's _below_ the top-level as they desire or move accounts between these ou's without restriction. Users can create ou's to the full AWS ou structure/depth
   - Except for the Quarantine SCP applied to specific accounts, we do not 'control' SCP's below the top level, customers can add/create/customize SCP's
+    - as of v1.3.3 customers can optionally control account level SCP's through the configuration file
 
 ### 1.1.3. How do I make changes to items I defined in the Accelerator configuration file during installation?
 

docs/installation/installation.md

@@ -231,7 +231,7 @@ If deploying to an internal AWS employee account, to successfully install the so
 8. Add an `Email` address to be used for State Machine Status notification
 9. The `GithubBranch` should point to the release you selected
    - if upgrading, change it to point to the desired release
-   - the latest stable branch is currently `release/v1.3.2`, case sensitive
+   - the latest stable branch is currently `release/v1.3.3`, case sensitive
 10. Apply a tag on the stack, Key=`Accelerator`, Value=`PBMM` (case sensitive).
 11. **ENABLE STACK TERMINATION PROTECTION** under `Stack creation options`
 12. The stack typically takes under 5 minutes to deploy.
@@ -330,7 +330,7 @@ Issues in Older Releases:
 - Upgrades to `v1.2.6 and above` from `v1.2.5 and below` - Ensure you apply the config file changes described in the release notes:
   - Cut-paste the new `"replacements": {},` section at the top of the example config file into your config file, as-is
     - Enables customers to leverage the repo provided SCP's without customization, simplifying upgrades, while allowing SCP region customization
-    - the cloud-cidrX/cloud-maskX variables are examples of customer provided values that can be used to consistently auto-replace values throughout config files, these 4 specific variables are required for the firewalls to successfully deploy
+    - the cloud-cidrX/cloud-maskX variables are examples of customer provided values that can be used to consistently auto-replace values throughout config files, these 4 specific variables are ***all*** required for the firewalls to successfully deploy
   - The new ${variable} are auto-replaced across your config files, SCP's and firewall config files.
     - as the variables should resolve to their existing values, you can leave your config file using hardcoded region and Accelerator prefix naming, or you can update them to make subsequent file comparisons easier for future upgrades. These are most useful for new installations in non ca-central-1 regions
   - Some repo provide filenames have changed, where they are referenced within the config file, you must update them to their new filenames

docs/installation/sm_inputs.md

@@ -45,6 +45,26 @@ Providing any one or more of the following flags will only override the specifie
  }
 ```
 
+## 1.4. Generate verbose logging ithin state machine
+
+- Added "verbose": "1" state machine input options
+- parameter is optional
+- parameter defaults to 0
+
+```
+{"scope":"FULL", "mode":"APPLY", "verbose":"1"}
+```
+
+## 1.5. ADDITIONAL MANDATORY STATE MACHINE INPUT FUNCTIONALITY
+
+See [NEW: State Machine Behavior](https://github.com/aws-samples/aws-secure-environment-accelerator/blob/main/docs/installation/customization-index.md#2-new-state-machine-behavior).
+
+- {"scope":"FULL", "mode":"APPLY"}
+- {"scope":"NEW-ACCOUNTS", "mode":"APPLY"}
+- {"scope":"GLOBAL-OPTIONS", "mode":"APPLY"}
+- {"scope":"OU", "targetOUs":[X], "mode":"APPLY"}
+- {"scope":"ACCOUNT", "targetAccounts":[X], "mode":"APPLY"}
+
 ---
 
 [...Return to Accelerator Table of Contents](../index.md)

reference-artifacts/SAMPLE_CONFIGS/config.example.json

@@ -5,19 +5,23 @@
       "b": ["${HOME_REGION}", "${GBL_REGION}"],
       "c": ["${HOME_REGION}", "${GBL_REGION}", "us-east-2", "us-west-1", "us-west-2"]
     },
-    "INFO": "This file will not work in us-east-1 without removing references to GBL_REGION",
-    "INFO1": "If deploying the firewalls, both cidr values below must be supplied",
+    "INFO": "Deploying in us-east-1 requires removing ${GBL_REGION} from the above variables",
+    "INFO1": "If deploying the firewalls, both cidr values below MUST be supplied",
     "cloud-cidr1": "10.0.0.0",
     "cloud-mask1": "255.0.0.0",
     "cloud-cidr2": "100.96.252.0",
-    "cloud-mask2": "255.255.254.0"
+    "cloud-mask2": "255.255.254.0",
+    "range-restrict": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"],
+    "range-mad": "100.96.252.0/23",
+    "range-dev-test": ["0.0.0.0/0"],
+    "alarm-not-ip": "10.10.10.*"
   },
   "global-options": {
     "alz-baseline": false,
     "ct-baseline": false,
     "default-s3-retention": 90,
     "central-bucket": "AWSDOC-EXAMPLE-BUCKET",
-    "organization-admin-role": "AWSCloudFormationStackSetExecutionRole",
+    "organization-admin-role": "OrganizationAccountAccessRole",
     "default-cwl-retention": 731,
     "workloadaccounts-suffix": 1,
     "workloadaccounts-prefix": "config",
@@ -365,7 +369,7 @@
           "accounts": ["management"],
           "regions": ["${HOME_REGION}"],
           "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail",
-          "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != 10.10.10.*) }",
+          "filter-pattern": "{ ($.eventSource=sso.amazonaws.com) && ($.eventName=Authenticate) && ($.sourceIPAddress != ${ALARM-NOT-IP}) }",
           "metric-namespace": "CloudTrailMetrics",
           "metric-name": "SSOAuthUnapprovedIPCount",
           "metric-value": "1"
@@ -375,7 +379,7 @@
           "accounts": ["management"],
           "regions": ["${HOME_REGION}"],
           "loggroup-name": "/${ACCELERATOR_PREFIX_ND}/CloudTrail",
-          "filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != 10.10.10.*) }",
+          "filter-pattern": "{ ($.eventName=ConsoleLogin) && ($.userIdentity.type=IAMUser) && ($.sourceIPAddress != ${ALARM-NOT-IP}) }",
           "metric-namespace": "CloudTrailMetrics",
           "metric-name": "IAMAuthUnapprovedIPCount",
           "metric-value": "1"
@@ -1059,7 +1063,7 @@
           "central-resolver-rule-vpc": "Endpoint",
           "log-group-name": "/${ACCELERATOR_PREFIX_ND}/MAD/example.local",
           "share-to-account": "",
-          "restrict_srcips": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"],
+          "restrict_srcips": "${RANGE-RESTRICT}",
           "num-rdgw-hosts": 1,
           "min-rdgw-hosts": 1,
           "max-rdgw-hosts": 2,
@@ -1104,7 +1108,7 @@
                 {
                   "description": "Allow RDP Traffic Inbound",
                   "type": ["RDP"],
-                  "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+                  "source": "${RANGE-RESTRICT}"
                 }
               ],
               "outbound-rules": [
@@ -1130,7 +1134,7 @@
                   "description": "Allow Traffic Inbound",
                   "tcp-ports": [514],
                   "udp-ports": [514],
-                  "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+                  "source": "${RANGE-RESTRICT}"
                 }
               ],
               "outbound-rules": [
@@ -1389,7 +1393,7 @@
           "deploy": "local",
           "name": "Perimeter",
           "cidr": "10.7.4.0/22",
-          "cidr2": "100.96.250.0/23",
+          "cidr2": ["100.96.250.0/23"],
           "region": "${HOME_REGION}",
           "use-central-endpoints": false,
           "flow-logs": "BOTH",
@@ -1573,7 +1577,7 @@
                 {
                   "description": "TLS Traffic Inbound",
                   "type": ["HTTPS"],
-                  "source": ["0.0.0.0/0"]
+                  "source": "${RANGE-DEV-TEST}"
                 }
               ],
               "outbound-rules": [
@@ -1591,7 +1595,7 @@
                   "description": "Allow Mgmt Traffic Inbound",
                   "tcp-ports": [22, 443, 514, 541, 2032, 3000, 5199, 6020, 6028, 8080],
                   "udp-ports": [9443],
-                  "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+                  "source": "${RANGE-RESTRICT}"
                 }
               ],
               "outbound-rules": [
@@ -1613,7 +1617,7 @@
                 {
                   "description": "Mgmt Traffic, Customer Outbound traffic and ALBs",
                   "type": ["ALL"],
-                  "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+                  "source": "${RANGE-RESTRICT}"
                 }
               ],
               "outbound-rules": [
@@ -1824,7 +1828,7 @@
           "vpc-name": "ForSSO",
           "subnet": "ForSSO",
           "size": "Small",
-          "restrict_srcips": ["10.249.1.0/24", "100.96.252.0/23"],
+          "restrict_srcips": ["10.249.1.0/24", "${RANGE-MAD}"],
           "connect-account-key": "operations",
           "connect-dir-id": 1001
         }
@@ -1997,7 +2001,7 @@
           "deploy": "shared-network",
           "name": "Central",
           "cidr": "10.1.0.0/16",
-          "cidr2": "100.96.252.0/23",
+          "cidr2": ["100.96.252.0/23"],
           "region": "${HOME_REGION}",
           "use-central-endpoints": true,
           "flow-logs": "BOTH",
@@ -2179,17 +2183,17 @@
                 {
                   "az": "a",
                   "route-table": "CentralVPC_GCWide",
-                  "cidr2": "100.96.252.0/25"
+                  "cidr": "100.96.252.0/25"
                 },
                 {
                   "az": "b",
                   "route-table": "CentralVPC_GCWide",
-                  "cidr2": "100.96.252.128/25"
+                  "cidr": "100.96.252.128/25"
                 },
                 {
                   "az": "d",
                   "route-table": "CentralVPC_GCWide",
-                  "cidr2": "100.96.253.0/25",
+                  "cidr": "100.96.253.0/25",
                   "disabled": true
                 }
               ]
@@ -2247,7 +2251,7 @@
                 {
                   "description": "Mgmt RDP/SSH Traffic Inbound",
                   "type": ["RDP", "SSH"],
-                  "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+                  "source": "${RANGE-RESTRICT}"
                 }
               ],
               "outbound-rules": [
@@ -2736,7 +2740,7 @@
                 {
                   "description": "Mgmt RDP/SSH Traffic Inbound",
                   "type": ["RDP", "SSH"],
-                  "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+                  "source": "${RANGE-RESTRICT}"
                 },
                 {
                   "description": "Central VPC Traffic Inbound",
@@ -3265,7 +3269,7 @@
                 {
                   "description": "Mgmt RDP/SSH Traffic Inbound",
                   "type": ["RDP", "SSH"],
-                  "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+                  "source": "${RANGE-RESTRICT}"
                 },
                 {
                   "description": "Central VPC Traffic Inbound",
@@ -3794,7 +3798,7 @@
                 {
                   "description": "Mgmt RDP/SSH Traffic Inbound",
                   "type": ["RDP", "SSH"],
-                  "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+                  "source": "${RANGE-RESTRICT}"
                 },
                 {
                   "description": "Central VPC Traffic Inbound",
@@ -4290,7 +4294,7 @@
                 {
                   "description": "Mgmt RDP/SSH Traffic Inbound",
                   "type": ["RDP", "SSH"],
-                  "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+                  "source": "${RANGE-RESTRICT}"
                 },
                 {
                   "description": "Central VPC Traffic Inbound",
@@ -4771,7 +4775,7 @@
                 {
                   "description": "Mgmt RDP/SSH Traffic Inbound",
                   "type": ["RDP", "SSH"],
-                  "source": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"]
+                  "source": "${RANGE-RESTRICT}"
                 }
               ],
               "outbound-rules": [