docs/faq/faq.md
Lines changed: 1 addition & 0 deletions
@@ -78,6 +78,7 @@
78
78
- remove quarantine SCP from newly created accounts
79
79
- we do not support forward slashes (`/`) in ou names, even though the AWS platform does
80
80
- More details:
81
+
- If an AWS account is renamed, an account email is changed, or an OU is renamed, on the next state machine execution, the config file will automatically be updated.
81
82
- If you edit an Accelerator controlled SCP through Organizations, we will reset it per what is defined in the Accelerator configuration files.
82
83
- If you add/remove an SCP from a top-level ou or Accelerator controlled account, we will put them back as defined in the Accelerator configuration file.
83
84
- If you move an account between top-level ou's, we will put it back to its original designated top-level ou.
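Review bot: the added blank line after `- More details:` is what lets the four nested bullets render as a sub-list, so the change itself is fine; while this block is being touched, the context line `we do not support forward slashes (`/`) in ou names` writes the unit as `ou`, the very next nested bullet writes `OU is renamed`, and `top-level ou's` two lines later mixes the two again. Suggest settling on `OU`/`OUs` throughout this list.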
- The full PBMM configuration file was based on feedback from customers moving into AWS at scale and at a rapid pace. Customers of this nature have indicated that they do not want to have to upsize their perimeter firewalls or add Interface endpoints as their developers start to use new AWS services. These are the two most expensive components of the deployed architecture solution.
19
-
2. Light weight PBMM configuration [file](../../reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json) (`config.lite-example.json`) **(Recommended for most new PBMM customers)**
19
+
2.**Light weight PBMM configuration**[file](../../reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json) (`config.lite-example.json`) **(Recommended for most new PBMM customers)**
20
20
- To reduce solution costs and allow customers to grow into more advanced AWS capabilities, we created this lighter weight configuration that does not sacrifice functionality, but could limit performance. This config file:
21
-
- only deploys the 6 required centralized Interface Endpoints (removes 56). All services remain accessible using the AWS public endpoints, but require traversing the perimeter firewalls
21
+
- only deploys the 9 required centralized Interface Endpoints (removes 50). All services remain accessible using the AWS public endpoints, but require traversing the perimeter firewalls
22
22
- removes the perimeter VPC Interface Endpoints
23
23
- reduces the Fortigate instance sizes from c5n.2xl to c5n.xl (VM08 to VM04)
24
24
- removes the Unclass ou and VPC
25
25
- The Accelerator allows customers to easily add or change this functionality in future, as and when required without any impact
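Review bot: the rewritten heading `2.**Light weight PBMM configuration**[file](...)` drops the space after `2.` and the space before `[file]`; Markdown needs a space after the ordered-list marker for `2.` to start a list item, and without the second space the bold text and the link run together. Suggest `2. **Light weight PBMM configuration** [file](../../reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json)`. Separately, the endpoint counts changed from `6 required ... (removes 56)` to `9 required ... (removes 50)`: the old pair summed to 62 endpoints and the new pair to 59, so if the total in the full configuration has not changed, one of the two new numbers needs adjusting; please confirm against the full config's endpoint list.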
- This configuration file was created to represent an extremely minimalistic Accelerator deployment, simply to demonstrate the art of the possible for an extremely simple config. This config has:
- This configuration file was created to represent an extremely minimalistic Accelerator deployment, simply to demonstrate the art of the possible for an extremely simple config. This example is NOT recommended as it violates many AWS best practices. This This config has:
28
28
- no `shared-network` or `perimeter` accounts
29
29
- no networking (VPC, TGW, ELB, SG, NACL, endpoints) or route53 (zones, resolvers) objects
30
30
- no Managed AD, AD Connector, rsyslog cluster, RDGW host, or 3rd party firewalls
31
31
- only enables/deploys AWS security services in 2 regions (ca-central-1, us-east-1) (Not recommended)
32
32
- only deploys 2 AWS config rules w/SSM remediation
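Review bot: the new sentence ends with a doubled word, `This This config has:`, which should be `This config has:`. The added caveat `This example is NOT recommended as it violates many AWS best practices.` is worth keeping as written, since the bullets that follow drop the shared-network and perimeter accounts and enable security services in only two regions.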
- This configuration file was created to represent a more advanced multi-region version of the Full PBMM configuration file from bullet 1 above. This config:
36
36
- adds a TGW in us-east-1, peered to the TGW in ca-central-1
37
37
- adds TGW static routes, including several dummy sample static routes
@@ -44,6 +44,21 @@ Samples with Descriptions:
44
44
- local account VPC set to use central endpoints, associates appropriate centralized hosted zones to VPC (also creates 5 local endpoints)
45
45
- adds a VGW for DirectConnect to the perimeter VPC
46
46
- adds the 3rd AZ in ca-central-1 (MAD & ADC in AZ a & b)
47
+
5.**Test PBMM configuration**[file](../../reference-artifacts/SAMPLE_CONFIGS/config.test-example.json) (`config.test-example.json`) **(Use for testing PBMM configuration)**
48
+
- Further reduces solution costs, while demonstrating full solution functionality (NOT recommendend for production). This config file:
49
+
- uses the Light weight PBMM configuration as the starting point
50
+
- consolidates Dev/Test/Prod OU to a single Workloads OU/VPC
51
+
- only enables Security Hub, Config and Macie in ca-central-1 and us-east-1
52
+
- reduces the Fortigate instance sizes from c5n.xl to c5.xl
53
+
- reduces the rsyslog and RDGW instance sizes from t2.large to t2.medium
54
+
- removes the second rsyslog node
55
+
- reduces the size of the MAD from Enterprise to Standard edition
56
+
- removes the on-premise R53 resolvers (hybrid dns)
57
+
- reduced various log retention periods and the VPCFlow log interval
58
+
- removes the two example workload accounts
59
+
- The most expensive individual component of this sample is the perimeter 3rd party firewalls
60
+
- this example will be updated in the near future, removing the 3rd party firewalls
61
+
- we will add a NATGW for egress. For ingress, customers will need to manually target the perimeter ALB to point to each backend-ALB's IP's and manually update the IP's when they change (the next major SEA code release will include functionality to automate this capability)
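Review bot: `5.**Test PBMM configuration**[file](...)` has the same missing spaces as item 2: Markdown needs `5. ` for an ordered-list item and a space between `**` and `[file]`. Suggest `5. **Test PBMM configuration** [file](../../reference-artifacts/SAMPLE_CONFIGS/config.test-example.json)`. Also in this hunk: `recommendend` should be `recommended`, `reduced various log retention periods` should be `reduces` to match the other bullets, and `IP's` should be `IPs`. Because this sample shortens log retention and the VPC Flow Log interval and drops the second rsyslog node, the `(NOT recommended for production)` qualifier is doing real work; consider repeating it on the log-retention bullet so readers who skim the list do not miss it.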
docs/installation/installation.md
Lines changed: 13 additions & 14 deletions
@@ -158,21 +158,20 @@ Before installing, you must first:
158
158
159
159
If deploying to an internal AWS employee account, to successfully install the solution with the 3rd party firewalls, you need to enable Private Marketplace (PMP) before starting:
160
160
161
-
**NOTE: As of Late January 2021 the process has changed - you must now also create an Account Group associated with your Organization management account number and associate this group with your default experience. Will update click-by-click instructions at a future time.**
162
-
163
161
1. In the Organization Management account go here: https://aws.amazon.com/marketplace/privatemarketplace/create
164
-
2. Click Create Marketplace
165
-
3. Go to Profile sub-tab, click the `Not Live` slider to make it `Live`
166
-
4. Click the `Software requests` slider to turn `Requests off`
167
-
5. Change the name field (i.e. append `-PMP`) and change the color, so it is clear PMP is enabled for users
168
-
6. Search Private Marketplace for Fortinet products
169
-
7. Unselect the `Approved Products` filter and then select:
8. Select "Add to Private Marketplace" in the top right
172
-
- Due to PMP provisioning delays, this sometimes fails when attempted immediately following enablement of PMP - retry after 20 minutes.
173
-
9. Wait a couple of minutes while it adds item to your PMP - do NOT subscribe or accept the EULA
174
-
- Repeat for `Fortinet FortiManager (BYOL) Centralized Security Management`
175
-
10. While not used in this account, you must now subscribe to the two subscriptions and accept the EULA for each product (you will need to do the same in the perimeter account, once provisioned below)
162
+
2. Click Create Marketplace, and wait for activation to complete
163
+
3. Go to the "Account Groups" sub-menu and add the Management/root account number in `Associate AWS account`
164
+
4. Use the default experience `New Private Marketplace`
165
+
5. Go to "Experiences" sub-menu, "Settings" sub-tab, and click the `Not Live` slider to make it `Live`
166
+
6. Ensure the `Software requests` slider is set to `Requests off`
167
+
7. Change the name field (i.e. append `-PMP`) and change the color, so it is clear PMP is enabled for users
168
+
8. Go to the "Products" sub-tab (in "Experiences"), then select the "All AWS Marketplace products" nested sub-tab
169
+
9. Search Private Marketplace for Fortinet products and select
170
+
-`Fortinet FortiGate (BYOL) Next-Generation Firewall` and
- Due to PMP provisioning delays, this sometimes fails when attempted immediately following enablement of PMP or if adding each product individually - retry after 20 minutes.
174
+
11. While not used in this account, you must now subscribe to the two subscriptions and accept the EULA for each product (you will need to do the same in the perimeter account, once provisioned below)
176
175
- If you are deploying in any region except ca-central-1 or wish to switch to a different license type, you need the new AMI id's. After successfully subscribing, continue one more step and click the “Continue to Configuration”. When you get the below screen, select your region and version (v6.4.4 recommended at this time). Marketplace will provide the required AMI id. Document the two AMI id's, as you will need to update them in your config.json file below.
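Review bot: the renumbered procedure jumps from `9. Search Private Marketplace for Fortinet products and select` to `11. While not used in this account...`; the replacement for step 10 is not among the visible lines, so please confirm the numbering is contiguous and that the guidance from the removed old step 9 (wait while the products are added to the PMP and do NOT subscribe or accept the EULA at that point) survives in the new step 10, since the new step 11 is the first point at which subscribing and accepting the EULA is intended. Minor: the product bullet line starting with `-`Fortinet FortiGate (BYOL) Next-Generation Firewall`` needs a space after the `-` to render as a bullet, and `(i.e. append `-PMP`)` should read `(e.g. append `-PMP`)` since the suffix is an example rather than a definition.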