More doc tweaks (#421)

- add unofficial roadmap
- add PDF ZIP to ToC
- minor doc tweaks

Author: Brian969

README.md

@@ -132,13 +132,14 @@ This summarizes the installation process, the full installation document can be
     - deploy, configure and guardrail multiple accounts at the same time
     - change Accelerator configuration settings
 
-# **Documentation** (Linked)
+# **Documentation**
 
 ### - [Installation, Upgrades and Basic Operations Guide](./docs/installation/installation.md)
 
 - Link to [releases](https://github.com/aws-samples/aws-secure-environment-accelerator/releases)
-- [Link](./docs/installation/customization-index.md) to sample config file and customization details
-- [Link](./docs/architectures/pbmm/log-file-locations.md) to AWS SEA Central Logging Bucket Structures
+- [Link](./docs/installation/customization-index.md) to sample config files and customization details
+- AWS SEA Central Logging [Bucket Structures](./docs/architectures/pbmm/log-file-locations.md)
+- Unofficial [Roadmap](./docs/roadmap.md)
 
 ### - [Accelerator Operations/Troubleshooting Guide](./docs/operations/operations-troubleshooting-guide.md)
 
@@ -152,4 +153,8 @@ This summarizes the installation process, the full installation document can be
 
 ---
 
-[...Go to Accelerator Table of Contents](./docs/index.md)
+Note: A ZIP file containing a PDF version of all documentation can be found [here](https://github.com/aws-samples/aws-secure-environment-accelerator/actions?query=workflow%3A%22Generate+Documentation%22).
+
+---
+
+[Go to Accelerator Table of Contents](./docs/index.md)

docs/index.md

@@ -1,14 +1,16 @@
 # AWS Secure Environment Accelerator
 
-## **Documentation** (Linked)
+## **Documentation**
 
-### - [Solution Summary / Repo Root](../README.md)
+### - [Solution Summary / Repo root](../README.md)
+
+- Unofficial [Roadmap](./roadmap.md)
 
 ### - [Installation, Upgrades and Basic Operations Guide](./installation/installation.md)
 
 - Link to [releases](https://github.com/aws-samples/aws-secure-environment-accelerator/releases)
-- [Link](./installation/customization-index.md) to sample config file and customization details
-- [Link](./architectures/pbmm/log-file-locations.md) to AWS SEA Central Logging Bucket Structures
+- [Link](./installation/customization-index.md) to sample config files and customization details
+- AWS SEA Central Logging [Bucket Structures](./architectures/pbmm/log-file-locations.md)
 
 ### - [Accelerator Operations/Troubleshooting Guide](./operations/operations-troubleshooting-guide.md)
 
@@ -18,6 +20,10 @@
 
 ### - [Prescriptive PBMM Architecture Design Document](./architectures/pbmm/architecture.md) (Early Draft)
 
-### - [Frequently Asked Questions](./faq/faq.md)
+### - [Frequently Asked Questions](./faq/faq.md) (Future)
+
+---
+
+Note: A ZIP file containing a PDF version of all documentation can be found [here](https://github.com/aws-samples/aws-secure-environment-accelerator/actions?query=workflow%3A%22Generate+Documentation%22).
 
 ---

docs/installation/installation.md

@@ -117,10 +117,11 @@ If deploying to an internal AWS account, to successfully install the entire solu
 
 ### 1.2.2. Basic Accelerator Configuration
 
-1. You can use the [`config.example.json`](../../reference-artifacts/config.example.json) file as base
+1. You can use the [`config.example.json`](../../reference-artifacts/config.example.json) or [`config.lite-example.json`](../../reference-artifacts/config.lite-example.json) files as base
    - Use the version from the Github code branch you are deploying from as some parameters have changed over time
    - On upgrades, compare your deployed configuration file with the latest branch configuration file for any new or changed parameters
-   - This configuration file can be used, as-is, with only minor modification to successfully deploy the standard architecture
+   - These configuration files can be used, as-is, with only minor modification to successfully deploy the standard architecture
+   - These files are described in more detail [here](./customization-index.md)
 2. At minimum, you MUST update the AWS account names and email addresses in the sample file:
 
    1. For existing accounts, they must match identically to the account names and email addresses defined in AWS Organizations;
@@ -383,7 +384,7 @@ Finally, while we started with a goal of delivering on the 12 guardrails, we bel
 ## 3.1. Upgrades
 
 - Always compare your configuration file with the config file from the latest release to validate new or changed parameters or changes in parameter types / formats.
-- Upgrades to `v1.2.1 and above` from v1.2.0 and below - if more than 5 VPC endpoints are deployed in any account (i.e. endpoint vpc in the shared network account), before upgrade, they must be removed from the config file and state machine executed to de-provision them. Endpoints can be re-deployed during the upgrade state machine execution. Skipping this step will result in an upgrade failure due to throttling issues.
+- Upgrades to `v1.2.1 and above` from v1.2.0 and below - if more than 5 VPC endpoints are deployed in any account (i.e. endpoint vpc in the shared network account), before upgrade, they must be removed from the config file and state machine executed to de-provision them. Up to approximately 50 endpoints can be re-deployed during the upgrade state machine execution. Skipping this step will result in an upgrade failure due to throttling issues.
 - Upgrades to `v1.2.0 and above` from v1.1.9 and below require setting `account-warming-required` to `false`, (Perimeter and Ops accounts) or the rsyslog and firewalls will be removed and then re-installed on the subsequent state machine execution
 - Upgrades from `v1.1.7 and below` require the one-time removal of incorrectly created and associated resolver rules for private DNS domains. While we created a manual [script](../reference-artifacts/Custom-Scripts/resolver-rule-cleanup.sh) to remove the incorrect associations, it is quicker to manually delete the incorrect associations using the console (`shared-network` account, Route 53, Resolvers).
 - Upgrades from `v1.1.6 and below` require updating the `GithubRepository` in the CFN stack, as we renamed the GitHub repo with release v1.1.7 to `aws-secure-environment-accelerator`.
@@ -411,7 +412,7 @@ Finally, while we started with a goal of delivering on the 12 guardrails, we bel
   - Shard count - can only increase/reduce by half the current limit. i.e. you can change from `1`-`2`, `2`-`3`, `4`-`6`
 - Always add any new items to the END of all lists or sections in the config file, otherwise
   - Update validation checks will fail (vpc's, subnets, share-to, etc.)
-  - VPC endpoint deployments will fail - do NOT re-order or insert VPC endpoints (unless you first remove them all completely, execute the state machine, then re-add them, and again run the state machine)
+  - VPC endpoint deployments will fail - do NOT re-order or insert VPC endpoints (unless you first remove them all completely, execute the state machine, then re-add them, and again run the state machine) - this challenge no longer exists as of v1.2.1.
 - To skip, remove or uninstall a component, you can simply change the section header, instead of removing the section
   - change "deployments"/"firewalls" to "deployments"/"xxfirewalls" and it will uninstall the firewalls and maintain the old config file settings for future use
   - Objects with the parameter deploy: true, support setting the value to false to remove the deployment

docs/roadmap.md

@@ -0,0 +1,68 @@
+# AWS Secure Environment Accelerator
+
+# **Roadmap**
+
+- This is an unofficial roadmap to provide customers with a general product direction
+- This roadmap does not constitute a commitment, items can be added, removed, and re-prioritized at any time, for any reason
+- We are not providing any feature release timelines or commitments
+
+---
+
+## In-Progress
+
+- Deploy SSM Automation documents (needed for AWS Config Remediation)
+- Deploy Managed AWS Config rules per ou, globally
+  - First sample rule: auto-enable logging on new ELB's (includes remediation)
+  - Followed by a collection of NIST 800-53 non-remediating rules
+  - Include SCP to protect 'PBMMAccel-' prefixed Config rules
+- Documentation updates, improvements and finalization
+- Ongoing defect remediation and codebase improvements
+
+## Planned
+
+- Deploy additional specific remediating Config rules
+  - Dependant on current in-progress tasks
+  - Auto-remediate unencrypted S3 buckets
+  - Auto-remediate missing role on all new and existing EC2 instances
+  - Auto-remediate missing permissions on all new and existing EC2 instances
+    - See: https://aws.amazon.com/blogs/mt/applying-managed-instance-policy-best-practices/
+  - Deploy Customer provided Lambda's (if required for above Config rule remediations)
+- Enable NEW Guardduty S3 features moved from Macie
+- Push CloudWatch Log Agent using Run Command - all instances
+- Enable 'SSM Global Inventory (Managed Instance Config)
+  - https://docs.aws.amazon.com/config/latest/developerguide/recording-managed-instance-inventory.html
+  - https://aws.amazon.com/about-aws/whats-new/2018/11/aws-systems-manager-now-supports-multi-account-and-multi-region-inventory-view/
+- Firewall tweaks: Add out-of-box A/P firewall support, 2nd tunnel support
+- Add support for this new S3 feature: https://aws.amazon.com/about-aws/whats-new/2020/10/amazon-s3-object-ownership-enables-bucket-owners-to-automatically-assume-ownership-of-objects-uploaded-to-their-buckets/
+- Full PBMM/Medium Cloud Security Profile ITSG write-ups / Documentation
+- SCP improvements and improved coverage (i.e. S3)
+
+## Assessing
+
+- Spoke sub-account local VPC CIDR management
+- Deploy customer provided Service Catalog Items
+- Improve existing ALB deployment codebase (add http support, alarms, add seperate health-check VIF)
+- Mechanism to allow sub-accounts to request perimeter FW/ALB flow updates
+- Enable WAF on ALB's
+- Allow disabling SH rules on a per OU/account basis
+- Email SH findings/alerts based on risk rating
+- Encrypt all CWL groups w/CMK
+- Open security tools outside Canada (Core OU only?)
+- Config file cleanup and formal JSON schema
+  - Adopt a JSON pointer syntax in config file (allow duplicate object naming)
+  - improve consistency, remove type mutations, ensure multiples are implemented (or remove them until supported)
+  - config file to become a contract
+
+## WISH LIST
+
+- Accelerator Wizard based GUI interface (to abstract/hide the configuration file)
+  - Easy mode (limited selections) and Advanced mode (extreme customization)
+  - Deployed in Ops account, permissions based on IAM credentials
+    - Org Admin can make any configuration change
+    - Account Admin creates accounts, makes minor changes, approves user requests
+    - Users can request a 'set of accounts' of a certain type, request account changes, a flow, or a custom vpc
+  - Phased deliver (Org Admin Wizard on day 1, slowly add workflows)
+
+---
+
+[...Return to Accelerator Table of Contents](./index.md)

index.md

@@ -0,0 +1,29 @@
+# AWS Secure Environment Accelerator
+
+## **Documentation**
+
+### - [Solution Summary / Repo root](../README.md)
+
+- Unofficial [Roadmap](./roadmap.md)
+
+### - [Installation, Upgrades and Basic Operations Guide](./installation/installation.md)
+
+- Link to [releases](https://github.com/aws-samples/aws-secure-environment-accelerator/releases)
+- [Link](./installation/customization-index.md) to sample config files and customization details
+- [Link](./architectures/pbmm/log-file-locations.md) to AWS SEA Central Logging Bucket Structures
+
+### - [Accelerator Operations/Troubleshooting Guide](./operations/operations-troubleshooting-guide.md)
+
+### - [Accelerator Developer Guide](./developer/developer-guide.md) (Early Draft)
+
+### - [Accelerator Governance and Contributing Guide](../CONTRIBUTING.md) (Early Draft)
+
+### - [Prescriptive PBMM Architecture Design Document](./architectures/pbmm/architecture.md) (Early Draft)
+
+### - [Frequently Asked Questions](./faq/faq.md)
+
+---
+
+Note: A ZIP file containing a PDF version of all documentation can be found [here](https://github.com/aws-samples/aws-secure-environment-accelerator/actions?query=workflow%3A%22Generate+Documentation%22).
+
+---