Docs(core):Minor doc and config file tweaks (#358)

Brian969 · web-flow · commit 74f8cc95ff5f · 2020-08-26T13:32:02.000+05:30
* Minor doc and config file tweaks (#358)
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@ A common misconception is that the AWS Secure Environment Accelerator only deplo
 
 Additionally, while the Accelerator is initially responsible for deploying a prescribed architecture, it more importantly allows for organizations to operate, evolve, and maintain their cloud architecture and security controls over time and as they grow, with mininal effort, often using native AWS tools. Customers don't have to change the way they operate in AWS.
 
-Specifically the accelerator deploys and manages the following functionality, both at initial accelerator deployment and as new accounts are created, added, or onboarded:
+Specifically the accelerator deploys and manages the following functionality, both at initial accelerator deployment and as new accounts are created, added, or onboarded in a completely automated manner:
 
 ### Creates AWS Account
 
@@ -29,7 +29,7 @@ Specifically the accelerator deploys and manages the following functionality, bo
 
 ### Creates Networking
 
-- Transit Gateways and TGW route tables
+- Transit Gateways and TGW route tables (incl. inter-region peering coming in v1.1.9)
 - Centralized and/or Local VPC's
 - Subnets, Route tables, NACLs, Security groups, NATGWs, IGWs, VGWs, CGWs
 - VPC Endpoints (Gateway and Interface, Centralized or Local)
@@ -78,12 +78,14 @@ Specifically the accelerator deploys and manages the following functionality, bo
 - Deploys both perimeter and account level ALB's w/Lambda health checks, certificates and TLS policies
 - Deploys & configures 3rd party firewall clusters and management instances w/vendor best practices and sample security policies, w/automated TGW ECMP BGP tunnel standup
 - Protects Accelerator deployed and managed objects
+- Sets Up SNS Alerting topics (High, Medium, Low, Blockhole priorities) (coming in v1.1.9)
+- Deploys CloudWatch Log Metrics and Alarms (coming in v1.1.9)
 
-### Centralized Logging
+### Centralized Logging and Alerting
 
 - Deploys an rsyslog auto-scaling cluster behind an NLB, all syslogs forwarded to CWL
-- Centralizes logging to a single centralize S3 bucket (enables, configures and centralizes)
-  - VPC Flow logs (Enhanced metadata fields and CWL destination coming soon)
+- Centralizes logging to a single centralized S3 bucket (enables, configures and centralizes)
+  - VPC Flow logs w/Enhanced metadata fields (also sent to CWL)
   - Organizational Cost and Usage Reports
   - CloudTrail Logs including S3 Data Plane Logs (also sent to CWL)
   - All CloudWatch Logs (includes rsyslog logs)
@@ -113,18 +115,18 @@ When appropriate, it is envisioned that the AWS Accelerator will add the capabil
 
 This summarizes the installation process, the full installation document can be found in the documentation section below.
 
-- Create a config.json file to represent your organizations requirements (PBMM sample provided)
+- Create a config.json (or config.yaml) file to represent your organizations requirements (PBMM sample provided)
 - Create a Secrets Manager Secret which contains a GitHub token with access to the Accelerator code repo
 - Create a unique S3 input bucket and place your config.json and any additional custom config files in the bucket
 - Download and execute the latest installer CloudFormation template in your master accounts preferred 'primary' region
 - Wait for:
   - CloudFormation to deploy and start the Code Pipeline (~5 mins)
-  - Code Pipeline to download the Accelerator codebase and install the Accelerator State Machine (~15 mins)
-  - The Accelerator State Machine to finish execution (~3hrs)
+  - Code Pipeline to download the Accelerator codebase and install the Accelerator State Machine (~15-20 mins)
+  - The Accelerator State Machine to finish execution (~2hrs)
 - Perform required manual follow-up activities (configure AWS SSO, set firewall passwords, etc.)
 - When required:
   - Use AWS Organizations to create new fully managed and guardrailed AWS accounts
-  - Update the config file in CodeCommit and run the Accelerator State Machine (~20min) to:
+  - Update the config file in CodeCommit and run the Accelerator State Machine (~30min) to:
     - deploy, configure and guardrail multiple accounts at the same time
     - change Accelerator configuration settings
 
diff --git a/docs/installation/index.md b/docs/installation/index.md
diff --git a/reference-artifacts/Custom-Scripts/Import-Account-CFN-Role-Template.yml b/reference-artifacts/Custom-Scripts/Import-Account-CFN-Role-Template.yml
diff --git a/reference-artifacts/Custom-Scripts/resolver-rule-cleanup.sh b/reference-artifacts/Custom-Scripts/resolver-rule-cleanup.sh
diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-PBMM-Only.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-PBMM-Only.json
@@ -82,7 +82,6 @@
       "Effect": "Deny",
       "NotAction": [
         "a4b:*",
-        "access-analyzer:*",
         "acm:*",
         "aws-marketplace-management:*",
         "aws-marketplace:*",
diff --git a/reference-artifacts/SCPs/PBMMAccel-Guardrails-Unclass-Only.json b/reference-artifacts/SCPs/PBMMAccel-Guardrails-Unclass-Only.json
@@ -27,7 +27,6 @@
       "Effect": "Deny",
       "NotAction": [
         "a4b:*",
-        "access-analyzer:*",
         "aws-marketplace-management:*",
         "aws-marketplace:*",
         "aws-portal:*",
diff --git a/reference-artifacts/config-pbmm-standalone-full.json b/reference-artifacts/config-pbmm-standalone-full.json
@@ -6,7 +6,7 @@
     "central-log-retention": 730,
     "default-log-retention": 90,
     "central-bucket": "AWSDOC-EXAMPLE-BUCKET",
-    "organization-admin-role": "OrganizationAccountAccessRole",
+    "organization-admin-role": "AWSCloudFormationStackSetExecutionRole",
     "default-cwl-retention": 731,
     "workloadaccounts-suffix" : 1,
     "workloadaccounts-prefix" : "config",
@@ -64,6 +64,7 @@
       "ssm-to-s3": true,
       "ssm-to-cwl": true
     },
+    "additional-cwl-regions": {},
     "reports": {
       "cost-and-usage-report": {
         "additional-schema-elements": ["RESOURCES"],
diff --git a/reference-artifacts/config-pbmm-standalone-lite.json b/reference-artifacts/config-pbmm-standalone-lite.json
@@ -6,7 +6,7 @@
     "central-log-retention": 730,
     "default-log-retention": 90,
     "central-bucket": "AWSDOC-EXAMPLE-BUCKET",
-    "organization-admin-role": "OrganizationAccountAccessRole",
+    "organization-admin-role": "AWSCloudFormationStackSetExecutionRole",
     "default-cwl-retention": 731,
     "workloadaccounts-suffix" : 1,
     "workloadaccounts-prefix" : "config",
@@ -64,6 +64,7 @@
       "ssm-to-s3": true,
       "ssm-to-cwl": true
     },
+    "additional-cwl-regions": {},
     "reports": {
       "cost-and-usage-report": {
         "additional-schema-elements": ["RESOURCES"],
diff --git a/reference-artifacts/config.example.json b/reference-artifacts/config.example.json
@@ -78,16 +78,6 @@
         "report-versioning": "OVERWRITE_REPORT"
       }
     },
-    "conformance-packs": [
-      {
-        "gc-pack": {
-          "install": true,
-          "auto-remediation": true,
-          "monitoring": true,
-          "frequency": 24
-        }
-      }
-    ],
     "zones": {
       "account": "shared-network",
       "resolver-vpc": "Endpoint",
@@ -487,7 +477,7 @@
           "central-resolver-rule-account": "shared-network",
           "central-resolver-rule-vpc": "Endpoint",
           "log-group-name": "/PBMMAccel/MAD/example.local",
-          "share-to-account": "master",
+          "share-to-account": "",
           "restrict_srcips": ["10.0.0.0/8", "100.96.252.0/23", "100.96.250.0/23"],
           "num-rdgw-hosts": 1,
           "min-rdgw-hosts": 1,
@@ -1146,7 +1136,7 @@
       "email": "myemail+pbmmT-master@example.com---------------------REPLACE----------------------",
       "ou": "core",
       "landing-zone-account-type": "primary",
-      "share-mad-from": "operations",
+      "share-mad-from": "",
       "src-filename": "config.json",
       "budget": {
         "name": "Organization Budget",
@@ -3260,14 +3250,6 @@
           }
         ]
       },
-      "certificates": [
-        {
-          "name": "UnclassSelf-SignedCert",
-          "type": "import",
-          "priv-key": "certs/example1-cert.key",
-          "cert": "certs/example1-cert.crt"
-        }
-      ],
       "vpc": [
         {
           "deploy": "shared-network",
