(docs)Update installation.md (#667)

* Update installation.md
* Update sample configs with ap-northeast-3
* fix error in developer guide
* Improve SCP
* block sharing snapshots and ec2 images
* tweak-scp-lockdown-snapsharing
* Update installation.md

Author: Brian969

docs/developer/developer-guide.md

@@ -754,7 +754,7 @@ There is a script called `cdk.sh` in `src/deployments/cdk` that allows you to de
 
 The script enables development mode which means that accounts, organizations, configuration, limits and outputs will be loaded from the local environment instead of loading the values from DynamoDB. The local files that need to be available in the `src/deployments/cdk` folder are the following.
 
-1. `accounts.json` based on `accelerator/accounts`
+1. `accounts.json` based on `accelerator/accounts` (-Parameters table)
 
 ```json
 [
@@ -777,7 +777,7 @@ The script enables development mode which means that accounts, organizations, co
 ]
 ```
 
-2. `organizations.json` based on `accelerator/organizations`
+2. `organizations.json` based on `accelerator/organizations` (-Parameters table)
 
 ```json
 [
@@ -796,7 +796,7 @@ The script enables development mode which means that accounts, organizations, co
 ]
 ```
 
-3. `limits.json` based on `accelerator/limits`
+3. `limits.json` based on `accelerator/limits` (-Parameters table)
 
 ```json
 [
@@ -819,7 +819,7 @@ The script enables development mode which means that accounts, organizations, co
 ]
 ```
 
-4. `outputs.json` based on `outputs.json` in the Accelerator configuration bucket
+4. `outputs.json` based on the -Outputs table
 
 ```json
 [

docs/installation/installation.md

@@ -220,6 +220,7 @@ If deploying to an internal AWS employee account, to successfully install the so
 ## 2.5. Installation
 
 1. You can find the latest release in the repository [here](https://github.com/aws-samples/aws-secure-environment-accelerator/releases).
+   - Due to some breaking dependency issues, customers can only install or upgrade to v1.3.1 or above (older releases continue to function, but cannot be installed)
 2. Download the CloudFormation (CFN) template `AcceleratorInstallerXXX.template.json` for the release you plan to install
 3. Use the provided CloudFormation template to deploy a new stack in your Management (root) AWS account
    - As previously stated we do not support installation in sub-accounts
@@ -230,7 +231,7 @@ If deploying to an internal AWS employee account, to successfully install the so
 8. Add an `Email` address to be used for State Machine Status notification
 9. The `GithubBranch` should point to the release you selected
    - if upgrading, change it to point to the desired release
-   - the latest stable branch is currently `release/v1.3.0`, case sensitive
+   - the latest stable branch is currently `release/v1.3.1`, case sensitive
 10. Apply a tag on the stack, Key=`Accelerator`, Value=`PBMM` (case sensitive).
 11. **ENABLE STACK TERMINATION PROTECTION** under `Stack creation options`
 12. The stack typically takes under 5 minutes to deploy.
@@ -266,6 +267,7 @@ If deploying to an internal AWS employee account, to successfully install the so
 Current Issues:
 
 - Occasionally CloudFormation fails to return a completion signal. After the credentials eventually fail (1 hr), the state machine fails. Simply rerun the state machine.
+- New deployments to existing organizations with more than 20 accounts will fail on SSM document sharing as we fail to paginate the API call. Remove the SSM remediation documents from all of the OU's, i.e. `"documents": []` and set `"remediation": false` on the 4 config rules in global-options. Will be resolved in v1.3.1. Adding a new SSM document to the config file which results in it being shared to more than 20 accounts will also fail. Assuming no OU has more than 20 accounts, customers can deploy the SSM document one OU at a time to work around this issue.
 
 Issues in Older Releases:
 
@@ -301,7 +303,8 @@ Issues in Older Releases:
            - Each new VIP will use a new high port (i.e. 7007, 7008, etc.), all of which map back to port 443
            - Detailed steps can be read [here](./guides/public-facing-workload-via-fortigate.md).
     4. In your `home` region (i.e. ca-central-1), Enable AWS SSO, Set the SSO directory to MAD, set the SSO email attrib to: \${dir:email}, create all default permission sets and any desired custom permission sets, map MAD groups to perm sets
-    5. On a per role basis, you need to enable the CWL Account Selector in the Security and the Ops accounts
+    5. On a per role basis, you need to enable the CWL Account Selector in the Security and the Ops accounts, in each account:
+       - Go to CloudWatch, Settings, Under `Cross-account cross-region` select `Configure`, Under `View cross-account cross-region` select `Enable`, choose `AWS Organization account selector`, click `Enable`
     6. Customers are responsible for the ongoing management and rotation of all passwords on a regular basis per their organizational password policy. This includes the passwords of all IAM users, MAD users, firewall users, or other users, whether deployed by the Accelerator or not. We do NOT automatically rotate any passwords, but strongly encourage customers do so, on a regular basis.
 
 2.  During the installation we request required limit increases, resources dependent on these limits will not be deployed
@@ -315,6 +318,7 @@ Issues in Older Releases:
 
 ## 3.1. Considerations
 
+- Due to some breaking dependency issues, customers can only install or upgrade to v1.3.1 or above (older releases continue to function, but cannot be installed)
 - Always compare your configuration file with the config file from the release you are upgrading to in order to validate new or changed parameters or changes in parameter types / formats.
   - do NOT update to the latest firewall AMI - see the the last bullet in section [5.1. Accelerator Design Constraints / Decisions](#51-accelerator-design-constraints--decisions)
   - do NOT update the `organization-admin-role` - see bullet 2 in section [2.2.6. Other](#226-other)
@@ -358,7 +362,7 @@ Issues in Older Releases:
 
 ## 3.2. Summary of Upgrade Steps (all versions)
 
-1. Login to your Organization Management (root) AWS account with administrative priviliges
+1. Login to your Organization Management (root) AWS account with administrative privileges
 2. Ensure a valid Github token is stored in secrets manager [(section 2.3.2)](#232-create-github-personal-access-token-and-store-in-secrets-manager)
 3. Review and implement any relevant tasks noted in the upgrade considerations in [section 3.1](#31-considerations)
 4. Update the config file in Code Commit with new parameters and updated parameter types based on the version you are upgrading to (this is important as features are iterating rapidly)
@@ -375,12 +379,13 @@ Issues in Older Releases:
    - The pipeline will automatically run and trigger the upgraded state machine
 9. If you are using a pre-existing GitHub token:
 
-- Update the Installer CloudFormation stack using the template downloaded in step 5, updating the `GithubBranch` to the latest release (eg. `release/v1.2.5`)
+- Update the Installer CloudFormation stack using the template downloaded in step 5, updating the `GithubBranch` to the latest release (eg. `release/v1.3.1`)
   - Go to AWS CloudFormation and select the stack: `PBMMAccel-what-you-provided`
   - Select Update, select Replace current template, Select Upload a template file
   - Select Choose File and select the template you downloaded in step 5 (`AcceleratorInstallerXYZ.template.json`)
   - Select Next, Update `GithubBranch` parameter to `release/vX.Y.Z` where X.Y.Z represents the latest release
   - Click Next, Next, I acknowledge, Update
+  - Wait for the CloudFormation stack to update (`Update_Complete` status) (Requires manual refresh)
 - Go To Code Pipeline and Release the PBMMAccel-InstallerPipeline
 
 # 4. Existing Organizations / Accounts

reference-artifacts/SAMPLE_CONFIGS/config.example.json

@@ -25,6 +25,7 @@
     "supported-regions": [
       "ap-northeast-1",
       "ap-northeast-2",
+      "ap-northeast-3",
       "ap-south-1",
       "ap-southeast-1",
       "ap-southeast-2",
@@ -48,17 +49,17 @@
     "central-security-services": {
       "account": "security",
       "region": "${HOME_REGION}",
-      "security-hub-excl-regions": [],
+      "security-hub-excl-regions": ["ap-northeast-3"],
       "guardduty": true,
-      "guardduty-excl-regions": [],
+      "guardduty-excl-regions": ["ap-northeast-3"],
       "guardduty-s3": true,
-      "guardduty-s3-excl-regions": [],
+      "guardduty-s3-excl-regions": ["ap-northeast-3"],
       "cwl": true,
       "access-analyzer": true,
       "config-excl-regions": [],
       "config-aggr-excl-regions": [],
       "macie": true,
-      "macie-excl-regions": [],
+      "macie-excl-regions": ["ap-northeast-3"],
       "macie-frequency": "FIFTEEN_MINUTES"
     },
     "central-operations-services": {
@@ -568,9 +569,7 @@
         {
           "name": "EC2-INSTANCE-PROFILE-PERMISSIONS",
           "type": "custom",
-          "resource-types": [
-            "AWS::IAM::Role"
-          ],
+          "resource-types": ["AWS::IAM::Role"],
           "runtime": "nodejs12.x",
           "parameters": {
             "AWSManagedPolicies": "AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess, CloudWatchAgentServerPolicy",
@@ -2083,7 +2082,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -2641,7 +2640,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -3226,7 +3225,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -3811,7 +3810,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -4396,7 +4395,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -4948,7 +4947,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",

reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json

@@ -25,6 +25,7 @@
     "supported-regions": [
       "ap-northeast-1",
       "ap-northeast-2",
+      "ap-northeast-3",
       "ap-south-1",
       "ap-southeast-1",
       "ap-southeast-2",
@@ -48,17 +49,17 @@
     "central-security-services": {
       "account": "security",
       "region": "${HOME_REGION}",
-      "security-hub-excl-regions": [],
+      "security-hub-excl-regions": ["ap-northeast-3"],
       "guardduty": true,
-      "guardduty-excl-regions": [],
+      "guardduty-excl-regions": ["ap-northeast-3"],
       "guardduty-s3": true,
-      "guardduty-s3-excl-regions": [],
+      "guardduty-s3-excl-regions": ["ap-northeast-3"],
       "cwl": true,
       "access-analyzer": true,
       "config-excl-regions": [],
       "config-aggr-excl-regions": [],
       "macie": true,
-      "macie-excl-regions": [],
+      "macie-excl-regions": ["ap-northeast-3"],
       "macie-frequency": "FIFTEEN_MINUTES"
     },
     "central-operations-services": {
@@ -568,9 +569,7 @@
         {
           "name": "EC2-INSTANCE-PROFILE-PERMISSIONS",
           "type": "custom",
-          "resource-types": [
-            "AWS::IAM::Role"
-          ],
+          "resource-types": ["AWS::IAM::Role"],
           "runtime": "nodejs12.x",
           "parameters": {
             "AWSManagedPolicies": "AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess, CloudWatchAgentServerPolicy",
@@ -2020,7 +2019,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -2578,7 +2577,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -3163,7 +3162,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -3748,7 +3747,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -4333,7 +4332,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",

reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json

@@ -26,6 +26,7 @@
     "supported-regions": [
       "ap-northeast-1",
       "ap-northeast-2",
+      "ap-northeast-3",
       "ap-south-1",
       "ap-southeast-1",
       "ap-southeast-2",
@@ -49,17 +50,17 @@
     "central-security-services": {
       "account": "security",
       "region": "${HOME_REGION}",
-      "security-hub-excl-regions": [],
+      "security-hub-excl-regions": ["ap-northeast-3"],
       "guardduty": true,
-      "guardduty-excl-regions": [],
+      "guardduty-excl-regions": ["ap-northeast-3"],
       "guardduty-s3": true,
-      "guardduty-s3-excl-regions": [],
+      "guardduty-s3-excl-regions": ["ap-northeast-3"],
       "cwl": true,
       "access-analyzer": true,
       "config-excl-regions": [],
       "config-aggr-excl-regions": [],
       "macie": true,
-      "macie-excl-regions": [],
+      "macie-excl-regions": ["ap-northeast-3"],
       "macie-frequency": "FIFTEEN_MINUTES"
     },
     "central-operations-services": {
@@ -573,9 +574,7 @@
         {
           "name": "EC2-INSTANCE-PROFILE-PERMISSIONS",
           "type": "custom",
-          "resource-types": [
-            "AWS::IAM::Role"
-          ],
+          "resource-types": ["AWS::IAM::Role"],
           "runtime": "nodejs12.x",
           "parameters": {
             "AWSManagedPolicies": "AmazonSSMManagedInstanceCore, AmazonSSMDirectoryServiceAccess, CloudWatchAgentServerPolicy",
@@ -589,7 +588,7 @@
             "CustomerManagedPolicies": ["${SEA::EC2InstaceProfilePermissions}"],
             "ResourceId": "RESOURCE_ID"
           }  
-        }
+        },
         {
           "name": "ELB_LOGGING_ENABLED",
           "remediation-action": "SSM-ELB-Enable-Logging",
@@ -2575,7 +2574,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -3133,7 +3132,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -3718,7 +3717,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -4303,7 +4302,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -4888,7 +4887,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",
@@ -5711,7 +5710,7 @@
       ],
       "aws-config": [
         {
-          "excl-regions": [],
+          "excl-regions": ["ap-northeast-3"],
           "rules": [
             "EC2-INSTANCE-PROFILE",
             "EC2-INSTANCE-PROFILE-PERMISSIONS",

reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json

@@ -38,6 +38,10 @@
         "ec2:DisassociateRouteTable",
         "ec2:AllocateAddress",
         "ec2:AssociateAddress",
+        "ec2:ModifyImageAttribute",
+        "ec2:ModifySnapshotAttribute",
+        "rds:ModifyDBSnapshotAttribute",
+        "rds:ModifyDBClusterSnapshotAttribute",
         "globalaccelerator:Create*",
         "globalaccelerator:Update*",
         "kms:ScheduleKeyDeletion",