Tweaks docs for AMI issue and CT latest (#1028)

Brian969 · web-flow · commit e3412cdfd4ed · 2022-08-09T17:10:43.000-04:00
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ A common misconception is that the AWS Secure Environment Accelerator only deplo
 
 Additionally, while the Accelerator is initially responsible for deploying a prescribed architecture, it more importantly allows for organizations to operate, evolve, and maintain their cloud architecture and security controls over time and as they grow, with minimal effort, often using native AWS tools. While the Accelerator helps with the deployment of technical security controls, it’s important to understand that the Accelerator is only part of your security and compliance effort.  We encourage customers to work with their AWS account team, AWS Professional Services or an AWS Partner to determine how to best meet the remainder of your compliance requirements.
 
-The Accelerator is designed to enable customers to upgrade across Accelerator versions while maintaining a customer’s specific configuration and customizations, and without the need for any coding expertise or for Professional Services. Customers have been able to seamlessly upgrade their AWS multi-account environment from the very first Accelerator beta release to the latest release (across more than 50 releases), gaining the benefits of bug fixes and enhancements while having the option to enable new features, without any loss of existing customization or functionality.
+The Accelerator is designed to enable customers to upgrade across Accelerator versions while maintaining a customer’s specific configuration and customizations, and without the need for any coding expertise or for professional services. Customers have been able to seamlessly upgrade their AWS multi-account environment from the very first Accelerator beta release to the latest release (across more than 50 releases), gaining the benefits of bug fixes and enhancements while having the option to enable new features, without any loss of existing customization or functionality.
 
 Specifically the accelerator deploys and manages the following functionality, both at initial accelerator deployment and as new accounts are created, added, or onboarded in a completely automated but customizable manner:
 
@@ -28,23 +28,24 @@ Specifically the accelerator deploys and manages the following functionality, bo
   - Security Tooling
 - Workload Accounts - automated concurrent mass account creation or use AWS organizations to scale one account at a time. These accounts are used to host a customer's workloads and applications.
 - Scalable to 1000's of AWS accounts
-- Supports AWS Organizations nested [ou's](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) and importing existing AWS accounts
+- Supports AWS Organizations nested [OU's](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) and importing existing AWS accounts
 - Performs 'account warming' to establish initial limits, when required
 - Automatically submits limit increases, when required (complies with initial limits until increased)
-- Leverages AWS Control Tower **(NEW)**
+- Leverages AWS Control Tower
 
 ### Creates Networking
 
 - Transit Gateways and TGW route tables (incl. inter-region TGW peering)
 - Centralized and/or Local (bespoke) VPC's
 - Subnets, Route tables, NACLs, Security groups, NATGWs, IGWs, VGWs, CGWs
+- **NEW** Outpost, Local Zone and Wavelength support
 - VPC Endpoints (Gateway and Interface, Centralized or Local)
 - Route 53 Private and Public Zones, Resolver Rules and Endpoints, VPC Endpoint Overloaded Zones
 - All completely and individually customizable (per account, VPC, subnet, or OU)
 - Layout and customize your VPCs, subnets, CIDRs and connectivity the way you want
-- Static or Dynamic **(NEW)** VPC and subnet CIDR assignments
+- Static or Dynamic VPC and subnet CIDR assignments
 - Deletes default VPC's (worldwide)
-- AWS Network Firewall **(NEW)**
+- AWS Network Firewall
 
 ### Cross-Account Object Sharing
 
@@ -70,7 +71,7 @@ Specifically the accelerator deploys and manages the following functionality, bo
 ### Cloud Security Services
 
 - Enables and configures the following AWS services, worldwide w/central designated admin account:
-  - Guardduty w/S3 protection
+  - GuardDuty w/S3 protection
   - Security Hub (Enables designated security standards, and disables individual controls)
   - Firewall Manager
   - CloudTrail w/Insights and S3 data plane logging
@@ -87,11 +88,11 @@ Specifically the accelerator deploys and manages the following functionality, bo
 - Enables account level default EBS encryption and S3 Block Public Access
 - Configures Systems Manager Session Manager w/KMS encryption and centralized logging
 - Configures Systems Manager Inventory w/centralized logging
-- Creates and configures AWS budgets (customizable per ou and per account)
+- Creates and configures AWS budgets (customizable per OU and per account)
 - Imports or requests certificates into AWS Certificate Manager
 - Deploys both perimeter and account level ALB's w/Lambda health checks, certificates and TLS policies
 - Deploys & configures 3rd party firewall clusters and management instances (leverages marketplace)
-  - Gateway Load Balancer w/auto-scaling **(NEW)** and VPN IPSec BGP ECMP deployment options
+  - Gateway Load Balancer w/auto-scaling and VPN IPSec BGP ECMP deployment options
 - Protects Accelerator deployed and managed objects
 - Sets Up SNS Alerting topics (High, Medium, Low, Blackhole priorities)
 - Deploys CloudWatch Log Metrics and Alarms
@@ -111,19 +112,20 @@ Specifically the accelerator deploys and manages the following functionality, bo
   - GuardDuty Findings
   - Macie Discovery results
   - ALB Logs
-  - SSM Inventory **(NEW)**
-  - Security Hub findings **(NEW)**
+  - SSM Inventory 
+  - Security Hub findings
   - SSM Session Logs (also sent to CWL)
   - Resolver Query Logs (also sent to CWL)
-- Email alerting for CloudTrail Metric Alarms, Firewall Manager Events **(NEW)**, Security Hub Findings incl. Guardduty Findings **(NEW)**
+- Email alerting for CloudTrail Metric Alarms, Firewall Manager Events, Security Hub Findings incl. GuardDuty Findings
+- **NEW** Optionally collect Organization and ASEA configuration and metadata in a new restricted log archive bucket
 
 ## Relationship with AWS Landing Zone Solution (ALZ)
 
 The ALZ was an AWS Solution designed to deploy a multi-account AWS architecture for customers based on best practices and lessons learned from some of AWS' largest customers. The AWS Accelerator draws on design patterns from the Landing Zone, and re-uses several concepts and nomenclature, but it is not directly derived from it, nor does it leverage any code from the ALZ. The Accelerator is a standalone solution with no dependence on ALZ.
 
 ## Relationship with AWS Control Tower
 
-The AWS Secure Environment Accelerator now leverages AWS Control Tower! **(NEW)**
+The AWS Secure Environment Accelerator now leverages AWS Control Tower!
 
 With the release of v1.5.0, the AWS Accelerator adds the capability to be deployed on top of AWS Control Tower. Customers get the benefits of the fully managed capabilities of AWS Control Tower combined with the power and flexibility of the Accelerators Networking and Security orchestration.
 
diff --git a/src/mkdocs/docs/index.md b/src/mkdocs/docs/index.md
@@ -33,20 +33,21 @@ Specifically the accelerator deploys and manages the following functionality, bo
 -   Supports AWS Organizations nested [OU's](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) and importing existing AWS accounts
 -   Performs 'account warming' to establish initial limits, when required
 -   Automatically submits limit increases, when required (complies with initial limits until increased)
--   Leverages AWS Control Tower **(NEW)**
+-   Leverages AWS Control Tower
 
 ### 1.2.2. Creates Networking
 
 -   Transit Gateways and TGW route tables (incl. inter-region TGW peering)
 -   Centralized and/or Local (bespoke) VPC's
 -   Subnets, Route tables, NACLs, Security groups, NATGWs, IGWs, VGWs, CGWs
+-   **NEW** Outpost, Local Zone and Wavelength support
 -   VPC Endpoints (Gateway and Interface, Centralized or Local)
 -   Route 53 Private and Public Zones, Resolver Rules and Endpoints, VPC Endpoint Overloaded Zones
 -   All completely and individually customizable (per account, VPC, subnet, or OU)
 -   Layout and customize your VPCs, subnets, CIDRs and connectivity the way you want
--   Static or Dynamic **(NEW)** VPC and subnet CIDR assignments
+-   Static or Dynamic VPC and subnet CIDR assignments
 -   Deletes default VPC's (worldwide)
--   AWS Network Firewall **(NEW)**
+-   AWS Network Firewall
 
 ### 1.2.3. Cross-Account Object Sharing
 
@@ -93,11 +94,11 @@ Specifically the accelerator deploys and manages the following functionality, bo
 -   Imports or requests certificates into AWS Certificate Manager
 -   Deploys both perimeter and account level ALB's w/Lambda health checks, certificates and TLS policies
 -   Deploys & configures 3rd party firewall clusters and management instances (leverages marketplace)
-    -   Gateway Load Balancer w/auto-scaling **(NEW)** and VPN IPSec BGP ECMP deployment options
+    -   Gateway Load Balancer w/auto-scaling and VPN IPSec BGP ECMP deployment options
 -   Protects Accelerator deployed and managed objects
 -   Sets Up SNS Alerting topics (High, Medium, Low, Blackhole priorities)
 -   Deploys CloudWatch Log Metrics and Alarms
--   Deploys customer provided custom config rules (2 provided out-of-box, No EC2 Instance Profile)
+-   Deploys customer provided custom config rules (2 provided out-of-box, no EC2 Instance Profile/Permissions)
 
 ### 1.2.7. Centralized Logging and Alerting
 
@@ -113,19 +114,20 @@ Specifically the accelerator deploys and manages the following functionality, bo
     -   GuardDuty Findings
     -   Macie Discovery results
     -   ALB Logs
-    -   SSM Inventory **(NEW)**
-    -   Security Hub findings **(NEW)**
+    -   SSM Inventory
+    -   Security Hub findings
     -   SSM Session Logs (also sent to CWL)
     -   Resolver Query Logs (also sent to CWL)
--   Email alerting for CloudTrail Metric Alarms, Firewall Manager Events **(NEW)**, Security Hub Findings incl. Guardduty Findings **(NEW)**
+-   Email alerting for CloudTrail Metric Alarms, Firewall Manager Events, Security Hub Findings incl. GuardDuty Findings
+- **NEW** Optionally collect Organization and ASEA configuration and metadata in a new restricted log archive bucket
 
 ## 1.3. Relationship with AWS Landing Zone Solution (ALZ)
 
 The ALZ was an AWS Solution designed to deploy a multi-account AWS architecture for customers based on best practices and lessons learned from some of AWS' largest customers. The AWS Accelerator draws on design patterns from the Landing Zone, and re-uses several concepts and nomenclature, but it is not directly derived from it, nor does it leverage any code from the ALZ. The Accelerator is a standalone solution with no dependence on ALZ.
 
 ## 1.4. Relationship with AWS Control Tower
 
-The AWS Secure Environment Accelerator now leverages AWS Control Tower! **(NEW)**
+The AWS Secure Environment Accelerator now leverages AWS Control Tower!
 
 With the release of v1.5.0, the AWS Accelerator adds the capability to be deployed on top of AWS Control Tower. Customers get the benefits of the fully managed capabilities of AWS Control Tower combined with the power and flexibility of the Accelerators Networking and Security orchestration.
 
diff --git a/src/mkdocs/docs/installation/install.md b/src/mkdocs/docs/installation/install.md
@@ -15,7 +15,7 @@ These installation instructions assume one of the prescribed architectures is be
 -   Management or root AWS Organization account (the AWS Accelerator cannot be deployed in an AWS sub-account)
     -   No additional AWS accounts need to be pre-created before Accelerator installation
 -   If required, a limit increase to support your desired number of new AWS sub-accounts (default limit is 10 sub-accounts)
-    - **recent changes to new AWS account limits are causing accelerator installation failures, please work with your local account team to increase your limits**
+    -   **recent changes to new AWS account limits are causing accelerator installation failures, please work with your local account team to increase your limits**
 -   Valid Accelerator configuration file, updated to reflect your requirements (see below)
 -   Determine your primary or Accelerator `control` or `home` region, this is the AWS region in which you will most often operate
 -   Government of Canada customers are still required to do a standalone installation at this time, please request standalone installation instructions from your Account SA or TAM
@@ -142,7 +142,8 @@ Before installing, you must first:
     - OU and account names can ONLY be customized during initial installation. These values MUST match with the values supplied in the Accelerator config file.
         1. Go to the AWS Control Tower console and click `Set up landing zone`
         2. Select your `home` region (i.e. `ca-central-1`) - the Accelerator home region must match the Control Tower home region
-        3. Select _all_ regions for `Additional AWS Regions for governance`, click `Next`
+        3. Leave the Region deny setting set to `Not enabled` - the Accelerator needs a customized region deny policy
+        4. Select _all_ regions for `Additional AWS Regions for governance`, click `Next`
             - The Control Tower and Accelerator regions MUST be properly aligned
             - If a region is not `governed` by Control Tower, it must NOT be listed in `control-tower-supported-regions`
             - To manage a region requires the region:
@@ -152,15 +153,16 @@ Before installing, you must first:
                 - While we highly recommend guardrail deployment for all AWS enabled by default regions, at minimum
                     - the home region MUST be enabled in Control Tower and must be listed in `control-tower-supported-regions`
                     - both the home-region and ${GBL\*REGION} must be listed in `supported-regions`
-        4. For the `Foundational OU`, leave the default value `Security`
-        5. For the `Additional OU` provide the value `Infrastructure`, click `Next`
-        6. Enter the email addresses for your `Log Archive` and `Audit` accounts, change the `Audit` account name to `Security`, click `Next` - OU and account names can ONLY be customized during initial installation. OU names, account names and email addresses \_must\* match identically with the values supplied in the Accelerator config file.
-        7. Click setup and wait ~60 minutes for the Control Tower installation to complete
-        8. Select `Add or register organizational units`, Click `Add an OU`
-        9. Type `Dev`, click `Add`, wait until the OU is finished provisioning (or it will error)
-        10. Repeat step 9 for each OU (i.e. `Test`, `Prod`, `Central`, `Sandbox`)
-        11. Select `Account factory`, Edit, Subnets: 0, Deselect all regions, click `Save`
-        12. In AWS Organizations, move the Management account from the `root` OU into the `Security` OU
+        5. For the `Foundational OU`, leave the default value `Security`
+        6. For the `Additional OU` provide the value `Infrastructure`, click `Next`
+        7. Enter the email addresses for your `Log Archive` and `Audit` accounts, change the `Audit` account name to `Security`, click `Next` - OU and account names can ONLY be customized during initial installation. OU names, account names and email addresses \_must\* match identically with the values supplied in the Accelerator config file.
+        8. Select `Enabled` for AWS CloudTrail configuration (if not selected), click `Next`
+        9. Click `Set up landing zone` and wait ~60 minutes for the Control Tower installation to complete
+        10. Select `Add or register organizational units`, Click `Add an OU`
+        11. Type `Dev`, click `Add`, wait until the OU is finished provisioning (or it will error)
+        12. Repeat step 9 for each OU (i.e. `Test`, `Prod`, `Central`, `Sandbox`)
+        13. Select `Account factory`, Edit, Subnets: 0, Deselect all regions, click `Save`
+        14. In AWS Organizations, move the Management account from the `root` OU into the `Security` OU
 4. Verify:
     1. AWS Organizations is enabled in `All features` mode
         - if required, navigate to AWS Organizations, click `Create Organization`, `Create Organization`
@@ -365,9 +367,17 @@ If deploying to an internal AWS employee account and installing the solution wit
 
 Current Issues:
 
+-   **NEW 2022-08-07** An issue with the version of cfn-init in the "latest" AWS standard Windows AMI will cause the state machine to fail during a new installation when deploying an RDGW host. RDGW hosts in existing deployments will fail to fully initialize if the state machine is or has been recently run and the auto-scaling group subsequently refreshes the host (default every 7 days).
+
+    -   To temporarily workaround this issue, assume an administrative role in your `operations` account, open Systems Manager Parameter Store, and `Create parameter` with a Name of `/asea/windows-ami` and a value of `ami-0d336ea070bc06fb8` (which is the previous good AMI), accepting the other default values. Update your config file to point to this new parameter by changing `image-path` (under \deployments\mad) to `/asea/windows-ami` instead of `/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base`. Rerun your state machine. If you have an existing RDGW instance it should be terminated to allow the auto-scaling group to redeploy it.
+    -   This config file entry should be reverted and state machine rerun once the next AWS Windows AMI is released (hopefully within the next week) to ensure you are always using the latest Windows AMI.
+
 -   If dns-resolver-logging is enabled, VPC names containing spaces are not supported at this time as the VPC name is used as part of the log group name and spaces are not supported in log group names. By default in many of the sample config files, the VPC name is auto-generated from the OU name using a variable. In this situation, spaces are also not permitted in OU names (i.e. if any account in the OU has a VPC with resolver logging enabled and the VPC is using the OU as part of its name)
+
 -   On larger deployments we are occasionally seeing state machine failures when `Creating Config Recorders`. Simply rerun the state machine with the input of `{"scope": "FULL", "mode": "APPLY"}`.
+
 -   Occasionally CloudFormation fails to return a completion signal. After the credentials eventually fail (1 hr), the state machine fails. Simply rerun the state machine with the input of `{"scope": "FULL", "mode": "APPLY"}`
+
 -   If the State Machine fails on an initial execution of NEW-ACCOUNTS, it must be re-run to target the failed accounts (i.e. with `{"scope": "FULL", "mode": "APPLY"}`) or the new sub-accounts will fail to be properly guardrailed
 
 Issues in Older Releases:
