Various fixes-access-analyzer-FW-Docs (#776)

* Update instance.ts

prettier

fix empty firewall license value

* Create object-naming.md

* fix-access-analyzer

* Update known issues

* Update README.md

Author: Brian969

docs/installation/installation.md

@@ -268,6 +268,8 @@ If deploying to an internal AWS employee account, to successfully install the so
 Current Issues:
 
 - Occasionally CloudFormation fails to return a completion signal. After the credentials eventually fail (1 hr), the state machine fails. Simply rerun the state machine.
+- In v1.3.5 new deployments the State Machine fails in Phase 1 on a GuardDuty delegated admin issue which causes the stack to rollback and then causes an issue with Macie. In the Organization Management account, in every 'supported-region' defined in the config file, check for the existance of a completed Phase 1 stack. If the Phase 1 stack does NOT exist in the region, disable or ensure the Macie Delegated Admin account is removed from Macie for that region. If the Phase 1 stack exists, Macie Delegated Admin should be and remain enabled. Once validated for all regions, rerun the state machine.
+- In v1.3.6 the Macie issue from v1.3.5 has been resolved, but Guardduty continues to cause the state machine to fail. Simply rerun the state machine. We are working on a fix.
 
 Issues in Older Releases:
 

docs/installation/object-naming.md

@@ -0,0 +1,58 @@
+### Accelerator Object Naming
+
+- Resources will have the 'Name' tag assigned, where Name={name}{suffix}
+  - No prefix or suffix will be applied to DNS records/zones (as that breaks them)
+  - When \_ is not supported, a - will be used
+- Stacks/stacksets/functions and **_non-end user_** accessed objects deployed in all accounts will also start with the {AcceleratorPrefix} prefix (i.e. "**_PBMMAccel-_**" or "**_ASEA-_**")
+  - The prefix does not apply to objects like VPC's, subnets, or TGW's which customers need to directly access. This is for objects deployed to build the customer accessible objects
+  - This prefix will be protected by SCP's so customers don't break 'managed' features
+- Resources will have the tag 'Accelerator={AcceleratorName}' assigned when tags are supported
+- Stacks will have the tag 'AcceleratorName={AcceleratorName}' assigned, which will often (but not always) be inherited by objects created by the stack (due to TGW duplicate tag issue)
+
+### Defaults
+
+    - the default {AcceleratorName} is 'PBMM' before v1.5.0 and 'ASEA' after v1.5.0
+    - the default {AcceleratorPrefix} is 'PBMMAccel-' before v1.5.0 and 'ASEA-' after v1.5.0
+
+### **_Suffix's_**
+
+| suffix    | object type               |
+| --------- | ------------------------- |
+| \_vpc     | VPC                       |
+| \_azN_net | Subnet                    |
+| \_azN_rt  | RouteTable                |
+| \_tgw     | Transit Gateway           |
+| \-key     | KMS key                   |
+| \_pcx     | Peering Connection        |
+| \_sg      | Security Group            |
+| \_nacl    | NACL                      |
+| \_alb     | Application Load Balancer |
+| \_nlb     | Network Load Balancer     |
+| \_agw     | Appliance Gateway         |
+| \_vpce    | VPC Endpoint              |
+| \_AMI     | AMI                       |
+| \_dhcp    | DHCP option set           |
+| \_snap    | snapshot                  |
+| \_ebs     | Block storage             |
+| \_igw     | internet gateway          |
+| \_lgw     | Local gateway             |
+| \_nat     | NAT gateway               |
+| \_vpg     | Virtual private gateway   |
+| \_cgw     | Customer gateway          |
+| \_vpn     | VPN Connection            |
+| \_sm      | Step Functions            |
+| \_rule    | CW Event Rule             |
+| \_pl      | CodeBuild                 |
+
+### **_No Suffix_**
+
+| suffix | object type            |
+| ------ | ---------------------- |
+| None   | Stacks                 |
+| None   | CFN_Stack_Sets         |
+| None   | Lambda                 |
+| None   | Cloud Trails           |
+| None   | CWL Groups             |
+| None   | Config Rules           |
+| None   | OU                     |
+| None   | Service Control Policy |

reference-artifacts/Custom-Scripts/SEA-uninstall/README.md

@@ -66,20 +66,31 @@ The logic of the script is the following:
 
 ## Instructions
 
-1. Paste AWS temporary credentials (or set AWS_PROFILE) into the command terminal that will execute the script and set AWS_DEFAULT_REGION.
+~~Paste AWS temporary credentials (or set AWS_PROFILE) into the command terminal that will execute the script and set AWS_DEFAULT_REGION.~~
 
-2. Install the python3 required libaries (ex: `pip3 install -r requirements.txt`)
+1. Log into the AWS console as a Full Administrator to the Organization Management account.
+2. Start a CloudShell session.
+3. Copy the files from this folder and your `config.json` to the CloudShell session;
+   - ensure the management account name is properly reflected in the config file, or the script will fail;
+   - the script does not handle the use of the {HOME_REGION} variable (at this time), replace all occurances with the actual name of the home region (i.e. ca-central-1).
+4. Install the python3 required libaries (ex: `pip3 install -r requirements.txt`).
+5. Make the Python script executable (ex: `chmod +x aws-sea-cleanup.py`).
 
-3. Before running this script you must manually delete AWS SSO.
+6. Before running this script you must manually delete AWS SSO.
 
-4. Execute the script `python3 aws-sea-cleanup.py`.
+7. Execute the script `python3 aws-sea-cleanup.py`, a stacks.json should be generated.
 
 **Note: ** if you used a different AcceleratorPrefix you can use `python3 aws-sea-cleanup.py --AcceleratorPrefix YOUR_ACCELERATOR_PREFIX`.
 
-5. Manual steps (in the Organization Management account):
+7. Execute the script `python3 aws-sea-cleanup.py`, it should delete/cleanup your environment.
+
+   - if the script fails with an `Explicit Denied` error messages, manually remove all SCP's from all OU's and accounts from within AWS Organizations
+   - this requires first disabling the CloudWatch Event Rule, or the policies will auto re-attach
+
+8. Manual steps (in the Organization Management account):
    - In Secrets Manager, set the Secret `accelerator/config/last-successful-commit` to an empty string;
    - In DynamoDB, delete the 3 `PBMMAccel-*` tables;
-   - In Systems Manager Parameter Store, delete the `/accelerator/version` parameter;
+   - In Systems Manager Parameter Store, delete the `/accelerator/version` and `/accelerator/first-version` parameters;
    - In CodeCommit, delete the repository `PBMMAccel-Config-Repo`.
 
 ## Considerations
@@ -88,7 +99,7 @@ The logic of the script is the following:
 
    a. Certificates in ACM
 
-   b. The initial CDK bootstrap CloudFormation Stack (`CDKToolkit`)
+   b. The initial CDK bootstrap CloudFormation Stack (`PBMMAccel-CDKToolkit`) and `ASEA-CloudFormationStackSetExecutionRole` stack
 
    c. CDK S3 buckets (`cdktoolkit-stagingbucket-*`)
 

reference-artifacts/SCPs/ASEA-Guardrails-Sandbox.json

@@ -39,6 +39,7 @@
       "Effect": "Deny",
       "NotAction": [
         "a4b:*",
+        "access-analyzer:ValidatePolicy",
         "aws-marketplace-management:*",
         "aws-marketplace:*",
         "aws-portal:*",

reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json

@@ -99,6 +99,7 @@
       "NotAction": [
         "a4b:*",
         "acm:*",
+        "access-analyzer:ValidatePolicy",
         "aws-marketplace-management:*",
         "aws-marketplace:*",
         "aws-portal:*",

reference-artifacts/SCPs/ASEA-Guardrails-Unclass.json

@@ -78,6 +78,7 @@
       "Effect": "Deny",
       "NotAction": [
         "a4b:*",
+        "access-analyzer:ValidatePolicy",
         "aws-marketplace-management:*",
         "aws-marketplace:*",
         "aws-portal:*",

src/lib/cdk-constructs/src/firewall/instance.ts

@@ -106,7 +106,7 @@ export class FirewallInstance extends cdk.Construct {
             bucket: configuration.bucket.bucketName,
             region: configuration.bucketRegion,
             config: `/${configuration.configPath}`,
-            license: `/${props.licensePath}`,
+            license: props.licensePath ? `/${props.licensePath}` : '',
           },
           null,
           2,