sample-cf
A sample AWS CloudFormation template
control-tower-client-vpc.yaml
Example of VPC template to replace default VPC created by Control Tower. This is loosely based on the VPC template used by the Landing Zones solution. It creates one public and two private subnets, each divided between two AZs, as well as an Internet Gateway for the public subnet and a VPC Flow Log. Actual VPC CIDR assignment and subnet IPs are parameterized. This is intended for use as a StackSet to deploy to multiple client accounts, wherein each client account gets a different parameter set to define it's VPC IP range.
GuardDutyMasterExecutionRole.yml
For deployment into all accounts that will run GuardDuty and report findings back to the Master account. This can be deployed via StackSets from the Master (assuming you have the necessary StackSet execution roles created on Master and client accounts). This allows the GuardyDuty setup script to assume role into the client accounts through the Master account in order to enable GuardDuty in the clients and accept the invitation from the Master.
EventBridgeRulesAndSNSTopics.yml
This CFN template creates two Event rules and associated SNS topics. It is intended for deployment in the Master Organization account. One rule captures a 'CreateAccountResult' event from an Organization, which happens shortly after a new account is created in the Org. It sends the Event JSON to SNS, where it can then be accessed by a Lambda function for further action. In the Control Tower context, the 'MoveAccount' event is more useful, as it happens further along in the account provisioning sequence, and the event it generates can be used to determine OU-based provisioning items, such as applying different Config Rules depending on which OU an account is moved into.