Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
aws-sample-cf/README.md
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
30 lines (27 sloc)
1.77 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sample-cf | |
| A sample AWS CloudFormation template | |
| ## control-tower-client-vpc.yaml | |
| Example of VPC template to replace default VPC created by Control Tower. This is | |
| loosely based on the VPC template used by the Landing Zones solution. It creates | |
| one public and two private subnets, each divided between two AZs, as well as an | |
| Internet Gateway for the public subnet and a VPC Flow Log. Actual VPC CIDR | |
| assignment and subnet IPs are parameterized. This is intended for use as a StackSet | |
| to deploy to multiple client accounts, wherein each client account gets a different | |
| parameter set to define it's VPC IP range. | |
| ## GuardDutyMasterExecutionRole.yml | |
| For deployment into all accounts that will run GuardDuty and report findings back | |
| to the Master account. This can be deployed via StackSets from the Master (assuming | |
| you have the necessary StackSet execution roles created on Master and client accounts). | |
| This allows the GuardyDuty setup script to assume role into the client accounts through | |
| the Master account in order to enable GuardDuty in the clients and accept the | |
| invitation from the Master. | |
| ## EventBridgeRulesAndSNSTopics.yml | |
| This CFN template creates two Event rules and associated SNS topics. It is intended | |
| for deployment in the Master Organization account. One rule captures | |
| a 'CreateAccountResult' event from an Organization, which happens shortly after a | |
| new account is created in the Org. It sends the Event JSON to SNS, where it can then be | |
| accessed by a Lambda function for further action. In the Control Tower context, the | |
| 'MoveAccount' event is more useful, as it happens further along in the account | |
| provisioning sequence, and the event it generates can be used to determine | |
| OU-based provisioning items, such as applying different Config Rules depending on | |
| which OU an account is moved into. |