runbooks 0.2.5__py3-none-any.whl → 0.6.1__py3-none-any.whl

runbooks/cfat/docs/cfat.txt

@@ -0,0 +1,335 @@
+Cloud Foundation Assessment Tool
+Generated on: Mon, 22 Jul 2024 20:00:52 GMT 
+
+
+Incomplete Requirements:
+    INCOMPLETE: Config Recorder in Management Account configured
+    INCOMPLETE: Config Delivery Channel in Management Account configured
+
+====================================
+
+Foundation Status: INCOMPLETE
+Estimate of Required Level of Effort (LOE): 4 hours
+CFAT Score: 133 out of 158
+
+====================================
+
+Foundation Checks:
+┌─────────┬────────────────────────────────────────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────┬──────────────┬──────────┬────────┬─────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
+│ (index) │                           check                            │                                        description                                        │    status    │ required │ weight │ loe │                                                                 remediationLink                                                                 │
+├─────────┼────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────┼──────────────┼──────────┼────────┼─────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
+│    0    │                 'AWS Organization created'                 │                              'AWS Organization is enabled.'                               │  'complete'  │   true   │   6    │  1  │                                             'https://aws.amazon.com/organizations/getting-started/'                                             │
+│    1    │                'Management Account created'                │                             'AWS Management account exists.'                              │  'complete'  │   true   │   6    │  1  │                                'https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-creating.html'                                │
+│    2    │           'Management Account IAM users removed'           │                    'IAM Users should not exist in Management Account.'                    │  'complete'  │  false   │   4    │  1  │                            'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting'                            │
+│    3    │         'Management Account EC2 instances removed'         │                  'EC2 Instances should not exist in Management Account.'                  │ 'incomplete' │  false   │   4    │  1  │                                'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html'                                 │
+│    4    │             'Management Account VPCs removed'              │                      'Management Account should not have any VPCs.'                       │ 'incomplete' │  false   │   4    │  1  │       'https://github.com/cloud-foundations-on-aws/cloud-foundations-templates/blob/main/network/network-default-vpc-deletion/README.md'        │
+│    5    │                 'CloudTrail Trail created'                 │                    'CloudTrail should be enabled within the account.'                     │  'complete'  │   true   │   6    │  3  │                          'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html'                          │
+│    6    │         'CloudTrail Organization Service enabled'          │                    'CloudTrail should be enabled on the Organization.'                    │  'complete'  │   true   │   6    │  1  │                    'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudtrail.html'                     │
+│    7    │              'CloudTrail Org Trail deployed'               │              'At least one CloudTrail Organization Trail should be enabled.'              │  'complete'  │   true   │   6    │  1  │                          'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html'                          │
+│    8    │     'Config Recorder in Management Account configured'     │              'Config Recorder in the Management Account should be enabled.'               │ 'incomplete' │   true   │   6    │  2  │            'https://aws.amazon.com/blogs/mt/managing-aws-organizations-accounts-using-aws-config-and-aws-cloudformation-stacksets/'             │
+│    9    │ 'Config Delivery Channel in Management Account configured' │            'Config Delivery Channel in Management Account should be enabled.'             │ 'incomplete' │   true   │   6    │  2  │            'https://aws.amazon.com/blogs/mt/managing-aws-organizations-accounts-using-aws-config-and-aws-cloudformation-stacksets/'             │
+│   10    │            'CloudFormation StackSets activated'            │       'CloudFormation StackSets should be activated in the CloudFormation console.'       │ 'incomplete' │  false   │   5    │  1  │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html#integrate-enable-ta-cloudformation' │
+│   11    │          'GuardDuty Organization service enabled'          │                   'GuardDuty Organization services should be enabled.'                    │  'complete'  │  false   │   4    │  1  │      'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html#integrate-enable-ta-guardduty'      │
+│   12    │             'RAM Organization service enabled'             │ 'Resource Access Manager (RAM) trusted access should be enabled in the AWS Organization.' │  'complete'  │  false   │   4    │  1  │            'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-ram.html#integrate-enable-ta-ram'            │
+│   13    │        'Security Hub Organization service enabled'         │         'Security Hub trusted access should be enabled in the AWS Organization.'          │  'complete'  │  false   │   4    │  1  │    'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-securityhub.html#integrate-enable-ta-securityhub'    │
+│   14    │     'IAM Access Analyzer Organization service enabled'     │      'IAM Access Analyzer trusted access should be enabled in the AWS Organization.'      │  'complete'  │  false   │   4    │  1  │                'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling'                 │
+│   15    │           'Config Organization service enabled'            │          'AWS Config trusted access should be enabled in the AWS Organization.'           │  'complete'  │  false   │   4    │  1  │         'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html#integrate-enable-ta-config'         │
+│   16    │       'CloudFormation Organization service enabled'        │        'CloudFormation trusted access should be enabled in the AWS Organization.'         │  'complete'  │  false   │   5    │  1  │                  'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html'                   │
+│   17    │           'Top-level Infrastructure OU deployed'           │                        'Top-level Infrastructure OU should exist.'                        │  'complete'  │  false   │   5    │  2  │                                   'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                    │
+│   18    │              'Top-level Security OU deployed'              │                           'Top-level Security OU should exist.'                           │  'complete'  │   true   │   6    │  2  │                                   'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                    │
+│   19    │             'Top-level Workloads OU deployed'              │                          'Top-level Workloads OU should exist.'                           │  'complete'  │  false   │   5    │  2  │                                   'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                    │
+│   20    │           'IAM IdC Organization service enabled'           │      'IAM Identity Center trusted access should be enabled in the AWS Organization'       │  'complete'  │   true   │   6    │  1  │                               'https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html'                               │
+│   21    │                    'IAM IdC configured'                    │                        'IAM Identity Center should be configured.'                        │  'complete'  │   true   │   6    │  3  │                                   'https://docs.aws.amazon.com/singlesignon/latest/userguide/tutorials.html'                                    │
+│   22    │             'Service Control Policies enabled'             │          'Service Control Policy should be enabled within the AWS Organization.'          │  'complete'  │   true   │   6    │  1  │                      'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                      │
+│   23    │             'Organization Tag Policy enabled'              │                'Tag Policy should be enabled within the AWS Organization.'                │  'complete'  │   true   │   6    │  1  │                      'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                      │
+│   24    │            'Organization Backup Policy enabled'            │              'Backup Policy should be enabled within the AWS Organization.'               │  'complete'  │  false   │   5    │  1  │                      'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                      │
+│   25    │                  'Control Tower deployed'                  │                            'Control Tower should be deployed.'                            │  'complete'  │   true   │   6    │  6  │                                   'https://catalog.workshops.aws/control-tower/en-US/prerequisites/deploying'                                   │
+│   26    │               'Control Tower latest version'               │                       'Control Tower should be the latest version.'                       │  'complete'  │  false   │   5    │  2  │                              'https://docs.aws.amazon.com/controltower/latest/userguide/update-controltower.html'                               │
+│   27    │                'Control Tower not drifted'                 │                          'Control Tower should not be drifted.'                           │  'complete'  │   true   │   6    │  2  │                                 'https://docs.aws.amazon.com/controltower/latest/userguide/resolve-drift.html'                                  │
+│   28    │               'Log Archive account deployed'               │                            'Log Archive account should exist.'                            │  'complete'  │   true   │   6    │  2  │                          'https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-from-console.html'                          │
+│   29    │                  'Audit account deployed'                  │                      'Audit/Security Tooling account should exist.'                       │  'complete'  │   true   │   6    │  2  │                          'https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-from-console.html'                          │
+└─────────┴────────────────────────────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────┴──────────────┴──────────┴────────┴─────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
+
+
+Start Detailed Report:
+
+
+*********************************************************
+                   MANAGEMENT ACCOUNT
+*********************************************************
+
+AWS ACCOUNT TYPE
+
+  Is in AWS Organization: true
+  Assessing AWS Management Account: true
+
+IAM USERS CHECK
+
+  No IAM Users found.
+
+EC2 INSTANCE CHECK
+
+  No EC2 instances found.
+
+VPC CHECK
+
+  ap-south-1 - found VPC(s).
+  eu-north-1 - found VPC(s).
+  eu-west-3 - found VPC(s).
+  eu-west-2 - found VPC(s).
+  eu-west-1 - found VPC(s).
+  ap-northeast-3 - found VPC(s).
+  ap-northeast-2 - found VPC(s).
+  ap-northeast-1 - found VPC(s).
+  ca-central-1 - found VPC(s).
+  sa-east-1 - found VPC(s).
+  ap-southeast-1 - found VPC(s).
+  ap-southeast-2 - found VPC(s).
+  eu-central-1 - found VPC(s).
+  us-east-1 - found VPC(s).
+  us-east-2 - found VPC(s).
+  us-west-1 - found VPC(s).
+  us-west-2 - found VPC(s).
+
+AWS CONFIG CHECK
+
+  No AWS Config resource discovered
+
+MANAGEMENT ACCOUNT TASKS:
+  Delete VPC in ap-south-1 - Management Account - Delete any unnecessary VPC in ap-south-1 to include the default VPC.
+  Delete VPC in eu-north-1 - Management Account - Delete any unnecessary VPC in eu-north-1 to include the default VPC.
+  Delete VPC in eu-west-3 - Management Account - Delete any unnecessary VPC in eu-west-3 to include the default VPC.
+  Delete VPC in eu-west-2 - Management Account - Delete any unnecessary VPC in eu-west-2 to include the default VPC.
+  Delete VPC in eu-west-1 - Management Account - Delete any unnecessary VPC in eu-west-1 to include the default VPC.
+  Delete VPC in ap-northeast-3 - Management Account - Delete any unnecessary VPC in ap-northeast-3 to include the default VPC.
+  Delete VPC in ap-northeast-2 - Management Account - Delete any unnecessary VPC in ap-northeast-2 to include the default VPC.
+  Delete VPC in ap-northeast-1 - Management Account - Delete any unnecessary VPC in ap-northeast-1 to include the default VPC.
+  Delete VPC in ca-central-1 - Management Account - Delete any unnecessary VPC in ca-central-1 to include the default VPC.
+  Delete VPC in sa-east-1 - Management Account - Delete any unnecessary VPC in sa-east-1 to include the default VPC.
+  Delete VPC in ap-southeast-1 - Management Account - Delete any unnecessary VPC in ap-southeast-1 to include the default VPC.
+  Delete VPC in ap-southeast-2 - Management Account - Delete any unnecessary VPC in ap-southeast-2 to include the default VPC.
+  Delete VPC in eu-central-1 - Management Account - Delete any unnecessary VPC in eu-central-1 to include the default VPC.
+  Delete VPC in us-east-1 - Management Account - Delete any unnecessary VPC in us-east-1 to include the default VPC.
+  Delete VPC in us-east-2 - Management Account - Delete any unnecessary VPC in us-east-2 to include the default VPC.
+  Delete VPC in us-west-1 - Management Account - Delete any unnecessary VPC in us-west-1 to include the default VPC.
+  Delete VPC in us-west-2 - Management Account - Delete any unnecessary VPC in us-west-2 to include the default VPC.
+
+*********************************************************
+                    GOVERNANCE
+*********************************************************
+
+AWS ORGANIZATION POLICY TYPES
+
+  Service Control Policies (SCP) enabled: true
+  Tag Policies enabled: true
+  Backup Policies enabled: true
+
+AWS ORGANIZATION CLOUDFORMATION
+
+  AWS CloudFormation Organization stack sets status : ENABLED
+
+CLOUDTRAIL CHECK
+
+  CloudTrail found in us-west-2
+    Is Organization Trail: true
+    Is MultiRegion: true
+
+
+GOVERNANCE SERVICES ENABLED IN AWS ORGANIZATION:
+
+  AWS CloudTrail
+  AWS Config
+
+GOVERNANCE TASKS:
+
+*********************************************************
+                FINANCIAL MANAGEMENT
+*********************************************************
+
+Legacy CUR
+  Is legacy CUR setup: false
+
+CLOUD FINANCIAL MANAGEMENT TASKS:
+  Setup legacy CUR - Cloud Financial Management - Setup legacy CUR in AWS Organization
+
+*********************************************************
+                MULTI-ACCOUNT STRATEGY
+*********************************************************
+
+AWS ORGANIZATION DETAILS
+
+  AWS Organization Id: o-12345abcde
+  AWS Organization ARN: arn:aws:organizations::12345678912:organization/o-12345abcde
+  AWS Organization Root OU Id: r-ab12
+
+AWS ORGANIZATION CLOUDFORMATION
+
+  AWS CloudFormation Organization stack sets status : ENABLED
+
+AWS ORGANIZATION TOP-LEVEL ORGANIZATION UNITS
+
+  List of Organization's top-level OUs and AWS accounts:
+    Organizational Unit: Exceptions
+      Organizational Unit Id: ou-ab12-abch1234
+      AWS Accounts: None
+
+    Organizational Unit: Security
+      Organizational Unit Id: ou-ab12-1234abc
+      AWS Accounts: None
+
+    Organizational Unit: Transitional
+      Organizational Unit Id: ou-ab12-abcl1234
+      AWS Accounts: None
+
+    Organizational Unit: Workloads
+      Organizational Unit Id: ou-ab12-1234vabc
+      AWS Accounts: None
+
+    Organizational Unit: Suspended
+      Organizational Unit Id: ou-ab12-abcc1234
+      AWS Accounts: None
+
+    Organizational Unit: CT Security
+      Organizational Unit Id: ou-ab12-1234rabc
+      AWS Accounts:
+        Log Archive
+        Audit
+
+    Organizational Unit: Infrastructure
+      Organizational Unit Id: ou-ab12-abcn1234
+      AWS Accounts:
+        Shared Resources
+        Identity
+        Network
+
+
+AWS ORGANIZATION MEMBER ACCOUNTS
+
+  Account: Audit
+  Account Email: my-example+ctlab-audit@example.com
+
+  Account: Log Archive
+  Account Email: my-example+ctlab-log-archive@example.com
+
+  Account: Shared Resources
+  Account Email: my-example+ctlab-shared-resources@example.com
+
+  Account: Network
+  Account Email: my-example+ctlab-network@example.com
+
+  Account: Identity
+  Account Email: my-example+ctlab-identity@example.com
+
+  Account: Management
+  Account Email: my-example+ct-lab@aol.com
+
+
+AWS ORGANIZATION ENABLED SERVICES
+
+  The following AWS Services are enabled within your AWS Organization:
+    access-analyzer.amazonaws.com
+    account.amazonaws.com
+    cloudtrail.amazonaws.com
+    config.amazonaws.com
+    controltower.amazonaws.com
+    guardduty.amazonaws.com
+    inspector2.amazonaws.com
+    ipam.amazonaws.com
+    macie.amazonaws.com
+    member.org.stacksets.cloudformation.amazonaws.com
+    ram.amazonaws.com
+    securityhub.amazonaws.com
+    sso.amazonaws.com
+    storage-lens.s3.amazonaws.com
+    tagpolicies.tag.amazonaws.com
+
+AWS ORGANIZATION INTEGRATED SERVICE REGISTERED DELEGATED ADMINS
+
+  Account: Audit
+  Delegated Services:
+    guardduty.amazonaws.com
+    inspector2.amazonaws.com
+    macie.amazonaws.com
+    securityhub.amazonaws.com
+    storage-lens.s3.amazonaws.com
+ 
+  Account: Network
+  Delegated Services:
+    ipam.amazonaws.com
+ 
+  Account: Identity
+  Delegated Services:
+    access-analyzer.amazonaws.com
+    sso.amazonaws.com
+ 
+
+MULTI-ACCOUNT STRATEGY TASKS:
+  Review Account Email Addresses - Multi-Account Strategy - Review Account Email Addresses in AWS Organization
+
+*********************************************************
+                  LANDING ZONE
+*********************************************************
+
+AWS CONTROL TOWER
+
+  Control Tower home region: us-west-2
+  Control Tower status: ACTIVE
+  Control Tower Landing Zone version: 3.3
+  Latest available version: 3.3
+  Drift Status: IN_SYNC
+
+LANDING ZONE TASKS:
+
+*********************************************************
+                    IDENTITY
+*********************************************************
+
+AWS IAM IDENTITY CENTER
+
+  IdC Region: us-west-2
+  IdC ARN: arn:aws:sso:::instance/ssoins-123456789abcdefg
+  IdC Instance Id: d-12345abcde
+
+IDENTITY TASKS:
+
+*********************************************************
+                    SECURITY
+*********************************************************
+
+AWS SECURITY SERVICES ENABLED IN AWS ORGANIZATION:
+
+  AWS GuardDuty
+  AWS Security Hub
+  IAM Access Analyzer
+  Macie
+  Amazon S3 Storage Lens
+  Amazon Inspector
+  AWS CloudTrail
+  AWS Config
+
+SECURITY TASKS:
+  Delegate administration of AWS Config - Security - Delegate administration to AWS Config
+
+*********************************************************
+                    NETWORK
+*********************************************************
+
+NETWORK TASKS:
+
+*********************************************************
+                  OBSERVABILITY
+*********************************************************
+
+OBSERVABILITY TASKS:
+  Delegate administration of AWS Account - Observability - Delegate administration to AWS Account
+
+*********************************************************
+               BACKUP AND RECOVERY
+*********************************************************
+
+BACKUP AND RECOVERY TASKS:
+  Enable AWS Backup - Backup and Recovery - Enable AWS Backup in AWS Organization
+  Delegate administration of AWS Backup - Backup and Recovery - Delegate administration to AWS Backup
+
+
+END REVIEW

runbooks/cfat/docs/jira-import.csv

@@ -0,0 +1,24 @@
+"Summary", "Description", "Status" 
+"cfat - undefined - Delete VPC in ap-south-1", "Delete any unnecessary VPC in ap-south-1 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in eu-north-1", "Delete any unnecessary VPC in eu-north-1 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in eu-west-3", "Delete any unnecessary VPC in eu-west-3 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in eu-west-2", "Delete any unnecessary VPC in eu-west-2 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in eu-west-1", "Delete any unnecessary VPC in eu-west-1 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in ap-northeast-3", "Delete any unnecessary VPC in ap-northeast-3 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in ap-northeast-2", "Delete any unnecessary VPC in ap-northeast-2 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in ap-northeast-1", "Delete any unnecessary VPC in ap-northeast-1 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in ca-central-1", "Delete any unnecessary VPC in ca-central-1 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in sa-east-1", "Delete any unnecessary VPC in sa-east-1 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in ap-southeast-1", "Delete any unnecessary VPC in ap-southeast-1 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in ap-southeast-2", "Delete any unnecessary VPC in ap-southeast-2 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in eu-central-1", "Delete any unnecessary VPC in eu-central-1 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in us-east-1", "Delete any unnecessary VPC in us-east-1 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in us-east-2", "Delete any unnecessary VPC in us-east-2 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in us-west-1", "Delete any unnecessary VPC in us-west-1 to include the default VPC.", "Open" 
+"cfat - undefined - Delete VPC in us-west-2", "Delete any unnecessary VPC in us-west-2 to include the default VPC.", "Open" 
+"cfat - undefined - Setup legacy CUR", "Setup legacy CUR in AWS Organization", "Open" 
+"cfat - undefined - Review account email addresses", "Review Account Email Addresses in AWS Organization", "Open" 
+"cfat - undefined - Delegate administration of AWS Config", "Delegate administration to AWS Config", "Open" 
+"cfat - undefined - Delegate administration of AWS Account management", "Delegate administration to AWS Account contact management", "Open" 
+"cfat - undefined - Enable AWS Backup", "Enable AWS Backup in AWS Organization", "Open" 
+"cfat - undefined - Delegate administration of AWS Backup", "Delegate administration to AWS Backup", "Open"