trendmicro/cloudone-conformity-controltower-lifecycle
Cloud One Conformity Control Tower lifecycle implementation guide

Cloud One Conformity helps you to continuously improve your security and compliance posture for AWS infrastructure through automated checks and clear remediation steps.

This guide describes how to integrate Cloud One Conformity provisioning with AWS Control Tower so that every account created through the Control Tower Account Factory is automatically enrolled in Cloud One Conformity, giving centralized visibility into potential misconfigurations before any services have been provisioned in the new account.

Overview

The Lifecycle Hook solution provides a CloudFormation template which, when launched in the Control Tower Master Account, deploys the AWS infrastructure needed for Conformity to monitor each Account Factory AWS account automatically. The solution consists of two Lambda functions: one that manages the cross-account role and accesses Conformity, and another that manages the lifecycle of the first. AWS Secrets Manager is used to store the Conformity API key in the Master account, and a CloudWatch Events rule triggers the customization Lambda whenever a Control Tower account is successfully deployed.

Usage

You will first need to generate an API key for Conformity and note the region endpoint of your Conformity organization. Once you have recorded these items, log in to the Control Tower master AWS account and launch the lifecycle template. Select the AWS region of your Control Tower deployment, then enter the Conformity ApiKey, select your Conformity endpoint region, and continue through the wizard to launch the stack. On the last page of the wizard, be sure to select the checkbox acknowledging that this template may create IAM resources.

Implementation

During stack launch, the lifecycle Lambda is executed once for each existing Control Tower account, including the Control Tower Master, Audit, and Log accounts. After launch, a CloudWatch Events rule triggers the lifecycle Lambda for each successful Control Tower CreateManagedAccount event. The lifecycle Lambda function retrieves the Conformity ApiKey from AWS Secrets Manager, then obtains the External ID for your organization from the Conformity API. Next, the function assumes the ControlTowerExecution role in the target Managed Account in order to create the necessary cross-account role and its associated policy. Finally, it calls the Conformity API to add the Managed Account to your Conformity organization.
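The two security-relevant pieces of that flow, as an added example that is not the project's own Lambda code: filtering the CloudWatch event so only a succeeded CreateManagedAccount triggers enrollment, and building the cross-account role's trust policy so that only the Conformity account, presenting the organization's External ID, can assume it. The Conformity AWS account ID and External ID below are constructed placeholders; the event shape follows the documented Control Tower lifecycle event.

```python
import json

# Constructed sample of a Control Tower lifecycle event (placeholder account ID).
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "state": "SUCCEEDED",
                "account": {"accountId": "111122223333", "accountName": "example"},
            }
        },
    },
}


def is_successful_create_managed_account(event: dict) -> bool:
    """True only for a CreateManagedAccount event whose state is SUCCEEDED."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return False
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    return status.get("state") == "SUCCEEDED"


def managed_account_id(event: dict) -> str:
    """Extract the newly created account's ID from the lifecycle event."""
    return event["detail"]["serviceEventDetails"]["createManagedAccountStatus"]["account"]["accountId"]


def conformity_trust_policy(conformity_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role: only the Conformity account may
    assume it, and only when it presents the organization's External ID
    (the standard guard against the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{conformity_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_requires_external_id(policy: dict) -> bool:
    """Check that every Allow statement granting sts:AssumeRole carries an sts:ExternalId condition."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" in actions or "sts:*" in actions or "*" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not cond.get("sts:ExternalId"):
                return False
    return True


if __name__ == "__main__":
    if is_successful_create_managed_account(SAMPLE_EVENT):
        policy = conformity_trust_policy("123456789012", "EXTERNAL-ID-PLACEHOLDER")
        print(managed_account_id(SAMPLE_EVENT), json.dumps(policy, indent=2))
```

The `trust_policy_requires_external_id` check is the one to run against an already-deployed role (for example after an upgrade) to confirm the External ID condition has not been dropped.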

Upgrade

As new rules are added to Conformity, it may occasionally be necessary to update the permissions of the application's cross-account role. To update the role deployed by the lifecycle hook, update the Conformity stack with the latest template, which can be found at its original URL. The parameter values should not be changed from their original values unless directed by Trend Micro Support. Updating the CloudFormation stack updates the role used by all existing accounts as well as the role created for future enrollments.

Removal

To remove the lifecycle hook, identify and delete its CloudFormation stack. Protection for Managed Accounts that have already been added remains in place. For details on removing an account subscription from Conformity, see the help documentation.
