This repository has been archived by the owner on Oct 15, 2024. It is now read-only.

Protect Control Tower Resources #711

Closed
thebigcosinus opened this issue Nov 18, 2021 · 4 comments

Comments

@thebigcosinus

Hi,

I'm looking for a template to protect accounts in an organization deployed with AWS SSO and Control Tower

Thanks

@james-green-affinity

james-green-affinity commented Dec 1, 2021

There you go

Disclaimer!
Double check this yourself!

```yaml
regions:
  - eu-west-2
  - global

account-blocklist:
  - "00000" #

accounts:
  "0000000": #
    filters:
      CloudFormationStack:
        - type: glob
          value: "*"

      NeptuneSnapshot: # was misspelled "NetpuneSnapshot", which is not a resource type aws-nuke knows
        - type: glob
          value: "*"

      ConfigServiceConfigRule:
        - type: glob
          value: "*"

      IAMRole:
        - type: regex
          value: "aws-controltower-*"
        - type: regex
          value: "AWSControlTowerExecution"
        - type: regex
          value: "AWSReservedSSO_*"
        - "backup"

      IAMRolePolicyAttachment:
        - type: regex
          value: "aws-controltower-*"
        - type: regex
          value: "AWSReservedSSO_*"
        - type: regex # a bare "AWSControlTowerExecution*" string would be an exact match, asterisk included
          value: "AWSControlTowerExecution"
        - "backup"

      IAMRolePolicy:
        - type: regex
          value: "aws-controltower-*"
        - type: regex
          value: "AWSControlTowerExecution"
        - type: regex
          value: "terraform-*"

      ConfigServiceDeliveryChannel:
        - "aws-controltower-BaselineConfigDeliveryChannel"

      ConfigServiceConfigurationRecorder:
        - "aws-controltower-BaselineConfigRecorder"

      CloudTrailTrail:
        - type: glob
          value: "*"

      EC2DHCPOption:
        - type: glob
          value: "*"

      SNSTopic:
        - type: regex
          value: "TopicARN: arn:aws:sns:eu-west-2:000000000000:aws-controltower-SecurityNotifications-*"

      CloudWatchEventsRule:
        - "Rule: aws-controltower-ConfigComplianceChangeEventRule"

      CloudWatchLogsLogGroup:
        - "/aws/lambda/aws-controltower-NotificationForwarder"
        - "aws-controltower/CloudTrailLogs"
        - "/aws/lambda/us-east-1.basicAuth"
        - type: regex
          value: "/aws/rds/*"
        - type: regex
          value: "/ecs/*"

      CloudWatchEventsTarget:
        - type: regex
          value: "Rule: aws-controltower-*"

      SNSSubscription:
        # in a regex a bare "*" only repeats the preceding character, so wildcards are written ".*"
        - type: regex
          value: "Owner: .* ARN: arn:aws:sns:eu-west-2:.*:aws-controltower-.*"

      LambdaFunction:
        - type: regex
          value: "aws-controltower-NotificationForwarder*"

      GuardDutyDetector:
        - type: glob
          value: "*"

      IAMSAMLProvider:
        - type: regex # ".*" so the account id between the colons is matched
          value: "arn:aws:iam::.*:saml-provider/AWSSSO_c0b2c38aa90e902f_DO_NOT_DELETE"

      EFSMountTarget:
        - type: glob
          value: "*"

      AWSBackupRecoveryPoint:
        - type: glob
          value: "*"

      RDSInstance:
        - type: glob
          value: "*"

      NeptuneCluster:
        - type: glob
          value: "*"
```

@mavogel
Contributor

mavogel commented Dec 6, 2021

you might want to use `aws s3 cp s3://aws-nuke-config-retain-control-tower/aws-nuke-config.yaml .` as a baseline and then adapt the values

- either hardcoded
- or dynamically: `yq e '.accounts."PLACEHOLDER".filters.ConfigServiceConfigRule += {"type":"regex","value":".*securityhub.*"}' -i aws-nuke-config.yaml`

@LVSant

LVSant commented Jun 29, 2022

I'd like to contribute what's been working for us.
We use AWS SSO and AWS Control Tower.

```yaml
presets:
  sso:
    filters:
      IAMSAMLProvider:
        - type: "regex"
          value: "AWSSSO_.*_DO_NOT_DELETE"
      IAMRole:
        - type: "glob"
          value: "AWSReservedSSO_*"
      IAMRolePolicyAttachment:
        - type: "glob"
          value: "AWSReservedSSO_*"
  controltower:
    filters:
      CloudTrailTrail:
        - type: "contains"
          value: "aws-controltower"
      CloudWatchEventsRule:
        - type: "contains"
          value: "aws-controltower"
      EC2VPCEndpoint:
        - type: "contains"
          value: "aws-controltower"
      EC2VPC:
        - type: "contains"
          value: "aws-controltower"
      OpsWorksUserProfile:
        - type: "contains"
          value: "AWSControlTowerExecution"
      CloudWatchLogsLogGroup:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTowerBP"
      CloudWatchEventsTarget:
        - type: "contains"
          value: "aws-controltower"
      SNSSubscription:
        - type: "contains"
          value: "aws-controltower"
      SNSTopic:
        - type: "contains"
          value: "aws-controltower"
      EC2Subnet:
        - type: "contains"
          value: "aws-controltower"
      ConfigServiceDeliveryChannel:
        - type: "contains"
          value: "aws-controltower"
      ConfigServiceConfigurationRecorder:
        - type: "contains"
          value: "aws-controltower"
      CloudFormationStack:
        - type: "contains"
          value: "AWSControlTower"
      EC2RouteTable:
        - type: "contains"
          value: "aws-controltower"
      LambdaFunction:
        - type: "contains"
          value: "aws-controltower"
      EC2DHCPOption:
        - type: "contains"
          value: "aws-controltower"
      IAMRole:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTower"
      IAMRolePolicyAttachment:
        - type: "contains"
          value: "aws-controltower"
        - type: "contains"
          value: "AWSControlTower"
      IAMRolePolicy:
        - type: "contains"
          value: "aws-controltower"
```
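The two configs above mix `glob`, `regex`, `contains` and bare-string filters, and the four behave differently against the string aws-nuke prints for a resource. The following is an added example (not aws-nuke's own code) that re-implements those matching rules as I understand them, so a filter list can be dry-run against constructed resource names before an account is nuked; the `Filter` and `Match` names are mine.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Filter is one entry of an aws-nuke resource filter list. An empty type
// behaves like "exact", which is what a bare string such as "backup" means.
type Filter struct {
	Type  string
	Value string
}

// Match applies one filter to the string aws-nuke prints for a resource
// (e.g. "Rule: aws-controltower-..." for CloudWatchEventsRule). Assumed
// semantics: exact compare, substring, filepath.Match glob, unanchored regexp.
func Match(f Filter, name string) (bool, error) {
	switch f.Type {
	case "", "exact":
		return f.Value == name, nil
	case "contains":
		return strings.Contains(name, f.Value), nil
	case "glob":
		// filepath.Match: "*" never crosses "/", so glob "*" misses "/aws/..." names
		return filepath.Match(f.Value, name)
	case "regex":
		re, err := regexp.Compile(f.Value)
		if err != nil {
			return false, err
		}
		return re.MatchString(name), nil // unanchored: a match anywhere keeps it
	}
	return false, fmt.Errorf("unknown filter type %q", f.Type)
}

func main() {
	// Constructed sample: a Control Tower log group checked against both styles.
	name := "/aws/lambda/aws-controltower-NotificationForwarder"
	g, _ := Match(Filter{"glob", "*"}, name)
	c, _ := Match(Filter{"contains", "aws-controltower"}, name)
	fmt.Printf("glob=%v contains=%v\n", g, c) // glob=false contains=true
}
```

Run it with a few names copied from `aws-nuke --dry-run` output to see which filter entries actually protect them.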

@ekristen
Contributor

Tracking via ekristen/aws-nuke#330


Please see the copy of the notice from the README about the deprecation of this project. Sven was kind enough to grant me access to help triage and close issues and pull requests that have already been addressed in the actively maintained fork. Some additional information is located in the welcome issue for more information.

Caution

This repository for aws-nuke is no longer being actively maintained. We recommend that users switch to the actively maintained fork of this project at ekristen/aws-nuke.
We appreciate all the support and contributions we've received throughout the life of this project. We believe that the fork will continue to provide the functionality and support that you have come to expect from aws-nuke.
Please note that this deprecation means we will not be addressing issues, accepting pull requests, or making future releases from this repository.
Thank you for your understanding and support.
