In order to deploy resources from this repo successfully, the requirements below must already be in place, as the Terraform code we provide will not create them:
- Slack App or legacy Slack webhook, see Slack Webhook for details
- Security audit account within AWS Organizations
- Security audit read-only role with an identical name in every AWS account of the Organization
- Storage bucket for Terraform state file
- OIDC role (preferred) or IAM user with deploy policy assigned, for CI/CD deployment
- You may already have an existing security audit role in all your AWS accounts
  - You can select it using the `security_audit_role_name` Terraform variable
- If you don't already have a suitable role in all AWS accounts, create a new one
  - Name the new role `domain-protect-audit` to match the default Terraform variable value
  - Assign the domain-protect-audit IAM policy
  - Set the trust policy with the Security Audit AWS Account ID
  - Use an External ID in the trust policy
  - Deploy across the Organization using CloudFormation StackSets
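The trust policy steps above (Security Audit account as the only principal, External ID required) are easy to get subtly wrong in one of many member accounts. The following is an added example, not code from the domain-protect repo: it builds the trust policy document described above and checks trust policies read back from member accounts for a missing role, a wrong principal or a missing External ID condition. The account IDs, External ID and the sample documents are constructed placeholders, and the checker is an illustration of the requirement rather than anything the project ships.

```python
"""Build and verify the security audit role trust policy (added example).

Account IDs, External ID and the sample read-back documents below are
constructed placeholders; replace them with your own values.
"""
import json

SECURITY_AUDIT_ACCOUNT_ID = "111111111111"  # placeholder, constructed
EXTERNAL_ID = "replace-with-a-random-secret"  # placeholder, constructed
ROLE_NAME = "domain-protect-audit"  # default Terraform variable value


def audit_role_trust_policy(security_account_id: str, external_id: str) -> dict:
    """Trust policy that lets only the security audit account assume the
    role, and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict, security_account_id: str, external_id: str) -> list:
    """Return a list of problems; an empty list means the policy matches the
    requirements (security audit account as principal, External ID enforced)."""
    problems = []
    expected_principal = f"arn:aws:iam::{security_account_id}:root"
    statements = _as_list(doc.get("Statement"))
    allow = [s for s in statements
             if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allow:
        return ["no Allow statement for sts:AssumeRole"]
    for s in allow:
        principals = _as_list(s.get("Principal", {}).get("AWS"))
        if "*" in principals:
            problems.append("wildcard principal allows any AWS account to assume the role")
        elif expected_principal not in principals and security_account_id not in principals:
            problems.append(f"principal is not the security audit account: {principals}")
        cond = s.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or does not match")
    return problems


def check_organization(role_docs: dict, security_account_id: str, external_id: str) -> dict:
    """role_docs maps member account ID -> trust policy dict, or None when the
    role does not exist there. Returns only the accounts that need fixing."""
    findings = {}
    for account_id, doc in role_docs.items():
        if doc is None:
            findings[account_id] = [f"role {ROLE_NAME} not found"]
            continue
        problems = check_trust_policy(doc, security_account_id, external_id)
        if problems:
            findings[account_id] = problems
    return findings


# Constructed sample of what reading the role back from three member accounts might return.
SAMPLE_ROLE_DOCS = {
    "222222222222": audit_role_trust_policy(SECURITY_AUDIT_ACCOUNT_ID, EXTERNAL_ID),
    "333333333333": {  # deployed without the External ID condition
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": f"arn:aws:iam::{SECURITY_AUDIT_ACCOUNT_ID}:root"},
                       "Action": "sts:AssumeRole"}],
    },
    "444444444444": None,  # StackSet never reached this account
}

if __name__ == "__main__":
    print(json.dumps(audit_role_trust_policy(SECURITY_AUDIT_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    for account, problems in check_organization(SAMPLE_ROLE_DOCS, SECURITY_AUDIT_ACCOUNT_ID, EXTERNAL_ID).items():
        print(account, problems)
```

In practice the `role_docs` input would be populated by reading the role's `AssumeRolePolicyDocument` from each member account (the IAM GetRole API), which the sample replaces with constructed documents so it runs offline.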
- Creation of takeover resources in the security account must not be blocked in some regions by SCP
- S3 Block Public Access must not be turned on at the account level in the security account
- Production workspace must be named `prd` or set to an alternate using a Terraform variable
- See automated takeover for further details
- A separate scanning Lambda function is started for every AWS account in the organisation
- If you have over 1,000 AWS accounts, request an increase to the Lambda default concurrent execution limit