Cloud Foundation Assessment Tool
Generated on: Mon, 22 Jul 2024 20:00:52 GMT


Incomplete Requirements:
    INCOMPLETE: Config Recorder in Management Account configured
    INCOMPLETE: Config Delivery Channel in Management Account configured

====================================

Foundation Status: INCOMPLETE
Estimate of Required Level of Effort (LOE): 4 hours
CFAT Score: 133 out of 158

====================================

Foundation Checks:
┌─────────┬────────────────────────────────────────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────┬──────────────┬──────────┬────────┬─────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ (index) │                           check                            │                                        description                                        │    status    │ required │ weight │ loe │                                                                 remediationLink                                                                 │
├─────────┼────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────┼──────────────┼──────────┼────────┼─────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│    0    │                 'AWS Organization created'                 │                              'AWS Organization is enabled.'                               │  'complete'  │   true   │   6    │  1  │                                             'https://aws.amazon.com/organizations/getting-started/'                                             │
│    1    │                'Management Account created'                │                             'AWS Management account exists.'                              │  'complete'  │   true   │   6    │  1  │                                'https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-creating.html'                                │
│    2    │           'Management Account IAM users removed'           │                    'IAM Users should not exist in Management Account.'                    │  'complete'  │  false   │   4    │  1  │                            'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting'                            │
│    3    │         'Management Account EC2 instances removed'         │                  'EC2 Instances should not exist in Management Account.'                  │ 'incomplete' │  false   │   4    │  1  │                                'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html'                                 │
│    4    │             'Management Account VPCs removed'              │                      'Management Account should not have any VPCs.'                       │ 'incomplete' │  false   │   4    │  1  │       'https://github.com/cloud-foundations-on-aws/cloud-foundations-templates/blob/main/network/network-default-vpc-deletion/README.md'        │
│    5    │                 'CloudTrail Trail created'                 │                    'CloudTrail should be enabled within the account.'                     │  'complete'  │   true   │   6    │  3  │                          'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html'                          │
│    6    │         'CloudTrail Organization Service enabled'          │                    'CloudTrail should be enabled on the Organization.'                    │  'complete'  │   true   │   6    │  1  │                    'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudtrail.html'                     │
│    7    │              'CloudTrail Org Trail deployed'               │              'At least one CloudTrail Organization Trail should be enabled.'              │  'complete'  │   true   │   6    │  1  │                          'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html'                          │
│    8    │     'Config Recorder in Management Account configured'     │              'Config Recorder in the Management Account should be enabled.'               │ 'incomplete' │   true   │   6    │  2  │            'https://aws.amazon.com/blogs/mt/managing-aws-organizations-accounts-using-aws-config-and-aws-cloudformation-stacksets/'             │
│    9    │ 'Config Delivery Channel in Management Account configured' │            'Config Delivery Channel in Management Account should be enabled.'             │ 'incomplete' │   true   │   6    │  2  │            'https://aws.amazon.com/blogs/mt/managing-aws-organizations-accounts-using-aws-config-and-aws-cloudformation-stacksets/'             │
│   10    │            'CloudFormation StackSets activated'            │       'CloudFormation StackSets should be activated in the CloudFormation console.'       │ 'incomplete' │  false   │   5    │  1  │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html#integrate-enable-ta-cloudformation' │
│   11    │          'GuardDuty Organization service enabled'          │                   'GuardDuty Organization services should be enabled.'                    │  'complete'  │  false   │   4    │  1  │      'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html#integrate-enable-ta-guardduty'      │
│   12    │             'RAM Organization service enabled'             │ 'Resource Access Manager (RAM) trusted access should be enabled in the AWS Organization.' │  'complete'  │  false   │   4    │  1  │            'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-ram.html#integrate-enable-ta-ram'            │
│   13    │        'Security Hub Organization service enabled'         │         'Security Hub trusted access should be enabled in the AWS Organization.'          │  'complete'  │  false   │   4    │  1  │    'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-securityhub.html#integrate-enable-ta-securityhub'    │
│   14    │     'IAM Access Analyzer Organization service enabled'     │      'IAM Access Analyzer trusted access should be enabled in the AWS Organization.'      │  'complete'  │  false   │   4    │  1  │                'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling'                 │
│   15    │           'Config Organization service enabled'            │          'AWS Config trusted access should be enabled in the AWS Organization.'           │  'complete'  │  false   │   4    │  1  │         'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html#integrate-enable-ta-config'         │
│   16    │       'CloudFormation Organization service enabled'        │        'CloudFormation trusted access should be enabled in the AWS Organization.'         │  'complete'  │  false   │   5    │  1  │                  'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html'                   │
│   17    │           'Top-level Infrastructure OU deployed'           │                        'Top-level Infrastructure OU should exist.'                        │  'complete'  │  false   │   5    │  2  │                                   'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                    │
│   18    │              'Top-level Security OU deployed'              │                           'Top-level Security OU should exist.'                           │  'complete'  │   true   │   6    │  2  │                                   'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                    │
│   19    │             'Top-level Workloads OU deployed'              │                          'Top-level Workloads OU should exist.'                           │  'complete'  │  false   │   5    │  2  │                                   'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                    │
│   20    │           'IAM IdC Organization service enabled'           │      'IAM Identity Center trusted access should be enabled in the AWS Organization'       │  'complete'  │   true   │   6    │  1  │                               'https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html'                               │
│   21    │                    'IAM IdC configured'                    │                        'IAM Identity Center should be configured.'                        │  'complete'  │   true   │   6    │  3  │                                   'https://docs.aws.amazon.com/singlesignon/latest/userguide/tutorials.html'                                    │
│   22    │             'Service Control Policies enabled'             │          'Service Control Policy should be enabled within the AWS Organization.'          │  'complete'  │   true   │   6    │  1  │                      'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                      │
│   23    │             'Organization Tag Policy enabled'              │                'Tag Policy should be enabled within the AWS Organization.'                │  'complete'  │   true   │   6    │  1  │                      'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                      │
│   24    │            'Organization Backup Policy enabled'            │              'Backup Policy should be enabled within the AWS Organization.'               │  'complete'  │  false   │   5    │  1  │                      'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                      │
│   25    │                  'Control Tower deployed'                  │                            'Control Tower should be deployed.'                            │  'complete'  │   true   │   6    │  6  │                                   'https://catalog.workshops.aws/control-tower/en-US/prerequisites/deploying'                                   │
│   26    │               'Control Tower latest version'               │                       'Control Tower should be the latest version.'                       │  'complete'  │  false   │   5    │  2  │                              'https://docs.aws.amazon.com/controltower/latest/userguide/update-controltower.html'                               │
│   27    │                'Control Tower not drifted'                 │                          'Control Tower should not be drifted.'                           │  'complete'  │   true   │   6    │  2  │                                 'https://docs.aws.amazon.com/controltower/latest/userguide/resolve-drift.html'                                  │
│   28    │               'Log Archive account deployed'               │                            'Log Archive account should exist.'                            │  'complete'  │   true   │   6    │  2  │                          'https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-from-console.html'                          │
│   29    │                  'Audit account deployed'                  │                      'Audit/Security Tooling account should exist.'                       │  'complete'  │   true   │   6    │  2  │                          'https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-from-console.html'                          │
└─────────┴────────────────────────────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────┴──────────────┴──────────┴────────┴─────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘


Start Detailed Report:


*********************************************************
                   MANAGEMENT ACCOUNT
*********************************************************

AWS ACCOUNT TYPE

  Is in AWS Organization: true
  Assessing AWS Management Account: true

IAM USERS CHECK

  No IAM Users found.

EC2 INSTANCE CHECK

  No EC2 instances found.

VPC CHECK

  ap-south-1 - found VPC(s).
  eu-north-1 - found VPC(s).
  eu-west-3 - found VPC(s).
  eu-west-2 - found VPC(s).
  eu-west-1 - found VPC(s).
  ap-northeast-3 - found VPC(s).
  ap-northeast-2 - found VPC(s).
  ap-northeast-1 - found VPC(s).
  ca-central-1 - found VPC(s).
  sa-east-1 - found VPC(s).
  ap-southeast-1 - found VPC(s).
  ap-southeast-2 - found VPC(s).
  eu-central-1 - found VPC(s).
  us-east-2 - found VPC(s).
  us-west-1 - found VPC(s).
  ap-southeast-6 - found VPC(s).

AWS CONFIG CHECK

  No AWS Config configuration recorder or delivery channel discovered.
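The two required checks still open in this report (Config recorder and delivery channel in the Management Account) come down to three AWS Config API responses. The following added example, which is not part of CFAT or of this report, re-derives the complete/incomplete verdicts from those response shapes and covers the case a plain existence test misses: a recorder that was created but never started. The sample responses are constructed (the role ARN and bucket name are placeholders); a live run needs boto3 and credentials for the Management Account.

```python
"""Re-evaluate the two required AWS Config checks from this report.

Added example, not CFAT code. It evaluates the dict shapes returned by
describe_configuration_recorders, describe_configuration_recorder_status and
describe_delivery_channels and reproduces the 'complete' / 'incomplete'
verdicts. The sample responses below are constructed.
"""
from __future__ import annotations


def evaluate_config(recorders: dict, statuses: dict, channels: dict) -> dict:
    """Return both check verdicts plus the reasons behind them.

    A recorder counts as 'complete' only when it exists AND its status says it
    is recording. A delivery channel needs an S3 bucket and a recorder to
    deliver for (PutDeliveryChannel is rejected when no recorder exists).
    """
    recs = recorders.get("ConfigurationRecorders", [])
    recording = {
        s["name"] for s in statuses.get("ConfigurationRecordersStatus", [])
        if s.get("recording")
    }
    chans = channels.get("DeliveryChannels", [])

    reasons: list[str] = []
    if not recs:
        recorder_ok = False
        reasons.append("no configuration recorder")
    elif not any(r["name"] in recording for r in recs):
        recorder_ok = False
        reasons.append("recorder exists but is not recording")
    else:
        recorder_ok = True

    if not chans:
        channel_ok = False
        reasons.append("no delivery channel")
    elif not all(c.get("s3BucketName") for c in chans):
        channel_ok = False
        reasons.append("delivery channel has no S3 bucket")
    elif not recs:
        channel_ok = False
        reasons.append("delivery channel without a recorder")
    else:
        channel_ok = True

    return {
        "Config Recorder in Management Account configured":
            "complete" if recorder_ok else "incomplete",
        "Config Delivery Channel in Management Account configured":
            "complete" if channel_ok else "incomplete",
        "reasons": reasons,
    }


# Constructed responses reproducing this report's finding: nothing configured.
EMPTY_ACCOUNT = ({"ConfigurationRecorders": []},
                 {"ConfigurationRecordersStatus": []},
                 {"DeliveryChannels": []})

# Constructed responses for a recorder that was created but never started.
# It passes a naive 'exists' test yet records nothing, so it stays incomplete.
STOPPED_RECORDER = (
    {"ConfigurationRecorders": [{"name": "default",
                                 "roleARN": "arn:aws:iam::111122223333:role/config-role"}]},
    {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]},
    {"DeliveryChannels": [{"name": "default", "s3BucketName": "example-config-bucket"}]},
)


def evaluate_live(region: str) -> dict:
    """Run the same evaluation against the real APIs (needs boto3 + credentials)."""
    import boto3  # imported here so the offline evaluation runs without it
    cfg = boto3.client("config", region_name=region)
    return evaluate_config(cfg.describe_configuration_recorders(),
                           cfg.describe_configuration_recorder_status(),
                           cfg.describe_delivery_channels())


if __name__ == "__main__":
    for label, responses in (("empty", EMPTY_ACCOUNT), ("stopped", STOPPED_RECORDER)):
        print(label, evaluate_config(*responses))
```

When remediating, the order matters: put the configuration recorder first, then the delivery channel (it is rejected without a recorder), then start the recorder; checking status rather than mere existence is what catches the stopped-recorder case.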

MANAGEMENT ACCOUNT TASKS:
  Delete VPC in ap-south-1 - Management Account - Delete any unnecessary VPCs in ap-south-1, including the default VPC.
  Delete VPC in eu-north-1 - Management Account - Delete any unnecessary VPCs in eu-north-1, including the default VPC.
  Delete VPC in eu-west-3 - Management Account - Delete any unnecessary VPCs in eu-west-3, including the default VPC.
  Delete VPC in eu-west-2 - Management Account - Delete any unnecessary VPCs in eu-west-2, including the default VPC.
  Delete VPC in eu-west-1 - Management Account - Delete any unnecessary VPCs in eu-west-1, including the default VPC.
  Delete VPC in ap-northeast-3 - Management Account - Delete any unnecessary VPCs in ap-northeast-3, including the default VPC.
  Delete VPC in ap-northeast-2 - Management Account - Delete any unnecessary VPCs in ap-northeast-2, including the default VPC.
  Delete VPC in ap-northeast-1 - Management Account - Delete any unnecessary VPCs in ap-northeast-1, including the default VPC.
  Delete VPC in ca-central-1 - Management Account - Delete any unnecessary VPCs in ca-central-1, including the default VPC.
  Delete VPC in sa-east-1 - Management Account - Delete any unnecessary VPCs in sa-east-1, including the default VPC.
  Delete VPC in ap-southeast-1 - Management Account - Delete any unnecessary VPCs in ap-southeast-1, including the default VPC.
  Delete VPC in ap-southeast-2 - Management Account - Delete any unnecessary VPCs in ap-southeast-2, including the default VPC.
  Delete VPC in eu-central-1 - Management Account - Delete any unnecessary VPCs in eu-central-1, including the default VPC.
  Delete VPC in us-east-2 - Management Account - Delete any unnecessary VPCs in us-east-2, including the default VPC.
  Delete VPC in us-west-1 - Management Account - Delete any unnecessary VPCs in us-west-1, including the default VPC.
  Delete VPC in ap-southeast-6 - Management Account - Delete any unnecessary VPCs in ap-southeast-6, including the default VPC.
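Default VPCs cannot be deleted in one call: the internet gateway must be detached and deleted and the subnets removed first, and a VPC that still holds network interfaces is in use and should be left alone rather than forced. The following added example is not the deletion template linked from the remediation column; it plans the teardown in dependency order from the EC2 describe_* response shapes, skips VPCs that are non-default or still have ENIs, and can apply the plan across every region with boto3 (dry-run by default). The VPC, IGW and subnet IDs below are constructed.

```python
"""Plan, and optionally run, removal of default VPCs across regions.

Added example; it is not the template linked from this report. The planner
works on the dict shapes returned by EC2 describe_* calls and emits steps in
dependency order: detach and delete the internet gateway, delete the subnets,
then the VPC (the main route table, default NACL and default security group
are removed together with the VPC). A VPC that still has network interfaces
is in use, so it is skipped instead of forced. Live execution needs boto3 and
Management Account credentials; the sample responses below are constructed.
"""
from __future__ import annotations


def plan_vpc_teardown(vpc: dict, igws: dict, subnets: dict, enis: dict) -> list[tuple]:
    """Ordered (action, *ids) steps for one VPC, or [] when it must be kept."""
    vpc_id = vpc["VpcId"]
    if not vpc.get("IsDefault"):
        return []  # only default VPCs are in scope for this task
    if enis.get("NetworkInterfaces"):
        return []  # an ENI means an instance, endpoint or load balancer still lives here
    steps: list[tuple] = []
    for igw in igws.get("InternetGateways", []):
        steps.append(("detach_internet_gateway", igw["InternetGatewayId"], vpc_id))
        steps.append(("delete_internet_gateway", igw["InternetGatewayId"]))
    for subnet in subnets.get("Subnets", []):
        steps.append(("delete_subnet", subnet["SubnetId"]))
    steps.append(("delete_vpc", vpc_id))
    return steps


# Constructed sample: a default VPC with one IGW, three subnets and no ENIs.
SAMPLE_VPC = {"VpcId": "vpc-0example", "IsDefault": True}
SAMPLE_IGWS = {"InternetGateways": [{"InternetGatewayId": "igw-0example",
                                     "Attachments": [{"VpcId": "vpc-0example"}]}]}
SAMPLE_SUBNETS = {"Subnets": [{"SubnetId": f"subnet-0example{i}"} for i in range(3)]}
NO_ENIS = {"NetworkInterfaces": []}


def teardown_default_vpcs(regions: list[str] | None = None,
                          dry_run: bool = True) -> list[tuple]:
    """Apply the plan in every region (needs boto3). dry_run=True only reports."""
    import boto3  # imported here so the planner above runs without it
    executed: list[tuple] = []
    if regions is None:
        # describe_regions needs some endpoint region; us-east-1 is the usual choice
        ec2_global = boto3.client("ec2", region_name="us-east-1")
        regions = [r["RegionName"] for r in ec2_global.describe_regions()["Regions"]]
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        default_vpcs = ec2.describe_vpcs(
            Filters=[{"Name": "isDefault", "Values": ["true"]}])["Vpcs"]
        for vpc in default_vpcs:
            vid = vpc["VpcId"]
            by_vpc = [{"Name": "vpc-id", "Values": [vid]}]
            steps = plan_vpc_teardown(
                vpc,
                ec2.describe_internet_gateways(
                    Filters=[{"Name": "attachment.vpc-id", "Values": [vid]}]),
                ec2.describe_subnets(Filters=by_vpc),
                ec2.describe_network_interfaces(Filters=by_vpc),
            )
            for step in steps:
                if not dry_run:
                    if step[0] == "detach_internet_gateway":
                        ec2.detach_internet_gateway(InternetGatewayId=step[1], VpcId=step[2])
                    elif step[0] == "delete_internet_gateway":
                        ec2.delete_internet_gateway(InternetGatewayId=step[1])
                    elif step[0] == "delete_subnet":
                        ec2.delete_subnet(SubnetId=step[1])
                    else:
                        ec2.delete_vpc(VpcId=step[1])
                executed.append((region,) + step)
    return executed


if __name__ == "__main__":
    for step in plan_vpc_teardown(SAMPLE_VPC, SAMPLE_IGWS, SAMPLE_SUBNETS, NO_ENIS):
        print(step)
```

Run it with dry_run=True first and review the emitted steps per region; anything skipped because of ENIs deserves a look before it is treated as "unnecessary".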

*********************************************************
                    GOVERNANCE
*********************************************************

AWS ORGANIZATION POLICY TYPES

  Service Control Policies (SCP) enabled: true
  Tag Policies enabled: true
  Backup Policies enabled: true

AWS ORGANIZATION CLOUDFORMATION

  AWS CloudFormation Organization stack sets status: ENABLED

CLOUDTRAIL CHECK

  CloudTrail found in ap-southeast-6
    Is Organization Trail: true
    Is MultiRegion: true


GOVERNANCE SERVICES ENABLED IN AWS ORGANIZATION:

  AWS CloudTrail
  AWS Config

GOVERNANCE TASKS:

*********************************************************
                FINANCIAL MANAGEMENT
*********************************************************

LEGACY CUR

  Is legacy CUR set up: false

CLOUD FINANCIAL MANAGEMENT TASKS:
  Set up legacy CUR - Cloud Financial Management - Set up a legacy Cost and Usage Report (CUR) for the AWS Organization

*********************************************************
                MULTI-ACCOUNT STRATEGY
*********************************************************

AWS ORGANIZATION DETAILS

  AWS Organization Id: o-12345abcde
  AWS Organization ARN: arn:aws:organizations::12345678912:organization/o-12345abcde
  AWS Organization Root OU Id: r-ab12

AWS ORGANIZATION CLOUDFORMATION

  AWS CloudFormation Organization stack sets status: ENABLED

AWS ORGANIZATION TOP-LEVEL ORGANIZATION UNITS

  List of Organization's top-level OUs and AWS accounts:
    Organizational Unit: Exceptions
      Organizational Unit Id: ou-ab12-abch1234
      AWS Accounts: None

    Organizational Unit: Security
      Organizational Unit Id: ou-ab12-1234abc
      AWS Accounts: None

    Organizational Unit: Transitional
      Organizational Unit Id: ou-ab12-abcl1234
      AWS Accounts: None

    Organizational Unit: Workloads
      Organizational Unit Id: ou-ab12-1234vabc
      AWS Accounts: None

    Organizational Unit: Suspended
      Organizational Unit Id: ou-ab12-abcc1234
      AWS Accounts: None

    Organizational Unit: CT Security
      Organizational Unit Id: ou-ab12-1234rabc
      AWS Accounts:
        Log Archive
        Audit

    Organizational Unit: Infrastructure
      Organizational Unit Id: ou-ab12-abcn1234
      AWS Accounts:
        Shared Resources
        Identity
        Network


AWS ORGANIZATION MEMBER ACCOUNTS

  Account: Audit
  Account Email: my-example+ctlab-audit@example.com

  Account: Log Archive
  Account Email: my-example+ctlab-log-archive@example.com

  Account: Shared Resources
  Account Email: my-example+ctlab-shared-resources@example.com

  Account: Network
  Account Email: my-example+ctlab-network@example.com

  Account: Identity
  Account Email: my-example+ctlab-identity@example.com

  Account: Management
  Account Email: my-example+ct-lab@aol.com


AWS ORGANIZATION ENABLED SERVICES

  The following AWS Services are enabled within your AWS Organization:
    access-analyzer.amazonaws.com
    account.amazonaws.com
    cloudtrail.amazonaws.com
    config.amazonaws.com
    controltower.amazonaws.com
    guardduty.amazonaws.com
    inspector2.amazonaws.com
    ipam.amazonaws.com
    macie.amazonaws.com
    member.org.stacksets.cloudformation.amazonaws.com
    ram.amazonaws.com
    securityhub.amazonaws.com
    sso.amazonaws.com
    storage-lens.s3.amazonaws.com
    tagpolicies.tag.amazonaws.com

AWS ORGANIZATION INTEGRATED SERVICE REGISTERED DELEGATED ADMINS

  Account: Audit
  Delegated Services:
    guardduty.amazonaws.com
    inspector2.amazonaws.com
    macie.amazonaws.com
    securityhub.amazonaws.com
    storage-lens.s3.amazonaws.com

  Account: Network
  Delegated Services:
    ipam.amazonaws.com

  Account: Identity
  Delegated Services:
    access-analyzer.amazonaws.com
    sso.amazonaws.com


MULTI-ACCOUNT STRATEGY TASKS:
  Review Account Email Addresses - Multi-Account Strategy - Review the root email address of each account in the AWS Organization (the Management account uses a different domain, aol.com, from the member accounts on example.com)

*********************************************************
                  LANDING ZONE
*********************************************************

AWS CONTROL TOWER

  Control Tower home region: ap-southeast-6
  Control Tower status: ACTIVE
  Control Tower Landing Zone version: 3.3
  Latest available version: 3.3
  Drift Status: IN_SYNC

LANDING ZONE TASKS:

*********************************************************
                    IDENTITY
*********************************************************

AWS IAM IDENTITY CENTER

  IdC Region: ap-southeast-6
  IdC ARN: arn:aws:sso:::instance/ssoins-123456789abcdefg
  IdC Instance Id: d-12345abcde

IDENTITY TASKS:

*********************************************************
                    SECURITY
*********************************************************

AWS SECURITY SERVICES ENABLED IN AWS ORGANIZATION:

  Amazon GuardDuty
  AWS Security Hub
  IAM Access Analyzer
  Amazon Macie
  Amazon S3 Storage Lens
  Amazon Inspector
  AWS CloudTrail
  AWS Config

SECURITY TASKS:
  Delegate administration of AWS Config - Security - Register a delegated administrator account for AWS Config (trusted access for config.amazonaws.com is enabled, but no account is registered as its delegated administrator)

*********************************************************
                    NETWORK
*********************************************************

NETWORK TASKS:

*********************************************************
                  OBSERVABILITY
*********************************************************

OBSERVABILITY TASKS:
  Delegate administration of AWS Account Management - Observability - Register a delegated administrator account for AWS Account Management (trusted access for account.amazonaws.com is enabled, but no account is registered as its delegated administrator)

*********************************************************
               BACKUP AND RECOVERY
*********************************************************

BACKUP AND RECOVERY TASKS:
  Enable AWS Backup - Backup and Recovery - Enable trusted access for AWS Backup (backup.amazonaws.com) in the AWS Organization; it is not among the enabled services listed above
  Delegate administration of AWS Backup - Backup and Recovery - Register a delegated administrator account for AWS Backup once trusted access is enabled
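The "Delegate administration" tasks in the Security, Observability and Backup sections all follow from comparing two lists printed earlier in this report: the service principals with trusted access enabled in the Organization and the delegated administrators registered per account. The following added example, which is not CFAT code, performs that reconciliation on the report's own lists (re-typed here as constructed data) and emits the same kind of tasks, in an order that respects the API constraint that a delegated administrator cannot be registered before trusted access is on. Which services are expected and which account should own each is an assumption chosen to match this report.

```python
"""Reconcile Organizations trusted access against registered delegated admins.

Added example, not CFAT code. It consumes the dict shapes returned by
list_aws_service_access_for_organization, list_delegated_administrators and
list_delegated_services_for_account and derives tasks of the kind this report
lists: enable trusted access where it is missing, register a delegated
administrator where trusted access is on but no account holds the delegation.
EXPECTED_DELEGATIONS is an assumption chosen to match this report's tasks.
A live run needs boto3 and Management Account credentials.
"""
from __future__ import annotations

# Assumed target state: service principal -> account that should administer it.
EXPECTED_DELEGATIONS = {
    "account.amazonaws.com": "Audit",
    "backup.amazonaws.com": "Audit",
    "config.amazonaws.com": "Audit",
    "guardduty.amazonaws.com": "Audit",
    "securityhub.amazonaws.com": "Audit",
    "sso.amazonaws.com": "Identity",
}


def reconcile(enabled: dict, delegated: dict,
              expected: dict = EXPECTED_DELEGATIONS) -> list[str]:
    """Return remediation tasks; for each service, enable precedes register."""
    enabled_sp = {e["ServicePrincipal"] for e in enabled.get("EnabledServicePrincipals", [])}
    owner = {sp: account for account, sps in delegated.items() for sp in sps}
    tasks: list[str] = []
    for sp, wanted in sorted(expected.items()):
        if sp not in enabled_sp:
            # register_delegated_administrator fails until trusted access is enabled
            tasks.append(f"enable trusted access for {sp}")
        if sp not in owner:
            tasks.append(f"register {wanted} as delegated administrator for {sp}")
        elif owner[sp] != wanted:
            tasks.append(f"{sp} is delegated to {owner[sp]}, expected {wanted}")
    return tasks


# Constructed from this report's lists: enabled service principals ...
REPORT_ENABLED = {"EnabledServicePrincipals": [{"ServicePrincipal": sp} for sp in (
    "access-analyzer.amazonaws.com", "account.amazonaws.com", "cloudtrail.amazonaws.com",
    "config.amazonaws.com", "controltower.amazonaws.com", "guardduty.amazonaws.com",
    "inspector2.amazonaws.com", "ipam.amazonaws.com", "macie.amazonaws.com",
    "member.org.stacksets.cloudformation.amazonaws.com", "ram.amazonaws.com",
    "securityhub.amazonaws.com", "sso.amazonaws.com", "storage-lens.s3.amazonaws.com",
    "tagpolicies.tag.amazonaws.com")]}
# ... and delegated services per administrator account.
REPORT_DELEGATED = {
    "Audit": ["guardduty.amazonaws.com", "inspector2.amazonaws.com", "macie.amazonaws.com",
              "securityhub.amazonaws.com", "storage-lens.s3.amazonaws.com"],
    "Network": ["ipam.amazonaws.com"],
    "Identity": ["access-analyzer.amazonaws.com", "sso.amazonaws.com"],
}


def reconcile_live() -> list[str]:
    """Same check against the real organization (needs boto3 + credentials)."""
    import boto3  # imported here so the offline reconciliation runs without it
    # Organizations is global, but boto3 still needs an endpoint region.
    org = boto3.client("organizations", region_name="us-east-1")
    enabled: dict = {"EnabledServicePrincipals": []}
    for page in org.get_paginator("list_aws_service_access_for_organization").paginate():
        enabled["EnabledServicePrincipals"] += page["EnabledServicePrincipals"]
    delegated: dict = {}
    for page in org.get_paginator("list_delegated_administrators").paginate():
        for admin in page["DelegatedAdministrators"]:
            pages = org.get_paginator("list_delegated_services_for_account").paginate(
                AccountId=admin["Id"])
            delegated[admin["Name"]] = [
                s["ServicePrincipal"] for p in pages for s in p["DelegatedServices"]]
    return reconcile(enabled, delegated)


if __name__ == "__main__":
    for task in reconcile(REPORT_ENABLED, REPORT_DELEGATED):
        print(task)
```

Against this report's data the function yields exactly the four open delegation tasks (Account Management, Backup enable and delegate, Config) and nothing for GuardDuty, Security Hub or Identity Center, which are already delegated to the expected accounts.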


END REVIEW
