Requirements
To deploy Domain Protect successfully, the following prerequisites must be met:
- Security tooling account within AWS Organizations
- CloudFormation Stack Set delegated administrator assigned to security tooling account
- Storage bucket for Terraform state file
- OIDC role with deploy policy assigned, for CI/CD deployment
- Slack App with OAuth token, see Slack for details
- After initial deployment of Domain Protect, copy the Slack App OAuth token value to the Slack OAuth AWS Secret
Optional Domain Protect audit role in AWS org management account
Domain Protect installs a role in all accounts in the Organization using a CloudFormation StackSet, with the exception of the Organization management account.
If you have Route53 domains or hosted zones in the Organization Management account:
- Create an IAM role in the Org Management account
- Name the new role domain-protect-audit
- Assign the domain-protect-audit IAM policy
- Set the IAM role trust policy
See Org Management Account for more information.
Self-installation of Domain Protect audit role to Organization accounts
Optionally you can self-install the Domain Protect audit role across your Organization by another method, as detailed in Domain Protect audit role.
Requirements for takeover
- Creation of takeover resources in the security account must not be blocked by an SCP in any region
- S3 Block Public Access must not be turned on at the account level in the security account
- Production workspace must be named prd, or set to an alternate name using a Terraform variable; see automated takeover for further details
Organisations with over 1,000 AWS accounts
- A separate scanning Lambda function is started for every AWS account in the organisation
- If you have over 1,000 AWS accounts, request an increase to the Lambda default concurrent execution limit
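The checks below are an added preflight example, not part of the Domain Protect project: they encode the takeover requirement that S3 Block Public Access is off at the account level in the security account, the one-scanning-Lambda-per-account concurrency requirement, and the presence of the domain-protect-audit role in each Organization account. The response shapes mirror what boto3 returns from s3control.get_public_access_block and lambda.get_account_settings; the sample inputs and the account IDs are constructed, and the "one concurrent execution per account" threshold is an assumption.

```python
"""Preflight checks for the Domain Protect prerequisites above (added example)."""
from typing import Dict, List, Optional

AUDIT_ROLE_NAME = "domain-protect-audit"  # role name from the requirements


def s3_block_public_access_ok(public_access_block: Optional[dict]) -> bool:
    """Takes the PublicAccessBlockConfiguration dict of the security account
    (None when no account-level configuration exists). Takeover buckets need
    public access, so no account-level block setting may be enabled."""
    if public_access_block is None:
        return True
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return not any(public_access_block.get(k, False) for k in keys)


def lambda_concurrency_ok(account_settings: dict, account_count: int) -> bool:
    """One scanning Lambda is started per AWS account, so the concurrency
    limit must cover the number of accounts (assumed threshold: 1 per account)."""
    limit = account_settings["AccountLimit"]["ConcurrentExecutions"]
    return limit >= account_count


def missing_audit_role_accounts(roles_by_account: Dict[str, List[str]],
                                management_account_id: str) -> List[str]:
    """Given {account_id: [role names]}, return accounts lacking the audit role.
    The management account is skipped because the role there is optional."""
    return sorted(acct for acct, roles in roles_by_account.items()
                  if acct != management_account_id and AUDIT_ROLE_NAME not in roles)


def live_checks(security_account_id: str, account_count: int) -> dict:
    """Fetch the real settings with boto3 (imported lazily so the pure checks
    above run offline) and evaluate them for the security account."""
    import boto3
    s3control = boto3.client("s3control")
    try:
        pab = s3control.get_public_access_block(AccountId=security_account_id)
        pab = pab["PublicAccessBlockConfiguration"]
    except s3control.exceptions.NoSuchPublicAccessBlockConfiguration:
        pab = None
    settings = boto3.client("lambda").get_account_settings()
    return {"s3_block_public_access_ok": s3_block_public_access_ok(pab),
            "lambda_concurrency_ok": lambda_concurrency_ok(settings, account_count)}


if __name__ == "__main__":
    # Constructed sample: 1,200 accounts against the default 1,000 limit fails.
    print(lambda_concurrency_ok({"AccountLimit": {"ConcurrentExecutions": 1000}}, 1200))
```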