# What are the resources created?

## Master Baseline

Parameters:

| Parameter Name | Type | Description |
| --- | --- | --- |
| Region | String | AWS Region to deploy |
| AuditAccountId | String | AWS Account ID of Audit Account |
| LogArchiveAccountId | String | AWS Account ID of Log Archive Account |
| RoleName | String | Role used to access accounts |
| RegionPrimary | String | Is this the primary Region for baseline? |
| Email | String | Email address to notify when alarms occur |
| GuardDutyAlerts | String | Enable GuardDuty Alerts? |

Conditions:

| Condition Name | Description |
| --- | --- |
| IsRegionPrimary | Condition to check if the region is the primary region |

Resources:

| Resource Name | Type | Description |
| --- | --- | --- |
| AuditBaselineStackSet | AWS::CloudFormation::StackSet | Citadel Audit Baseline StackSet |
| LogArchiveBaselineStackSet | AWS::CloudFormation::StackSet | Citadel Log Archive Baseline StackSet |

Outputs:

| Output Name | Condition | Description |
| --- | --- | --- |
| AdminAccountId | IsRegionPrimary | AWS Account ID of Audit Account |
| LogArchiveAccountId | IsRegionPrimary | AWS Account ID of Log Archive Account |
## Master Billing Alerts

Parameters:

| Parameter Name | Type | Description | Default Value |
| --- | --- | --- | --- |
| BudgetAmount | Number | Budget amount to alarm on (in USD) | 0 |
| BudgetThreshold | Number | Threshold of budget to alarm on (in percent) | 80 |
| BudgetEmail | String | Email to alarm when the budget is exceeded or a cost anomaly is detected | "" |
| CostAnomaly | String | Enables anomaly detection on cost | "false" |
| CostAnomalyThreshold | Number | Alert when a detected anomaly is greater than this threshold (in USD); a good value is about 20% of your expected monthly amount | 200 |

Resources:

| Resource Name | Type | Description |
| --- | --- | --- |
| Budget | AWS::Budgets::Budget | Budget resource for cost monitoring |
| AnomalyServiceMonitor | AWS::CE::AnomalyMonitor | Anomaly monitor for cost anomaly detection |
| AnomalyDefaultSubscription | AWS::CE::AnomalySubscription | Anomaly subscription for cost anomaly detection |

Outputs:

No outputs are defined in this template.
## Master Workload Linked Baseline

Parameters:

| Parameter Name | Type | Description | Default Value |
| --- | --- | --- | --- |
| AccountId | String | AWS Account ID of target account | |
| Region | String | AWS Region to deploy | |
| AccountEmail | String | Email of target account | |
| RoleName | String | Role used to access accounts | OrganizationAccountAccessRole |

Resources:

| Resource Name | Type | Description |
| --- | --- | --- |
| LinkedBaselineStackSet | AWS::CloudFormation::StackSet | Citadel Baseline for Linked Accounts StackSet |

Outputs:

No outputs are defined in this template.
## Master Workload Access

Parameters:

| Parameter Name | Type | Description | Default Value |
| --- | --- | --- | --- |
| ExternalIds | String | External IDs that allow access from Citadel (comma separated) | |
| AccountId | String | AWS Account ID to provide access to Citadel | |
| RoleName | String | Role used to access accounts | OrganizationAccountAccessRole |

Resources:

| Resource Name | Type | Description |
| --- | --- | --- |
| AccountAccessStackSet | AWS::CloudFormation::StackSet | StackSet granting Citadel access to the AWS account |

Outputs:

No outputs are defined in this template.
## Workload Client VPN

Parameters:

| Parameter Name | Type | Description | Default Value |
| --- | --- | --- | --- |
| SplitTunnel | String | Enable split tunnel on the Client VPN endpoint (true/false) | |

Conditions:

| Condition Name | Description |
| --- | --- |
| IsSplitTunnel | Condition to check if SplitTunnel is true |

Resources:

| Resource Name | Type | Description |
| --- | --- | --- |
| ClientVpnEndpoint | AWS::EC2::ClientVpnEndpoint | Client VPN Endpoint |
| ClientVpnTargetNetworkAssociation | AWS::EC2::ClientVpnTargetNetworkAssociation | Association between Client VPN and a VPC |
| ClientVpnAuthorizationRule | AWS::EC2::ClientVpnAuthorizationRule | Authorization rule for Client VPN access |
| ClientVpnSecurityGroup | AWS::EC2::SecurityGroup | Security group for Client VPN |
| LogGroup | AWS::Logs::LogGroup | Log group for CloudWatch Logs |
| ImportCertificate | Custom::CustomImportCertificate | Custom resource for importing a certificate |
| CustomResourceFunctionImportCertificate | AWS::Lambda::Function | Lambda function for importing a certificate |
| CustomResourceFunctionImportCertificateRole | AWS::IAM::Role | IAM Role for Lambda function ImportCertificate |
| LookupSSOProvider | Custom::CustomLookupSSOProvider | Custom resource for looking up the SSO provider |
| CustomResourceFunctionLookupSSOProvider | AWS::Lambda::Function | Lambda function for looking up the SSO provider |
| CustomResourceFunctionLookupSSOProviderRole | AWS::IAM::Role | IAM Role for Lambda function LookupSSOProvider |

Outputs:

No outputs are defined in this template.
## Workload Deploy Compliance Baseline

Resources:

| Resource Name | Type | Description |
| --- | --- | --- |
| ConfigConformancePack | AWS::Config::ConformancePack | Conformance pack for Citadel Compliance Baseline |
| S3BucketLogging | AWS::S3::Bucket | S3 bucket for logging |
| S3BucketLoggingPolicy | AWS::S3::BucketPolicy | Bucket policy for the S3 logging bucket |
| S3Bucket | AWS::S3::Bucket | S3 bucket for Compliance Assessment |

Outputs:

| Output Name | Description |
| --- | --- |
| S3BucketName | S3 Bucket Name |
| S3BucketArn | S3 Bucket ARN |
## Workload Deploy Compliance

Parameters:

| Parameter Name | Type | Description |
| --- | --- | --- |
| FrameworkName | String | Name referencing the standard framework |
| FrameworkId | String | Id referencing the standard framework |

Resources:

| Resource Name | Type | Description |
| --- | --- | --- |
| CustomResourceFunctionEnableAuditManagerRole | AWS::IAM::Role | IAM Role for Lambda function EnableAuditManager |
| CustomResourceFunctionEnableAuditManager | AWS::Lambda::Function | Lambda function for enabling Audit Manager |
| EnableAuditManager | Custom::CustomEnableAuditManager | Custom resource for enabling Audit Manager |
| Assessment | AWS::AuditManager::Assessment | AWS Audit Manager assessment |

Outputs:

No outputs are defined in this template.
## Workload Domain

Parameters:

| Parameter Name | Type | Description |
| --- | --- | --- |
| HostedZoneName | String | Name of hosted zone domain |

Resources:

| Resource Name | Type | Description |
| --- | --- | --- |
| HostedZone | AWS::Route53::HostedZone | Route 53 Hosted Zone for Citadel Domain |

Outputs:

| Output Name | Description |
| --- | --- |
| HostedZone | HostedZone Id |
| HostedZoneNameServers | HostedZone Name Servers |
## Workload KMS CMK

Parameters:

| Parameter Name | Type | Description |
| --- | --- | --- |
| Name | String | Name for KMS Key |

Resources:

| Resource Name | Type | Description |
| --- | --- | --- |
| KMSKey | AWS::KMS::Key | KMS Key for Citadel |
| KMSKeyAkias | AWS::KMS::Alias | KMS Alias for Citadel Key |

Outputs:

| Output Name | Description |
| --- | --- |
| KMSKeyId | KMS CMK Id |
| KMSKeyArn | KMS CMK Arn |