From d54abfbb2190d7e4b521b1df153a55ccd126fcff Mon Sep 17 00:00:00 2001 From: rjulian Date: Sun, 13 Dec 2020 19:47:17 -0800 Subject: [PATCH 1/3] Add in multi account block --- about.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/about.rst b/about.rst index 86f8cbe..24c87f7 100644 --- a/about.rst +++ b/about.rst @@ -68,3 +68,20 @@ This infrastructure is created similarly to the output of `reflex build` in that forwarding_regions: - us-east-2 - eu-west-1 + +Multi-account Support +---------------------------- + +In a default implementation of reflex, a single account is monitored for events. If your organization leverages many accounts and wish to monitor them all through a single reflex deploy, we allow for the configuration of a multi-account forwarder to a central account. In this setup, there is an account deployed with normal reflex infrastructure, called a "parent" account and then many "child" accounts that forward their rule findings to the central account for processing. + +Similarly to the multi-region build output, we can create multi-account output with a configuration block update like below. This will create separate output directories needed to be deployed separately with terraform in each account. *Note*: If specifying child accounts, it is required to specify parent accounts in the configuration below. Specifying neither child or parent accounts will create a single account build. + +.. code-block:: yaml + + providers: + - aws: + region: us-east-1 + parent_account: "123456789012" + child_accounts: + - "234567890123" + - "345678901234" From 742d9654adc7e11f6016940557a5239549ae1ab0 Mon Sep 17 00:00:00 2001 From: rjulian Date: Sun, 13 Dec 2020 19:50:25 -0800 Subject: [PATCH 2/3] Fix typo and add a bit more information about child account infrastructure. --- about.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/about.rst b/about.rst index 24c87f7..390b06c 100644 --- a/about.rst +++ b/about.rst 
@@ -72,7 +72,8 @@ This infrastructure is created similarly to the output of `reflex build` in that Multi-account Support ---------------------------- -In a default implementation of reflex, a single account is monitored for events. If your organization leverages many accounts and wish to monitor them all through a single reflex deploy, we allow for the configuration of a multi-account forwarder to a central account. In this setup, there is an account deployed with normal reflex infrastructure, called a "parent" account and then many "child" accounts that forward their rule findings to the central account for processing. +In a default implementation of reflex, a single account is monitored for events. If your organization leverages many accounts and wishes to monitor them all through a single reflex deploy, we allow for the configuration of a multi-account forwarder to a central account. In this setup, there is an account deployed with normal reflex infrastructure, called a "parent" account and then many "child" accounts that forward their rule findings to the central account for processing. In the "child" +accounts, you will find just event rules, SNS topics, and IAM roles for cross account describe/remediation. Similarly to the multi-region build output, we can create multi-account output with a configuration block update like below. This will create separate output directories needed to be deployed separately with terraform in each account. *Note*: If specifying child accounts, it is required to specify parent accounts in the configuration below. Specifying neither child or parent accounts will create a single account build. From b4d46a05f9d3c240f1a9fa40a7317cdf2e969016 Mon Sep 17 00:00:00 2001 From: rjulian Date: Sun, 13 Dec 2020 19:51:07 -0800 Subject: [PATCH 3/3] Fix extra newline --- about.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/about.rst b/about.rst index 390b06c..6abebf9 100644 --- a/about.rst +++ b/about.rst 
@@ -72,8 +72,7 @@ This infrastructure is created similarly to the output of `reflex build` in that Multi-account Support ---------------------------- -In a default implementation of reflex, a single account is monitored for events. If your organization leverages many accounts and wishes to monitor them all through a single reflex deploy, we allow for the configuration of a multi-account forwarder to a central account. In this setup, there is an account deployed with normal reflex infrastructure, called a "parent" account and then many "child" accounts that forward their rule findings to the central account for processing. In the "child" -accounts, you will find just event rules, SNS topics, and IAM roles for cross account describe/remediation. +In a default implementation of reflex, a single account is monitored for events. If your organization leverages many accounts and wishes to monitor them all through a single reflex deploy, we allow for the configuration of a multi-account forwarder to a central account. In this setup, there is an account deployed with normal reflex infrastructure, called a "parent" account and then many "child" accounts that forward their rule findings to the central account for processing. In the "child" accounts, you will find just event rules, SNS topics, and IAM roles for cross account describe/remediation. Similarly to the multi-region build output, we can create multi-account output with a configuration block update like below. This will create separate output directories needed to be deployed separately with terraform in each account. *Note*: If specifying child accounts, it is required to specify parent accounts in the configuration below. Specifying neither child or parent accounts will create a single account build.
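Review bot: In [PATCH 1/3], the *Note* sentence under "Multi-account Support" says it is "required to specify parent accounts" (plural), but the YAML example uses a single scalar key, `parent_account`. Reword it along the lines of "you must also set `parent_account`" so readers do not try to pass a list. The note also leaves one case undefined: it covers both keys set and neither key set, but not `parent_account` set without `child_accounts`, so say what that builds. It would also help to state that account IDs must be quoted as in the example, since YAML does not read an unquoted 12-digit ID with a leading zero as a string.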
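Review bot: In [PATCH 2/3], the added sentence lists "IAM roles for cross account describe/remediation" in the child accounts without saying which principal may assume them or what they are allowed to change. These roles let another account act inside each child account, so the docs should name the trusted principal (presumably the parent account, which the text should confirm) and point to where the granted permissions are defined, so that a reader can review the trust policy and permission scope before running terraform in a child account.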
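Review bot: In [PATCH 3/3], the rejoined line still reads "cross account describe/remediation"; hyphenate it as "cross-account" to match "multi-account" as used in the rest of the section. The unchanged context paragraph also still says "Specifying neither child or parent accounts", which should be "neither child nor parent accounts" and is worth fixing in the same cleanup. Since this patch and [PATCH 2/3] only correct text introduced by [PATCH 1/3], consider squashing the three into one commit before merging.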