Updating LZA upgrade docs (#1298)

Author: ColinL2021

src/mkdocs/docs/lza-upgrade/faq.md

@@ -10,7 +10,7 @@ Changes to the shared networking resources managed by the accelerator may have a
 - When the route tables are replaced in the NetworkVPC stage of the LZA installation, minimal packet loss (i.e. few seconds) can be observed. This affects all traffic going through the Transit Gateway.
 - For deployments using AWS Network Firewall, the routes targeting the network firewall endpoints are re-created in the NetworkVpcEndpointsStack that is deployed immediately after the NetworkVPCStack. This causes a network disruption of all ingress/egress traffic going through the Perimeter VPC between 1 and 2 minutes.
 - For deployments using third-party Firewalls (i.e. FortiGate), the routes targeting the firewall ENIs are re-created in the NetworkAssociationsGwlbStack. This doesn't affect workload traffic flowing through the firewalls but can impact connectivity to the firewall management interface.
-- There is a period between the **NetworkVPC** and **PostImportASEAResources** stages where route tables to VPC Gateway Endpoints for S3 and DynamoDB are not available. See the section on [Optional preparation steps](./upgrade/optional-steps.md#configure-interface-endpoints-for-s3-and-dynamodb) for more details and recommended workaround.
+- There is a period between the **NetworkVPC** and **PostImportASEAResources** stages where route tables to VPC Gateway Endpoints for S3 and DynamoDB are not available. See the section on [Preparation steps](./upgrade/preparation-steps.md#configure-interface-endpoints-for-s3-and-dynamodb-optional) for more details and recommended workaround.
 
 ## What if we made manual changes to subnet route tables outside the accelerator?
 
@@ -84,4 +84,4 @@ ORDER BY
   COUNT(*) DESC
 ```
 
-For more information about LZA related Quotas, refer to the [LZA Documentation about Quotas](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/quotas.html) as well as this note about [CodeBuild concurrency](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/prerequisites.html#update-codebuild-conncurrency-quota)
+For more information about LZA related Quotas, refer to the [LZA Documentation about Quotas](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/quotas.html) as well as this note about [CodeBuild concurrency](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/prerequisites.html#update-codebuild-conncurrency-quota)

src/mkdocs/docs/lza-upgrade/index.md

@@ -35,7 +35,7 @@ Before starting we strongly encourage you to go through the full documentation a
     4. [Configuration conversion](./preparation/configuration-conversion.md)
     5. [Pre-upgrade validations](./preparation/validation.md)
 - [Upgrade](./upgrade/index.md)
-    1. [Optional preparation steps](./upgrade/optional-steps.md)
+    1. [Preparation steps](./upgrade/preparation-steps.md)
     2. [Disable ASEA](./upgrade/disable-asea.md)
     3. [Install LZA](./upgrade/install-lza.md)
     4. [Finalize the upgrade](./upgrade/finalize.md)

src/mkdocs/docs/lza-upgrade/upgrade/finalize.md

@@ -6,7 +6,7 @@
 
 ### Remove temporary Interface Endpoints for S3 and DynamoDB
 
-If you created temporary Interface Endpoints for S3 and DynamoDB in the [optional preparation steps](./optional-steps.md#configure-interface-endpoints-for-s3-and-dynamodb) you can now remove them [according to the instructions](./optional-steps.md#removal-of-endpoints-after-the-lza-installation).
+If you created temporary Interface Endpoints for S3 and DynamoDB in the [preparation steps](./preparation-steps.md#configure-interface-endpoints-for-s3-and-dynamodb-optional) you can now remove them [according to the instructions](./preparation-steps.md#removal-of-endpoints-after-the-lza-installation).
 
 
 ## Post upgrade Overview

src/mkdocs/docs/lza-upgrade/upgrade/index.md

@@ -14,7 +14,7 @@ Re-confirm pre-requisites
 The upgrade steps are
 
 - Upgrade
-    1. [Optional preparation steps](./optional-steps.md)
+    1. [Preparation steps](./preparation-steps.md)
     2. [Disable ASEA](./disable-asea.md)
     3. [Install LZA](./install-lza.md)
     4. [Finalize the upgrade](./finalize.md)

src/mkdocs/docs/lza-upgrade/upgrade/optional-steps.md renamed to src/mkdocs/docs/lza-upgrade/upgrade/preparation-steps.md

@@ -1,8 +1,35 @@
-# Optional preparation steps
+# Preparation steps
 
 Additional preparation steps are recommended depending on your configuration
 
-## Configure Interface Endpoints for S3 and DynamoDB
+## Disable Security Hub forwarding to CloudWatch Log Groups
+
+ASEA uses an EventBridge rule and a Lambda function to forward all Security Hub findings to a CloudWatch Log Group in the Security Audit account. The centralized logging architecture then forward all the CloudWatch Log entries to the central S3 bucket. During the LZA installation, a LZA specific EventBridge rule will be deployed to achieve the same outcome. The LZA rule directly targets the CloudWatch Log Group without a Lambda, the process is thus more efficient.
+
+We recommend disabling the EventBridge rule **before** the LZA installation to avoid duplicate findings being delivered. Environments with more than 30 AWS Accounts have experienced timeout issues related to Lambda concurrency rate limiting during the upgrade.
+
+!!! tip
+    If you require all findings to be logged in CloudWatch Logs and S3 then you can disable the rule **after** the LZA installation, be advised that you will see duplicate findings being delivered. If there are more than 30 AWS Accounts in the AWS Organization then you would also have to increase the Service Quotas for Lambda [**Concurrent executions**](https://console.aws.amazon.com/servicequotas/home/services/lambda/quotas/L-B99A9384) and CloudWatch Logs [**CreateLogStream throttle limit in transactions per second**](https://console.aws.amazon.com/servicequotas/home/services/logs/quotas/L-76507CEF). In all cases, Security Hub findings will continue to be available in the Security Hub console and through SNS Topics notifications if they are configured, this only affect the delivery of the findings to CloudWatch and S3.
+
+### Disable the EventBridge rule
+1. Login to your Management account using an administrative role
+2. Assume the privileged role (i.e. `{prefix-name}-PipelineRole`) into the Security Audit account
+3. Go to the EventBridge console in the Rules page
+4. Locate the `{prefix-name}-SecurityHubFindingsImportToCWLs` rule
+5. Disable the rule
+6. Repeat this for every AWS Region enabled in your configuration file
+
+Alternatively you can run the following command using AWS Cloud Shell from the Security Audit account to disable the rule in all regions (you need to use the appropriate rule name if using a different accelerator prefix)
+```bash
+for region in `aws ec2 describe-regions --query "Regions[].RegionName" --output text`; do aws events disable-rule --region $region --name ASEA-SecurityHubFindingsImportToCWLs; done
+```
+
+## AWS Security Hub CSPM Configuration
+
+By default AWS Security Hub CSPM is configured as [local configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/local-configuration.html) and is managed by ASEA/LZA for the AWS Organization. AWS Security Hub CSPM introduced [central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) to configure Security Hub CSPM, standards, and controls across multiple organization accounts, organizational units (OUs), and Regions. Currently LZA does not support central configuration and if central configuration was manually implemented then you must revert AWS Security Hub CSPM to local configuration. If you have central configuration enabled at the time of the upgrade, the upgrade will fail at the Security_Audit stage. LZA manages Security Hub CSPM configuration in the [security-config.yaml](https://github.com/aws-samples/landing-zone-accelerator-on-aws-for-cccs-medium/blob/main/config/security-config.yaml) file under the securityHub section.
+
+
+## Configure Interface Endpoints for S3 and DynamoDB (Optional)
 
 ### Context
 During the upgrade process, LZA creates new route tables and associates them with the existing subnets to replace the previous ASEA route tables. This is mostly transparent as the LZA route tables are identical to the ASEA route tables defined in the ASEA configuration. However, the routes pointing to the prefix list for Gateway Endpoints (S3 and DynamoDB) are only added at a later stage of the upgrade process. Therefore the Gateway Endpoints won't be available from your VPCs between the NetworkVPC stage and PostImportASEAResources stage of the LZA installation. Communication to S3 and DDB will fall back to using the public endpoints going through your Perimeter VPC using the default route. This traffic will be allowed or denied based on your egress rules in the perimeter firewall.
@@ -68,25 +95,3 @@ Once LZA upgrade is complete
     - Remove all record from the zone except the SOA and NS records
     - Delete the Private Hosted Zone
     - Delete the Interface endpoint (don't delete the Gateway endpoints)
-
-## Disable Security Hub forwarding to CloudWatch Log Groups
-
-ASEA uses an Event Bridge rule and a Lambda function to forward all Security Hub findings to a CloudWatch Log Group in the Security Audit account. The centralized logging architecture then forward all the CloudWatch Log entries to the central S3 bucket. During the LZA installation, a LZA specific Event Bridge rule will be deployed to achieve the same outcome. The LZA rule directly targets the CloudWatch Log Group without a Lambda, the process is thus more efficient.
-
-We recommend disabling the Event Bridge rule **before** the LZA installation to avoid duplicate findings being delivered. On large environments, timeout issues related to Lambda rate limiting have been reported during the upgrade.
-
-!!! tip
-    If you require all findings to be logged in CloudWatch Logs and S3 we recommend you instead disable the rule **after** the LZA installation, be advised that you will see duplicate findings being delivered. In all cases, Security Hub findings will continue to be available in the Security Hub console and through SNS Topics notifications if they are configured, this only affect the delivery of the findings to CloudWatch and S3.
-
-### Disable the Event Bridge rule
-1. Login to your Management account using an administrative role
-2. Assume the privileged role (i.e. `{prefix-name}-PipelineRole`) into the Security Audit account
-3. Go to the Event Bridge console in the Rules page
-4. Locate the `{prefix-name}-SecurityHubFindingsImportToCWLs` rule
-5. Disable the rule
-6. Repeat this for every AWS Region enabled in your configuration file
-
-Alternatively you can run the following command using AWS Cloud Shell from the Security Audit account to disable the rule in all regions (you need to use the appropriate rule name if using a different accelerator prefix)
-```bash
-for region in `aws ec2 describe-regions --query "Regions[].RegionName" --output text`; do aws events disable-rule --region $region --name ASEA-SecurityHubFindingsImportToCWLs; done
-```

src/mkdocs/mkdocs.yml

@@ -43,7 +43,7 @@ nav:
           - Pre-upgrade validations: lza-upgrade/preparation/validation.md
       - Upgrade:
           - lza-upgrade/upgrade/index.md
-          - Optional preparation steps: lza-upgrade/upgrade/optional-steps.md
+          - Preparation steps: lza-upgrade/upgrade/preparation-steps.md
           - Disable ASEA: lza-upgrade/upgrade/disable-asea.md
           - Install LZA: lza-upgrade/upgrade/install-lza.md
           - Finalize the upgrade: lza-upgrade/upgrade/finalize.md