From 2baa5d9d6a7b723f073064709cfc4f38261f0ef6 Mon Sep 17 00:00:00 2001
From: Kishore Vinjam <kkvinjam@gmail.com>
Date: Tue, 6 Feb 2024 23:44:38 -0500
Subject: [PATCH] Add support to deployment in non-control environments

---
 .../functional_tests/entrypoint.sh            |   1 +
 .taskcat.yml                                  |  18 +++
 scripts/cleanup_config.json                   |  16 ++-
 scripts/cleanup_config.py                     | 127 +++++++++++-------
 templates/abi-enable-qradar-integration.yaml  |  58 +++++++-
 .../enable-cloudtrail-integrations.yaml       |  56 +++++++-
 .../enable-guardduty-integrations.yaml        |  56 +++++++-
 7 files changed, 278 insertions(+), 54 deletions(-)

diff --git a/.project_automation/functional_tests/entrypoint.sh b/.project_automation/functional_tests/entrypoint.sh
index 8d67f7b..1bd94e1 100755
--- a/.project_automation/functional_tests/entrypoint.sh
+++ b/.project_automation/functional_tests/entrypoint.sh
@@ -43,6 +43,7 @@ run_test "launch-qradar-main-default"
 
 run_test "launch-qradar-main-both"
 
+#run_test "launch-qradar-main-both-nonct"
 ## Executing ash tool
 
 #find ${PROJECT_PATH} -name lambda.zip -exec rm -rf {} \;
diff --git a/.taskcat.yml b/.taskcat.yml
index 02c331e..3ccdaaf 100644
--- a/.taskcat.yml
+++ b/.taskcat.yml
@@ -29,6 +29,24 @@ tests:
       - us-east-1
     template: templates/abi-enable-qradar-integration.yaml
 
+  launch-qradar-main-both-nonct:
+    parameters:
+      pSRASourceS3BucketName: $[taskcat_autobucket]
+      pSRAS3BucketRegion: $[taskcat_current_region]
+      pSRAStagingS3KeyPrefix: $[taskcat_project_name]
+      pConfigureCloudTrail: 'Yes'
+      pConfigureGuardDuty: 'Yes'
+      pDisableGuardDuty: 'Yes'
+      pControlTower: 'false'
+      pLogArchiveAccountId: $[taskcat_ssm_/nonct/log-archive-account-id]
+      pSecurityAccountId: $[taskcat_ssm_/nonct/audit-account-id]
+      pGovernedRegions: 'us-east-1,us-east-2'
+      pAdminRoleName: 'AWSCloudFormationStackSetAdministrationRole'
+      pExecRoleName: 'AWSCloudFormationStackSetExecutionRole'
+    regions:
+      - us-east-1
+    template: templates/abi-enable-qradar-integration.yaml
+
   # launch-qradar-main-only-ct:
   #   parameters:
   #     pSRASourceS3BucketName: $[taskcat_autobucket]
diff --git a/scripts/cleanup_config.json b/scripts/cleanup_config.json
index d9a5ecf..59a2ff3 100644
--- a/scripts/cleanup_config.json
+++ b/scripts/cleanup_config.json
@@ -3,6 +3,18 @@
     "Type" : "STACK",
     "Filter" : "tCaT-launch-qradar"
   },
+  {
+    "Type" : "STACK_SET",
+    "Filter" : "qradar-setup-iam-role-stack"
+  },
+  {
+    "Type" : "STACK_SET",
+    "Filter" : "qradar-cloudtrail-event-stack"
+  },
+  {
+    "Type" : "STACK_SET",
+    "Filter" : "qradar-guardduty-event-stack"
+  },
   {
     "Type" : "SSM_PARAMETER",
     "Filter" : "/sra/gd/",
@@ -39,7 +51,6 @@
     "Type": "S3_BUCKET",
     "Filter": "tcat-"
   },
-
   {
     "Type": "S3_BUCKET",
     "Filter": "sra-cloudtrail-staging-"
@@ -92,6 +103,9 @@
     "Type" : "CODE_BUILD",
     "Filter": "sra-codebuild-project"
   },
+  {
+    "Type" : "GUARDDUTY_DET"
+  },
   {
     "Type" : "STACK_SET",
     "Filter" : "sra-stackset-execution-role"
diff --git a/scripts/cleanup_config.py b/scripts/cleanup_config.py
index 9db8b43..c366120 100644
--- a/scripts/cleanup_config.py
+++ b/scripts/cleanup_config.py
@@ -30,26 +30,27 @@
                 'UPDATE_COMPLETE', 'UPDATE_ROLLBACK_IN_PROGRESS',
                 'UPDATE_ROLLBACK_FAILED', 'UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS',
                 'UPDATE_ROLLBACK_COMPLETE', 'REVIEW_IN_PROGRESS']
-def list_stacksets():
+
+def list_stacksets(context=CF):
     '''List all stacksets in the account'''
-    response = CF.list_stack_sets()
+    response = context.list_stack_sets()
     stacksets = response['Summaries']
     while response.get('NextToken'):
-        response = CF.list_stack_sets(NextToken=response['NextToken'])
+        response = context.list_stack_sets(NextToken=response['NextToken'])
         stacksets.extend(response['Summaries'])
     return stacksets
 
-def list_active_stackset_names():
+def list_active_stackset_names(context=CF):
     '''List all stackset names in the account'''
     cf_names = []
-    for cfn in list_stacksets():
+    for cfn in list_stacksets(context):
         if cfn['Status'] != 'DELETED':
             cf_names += [cfn['StackSetName']]
     return cf_names
 
-def list_stackset_names(filters=None):
+def list_stackset_names(context=CF, filters=None):
     '''List all stackset names in the account'''
-    cf_info = list_stacksets()
+    cf_info = list_stacksets(context)
     cf_names = []
     for cfn in cf_info:
         if cfn['Status'] != 'DELETED':
@@ -62,19 +63,19 @@ def list_stackset_names(filters=None):
 
     return cf_names
 
-def list_stackset_instances(stackset_name):
+def list_stackset_instances(context=CF, ss_name=None):
     '''List all stackset instances in the account'''
-    response = CF.list_stack_instances(StackSetName=stackset_name)
+    response = context.list_stack_instances(StackSetName=ss_name)
     stackinstances = response['Summaries']
     while response.get('NextToken'):
-        response = CF.list_stack_instances(StackSetName=stackset_name,
+        response = context.list_stack_instances(StackSetName=ss_name,
                                         NextToken=response['NextToken'])
         stackinstances.extend(response['Summaries'])
     return stackinstances
 
 def delete_stack_instances(stackset_name, retain_stacks=False):
     '''Delete all stackset instances in the account'''
-    stackinstances = list_stackset_instances(stackset_name)
+    stackinstances = list_stackset_instances(ss_name=stackset_name)
     for stackinstance in stackinstances:
         CF.delete_stack_instances(StackSetName=stackset_name,
                                 Regions=[stackinstance['Region']],
@@ -82,7 +83,7 @@ def delete_stack_instances(stackset_name, retain_stacks=False):
 
 def si_account_list(stackset_name):
     '''List all stackset instance accounts'''
-    stackinstances = list_stackset_instances(stackset_name)
+    stackinstances = list_stackset_instances(ss_name=stackset_name)
     stackinstance_names = []
     for stackinstance in stackinstances:
         stackinstance_names += [stackinstance['Account']]
@@ -90,7 +91,7 @@ def si_account_list(stackset_name):
 
 def si_region_list(stackset_name):
     '''List all stackset instance regions'''
-    stackinstances = list_stackset_instances(stackset_name)
+    stackinstances = list_stackset_instances(ss_name=stackset_name)
     stackinstance_regions = []
     for stackinstance in stackinstances:
         stackinstance_regions += [stackinstance['Region']]
@@ -127,7 +128,7 @@ def delete_all_stackinstances(stackset_name):
                                                  RetainStacks=False)
 
         loop = 1
-        while len(list_stackset_instances(stackset_name)) > 0 and loop < 30:
+        while len(list_stackset_instances(ss_name=stackset_name)) > 0 and loop < 30:
             sleep(10)
             loop += 1
 
@@ -135,7 +136,7 @@ def delete_all_stackinstances(stackset_name):
 
 def delete_stacksets(filters):
     '''Delete all stacksets created by CfCT solution in the account'''
-    cf_names = list_stackset_names(filters)
+    cf_names = list_stackset_names(filters=filters)
     for cf_name in cf_names:
         op_info = delete_all_stackinstances(cf_name)
         op_id = op_info['OperationId']
@@ -151,11 +152,11 @@ def delete_stacksets(filters):
         CF.delete_stack_set(StackSetName=cf_name)
 
 def list_all_stacks():
-    '''List all stacks in the account with status other than DELETE_COMPLETE'''
-    response = CF.list_stacks(StackStatusFilter=VALID_STATUS)
+    '''List all stacks in the account'''
+    response = CF.list_stacks()
     stacks = response['StackSummaries']
     while response.get('NextToken'):
-        response = CF.list_stacks(StackStatusFilter=VALID_STATUS, NextToken=response['NextToken'])
+        response = CF.list_stacks(NextToken=response['NextToken'])
         stacks.extend(response['StackSummaries'])
     return stacks
 
@@ -245,29 +246,33 @@ def delete_s3_buckets(item):
                 else:
                     raise exe
 
-def list_all_parameters(ssm_session):
+def list_all_parameters(context):
     ''''List all parameters in the account'''
-    response = ssm_session.describe_parameters()
-    result = response['Parameters']
+    response = context.describe_parameters()
+    parameters = response['Parameters']
     while response.get('NextToken'):
-        response = ssm_session.describe_parameters(NextToken=response['NextToken'])
-        result.extend(response['Parameters'])
-
-    return result
+        response = context.describe_parameters(NextToken=response['NextToken'])
+        parameters.extend(response['Parameters'])
+    return parameters
 
 def delete_parameters(item):
     '''Delete all parameters created in the account'''
 
+    print(f"Recieved item: {item}")
     filters = item['Filter']
     (ssm_session, account, target) = get_client_session(item, 'ssm')
-    print(f"SSM action on {target} with filters: {filters}")
+    print(f"SSM action on {account}/{target} with filters: {filters}")
 
-    parameters = list_all_parameters(ssm_session)
+    parameters = list_all_parameters(context=ssm_session)
     for parameter in parameters:
         param_name = parameter['Name']
+        print(f"param_name: {param_name}")
         if param_name.startswith(filters):
             print(f"..Deleting parameter {param_name}.")
+            res = ssm_session.get_parameter(Name=param_name)['Parameter']['ARN']
+            print(f"res: {res}")
             ssm_session.delete_parameter(Name=param_name)
+            print(f"..Deleted parameter {param_name}.")
 
 def get_temp_credentials(aws_account, role_name='AWSControlTowerExecution'):
     '''
@@ -306,6 +311,7 @@ def establish_remote_session(account):
             aws_secret_access_key=sts_creds['SecretAccessKey'],
             aws_session_token=sts_creds['SessionToken']
             )
+            print(f"Established session for {account} with {role}")
             break
 
     return result
@@ -360,7 +366,7 @@ def delete_cw_logs(item):
 
     filters = item['Filter']
     (cw_session, account, target) = get_client_session(item, 'logs')
-    print(f"LOG GROUP action on {target} with filters: {filters}")
+    print(f"LOG GROUP action on {account}/{target} with filters: {filters}")
 
     log_groups = list_cw_lognames(context=cw_session)
     for log_group_name in log_groups:
@@ -408,7 +414,6 @@ def delete_detector():
                 print('Deleting GuardDuty Detector in %s', account['Id'])
                 gd_client.delete_detector(DetectorId=det_id)
 
-
 def list_cb_projects():
     '''
     List all CodeBuild projects
@@ -433,35 +438,57 @@ def delete_build_projects(filters='sra-codebuild-'):
             cb_session = SESSION.client('codebuild')
             cb_session.delete_project(name=project)
 
-def get_account_info(ss_name='AWSControlTowerLoggingResources'):
+def get_log_account_info(context, ss_name='AWSControlTowerLoggingResources'):
+    ''' List first stack instances in a stackset '''
+
+    cf_client = context.client('cloudformation')
+    if ss_name in list_active_stackset_names(cf_client):
+        instance = cf_client.list_stack_instances(StackSetName=ss_name)
+        account_id = instance['Summaries'][0]['Account']
+        for account in get_list_of_accounts():
+            if account['Id'] == account_id:
+                account_name = account['Name']
+    else:
+        account_id = get_account_id('Log Archive')
+        account_name = 'LogArchive'
+
+    return {'AccountName': account_name, 'AccountID': account_id}
+
+def get_audit_account_info(context, ss_name='AWSControlTowerLoggingResources'):
     '''
     List first stack instances in a stackset
     '''
-    result = None
 
-    if ss_name in list_active_stackset_names():
-        instance = CF.list_stack_instances(StackSetName=ss_name)
+    cf_client = context.client('cloudformation')
+    if ss_name in list_active_stackset_names(cf_client):
+        instance = cf_client.list_stack_instances(StackSetName=ss_name)
         account_id = instance['Summaries'][0]['Account']
         for account in get_list_of_accounts():
             if account['Id'] == account_id:
                 account_name = account['Name']
-        result = {'AccountName': account_name, 'AccountID': account_id}
-    return result
+    else:
+        account_id = get_account_id('Audit')
+        account_name = 'Audit'
+
+    return {'AccountName': account_name, 'AccountID': account_id}
 
 def get_client_session(item, client_name):
-    '''
-    Return a session for parent or child
-    '''
+    ''' Return a session for parent or child '''
 
     account = None
     if 'Account' in item:
         if item['Account'] in ACCOUNTS:
+            print(f"Using account {ACCOUNTS[item['Account']]} for {client_name}")
             account = get_account_id(ACCOUNTS[item['Account']])
+            print(f"Got account ID: {account}")
+
     if account:
+        print(f"Establishing session to : {account}")
         session = establish_remote_session(account)
         client_session = session.client(client_name)
         target = account
     else:
+        print(f"Using local session for {client_name}")
         client_session = boto3.client(client_name)
         target = STS.get_caller_identity()['Account']
 
@@ -474,13 +501,17 @@ def delete_iam_role(item):
 
     role_name = item['Filter']
     (iam_session, account, target) = get_client_session(item, 'iam')
-    print(f"IAM action on {target} with role_name: {role_name}")
+    print(f"IAM action on {account}/{target} with role_name: {role_name}")
 
     try:
         policies = iam_session.list_attached_role_policies(RoleName=role_name)
         for policy in policies['AttachedPolicies']:
             print(f"..Detaching policy {policy['PolicyArn']} from role {role_name}.")
             iam_session.detach_role_policy(RoleName=role_name, PolicyArn=policy['PolicyArn'])
+        policies = iam_session.list_role_policies(RoleName=role_name)
+        for policy in policies['PolicyNames']:
+            print(f"..Deleting inline policy {policy} from role {role_name}.")
+            iam_session.delete_role_policy(RoleName=role_name, PolicyName=policy)
         print(f"....Deleting role {role_name}.")
         iam_session.delete_role(RoleName=role_name)
     except Exception as exe:
@@ -520,23 +551,25 @@ def run_cleanup(config):
                                      description='Clear the configuration.')
     PARSER.add_argument("-C", "--config", default='cleanup_config.json',
                         help="Clear content from config")
+    PARSER.add_argument("-r", "--home_region", default='us-east-1',
+                        help="Control Tower home region")
 
     ARGS = PARSER.parse_args()
+    CT_HOME = ARGS.home_region
+
+    ACC_SESSION = boto3.session.Session(region_name=CT_HOME)
+    LOG_ACCT_NAME = 'Log Archive'
+    AUDIT_ACCT_NAME = 'Audit'
+
+    LOG_ACCT_INFO = get_log_account_info(context=ACC_SESSION)
+    AUDIT_ACCT_INFO = get_audit_account_info(ACC_SESSION)
 
-    LOG_ACCT_INFO = get_account_info('AWSControlTowerLoggingResources')
-    AUDIT_ACCT_INFO = get_account_info('AWSControlTowerSecurityResources')
     if LOG_ACCT_INFO:
         LOG_ACCT_NAME = LOG_ACCT_INFO['AccountName']
-    else:
-        LOG_ACCT_NAME = 'Log Archive'
-
     if AUDIT_ACCT_INFO:
         AUDIT_ACCT_NAME = AUDIT_ACCT_INFO['AccountName']
-    else:
-        AUDIT_ACCT_NAME = 'Audit'
 
     ACCOUNTS = {"log_account": LOG_ACCT_NAME, "audit": AUDIT_ACCT_NAME}
-    print('Recieved Account Info: %s', ACCOUNTS)
     CLEAR_CFG = ARGS.config
 
     if isfile(CLEAR_CFG):
diff --git a/templates/abi-enable-qradar-integration.yaml b/templates/abi-enable-qradar-integration.yaml
index 822b263..f515841 100644
--- a/templates/abi-enable-qradar-integration.yaml
+++ b/templates/abi-enable-qradar-integration.yaml
@@ -49,6 +49,44 @@ Parameters:
     Default: ''
     Description: (Optional) Email address for receiving SRA alarms
     Type: String
+  pControlTower:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description:
+      Indicates whether AWS Control Tower is deployed and being used for this AWS environment.
+    Type: String
+  pSecurityAccountId:
+    AllowedPattern: '^\d{12}$'
+    Default: 111111111111
+    ConstraintDescription: Must be 12 digits.
+    Description: AWS Account ID of the Security Tooling account (ignored for AWS Control Tower environments).
+    Type: String
+  pLogArchiveAccountId:
+    AllowedPattern: '^\d{12}$'
+    Default: 222222222222
+    ConstraintDescription: Must be 12 digits.
+    Description: AWS Account ID of the Log Archive account (ignored for AWS Control Tower environments).
+    Type: String
+  pGovernedRegions:
+    AllowedPattern: '^(ct-regions)|((\b(?<!@)(af-south-1|ap-east-1|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ca-central-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|me-central-1|me-south-1|sa-east-1|us-east-1|us-east-2|us-gov-east-1|us-gov-west-1|us-west-1|us-west-2)\b,{0,1})*)$'
+    ConstraintDescription:
+      For AWS Control Tower, set to ct-regions (default).  If not using AWS Control Tower, specify comma separated list of regions (e.g. us-west-2,us-east-1,ap-south-1) in lower case.
+    Default: ct-regions
+    Description: AWS regions (comma separated) if not using AWS Control Tower (leave set to ct-regions for AWS Control Tower environments)
+    Type: String
+  pCreateAWSControlTowerExecutionRole:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Indicates whether the AWSControlTowerExecution role should be created in the management account. (Only when AWS Control Tower landing zone is deployed. The 'pControlTower' must be set to 'true')
+    Type: String
+  pAdminRoleName:
+    Default: 'AWSCloudFormationStackSetAdministrationRole'
+    Description: IAM role in the Management account, used to deploy stacks in other account/regions. Needed only when 'pControlTower' is set to 'false'
+    Type: String
+  pExecRoleName:
+    Default: 'AWSCloudFormationStackSetExecutionRole'
+    Description: IAM role in the AWS accounts, which allows trusted access to 'pAdminRoleName'. Needed only when 'pControlTower' is set to 'false'
+    Type: String
 
 Conditions:
   cEnableGuardDuty: !Equals [!Ref pConfigureGuardDuty, 'Yes']
@@ -56,6 +94,7 @@ Conditions:
   cEnableSetupIAMRoleStack: !Or
     - !Equals [!Ref pConfigureGuardDuty, 'Yes']
     - !Equals [!Ref pConfigureCloudTrail, 'Yes']
+  cControlTowerEnabled: !Equals [!Ref pControlTower, 'true']
 
 Resources:
   CloudTrailIntegrationStack:
@@ -71,6 +110,11 @@ Resources:
         pSRAS3BucketRegion: !Ref pSRAS3BucketRegion
         pSRASourceS3BucketName: !Ref pSRASourceS3BucketName
         pSRAStagingS3KeyPrefix: !Ref pSRAStagingS3KeyPrefix
+        pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
+        pControlTower: !Ref pControlTower
+        pGovernedRegions: !Ref pGovernedRegions
+        pSecurityAccountId: !Ref pSecurityAccountId
+        pLogArchiveAccountId: !Ref pLogArchiveAccountId
 
   CloudTrailReadyWaitCondition:
     Type: AWS::CloudFormation::WaitConditionHandle
@@ -93,16 +137,26 @@ Resources:
         pRepoBranch: !Ref pRepoBranch
         pSRAAlarmEmail: !Ref pSRAAlarmEmail
         pDisableGuardDuty: !Ref pDisableGuardDuty
+        pControlTower: !Ref pControlTower
+        pGovernedRegions: !Ref pGovernedRegions
+        pSecurityAccountId: !Ref pSecurityAccountId
+        pLogArchiveAccountId: !Ref pLogArchiveAccountId
 
   SetupIAMRoleStack:
     Type: AWS::CloudFormation::StackSet
     Condition: cEnableSetupIAMRoleStack
     Properties:
       StackSetName: qradar-setup-iam-role-stack
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !If 
+          - cControlTowerEnabled
+          - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+          - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pAdminRoleName}
       CallAs: SELF
       Description: Setup necessary IAM roles needed for the QRadar application to access the services
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !If
+          - cControlTowerEnabled
+          - 'AWSControlTowerExecution'
+          - !Ref pExecRoleName
       Capabilities:
         - CAPABILITY_NAMED_IAM
       ManagedExecution:
diff --git a/templates/enable-integrations/enable-cloudtrail-integrations.yaml b/templates/enable-integrations/enable-cloudtrail-integrations.yaml
index 1415a23..918437b 100644
--- a/templates/enable-integrations/enable-cloudtrail-integrations.yaml
+++ b/templates/enable-integrations/enable-cloudtrail-integrations.yaml
@@ -40,6 +40,47 @@ Parameters:
     Default: "tags/v3.0.4"
     Description: SRA version to tag
     Type: String
+  pControlTower:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description:
+      Indicates whether AWS Control Tower is deployed and being used for this AWS environment.
+    Type: String
+  pSecurityAccountId:
+    AllowedPattern: '^\d{12}$'
+    Default: 111111111111
+    ConstraintDescription: Must be 12 digits.
+    Description: AWS Account ID of the Security Tooling account (ignored for AWS Control Tower environments).
+    Type: String
+  pLogArchiveAccountId:
+    AllowedPattern: '^\d{12}$'
+    Default: 222222222222
+    ConstraintDescription: Must be 12 digits.
+    Description: AWS Account ID of the Log Archive account (ignored for AWS Control Tower environments).
+    Type: String
+  pGovernedRegions:
+    AllowedPattern: '^(ct-regions)|((\b(?<!@)(af-south-1|ap-east-1|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ca-central-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|me-central-1|me-south-1|sa-east-1|us-east-1|us-east-2|us-gov-east-1|us-gov-west-1|us-west-1|us-west-2)\b,{0,1})*)$'
+    ConstraintDescription:
+      For AWS Control Tower, set to ct-regions (default).  If not using AWS Control Tower, specify comma separated list of regions (e.g. us-west-2,us-east-1,ap-south-1) in lower case.
+    Default: ct-regions
+    Description: AWS regions (comma separated) if not using AWS Control Tower (leave set to ct-regions for AWS Control Tower environments)
+    Type: String
+  pCreateAWSControlTowerExecutionRole:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Indicates whether the AWSControlTowerExecution role should be created in the management account. (Only when AWS Control Tower landing zone is deployed. The 'pControlTower' must be set to 'true')
+    Type: String
+  pAdminRoleName:
+    Default: 'AWSCloudFormationStackSetAdministrationRole'
+    Description: IAM role in the Management account, used to deploy stacks in other account/regions. Needed only when 'pControlTower' is set to 'false'
+    Type: String
+  pExecRoleName:
+    Default: 'AWSCloudFormationStackSetExecutionRole'
+    Description: IAM role in the AWS accounts, which allows trusted access to 'pAdminRoleName'. Needed only when 'pControlTower' is set to 'false'
+    Type: String
+
+Conditions:
+  cControlTowerEnabled: !Equals [!Ref pControlTower, 'true']
 
 Resources:
   CloudTrailStack:
@@ -55,6 +96,11 @@ Resources:
         pEnableDataEventsOnly: 'false'
         pEnableLambdaDataEvents: 'false'
         pEnableS3DataEvents: 'true'
+        pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
+        pControlTower: !Ref pControlTower
+        pGovernedRegions: !Ref pGovernedRegions
+        pSecurityAccountId: !Ref pSecurityAccountId
+        pLogArchiveAccountId: !Ref pLogArchiveAccountId
       Tags:
         - Key: sra-solution
           Value: !Ref pSRAStagingS3KeyPrefix
@@ -63,10 +109,16 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: qradar-cloudtrail-event-stack
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !If 
+          - cControlTowerEnabled
+          - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+          - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pAdminRoleName}
       CallAs: SELF
       Description: Enabled S3 Bucket Event Listener to Send CloudTrail Messages to SQS
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !If
+          - cControlTowerEnabled
+          - 'AWSControlTowerExecution'
+          - !Ref pExecRoleName
       Capabilities:
         - CAPABILITY_NAMED_IAM
       ManagedExecution:
diff --git a/templates/enable-integrations/enable-guardduty-integrations.yaml b/templates/enable-integrations/enable-guardduty-integrations.yaml
index b551c52..a9d66eb 100644
--- a/templates/enable-integrations/enable-guardduty-integrations.yaml
+++ b/templates/enable-integrations/enable-guardduty-integrations.yaml
@@ -91,6 +91,47 @@ Parameters:
     Default: "tags/v3.0.4"
     Description: SRA version to tag
     Type: String
+  pControlTower:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description:
+      Indicates whether AWS Control Tower is deployed and being used for this AWS environment.
+    Type: String
+  pSecurityAccountId:
+    AllowedPattern: '^\d{12}$'
+    Default: 111111111111
+    ConstraintDescription: Must be 12 digits.
+    Description: AWS Account ID of the Security Tooling account (ignored for AWS Control Tower environments).
+    Type: String
+  pLogArchiveAccountId:
+    AllowedPattern: '^\d{12}$'
+    Default: 222222222222
+    ConstraintDescription: Must be 12 digits.
+    Description: AWS Account ID of the Log Archive account (ignored for AWS Control Tower environments).
+    Type: String
+  pGovernedRegions:
+    AllowedPattern: '^(ct-regions)|((\b(?<!@)(af-south-1|ap-east-1|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ca-central-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|me-central-1|me-south-1|sa-east-1|us-east-1|us-east-2|us-gov-east-1|us-gov-west-1|us-west-1|us-west-2)\b,{0,1})*)$'
+    ConstraintDescription:
+      For AWS Control Tower, set to ct-regions (default).  If not using AWS Control Tower, specify comma separated list of regions (e.g. us-west-2,us-east-1,ap-south-1) in lower case.
+    Default: ct-regions
+    Description: AWS regions (comma separated) if not using AWS Control Tower (leave set to ct-regions for AWS Control Tower environments)
+    Type: String
+  pCreateAWSControlTowerExecutionRole:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Indicates whether the AWSControlTowerExecution role should be created in the management account. (Only when AWS Control Tower landing zone is deployed. The 'pControlTower' must be set to 'true')
+    Type: String
+  pAdminRoleName:
+    Default: 'AWSCloudFormationStackSetAdministrationRole'
+    Description: IAM role in the Management account, used to deploy stacks in other account/regions. Needed only when 'pControlTower' is set to 'false'
+    Type: String
+  pExecRoleName:
+    Default: 'AWSCloudFormationStackSetExecutionRole'
+    Description: IAM role in the AWS accounts, which allows trusted access to 'pAdminRoleName'. Needed only when 'pControlTower' is set to 'false'
+    Type: String
+
+Conditions:
+  cControlTowerEnabled: !Equals [!Ref pControlTower, 'true']
 
 Resources:
   GuardDutyStack:
@@ -113,6 +154,11 @@ Resources:
         pEnableEksAddonManagement: !Ref pEnableEksAddonManagement
         pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs
         pGuardDutyFindingPublishingFrequency: !Ref pGuardDutyFindingPublishingFrequency
+        pControlTower: !Ref pControlTower
+        pGovernedRegions: !Ref pGovernedRegions
+        pSecurityAccountId: !Ref pSecurityAccountId
+        pLogArchiveAccountId: !Ref pLogArchiveAccountId
+        pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
       Tags:
         - Key: sra-solution
           Value: !Ref pSRAStagingS3KeyPrefix
@@ -121,10 +167,16 @@ Resources:
     Type: AWS::CloudFormation::StackSet
     Properties:
       StackSetName: qradar-guardduty-event-stack
-      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+      AdministrationRoleARN: !If 
+          - cControlTowerEnabled
+          - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole
+          - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pAdminRoleName}
       CallAs: SELF
       Description: Enabled S3 Bucket Event Listener to Send GuardDuty finding events to SQS
-      ExecutionRoleName: AWSControlTowerExecution
+      ExecutionRoleName: !If
+          - cControlTowerEnabled
+          - 'AWSControlTowerExecution'
+          - !Ref pExecRoleName
       Capabilities:
         - CAPABILITY_NAMED_IAM
       ManagedExecution: