This monorepo contains a collection of tools and frameworks for performing ReSCO (Resilience, Security, and Cost Optimization) assessments across different types of workloads and infrastructures. It uses AWS serverless services to gather data from the control plane and produces a list of assessments, each with a severity level and recommended actions.
ReSCO assessments help organizations evaluate and improve their:
- Resilience: System reliability, fault tolerance, and disaster recovery capabilities
- Security: Security posture, compliance, and risk management
- Cost Optimization: Resource utilization, cost efficiency, and optimization opportunities
| Project | Description | Status |
|---|---|---|
| resco-aiml-assessment | ReSCO assessment tools for AI/ML workloads | Active |
Prerequisites:
- Python 3.12+ (Install Python)
- SAM CLI (Install the SAM CLI)
- Docker (Install Docker community edition)
Clone the Repository:

```bash
git clone https://github.com/your-username/resco-assessments.git
cd resco-assessments/deployment
```
You will see the 1-resco-member-roles.yaml and 2-resco-multi-account-assessment.yaml files in the deployment folder.
For a single-account deployment, proceed to Deployment Step #2 and choose Single Account Mode.
The multi-account deployment consists of:
- Central Security Account: Runs the main assessment infrastructure
- Member Accounts: Have cross-account roles that allow the central account to perform assessments
Deployment Step #1: Deploy 1-resco-member-roles.yaml to all target accounts using CloudFormation StackSets.
Prerequisites:
- AWS Organizations setup with management account access
- StackSets service-linked roles configured
```bash
# Create the StackSet
aws cloudformation create-stack-set \
  --stack-set-name resco-aiml-member-roles \
  --template-body file://1-resco-member-roles.yaml \
  --parameters ParameterKey=ReSCOAccountID,ParameterValue=123456789012 \
  --capabilities CAPABILITY_NAMED_IAM \
  --administration-role-arn arn:aws:iam::MANAGEMENT-ACCOUNT:role/service-role/AWSCloudFormationStackSetAdministrationRole \
  --execution-role-name AWSCloudFormationStackSetExecutionRole

# Deploy to target accounts
aws cloudformation create-stack-instances \
  --stack-set-name resco-aiml-member-roles \
  --deployment-targets OrganizationalUnitIds=ou-root-xxxxxxxxxx \
  --regions us-east-1 \
  --parameter-overrides ParameterKey=ReSCOAccountID,ParameterValue=123456789012
```
Parameters:
- ReSCOAccountID: Account ID where the central ReSCO infrastructure will run
Deployment Step #2: Deploy 2-resco-multi-account-assessment.yaml in your central security account.
```bash
aws cloudformation create-stack \
  --stack-name resco-aiml-multi-account \
  --template-body file://2-resco-multi-account-assessment.yaml \
  --parameters \
    ParameterKey=MultiAccountScan,ParameterValue=true \
    ParameterKey=EmailAddress,ParameterValue=security-team@company.com \
    ParameterKey=ConcurrentAccountScans,ParameterValue=Three \
  --capabilities CAPABILITY_NAMED_IAM
```
Key Parameters:
- MultiAccountScan: Set to `true` for multi-account scanning
- MultiAccountListOverride: Space-delimited list of specific accounts (optional)
- EmailAddress: Email for completion notifications (optional)
- ConcurrentAccountScans: Number of parallel scans (Three/Six/Twelve)
Single Account Mode:
- Creates a local ReSCOAIMLMemberRole
- Runs the assessment in the same account
- Uses a local S3 bucket for results
Multi-Account Mode:
- Lists all active accounts in AWS Organizations
- Assumes ReSCOAIMLMemberRole in each target account
- Deploys the SAM application in each account with a shared S3 bucket
- Executes Step Functions in each account
- Consolidates results in the central S3 bucket
Execution flow:
- CodeBuild project starts automatically after stack creation
- For each target account:
  - Assumes the cross-account role
  - Deploys the ReSCO SAM application
  - Executes the Step Functions state machine
  - Stores results in the central S3 bucket
- Sends a completion notification (if configured)
Central account (CodeBuild) permissions:
- Assume roles in member accounts
- List AWS Organizations accounts
- Deploy CloudFormation/SAM applications
- Execute Step Functions
- Write to the S3 bucket
Member role (ReSCOAIMLMemberRole) permissions:
- Read-only access to AIML services (Bedrock, SageMaker)
- IAM read permissions for security assessment
- CloudTrail, GuardDuty, Lambda read permissions
- VPC and EC2 read permissions
Supporting resources:
- S3 Bucket: Central storage for all assessment results
- CloudWatch Logs: CodeBuild execution logs
- SNS Notifications: Email alerts on completion/failure
- EventBridge Rules: Automated workflow triggers
Update the StackSet to include new organizational units or specific accounts:

```bash
aws cloudformation create-stack-instances \
  --stack-set-name resco-aiml-member-roles \
  --accounts 111111111111 222222222222 \
  --regions us-east-1
```
Edit the member role permissions in 1-resco-member-roles.yaml to add or remove service permissions.
Adjust the ConcurrentAccountScans parameter based on your organization size and cost considerations.
Common issues:
- StackSet Deployment Failures: Check service-linked roles and permissions
- Cross-Account Role Assumption: Verify trust relationships and account IDs
- SAM Deployment Failures: Check CodeBuild logs for specific errors
- Step Functions Execution: Monitor state machine executions in each account
Debugging steps:
- Check CodeBuild project logs in CloudWatch
- Verify cross-account role trust policies
- Ensure S3 bucket permissions allow cross-account writes
- Monitor Step Functions executions for individual account assessments
We welcome community contributions! Please see CONTRIBUTING.md for guidelines.
Security:
- All roles follow the least-privilege principle
- Cross-account trust limited to the specific CodeBuild role
- S3 bucket enforces SSL-only access
- Assessment data encrypted in transit and at rest
- No persistent credentials stored in CodeBuild
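The three security properties that are easiest to regress when you edit 1-resco-member-roles.yaml (trust limited to one CodeBuild role, read-only member permissions, SSL-only results bucket) can be checked offline against the rendered policy documents. The following is an added example written for this README, not code from the repository or its templates: the policy documents are constructed samples that mirror what the text describes, the central CodeBuild role name `resco-aiml-codebuild-role` is an assumption (the template's actual role name may differ), and the account ID is the placeholder used in the deployment commands above. It also serves the "Verify cross-account role trust policies" debugging step.

```python
"""Offline least-privilege checks for ReSCO member-role and results-bucket policies.

All policy documents below are CONSTRUCTED samples for this example; they are not
copied from 1-resco-member-roles.yaml or 2-resco-multi-account-assessment.yaml.
"""

CENTRAL_ACCOUNT_ID = "123456789012"  # placeholder account ID used in the README's commands
# ASSUMPTION: hypothetical name of the central CodeBuild project's role.
CENTRAL_CODEBUILD_ROLE_ARN = f"arn:aws:iam::{CENTRAL_ACCOUNT_ID}:role/resco-aiml-codebuild-role"
# Action-name prefixes we treat as read-only for the member role.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM allows scalars or lists for Action/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy: dict) -> list[str]:
    """Findings for a member-role trust policy that should trust only the CodeBuild role."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("trust policy allows any AWS principal (*)")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn.endswith(":root") or ":user/" in arn:
                findings.append(f"trust not limited to the CodeBuild role: {arn}")
            elif arn != CENTRAL_CODEBUILD_ROLE_ARN:
                findings.append(f"unexpected principal: {arn}")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            findings.append("allow statement grants something other than sts:AssumeRole")
    return findings


def non_read_only_actions(policy: dict) -> list[str]:
    """Allowed actions that are not Get*/List*/Describe*; wildcards are always flagged."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            name = action.partition(":")[2]  # "" for a bare "*", "*" for "svc:*"
            if name == "*" or not name.startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged


def bucket_enforces_ssl_only(bucket_policy: dict) -> bool:
    """True if the bucket denies all S3 actions to everyone when aws:SecureTransport is false."""
    for stmt in bucket_policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if (stmt.get("Effect") == "Deny"
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"
                and "s3:*" in _as_list(stmt.get("Action", []))
                and stmt.get("Principal") in ("*", {"AWS": "*"})):
            return True
    return False


# Constructed sample documents (not taken from the repository templates).
MEMBER_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CENTRAL_CODEBUILD_ROLE_ARN}, "Action": "sts:AssumeRole"}]}
OVERLY_BROAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{CENTRAL_ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole"}]}
MEMBER_ROLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["bedrock:List*", "bedrock:Get*", "sagemaker:Describe*", "sagemaker:List*",
               "iam:Get*", "iam:List*", "cloudtrail:DescribeTrails", "guardduty:ListDetectors",
               "lambda:GetFunction", "ec2:DescribeVpcs", "s3:PutObject"]}]}
RESULTS_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::resco-results-example", "arn:aws:s3:::resco-results-example/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    print("trust findings (expected none):", trust_policy_findings(MEMBER_ROLE_TRUST))
    print("trust findings (root principal):", trust_policy_findings(OVERLY_BROAD_TRUST))
    print("non read-only actions to review:", non_read_only_actions(MEMBER_ROLE_PERMISSIONS))
    print("results bucket SSL-only:", bucket_enforces_ssl_only(RESULTS_BUCKET_POLICY))
```

Flagged actions are a review list, not automatic failures: the sample deliberately includes `s3:PutObject`, because a member account has to write its results to the shared bucket, so that one is expected while anything like `iam:*` or `sagemaker:CreateEndpoint` would not be. To check the real templates, render them with `aws cloudformation get-template` or `sam build` and feed the resulting policy documents to these functions.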
See Security issue notifications for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.