Deploy single (per-region) CMK KMS keys and share to all accounts in the AWS Organization

[julian-price]

trafficstars

Following on from my comment in https://github.com/aws-solutions/automated-security-response-on-aws/issues/178#issuecomment-2363130018, this enhancement request centres on provisioning a single CMK KMS key per region, shared to an AWS Organization to remediate findings with. For obvious reasons, this type of deployment would only be applicable where the sharr solution was deployed in an AWS Organization, but it would greatly reduce the costs of running the solution (in my case about 90% of the costs would be saved by deploying in this manner).

I have implemented a version of the solution locally that creates shared keys.

Changes Made

1. A DEPLOY_TO_AWS_ORG environment variable was added to the SolutionDeployStack which, if set via the -o switch in the build-s3-dist.sh script will generate a version of the sharr solution that uses KMS kets shared to the Organization.
2. The MemberStack was changed to take an optional sharedKeyAccount parameter along with a boolean property (deployToOrg) denoting whether the solution is to be deployed to an Org. If true, then the MemberRemediationKey construct just looks up the key from its alias ARN; if false, the key is created by the MemberRemediationKey construct. The key ARN, whether shared or not still gets stored in an SSM parameter in each member account.
3. A new OrganizationSharedKeyStack was created that takes an OrganizationIdParam parameter and creates a key (using the same key creation method as the MemberRemediationKey construct).
4. The SolutionDeployStack was modified to create the OrganizationSharedKeyStack and add tagging (https://github.com/aws-solutions/automated-security-response-on-aws/issues/202)