(docs) various updates (#1067)
* corrections

- remove duplicate scp line
- fix bad section reference in docs

* add endpoint question to FAQ

* Doc tweaks for 154 release
Brian969 authored Oct 5, 2022
1 parent 2b80ec7 commit 82b13af
Showing 6 changed files with 69 additions and 50 deletions.
1 change: 0 additions & 1 deletion reference-artifacts/SCPs/ASEA-Guardrails-Sandbox.json
Expand Up @@ -7,7 +7,6 @@
"Action": [
"aws-marketplace:CreatePrivate*",
"aws-marketplace:AssociateProductsWithPrivate*",
"aws-marketplace:CreatePrivate*",
"aws-marketplace:DescribePrivate*",
"aws-marketplace:DisassociateProducts*",
"aws-marketplace:ListPrivate*",
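Review bot: removing the second `"aws-marketplace:CreatePrivate*"` does not change what this SCP allows or denies, since a repeated entry in an `Action` array is evaluated the same as a single one, so the change is safe to merge as a cleanup. The same `Action` block appears verbatim in ASEA-Guardrails-Sensitive.json and ASEA-Guardrails-Unclass.json and all three carry the identical fix in this commit, which is a sign that the shared guardrail statements would benefit from a test that diffs them across the three files, so that a future edit to one of them cannot drift from the others unnoticed.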
1 change: 0 additions & 1 deletion reference-artifacts/SCPs/ASEA-Guardrails-Sensitive.json
Expand Up @@ -7,7 +7,6 @@
"Action": [
"aws-marketplace:CreatePrivate*",
"aws-marketplace:AssociateProductsWithPrivate*",
"aws-marketplace:CreatePrivate*",
"aws-marketplace:DescribePrivate*",
"aws-marketplace:DisassociateProducts*",
"aws-marketplace:ListPrivate*",
1 change: 0 additions & 1 deletion reference-artifacts/SCPs/ASEA-Guardrails-Unclass.json
Expand Up @@ -7,7 +7,6 @@
"Action": [
"aws-marketplace:CreatePrivate*",
"aws-marketplace:AssociateProductsWithPrivate*",
"aws-marketplace:CreatePrivate*",
"aws-marketplace:DescribePrivate*",
"aws-marketplace:DisassociateProducts*",
"aws-marketplace:ListPrivate*",
101 changes: 60 additions & 41 deletions src/mkdocs/docs/faq/index.md
Expand Up @@ -346,6 +346,47 @@

Additionally, setting "populate-all-elbs-in-param-store": true for an account will populates all Accelerator wide ELB information into parameter store within that account. The sample PBMM configuration files set this value on the perimeter account, such that ELB information is available to configure centralized ingress capabilities.

??? faq "1.3.3. How do I deploy AWS Elastic Beanstalk instances?"

#### How do I deploy AWS Elastic Beanstalk instances?

If your deployed environment contains an SCP enforcing volume encryption of EC2 instances, your Elastic Beanstalk deployment will fail.

The SCP will contain an entry like this:

```json
{
"Sid": "EBS1",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:volume/*",
"Condition": {
"Bool": {
"ec2:Encrypted": "false"
}
}
},

```
A solution is to encrypt the root volume of the AMI that Elastic Beanstalk uses for your selected platform, and perform a custom AMI deployment of your Elastic Beanstalk application.

You can gather the AMI that Elastic Beanstalk uses via CLI with the following command:

```bash
aws elasticbeanstalk describe-platform-version --region <YOUR_REGION> --platform-arn <ARN_EB_PLATFORM>
```

Once you have gathered the AMI ID successfully, go to the EC2 console and:

- Click on the ‘AMIs’ option in the left navigation pane
- Search for your AMI after selecting ‘Public Images’ from the dropdown list.
- Select the AMI
- Go to Actions and Copy AMI
- Click on the checkbox to enable ‘Encryption’ and then select "Copy AMI".

Once the AMI is successfully copied, you can use this AMI to specify a custom AMI in your Elastic Beanstalk environments with root volume encrypted.


## 1.4. Upgrades

??? faq "1.4.1. Can I upgrade directly to the latest release, or must I perform upgrades sequentially?"
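Review bot: the SCP excerpt ends with `},` followed by a blank line inside the fence, so it is a fragment rather than a statement a reader can validate on its own; either drop the trailing comma and blank line or say in the lead sentence that this is one statement lifted from a larger policy. On the procedure, the step that ticks 'Encryption' does not say which KMS key the copy should use, and nothing says the copy must be made in the region where the Elastic Beanstalk environment will run; both decide whether the copied AMI actually satisfies the `ec2:Encrypted` condition the SCP checks and can be selected at all, so they belong in the steps. This block is also the same text as the 1.6.17 entry removed in the next hunk, so it is a move rather than new content; a one-line pointer under 1.6 to the new 1.3.3 location would help anyone who bookmarked the old anchor.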
Expand Down Expand Up @@ -873,47 +914,25 @@

![Logging](../installation/img/ASEA-Logging-Arch.png)

??? faq "1.6.17. How do I deploy AWS Elastic Beanstalk instances?"

#### How do I deploy AWS Elastic Beanstalk instances?

If your deployed environment contains an SCP enforcing volume encryption of EC2 instances, your Elastic Beanstalk deployment will fail.

The SCP will contain an entry like this:

```json
{
"Sid": "EBS1",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:volume/*",
"Condition": {
"Bool": {
"ec2:Encrypted": "false"
}
}
},

```
A solution is to encrypt the root volume of the AMI that Elastic Beanstalk uses for your selected platform, and perform a custom AMI deployment of your Elastic Beanstalk application.

You can gather the AMI that Elastic Beanstalk uses via CLI with the following command:

```bash
aws elasticbeanstalk describe-platform-version --region <YOUR_REGION> --platform-arn <ARN_EB_PLATFORM>
```

Once you have gathered the AMI ID successfully, go to the EC2 console and:

- Click on the ‘AMIs’ option in the left navigation pane
- Search for your AMI after selecting ‘Public Images’ from the dropdown list.
- Select the AMI
- Go to Actions and Copy AMI
- Click on the checkbox to enable ‘Encryption’ and then select "Copy AMI".

Once the AMI is successfully copied, you can use this AMI to specify a custom AMI in your Elastic Beanstalk environments with root volume encrypted.


??? faq "1.6.17. Why are only select interface endpoints provisioned in the sample configuration files?"

#### Why are only select interface endpoints provisioned in the sample configuration files?

For economic reasons, most of the sample configuration files only include the following minimum set of required interface endpoints:

"ec2", "ec2messages", "ssm", "ssmmessages", "secretsmanager", "cloudformation", "kms", "logs", "monitoring"

The full sample configuration file included all interface endpoints that existed in the Canada (Central) region at the time the configuration file was originally developed:

"access-analyzer", "acm-pca", "application-autoscaling", "appmesh-envoy-management", "athena", "autoscaling", "autoscaling-plans", "awsconnector", "cassandra", "clouddirectory", "cloudformation", "cloudtrail", "codebuild", "codecommit", "codepipeline", "config", "datasync", "ebs", "ec2", "ec2messages", "ecr.api", "ecr.dkr", "ecs", "ecs-agent", "ecs-telemetry", "elasticbeanstalk", "elasticbeanstalk-health", "elasticfilesystem", "elasticloadbalancing", "elasticmapreduce", "email-smtp", "events", "execute-api", "git-codecommit", "glue", "kinesis-firehose", "kinesis-streams", "kms", "license-manager", "logs", "macie2", "monitoring", "notebook", "sagemaker.api", "sagemaker.runtime", "secretsmanager", "servicecatalog", "sms", "sns", "sqs", "ssm", "ssmmessages", "states", "storagegateway", "sts", "synthetics", "transfer", "transfer.server", "workspaces"

Since that time these additional endpoints have been launched in the ca-central-1 region and can be optionally added to customer configuration files to make them accessible from private address space:

"airflow.api", "airflow.env", "airflow.ops", "app-integrations", "appstream.api", "appstream.streaming", "auditmanager", "backup", "backup-gateway", "batch", "cloudhsmv2", "codedeploy", "codedeploy-commands-secure", "codestar-connections.api", "comprehend", "comprehendmedical", "databrew", "dms", "elasticache", "emr-containers", "finspace", "finspace-api", "fis", "fsx", "greengrass", "imagebuilder", "inspector2", "iot.data", "iot.fleethub.api", "iotsitewise.api", "iotsitewise.data", "kendra", "lakeformation", "lambda", "memory-db", "mgn", "models-v2-lex", "nimble", "panorama", "profile", "qldb.session", "rds", "rds-data", "redshift", "redshift-data", "rekognition", "runtime-v2-lex", "sagemaker.featurestore-runtime", "securityhub", "servicecatalog-appregistry", "ssm-contacts", "ssm-incidents", "sync-states", "textract", "transcribe", "transcribestreaming", "translate", "xray"

The aws.sagemaker.ca-central-1.studio interface endpoint was also launched, but cannot be auto-deployed by the Accelerator at this time as it does not utilize standardized naming and requires a code update to enable deployment.

Additional endpoints may exist in other AWS regions. Any endpoint can be added to any Accelerator configuration file, as long as it follows the standardized endpoint naming convention (e.g. com.amazonaws.{region}.{service}).

## 1.7. Network Architecture
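Review bot: the three endpoint lists are bare comma-separated strings in body text, while the rest of this FAQ fences configuration fragments; fencing them would make them copy-pasteable into a configuration file and stop mkdocs from reflowing each into one long paragraph. The 'since that time' list is undated, and new interface endpoints keep appearing, so stating the date it was checked (this commit is dated 2022-10-05) tells readers how current it is. The closing paragraph says any endpoint can be added if it follows `com.amazonaws.{region}.{service}`, but the paragraph just above shows `aws.sagemaker.ca-central-1.studio` as one that does not and needs a code change; tying the two together ('any endpoint whose name follows the convention; endpoints such as the SageMaker Studio one do not, and require a code update') would make the rule and its exception read as one statement.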

13 changes: 8 additions & 5 deletions src/mkdocs/docs/installation/install.md
Expand Up @@ -215,7 +215,7 @@ Multiple options exist for downloading the GitHub Accelerator codebase and pushi
- Do NOT download the code off the main GitHub branch, this will leave you in a completely unsupported state (and with beta code)
3. Push the extracted codebase into the newly created CodeCommit repository, maintaining the file/folder hierarchy
4. Set the default CodeCommit branch for the new repository to main
5. Create a branch following the Accelerator naming format for your release (i.e. `release/v1.5.3`)
5. Create a branch following the Accelerator naming format for your release (i.e. `release/v1.5.4`)

### 1.4.3. AWS Internal (Employee) Accounts Only
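Review bot: the release branch name `release/v1.5.4` is hand-edited here and again in the CloudFormation parameter step of this same file (`the latest stable branch is currently \`release/v1.5.4\`, case sensitive`); a future bump that touches one and misses the other leaves the two steps contradicting each other, so consider sourcing both from one place. Minor: `i.e.` introduces an example of the naming format, so `e.g.` is the right abbreviation.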

Expand Down Expand Up @@ -318,7 +318,7 @@ If deploying to an internal AWS employee account and installing the solution wit
- Add an `Email` address to be used for State Machine Status notification
- The `GitHub Branch` should point to the release you selected
- if upgrading, change it to point to the desired release
- the latest stable branch is currently `release/v1.5.3`, case sensitive
- the latest stable branch is currently `release/v1.5.4`, case sensitive
- click `Next`
7. Finish deploying the stack
- Apply a tag on the stack, Key=`Accelerator`, Value=`ASEA` (case sensitive).
Expand Down Expand Up @@ -369,8 +369,9 @@ Current Issues:

- **NEW 2022-08-07** An issue with the version of cfn-init in the "latest" AWS standard Windows AMI will cause the state machine to fail during a new installation when deploying an RDGW host. RDGW hosts in existing deployments will fail to fully initialize if the state machine is or has been recently run and the auto-scaling group subsequently refreshes the host (default every 7 days).

- To temporarily workaround this issue, assume an administrative role in your `operations` account, open Systems Manager Parameter Store, and `Create parameter` with a Name of `/asea/windows-ami` and a value of `ami-0d336ea070bc06fb8` (which is the previous good AMI), accepting the other default values. Update your config file to point to this new parameter by changing `image-path` (under \deployments\mad) to `/asea/windows-ami` instead of `/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base`. Rerun your state machine. If you have an existing RDGW instance it should be terminated to allow the auto-scaling group to redeploy it.
- This config file entry should be reverted and state machine rerun once the next AWS Windows AMI is released (hopefully within the next week) to ensure you are always using the latest Windows AMI.
- To temporarily workaround this issue, assume an administrative role in your `operations` account, open Systems Manager Parameter Store, and `Create parameter` with a Name of `/asea/windows-ami` and a value of `ami-0d336ea070bc06fb8` (which is the previous good AMI in ca-central-1), accepting the other default values. Update your config file to point to this new parameter by changing `image-path` (under \deployments\mad) to `/asea/windows-ami` instead of `/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base`. Rerun your state machine. If you have an existing RDGW instance it should be terminated to allow the auto-scaling group to redeploy it.
- In other regions you will need to lookup the previous working ami-id (you cannot use `ami-0d336ea070bc06fb8`)
- This config file entry should be reverted and state machine rerun once the next (validated fixed) AWS Windows AMI is released to ensure you are always using the latest Windows AMI. **NOTE: Issue still exists 2022-10-05.**

- If dns-resolver-logging is enabled, VPC names containing spaces are not supported at this time as the VPC name is used as part of the log group name and spaces are not supported in log group names. By default in many of the sample config files, the VPC name is auto-generated from the OU name using a variable. In this situation, spaces are also not permitted in OU names (i.e. if any account in the OU has a VPC with resolver logging enabled and the VPC is using the OU as part of its name)
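Review bot: the new line tells readers in other regions to 'lookup the previous working ami-id' but gives no way to do it; the workaround should name a method, for instance listing Amazon-owned images that share the name prefix of the parameter already referenced (`aws ec2 describe-images --owners amazon --filters "Name=name,Values=Windows_Server-2016-English-Full-Base-*"`) and taking the release before the current one. For the same reason, whichever ID is pinned (including `ami-0d336ea070bc06fb8`) should be checked to be Amazon-owned before it is written to `/asea/windows-ami`, because the state machine will launch whatever image that ID resolves to in the region. The added status line (`Issue still exists 2022-10-05`) is the right signal to keep current, since pinning an older AMI forgoes its later patches and the revert step only happens if readers know the issue is still open.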

Expand All @@ -382,7 +383,7 @@ Current Issues:

Issues in Older Releases:

- New installs to releases prior to v1.3.9 are no longer supported.
- New installs to releases prior to v1.5.4 are no longer supported.
- Upgrades to releases prior to v1.3.8 are no longer supported.

## 1.7. Post-Installation
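Review bot: the new-install floor moves from v1.3.9 straight to v1.5.4, the release this commit documents, while the upgrade floor on the next line stays at v1.3.8; if the intent is that new installs are supported only on the current release, say that directly (for example 'New installs must use the latest release'), otherwise confirm the version, since upgrades.md in this same commit still describes v1.5.1-a as a supported upgrade target.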
Expand All @@ -391,6 +392,8 @@ The Accelerator installation is complete, but several manual steps remain:

1. Enable and configure AWS SSO in your `home` region (i.e. ca-central-1)

- **NOTE: AWS SSO has been renamed to AWS IAM Identity Center (IdC). The IdC GUI has also been reworked. The below steps are no longer click-by-click accurate. An update to the below documentation is planned, which will also include instructions to delegate AWS IdC administration to the Operations account enabling connecting IdC directly to MAD, rather than through an ADC.**

- Login to the AWS Console using your Organization Management account
- Navigate to AWS Single Sign-On, click `Enable SSO`
- Set the SSO directory to AD ("Settings" => "Identity Source" => "Identity Source" => click `Change`, Select Active Directory, and select your domain from the list)
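Review bot: the NOTE uses `MAD` and `ADC` without expanding them, and this is the first place in the post-installation steps a reader meets them; spell out AWS Managed Microsoft AD and AD Connector once. The bolded note also sits as the first bullet of step 1's sub-list, so it renders as a step rather than a caveat; placing it as a paragraph between step 1 and its bullets, or as an admonition (this site already uses `??? faq` blocks), keeps the numbered procedure intact. The planned change to delegate Identity Center administration to the Operations account is worth calling out as a security improvement when that update lands, since it keeps day-to-day identity administration out of the management account.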
2 changes: 1 addition & 1 deletion src/mkdocs/docs/installation/upgrades.md
Expand Up @@ -19,7 +19,7 @@

- Upgrades to `v1.5.1-a and above` from `v1.5.0` or `v1.5.1`:
- Do not add the parameter: `"ssm-inventory-collection": true` to OUs or accounts which already have SSM Inventory configured or the state machine will fail
- Follow the standard upgrade steps detailed in section 3.2 below
- Follow the standard upgrade steps detailed in section 1.3 below
- `v1.5.1` was replaced by v1.5.1-a and is no longer supported for new installs or upgrades
- Upgrades to `v1.5.0` and `v1.5.1-a and above` from `v1.3.8 through v1.3.9`:
- We recommend upgrading directly to v1.5.1-a
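Review bot: the corrected reference now points at 'section 1.3 below', but a hard-coded section number will go stale again the next time headings are renumbered, which is exactly how the old '3.2' became wrong; link to the heading by its anchor instead so mkdocs keeps the reference valid when numbering changes.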
