/aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation and Customizations for AWS Control Tower.

Primary LanguagePythonOtherNOASSERTION

AWS Security Reference Architecture Examples

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

Table of Contents

Introduction

This repository contains code to help developers and engineers deploy AWS security-related services in an AWS Control Tower multi-account environment following patterns that align with the AWS Security Reference Architecture. The Amazon Web Services (AWS) Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment.

The AWS service configurations and resources (e.g. IAM roles and policies) deployed by these templates are deliberately very restrictive. They are intended to illustrate an implementation pattern rather than provide a complete solution. You may need to modify and tailor these solutions to suit your environment and security needs.

The examples within this repository have been deployed and tested within an AWS Control Tower environment using AWS CloudFormation as well as the Customizations for AWS Control Tower (CFCT) solution.

Getting Started Using the AWS SRA Easy Setup (Recommended)

How to get started with the easy setup process diagram

  1. Setup the environment to configure AWS Control Tower within a new or existing AWS account. Existing AWS Control Tower environments can also be used but may require existing service configurations to be removed.
  2. Choose a deployment method:
  3. If using CfCT, deploy the AWSControlTowerExecution role into the management account.
  4. Using parameters within the easy setup template file, choose which AWS SRA Solutions to deploy. This can be done during initial setup or as an update later.

For more information view the AWS SRA Easy Setup solution page.

AWS SRA Easy Setup

Using the AWS SRA Easy Setup, the common prerequisites and all AWS SRA solutions are automatically packaged, staged, and deployed into your AWS environment with minimal effort. This is the recommended method to install the AWS SRA code library because it reduces the likelihood of missing a step in the Manual install method. If using this method to install the AWS SRA code library, there is no other process you need to follow.

Follow the instructions in the AWS SRA Easy Setup solution page to install everything you need to get the AWS SRA code library and it's solutions deployed.

Manual Install Method For the AWS SRA

How to get started process diagram (manual install)

  1. Setup the environment to configure AWS Control Tower within a new or existing AWS account. Existing AWS Control Tower environments can also be used but may require existing service configurations to be removed.
  2. Deploy the Common Prerequisites solution. Note: This only needs to be done once for all the solutions.
  3. Choose a deployment method:
  4. (Optional) - Deploy the Customizations for AWS Control Tower (CFCT) Setup solution. Note Only implement if the CFCT deployment method was selected.
  5. Per your requirements select one or all of the below AWS SRA Solutions to implement via the selected deployment method.
    • You may use the Quick Setup to deploy the AWS SRA Solutions at this step.

AWS SRA Quick Setup

The Quick Setup can be used along with the manual install of the AWS SRA. Once you have manually installed the common prerequisites, instead of installing each solution individually, you can deploy all the Example Solutions listed in the below table via a single centralized CloudFormation template either directly within the CloudFormation console or via the Customizations for AWS Control Tower (CFCT) solution. Our testing within an environment that has the default AWS Control Tower setup (3 accounts and 1 region) resulted in deploying all the solutions within the Quick Setup in under 20 minutes.

Follow the instructions within the Quick Setup to deploy all or a subset of the solutions based on your environment requirements.

Note: The Quick Setup is not designed to be used with the Easy Setup procedure. Using them together may produce mixed results as we have not tested this. It is recommended to use the Easy Setup process

Example Solutions

  • Note: All solutions below depend on the Common Prerequisites solution in addition to the specified solutions within the Depends On column.
  • Navigate to corresponding example solution to review what is deployed and configured within the environment.
Example Solution Solution Highlights What does Control Tower provide? Depends On
Account Alternate Contacts Sets the billing, operations, and security alternate contacts for all accounts within the organization.
CloudTrail Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events. CloudTrail enabled in each account with management events only.
Config Management Account Enables AWS Config in the Management account to allow resource compliance monitoring. Configures AWS Config in all accounts except for the Management account in each governed region.
Config Organization Conformance Pack Deploys a conformance pack to all accounts and provided regions within an organization.
Config Organization Aggregator Not required for most Control Tower environments. Deploy an Organization Config Aggregator to a delegated admin other than the Audit account. Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account.
EC2 Default EBS Encryption Configures the EC2 default EBS encryption to use the default KMS key within all provided regions.
Firewall Manager Demonstrates configuring a security group policy and WAF policies for all accounts within an organization.
GuardDuty Configures GuardDuty within a delegated admin account for all accounts within an organization.
IAM Access Analyzer Configures an organization analyzer within a delegated admin account and account level analyzer within each account.
IAM Account Password Policy Sets the account password policy for users to align with common compliance standards.
Macie Configures Macie within a delegated admin account for all accounts within the organization.
S3 Block Account Public Access Configures the account-level S3 BPA settings for all accounts within the organization. Configures S3 BPA settings on buckets created by Control Tower only.
Security Hub Configures Security Hub within a delegated admin account for all accounts and governed regions within the organization.
Inspector Configure Inspector within a delegated admin account for all accounts and governed regions within the organization. Note: As of 01/19/2023, this solution is not included in the quick setup (it will be in a future code release)

Utils

  • packaging_scripts/stage-solution.sh (Package and stage all the AWS SRA example solutions. For more information see Staging script details)

Environment Setup

Based on the deployment method selected these solutions are required to implement SRA solutions.

Repository and Solution Naming Convention

The repository is organized by AWS service solutions, which include deployment platforms (e.g., AWS Control Tower and AWS CloudFormation StackSet).

Example:

.
├── solutions
│   ├── guardduty
│   │   └── guardduty_org
│   │       ├── README.md
│   │       ├── customizations_for_aws_control_tower
│   │       │   ├── manifest-v2.yaml
│   │       │   ├── manifest.yaml
│   │       │   └── parameters
│   │       ├── documentation
│   │       ├── lambda
│   │       │   └── src
│   │       │       ├── app.py
│   │       │       └── requirements.txt
│   │       └── templates
│   │           ├── sra-guardduty-org-configuration-role.yaml
│   │           ├── sra-guardduty-org-configuration.yaml
│   │           ├── sra-guardduty-org-delete-detector-role.yaml
│   │           ├── sra-guardduty-org-delivery-kms-key.yaml
│   │           └── sra-guardduty-org-delivery-s3-bucket.yaml
│   ├── ...

Frequently Asked Questions

Q. How were these particular solutions chosen? A. All the examples in this repository are derived from common patterns that many customers ask us to help them deploy within their environments. We will be adding to the examples over time.

Q. How were these solutions created? A. We’ve collected, cataloged, and curated our multi-account security solution knowledge based on working with a variety of AWS customers.

Q. Who is the audience for these AWS Security Reference Architecture examples? A. Security professionals that are looking for illustrative examples of deploying security patterns in AWS. These code samples provide a starting point from which you can build and tailor infrastructure for your needs.

Q. Why didn't the solutions use inline Lambda functions within the CloudFormation templates? A. Reasons:

Q. I have ideas to improve this repository. What should I do? A. Please create an issue or submit a pull request.

Contributors

Contributors

License Summary

The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file.

The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file.

Please note when building the project that some of the configured developer dependencies are subject to copyleft licenses. Please review these as needed for your use.