Centralized logging and multiple-account security guardrails
Created by Ankush Verma (AWS) and Tracy (Pierce) Hickey (AWS)
Environment: Production | Technologies: Security, identity, compliance; Management & governance | AWS services: AWS CloudFormation; AWS Config; Amazon CloudWatch; AWS CodePipeline; Amazon GuardDuty; AWS Lambda; Amazon Macie; AWS Security Hub; Amazon S3 |
Summary
The approach covered in this pattern is suitable for customers who have multiple Amazon Web Services (AWS) accounts with AWS Organizations and are now encountering challenges when using AWS Control Tower, a landing zone, or account vending machine services to set up baseline guardrails in their accounts.
This pattern demonstrates the use of a streamlined multiple-account architecture to set up centralized logging and standardized security controls in a well-structured manner. With the help of AWS CloudFormation templates, AWS CodePipeline, and automation scripts, this setup is deployed in all accounts that belong to an organization.
The multiple-account architecture includes the following accounts:
Centralized logging account – The account where all the virtual private cloud (VPC) flows logs, AWS CloudTrail logs, the AWS Config log, and all the logs of Amazon CloudWatch Logs (using subscriptions) from all the other accounts are stored.
Parent security account– The account to serve as the parent account for the following security services that manage across multiple accounts.
Amazon GuardDuty
AWS Security Hub
Amazon Macie
Amazon Detective
Child accounts – The other accounts in the organization. These accounts store all the useful logs in the centralized logging account. The child accounts join the parent security account as members for the security services.
After you launch the CloudFormation template (attached), it provisions three Amazon Simple Storage Service (Amazon S3) buckets in the centralized logging account. One bucket is used to store all AWS related logs (such as logs from VPC Flow Logs, CloudTrail, and AWS Config) from all the accounts. The second bucket is for storing the CloudFormation templates from all the accounts. The third bucket is for storing Amazon S3 access logs.
A separate CloudFormation template creates the pipeline that uses AWS CodeCommit. After the updated code is pushed to the CodeCommit repository, it takes care of launching resources and setting up security services in all the accounts. For more information about the file structure of the files that will be uploaded to the CodeCommit repository, see the README.md file (attached).
Prerequisites and limitations
Prerequisites
An AWS Organizations organization ID, with all accounts joined to the same organization.
An active email address to receive Amazon Simple Notification Service (Amazon SNS) notifications.
Confirmed quotas for Amazon Simple Storage Service (Amazon S3) buckets in each of your accounts. By default, each account has 100 S3 buckets. If you require additional buckets, request a quota increase before you deploy this solution.
Limitations
All the accounts should be the part of the same organization. If you are not using AWS Organizations, you must modify certain policies, such as the S3 bucket policy, to allow access from the AWS Identity and Access Management (IAM) roles for each account.
Note: While the solution is being deployed, you must confirm the Amazon SNS subscription. The confirmation message is sent to the email address that you provide during the deployment process. This will initiate a few email alert messages to this email address, because these alarms are initiated whenever IAM role policies are created or modified in the account. During the deployment process, you can ignore these alert messages.
Architecture
Target technology stack
Amazon CloudWatch alarms and logs
AWS CodeCommit repository
AWS CodePipeline
AWS Config
Amazon Detective
Amazon GuardDuty
IAM roles and permissions
Amazon Macie
S3 buckets
AWS Security Hub
Amazon SNS
Target architecture
Other accounts registered as child accounts of the parent security account for the security services
Security findings from all the child accounts, including the parent account
Resources
The following resources are provisioned automatically when the updated code is pushed to the CodeCommit repository in each account and AWS Region.
CloudFormation stack 1 – Logging parent stack
- Nested stack 1 – Standard IAM roles and policies
- Nested stack 2 – AWS Config setup in the account
- Nested stack 3 – CloudWatch alarms
- SecurityGroupChangesAlarm
- UnauthorizedAttemptAlarm
- RootActivityAlarm
- NetworkAclChangesAlarm
- IAMUserManagementAlarm
- IAMPolicyChangesAlarm
- CloudTrailChangeAlarm
- IAMCreateAccessKeyAlarm
- Metric filters for creating metrics from CloudTrail logs and using them for alarms
- SNS topic
CloudFormation stack 2 – Parent guardrail stack
- Nested stack 1 – AWS Lambda function for setting up the account password policy
- Nested stack 2 – Basic AWS Config rules
- CIS-SecurityGroupsMustRestrictSshTraffic
- OpenSecurityGroupRuleCheck along with the Lambda function for security group rule evaluation
- check-ec2-for-required-tag
- check-for-unrestricted-ports
CloudFormation stack 3 – CloudWatch logs export
- Exporting CloudWatch logs from log groups to Amazon S3 using an Amazon Kinesis subscription
Tools
AWS CloudFormation – AWS CloudFormation uses templates to model and provision, in an automated and secure manner, all the resources needed for your applications across all AWS Regions and accounts.
Amazon CloudWatch – Amazon CloudWatch monitors your AWS resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications.
AWS CodeCommit – AWS CodeCommit is a version-control service hosted by AWS. You can use CodeCommit to privately store and manage assets (such as documents, source code, and binary files) in the cloud.
AWS CodePipeline – AWS CodePipeline is a continuous delivery service that you can use to model, visualize, and automate the steps required to release your software.
AWS Config – AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
Amazon Detective – Amazon Detective is used to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your AWS resources. It then uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations.
Amazon GuardDuty – Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the flow logs, CloudTrail management event logs, CloudTrail data event logs, and Domain Name System (DNS) logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment.
AWS Identity and Access Management – AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
Amazon Macie – Amazon Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and financial data, to provide you with a better understanding of the data that your organization stores in Amazon S3.
Amazon S3 – Amazon Simple Storage Service (Amazon S3) is a highly scalable object storage service that can be used for a wide range of storage solutions, including websites, mobile applications, backups, and data lakes.
AWS Security Hub – AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security standards and best practices.
Amazon SNS – Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers).
Epics
| Task | Description | Skills required |
|---|---|---|
| Launch the Childaccount_IAM_role_All_Accounts.yaml CloudFormation template to create the IAM role in the us-east-1 Region. | To create the required IAM roles and permissions, you must manually launch this template in each account, one by one (centralized logging account, parent security account, and all other AWS accounts in the organization) in the us-east-1 Region. The | Cloud architect |
| In the template parameters, provide the name of the IAM role. | Provide the IAM role that CodeBuild, in the parent security account, can assume in all other child accounts. The default role name is | Cloud architect |
| In the parameters, provide the account ID for the parent security account. | The parent security account is the account where CodeBuild runs. | Cloud architect |
| Task | Description | Skills required |
|---|---|---|
| In the centralized logging account, in us-east-1, launch the S3Buckets-Centralized-LoggingAccount.yaml CloudFormation template. | To create the S3 buckets in the centralized logging account, launch the | Cloud architect |
| In the template parameters, provide the name of the S3 bucket for AWS logs storage. | Enter a name for the | Cloud architect |
| Provide the name of the S3 bucket for storing access logs. | Enter an S3 bucket name for the | Cloud architect |
| Provide the name of the S3 bucket for storing templates. | Enter an S3 bucket name in the | Cloud architect |
| Provide the organization ID. | To provide access to S3 buckets within the organization, enter the ID for the organization in the | Cloud architect |
| Task | Description | Skills required |
|---|---|---|
| Launch the security-guard-rails-codepipeline-Centralized-SecurityAccount.yml CloudFormation template. | To deploy the CI/CD pipeline, manually launch the | Cloud architect |
| Provide a name for the S3 bucket that will store templates in the centralized logging account. | Enter the name of the S3 bucket that you provided for the | Cloud architect |
| Provide the name of the IAM role to be used in the child accounts. | Enter the name that you provided for the | Cloud architect |
| Provide an active email address for receiving CodePipeline failure notifications. | Enter the email address that you want to use for receiving CodePipeline failure notifications and other CloudWatch alarm-related notifications. | Cloud architect |
| Task | Description | Skills required |
|---|---|---|
| Modify Accountlist.json. | In the | Cloud architect |
| Modify accounts.csv | In the | Cloud architect |
| Modify parameters.config. | In the
For the other parameters, you can keep the default values. For an example, see the | Cloud architect |
| Task | Description | Skills required |
|---|---|---|
| Access the CodeCommit repo that you created in Step 3. | From the Outputs section of the CI/CD infrastructure CloudFormation stack (launched in Step 3), note the name of the CodeCommit repository URL. Create access to the repository so that the files can be pushed to it for the infrastructure to be deployed in all the target accounts. For more information, see Setting up for AWS CodeCommit. | Cloud architect |
| Push the files to the CodeCommit repository. | Install Git on your machine. Then run the Git commands to clone the empty repository, copy the files from your laptop to the repository folder, and push the artifacts to the repository. Check for the sample Git commands in the | Cloud architect |
| Task | Description | Skills required |
|---|---|---|
| Confirm the status of CodePipeline and CodeBuild. | After you push the artifacts to the CodeCommit repo, confirm that the CodePipeline pipeline that you created in Step 3 has been initiated. Then check the CodeBuild logs to confirm the status or errors. | Cloud architect |
Related resources
Attachments
To access additional content that is associated with this document, unzip the following file: attachment.zip
