Code repository for AWS SRA examples
To help you get started building and implementing the guidance in the AWS SRA, an infrastructure as code (IaC) repository is available at https://github.com/aws-samples/aws-security-reference-architecture-examples
The AWS SRA code repository provides code samples with both AWS CloudFormation and Terraform
deployment options. The solution patterns support two environments: one requires AWS Control
Tower and the other uses AWS Organizations without AWS Control Tower. The solutions in this
repository that require AWS Control Tower have been deployed and tested within an AWS Control
Tower environment by using AWS CloudFormation and Customizations for AWS Control Tower (CfCT).
Here is a summary of the solutions in the AWS SRA repository:
- The CloudTrail Organization solution creates an organization trail within the Org Management account and delegates administration to a member account such as the Audit or Security Tooling account. This trail is encrypted with a customer managed key created in the Security Tooling account and delivers logs to an S3 bucket in the Log Archive account. Optionally, data events can be enabled for Amazon S3 and AWS Lambda functions. An organization trail logs events for all AWS accounts in the AWS organization while preventing member accounts from modifying the configurations.
- The GuardDuty Organization solution enables Amazon GuardDuty by delegating administration to the Security Tooling account. It configures GuardDuty within the Security Tooling account for all existing and future AWS organization accounts. The GuardDuty findings are also encrypted with a KMS key and sent to an S3 bucket in the Log Archive account.
- The Security Hub Organization solution configures AWS Security Hub by delegating administration to the Security Tooling account. It configures Security Hub within the Security Tooling account for all existing and future AWS organization accounts. The solution also provides parameters for synchronizing the enabled security standards across all accounts and Regions as well as configuring a Region aggregator within the Security Tooling account. Centralizing Security Hub within the Security Tooling account provides a cross-account view of security standards compliance and findings from both AWS services and third-party AWS Partner integrations.
- The Inspector solution configures Amazon Inspector within the delegated administrator (Security Tooling) account for all accounts and governed Regions under the AWS organization.
- The Firewall Manager solution configures AWS Firewall Manager security policies by delegating administration to the Security Tooling account and configuring Firewall Manager with a security group policy and multiple AWS WAF policies. The security group policy requires a maximum allowed security group within a VPC (existing or created by the solution), which is deployed by the solution.
- The Macie Organization solution enables Amazon Macie by delegating administration to the Security Tooling account. It configures Macie within the Security Tooling account for all existing and future AWS organization accounts. Macie is further configured to send its discovery results to a central S3 bucket that is encrypted with a KMS key.
- AWS Config
  - The Config Aggregator solution configures an AWS Config aggregator by delegating administration to the Security Tooling account. The solution then configures an AWS Config aggregator within the Security Tooling account for all existing and future accounts in the AWS organization.
  - The Conformance Pack Organization Rules solution deploys AWS Config rules by delegating administration to the Security Tooling account. It then creates an organization conformance pack within the delegated administrator account for all existing and future accounts in the AWS organization. The solution is configured to deploy the Operational Best Practices for Encryption and Key Management conformance pack sample template.
  - The AWS Config Control Tower Management Account solution enables AWS Config in the AWS Control Tower management account and updates the AWS Config aggregator within the Security Tooling account accordingly. The solution uses the AWS Control Tower CloudFormation template for enabling AWS Config as a reference to ensure consistency with the other accounts in the AWS organization.
- IAM
  - The Access Analyzer solution enables AWS IAM Access Analyzer by delegating administration to the Security Tooling account. It then configures an organization-level Access Analyzer within the Security Tooling account for all existing and future accounts in the AWS organization. The solution also deploys Access Analyzer to all member accounts and Regions to support analyzing account-level permissions.
  - The IAM Password Policy solution updates the AWS account password policy within all accounts in an AWS organization. The solution provides parameters for configuring the password policy settings to help you align with industry compliance standards.
- The EC2 Default EBS Encryption solution enables account-level, default Amazon EBS encryption within each AWS account and AWS Region in the AWS organization. It enforces the encryption of new EBS volumes and snapshots that you create. For example, Amazon EBS encrypts the EBS volumes that are created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.
- The S3 Block Account Public Access solution enables Amazon S3 account-level settings within each AWS account in the AWS organization. The Amazon S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don't allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access. Amazon S3 Block Public Access settings override these policies and permissions so that you can limit public access to these resources.
- The Detective Organization solution automates enabling Amazon Detective by delegating administration to an account (such as the Audit or Security Tooling account) and configuring Detective for all existing and future AWS organization accounts.
- The Shield Advanced solution automates the deployment of AWS Shield Advanced to provide enhanced DDoS protection for your applications on AWS.
- The AMI Bakery Organization solution helps automate the process for building and managing standard, hardened Amazon Machine Image (AMI) images. This ensures consistency and security across your AWS instances, and simplifies deployment and maintenance tasks.
- The Patch Manager solution helps streamline patch management across multiple AWS accounts. You can use this solution to update AWS Systems Manager Agent (SSM Agent) on all managed instances, and to scan and install critical and important security patches and bug fixes on Windows and Linux tagged instances. The solution also configures the Default Host Management Configuration setting to detect the creation of new AWS accounts and automatically deploy the solution to those accounts.
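Most of the solutions above share two outcomes: a service's administration is delegated to the Security Tooling account, and an account-level baseline (S3 Block Public Access, default EBS encryption) is switched on everywhere. The following drift check, an added example that is not code from the SRA repository, verifies those outcomes after deployment; it takes the clients as parameters so that real boto3 Organizations, S3Control and EC2 clients or the constructed stub work interchangeably, and the service-principal mapping is an assumption built from the solution list.

```python
"""Drift check for the org baselines the SRA solutions establish. Added example,
not code from the SRA repository; clients are passed in, so boto3 Organizations,
S3Control and EC2 clients or the constructed stub below both work."""

# Service principals the SRA solutions delegate to the Security Tooling account
# (assumed mapping, built from the solution list above).
DELEGATED_SERVICES = {
    "CloudTrail": "cloudtrail.amazonaws.com", "GuardDuty": "guardduty.amazonaws.com",
    "Security Hub": "securityhub.amazonaws.com", "Inspector": "inspector2.amazonaws.com",
    "Firewall Manager": "fms.amazonaws.com", "Macie": "macie.amazonaws.com",
    "AWS Config": "config.amazonaws.com", "Detective": "detective.amazonaws.com",
    "Access Analyzer": "access-analyzer.amazonaws.com",
}
# All four account-level S3 Block Public Access settings must be on.
S3_BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")

def check_delegated_admins(org_client, expected_admin_id):
    """Return solutions whose delegated administrator is not expected_admin_id."""
    drift = []
    for name, principal in DELEGATED_SERVICES.items():
        resp = org_client.list_delegated_administrators(ServicePrincipal=principal)
        if expected_admin_id not in {a["Id"] for a in resp["DelegatedAdministrators"]}:
            drift.append(name)
    return drift

def check_s3_block_public_access(s3control_client, account_id):
    """Return the account-level S3 Block Public Access settings that are off."""
    try:
        cfg = s3control_client.get_public_access_block(AccountId=account_id)
    except Exception:  # boto3 raises NoSuchPublicAccessBlockConfiguration when unset
        return list(S3_BPA_KEYS)
    cfg = cfg["PublicAccessBlockConfiguration"]
    return [k for k in S3_BPA_KEYS if not cfg.get(k, False)]

def check_ebs_default_encryption(ec2_client):
    """True when default EBS encryption is on for the account in this Region."""
    return bool(ec2_client.get_ebs_encryption_by_default()["EbsEncryptionByDefault"])

class StubOrg:
    """Constructed stand-in for a boto3 Organizations client: Macie never delegated."""
    def list_delegated_administrators(self, ServicePrincipal):
        ids = [] if ServicePrincipal == "macie.amazonaws.com" else [{"Id": "111111111111"}]
        return {"DelegatedAdministrators": ids}

if __name__ == "__main__":
    print("not delegated to Security Tooling:", check_delegated_admins(StubOrg(), "111111111111"))
```

Run the EC2 check once per governed Region, since default EBS encryption is a Regional setting while the S3 and delegated-administrator checks are account- and organization-wide.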