Comprehensive Security and Compliance Components for AWS Organizations
We're excited to announce comprehensive documentation for our suite of security and compliance Terraform components. These components enable you to deploy AWS security services across your entire AWS Organization using the delegated administrator pattern, providing centralized security monitoring and compliance assessment.
Hello SweetOps!
Security and compliance are critical for any organization running workloads on AWS. Whether you're pursuing SOC2, HIPAA, PCI DSS, FedRAMP, or CIS benchmarks, you need comprehensive visibility into threats, vulnerabilities, and configuration drift across all your accounts.
We've updated and documented our security and compliance components to make deploying these services straightforward and maintainable at scale.
What's Included
Our security and compliance framework includes 9 Terraform components:
| Component | Purpose |
|---|---|
| AWS Config | Configuration compliance and resource inventory |
| AWS CloudTrail | API activity logging and audit trail |
| AWS GuardDuty | Intelligent threat detection |
| AWS Security Hub | Centralized security findings aggregation |
| AWS Inspector 2 | Automated vulnerability scanning |
| Amazon Macie | Sensitive data discovery in S3 |
| IAM Access Analyzer | External and unused access detection |
| AWS Shield | DDoS protection |
| AWS Audit Manager | Compliance evidence collection |
Key Architecture Decisions
Our approach uses the delegated administrator pattern, centralizing security management while maintaining proper separation of concerns:
- Security Account: Acts as the delegated administrator for threat detection and security monitoring services
- Audit Account: Stores immutable logs (CloudTrail) and configuration snapshots (Config)
- Root Account: Delegates administration but doesn't manage day-to-day security operations
- Member Accounts: Automatically enrolled and monitored by the security account
Deployment Models
Different AWS services require different deployment approaches. We've documented each pattern:
3-Step Delegated Administrator
Used by GuardDuty, Security Hub, and Macie:
1. Deploy to the security account (creates the service)
2. Deploy to the root account (delegates administration)
3. Deploy org settings to the security account (configures organization-wide settings)
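To make the three steps concrete, here is the GuardDuty flow written with the raw AWS provider resources that the aws-guardduty component wraps. This is an added illustration, not the component's own code: the provider aliases, placeholder account IDs and role names are assumptions, and where the component runs each step as a separate per-account deployment, this puts all three in one configuration only so the dependency order is visible.

```hcl
# Added example: the 3-step delegated administrator pattern for GuardDuty,
# expressed as plain AWS provider resources (not the aws-guardduty component).
# Account IDs and the "terraform" role name are placeholders.

provider "aws" {
  alias  = "security"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/terraform" # placeholder: security account
  }
}

provider "aws" {
  alias  = "root"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/terraform" # placeholder: root (management) account
  }
}

# Step 1: security account - create the detector (the service itself).
resource "aws_guardduty_detector" "security" {
  provider                     = aws.security
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

# Step 2: root account - delegate GuardDuty administration to the security account.
# Only the organization management account may make this call.
resource "aws_guardduty_organization_admin_account" "this" {
  provider         = aws.root
  admin_account_id = "111111111111" # placeholder: must match the security account
  depends_on       = [aws_guardduty_detector.security]
}

# Step 3: security account - organization-wide settings. This call succeeds only
# once step 2 has completed, because only the delegated administrator may run it.
# "ALL" enrolls every existing and future member account automatically, so a
# member cannot quietly remain unmonitored.
resource "aws_guardduty_organization_configuration" "this" {
  provider                         = aws.security
  detector_id                      = aws_guardduty_detector.security.id
  auto_enable_organization_members = "ALL"
  depends_on                       = [aws_guardduty_organization_admin_account.this]
}
```

Running step 3 before step 2 has completed fails with an authorization error from GuardDuty, which is why the components deploy these in the order listed above.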
2-Step Delegated Administrator
Used by Inspector and Access Analyzer:
1. Deploy to the root account (delegates administration)
2. Deploy org settings to the security account
Per-Account Deployment
Used by Config and CloudTrail, with central aggregation in security/audit accounts.
Per-Resource Deployment
Used by Shield Advanced for protecting specific resources such as ALBs, CloudFront distributions, and Route 53 hosted zones.
Compliance Framework Support
These components support multiple compliance frameworks out of the box:
- CIS AWS Foundations Benchmark (v1.4, v1.5)
- AWS Foundational Security Best Practices
- PCI DSS (Payment Card Industry)
- HIPAA (Healthcare)
- SOC 2 (Service Organization Control)
- NIST 800-53 (Federal)
- FedRAMP (Federal Risk and Authorization)
- CMMC (Cybersecurity Maturity Model Certification)
Getting Started
We've created comprehensive documentation to help you deploy these components:
- Security and Compliance Overview - Architecture and component descriptions
- Setup Guide - Step-by-step deployment instructions
- FAQ - Common issues and troubleshooting
Each component also has its own detailed documentation page with stack configurations, deployment commands, and key variables.
Component Repositories
All components are available in the cloudposse-terraform-components GitHub organization:
- aws-config
- aws-cloudtrail
- aws-guardduty
- aws-security-hub
- aws-inspector2
- aws-macie
- aws-access-analyzer
- aws-shield
- aws-audit-manager
What's Next
We're continuing to improve our security and compliance components:
- Additional conformance pack templates for common compliance frameworks
- Enhanced integration between services
- More automated remediation patterns via EventBridge
- Expanded documentation for GovCloud deployments
If you have questions about deploying security and compliance components, reach out in the SweetOps Slack or check our FAQ for common issues.
We'd love to hear your feedback on these components. Let us know what compliance frameworks you're targeting and how we can make these components work better for your organization!