Setup Security and Compliance
These are the setup instructions for Security and Compliance in your AWS Organization.
Organization-Level Configuration
The following steps are required to set up Security and Compliance in your AWS Organization. They only need to be completed once for the entire organization.
2 Add Service Principals to the account component
Add the following service principals to the aws_service_access_principals variable of the account in
stacks/catalog/account.yaml:
config.amazonaws.com
config-multiaccountsetup.amazonaws.com
guardduty.amazonaws.com
securityhub.amazonaws.com
The following command requires SuperAdmin. Before applying, confirm that the plan changes exactly one resource, aws_organizations_organization, that the only attribute it touches is aws_service_access_principals, and that principals are only added, never removed.
atmos terraform plan account -s core-gbl-root
The output of plan should look similar to the following:
  # aws_organizations_organization.this[0] will be updated in-place
  ~ resource "aws_organizations_organization" "this" {
      ~ aws_service_access_principals = [
          + "config-multiaccountsetup.amazonaws.com",
          + "config.amazonaws.com",
            # (8 unchanged elements hidden)
        ]
        id                            = "[random string]"
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
Apply the changes with:
atmos terraform apply account -s core-gbl-root
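Because this step runs as SuperAdmin against the root account's organization resource, it is worth gating the apply on the plan text rather than eyeballing it. The script below is an added example, not part of the Cloud Posse account component or of Atmos: it checks a saved plan for exactly the properties listed above (one in-place change, only aws_organizations_organization, only aws_service_access_principals, additions only). The plan it writes is constructed to match the sample output above; with a real plan, capture `atmos terraform plan account -s core-gbl-root` to a file and pass that file instead.

```shell
#!/usr/bin/env sh
# Pre-apply guard for the "Add Service Principals" step.
# Added example, not part of the Cloud Posse account component or Atmos.
# It refuses the plan unless: exactly one resource changes in place, that
# resource is aws_organizations_organization, the only changed attribute is
# aws_service_access_principals, no principal is removed, and every
# principal we intend to add appears as a '+' line.

# write_sample_plan FILE
# Writes a constructed plan mirroring the shape shown in the documentation.
# In practice capture the real output instead:
#   atmos terraform plan account -s core-gbl-root > account-plan.txt
write_sample_plan() {
  cat > "$1" <<'EOF'
  # aws_organizations_organization.this[0] will be updated in-place
  ~ resource "aws_organizations_organization" "this" {
      ~ aws_service_access_principals = [
          + "config-multiaccountsetup.amazonaws.com",
          + "config.amazonaws.com",
            # (8 unchanged elements hidden)
        ]
        id                            = "[random string]"
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
EOF
}

# check_principals_plan PLANFILE PRINCIPAL...
# Returns 0 when the plan is safe to apply; otherwise prints the reason to
# stderr and returns 1. PRINCIPAL... are the ones this change should add
# (principals already trusted show up as unchanged and are not listed).
check_principals_plan() {
  plan="$1"; shift

  # Exactly one in-place update: nothing created, nothing destroyed.
  grep -q '^Plan: 0 to add, 1 to change, 0 to destroy\.' "$plan" || {
    echo "refusing: summary is not '0 to add, 1 to change, 0 to destroy'" >&2
    return 1
  }

  # The only resource block touched is the organization itself.
  if grep -E '^ *[~+-] resource ' "$plan" | grep -qv 'aws_organizations_organization'; then
    echo "refusing: a resource other than aws_organizations_organization changes" >&2
    return 1
  fi

  # The only attribute changed (~), added (+) or dropped (-) is the principal list.
  if grep -E '^ *[~+-] [a-z_]+ *=' "$plan" | grep -qv 'aws_service_access_principals'; then
    echo "refusing: an attribute other than aws_service_access_principals changes" >&2
    return 1
  fi

  # A '-' entry inside the list would revoke an existing service's trusted access.
  if grep -qE '^ *- "[a-z0-9.-]+\.amazonaws\.com"' "$plan"; then
    echo "refusing: the plan removes a service principal" >&2
    return 1
  fi

  # Every principal we intend to add must be present as a '+' entry.
  for p in "$@"; do
    grep -qF "+ \"$p\"" "$plan" || {
      echo "refusing: expected principal $p is not being added" >&2
      return 1
    }
  done
  return 0
}

# Demo on the constructed plan; with a real plan file drop write_sample_plan.
tmp="${TMPDIR:-/tmp}/account-plan.$$"
write_sample_plan "$tmp"
if check_principals_plan "$tmp" config.amazonaws.com config-multiaccountsetup.amazonaws.com; then
  echo "plan only adds service principals; safe to run: atmos terraform apply account -s core-gbl-root"
fi
rm -f "$tmp"
```

Pass only the principals this change adds: anything the organization already trusts is folded into the "unchanged elements hidden" line and will not appear as a `+` entry. The check is deliberately conservative; a `-` entry inside the list means some service would lose trusted access to the organization, which this step should never do.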
3 Deploy config-bucket
There should only be a single bucket acting as the store for AWS Config data across all regions.
The config-bucket is required for storing AWS Config data and is a prerequisite for deploying AWS Config. See config-bucket.
atmos terraform plan config-bucket --stack core-use1-audit
atmos terraform apply config-bucket --stack core-use1-audit
4 Deploy cloudtrail-bucket
There should only be a single bucket acting as the store for AWS CloudTrail data across all regions.
Deploying the cloudtrail-bucket to the Audit account allows the Organization to isolate audit data and permissions from other environments (production, staging, development) and is a requirement for deploying Security Hub. See cloudtrail-bucket.
This bucket has likely been provisioned by the Cold Start. Run the following terraform plan to ensure the bucket exists. If it doesn't, create it with terraform apply.
atmos terraform plan cloudtrail-bucket --stack core-use1-audit
atmos terraform apply cloudtrail-bucket --stack core-use1-audit
5 Deploy IAM Role for CIS Benchmark
The CIS AWS Foundations Benchmark includes a rule requiring a support role for managing incidents with AWS Support. See CIS Benchmark 1.20 and IAM.18.
These roles are managed from the Identity Workflow using the aws-teams and aws-team-roles components.
AWS Config
If a step in one of the following workflows fails you can restart from that failed step by using the following command:
atmos workflow deploy/aws-config/global-collector -f compliance --from-step step4
1 Set up AWS Config globally
Deploy AWS Config to each region in order to collect data for global resources such as IAM.
This command requires SuperAdmin.
2 Set up AWS Config for SuperAdmin accounts
Deploy AWS Config into accounts that require SuperAdmin to apply.
Security Hub
1 Set up the Delegated Administrator account
First, deploy to each region of the Delegated Administrator account.
2 Set up the Organization Management account
Next, using SuperAdmin, deploy to the Organization Management (root) account in order to designate the security account as the Organization Delegated Administrator account.
3 Assume the identity role
assume-role acme-identity
4 Configure Security Hub organization-wide
Finally, deploy the security-hub/org-settings component to the security account in order to enable and configure
Security Hub in all other accounts and regions.
GuardDuty
1 Set up the Delegated Administrator account
First, deploy to each region of the Delegated Administrator account.
2 Set up the Organization Management account
Next, deploy to the Organization Management (root) account in order to designate the security account as the
Organization Delegated Administrator account.
3 Configure GuardDuty organization-wide
Finally, deploy to the security account in order to enable and configure GuardDuty in all other accounts and regions.
Route53 DNS Resolver Firewall
1 Set up DNS Firewall buckets
Deploy the required S3 buckets for Route53 DNS Resolver Firewall logging.
2 Configure the DNS Firewall
Deploy and configure the Route53 DNS Resolver Firewall.
AWS Shield
1 Set up AWS Shield Advanced
An AWS Shield Advanced subscription is required in each plat AWS account before running this workflow.
Deploy AWS Shield Advanced protection.
AWS Inspector v2
1 Set up the Delegated Administrator account
Delegate Administration account for AWS Inspector v2 to core-security for all regions.
2 Configure Inspector organization-wide
Enable Inspector in all regions across accounts.
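Each of the Security Hub, GuardDuty and Inspector v2 procedures above ends with the Organization Management account designating the security account as delegated administrator, and the later org-wide configuration silently does nothing useful if that designation did not land. The check below is an added example, not part of the Cloud Posse components or workflows: it confirms the designation from the management account with `aws organizations list-delegated-administrators`. The account ID 123456789012 (standing in for core-security) and the captured CLI outputs are constructed placeholders; securityhub.amazonaws.com, guardduty.amazonaws.com and inspector2.amazonaws.com are the service principals these three services register.

```shell
#!/usr/bin/env sh
# Post-deployment check that the Organization Management account has
# delegated administration of each security service to the security account.
# Added example, not part of the Cloud Posse components or workflows. The
# account ID and the captured CLI outputs below are constructed placeholders.

# delegated_admin_ok EXPECTED_ID OUTPUT
# OUTPUT is the text printed by
#   aws organizations list-delegated-administrators --service-principal <svc> \
#       --query 'DelegatedAdministrators[].Id' --output text
# which is empty when nothing is delegated and tab-separated when several
# accounts are. Succeeds only when exactly one ID is listed and it matches.
delegated_admin_ok() {
  expected="$1"
  ids=$(printf '%s' "$2" | tr '\t\n' '  ' | tr -s ' ' | sed 's/^ //; s/ $//')
  [ "$ids" = "$expected" ]
}

# audit_delegations EXPECTED_ID SERVICE_PRINCIPAL...
# Live variant: needs credentials in the Organization Management account
# (SuperAdmin in this architecture). Prints one line per service and returns
# non-zero if any service is undelegated or delegated to another account.
audit_delegations() {
  expected="$1"; shift
  rc=0
  for svc in "$@"; do
    if ! out=$(aws organizations list-delegated-administrators \
                 --service-principal "$svc" \
                 --query 'DelegatedAdministrators[].Id' --output text 2>&1); then
      echo "ERROR $svc: $out" >&2; rc=1; continue
    fi
    if delegated_admin_ok "$expected" "$out"; then
      echo "ok    $svc -> $expected"
    else
      echo "WRONG $svc -> '${out:-<none>}' (expected $expected)" >&2; rc=1
    fi
  done
  return $rc
}

# Offline demo against constructed outputs. The live call would be e.g.
#   audit_delegations 123456789012 securityhub.amazonaws.com \
#       guardduty.amazonaws.com inspector2.amazonaws.com
security_account=123456789012
two_delegates=$(printf '123456789012\t210987654321')
delegated_admin_ok "$security_account" "123456789012" && echo "ok: single delegate is the security account"
delegated_admin_ok "$security_account" "" || echo "not delegated yet: run the Organization Management step first"
delegated_admin_ok "$security_account" "$two_delegates" || echo "two delegates: another account is also administrator"
```

Run `audit_delegations` once from the management account after the three "Organization Management account" steps; every line should read `ok`. An empty result means the designation step has not been applied, and a second ID means another account is also delegated, which is worth investigating before the org-wide configuration step pushes settings from the wrong place.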