Setup Security and Compliance

These are the setup instructions for Security and Compliance in your AWS Organization.

Organization-Level Configuration

The following steps are required to set up Security and Compliance in your AWS Organization. They only need to be completed once for the entire organization.

1 Vendor Components

Vendor all data components with the following workflow:

The vendor workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

2 Add Service Principals to the account component

Add the following service principals to the aws_service_access_principals variable of the account in stacks/catalog/account.yaml:

  • config.amazonaws.com
  • config-multiaccountsetup.amazonaws.com
  • guardduty.amazonaws.com
  • securityhub.amazonaws.com
Reminder:

The following command requires SuperAdmin. Ensure the plan output only touches service principals.

atmos terraform plan account -s core-gbl-root

The output of plan should look similar to the following:

  # aws_organizations_organization.this[0] will be updated in-place
  ~ resource "aws_organizations_organization" "this" {
      ~ aws_service_access_principals = [
          + "config-multiaccountsetup.amazonaws.com",
          + "config.amazonaws.com",
            # (8 unchanged elements hidden)
        ]
        id = "[random string]"
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
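Because this plan is applied with SuperAdmin against the organization resource itself, it is worth automating the "only touches service principals" check rather than eyeballing it. The following POSIX shell guard is an added example and not part of the Cloud Posse documentation or the account component; it parses Terraform plan text and accepts it only when the summary reports a single in-place change, nothing is created, destroyed or replaced, the only attribute marked changed is aws_service_access_principals, and every list element added or removed is an amazonaws.com principal. The two sample plans are constructed for the example (the safe one mirrors the expected output above); passing -no-color through atmos to terraform is assumed to work as it does with terraform directly.

```shell
#!/bin/sh
# Added example (not from the Cloud Posse docs): guard the SuperAdmin apply so the plan
# cannot silently change anything on the organization other than the service principals.
# Usage with a real plan (-no-color is Terraform's own flag, assumed to pass through atmos):
#   atmos terraform plan account -s core-gbl-root -no-color > plan.txt
#   check_plan_only_principals "$(cat plan.txt)" && atmos terraform apply account -s core-gbl-root

# Constructed sample modelled on the expected plan output shown on this page.
SAFE_PLAN='  # aws_organizations_organization.this[0] will be updated in-place
  ~ resource "aws_organizations_organization" "this" {
      ~ aws_service_access_principals = [
          + "config-multiaccountsetup.amazonaws.com",
          + "config.amazonaws.com",
            # (8 unchanged elements hidden)
        ]
        id = "[random string]"
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.'

# Constructed counter-example: the same principal change plus an unrelated attribute edit.
UNSAFE_PLAN='  # aws_organizations_organization.this[0] will be updated in-place
  ~ resource "aws_organizations_organization" "this" {
      ~ aws_service_access_principals = [
          + "config.amazonaws.com",
            # (9 unchanged elements hidden)
        ]
      ~ feature_set = "CONSOLIDATED_BILLING" -> "ALL"
        id = "[random string]"
    }

Plan: 0 to add, 1 to change, 0 to destroy.'

# Returns 0 only when the plan is safe to apply under the rules described above.
check_plan_only_principals() {
  plan="$1"
  # 1. Summary must report exactly one in-place change and nothing created or destroyed.
  printf '%s\n' "$plan" | grep -q '^Plan: 0 to add, 1 to change, 0 to destroy\.$' || return 1
  # 2. No resource may be created, destroyed or replaced.
  printf '%s\n' "$plan" | grep -Eq 'will be (created|destroyed|replaced)' && return 1
  # 3. Every attribute marked changed (~), other than the resource header, must be the principals list.
  other=$(printf '%s\n' "$plan" | grep -E '^[[:space:]]*~' | grep -v 'resource "' \
          | grep -vc 'aws_service_access_principals' || true)
  [ "${other:-0}" -eq 0 ] || return 1
  # 4. Elements added to or removed from the list must all be AWS service principals.
  printf '%s\n' "$plan" | grep -E '^[[:space:]]*[-+] "' | grep -vq '\.amazonaws\.com"' && return 1
  return 0
}

if check_plan_only_principals "$SAFE_PLAN"; then echo "safe sample: ok to apply"; fi
if check_plan_only_principals "$UNSAFE_PLAN"; then :; else echo "unsafe sample: rejected"; fi
```

The checks are deliberately conservative: a plan that adds a principal but also flips feature_set, or that shows any create or destroy, is rejected and should be investigated before SuperAdmin credentials are used to apply it.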

Apply the changes with:

atmos terraform apply account -s core-gbl-root

3 Deploy config-bucket

Important:

There should only be a single bucket that will act as a store for AWS Config data across all regions.

The config-bucket is required for storing AWS Config data and is a prerequisite for deploying AWS Config. See config-bucket.

atmos terraform plan config-bucket --stack core-use1-audit
atmos terraform apply config-bucket --stack core-use1-audit

4 Deploy cloudtrail-bucket

Important:

There should only be a single bucket that will act as a store for AWS CloudTrail data across all regions.

Deploying the cloudtrail-bucket to the Audit account allows the Organization to isolate audit data and permissions from other environments (production, staging, development) and is a requirement for deploying Security Hub. See cloudtrail-bucket.

info

This bucket has likely been provisioned by the Cold Start. Run the following terraform plan to ensure the bucket exists. If it doesn't, create it with terraform apply.

atmos terraform plan cloudtrail-bucket --stack core-use1-audit
atmos terraform apply cloudtrail-bucket --stack core-use1-audit

5 Deploy IAM Role for CIS Benchmark

The CIS AWS Foundations Benchmark includes a rule requiring a support role for managing incidents with AWS Support. See CIS Benchmark 1.20 and IAM.18.

These roles are managed from the Identity Workflow using aws-teams and aws-team-roles components.

AWS Config

info

If a step in one of the following workflows fails, you can restart from that failed step with the --from-step flag, for example:

atmos workflow deploy/aws-config/global-collector -f compliance --from-step step4

Deploy AWS Config to each region in order to collect data for global resources such as IAM.

The deploy/aws-config/global-collector workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

Reminder:

This command requires SuperAdmin.

Deploy AWS Config into the accounts that require SuperAdmin to apply.

The deploy/aws-config/superadmin workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

Security Hub

First, deploy to each region of the Delegated Administrator account.

The deploy/security-hub/step1 workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

Next, using SuperAdmin, deploy to the Organization Management (root) account in order to designate the security account as the Organization Delegated Administrator account.

The deploy/security-hub/step2 workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

assume-role acme-identity

Finally, deploy the security-hub/org-settings component to the security account in order to enable and configure Security Hub in all other accounts and regions.

The deploy/security-hub/step3 workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

GuardDuty

First, deploy to each region of the Delegated Administrator account.

The deploy/guardduty/step1 workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

Next, deploy to the Organization Management (root) account in order to designate the security account as the Organization Delegated Administrator account.

The deploy/guardduty/step2 workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

Finally, deploy to the security account in order to enable and configure GuardDuty in all other accounts and regions.

The deploy/guardduty/step3 workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.
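Both the Security Hub and the GuardDuty procedures above hinge on step2: the Organization Management (root) account designating the security account as delegated administrator. Before running step3, it is worth confirming that designation was actually recorded, since step3 will otherwise fail or, worse, configure the wrong account. The following POSIX shell script is an added example, not part of the Cloud Posse documentation or its components: it queries AWS Organizations for the delegated administrators of the securityhub.amazonaws.com and guardduty.amazonaws.com service principals (a real AWS CLI call, run with management-account credentials) and checks that the expected security account is the one and only delegated administrator for each. The account ID is an assumed placeholder; the same check extends to inspector2.amazonaws.com for the AWS Inspector v2 steps below.

```shell
#!/bin/sh
# Added example (not from the Cloud Posse docs): verify that the security account is the
# sole delegated administrator for Security Hub and GuardDuty after the step2 workflows.

# Assumed placeholder; set SECURITY_ACCOUNT_ID to your real security account ID.
SECURITY_ACCOUNT_ID="${SECURITY_ACCOUNT_ID:-111111111111}"

# Fetch delegated administrator account IDs for one service principal as a
# whitespace-separated list (real AWS CLI call; needs management-account credentials).
list_delegated_admin_ids() {
  aws organizations list-delegated-administrators \
    --service-principal "$1" \
    --query 'DelegatedAdministrators[].Id' --output text
}

# Pure check: returns 0 only when the expected account is the single delegated
# administrator in the given ID list. The AWS CLI prints "None" for an empty list.
check_delegated_admin() {
  expected="$1"
  ids="$2"
  count=0
  found=0
  for id in $ids; do
    [ "$id" = "None" ] && continue
    count=$((count + 1))
    [ "$id" = "$expected" ] && found=1
  done
  [ "$found" -eq 1 ] && [ "$count" -eq 1 ]
}

# Walk the service principals delegated by this page and report any drift.
# Returns 1 if any service is not delegated exclusively to the security account.
verify_all_delegated_admins() {
  rc=0
  for svc in securityhub.amazonaws.com guardduty.amazonaws.com; do
    ids=$(list_delegated_admin_ids "$svc")
    if check_delegated_admin "$SECURITY_ACCOUNT_ID" "$ids"; then
      echo "OK   $svc delegated to $SECURITY_ACCOUNT_ID"
    else
      echo "FAIL $svc delegated administrators: ${ids:-<none>}" >&2
      rc=1
    fi
  done
  return $rc
}

# Only call AWS when explicitly asked, so the file can be sourced for its functions.
if [ "${RUN_VERIFY:-0}" = "1" ]; then
  verify_all_delegated_admins
fi
```

Run it as RUN_VERIFY=1 SECURITY_ACCOUNT_ID=<your id> sh verify-delegated-admins.sh from a management-account session. A FAIL for a service means step2 did not take effect (or a different account was delegated) and should be resolved before step3 is run from the security account.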

Route53 DNS Resolver Firewall

The deploy/route53-resolver-dns-firewall-buckets workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

The deploy/route53-resolver-dns-firewall workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

AWS Shield

info

An AWS Shield Advanced subscription is required in each plat AWS account before running this workflow.

The deploy/aws-shield workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

AWS Inspector v2

Delegates administration of AWS Inspector v2 to the core-security account in all regions.

The deploy/aws-inspector2/step1 workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.

Enables Inspector in all regions across accounts.

The deploy/aws-inspector2/step2 workflow is defined in the examples/snippets/stacks/workflows/compliance.yaml file.