
Setup Security and Compliance

This guide walks you through deploying AWS security and compliance services across your AWS Organization. Follow the steps in order to ensure proper configuration of all services.

Before You Begin

  • AWS Organizations is configured with your account structure
  • Account baseline has been deployed (see Deploy Accounts)
  • Root account access is available for root account deployments (such as with the managers profile)

Deployment Order

The security components have dependencies and must be deployed in a specific order:


Phase 1: Organization-Level Configuration

These steps are required once for the entire organization.

1 Vendor Components

Vendor all security and compliance components:

atmos vendor pull --component aws-config
atmos vendor pull --component aws-cloudtrail
atmos vendor pull --component aws-guardduty
atmos vendor pull --component aws-security-hub
atmos vendor pull --component aws-inspector2
atmos vendor pull --component aws-macie
atmos vendor pull --component aws-access-analyzer
atmos vendor pull --component aws-shield
atmos vendor pull --component aws-audit-manager

2 Add Service Principals

Add the following service principals to the aws_service_access_principals variable of the account component in stacks/catalog/account.yaml:

# stacks/catalog/account.yaml
components:
  terraform:
    account:
      vars:
        aws_service_access_principals:
          # Existing principals...
          - access-analyzer.amazonaws.com
          - cloudtrail.amazonaws.com
          - config.amazonaws.com
          - config-multiaccountsetup.amazonaws.com
          - guardduty.amazonaws.com
          - inspector2.amazonaws.com
          - macie.amazonaws.com
          - securityhub.amazonaws.com
Root Access Required:

This requires root account access (such as with the managers profile). Review the plan before applying and confirm the only change is to aws_service_access_principals on the organization resource. If the plan proposes anything else (accounts, organizational units, policies), stop and reconcile the stack configuration first: applying with root credentials would execute those changes as well.

atmos terraform plan account -s core-gbl-root
atmos terraform apply account -s core-gbl-root
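The "only service principals change" review above can be automated. The following is an added example for this guide, not part of the Cloud Posse components: it reads a Terraform plan exported in Terraform's own JSON format (the assumption is that you saved the plan and ran `terraform show -json plan.tfplan > plan.json`; how you pass those flags through atmos is your choice) and refuses anything beyond an in-place update to aws_service_access_principals on the organization resource. It also flags a plan that would remove a principal, since that disables trusted access for that service across the organization. The sample plans embedded in the block are constructed; the org id and account name are placeholders.

```python
"""Guard for step 2: confirm the plan for the `account` component changes
nothing but aws_service_access_principals on the organization resource.

Added example for this guide, not part of the Cloud Posse components. It
assumes the plan was saved and exported with Terraform's own JSON format
(`terraform show -json plan.tfplan > plan.json`); how you pass those flags
through atmos is your choice."""
import copy
import json
import sys

ORG_RESOURCE_TYPE = "aws_organizations_organization"
ALLOWED_ATTRIBUTE = "aws_service_access_principals"


def plan_problems(plan: dict) -> list:
    """Return reasons the plan is unsafe to apply as step 2; empty means OK."""
    problems = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if actions in (["no-op"], ["read"]):
            continue
        addr = rc.get("address", "<unknown>")
        if rc.get("type") != ORG_RESOURCE_TYPE:
            problems.append(f"{addr}: {actions} on a non-organization resource")
            continue
        if actions != ["update"]:
            problems.append(f"{addr}: expected an in-place update, got {actions}")
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}  # computed, known only after apply
        changed = {k for k in set(before) | set(after)
                   if not unknown.get(k) and before.get(k) != after.get(k)}
        extra = changed - {ALLOWED_ATTRIBUTE}
        if extra:
            problems.append(f"{addr}: unexpected attribute changes {sorted(extra)}")
        # Removing a principal disables trusted access for that service org-wide.
        removed = set(before.get(ALLOWED_ATTRIBUTE) or []) - set(after.get(ALLOWED_ATTRIBUTE) or [])
        if removed:
            problems.append(f"{addr}: would remove trusted access for {sorted(removed)}")
    return problems


# Constructed sample of the plan step 2 should produce: one in-place update
# that only adds principals. The org id is a placeholder.
SAFE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [{
        "address": "aws_organizations_organization.this[0]",
        "type": ORG_RESOURCE_TYPE,
        "change": {
            "actions": ["update"],
            "before": {"id": "o-exampleorgid", "feature_set": "ALL",
                       ALLOWED_ATTRIBUTE: ["cloudtrail.amazonaws.com",
                                           "config.amazonaws.com"]},
            "after": {"id": "o-exampleorgid", "feature_set": "ALL",
                      ALLOWED_ATTRIBUTE: ["access-analyzer.amazonaws.com",
                                          "cloudtrail.amazonaws.com",
                                          "config.amazonaws.com",
                                          "config-multiaccountsetup.amazonaws.com",
                                          "guardduty.amazonaws.com",
                                          "inspector2.amazonaws.com",
                                          "macie.amazonaws.com",
                                          "securityhub.amazonaws.com"]},
            "after_unknown": {},
        },
    }],
}


def _unsafe_variant() -> dict:
    """Constructed counter-example: drops a principal and also deletes an account."""
    plan = copy.deepcopy(SAFE_PLAN)
    plan["resource_changes"][0]["change"]["after"][ALLOWED_ATTRIBUTE].remove("config.amazonaws.com")
    plan["resource_changes"].append({
        "address": 'aws_organizations_account.this["dev"]',
        "type": "aws_organizations_account",
        "change": {"actions": ["delete"], "before": {"name": "dev"}, "after": None},
    })
    return plan


UNSAFE_PLAN = _unsafe_variant()

if __name__ == "__main__":
    # python plan_guard.py plan.json  (no argument: run against the built-in sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAFE_PLAN
    found = plan_problems(plan)
    for p in found:
        print("BLOCK:", p)
    print("plan ok, safe to apply" if not found else f"{len(found)} problem(s), do not apply")
    sys.exit(1 if found else 0)
```

Run it between `atmos terraform plan` and `atmos terraform apply`; a non-zero exit is the signal to stop and fix the stack configuration before touching the root account again. Attributes Terraform marks as "known after apply" are skipped rather than treated as changes, so computed fields on the organization resource do not produce false positives.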

3 Deploy Config Bucket

Deploy the S3 bucket for AWS Config data storage. This bucket stores configuration snapshots and history for compliance auditing.

Important:

Deploy only one config-bucket per organization. It stores data from all accounts and regions.

atmos terraform apply config-bucket -s core-ue1-audit

4 Deploy CloudTrail Bucket

Deploy the S3 bucket for CloudTrail logs. This bucket stores API activity logs from all accounts in the organization.

Important:

Deploy only one cloudtrail-bucket per organization. It may already exist from the Deploy Accounts guide; if so, the plan below should show no changes.

# Verify bucket exists or create it
atmos terraform plan cloudtrail-bucket -s core-ue1-audit
atmos terraform apply cloudtrail-bucket -s core-ue1-audit

5 Deploy CIS Benchmark IAM Role

CIS AWS Foundations Benchmark requires a support role for managing incidents with AWS Support. See CIS Benchmark 1.20.

This role is managed through the Identity Layer using aws-teams and aws-team-roles.


Phase 2: Foundational Services

AWS CloudTrail

AWS CloudTrail records API activity across your organization. Deploy the organization trail to capture events from all accounts.

1 Deploy Organization Trail

Deploy CloudTrail to create an organization-wide trail that automatically logs API activity from all accounts.

atmos terraform apply aws-cloudtrail -s core-gbl-audit

AWS Config

AWS Config provides configuration compliance monitoring and resource inventory. It must be deployed to every account and region.

1 Deploy AWS Config Globally

Deploy AWS Config to each region to collect data for global resources (IAM, etc.) and regional resources.

atmos terraform apply aws-config -s core-ue1-security
atmos terraform apply aws-config -s core-ue2-security
atmos terraform apply aws-config -s core-uw2-security
# ... repeat for each region

2 Deploy AWS Config for Root Accounts

Deploy AWS Config to accounts that require root access to apply (root, security).

Root Access Required:

This requires root account access (such as with the managers profile).

atmos terraform apply aws-config -s core-ue1-root
atmos terraform apply aws-config -s core-ue2-root
atmos terraform apply aws-config -s core-uw2-root
# ... repeat for each region

Phase 3: Threat Detection & Vulnerability Scanning

AWS GuardDuty

AWS GuardDuty provides intelligent threat detection using ML-based analysis. It uses a 3-step delegated administrator deployment model.

1 Deploy to Delegated Administrator (Step 1)

First, deploy to the security account to create the GuardDuty detector.

atmos terraform apply aws-guardduty/delegated-administrator -s core-ue1-security

2 Delegate from Organization Management (Step 2)

Deploy to the root account to designate the security account as the delegated administrator.

Root Access Required:

This requires root account access (such as with the managers profile).

atmos terraform apply aws-guardduty/root -s core-ue1-root

3 Configure Organization Settings (Step 3)

Deploy to the security account again to enable GuardDuty organization-wide with all protection features.

atmos terraform apply aws-guardduty/org-settings -s core-ue1-security

AWS Inspector 2

AWS Inspector 2 provides automated vulnerability scanning for EC2, ECR, and Lambda. It uses a 2-step delegated administrator deployment model.

1 Delegate from Organization Management (Step 1)

Deploy to the root account to designate the security account as the delegated administrator.

Root Access Required:

This requires root account access (such as with the managers profile).

atmos terraform apply aws-inspector2/root -s core-ue1-root

2 Configure Organization Settings (Step 2)

Deploy to the security account to enable Inspector organization-wide.

atmos terraform apply aws-inspector2/org-settings -s core-ue1-security

Amazon Macie

Amazon Macie discovers sensitive data in S3 using ML-based classification. It uses a 3-step delegated administrator deployment model.

1 Deploy to Delegated Administrator (Step 1)

First, deploy to the security account to create the Macie account.

atmos terraform apply aws-macie/delegated-administrator -s core-ue1-security

2 Delegate from Organization Management (Step 2)

Deploy to the root account to designate the security account as the delegated administrator.

Root Access Required:

This requires root account access (such as with the managers profile).

atmos terraform apply aws-macie/root -s core-ue1-root

3 Configure Organization Settings (Step 3)

Deploy to the security account again to enable Macie organization-wide.

atmos terraform apply aws-macie/org-settings -s core-ue1-security

IAM Access Analyzer

IAM Access Analyzer identifies resources shared with external entities and unused access. It uses a 2-step delegated administrator deployment model.

1 Delegate from Organization Management (Step 1)

Deploy to the root account to designate the security account as the delegated administrator.

Root Access Required:

This requires root account access (such as with the managers profile).

atmos terraform apply aws-access-analyzer/root -s core-gbl-root

2 Configure Organization Settings (Step 2)

Deploy to the security account to create organization and account analyzers.

atmos terraform apply aws-access-analyzer/org-settings -s core-ue1-security

Phase 4: Aggregation & Protection

AWS Security Hub

AWS Security Hub aggregates findings from all security services into a centralized dashboard. It uses a 3-step delegated administrator deployment model.

1 Deploy to Delegated Administrator (Step 1)

First, deploy to the security account to enable Security Hub and configure product subscriptions.

atmos terraform apply aws-security-hub/delegated-administrator -s core-ue1-security

2 Delegate from Organization Management (Step 2)

Deploy to the root account to designate the security account as the delegated administrator.

Root Access Required:

This requires root account access (such as with the managers profile).

atmos terraform apply aws-security-hub/root -s core-ue1-root

3 Assume Identity Role

Switch back to your default identity role:

assume-role acme-identity

4 Configure Organization Settings (Step 3)

Deploy to the security account again to enable Security Hub organization-wide with compliance standards.

atmos terraform apply aws-security-hub/org-settings -s core-ue1-security

AWS Shield

AWS Shield provides DDoS protection for critical resources. Unlike other services, Shield is deployed per-resource rather than organization-wide.

Subscription Required:

AWS Shield Advanced requires a subscription ($3,000/month per organization) in each account before deployment. See Subscribing to Shield Advanced.

1 Deploy AWS Shield Advanced

Deploy Shield protection to accounts and resources that need DDoS protection.

# Global resources (Route53, CloudFront)
atmos terraform apply aws-shield -s plat-gbl-prod

# Regional resources (ALBs, Elastic IPs)
atmos terraform apply aws-shield -s plat-ue1-prod

AWS Audit Manager (Optional)

AWS Audit Manager automates compliance evidence collection. It is deployed only to the root account.

GovCloud Limitation:

AWS Audit Manager has limited framework availability in GovCloud. Consider using AWS Config conformance packs as an alternative for compliance monitoring.

1 Deploy AWS Audit Manager

Deploy Audit Manager to the root account to enable compliance evidence collection.

atmos terraform apply aws-audit-manager/root -s core-ue1-root

Optional: DNS Firewall

Route53 DNS Resolver Firewall provides DNS-level security to block malicious domains.

1 Deploy DNS Firewall Buckets

Deploy S3 buckets for DNS Firewall logging.

atmos terraform apply route53-resolver-dns-firewall-logs -s plat-ue1-dev
atmos terraform apply route53-resolver-dns-firewall-logs -s plat-ue1-prod
atmos terraform apply route53-resolver-dns-firewall-logs -s plat-ue1-sandbox
atmos terraform apply route53-resolver-dns-firewall-logs -s plat-ue1-staging

2 Configure DNS Firewall

Deploy and configure the Route53 DNS Resolver Firewall.

atmos terraform apply route53-resolver-dns-firewall/dev -s plat-ue1-dev
atmos terraform apply route53-resolver-dns-firewall/prod -s plat-ue1-prod
atmos terraform apply route53-resolver-dns-firewall/sandbox -s plat-ue1-sandbox
atmos terraform apply route53-resolver-dns-firewall/staging -s plat-ue1-staging

Verification

After deployment, verify all services are properly configured:

Check Security Hub Dashboard

  1. Open the AWS Console in the security account
  2. Navigate to Security Hub
  3. Verify findings are being aggregated from all services

Verify Service Status

Run the GuardDuty, Security Hub and Config checks with credentials for the security account (the delegated administrator) in a region where the services were deployed; the Inspector delegated-administrator listing is called from the organization management (root) account instead.

# Check GuardDuty status
aws guardduty list-detectors --region us-east-1

# Check Security Hub status
aws securityhub describe-hub --region us-east-1

# Check Inspector status
aws inspector2 list-delegated-admin-accounts --region us-east-1

# Check Config status
aws configservice describe-configuration-recorders --region us-east-1
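Reading four JSON blobs by eye is error-prone, so here is an added example (not part of the reference architecture) that evaluates the output of the four commands above against the state this guide expects: a GuardDuty detector present, Security Hub enabled, the security account delegated for Inspector with status ENABLED, and a single Config recorder covering all supported resource types with global types (IAM) recorded in the region you chose for that. It assumes you saved each command's output to a file and pass the security account ID as the first argument; the account IDs, ARNs and detector ID embedded in the sample outputs are constructed placeholders in the shape the AWS CLI prints.

```python
"""Evaluate the JSON printed by the four status commands above against the
state this guide expects. Added example, not part of the reference
architecture. Assumes you saved each command's output to a file:
  python verify_services.py 111111111111 guardduty.json securityhub.json \
      inspector2.json config.json
where the first argument is the security account ID (the expected
delegated administrator); account IDs and ARNs below are placeholders."""
import copy
import json
import sys


def check_guardduty(out: dict) -> list:
    """list-detectors: the security account needs a detector in this region."""
    return [] if out.get("DetectorIds") else ["GuardDuty: no detector in this account/region"]


def check_security_hub(out: dict) -> list:
    """describe-hub: a HubArn means the hub is enabled (the call errors when it is not)."""
    problems = []
    if not out.get("HubArn"):
        problems.append("Security Hub: not enabled (no HubArn)")
    if out.get("AutoEnableControls") is False:
        problems.append("Security Hub: new controls in enabled standards will not auto-enable")
    return problems


def check_inspector2(out: dict, security_account: str) -> list:
    """list-delegated-admin-accounts: security account delegated and ENABLED."""
    admins = out.get("delegatedAdminAccounts") or []
    for admin in admins:
        if admin.get("accountId") == security_account:
            status = admin.get("status")
            return [] if status == "ENABLED" else [f"Inspector2: delegated admin status is {status}"]
    found = [a.get("accountId") for a in admins]
    return [f"Inspector2: {security_account} is not the delegated administrator (found {found})"]


def check_config(out: dict, records_global: bool) -> list:
    """describe-configuration-recorders: one recorder covering all supported
    types; global types (IAM) only in the region chosen to record them."""
    recorders = out.get("ConfigurationRecorders") or []
    if len(recorders) != 1:
        return [f"Config: expected 1 recorder, found {len(recorders)}"]
    group = recorders[0].get("recordingGroup") or {}
    problems = []
    if not group.get("allSupported"):
        problems.append("Config: recorder does not cover all supported resource types")
    if bool(group.get("includeGlobalResourceTypes")) != records_global:
        problems.append(f"Config: includeGlobalResourceTypes={group.get('includeGlobalResourceTypes')}, "
                        f"expected {records_global}")
    return problems


def verify(outputs: dict, security_account: str, records_global: bool = True) -> list:
    """Run all checks; an empty list means every service reports the expected state."""
    return (check_guardduty(outputs["guardduty"])
            + check_security_hub(outputs["securityhub"])
            + check_inspector2(outputs["inspector2"], security_account)
            + check_config(outputs["config"], records_global))


# Constructed sample outputs in the shape the AWS CLI prints for each command.
SAMPLE_OK = {
    "guardduty": {"DetectorIds": ["12abc34d567e8fa901bc2d34e56789f0"]},
    "securityhub": {"HubArn": "arn:aws:securityhub:us-east-1:111111111111:hub/default",
                    "SubscribedAt": "2024-01-01T00:00:00.000Z", "AutoEnableControls": True},
    "inspector2": {"delegatedAdminAccounts": [{"accountId": "111111111111", "status": "ENABLED"}]},
    "config": {"ConfigurationRecorders": [{
        "name": "default", "roleARN": "arn:aws:iam::111111111111:role/aws-config",
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
                           "resourceTypes": []}}]},
}

# Constructed failure case: delegation landed on a different account and the
# recorder skips global resource types.
SAMPLE_BAD = copy.deepcopy(SAMPLE_OK)
SAMPLE_BAD["inspector2"]["delegatedAdminAccounts"][0]["accountId"] = "222222222222"
SAMPLE_BAD["config"]["ConfigurationRecorders"][0]["recordingGroup"]["includeGlobalResourceTypes"] = False

if __name__ == "__main__":
    if len(sys.argv) == 6:
        account, files = sys.argv[1], sys.argv[2:]
        outputs = dict(zip(["guardduty", "securityhub", "inspector2", "config"],
                           (json.load(open(f)) for f in files)))
    else:
        account, outputs = "111111111111", SAMPLE_OK  # no args: run the sample
    problems = verify(outputs, account)
    for p in problems:
        print("FAIL:", p)
    print("all services verified" if not problems else f"{len(problems)} check(s) failed")
    sys.exit(1 if problems else 0)
```

Pass `records_global=False` for regions other than the one you chose to record IAM and other global resource types, so the check does not demand global recording everywhere. A non-zero exit means at least one service is not in the state the phases above should have produced; the message names the service and the step to revisit.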

Review Compliance

  1. Open Security Hub in the security account
  2. Navigate to "Security standards"
  3. Review compliance scores for enabled standards (CIS, PCI DSS, AWS Foundational)

Troubleshooting

See the FAQ for common issues and solutions, or consult the individual component documentation for service-specific troubleshooting.