Centralized logging and multiple-account security guardrails - AWS Prescriptive Guidance

Centralized logging and multiple-account security guardrails

Created by Ankush Verma (AWS) and Tracy (Pierce) Hickey (AWS)

Environment: Production

Technologies: Security, identity, compliance; Management & governance

AWS services: AWS CloudFormation; AWS Config; Amazon CloudWatch; AWS CodePipeline; Amazon GuardDuty; AWS Lambda; Amazon Macie; AWS Security Hub; Amazon S3

Summary

The approach in this pattern is suitable for customers who have multiple Amazon Web Services (AWS) accounts in AWS Organizations and are encountering challenges when using AWS Control Tower, a landing zone, or an account vending machine to set up baseline guardrails in their accounts.

This pattern demonstrates the use of a streamlined multiple-account architecture to set up centralized logging and standardized security controls in a well-structured manner. With the help of AWS CloudFormation templates, AWS CodePipeline, and automation scripts, this setup is deployed in all accounts that belong to an organization.

The multiple-account architecture includes the following accounts:

  • Centralized logging account – The account where the virtual private cloud (VPC) flow logs, AWS CloudTrail logs, and AWS Config logs from all the other accounts are stored, together with their Amazon CloudWatch Logs data, which is forwarded through subscriptions.

  • Parent security account – The account that serves as the parent (administrator) account for the following security services, which are managed across all the accounts from here:

    • Amazon GuardDuty

    • AWS Security Hub

    • Amazon Macie

    • Amazon Detective

  • Child accounts – All the other accounts in the organization. These accounts send their logs to the centralized logging account and join the parent security account as members of the security services.

After you launch the CloudFormation template (attached), it provisions three Amazon Simple Storage Service (Amazon S3) buckets in the centralized logging account. One bucket stores all AWS-related logs (such as VPC Flow Logs, CloudTrail, and AWS Config logs) from all the accounts. The second bucket stores the CloudFormation templates for all the accounts. The third bucket stores the Amazon S3 server access logs.

A separate CloudFormation template creates the pipeline, which is sourced from an AWS CodeCommit repository. After code is pushed to the CodeCommit repository, the pipeline launches the resources and sets up the security services in all the accounts. For the structure of the files to upload to the repository, see the README.md file (attached).

Prerequisites and limitations

Prerequisites 

  • An AWS Organizations organization ID, with all accounts joined to the same organization.

  • An active email address to receive Amazon Simple Notification Service (Amazon SNS) notifications.

  • Confirmed quotas for Amazon Simple Storage Service (Amazon S3) buckets in each of your accounts. By default, each account has a quota of 100 S3 buckets. If you require additional buckets, request a quota increase before you deploy this solution.

Limitations 

All the accounts must be part of the same organization. The S3 bucket policies grant access to the organization by its ID, so if you are not using AWS Organizations, you must modify those policies (and any other policies that rely on the organization ID) to allow access from the specific IAM roles in each account instead.
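The following added example (not the bucket policy shipped in the attached template) shows the two forms this limitation describes and a check that flags an Allow statement whose organization condition was dropped without narrowing the principal. The bucket name, organization ID, and account ID are placeholders, and the service-principal source check and the s3:* check are checks I add here; the page does not describe the template's exact conditions.

```python
"""Audit an S3 log-bucket policy for organization scoping.

Added example, not the policy from the attached template. Bucket name,
organization ID and account ID are placeholders.
"""
import copy

# Constructed sample: the organization-scoped form, where any principal in the
# organization may write logs and CloudTrail delivery is pinned to one account.
ORG_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MembersWriteLogs",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:PutObject", "s3:GetBucketAcl"],
            "Resource": ["arn:aws:s3:::example-central-logs",
                         "arn:aws:s3:::example-central-logs/*"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
        {
            "Sid": "CloudTrailDelivery",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-central-logs/AWSLogs/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceAccount": "111111111111"}},
        },
    ],
}

# Constructed sample: the same policy edited for use without AWS Organizations,
# but the conditions were removed without listing the allowed accounts.
UNSCOPED_POLICY = copy.deepcopy(ORG_SCOPED_POLICY)
del UNSCOPED_POLICY["Statement"][0]["Condition"]
del UNSCOPED_POLICY["Statement"][1]["Condition"]["StringEquals"]["aws:SourceAccount"]

# Condition keys that pin a service principal to a caller (confused-deputy guard).
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:sourceorgid"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Lower-cased condition keys across all operators of a statement."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def audit_bucket_policy(policy):
    """Return one finding per Allow statement that is not safely scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for {"AWS": "*"}
            principal = {"AWS": "*"}
        aws_principals = _as_list(principal.get("AWS", []))
        services = _as_list(principal.get("Service", []))
        keys = _condition_keys(stmt)
        if "*" in aws_principals and "aws:principalorgid" not in keys:
            findings.append(f"{sid}: wildcard principal without aws:PrincipalOrgID; "
                            "scope it to the organization or list each account's role ARN")
        if services and not keys & SOURCE_KEYS:
            findings.append(f"{sid}: service principal without aws:SourceAccount or "
                            "aws:SourceArn; any account's trail could deliver into this bucket")
        if "s3:*" in _as_list(stmt.get("Action", [])):
            findings.append(f"{sid}: grants s3:*; log writers need only s3:PutObject")
    return findings


if __name__ == "__main__":
    for name, policy in ("org-scoped", ORG_SCOPED_POLICY), ("unscoped", UNSCOPED_POLICY):
        print(name, audit_bucket_policy(policy) or ["no findings"])
```

Run the check against the policy you end up with after editing it for a non-Organizations deployment: the org-scoped copy produces no findings, while the edited copy is reported twice, once for the now-unconditional wildcard principal and once for the CloudTrail statement that any account could now deliver into.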

Note: While the solution is being deployed, you must confirm the Amazon SNS subscription. The confirmation message is sent to the email address that you provide during deployment. Expect several alarm emails at that address during deployment: the IAM policy change alarm fires whenever IAM roles or policies are created or modified, and the deployment itself creates and modifies them. You can ignore these alert messages while the deployment is in progress; after deployment, treat the same alarms as actionable.

Architecture

Target technology stack  

  • Amazon CloudWatch alarms and logs

  • AWS CodeCommit repository

  • AWS CodePipeline

  • AWS Config

  • Amazon Detective

  • Amazon GuardDuty

  • IAM roles and permissions

  • Amazon Macie

  • S3 buckets

  • AWS Security Hub

  • Amazon SNS

Target architecture 

Diagram showing services in the three AWS accounts.
Diagrams showing details of logging and security services.

  1. Other accounts registered as child accounts of the parent security account for the security services

  2. Security findings from all the child accounts, including the parent account

Resources

The following resources are provisioned automatically in each account and AWS Region when code is pushed to the CodeCommit repository.

CloudFormation stack 1 – Logging parent stack

- Nested stack 1 – Standard IAM roles and policies

- Nested stack 2 – AWS Config setup in the account

- Nested stack 3 – CloudWatch alarms

    - SecurityGroupChangesAlarm

    - UnauthorizedAttemptAlarm

    - RootActivityAlarm

    - NetworkAclChangesAlarm

    - IAMUserManagementAlarm

    - IAMPolicyChangesAlarm

    - CloudTrailChangeAlarm

    - IAMCreateAccessKeyAlarm

    - Metric filters that create metrics from CloudTrail logs, which the alarms evaluate

    - SNS topic that the alarms notify

CloudFormation stack 2 – Parent guardrail stack

- Nested stack 1 – AWS Lambda function for setting up the account password policy

- Nested stack 2 – Basic AWS Config rules

    - CIS-SecurityGroupsMustRestrictSshTraffic

    - OpenSecurityGroupRuleCheck, with the Lambda function that evaluates security group rules

    - check-ec2-for-required-tag

    - check-for-unrestricted-ports

CloudFormation stack 3 – CloudWatch logs export

- Exports CloudWatch Logs log groups to Amazon S3 through a CloudWatch Logs subscription to Amazon Kinesis
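The alarms in nested stack 3 of stack 1 are driven by CloudWatch Logs metric filters over the CloudTrail log group. As an added example (not code from the attached templates), the following parses CloudWatch Logs JSON filter patterns and evaluates them against CloudTrail events. The patterns are the CIS AWS Foundations Benchmark patterns for four of the alarm names above (the IAM policy pattern is abbreviated); the template's own patterns are not reproduced on this page and are assumed to be similar. The sample events are constructed; the PutRolePolicy event shows why the IAM policy alarm fires while the deployment itself is creating roles.

```python
"""Evaluate CloudWatch Logs JSON filter patterns against CloudTrail events (added example, not
from the attached templates). Supports { }, ( ), &&, ||, = and != on $.selectors, NOT EXISTS,
quoted or bare values, '*' wildcards. Assumption: an absent selector matches neither = nor !=."""
import fnmatch
import re

TOKEN_RE = re.compile(r'\s*(?:(\$(?:\.\w+)+)|("(?:[^"\\]|\\.)*")|(\|\||&&|!=|=|[{}()])|([^\s{}()=!&|"]+))')
MISSING = object()  # distinguishes an absent field from a JSON null

def _lookup(event, path):
    """Walk a dotted selector into a nested dict; MISSING if any key is absent."""
    for key in path:
        if not isinstance(event, dict) or key not in event:
            return MISSING
        event = event[key]
    return event

def _tokenize(text):
    """Yield (kind, value): SEL path list, VAL quoted string (escapes kept), OP, or bare WORD."""
    pos, text = 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad token near {text[pos:pos + 12]!r}")
        sel, quoted, op, word = m.groups()
        if sel:
            yield "SEL", sel[2:].split(".")
        elif quoted:
            yield "VAL", quoted[1:-1]
        else:
            yield ("OP", op) if op else ("WORD", word)
        pos = m.end()

class FilterPattern:
    def __init__(self, pattern):  # recursive-descent parser plus evaluator for one pattern
        self.tokens, self.pos = list(_tokenize(pattern)), 0
        self._expect("{")
        self.tree = self._expr()
        self._expect("}")
    def _tok(self, ahead=0):
        i = self.pos + ahead
        return self.tokens[i] if i < len(self.tokens) else ("EOF", None)
    def _expect(self, op):
        if self._tok() != ("OP", op):
            raise ValueError(f"expected {op!r} at token {self.pos}")
        self.pos += 1
    def _binary(self, op, operand):  # left-associative chain: operand (op operand)*
        node = operand()
        while self._tok() == ("OP", op):
            self.pos += 1
            node = (op, node, operand())
        return node
    def _expr(self):  # expr := term ('||' term)*   term := factor ('&&' factor)*
        return self._binary("||", lambda: self._binary("&&", self._factor))
    def _factor(self):  # '(' expr ')' | SEL (= | !=) value | SEL NOT EXISTS
        kind, val = self._tok()
        self.pos += 1
        if (kind, val) == ("OP", "("):
            node = self._expr()
            self._expect(")")
            return node
        (kind2, op), (vkind, value) = self._tok(), self._tok(1)
        self.pos += 2
        if (kind, kind2, op, vkind, value) == ("SEL", "WORD", "NOT", "WORD", "EXISTS"):
            return ("notexists", val)
        if kind != "SEL" or kind2 != "OP" or op not in ("=", "!=") or vkind not in ("VAL", "WORD"):
            raise ValueError(f"unsupported construct at token {self.pos - 3}")
        return ("cmp", op, val, value)
    def matches(self, event, node=None):
        node = node or self.tree
        if node[0] in ("||", "&&"):
            left, right = self.matches(event, node[1]), lambda: self.matches(event, node[2])
            return (left or right()) if node[0] == "||" else (left and right())
        if node[0] == "notexists":
            return _lookup(event, node[1]) is MISSING
        _, op, path, expected = node
        actual = _lookup(event, path)
        if actual is MISSING:
            return False
        hit = fnmatch.fnmatchcase(str(actual), expected)  # '*' wildcard, case-sensitive
        return hit if op == "=" else not hit

# CIS Benchmark patterns for four of the alarms above; IAMPolicyChangesAlarm abbreviated to role events.
ALARM_PATTERNS = {
    "RootActivityAlarm": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }',
    "UnauthorizedAttemptAlarm": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
    "CloudTrailChangeAlarm": '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }',
    "IAMPolicyChangesAlarm": '{ ($.eventName = PutRolePolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) }',
}
COMPILED = {name: FilterPattern(p) for name, p in ALARM_PATTERNS.items()}

def alarms_for(event):  # names of the alarms whose metric filter this CloudTrail event increments
    return [name for name, fp in COMPILED.items() if fp.matches(event)]

# Constructed CloudTrail events, reduced to the fields the patterns read; the last one is the
# PutRolePolicy call CloudFormation makes during deployment, which trips the IAM policy alarm.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"}},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall", "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"type": "IAMUser"}},
    {"eventName": "PutRolePolicy", "eventType": "AwsApiCall", "userIdentity": {"type": "AssumedRole", "invokedBy": "cloudformation.amazonaws.com"}},
]
```

Run `alarms_for(event)` over each sample to see which alarm a given CloudTrail record would increment; the same evaluator is a quick way to test a pattern you are about to put in a template before any alarm exists to fire.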

Tools

  • AWS CloudFormation – AWS CloudFormation uses templates to model and provision, in an automated and secure manner, all the resources needed for your applications across all AWS Regions and accounts.

  • Amazon CloudWatch – Amazon CloudWatch monitors your AWS resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications.

  • AWS CodeCommit – AWS CodeCommit is a version-control service hosted by AWS. You can use CodeCommit to privately store and manage assets (such as documents, source code, and binary files) in the cloud.

  • AWS CodePipeline – AWS CodePipeline is a continuous delivery service that you can use to model, visualize, and automate the steps required to release your software.

  • AWS Config – AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

  • Amazon Detective – Amazon Detective is used to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your AWS resources. It then uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations.

  • Amazon GuardDuty – Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the flow logs, CloudTrail management event logs, CloudTrail data event logs, and Domain Name System (DNS) logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment.

  • AWS Identity and Access Management – AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

  • Amazon Macie – Amazon Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and financial data, to provide you with a better understanding of the data that your organization stores in Amazon S3.

  • Amazon S3 – Amazon Simple Storage Service (Amazon S3) is a highly scalable object storage service that can be used for a wide range of storage solutions, including websites, mobile applications, backups, and data lakes.

  • AWS Security Hub – AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security standards and best practices.

  • Amazon SNS – Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers).

Epics

Step 1. Create the IAM role in all accounts

Task: Launch the Childaccount_IAM_role_All_Accounts.yaml CloudFormation template to create the IAM role in the us-east-1 Region.

Description: To create the required IAM role and permissions, manually launch this template in each account, one by one (the centralized logging account, the parent security account, and every other account in the organization), in the us-east-1 Region. The Childaccount_IAM_role_All_Accounts.yaml template is in the /templates/initial_deployment_templates directory of the package. The role is assumed when making the API calls that provision and configure the rest of the architecture, so the role name that you pass as a parameter must be identical in every account.

Skills required: Cloud architect

Task: In the template parameters, provide the name of the IAM role.

Description: Provide the name of the IAM role that CodeBuild, running in the parent security account, assumes in all the other accounts. The default role name is security_execute_child_stack_role.

Skills required: Cloud architect

Task: In the parameters, provide the account ID of the parent security account.

Description: The parent security account is the account where CodeBuild runs, so it is the account that must be able to assume the role.

Skills required: Cloud architect

Step 2. Create the S3 buckets in the centralized logging account

Task: In the centralized logging account, in us-east-1, launch the S3Buckets-Centralized-LoggingAccount.yaml CloudFormation template.

Description: To create the S3 buckets in the centralized logging account, launch the S3Buckets-Centralized-LoggingAccount.yaml template. The template is in the /templates/initial_deployment_templates directory of the package. The S3 buckets store all the logs, the templates, and the Amazon S3 access logs. Make a note of all the S3 bucket names; you will use them to modify the parameter files in the following steps.

Skills required: Cloud architect

Task: In the template parameters, provide the name of the S3 bucket for AWS logs storage.

Description: Enter a name in the S3 Bucket Name for Centralized Logging in Logging Account parameter. This bucket is the centralized location for AWS logs, such as flow logs and CloudTrail logs, from all the accounts. Make a note of both the bucket name and its Amazon Resource Name (ARN).

Skills required: Cloud architect

Task: Provide the name of the S3 bucket for storing access logs.

Description: Enter an S3 bucket name in the S3 Bucket Name for Access Logs in Logging Account parameter. This bucket stores the Amazon S3 server access logs.

Skills required: Cloud architect

Task: Provide the name of the S3 bucket for storing templates.

Description: Enter an S3 bucket name in the S3 Bucket Name for CloudFormation Template storage in Logging Account parameter.

Skills required: Cloud architect

Task: Provide the organization ID.

Description: To grant the accounts in the organization access to the S3 buckets, enter the organization ID in the Organization Id for Non-AMS accounts parameter.

Skills required: Cloud architect

Step 3. Create the CI/CD pipeline in the parent security account

Task: Launch the security-guard-rails-codepipeline-Centralized-SecurityAccount.yml CloudFormation template.

Description: To deploy the CI/CD pipeline, manually launch the security-guard-rails-codepipeline-Centralized-SecurityAccount.yml template in the parent security account in us-east-1. The template is in the /templates/initial_deployment_templates directory of the package. This pipeline deploys all the infrastructure in all the child accounts.

Skills required: Cloud architect

Task: Provide the name of the S3 bucket that stores templates in the centralized logging account.

Description: Enter the name that you provided for the S3 Bucket Name for CloudFormation Template storage in Logging Account parameter in Step 2.

Skills required: Cloud architect

Task: Provide the name of the IAM role to be used in the child accounts.

Description: Enter the name that you provided for the Name of the IAM role parameter in Step 1.

Skills required: Cloud architect

Task: Provide an active email address for receiving CodePipeline failure notifications.

Description: Enter the email address that will receive CodePipeline failure notifications and the other CloudWatch alarm notifications.

Skills required: Cloud architect

Step 4. Modify the configuration files

Task: Modify Accountlist.json.

Description: In the Accountlist.json file, which is at the top level of the package, add the parent security account number and the child account numbers. Note that the ChildAccountList field also includes the parent security account number. See the example in the deployment-instructions.md file in the package.

Skills required: Cloud architect

Task: Modify accounts.csv.

Description: In the accounts.csv file, which is at the top level of the package, add all the child accounts along with the email address registered with each account. See the example in the deployment-instructions.md file.

Skills required: Cloud architect

Task: Modify parameters.config.

Description: In the parameters.config file, which is in the /templates folder, update the following six parameters:

  • pNotifyEmail: The email address that you provided when you set up the pipeline (see Step 3)

  • pstackNameLogging: The name of the CloudFormation stack for centralized logging

  • pS3LogsBucket: The name of the S3 bucket where logs from all accounts are stored (see Step 2)

  • pBucketName: The ARN of the S3 bucket used to store the logs

  • pTemplateBucketName: The name of the S3 bucket where templates are stored (see Step 2)

  • pAllowedAccounts: The account IDs of the parent and child accounts

For the other parameters, you can keep the default values. For an example, see the deployment-instructions.md file in the package.

Skills required: Cloud architect

Step 5. Push the code to the CodeCommit repository

Task: Access the CodeCommit repository that you created in Step 3.

Description: From the Outputs section of the CI/CD infrastructure CloudFormation stack that you launched in Step 3, note the CodeCommit repository URL. Set up access to the repository so that you can push the files that deploy the infrastructure in all the target accounts. For more information, see Setting up for AWS CodeCommit.

Skills required: Cloud architect

Task: Push the files to the CodeCommit repository.

Description: Install Git on your machine. Then clone the empty repository, copy the package files into the repository folder, and push them to the repository. Sample Git commands are in the deployment-instructions.md file in the package; for basic Git commands, see the Related resources section.

Skills required: Cloud architect

Step 6. Confirm the deployment

Task: Confirm the status of CodePipeline and CodeBuild.

Description: After you push the artifacts to the CodeCommit repository, confirm that the pipeline that you created in Step 3 has started. Then check the CodeBuild logs for the status of the build and any errors.

Skills required: Cloud architect

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip