Code repository for AWS SRA examples - AWS Prescriptive Guidance



To help you get started building and implementing the guidance in the AWS SRA, an infrastructure as code (IaC) repository at https://github.com/aws-samples/aws-security-reference-architecture-examples accompanies this guide. This repository contains code to help developers and engineers deploy some of the guidance and architecture patterns presented in this document. This code is drawn from AWS Professional Services consultants' first-hand experience with customers. The templates are general in nature: their goal is to illustrate an implementation pattern rather than provide a complete solution. The AWS service configurations and resource deployments are deliberately very restrictive. You might need to modify and tailor these solutions to suit your environment and security needs.

The AWS SRA code repository provides two solution patterns: one requires AWS Control Tower and the other uses AWS Organizations without AWS Control Tower. The solutions in this repository that require AWS Control Tower have been deployed and tested within an AWS Control Tower environment by using AWS CloudFormation and Customizations for AWS Control Tower (CfCT). Solutions that don’t require AWS Control Tower have been tested within an AWS Organizations environment by using AWS CloudFormation. The CfCT solution helps customers quickly set up a secure, multi-account AWS environment based on AWS best practices. It helps save time by automating the setup of an environment for running secure and scalable workloads while implementing an initial security baseline through the creation of accounts and resources. AWS Control Tower also provides a baseline environment to get started with a multi-account architecture, identity and access management, governance, data security, network design, and logging. The solutions in the AWS SRA repository provide additional security configurations to implement the patterns described in this document.

Here is a summary of the solutions in the AWS SRA repository. Each solution includes a README.md file with details.

  • The CloudTrail Organization solution creates an organization trail within the Org Management account and delegates administration to a member account such as the Audit or Security Tooling account. This trail is encrypted with a customer managed key created in the Security Tooling account and delivers logs to an S3 bucket in the Log Archive account. Optionally, data events can be enabled for Amazon S3 and AWS Lambda functions. An organization trail logs events for all AWS accounts in the AWS organization while preventing member accounts from modifying the configurations.

  • The GuardDuty Organization solution enables Amazon GuardDuty by delegating administration to the Security Tooling account. It configures GuardDuty within the Security Tooling account for all existing and future AWS organization accounts. The GuardDuty findings are also encrypted with a KMS key and sent to an S3 bucket in the Log Archive account.

  • The Security Hub Organization solution configures AWS Security Hub by delegating administration to the Security Tooling account. It configures Security Hub within the Security Tooling account for all existing and future AWS organization accounts. The solution also provides parameters for synchronizing the enabled security standards across all accounts and Regions as well as configuring a Region aggregator within the Security Tooling account. Centralizing Security Hub within the Security Tooling account provides a cross-account view of security standards compliance and findings from both AWS services and third-party AWS Partner integrations.

  • The Inspector solution configures Amazon Inspector within the delegated administrator (Security Tooling) account for all accounts and governed Regions under the AWS organization.

  • The Firewall Manager solution configures AWS Firewall Manager security policies by delegating administration to the Security Tooling account and configuring Firewall Manager with a security group policy and multiple AWS WAF policies. The security group policy requires a maximum-allowed security group in a VPC; the solution deploys this security group, in either an existing VPC or one that the solution creates.

  • The Macie Organization solution enables Amazon Macie by delegating administration to the Security Tooling account. It configures Macie within the Security Tooling account for all existing and future AWS organization accounts. Macie is further configured to send its discovery results to a central S3 bucket that is encrypted with a KMS key.

  • AWS Config

    • The Config Aggregator solution configures an AWS Config aggregator by delegating administration to the Security Tooling account. The solution then configures an AWS Config aggregator within the Security Tooling account for all existing and future accounts in the AWS organization.

    • The Conformance Pack Organization Rules solution deploys AWS Config rules by delegating administration to the Security Tooling account. It then creates an organization conformance pack within the delegated administrator account for all existing and future accounts in the AWS organization. The solution is configured to deploy the Operational Best Practices for Encryption and Key Management conformance pack sample template.

    • The AWS Config Control Tower Management Account solution enables AWS Config in the AWS Control Tower management account and updates the AWS Config aggregator within the Security Tooling account accordingly. The solution uses the AWS Control Tower CloudFormation template for enabling AWS Config as a reference to ensure consistency with the other accounts in the AWS organization.

  • IAM

    • The Access Analyzer solution enables AWS IAM Access Analyzer by delegating administration to the Security Tooling account. It then configures an organization-level Access Analyzer within the Security Tooling account for all existing and future accounts in the AWS organization. The solution also deploys Access Analyzer to all member accounts and Regions to support analyzing account-level permissions.

    • The IAM Password Policy solution updates the AWS account password policy within all accounts in an AWS organization. The solution provides parameters for configuring the password policy settings to help you align with industry compliance standards.

  • The EC2 Default EBS Encryption solution enables account-level, default Amazon EBS encryption within each AWS account and AWS Region in the AWS organization. It enforces the encryption of new EBS volumes and snapshots that you create. For example, Amazon EBS encrypts the EBS volumes that are created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.

  • The S3 Block Account Public Access solution enables Amazon S3 account-level settings within each AWS account in the AWS organization. The Amazon S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don't allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access. Amazon S3 Block Public Access settings override these policies and permissions so that you can limit public access to these resources.

  • The Detective Organization solution automates enabling Amazon Detective by delegating administration to an account (such as the Audit or Security Tooling account) and configuring Detective for all existing and future AWS organization accounts.
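The S3 Block Account Public Access bullet above states that account-level Block Public Access settings override bucket policies and permissions. The following added example (written for this page; it is not code from the AWS SRA repository or from this guide) models the documented rule behind that statement: S3 applies the most restrictive combination of the account-level and bucket-level settings, and each of the four settings blocks a different path to public access. The scenario values are constructed, the class and function names are this example's own, and the assumption that the solution's baseline enables all four settings is labelled in the code.

```python
"""Added example (not code from the AWS SRA repository or this guide).

Models how Amazon S3 Block Public Access settings combine and what each
of the four settings does, following the documented rule that S3 applies
the most restrictive combination of the account-level and bucket-level
settings.  All account and bucket settings below are constructed sample
values; class and function names are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicAccessBlock:
    """The four Block Public Access settings (the PublicAccessBlock configuration)."""
    block_public_acls: bool = False
    ignore_public_acls: bool = False
    block_public_policy: bool = False
    restrict_public_buckets: bool = False


def effective_settings(account: PublicAccessBlock, bucket: PublicAccessBlock) -> PublicAccessBlock:
    """Combine account-level and bucket-level settings.

    A setting is in effect if it is enabled at either level (most restrictive
    wins), which is why an account-level block overrides a bucket owner's more
    permissive bucket-level choice.
    """
    return PublicAccessBlock(
        block_public_acls=account.block_public_acls or bucket.block_public_acls,
        ignore_public_acls=account.ignore_public_acls or bucket.ignore_public_acls,
        block_public_policy=account.block_public_policy or bucket.block_public_policy,
        restrict_public_buckets=account.restrict_public_buckets or bucket.restrict_public_buckets,
    )


def put_public_acl_allowed(eff: PublicAccessBlock, acl_grants_public: bool) -> bool:
    """BlockPublicAcls: reject ACL writes (bucket or object) that grant public access."""
    return not (acl_grants_public and eff.block_public_acls)


def put_bucket_policy_allowed(eff: PublicAccessBlock, policy_grants_public: bool) -> bool:
    """BlockPublicPolicy: reject a bucket policy write when the policy grants public access."""
    return not (policy_grants_public and eff.block_public_policy)


def anonymous_access_granted(eff: PublicAccessBlock, acl_is_public: bool, policy_is_public: bool) -> bool:
    """Is an anonymous request honoured at request time, given grants that already exist?

    IgnorePublicAcls makes S3 ignore public ACLs that are already on the bucket
    or its objects.  RestrictPublicBuckets limits a bucket that has a public
    policy to AWS service principals and authorized users in the bucket owner's
    account, so anonymous requests through that policy are denied.
    """
    via_acl = acl_is_public and not eff.ignore_public_acls
    via_policy = policy_is_public and not eff.restrict_public_buckets
    return via_acl or via_policy


def sra_account_baseline() -> PublicAccessBlock:
    """Account-level settings with all four blocks enabled.

    Assumption: this matches what the S3 Block Account Public Access solution
    applies by default; check the solution's README.md for its parameters.
    """
    return PublicAccessBlock(True, True, True, True)


def evaluate(account: PublicAccessBlock, bucket: PublicAccessBlock,
             acl_is_public: bool, policy_is_public: bool) -> dict:
    """Summarise what the combined settings do for one bucket."""
    eff = effective_settings(account, bucket)
    return {
        "can_put_public_acl": put_public_acl_allowed(eff, True),
        "can_put_public_policy": put_bucket_policy_allowed(eff, True),
        "anonymous_access_now": anonymous_access_granted(eff, acl_is_public, policy_is_public),
    }


if __name__ == "__main__":
    # Constructed scenario: a bucket that was made public (public policy and a
    # public ACL) before the account-level block was applied, with all
    # bucket-level settings left off by the bucket owner.
    print(evaluate(sra_account_baseline(), PublicAccessBlock(), True, True))
    # The same bucket in an account where nothing is blocked at either level.
    print(evaluate(PublicAccessBlock(), PublicAccessBlock(), True, True))
```

The point the model makes concrete is that the account-level setting the solution applies does not just stop future public grants (BlockPublicAcls and BlockPublicPolicy); IgnorePublicAcls and RestrictPublicBuckets also neutralise public grants that already exist, which is what makes the account-level control an effective guardrail rather than only a preventive one.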