Code repository for AWS SRA examples - AWS Prescriptive Guidance

Code repository for AWS SRA examples

This document is accompanied by a GitHub repository at https://github.com/aws-samples/aws-security-reference-architecture-examples. This repository contains templates and deployable examples that illustrate some of the patterns presented previously in this document. The AWS services and infrastructure deployed in these templates are deliberately scoped to least privilege and are intended for you to tailor and extend to fit the needs of your environment.

The initial set of solutions is built by using AWS CloudFormation and Python scripts. Deployment configurations are based on the Customizations for AWS Control Tower solution, the AWS Landing Zone solution, and AWS CloudFormation StackSets. The AWS Control Tower and AWS Landing Zone solutions help customers quickly set up a secure, multi-account AWS environment based on AWS best practices. These solutions save time by automating the setup of an environment for running secure and scalable workloads while implementing an initial security baseline through the creation of accounts and resources. They also provide a baseline environment to get started with a multi-account architecture, identity and access management, governance, data security, network design, and logging. The solutions in the AWS SRA repository provide configurations to implement the patterns described in this document.

Here is a summary of the initial solutions in the AWS SRA repository. Each solution folder includes a README.md file with details.

  • The Organization CloudTrail solution creates an organization trail within the Org Management account. This trail is encrypted with a customer master key (CMK) that is managed in the Security Tooling account, and delivers logs to an S3 bucket in the Log Archive account. Optionally, data events can be enabled for Amazon S3 and Lambda functions. An organization trail logs events for all AWS accounts in the AWS organization while preventing member accounts from modifying the configurations.

  • The AWS Config Aggregator Account solution enables an AWS Config aggregator in a specified account and creates authorizations within each member account. This solution assumes that AWS Config has already been enabled in each member account of the AWS organization. The solution includes a scheduled Lambda function that checks each day for any new member accounts that have been added to the AWS organization. If so, the solution adds them to the aggregator.

  • The Organization AWS Config Conformance Pack solution deploys AWS Config Rules by delegating administration to a member account within the AWS organization. It then creates an organization conformance pack within the delegated administrator account for all existing and future accounts in the AWS organization. This solution deploys the following sample templates: AWS Control Tower Detective Guardrails Conformance Pack and Operational Best Practices for Encryption and Key Management.

  • The Organization GuardDuty solution enables Amazon GuardDuty by delegating administration to a member account within the AWS organization. It configures GuardDuty within the delegated administrator account for all existing and future AWS organization accounts. The GuardDuty findings are also encrypted with a KMS key and sent to an S3 bucket in the Log Archive account.

  • The Organization Macie solution enables Amazon Macie by delegating administration to a member account within the AWS organization. It configures Macie within the delegated administrator account for all existing and future AWS organization accounts. Macie is further configured to send its discovery results to a central S3 bucket that is encrypted with a KMS key.

  • The SecurityHub Enabler solution enables AWS Security Hub in each AWS organization account and each configured AWS Region, with the Security Tooling account as the administrator account. The solution also provides optional configurations to enable security standards and third-party partner integrations. Centralizing Security Hub within the Security Tooling account provides a cross-account view of security standards compliance and findings from both AWS services and third-party partner integrations.

  • The Organization AWS Firewall Manager solution configures AWS Firewall Manager security policies by delegating administration to the Security Tooling account and configuring Firewall Manager with a security group policy and multiple AWS WAF policies. The security group policy requires a maximum allowed security group within a VPC; the solution deploys this security group and uses either an existing VPC or one that it creates.
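The Organization CloudTrail pattern above can be checked from a trail description. The following Python is an added example, not code from the AWS SRA repository: it evaluates one entry of the shape returned by CloudTrail's describe_trails API against that pattern, assuming you know the Security Tooling account ID and the Log Archive bucket name, and it also checks that the trail is multi-Region, which the text does not mention.

```python
"""Check an organization trail against the AWS SRA Organization CloudTrail
pattern: organization trail, KMS key owned by the Security Tooling account,
and log delivery to the Log Archive bucket (added example, not SRA code)."""

# Constructed sample of a describe_trails() "trailList" entry; the account ID,
# key ID and bucket name are made up for this example.
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-log-archive-cloudtrail",
    "IsOrganizationTrail": True,
    "IsMultiRegionTrail": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:222222222222:key/0f1e2d3c-example",
}


def kms_key_account(key_arn):
    """Account ID field of a KMS key ARN, or '' if the value is not an ARN."""
    parts = (key_arn or "").split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else ""


def check_org_trail(trail, security_tooling_account, log_archive_bucket):
    """Return a list of deviations from the pattern; empty means compliant."""
    findings = []
    if not trail.get("IsOrganizationTrail"):
        findings.append("not an organization trail: member accounts are not covered")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-Region trail: activity in other Regions is not logged")
    key_arn = trail.get("KmsKeyId")
    if not key_arn:
        findings.append("log files are not encrypted with a KMS key")
    elif kms_key_account(key_arn) != security_tooling_account:
        findings.append(f"KMS key belongs to account {kms_key_account(key_arn) or '?'}, "
                        "not the Security Tooling account")
    if trail.get("S3BucketName") != log_archive_bucket:
        findings.append(f"logs are delivered to bucket {trail.get('S3BucketName')!r}, "
                        "not the Log Archive bucket")
    return findings


def check_live_trails(security_tooling_account, log_archive_bucket, region="us-east-1"):
    """Run the check against the caller's AWS credentials (boto3 assumed installed)."""
    import boto3  # imported here so the pure check above runs without boto3
    client = boto3.client("cloudtrail", region_name=region)
    trails = client.describe_trails(includeShadowTrails=False)["trailList"]
    return {t["Name"]: check_org_trail(t, security_tooling_account, log_archive_bucket)
            for t in trails}


if __name__ == "__main__":
    for f in check_org_trail(SAMPLE_TRAIL, "222222222222", "example-log-archive-cloudtrail"):
        print("FINDING:", f)
```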