Apply security services across your AWS organization - AWS Prescriptive Guidance

Apply security services across your AWS organization

The security categories we discussed earlier in the Security foundations section are organized functionally, to represent areas of focus for your cloud security strategy. Another way to group services is by their intended scope of control. This perspective focuses on where to configure and manage AWS security services to deploy appropriate layers of defense in the AWS Organizations hierarchy. For example, some services and features are best used to implement controls for your AWS organization. Others are best used to protect individual resources within an AWS account. Understanding the scope of influence of each service helps you adopt a defense-in-depth strategy. Thinking about services in this way helps ensure that your layers of security appropriately complement one another. With this perspective, you can answer questions both from the top down (for example, “Which services apply security controls across my entire AWS organization?”) and from the bottom up (for example, “Which services apply controls to this particular resource?”). In this section, we walk through the elements of an AWS environment—organization, OU, account, network, principal, resource—and identify the associated security services and features. Further discussion of the individual services within each AWS account follows in the next section.

Organization-wide or multiple accounts

At the top level, there are AWS services and features that are designed to apply governance and control capabilities or guardrails across multiple accounts in an AWS organization (including the entire organization or specific OUs). Service control policies (SCPs) are a good example of an IAM feature that is designed as an AWS organization-wide guardrail. Another example is AWS CloudTrail, which supports an organization trail that will log all events for all AWS accounts in that AWS organization. This comprehensive trail is distinct from individual trails that might be created in each account. A third example is AWS Firewall Manager, which you can use to configure and apply AWS WAF rules, AWS WAF Classic rules, AWS Shield Advanced protections, Amazon Virtual Private Cloud (Amazon VPC) security groups, AWS Network Firewall policies, and Amazon Route 53 resolver DNS firewall policies across your AWS organization.

Some security services (marked with an asterisk * in the following diagram) operate with a dual scope: organization-wide and account-focused. These services fundamentally monitor or control security within an individual account. However, some configurations, and often the results from multiple accounts, can be aggregated to an organization-wide account for centralized visibility and management. For example, an SCP applies across an entire OU or AWS organization by default. In contrast, Amazon GuardDuty can be configured and managed both at the account level (where individual findings are generated) and at the AWS organization level (via the delegated administrator feature) where findings can be managed in aggregate.

            Organization-wide and account-focused security services

AWS accounts

Within OUs, there are services that protect multiple types of elements within an AWS account. The following diagram illustrates these services. For example, AWS Secrets Manager is often managed from, and protects resources for, a single account. Amazon GuardDuty monitors resources and activity associated with a single account. As mentioned in the previous section, some of these services can also be configured and administered within AWS Organizations, so they can be managed across multiple accounts (which do not all have to be in the same AWS organization). These services (denoted with an asterisk *) also make it easier to aggregate results from multiple accounts and deliver those to a single account. This gives individual application teams the flexibility and visibility to manage specific security needs while also allowing governance and visibility to centralized security teams. Amazon GuardDuty is a good example of such a service. GuardDuty findings from multiple member accounts (such as all accounts in an AWS organization) can be collected, viewed, and managed from a delegated administrator account.

            Security services that protect multiple types of elements within an AWS

Virtual network and compute infrastructure

Because network access is so critical in security, and compute infrastructure is a fundamental component of many AWS workloads, there are many AWS security services and features that are dedicated to these resources. For example, Amazon Inspector helps check for unintended network accessibility of your Amazon Elastic Compute Cloud (Amazon EC2) instances and for vulnerabilities on those EC2 instances. VPC endpoints enable you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring additional network access services such as internet gateways. The following diagram illustrates security services that focus on network or compute infrastructure.

            Security services that focus on network or compute infrastructure

Principals and resources

IAM principals and resources are the fundamental building blocks (along with policies) of identity and access management in AWS. An IAM principal is an entity in AWS that can perform actions and access resources. A principal can be an AWS account root user, an IAM user, or a role. A resource is an object that exists within an AWS service. Examples include an EC2 instance, an Amazon Simple Notification Service (Amazon SNS) topic, and an S3 bucket. You can associate permissions with a principal to grant or restrict the principal’s actions and their access to resources. You can also associate permissions with a resource to grant or restrict which principals can access or act on that resource. IAM identity-based (or resource-based) policies are typically used for these respective permission controls. The IAM resources section dives deeper into the types of IAM policies and how they are used.

The following diagram illustrates AWS security services and features for account principals.

            AWS security services and features for account principals

The following diagram illustrates services and features for account resources.

            AWS security services and features for account resources