AWS Account Structure
Follow these guidelines when setting up accounts for each stack:
Hub Account
The Hub stack contains all compute and storage resources of the solution to facilitate scans. Select a member account within your AWS Organization to deploy the Hub stack. Since this account will have read access to resource names and policies in all spoke accounts, including bucket names and secret names, choose an account that you protect as carefully as the most sensitive target account you intend to scan.
Important: Avoid using the Organizations management account as your Hub account, as it’s best practice to keep the management account free from operational workloads.
Spoke Accounts
Deploy the Spoke stack to any member account within your AWS Organization that requires assessment, including the Hub account itself. This stack consists of a single IAM role that grants read access to the policies of all supported services.
For efficient deployment across multiple AWS accounts, consider using CloudFormation StackSets.
Organizations Management Account
The Org-Management stack must be deployed in your Organizations management account. This stack consists of a single IAM role that will be assumed by the Hub stack's Lambda function and grants only the minimum permissions required to read Organization data. This role enables:
- Reading account information (listing accounts and their parent relationships)
- Reading Delegated Administrator configurations and their services
- Viewing AWS service access settings for the Organization
- Reading and listing Organization policies
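As an added illustration (not the solution's own CloudFormation template), the following Python builds the trust policy and permissions policy such an Org-Management role needs for the four read capabilities above, and checks that every granted action is a read-only Organizations call. The Hub account ID and Lambda role name are placeholders, and the grouping of actions is this example's assumption.

```python
import re

# Constructed placeholder values; replace with the real Hub account ID and role name.
HUB_ACCOUNT_ID = "111111111111"
HUB_LAMBDA_ROLE = "HubAssessmentLambdaRole"

# Real IAM action names, grouped to match the four capabilities listed above.
# The grouping is an assumption of this example, not the solution's own policy.
ORG_READ_ACTIONS = {
    "account_info": ["organizations:ListAccounts", "organizations:ListParents",
                     "organizations:DescribeAccount"],
    "delegated_admins": ["organizations:ListDelegatedAdministrators",
                         "organizations:ListDelegatedServicesForAccount"],
    "service_access": ["organizations:ListAWSServiceAccessForOrganization"],
    "policies": ["organizations:ListPolicies", "organizations:DescribePolicy",
                 "organizations:ListPoliciesForTarget"],
}

def trust_policy(hub_account_id: str, hub_role_name: str) -> dict:
    """Trust only the Hub stack's Lambda role, not the whole Hub account root."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{hub_account_id}:role/{hub_role_name}"},
            "Action": "sts:AssumeRole",
        }],
    }

def permissions_policy() -> dict:
    """Single Allow statement over the read actions; Organizations APIs are account-scoped."""
    actions = sorted(a for group in ORG_READ_ACTIONS.values() for a in group)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

READ_ONLY = re.compile(r"^organizations:(List|Describe|Get)\w+$")

def non_read_actions(policy: dict) -> list:
    """Return every action that is not a read-only Organizations call; empty means OK."""
    bad = []
    for stmt in policy["Statement"]:
        acts = stmt["Action"]
        acts = [acts] if isinstance(acts, str) else acts
        bad.extend(a for a in acts if not READ_ONLY.match(a))
    return bad

if __name__ == "__main__":
    print(trust_policy(HUB_ACCOUNT_ID, HUB_LAMBDA_ROLE))
    print("non-read actions:", non_read_actions(permissions_policy()))
```

Running `non_read_actions` against the generated policy returns an empty list; feeding it a policy that adds a write action such as `organizations:CreateAccount` flags that action.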