AWS Security Reference Architecture Examples

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

---

⚠️Influence the future of the AWS Security Reference Architecture (AWS SRA) code library by taking a short survey.

Table of Contents

• Introduction
• Getting started
• Deployment with CloudFormation
  • Using AWS SRA in AWS Control Tower Environments
    • AWS SRA Easy Setup with an AWS Control Tower Landing Zone (Recommended)
    • Manual Setup in AWS Control Tower Environments
  • Using AWS SRA in AWS Organizations Environments with CloudFormation
    • Easy Setup in AWS Organizations Environments (Recommended)
    • Manual Setup in AWS Organizations
  • Easy Setup with CloudFormation Details
  • Quick Setup with CloudFormation (Deprecated)
• Deployment with Terraform
• Example Solutions
• Utils
• Environment Setup
• Repository and Solution Naming Convention
• Frequently Asked Questions
• License Summary

Introduction

This repository contains code to help developers and engineers deploy AWS security-related services in either an AWS Organizations multi-account environment with or without AWS Control Tower as it's landing zone following patterns that align with the AWS Security Reference Architecture. The Amazon Web Services (AWS) Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment.

The AWS service configurations and resources (e.g. IAM roles and policies) deployed by these templates are deliberately very restrictive. They are intended to illustrate an implementation pattern rather than provide a complete solution. You may need to modify and tailor these solutions to suit your environment and security needs.

For the solutions within this repository that require AWS Control Tower, they have been deployed and tested within an AWS Control Tower environment using AWS CloudFormation, Customizations for AWS Control Tower (CFCT), and Terraform.

For those solutions that do not require AWS Control Tower, they have been tested within an AWS Organizations environment using AWS CloudFormation, and Terraform.

Getting started

Whether you're new to AWS security or looking to enhance your existing setup, our code library provides comprehensive solutions to help fortify your AWS environments. Deploying the AWS SRA code library can be deployed using two different methods: AWS CloudFormation and Terraform.

Deployment with CloudFormation

Using AWS SRA in AWS Control Tower Environments

For multi-account environments that use (or will use) the AWS Control Tower landing zone, you can install the AWS SRA code solutions using the instructions in this section.

AWS SRA Easy Setup with an AWS Control Tower Landing Zone (Recommended)

1. Setup the environment to configure AWS Control Tower within a new or existing AWS account. Existing AWS Control Tower environments can also be used but may require existing service configurations to be removed.
2. Choose a deployment method:
   • AWS CloudFormation StackSets/Stacks - CFN AWS SRA Easy Setup Implementation Details
     • See AWS CloudFormation Documentation for more information.
   • Customizations for AWS Control Tower (CfCT) - CfCT AWS SRA Easy Setup Implementation Details
     • See CfCT Documentation for more information.
3. If using CfCT, deploy the AWSControlTowerExecution role into the management account.
4. Using parameters within the easy setup template file, choose which AWS SRA Solutions to deploy. This can be done during initial setup or as an update later.

For more information view the AWS SRA Easy Setup solution page.

Manual Setup in AWS Control Tower Environments

1. Setup the environment to configure AWS Control Tower within a new or existing AWS account. Existing AWS Control Tower environments can also be used but may require existing service configurations to be removed.
2. Deploy the Common Prerequisites solution. Note: This only needs to be done once for all the solutions.
3. Choose a deployment method:
   • AWS CloudFormation StackSets/Stacks - AWS Documentation
   • Customizations for AWS Control Tower (CfCT) - Solution Documentation
4. (Optional) - Deploy the Customizations for AWS Control Tower (CFCT) Setup solution. Note Only implement if the CFCT deployment method was selected.
5. Per your requirements select one or all of the below AWS SRA Solutions to implement via the selected deployment method.
   • You may use the Quick Setup to deploy the AWS SRA Solutions at this step.

Using AWS SRA in AWS Organizations Environments with CloudFormation

For multi-account environments that use AWS Organizations and do NOT have an AWS Control Tower landing zone installed, you can install the AWS SRA code solutions using the instructions in this section.

Easy Setup in AWS Organizations Environments (Recommended)

1. Setup the environment to configure AWS Organizations within a new or existing AWS account. Existing AWS Organizations environments can also be used but may require existing service configurations to be removed.
   • The Security Tooling and Log Archive accounts must be created or already be part of the existing AWS Organizations environment (though they may be named differently in your environment).
   • It is recommended that the OU structure is setup in alignment with the AWS SRA design guidance
2. Deploy using CloudFormation
   • CloudFormation StackSets/Stacks AWS SRA Easy Setup Implementation Details
     • See AWS CloudFormation Documentation for more information.
3. Using parameters within the easy setup template file, choose which AWS SRA Solutions to deploy. This can be done during initial setup or as an update later.

For more information view the AWS SRA Easy Setup solution page.

Manual Setup in AWS Organizations

1. Setup the environment to configure AWS Organizations within a new or existing AWS account. Existing AWS Organizations environments can also be used but may require existing service configurations to be removed.
   • The Security Tooling and Log Archive accounts must be created or already be part of the existing AWS Organizations environment (though they may be named differently in your environment).
   • It is recommended that the OU structure is setup in alignment with the AWS SRA design guidance
2. Deploy the Common Prerequisites solution. Note: This only needs to be done once for all the solutions.
3. Per your requirements select one or all of the below AWS SRA Solutions to implement via CloudFormation.
   • You may use the Quick Setup to deploy the AWS SRA Solutions at this step.

Easy Setup with CloudFormation Details

Using the AWS SRA Easy Setup, the common prerequisites and all AWS SRA solutions are automatically packaged, staged, and deployed into your AWS environment with minimal effort. This is the recommended method to install the AWS SRA code library because it reduces the likelihood of missing a step in the Manual install method. If using this method to install the AWS SRA code library, there is no other process you need to follow.

Follow the instructions in the AWS SRA Easy Setup solution page to install everything you need to get the AWS SRA code library and it's solutions deployed.

Quick Setup with CloudFormation (Deprecated)

The Quick Setup has been deprecated. Refer to the Easy Setup instead.

Deployment with Terraform

Please follow the instructions for SRA Terraform deployments in the SRA Terraform edition documentation.

Example Solutions

• Note: All solutions below depend on the Common Prerequisites solution in addition to the specified solutions within the Depends On column.
• Navigate to corresponding example solution to review what is deployed and configured within the environment.
• If a solution depends on AWS Control Tower then the AWS Control Tower landing zone must be deployed before installing the solution (along with any other solution dependencies). Each solution will be updated to remove the requirement of needing an AWS Control Tower landing zone (making it optional) in future updates, however, AWS Organizations will always be required.
• For solutions supported in the SRA Terraform edition, please see the SRA Terraform edition documentation.

Example Solution	Solution Highlights	What does Control Tower provide?	Depends On
Account Alternate Contacts	Sets the billing, operations, and security alternate contacts for all accounts within the organization.
AMI Bakery	Creates and configures an AMI image management pipeline.
CloudTrail	Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events.	CloudTrail enabled in each account with management events only.
Config Management Account	Enables AWS Config in the Management account to allow resource compliance monitoring.	Configures AWS Config in all accounts except for the Management account in each governed region.	AWS Control Tower
Config Organization Aggregator	Not required for most Control Tower environments. Deploy an Organization Config Aggregator to a delegated admin other than the Audit account.	Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account.	AWS Control Tower Common Register Delegated Administrator
Config Organization Conformance Pack	Deploys a conformance pack to all accounts and provided regions within an organization.		Common Register Delegated Administrator Config Management Account
Config Organization	Configures AWS Config in all accounts in each governed region. Deploys an Organization Config Aggregator to a delegated admin account. This solution is incompatible with the AWS Control Tower environment.		AWS Organization Common Register Delegated Administrator
Detective	The Detective Organization solution will automate enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts.		GuardDuty
EC2 Default EBS Encryption	Configures the EC2 default EBS encryption to use the default KMS key within all provided regions.
Firewall Manager	Demonstrates configuring a security group policy and WAF policies for all accounts within an organization.
GuardDuty	Configures GuardDuty within a delegated admin account for all accounts within an organization.
IAM Access Analyzer	Configures an organization analyzer within a delegated admin account and account level analyzer within each account.		Common Register Delegated Administrator
IAM Account Password Policy	Sets the account password policy for users to align with common compliance standards.
Inspector	Configure Inspector within a delegated admin account for all accounts and governed regions within the organization.
Macie	Configures Macie within a delegated admin account for all accounts within the organization.
Patch Manager	Configures Systems Manager Patch Manager functionality for accounts and governed regions within the organization.
S3 Block Account Public Access	Configures the account-level S3 BPA settings for all accounts within the organization.	Configures S3 BPA settings on buckets created by Control Tower only.	AWS Control Tower
Security Hub	Configures Security Hub within a delegated admin account for all accounts and governed regions within the organization.		AWS Config in all Org Accounts Config Management Account (if using AWS Control Tower)
Security Lake	Configures Security Lake within a delegated admin account for accounts and governed regions within the organization.
Shield Advanced	Enables and configures AWS Shield Advanced for some or all the existing and future AWS Organization accounts

Utils

• packaging_scripts/stage-solution.sh (Package and stage all the AWS SRA example solutions. For more information see Staging script details)

Environment Setup

Based on the deployment method selected these solutions are required to implement SRA solutions.

• Common Prerequisites
• Common Customizations for AWS Control Tower (CFCT) Setup

Repository and Solution Naming Convention

The repository is organized by AWS service solutions, which include deployment platforms (e.g., AWS Control Tower and AWS CloudFormation StackSet).

Example:

.
├── solutions
│   ├── guardduty
│   │   └── guardduty_org
│   │       ├── README.md
│   │       ├── customizations_for_aws_control_tower
│   │       │   ├── manifest.yaml
│   │       │   └── parameters
│   │       ├── documentation
│   │       ├── lambda
│   │       │   └── src
│   │       │       ├── app.py
│   │       │       └── requirements.txt
│   │       └── templates
│   │           ├── sra-guardduty-org-configuration-role.yaml
│   │           ├── sra-guardduty-org-configuration.yaml
│   │           ├── sra-guardduty-org-delete-detector-role.yaml
│   │           ├── sra-guardduty-org-delivery-kms-key.yaml
│   │           └── sra-guardduty-org-delivery-s3-bucket.yaml
│   ├── ...

Frequently Asked Questions

Q. How were these particular solutions chosen? A. All the examples in this repository are derived from common patterns that many customers ask us to help them deploy within their environments. We will be adding to the examples over time.

Q. How were these solutions created? A. We’ve collected, cataloged, and curated our multi-account security solution knowledge based on working with a variety of AWS customers.

Q. Who is the audience for these AWS Security Reference Architecture examples? A. Security professionals that are looking for illustrative examples of deploying security patterns in AWS. These code samples provide a starting point from which you can build and tailor infrastructure for your needs.

Q. Why didn't the solutions use inline Lambda functions within the CloudFormation templates? A. Reasons:

• You should control the dependencies in your function's deployment package as stated in the best practices for working with AWS Lambda functions.
• The AWS Lambda runtimes might not be the latest version, which contains a feature that is needed for the solution.

Q. I have ideas to improve this repository. What should I do? A. Please create an issue or submit a pull request.

License Summary

The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file.

The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file.

Please note when building the project that some of the configured developer dependencies are subject to copyleft licenses. Please review these as needed for your use.