AWS Multi-Account Security Reference Architecture

 The challenge of maintaining strong security across multiple AWS (Amazon Web Services) accounts is becoming increasingly complex. As DevOps practices accelerate deployment cycles, the need for a dynamic and integrated security strategy grows.

In this blog post, we’ll explore advanced techniques to enhance your AWS security posture using essential services like Security Hub, AWS Config, IAM Access Analyzer, CloudTrail, and GuardDuty. Additionally, we’ll demonstrate how to centralize monitoring and alerting with CloudWatch, enabling a unified overview of metrics, logs, and notifications across all your AWS environments. We’ve grounded our strategies in the AWS Security Reference Architecture as outlined in the AWS Prescriptive Guidance

While the AWS Security Baseline guidance provides an excellent foundation for your initial steps in securing your cloud environment, adopting more sophisticated AWS security best practices is essential for advanced AWS compliance requirements. With a focus on automated cloud security measures , you can maintain a proactive stance against potential threats, streamlining security operations across your cloud infrastructure

Architecture Overview Of AWS Multi- Account Service

Multi-Account Strategy

Our reference architecture employs a multi-account setup, where distinct AWS accounts are allocated for specific purposes such as central security and governance account, development,  staging, and production environments( categorized as workload accounts ) and workspaces accounts ( with primary purpose of securely accessing the cloud resources by internal engineering teams ) . This segregation facilitates workload isolation and containment, minimizing the impact of security incidents across the system.

AWS Services Utilization 

We have integrated AWS Security Hub into our architecture to centralize and aggregate security findings from various AWS services like Amazon GuardDuty, AWS Config, and IAM Access Analyzer. This integration enables us to have a unified view of our security posture and effectively detect and respond to security issues. 

For the configuration of proactive monitoring, we utilized AWS Config service to continuously monitor and record configurations of AWS resources across all accounts. This helps us track changes, assess compliance against security best practices, and address any deviations from our security policies promptly.

 IAM Access Analyzer is used to analyze resource policies and identify unintended access permissions and potential security risks. Enabling Access Analyzer in all accounts helped us to proactively detect and remediate access-related vulnerabilities. 

To log API calls and user activity on AWS resources, we utilized AWS CloudTrail within each AWS account, providing a detailed history of actions and enabling us to monitor for unauthorized or suspicious behavior. Multi-region CloudTrail is active to enhance visibility into system activity. 

For threat detection, Amazon GuardDuty is used for analyzing CloudTrail logs, VPC flow logs, and DNS logs to detect potential security threats such as malicious activity and unauthorized access attempts. GuardDuty is active across all accounts, enhancing our threat detection capabilities. 

Centralized monitoring is achieved through a dedicated security tooling account that aggregates CloudWatch metrics and logs from all source AWS accounts using Cross account observability in AWS Cloudwatch service. This approach allows us to monitor the performance, health, and security status of resources centrally, providing a comprehensive view of our AWS environments , all at one place.

Furthermore, we have set up centralized alerting and notification using CloudWatch Events , Amazon SNS, AWS chatbot and Slack. This configuration ensures that our security teams receive timely alerts for any security findings or events detected across multiple AWS accounts, facilitating prompt incident response, effective remediation, and continuous security monitoring.

Security Services Deployment:

AWS Security Hub:

• Enable AWS Security Hub in each AWS account.
• Configure Security Hub to aggregate findings into the central AWS Security Hub master account.
• Use Security Hub’s built-in compliance standards(Like AWS Foundational Security Best Practices v1.0.0, CIS AWS Foundations Benchmark v1.4.0, NIST Special Publication 800-53 Revision 5, PCI DSS v3.2.1) and automated security checks to assess the overall security posture.
• Utilize Security Hub integration across diverse services for enabling AWS Security Hub in each AWS account.
• Associate member accounts with central security accounts by manually sending and accepting membership invitations in Security Hub.

AWS GuardDuty:

• Enable AWS GuardDuty in each AWS account to continuously monitor for malicious activity and unauthorized behavior.
• Activate the Protection Plans(S3, RDS, EKS, Runtime Monitoring, Lambda) whichever required.
• Configure AWS GuardDuty to send findings to the central security tooling account for centralized monitoring and analysis.
• Request the member accounts to forward their AWS GuardDuty findings to the central security account to consolidate visibility into a single location through an associated email id with the member account .

AWS IAM Access Analyzer:

• Utilize IAM Access Analyzer to analyze resource policies and identify unintended access to AWS resources.
• Enable  IAM Access Analyzer to analyze cross-account access of the resources
• Enable cross-account access analysis to monitor IAM policies across all AWS accounts from the central account.
• Create archive rules within IAM Access Analyzer to suppress findings based on defined conditions, enhancing control over security assessments.

AWS Config:

• Enable AWS Config in each AWS account to track changes to AWS resources and configurations.
• Deploy AWS managed or custom conformance packs(collection of AWS Config rules and remediation actions[e.g CIS, Well Architected Security Pillar, Well architected Reliability Pillar etc]) to manage compliance by automatically assessing and enforcing desired configurations across AWS resources with remediation steps. 
• Create custom rules or Utilize AWS managed rules from the Config console based on the compliance standard and resources configuration. 
• Configure AWS Config to send configuration change notifications and compliance status to the Security Hub master account.
• Enable a Config aggregator in the child accounts to send configuration change notifications and compliance data to the central security-tooling account.

AWS CloudTrail:

• Enable CloudTrail in each AWS account to capture API activity and audit logs.
• Aggregate CloudTrail logs from all accounts into a centralized Amazon S3 bucket for log retention and analysis.
• Enable CloudWatch log groups in the CloudTrail logs destination within the same accounts.
• Create CloudWatch log group metrics filters in the CloudTrail’s CloudWatch log group to filter various logs events such as console logins without MFA, root access key usage, gateway changes, IAM policy changes, etc.

Centralized Monitoring and Alerting:

Cross-Account CloudWatch Monitoring:

• Set up cross-account and cross-region CloudWatch observability to aggregate CloudWatch metrics and log data from all source accounts into the security tooling account.
• Configure CloudWatch Events rules in the central AWS account to monitor Security Hub, GuardDuty, IAM Access Analyzer, and AWS Config findings.
• Configure CloudWatch alerts based on metrics which are created from cloudtrail logs events. 
• Set up CloudWatch Alarms to trigger alerts based on predefined thresholds for security incidents and compliance violations.
• Use CloudWatch Logs for log aggregation and analysis to gain insights into security events and trends.

Incident Report, Response and Remediation:

• Configure notifications from the central security account to receive alerts for each service’s findings (AWS ) in the event of any issues or incidents occurring to ensure prompt response to potential security concerns across the AWS environment.
• Implement automated response workflows using AWS Lambda functions triggered by CloudWatch Events.
• Define escalation procedures and remediation actions for different types of security incidents detected by this monitoring system.

Next Steps

1. Automate deployments: Automating the deployment and changes to cloud resources is the fundamental concept in Governance, Risk and Compliance management. Develop infrastructure-as-a-code for provisioning new accounts. ( We have pre-built terraform automation to accelerate the deployment ) . 
2. Use Control Tower: Utilize AWS Control Tower for greater oversight and governance across your AWS environments. This service simplifies the management of multiple accounts and automates compliance checks against established rulesets, making it an essential component of any scalable AWS architecture.
3. Automate incident responses: To further enhance security measures, automate incident responses using AWS services. By establishing automated workflows, you can ensure immediate action is taken when potential security threats are detected, reducing the window for damage and improving your overall security posture.

Conclusion

At SquareOps Technologies, our commitment to innovation and excellence in cloud services is unwavering. We understand that every organization’s needs are unique, and our team of experts is equipped to provide customized solutions that meet your specific requirements.

We invite you to reach out to us for any assistance in implementing AWS security reference architecture or other cloud and DevOps solutions. Let’s work together to transform your deployment strategy and grow your business toward greater efficiency and success.