SquareOps

SquareOps Technologies
SquareOps Technologies
Contact Us

AWS Multi-Account Security Reference Architecture

  • Blog

About

AWS Multi Account Security
Explore a comprehensive AWS Multi-Account Security Reference Architecture. Learn how to secure and manage AWS environments, including IAM roles, policies, and automation strategies.

Industries

  • AWS, AWS Cloud Trail, Cloud Watch Monitoring, I am Analyzer

Share Via

Introduction

The challenge of maintaining strong security across multiple AWS (Amazon Web Services) accounts is becoming increasingly complex. As DevOps practices accelerate deployment cycles, the need for a dynamic and integrated security strategy grows.

In this blog post, we’ll explore advanced techniques to enhance your AWS security posture using essential services like Security Hub, AWS Config, IAM Access Analyzer, CloudTrail, and GuardDuty. Additionally, we’ll demonstrate how to centralize monitoring and alerting with CloudWatch, enabling a unified overview of metrics, logs, and notifications across all your AWS environments. We’ve grounded our strategies in the AWS Security Reference Architecture as outlined in the AWS Prescriptive Guidance.

While the AWS Security Baseline guidance provides an excellent foundation for your initial steps in securing your cloud environment, adopting more sophisticated AWS security best practices is essential for advanced AWS compliance requirements. With a focus on automated cloud security measures , you can maintain a proactive stance against potential threats, streamlining security operations across your cloud infrastructure.

Moreover, we will be implementing these advanced security strategies for Synaptic, ensuring their AWS environments are secure and compliant with industry standards.

Architecture Overview Of AWS Multi- Account Service

Multi-Account Strategy

Our reference architecture employs a multi-account setup, where distinct AWS accounts are allocated for specific purposes such as central security and governance account, development,  staging, and production environments( categorized as workload accounts ) and workspaces accounts ( with primary purpose of securely accessing the cloud resources by internal engineering teams ) . This segregation facilitates workload isolation and containment, minimizing the impact of security incidents across the system.

Multi-Account Strategy

AWS Services Utilization

We have integrated AWS Security Hub into our architecture to centralize and aggregate security findings from various AWS services like Amazon GuardDutyAWS Config, and IAM Access Analyzer. This integration enables us to have a unified view of our security posture and effectively detect and respond to security issues. 

For the configuration of proactive monitoring, we utilized AWS Config service to continuously monitor and record configurations of AWS resources across all accounts. This helps us track changes, assess compliance against security best practices, and address any deviations from our security policies promptly.

 IAM Access Analyzer is used to analyze resource policies and identify unintended access permissions and potential security risks. Enabling Access Analyzer in all accounts helped us to proactively detect and remediate access-related vulnerabilities. 

To log API calls and user activity on AWS resources, we utilized AWS CloudTrail within each AWS account, providing a detailed history of actions and enabling us to monitor for unauthorized or suspicious behavior. Multi-region CloudTrail is active to enhance visibility into system activity. 

For threat detection, Amazon GuardDuty is used for analyzing CloudTrail logs, VPC flow logs, and DNS logs to detect potential security threats such as malicious activity and unauthorized access attempts. GuardDuty is active across all accounts, enhancing our threat detection capabilities. 

Centralized monitoring is achieved through a dedicated security tooling account that aggregates CloudWatch metrics and logs from all source AWS accounts using Cross account observability in AWS Cloudwatch service. This approach allows us to monitor the performance, health, and security status of resources centrally, providing a comprehensive view of our AWS environments , all at one place.

Furthermore, we have set up centralized alerting and notification using CloudWatch Events , Amazon SNS, AWS chatbot and Slack. This configuration ensures that our security teams receive timely alerts for any security findings or events detected across multiple AWS accounts, facilitating prompt incident response, effective remediation, and continuous security monitoring.

Security Services Deployment

AWS Security Hub

  • Enable AWS Security Hub in each AWS account.
  • Configure Security Hub to aggregate findings into the central AWS Security Hub master account.
  • Use Security Hub’s built-in compliance standards(Like AWS Foundational Security Best Practices v1.0.0, CIS AWS Foundations Benchmark v1.4.0, NIST Special Publication 800-53 Revision 5, PCI DSS v3.2.1) and automated security checks to assess the overall security posture.
  • Utilize Security Hub integration across diverse services for enabling AWS Security Hub in each AWS account.
  • Associate member accounts with central security accounts by manually sending and accepting membership invitations in Security Hub.
AWS Security Hub

AWS GuardDuty

  • Enable AWS GuardDuty in each AWS account to continuously monitor for malicious activity and unauthorized behavior.
  • Activate the Protection Plans(S3, RDS, EKS, Runtime Monitoring, Lambda) whichever required.
  • Configure AWS GuardDuty to send findings to the central security tooling account for centralized monitoring and analysis.
  • Request the member accounts to forward their AWS GuardDuty findings to the central security account to consolidate visibility into a single location through an associated email id with the member account .
AWS GuardDuty

AWS IAM Access Analyzer

  • Utilize IAM Access Analyzer to analyze resource policies and identify unintended access to AWS resources.
  • Enable  IAM Access Analyzer to analyze cross-account access of the resources
  • Enable cross-account access analysis to monitor IAM policies across all AWS accounts from the central account.
  • Create archive rules within IAM Access Analyzer to suppress findings based on defined conditions, enhancing control over security assessments.
AWS IAM Access Analyzer

AWS Config

  • Enable AWS Config in each AWS account to track changes to AWS resources and configurations.
  • Deploy AWS managed or custom conformance packs(collection of AWS Config rules and remediation actions[e.g CIS, Well Architected Security Pillar, Well architected Reliability Pillar etc]) to manage compliance by automatically assessing and enforcing desired configurations across AWS resources with remediation steps. 
  • Create custom rules or Utilize AWS managed rules from the Config console based on the compliance standard and resources configuration. 
  • Configure AWS Config to send configuration change notifications and compliance status to the Security Hub master account.
  • Enable a Config aggregator in the child accounts to send configuration change notifications and compliance data to the central security-tooling account.
AWS Config

AWS CloudTrail

  • Enable CloudTrail in each AWS account to capture API activity and audit logs.
  • Aggregate CloudTrail logs from all accounts into a centralized Amazon S3 bucket for log retention and analysis.
  • Enable CloudWatch log groups in the CloudTrail logs destination within the same accounts.
  • Create CloudWatch log group metrics filters in the CloudTrail’s CloudWatch log group to filter various logs events such as console logins without MFA, root access key usage, gateway changes, IAM policy changes, etc.
AWS CloudTrail

Centralized Monitoring and Alerting

Cross-Account CloudWatch Monitoring

  • Set up cross-account and cross-region CloudWatch observability to aggregate CloudWatch metrics and log data from all source accounts into the security tooling account.
  • Configure CloudWatch Events rules in the central AWS account to monitor Security Hub, GuardDuty, IAM Access Analyzer, and AWS Config findings.
  • Configure CloudWatch alerts based on metrics which are created from cloudtrail logs events. 
  • Set up CloudWatch Alarms to trigger alerts based on predefined thresholds for security incidents and compliance violations.
  • Use CloudWatch Logs for log aggregation and analysis to gain insights into security events and trends.

Incident Report, Response and Remediation:

  • Configure notifications from the central security account to receive alerts for each service’s findings (AWS ) in the event of any issues or incidents occurring to ensure prompt response to potential security concerns across the AWS environment.
  • Implement automated response workflows using AWS Lambda functions triggered by CloudWatch Events.
  • Define escalation procedures and remediation actions for different types of security incidents detected by this monitoring system.

Next Steps

  1. Automate deployments: Automating the deployment and changes to cloud resources is the fundamental concept in Governance, Risk and Compliance management. Develop infrastructure-as-a-code for provisioning new accounts. ( We have pre-built terraform automation to accelerate the deployment ) . 
  2. Use Control Tower: Utilize AWS Control Tower for greater oversight and governance across your AWS environments. This service simplifies the management of multiple accounts and automates compliance checks against established rulesets, making it an essential component of any scalable AWS architecture.
  3. Automate incident responses: To further enhance security measures, automate incident responses using AWS services. By establishing automated workflows, you can ensure immediate action is taken when potential security threats are detected, reducing the window for damage and improving your overall security posture.

Conclusion

At SquareOps Technologies, our commitment to innovation and excellence in cloud services is unwavering. We understand that every organization’s needs are unique, and our team of experts is equipped to provide customized solutions that meet your specific requirements.

We invite you to reach out to us for any assistance in implementing AWS security reference architecture or other cloud and DevOps solutions. Let’s work together to transform your deployment strategy and grow your business toward greater efficiency and success.

Frequently asked questions

What is the AWS Multi-Account Security Reference Architecture?

The AWS Multi-Account Security Reference Architecture is a framework that helps organizations securely manage multiple AWS accounts, each with distinct security responsibilities and isolated workloads. It utilizes AWS services like AWS Organizations, IAM, and centralized logging to ensure secure and efficient management of resources across accounts.

Why should an organization use a multi-account architecture in AWS?

A multi-account architecture enhances security, compliance, and resource management by isolating workloads and permissions between different AWS accounts. This reduces the blast radius of security incidents, enables better billing management, and supports governance and compliance requirements across different departments or projects.

What are the main components of the AWS Multi-Account Security Architecture?

The AWS Multi-Account Security Architecture includes several key components: AWS Organizations for centralized account management, IAM for access control, AWS SSO for simplified sign-on, CloudTrail for activity auditing, AWS Config for resource configuration monitoring, GuardDuty for threat detection, and Security Hub for centralized security management. These components work together to enhance security, compliance, and manageability across multiple AWS accounts.

How are security services deployed in a multi-account AWS architecture?

Security services like AWS Security Hub, AWS GuardDuty, and AWS Config are deployed centrally in a security account. This centralization enables automated security monitoring, configuration compliance, and threat detection across all member accounts in the organization.

What is the role of AWS Organizations in a multi-account setup?

AWS Organizations allows you to manage multiple AWS accounts under a single organization. It simplifies account management, applies policies across accounts, and enables consolidated billing. Organizations also enable the creation of Organizational Units (OUs) for grouping accounts based on security, compliance, or operational needs.

How does centralized monitoring work in AWS Multi-Account Security?

Centralized monitoring collects logs and metrics from all accounts into a central account using services like Amazon CloudWatch, AWS CloudTrail, and Amazon GuardDuty. This allows security teams to monitor activity, detect anomalies, and ensure compliance across the entire organization from one location.

What is the benefit of centralized alerting in AWS Multi-Account Security?

Centralized alerting ensures that all security events and incidents across AWS accounts are reported to a single account or dashboard. This reduces alert fatigue, simplifies incident response, and ensures that security teams can act on threats in real time, without needing to check each individual account.

How can organizations implement least privilege access in a multi-account environment?

By using AWS IAM and AWS Organizations, organizations can enforce least privilege access by controlling permissions at the account level, using service control policies (SCPs), and restricting cross-account access. Additionally, AWS IAM roles and policies can be fine-tuned to limit access to specific resources and services.

How does AWS Config support security in a multi-account architecture?

AWS Config records and tracks configuration changes across accounts. By using AWS Config Rules, you can enforce compliance with internal policies and standards, detect misconfigurations, and ensure that resources remain secure and compliant in real time.

What are the best practices for managing security in a multi-account AWS environment?

Best practices for security in a multi-account AWS environment include using AWS Organizations for central management, applying least privilege with IAM, enabling AWS SSO, and monitoring with CloudTrail and GuardDuty. Use SCPs to enforce policies, AWS Config for compliance, and Security Hub for centralized security visibility. Regularly review and rotate credentials.

Related Posts

Implementing DevSecOps

Best Practices for Implementing DevSecOps: A Technical Guide

  • Blog
Implementing DevSecOps is a critical evolution in modern software development. By integrating security into every stage of the DevOps pipeline, organizations can detect and mitigate vulnerabilities early, ensuring both compliance and security from the start.
Read More
Terraform State Management Strategies

Terraform State Management Strategies: Effectively managing Terraform state

  • Blog
Effective Terraform state management is important for integrity, security, and performance. This paper details some of the best practices you can implement, like remote state storage, state locking, encryption, splitting state files in large deployments, and workspaces for multi-tenancy, to significantly reduce risks associated with your state file corruption and concurrency.
Read More
Zero Trust Architecture in the Cloud

Zero Trust Architecture in the Cloud: Implementing a zero trust model

  • Blog
Zero Trust is essential for securing AWS environments in today's threat landscape. By focusing on strict identity verification, micro-segmentation, and continuous monitoring, organizations can protect their cloud resources more effectively. Adopting Zero Trust principles ensures that every access request is scrutinized, minimizing the risk of breaches.
Read More
Stress Testing for Resilience

Stress Testing for Resilience in Modern Infrastructure 

  • Blog
Stress testing is essential for assessing the resilience of modern infrastructure, allowing organizations to identify vulnerabilities and enhance preparedness for unexpected disruptions. By simulating extreme scenarios, it ensures that systems can withstand challenges and continue to function effectively.
Read More
DevSecOps Enables Shift-Left Approach

How DevSecOps Enables a Shift-Left Approach in Security

  • Blog
Learn how DevSecOps enables a shift-left approach in security, integrating security practices early in the software development lifecycle. Discover best practices, benefits, and case studies to enhance your security strategy.
Read More
Observability In Modern Microservices Architecture

Observability In Modern Microservices Architecture

  • Blog
Learn the importance of observability in modern microservices, key metrics to track, and essential tools for a healthy ecosystem.
Read More