AWS Security Reference Architecture Examples

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

Table of Contents

• Introduction
• Getting Started with SRA
• Example Solutions
• Utils
• Environment Setup
• Repository and Solution Naming Convention
• Frequently Asked Questions
• Contributors
• License Summary

Introduction

This repository contains code to help developers and engineers deploy AWS security-related services in an AWS Control Tower multi-account environment following patterns that align with the AWS Security Reference Architecture. The Amazon Web Services (AWS) Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment.

The AWS service configurations and resources (e.g. IAM roles and policies) deployed by these templates are deliberately very restrictive. They are intended to illustrate an implementation pattern rather than provide a complete solution. You may need to modify and tailor these solutions to suit your environment and security needs.

The examples within this repository have been deployed and tested within an AWS Control Tower environment using AWS CloudFormation as well as the Customizations for AWS Control Tower (CFCT) solution.

Getting Started with SRA

1. Setup the environment to configure AWS Control Tower within a new or existing AWS account.
2. Deploy the Common Prerequisites solution.
3. Choose a deployment method:
   • AWS CloudFormation StackSets/Stacks - AWS Documentation
   • Customizations for AWS Control Tower (CFCT) - Solution Documentation
4. (Optional) - Deploy the Customizations for AWS Control Tower (CFCT) Setup solution. Note Only implement if the CFCT deployment method was selected.
5. Per your requirements select one or all of the Example Solutions to implement via the selected deployment method.

Example Solutions

• Common
  • Common Register Delegated Administrator
• CloudTrail
  • Organization CloudTrail
• Config
  • Config Management Account
  • Organization Aggregator
  • Organization Conformance Pack
• EC2
  • EC2 Default EBS Encryption
• Firewall Manager
  • Organization Firewall Manager
• GuardDuty
  • Organization GuardDuty
• IAM
  • Access Analyzer
  • Account Password Policy
• Macie
  • Organization Macie
• S3
  • S3 Block Account Public Access
• SecurityHub
  • Organization Security Hub

Utils

• packaging_scripts/stage-solution.sh (Package and stage all the AWS SRA example solutions. For more information see Staging script details)

Environment Setup

Based on the deployment method selected these solutions are required to implement SRA solutions.

• Common Prerequisites
• Common Customizations for AWS Control Tower (CFCT) Setup

Repository and Solution Naming Convention

The repository is organized by AWS service solutions, which include deployment platforms (e.g., AWS Control Tower and AWS CloudFormation StackSet).

Example:

.
├── solutions
│   ├── guardduty
│   │   └── guardduty_org
│   │       ├── README.md
│   │       ├── customizations_for_aws_control_tower
│   │       │   ├── manifest-v2.yaml
│   │       │   ├── manifest.yaml
│   │       │   └── parameters
│   │       ├── documentation
│   │       ├── lambda
│   │       │   └── src
│   │       │       ├── app.py
│   │       │       └── requirements.txt
│   │       └── templates
│   │           ├── sra-guardduty-org-configuration-role.yaml
│   │           ├── sra-guardduty-org-configuration.yaml
│   │           ├── sra-guardduty-org-delete-detector-role.yaml
│   │           ├── sra-guardduty-org-delivery-kms-key.yaml
│   │           └── sra-guardduty-org-delivery-s3-bucket.yaml
│   ├── ...

Frequently Asked Questions

Q. How were these particular solutions chosen? A. All the examples in this repository are derived from common patterns that many customers ask us to help them deploy within their environments. We will be adding to the examples over time.

Q. How were these solutions created? A. We’ve collected, cataloged, and curated our multi-account security solution knowledge based on working with a variety of AWS customers.

Q. Who is the audience for these AWS Security Reference Architecture examples? A. Security professionals that are looking for illustrative examples of deploying security patterns in AWS. These code samples provide a starting point from which you can build and tailor infrastructure for your needs.

Q. Why didn't the solutions use inline Lambda functions within the CloudFormation templates? A. Reasons:

• You should control the dependencies in your function's deployment package as stated in the best practices for working with AWS Lambda functions.
• The AWS Lambda runtimes might not be the latest version, which contains a feature that is needed for the solution.

Q. I have ideas to improve this repository. What should I do? A. Please create an issue or submit a pull request.

Contributors

Contributors

License Summary

The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file.

The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file.

Please note when building the project that some of the configured developer dependencies are subject to copyleft licenses. Please review these as needed for your use.