AWS Multiple Account Security Strategy
General Best Practices
- Clearly define an AWS account-creation process
  - Who is creating an account?
  - What is the account used for?
- Define a company-wide AWS usage policy
  - Should include minimal security baseline requirements for the different ways they will use AWS
  - Which services are approved for use
  - What security or encryption features must be enabled
- Create a security account structure for managing multiple accounts
  - Centralize security monitoring and management
  - Manage identity and access
  - Provide audit and compliance monitoring services
- Leverage AWS APIs and scripts
  - Consistently apply baseline configurations across multiple AWS accounts
  - Compliance-monitoring scripts
Implementation Considerations
When to Create Multiple Accounts
Multiple accounts provide the highest level of security and resource isolation in AWS.
Questions to consider when creating multiple accounts:
- Does the business require administrative isolation between workloads?
- Does the business require limited visibility and discoverability of workloads?
- Does the business require isolation to minimize blast radius?
- Does the business require strong isolation of recovery and/or auditing data?
When to Create a Security Account Structure
- Do you want to manage AWS user identities in one account and federate access across to other accounts?
- Do you want to centrally store, secure, analyze, and report on AWS-generated log data from services such as AWS CloudTrail, AWS Config, Amazon S3, Amazon CloudFront, Elastic Load Balancing or Amazon VPC Flow Logs?
- Do you want to empower security and compliance organizations to apply security baselines and monitor security compliance across multiple AWS accounts?
- Do you want to centrally manage approved Amazon Elastic Compute Cloud (Amazon EC2) Amazon Machine Images (AMIs) or AWS Service Catalog portfolios and products?
AWS Security Account Structures
Identity Account Structure
- Manage all users in a single account and enable user and group access to resources in other accounts
- IAM cross-account roles are used to grant access from one account to another
- AWS provides out-of-the-box federation capabilities from IAM, AWS Directory Service, or from existing identity stores using SAML 2.0
Logging Account Structure
- Accounts send logs and configuration information to a parent logging account
  - Configure AWS CloudTrail and AWS Config to store configuration log data in an S3 bucket owned by the parent account
  - SCPs can be used to restrict member accounts from modifying AWS CloudTrail or AWS Config configuration settings
- EC2 instances can ship logs to a central account
  - Configure CloudWatch Logs subscriptions and AWS Lambda to forward log data from one account to another
- Reduces the need to implement a distributed log storage, protection, and analysis solution for each individual account
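As an added example (not part of the original notes or of AWS documentation), the two policy documents the logging account structure rests on, generated from a script the way the "leverage AWS APIs and scripts" practice suggests: the parent account's bucket policy that lets each member account's CloudTrail deliver only under its own prefix (the standard CloudTrail cross-account delivery pattern), and an SCP that stops member accounts from switching CloudTrail or AWS Config off, with a small evaluator to check which actions the SCP blocks. The bucket name, account IDs and the exact action list are constructed assumptions.

```python
import fnmatch

# Constructed sample values (not from the page): the parent account's central
# log bucket and two member account IDs whose trails deliver into it.
LOG_BUCKET = "example-central-cloudtrail-logs"
MEMBER_ACCOUNTS = ["111111111111", "222222222222"]

# Actions a member account must not be able to use to weaken CloudTrail or
# AWS Config; an illustrative baseline, not an exhaustive list.
GUARDED_ACTIONS = [
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
    "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
    "config:DeleteDeliveryChannel",
]

def central_trail_bucket_policy(bucket, account_ids):
    """Bucket policy for the parent logging account: CloudTrail in each member
    account may check the bucket ACL and write only under AWSLogs/<account-id>/,
    and must grant the bucket owner full control so the parent can read it all."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": arn},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": [f"{arn}/AWSLogs/{acct}/*" for acct in account_ids],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]}

def logging_guardrail_scp(actions=GUARDED_ACTIONS):
    """SCP for member OUs: an explicit Deny applies to every principal in the
    account, including its root user, so no local admin can switch logging off."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ProtectCentralLogging", "Effect": "Deny",
         "Action": sorted(actions), "Resource": "*"}]}

def scp_denies(scp, action):
    """True if any Deny statement matches `action`; IAM-style '*'/'?' wildcards
    in the Action element are honoured and matching is case-insensitive."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False
```

The SCP only restricts member accounts; the parent logging account itself still needs its bucket protected by its own policy and, ideally, a lifecycle and versioning configuration.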
Publishing Account Structure
- Central management of pre-approved server images and AWS CloudFormation templates across a company
- Cross-account resource sharing to share AMIs and AWS Service Catalog portfolios created in a parent account
Hybrid AWS Security Account Structures
Information Security Account
- Collecting and analyzing security-related data
- Running compliance scripts
- Configuring security services (CloudTrail and AWS Config)
- Manage IAM access across other AWS accounts
- Owned by InfoSec (the Information Security department)
Central IT Account
- Host identity repositories
- Federate user access
- Centrally manage shared AMIs, EBS snapshots and AWS Service Catalog portfolios
- Provide centralized DNS, logging, configuration management or software development services