Summary: In Part 1, I explained how organizations can use the AWS Well-Architected Management & Governance Lens to build an agile, reliable, scalable, and secure cloud environment. In this second blog of the series, we look at how you can deploy custom solutions on AWS Control Tower to manage the security of your multi-account AWS environment.
(This is a series on the AWS Well-Architected Framework. This is Part 2. Read Part 1 here.)
Running many applications and working with large, distributed teams can make cloud setup and governance complex and time-consuming. AWS recommends isolating different environments and applications in different AWS accounts rather than keeping them in a single account to:
AWS has simplified managing a multi-account cloud environment with a managed service called AWS Control Tower, which can:
The security of workloads is a key component of a well-architected cloud environment. While AWS Control Tower automatically collects logs and auditing information from all AWS accounts using the Log Archive account and stores them in the Audit AWS accounts, having a centralized view of the security status and monitoring the entire organization for malicious activity is essential. This can be done with AWS Security Hub and AWS GuardDuty respectively. However, as the number of use cases, and consequently the number of AWS accounts, increases, managing the security posture of each AWS account individually becomes difficult.
To simplify this, Ibexlabs uses Customizations on AWS Control Tower to deploy custom security solutions such as AWS Security Hub and AWS GuardDuty across the Control Tower landing zone, so that security is integrated seamlessly within your AWS environment alongside the default guardrails offered by Control Tower.
This framework helps implement solutions quickly on existing AWS accounts and also works in conjunction with the Account Factory to apply them to new AWS accounts. Ibexlabs provides CloudFormation templates that are referenced from the manifest file of the Customizations on AWS Control Tower framework and executed on AWS accounts under the AWS Organization.
The AWS Security Hub centralization solution sets up one of the AWS accounts (preferably the AWS Control Tower Audit account) as the ‘master’ for AWS Security Hub, enabling Security Hub on the other AWS accounts (existing accounts and new accounts created by Control Tower) so that they report their security status to the master account. Behind the scenes, we use AWS Lambda functions to communicate between the accounts and manage the permissions between them following the principle of least privilege.
AWS GuardDuty works in a similar manner: the solution uses the Built on Control Tower framework to centralize the monitoring of malicious activity through the GuardDuty ‘delegated administrator’ feature. It also subscribes to Control Tower lifecycle events to capture new AWS account creation and automatically enables AWS GuardDuty in the new account, reporting to the delegated administrator.
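To make the event-driven enrolment concrete, here is an added example (not Ibexlabs' own code) of the Lambda function that the delegated administrator account would run when the Control Tower CreateManagedAccount lifecycle event arrives via EventBridge. The sample event, the account values and the IAM permissions named in the handler are assumptions for illustration.

```python
"""Enrol a newly created Control Tower account into the GuardDuty delegated
administrator, driven by the CreateManagedAccount lifecycle event on EventBridge."""
# Constructed sample of a Control Tower lifecycle event (shape only; account id
# and name are placeholders, not real values).
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {"createManagedAccountStatus": {
            "state": "SUCCEEDED",
            "account": {"accountName": "workload-dev", "accountId": "111111111111"},
        }},
    },
}

def new_account_from_event(event):
    """Return (account_id, account_name) for a successful CreateManagedAccount
    event; None for other events or failed provisioning (nothing to enrol)."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    account = status.get("account", {})
    if status.get("state") != "SUCCEEDED" or not account.get("accountId"):
        return None
    return account["accountId"], account.get("accountName", "")

def create_members_request(detector_id, account_id, email):
    """Parameters for the delegated administrator's CreateMembers call; with the
    Organizations integration no separate invitation step is required."""
    return {"DetectorId": detector_id,
            "AccountDetails": [{"AccountId": account_id, "Email": email}]}

def lambda_handler(event, context, guardduty=None, organizations=None):
    """Clients are injectable so the logic runs offline; in Lambda they default to
    boto3 clients. Assumed least-privilege role permissions: guardduty:ListDetectors,
    guardduty:CreateMembers, organizations:DescribeAccount."""
    found = new_account_from_event(event)
    if found is None:
        return {"enrolled": False}
    account_id, name = found
    if guardduty is None or organizations is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        guardduty = guardduty or boto3.client("guardduty")
        organizations = organizations or boto3.client("organizations")
    detector_id = guardduty.list_detectors()["DetectorIds"][0]
    email = organizations.describe_account(AccountId=account_id)["Account"]["Email"]
    guardduty.create_members(**create_members_request(detector_id, account_id, email))
    return {"enrolled": True, "accountId": account_id, "accountName": name}
```

The EventBridge rule that triggers this handler should match `source: aws.controltower` and `detail.eventName: CreateManagedAccount` so that other lifecycle events never invoke it.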
AWS Control Tower provides controls and guardrails to ensure that your accounts operate in alignment with compliance standards, and disallows actions that lead to policy violations. However, manually configuring AWS Security Hub and Amazon GuardDuty on all existing and future accounts can be time-consuming, which affects agility. It can also lead to configuration mistakes and reduce the effectiveness of the respective services.
Ibexlabs can deploy custom solutions for you to get a centralized view of security and monitor risk for all AWS accounts under the landing zone. Ibexlabs is a Built on Control Tower Partner. Get in touch with us to learn more about our custom security solutions.
In Part 3 of the series, we will highlight how you can build a well-architected environment effortlessly using infrastructure as code.