Change Management

Guardrails to prevent removal of security services/tooling

Set up baseline security services by default (logging, monitoring, IAM, etc.) and prevent them from being removed.

Summary

When using AWS Organizations, you can set up a hierarchy of accounts, with a master account at the top and multiple member accounts underneath. With this setup, you can apply policies and controls across all member accounts, including setting up this baseline of security services and IAM roles for all accounts in your organization, along with the guardrails to prevent their removal. Cloud accounts should be bootstrapped with a base set of security services and IAM roles. This helps to ensure a consistent and strong security posture across all accounts in an organization. This security baseline can reduce the risk of human error or oversight in configuring security controls, and provide a consistent starting point for all cloud accounts. Base security services include services for setting security configuration and services for logging and monitoring (AWS Config, Guardduty, Cloudtrail, etc.). Base IAM roles may be roles that are provisioned globally (a role tied to IaC builds, a read-only role, etc.). There may be other custom or 3rd party security tooling bootstrapped in all accounts. Guardrails should be put in place to prevent users from disabling or modifying these services and roles which ensures that the security baseline is maintained across all accounts in an organization. Regular verification of these services/roles can help to identify any deviations from the baseline and ensure that any changes made are authorized and in compliance with security policies.

Applicable To

This best practice applies particularly when using AWS Organizations to centrally manage multiple AWS accounts as a single entity.

Resources

All

Maturity

Medium

Functions
Security
Reliability
CSPS

AWS

Author

Adam Cotenoff

Back to Home