AWS prescriptive-guidance medium security documentation change
Summary
Updated CloudTrail log validation documentation with explicit reference
Security assessment
Added link to log file validation documentation, emphasizing integrity checks - a security best practice to detect tampering
Diff
diff --git a/prescriptive-guidance/latest/security-reference-architecture/security-tooling.md b/prescriptive-guidance/latest/security-reference-architecture/security-tooling.md index 1a3635965..5c5321de1 100644 --- a//prescriptive-guidance/latest/security-reference-architecture/security-tooling.md +++ b//prescriptive-guidance/latest/security-reference-architecture/security-tooling.md @@ -7 +7 @@ -Delegated administrator for security servicesCentralized root accessAWS CloudTrailAWS Security Hub CSPMAWS Security HubAmazon GuardDutyAWS ConfigAmazon Security LakeAmazon MacieIAM Access AnalyzerAWS Firewall ManagerAmazon EventBridgeAmazon DetectiveAWS Audit ManagerAWS ArtifactAWS KMSAWS Private CAAmazon InspectorAWS Security Incident ResponseDeploying common security services within all AWS accounts +Delegated administrator for security servicesCentralized root accessAWS CloudTrailAWS Security Hub CSPMAWS Security HubAmazon GuardDutyAWS ConfigAmazon MacieIAM Access AnalyzerAmazon CloudWatchAmazon Security LakeAWS Firewall ManagerAmazon EventBridgeAmazon DetectiveAWS Audit ManagerAWS ArtifactAWS KMSAWS Private CAAmazon InspectorAWS Security Incident ResponseDeploying common security services within all AWS accounts @@ -11,3 +10,0 @@ Delegated administrator for security servicesCentralized root accessAWS CloudTra -Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_e3XI1t37KMHU2ua). ---- - @@ -16 +13 @@ The following diagram illustrates the AWS security services that are configured - + @@ -29 +26 @@ The Security Tooling account is dedicated to operating security services, monito -###### Design considerations +**Design considerations:** @@ -52 +49 @@ The Security Tooling account**** is the delegated administrator account for IAM -In the AWS SRA, the Security Tooling account is the delegated administrator account for managing CloudTrail. The corresponding S3 bucket to store the organization trail logs is created in the Log Archive account. This is to separate the management and usage of CloudTrail log privileges. For information about how to create or update an S3 bucket to store log files for an organization trail, see the [CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#org-trail-bucket-policy). As a security best practice, add the `aws:SourceArn` condition key of the organization trail to the resource policy of the S3 bucket (and any other resources such as KMS keys or SNS topics). This ensures that the S3 bucket accepts only data that is associated with the specific trail. The trail is configured with log file validation for log file integrity validation. The log and digest files are encrypted by using SSE-KMS. The organization trail is also integrated with a log group in CloudWatch Logs to send events for long-term retention. +In the AWS SRA, the Security Tooling account is the delegated administrator account for managing CloudTrail. The corresponding S3 bucket to store the organization trail logs is created in the Log Archive account. This is to separate the management and usage of CloudTrail log privileges. For information about how to create or update an S3 bucket to store log files for an organization trail, see the [CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#org-trail-bucket-policy). As a security best practice, add the `aws:SourceArn` condition key of the organization trail to the resource policy of the S3 bucket (and any other resources such as KMS keys or SNS topics). This ensures that the S3 bucket accepts only data that is associated with the specific trail. The trail is configured with [log file validation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html) for log file integrity validation. The log and digest files are encrypted by using SSE-KMS. The organization trail is also integrated with a log group in CloudWatch Logs to send events for long-term retention. @@ -58 +55 @@ You can create and manage organization trails from both management and delegated -###### Design considerations +**Design considerations:** @@ -60 +57 @@ You can create and manage organization trails from both management and delegated - * CloudTrail does not log data events by default, because these are often high-volume activities. However, you should capture data events for specific critical AWS resources such as S3 buckets, Lambda functions, log events from outside AWS that are sent to the CloudTrail lake, and SNS topics. To do this, configure your organization trail to include data events from specific resources by specifying the ARNs of each individual resources. + * CloudTrail does not log [data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-data-events) by default because these are often high-volume activities. However, you should capture data events for specific critical AWS resources, such as S3 buckets, Lambda functions, log events from outside AWS that are either sent to Amazon S3 or forwarded using Amazon SQS and Amazon SNS topics. To do this, configure your organization trail to include data events from specific resources by specifying the Amazon Resource Name (ARN) of each resource. @@ -69 +66 @@ You can create and manage organization trails from both management and delegated -[AWS Security Hub Cloud Security Posture Management](https://aws.amazon.com/security-hub/cspm/) (AWS Security Hub CSPM), previously known as AWS Security Hub, provides you with a comprehensive view of your security posture in AWS and helps you check your environment against security industry standards and best practices. Security Hub CSPM collects security data from across AWS integrated services, supported third-party products, and other custom security products that you might use. It helps you continuously monitor and analyze your security trends and identify the highest priority security issues. In addition to the ingested sources, Security Hub CSPM generates its own findings, which are represented by security controls that map to one or more security standards. These standards include AWS Foundational Security Best Practices (FSBP), Center for Internet Security (CIS) AWS Foundations Benchmark v1.20 and v1.4.0, National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5, Payment Card Industry Data Security Standard (PCI DSS), and [service-managed standards](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standards.html). For a list of current security standards and details on specific security controls, see the [Standards reference for Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the Security Hub CSPM documentation. +[AWS Security Hub Cloud Security Posture Management](https://aws.amazon.com/security-hub/cspm/) (AWS Security Hub CSPM), previously known as AWS Security Hub, provides you with a comprehensive view of your security posture in AWS and helps you check your environment against security industry standards and best practices. Security Hub CSPM collects security data from across AWS integrated services, supported third-party products, and other custom security products that you might use. It helps you continuously monitor and analyze your security trends and identify the highest priority security issues. In addition to the ingested sources, Security Hub CSPM generates its own findings, which are represented by security controls that map to one or more security standards. These standards include AWS Foundational Security Best Practices (FSBP), Center for Internet Security (CIS) AWS Foundations Benchmark (versions 5.0.0, 3.0.0, and 1.2.0), National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5, Payment Card Industry Data Security Standard (PCI DSS), and [service-managed standards](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standards.html). For a list of current security standards and details on specific security controls, see the [Standards reference for Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the Security Hub CSPM documentation. @@ -85 +82,3 @@ Security Hub CSPM uses service-linked AWS Config Rules to perform most of its se -###### Design considerations +Amazon CloudWatch supports ingesting AWS Security Hub CSPM findings. This helps you centrally analyze and monitor security findings directly in CloudWatch Logs. Security Hub CSPM findings are supported in ASFF and Open Cybersecurity Schema Framework (OCSF) format using CloudWatch Pipelines, providing standardized security data ingestion. You can use CloudWatch Logs Insights to query findings, create metric filters for monitoring, and you can use Amazon S3 Tables integration for advanced analytics. This helps security teams identify and respond to threats faster across your AWS environment. You should create an Amazon CloudWatch [telemetry enablement rule](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/telemetry-enablement-rules.html) to automatically send Security Hub findings to CloudWatch Logs for all production accounts, ensuring consistent visibility into security posture. + +**Design considerations:** @@ -102 +101,5 @@ For additional guidance on these use cases, including how to set them up, see th -###### Implementation example +**Implementation example:** + + * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [Security Hub CSPM](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/securityhub/securityhub_org). It includes automatic enablement of the service, delegated administration to a member account (Security Tooling), and configuration to enable Security Hub CSPM for all existing and future accounts in the AWS organization. + + @@ -104 +106,0 @@ For additional guidance on these use cases, including how to set them up, see th -The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [Security Hub CSPM](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/securityhub/securityhub_org). It includes automatic enablement of the service, delegated administration to a member account (Security Tooling), and configuration to enable Security Hub CSPM for all existing and future accounts in the AWS organization. @@ -120 +122 @@ In the AWS SRA, the Security Tooling account acts as the delegated administrator -###### Implementation note +###### Note @@ -124 +126 @@ In the AWS SRA, the Security Tooling account acts as the delegated administrator -###### Design considerations +**Design considerations** : @@ -149 +151 @@ In the AWS SRA, the Security Tooling account acts as the delegated administrator -In addition to providing [foundational data sources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html), GuardDuty provides optional features to identify security findings. These include EKS Protection, RDS Protection, S3 Protection, Malware Protection, and Lambda Protection. For new detectors, these optional features are enabled by default except for EKS Protection, which must be manually enabled. +In addition to providing [foundational data sources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html), GuardDuty provides optional features to identify security findings. These include EKS Protection, RDS Protection, S3 Protection, Malware Protection, and Lambda Protection. For new detectors, you can configure [auto enable](https://docs.aws.amazon.com/guardduty/latest/ug/protection-plans-auto-enable.html) for the entire AWS organization. @@ -155 +157 @@ In addition to providing [foundational data sources](https://docs.aws.amazon.com - * [GuardDuty RDS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html) is designed to profile and monitor access activity to Amazon Aurora databases without impacting database performance. + * [GuardDuty RDS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html) is designed to profile and monitor access activity to Amazon Aurora databases (Amazon Aurora MySQL-Compatible Edition and Aurora PostgreSQL-Compatible Edition) and [Amazon RDS for PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html) without impacting database performance. @@ -164 +166 @@ GuardDuty also provides a feature known as [Extended Threat Detection](https://d -In the AWS SRA, GuardDuty is enabled in all accounts through AWS Organizations, and all findings are viewable and actionable by appropriate security teams in the GuardDuty delegated administrator account (in this case, the Security Tooling account). GuardDuty active findings are exported to a central S3 bucket in the Log Archive account, so you can retain the findings beyond 90 days. The findings are exported from the delegated administrator account and also include all the findings from associated member accounts in the same Region. The findings in the S3 bucket are encrypted with an AWS KMS customer managed key. The S3 bucket policy and KMS key policy are configured to allow only GuardDuty to use the resources. +In the AWS SRA, GuardDuty is enabled in all accounts through AWS Organizations, and all findings are viewable and actionable by appropriate security teams in the GuardDuty delegated administrator account (in this case, the Security Tooling account). GuardDuty active findings are exported to a central S3 bucket in the Log Archive account, so you can retain the findings beyond 90 days. The findings are exported from the delegated administrator account and also include all the findings from associated member accounts in the same Region. The findings in the bucket S3 are encrypted with an AWS KMS customer managed key. The S3 bucket policy and KMS key policy are configured to allow only GuardDuty to use the resources. @@ -168 +170,5 @@ When AWS Security Hub CSPM is enabled, GuardDuty findings automatically flow to -###### Implementation example +**Implementation example:** + + * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [GuardDuty](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/guardduty/guardduty_org). It includes encrypted S3 bucket configuration, delegated administration, and GuardDuty enablement for all existing and future accounts in the AWS organization. + + @@ -170 +175,0 @@ When AWS Security Hub CSPM is enabled, GuardDuty findings automatically flow to -The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [GuardDuty](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/guardduty/guardduty_org). It includes encrypted S3 bucket configuration, delegated administration, and GuardDuty enablement for all existing and future accounts in the AWS organization. @@ -192 +197 @@ In the AWS SRA, the AWS Config delegated administrator account is the Security T -###### Design considerations +**Design considerations:** @@ -196,6 +201 @@ In the AWS SRA, the AWS Config delegated administrator account is the Security T - * In addition to using AWS Config proactive rule evaluation, you can use [AWS CloudFormation Guard](https://docs.aws.amazon.com/cfn-guard/latest/ug/what-is-guard.html), which is a a policy-as-code evaluation tool that proactively checks for resource configuration compliance. The AWS CloudFormation Guard command line interface (CLI) provides you with a declarative, domain-specific language (DSL) that you can use to express policy as code. In addition, you can use AWS CLI commands to validate JSON-formatted or YAML-formatted structured data such as CloudFormation change sets, JSON-based Terraform configuration files, or Kubernetes configurations. You can run the evaluations locally by using the [AWS CloudFormation Guard CLI](https://catalog.us-east-1.prod.workshops.aws/workshops/fff8e490-f397-43d2-ae26-737a6dc4ac68/en-US/70-cfn-guard/73-checking-templates) as part of your authoring process or run it within your [deployment pipeline](https://catalog.us-east-1.prod.workshops.aws/workshops/fff8e490-f397-43d2-ae26-737a6dc4ac68/en-US/70-cfn-guard/75-add-guard-to-pipeline). If you have [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/) applications, you can use [cdk-nag](https://github.com/cdklabs/cdk-nag) for proactive checking of best practices. - - - - -###### Implementation example + * In addition to using AWS Config proactive rule evaluation, you can use [AWS CloudFormation Guard](https://docs.aws.amazon.com/cfn-guard/latest/ug/what-is-guard.html), which is a policy-as-code evaluation tool that proactively checks for resource configuration compliance. The AWS CloudFormation Guard command line interface (CLI) provides you with a declarative, domain-specific language (DSL) that you can use to express policy as code. In addition, you can use AWS CLI commands to validate JSON-formatted or YAML-formatted structured data such as CloudFormation change sets, JSON-based Terraform configuration files, or Kubernetes configurations. You can run the evaluations locally by using the [AWS CloudFormation Guard CLI](https://catalog.us-east-1.prod.workshops.aws/workshops/fff8e490-f397-43d2-ae26-737a6dc4ac68/en-US/70-cfn-guard/73-checking-templates) as part of your authoring process or run it within your [deployment pipeline](https://catalog.us-east-1.prod.workshops.aws/workshops/fff8e490-f397-43d2-ae26-737a6dc4ac68/en-US/70-cfn-guard/75-add-guard-to-pipeline). If you have [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/) applications, you can use [cdk-nag](https://github.com/cdklabs/cdk-nag) for proactive checking of best practices. @@ -203 +202,0 @@ In the AWS SRA, the AWS Config delegated administrator account is the Security T -The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a [sample implementation](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_conformance_pack_org) that deploys AWS Config conformance packs to all AWS accounts and Regions within an AWS organization. The [AWS Config Aggregator](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_aggregator_org) module helps you configure an AWS Config aggregator by delegating administration to a member account (Security Tooling) within the Org Management account and then configuring AWS Config Aggregator within the delegated administrator account for all existing and future accounts in the AWS organization. You can use the [AWS Config Control Tower Management Account](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_management_account) module to enable AWS Config within the Org Management account―it isn't enabled by AWS Control Tower. @@ -205 +203,0 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference -## Amazon Security Lake @@ -207 +204,0 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference -[Amazon Security Lake](https://aws.amazon.com/security-lake/) is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from AWS environments, software as a service (SaaS) providers, on premises, and [third-party sources](https://docs.aws.amazon.com/security-lake/latest/userguide/integrations-third-party.html). Security Lake helps you build a normalized data source that simplifies the usage of analytics tools over security data, so you can get a more complete understanding of your security posture across the entire organization. The data lake is backed by Amazon Simple Storage Service (Amazon S3) buckets, and you retain ownership over your data. Security Lake automatically collects logs for AWS services, including AWS CloudTrail, Amazon VPC, Amazon Route 53, Amazon S3, AWS Lambda, Amazon EKS audit logs, AWS Security Hub CSPM findings, and AWS WAF logs. @@ -209 +206 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference -AWS SRA recommends that you use the Log Archive account as the delegated administrator account for Security Lake. For more information about setting up the delegated administrator account, see [Amazon Security Lake](./log-archive.html#log-security-lake) in the _Security OU ‒ Log Archive account_ section. Security teams that want to access Security Lake data or need the ability to write non-native logs to the Security Lake buckets by using custom extract, transform, and load (ETL) functions should operate within the Security Tooling account. +**Implementation example:** @@ -211 +208 @@ AWS SRA recommends that you use the Log Archive account as the delegated adminis -Security Lake can collect logs from different cloud providers, logs from third-party solutions, or other custom logs. We recommend that you use the Security Tooling account to perform the ETL functions to convert the logs to Open Cybersecurity Schema Framework (OCSF) format and output a file in Apache Parquet format. Security Lake creates the cross-account role with the proper permissions for the Security Tooling account and the custom source backed by Lambda functions or AWS Glue crawlers, to write data to the S3 buckets for Security Lake. + * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a [sample implementation](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_conformance_pack_org) that deploys AWS Config conformance packs to all AWS accounts and Regions within an AWS organization. The [AWS Config Aggregator](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_aggregator_org) module helps you configure an AWS Config aggregator by delegating administration to a member account (Security Tooling) within the Org Management account and then configuring AWS Config Aggregator within the delegated administrator account for all existing and future accounts in the AWS organization. You can use the [AWS Config Control Tower Management Account](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/config/config_management_account) module to enable AWS Config within the Org Management account―it isn't enabled by AWS Control Tower. @@ -213 +209,0 @@ Security Lake can collect logs from different cloud providers, logs from third-p -The Security Lake administrator should configure security teams that use the Security Tooling account and require access to the logs that Security Lake collects as [subscribers](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-management.html). Security Lake supports two types of subscriber access: @@ -215 +210,0 @@ The Security Lake administrator should configure security teams that use the Sec - * **Data access** – Subscribers can directly access the Amazon S3 objects for Security Lake. Security Lake manages the infrastructure and permissions. When you configure the Security Tooling account as a Security Lake data access subscriber, the account is notified of new objects in the Security Lake buckets through Amazon Simple Queue Service (Amazon SQS), and Security Lake creates the permissions to access those new objects. @@ -217,14 +211,0 @@ The Security Lake administrator should configure security teams that use the Sec - * **Query access** – Subscribers can query source data from AWS Lake Formation tables in your S3 bucket by using services such as Amazon Athena. Cross-account access is automatically set up for query access by using Lake Formation. When you configure the Security Tooling account as a Security Lake query access subscriber, the account is given read-only access to the logs in the Security Lake account. When you use this subscriber type, the Athena and AWS Glue tables are shared from the Security Lake Log Archive account with the Security Tooling account through AWS Resource Access Manager (AWS RAM). To enable this capability, you have to update the cross-account data sharing settings to version 3. - - - - -For more information about creating subscribers, see [Subscriber management](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-management.html) in the Security Lake documentation. - -For best practices for ingesting custom sources, see [Collecting data from custom sources](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html) in the Security Lake documentation. - -You can use [Amazon Quick Sight](https://github.com/aws-samples/amazon-security-lake-quicksight), [Amazon OpenSearch Service](https://aws.amazon.com/blogs/big-data/ingest-transform-and-deliver-events-published-by-amazon-security-lake-to-amazon-opensearch-service), and [Amazon SageMaker](https://github.com/aws-samples/amazon-security-lake-machine-learning) to set up analytics against the security data that you store in Security Lake. - -###### Design consideration - -If an application team needs query access to Security Lake data to meet a business requirement, the Security Lake administrator should configure that Application account**** as a subscriber**.** @@ -240 +221 @@ Macie findings flow to AWS Security Hub CSPM for review and analysis. Macie also -###### Design considerations +**Design considerations:** @@ -249 +230,5 @@ Macie findings flow to AWS Security Hub CSPM for review and analysis. Macie also -###### Implementation example +**Implementation example:** + + * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [Amazon Macie](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/macie/macie_org). It includes delegating administration to a member account and configuring Macie within the delegated administrator account for all existing and future accounts in the AWS organization. Macie is also configured to send the findings to a central S3 bucket that is encrypted with a customer managed key in AWS KMS. + + @@ -251 +235,0 @@ Macie findings flow to AWS Security Hub CSPM for review and analysis. Macie also -The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [Amazon Macie](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/macie/macie_org). It includes delegating administration to a member account and configuring Macie within the delegated administrator account for all existing and future accounts in the AWS organization. Macie is also configured to send the findings to a central S3 bucket that is encrypted with a customer managed key in AWS KMS. @@ -257 +241 @@ As you accelerate your AWS Cloud adoption journey and continue to innovate, it's -[AWS Identity and Access Management Access Analyzer](https://aws.amazon.com/iam/access-analyzer) provides tools to efficiently set fine-grained permissions, verify intended permissions, and refine permissions by removing unused access to help you meet your enterprise security standards. It gives you visibility into [external and internal access to AWS resources and unused access findings](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) through [dashboards](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-dashboard.html) and [AWS Security Hub CSPM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-securityhub-integration.html). Additionally, it supports [Amazon EventBridge](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-eventbridge.html) for event-based custom notification and remediation workflows. +[AWS Identity and Access Management Access Analyzer](https://aws.amazon.com/iam/access-analyzer) provides tools to efficiently set fine-grained permissions, verify intended permissions, and refine permissions by removing unused access to help you meet your enterprise security standards. It gives you visibility into [external and internal access to AWS resources and unused access findings](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) through [dashboards ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-dashboard.html)and AWS Security Hub CSPM. Additionally, it supports [Amazon EventBridge](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-eventbridge.html) for event-based custom notification and remediation workflows. @@ -284 +268 @@ As a builder, you can use IAM Access Analyzer to perform automated [IAM policy c - * **Check against a list of IAM actions** : You can use the [CheckAccessNotGranted](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CheckAccessNotGranted.html) API to ensure that a policy doesn't grant access to a list of critical actions that are defined in your security standard. This API takes a policy and a list of up to 100 IAM actions to check whether the policy allows at least one of the actions, and returns a pass or fail response. + * **Check against a list of IAM actions** : You can use the [CheckAccessNotGranted](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CheckAccessNotGranted.html) API to ensure that a policy doesn't grant access to a list of critical actions that are defined in your security standard. This API takes a policy and checks whether the policy allows at least one of the actions, and then it returns a pass or fail response. @@ -302 +286,4 @@ IAM Access Analyzer is deployed in the Security Tooling account through the dele -###### Design consideration +**Design consideration:** + + * To get account-scoped findings (where the account serves as the trusted boundary), you create an account-scoped analyzer in each member account. This can be done as part of the account pipeline. Account-scoped findings flow into Security Hub CSPM at the member account level. From there, they flow to the Security Hub CSPM delegated administrator account (Security Tooling). + @@ -304 +290,0 @@ IAM Access Analyzer is deployed in the Security Tooling account through the dele -To get account-scoped findings (where the account serves as the trusted boundary), you create an account-scoped analyzer in each member account. This can be done as part of the account pipeline. Account-scoped findings flow into Security Hub CSPM at the member account level. From there, they flow to the Security Hub CSPM delegated administrator account (Security Tooling). @@ -306 +292,2 @@ To get account-scoped findings (where the account serves as the trusted boundary -###### Implementation examples + +**Implementation examples:** @@ -314,0 +302,63 @@ To get account-scoped findings (where the account serves as the trusted boundary +## Amazon CloudWatch + +[Amazon CloudWatch ](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html)monitors your AWS resources and the applications you run on AWS in real time, and it offers tools to give you system-wide observability of your application performance, operational health, and resource utilization. [Some AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html) automatically send basic metrics to CloudWatch at no charge. Additionally, CloudWatch provides additional monitoring capabilities for several key pieces of AWS infrastructure: + + * [Database Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Database-Insights.html) allows you to monitor database performance metrics in real time, analyze SQL query performance, and troubleshoot database load issues for AWS database services. + + * [Lambda Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights.html) provides system-level metrics for AWS Lambda functions, including memory and CPU utilization tracking, and cold start detection and analysis. + + * [Container Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html) allows you to collect and analyze metrics from containerized applications running on Amazon ECS clusters, Amazon EKS clusters, and self-managed Kubernetes clusters on Amazon EC2. + + + + +The AWS SRA recommends two options for centralized log collection and analytics across your AWS organization. [Amazon CloudWatch Unified Data Store](https://aws.amazon.com/cloudwatch/features/unified-data-and-telemetry/) is the recommended primary option, deployed in Security Tooling account under the Security OU. Amazon Security Lake remains available as a secondary option for organizations with existing investments or specific subscriber-based access requirements. + +The Security Tooling account serves as the centralized home for all observability, security, and compliance telemetry across your organization. Designate this account as the CloudWatch delegated administrator for the organization. This delegation grants the Monitoring account the ability to manage CloudWatch resources including Pipelines, centralization rules, cross-account observability links, and organization-wide metric and log collection—across all member accounts without requiring elevated permissions in the management account. + +CloudWatch Unified Data Store provides unified data management and analytics capabilities that consolidate operational, security, and compliance data across your AWS environment and third-party sources into a single service. This eliminates the need for multiple separate data stores and complex ETL pipelines. Additionally, the data collected in CloudWatch can be made available as an Amazon S3 Table for cross-account fine-grained, column-level access control. + +To protect the availability of the logs and the log management process, configure strict IAM policies and service control policies (SCPs) on the Monitoring account to provide only necessary permissions to manage CloudWatch. Use detective controls, such as those in AWS Config, to monitor, alert, and remediate this collection of permissions for unexpected changes. + +The CloudWatch administrator can enable organization-wide log collection using centralization rules. [Pipelines](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-pipelines.html?trk=769a1a2b-8c19-4976-9c45-b6b1226c7d20&sc_channel=el) can be used to collect AWS vended logs (CloudTrail management events, CloudTrail data events for Amazon S3 and Lambda, Amazon VPC Flow Logs, AWS WAF logs, Amazon Route 53 resolver logs, and Amazon EKS audit logs) across all member accounts and AWS Regions. Pipelines can be configured to transform logs into a standardized open-source schema called _Open Cybersecurity Schema Framework (OCSF)_ by using the built-in OCSF processor. With OCSF support, CloudWatch efficiently normalizes and consolidates security data from AWS and other enterprise security sources to create a unified and reliable repository of security-related information. + +CloudWatch Pipelines also supports third-party connectors (such as CrowdStrike, SentinelOne, Okta, Entra ID, Wiz, Zscaler, Palo Alto Networks, ServiceNow CMDB) to ingest external security telemetry into the same unified data store. + +AWS Security Hub CSPM findings can be ingested into CloudWatch through Pipelines, providing an overview of your compliance posture and whether you're following security recommendations for AWS and AWS Partner solutions. + +To gain visibility and actionable insights from logs and events, you can query the data by using CloudWatch Logs Insights (with [Facets](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs-Facets.html?trk=769a1a2b-8c19-4976-9c45-b6b1226c7d20&sc_channel=el)-based exploration, natural language queries, and Log Insights sQL/OpenSearch PPL/OpenSearch SQL support), Amazon Athena, Amazon OpenSearch Service, Amazon Redshift, Amazon SageMaker AI, Amazon Quick, and third-party solutions. Users who require access to the log data shouldn't access the Monitoring account directly. They should access data from the Security Tooling account by using cross-account IAM roles scoped to read-only CloudWatch Logs Insights queries or by querying Amazon S3 Tables (Apache Iceberg format) in the Log Archive account through AWS Lake Formation cross-account grants. This enables fine-grained, column-level access control through Athena, OpenSearch Service, Quick, or third-party SIEM tools. Other AWS accounts and on-premises locations access data through the same Lake Formation governed Amazon S3 Tables or through analytics tools that consume from the Log Archive account. + +For long-term immutable storage, configure CloudWatch to send log data to S3 buckets in the Log Archive account. Amazon S3 Object Lock and Glacier policies ensure immutability for regulatory compliance. The Log Archive account serves as a storage sink only and does not run CloudWatch analytics workloads. + +As a best practice, we recommend that you restrict the configuration of CloudWatch through development pipelines and prevent configuration changes through the AWS Management Console or the AWS Command Line Interface (AWS CLI). You can configure notifications to detect any unauthorized access to log groups or S3 buckets. + +## Amazon Security Lake + +[Amazon Security Lake](https://aws.amazon.com/security-lake/) is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from AWS environments, software as a service (SaaS) providers, on premises, and [third-party sources](https://docs.aws.amazon.com/security-lake/latest/userguide/integrations-third-party.html). Security Lake helps you build a normalized data source that simplifies the usage of analytics tools over security data, so you can get a more complete understanding of your security posture across the entire organization. The data lake is backed by Amazon Simple Storage Service (Amazon S3) buckets, and you retain ownership over your data. Security Lake automatically collects logs for AWS services, including AWS CloudTrail, Amazon VPC, Amazon Route 53, Amazon S3, AWS Lambda, Amazon EKS audit logs, AWS Security Hub CSPM findings, and AWS WAF logs. + +AWS SRA recommends that you use the Log Archive account as the delegated administrator account for Security Lake. For more information about setting up the delegated administrator account, see [Amazon Security Lake](./log-archive.html#log-security-lake) in the _Security OU ‒ Log Archive account_ section. Security teams that want to access Security Lake data or need the ability to write non-native logs to the Security Lake buckets by using custom extract, transform, and load (ETL) functions should operate within the Security Tooling account. + +Security Lake can collect logs from different cloud providers, logs from third-party solutions, or other custom logs. We recommend that you use the Security Tooling account to perform the ETL functions to convert the logs to Open Cybersecurity Schema Framework (OCSF) format and output a file in Apache Parquet format. Security Lake creates the cross-account role with the proper permissions for the Security Tooling account and the custom source backed by Lambda functions or AWS Glue crawlers, to write data to the S3 buckets for Security Lake. + +The Security Lake administrator should configure security teams that use the Security Tooling account and require access to the logs that Security Lake collects as [subscribers](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-management.html). Security Lake supports two types of subscriber access: + + * **Data access** – Subscribers can directly access the Amazon S3 objects for Security Lake. Security Lake manages the infrastructure and permissions. When you configure the Security Tooling account as a Security Lake data access subscriber, the account is notified of new objects in the Security Lake buckets through Amazon Simple Queue Service (Amazon SQS), and Security Lake creates the permissions to access those new objects. + + * **Query access** – Subscribers can query source data from AWS Lake Formation tables in your S3 bucket by using services such as Amazon Athena. Cross-account access is automatically set up for query access by using Lake Formation. When you configure the Security Tooling account as a Security Lake query access subscriber, the account is given read-only access to the logs in the Security Lake account. When you use this subscriber type, the Athena and AWS Glue tables are shared from the Security Lake Log Archive account with the Security Tooling account through AWS Resource Access Manager (AWS RAM). To enable this capability, you have to update the cross-account data sharing settings to version 3. + + + + +For more information about creating subscribers, see [Subscriber management](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-management.html) in the Security Lake documentation. + +For best practices for ingesting custom sources, see [Collecting data from custom sources](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html) in the Security Lake documentation. + +You can use [Amazon QuickSight](https://github.com/aws-samples/amazon-security-lake-quicksight), [Amazon OpenSearch Service](https://aws.amazon.com/blogs/big-data/ingest-transform-and-deliver-events-published-by-amazon-security-lake-to-amazon-opensearch-service), and [Amazon SageMaker](https://github.com/aws-samples/amazon-security-lake-machine-learning) to set up analytics against the security data that you store in Security Lake. + +**Design consideration:** + + * If an application team needs query access to Security Lake data to meet a business requirement, the Security Lake administrator should configure that Application account**** as a subscriber**.** +