Why Is Cloud Security So Hard? (Hint: It’s Not)
Securing a new environment without knowing the rules of the road can be hard. Take the time to learn the rules and avoid speedbumps.
Finally, AWS has noticed and made it easier to deploy these services either centrally from the master account, or even better using a delegated administrator account, such as a dedicated AWS Security Account.
Over the years, I have come to specialize in multi-account AWS security. One of the first things I do and recommend is setting up a proper AWS Multi-Account Structure, beginning with a Master Account without any resources. This helps me deploy SCPs out at the organizational root.
Previously, it was quite cumbersome to deploy security services like AWS GuardDuty or even CloudTrail to multiple accounts. Finally, AWS has noticed and made it easier to deploy these services either centrally from the master account, or even better using a delegated administrator account, such as a dedicated AWS Security Account.
Below is a list of services that are currently AWS Organizations compatible.
Configuring AWS at the organization-level requires CloudTrail permissions on the master account. It’s exactly the same process as creating a regular CloudTrail except that you enable it at the organizations level during creation:
Additional documentation can be found here:
By the way, the proper name of CloudTrail enabled organizationally is “Organization Trail.”
Here is the announcement:
Here is a link to AWS Documentation:
Organizations support currently not supported in Terraform. Here is the issue:
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service).