
Essential Security Services (Single Account)

Overview

  • This guide configures the essential AWS security services for a single account environment to ensure overall security and visibility. The following services are configured: 
    • CloudTrail: Records API activity (management events, read and write) across all regions of the AWS account, with log file validation so tampering is detectable
    • Config: Records resource configuration changes over time and enables configuration compliance monitoring
    • GuardDuty: Signature- and anomaly-based threat detection for the account, raising findings on suspicious activity
    • Security Hub: Aggregates findings from the other security services and evaluates the account against standards such as CIS AWS Foundations, PCI DSS, and AWS Foundational Security Best Practices (most of these checks depend on Config recording being enabled)
    • Notifications: Enable email notifications for GuardDuty and Security Hub findings using EventBridge and SNS
  • Important: Make sure that you have a recent scan of your AWS account to ensure an up-to-date view of the AWS environment, configuration, and resources



Security Logging/Monitoring Services

# Single-account security logging/monitoring stack: a KMS key and alias, a
# multi-region CloudTrail trail with its S3 bucket and bucket policy, an AWS
# Config recorder/delivery channel with bucket and IAM role, a GuardDuty
# detector and a Security Hub hub. No parameters: everything is derived from
# the account and region the stack is deployed into.
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
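  LogEncryptionKey:
    # Customer-managed key for CloudTrail log files. Retained on delete and
    # replace: once the key is gone, every log file encrypted under it is
    # permanently unreadable.
    Type: "AWS::KMS::Key"
    DeletionPolicy: "Retain"
    UpdateReplacePolicy: "Retain"
    Properties:
      EnableKeyRotation: true
      MultiRegion: false
      Description: "KMS encryption key for CloudTrail logs"
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # The account root keeps full access so IAM policies in the account
          # can delegate key administration; without this the key becomes
          # unmanageable.
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS:
                Fn::Sub: "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # DescribeKey carries no encryption context, so it cannot share the
          # context-scoped statements below.
          - Sid: "Allow CloudTrail to describe the key"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "kms:DescribeKey"
            Resource: "*"
          # Scoped to this stack's trail (aws:SourceArn blocks a confused-deputy
          # call made on behalf of another account's trail) and to data keys
          # whose encryption context names a trail in this account.
          - Sid: "Allow CloudTrail to encrypt log files"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "kms:GenerateDataKey*"
            Resource: "*"
            Condition:
              StringEquals:
                "aws:SourceArn":
                  Fn::Sub: "arn:${AWS::Partition}:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/ManagementEventsTrail"
              StringLike:
                "kms:EncryptionContext:aws:cloudtrail:arn":
                  Fn::Sub: "arn:${AWS::Partition}:cloudtrail:*:${AWS::AccountId}:trail/*"
          # Decrypt is limited to data keys produced for a trail in this
          # account; CloudTrail binds the trail ARN to each data key as
          # encryption context, so anything else cannot be unwrapped here.
          - Sid: "Allow CloudTrail to decrypt log files"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "kms:Decrypt"
            Resource: "*"
            Condition:
              StringLike:
                "kms:EncryptionContext:aws:cloudtrail:arn":
                  Fn::Sub: "arn:${AWS::Partition}:cloudtrail:*:${AWS::AccountId}:trail/*"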
  KmsKeyAliasLogEncryptionKey:
    # Stable, human-readable name for the log key so operators and other
    # templates can refer to it without knowing the opaque key id.
    Type: "AWS::KMS::Alias"
    Properties:
      TargetKeyId: { Ref: "LogEncryptionKey" }
      AliasName: "alias/cloudtrail-logs-encryption"
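  CloudTrail:
    # Multi-region trail of every management event (reads and writes) with
    # digest files enabled, so later tampering with the log files is detectable.
    Type: "AWS::CloudTrail::Trail"
    # CloudTrail checks that it can write to the bucket when the trail is
    # created, so the bucket policy has to exist first.
    DependsOn: "S3BucketPolicy"
    Properties:
      TrailName: "ManagementEventsTrail"
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true
      # Encrypt log files with the stack's customer-managed key. Without this
      # property the LogEncryptionKey declared in this template is never used
      # and the log files fall back to S3-managed encryption.
      KMSKeyId:
        Fn::GetAtt:
          - "LogEncryptionKey"
          - "Arn"
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: "All"
      S3BucketName:
        Ref: "S3BucketForCloudTrailCloudTrail"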
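  S3BucketForCloudTrailCloudTrail:
    # Destination bucket for CloudTrail log files. Audit logs must outlive the
    # stack, so the bucket is retained rather than deleted with it.
    Type: "AWS::S3::Bucket"
    DeletionPolicy: "Retain"
    UpdateReplacePolicy: "Retain"
    Properties:
      # A log bucket has no reason to be reachable anonymously; block every
      # form of public ACL or public bucket policy up front.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Bucket-level default for any object not written by CloudTrail itself
      # (CloudTrail encrypts its own objects according to the trail settings).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "AES256"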
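  S3BucketPolicy:
    # Grants the CloudTrail service principal exactly the two calls it makes
    # (ACL probe, then object writes under this account's prefix) and refuses
    # any plaintext HTTP access to the bucket.
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket:
        Ref: "S3BucketForCloudTrailCloudTrail"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # aws:SourceArn on both CloudTrail statements ties the grant to this
          # stack's trail, so a trail in another account cannot deliver into
          # (or probe) this bucket even though the principal is the same.
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource:
              Fn::GetAtt:
                - "S3BucketForCloudTrailCloudTrail"
                - "Arn"
            Condition:
              StringEquals:
                "aws:SourceArn":
                  Fn::Sub: "arn:${AWS::Partition}:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/ManagementEventsTrail"
          # Writes are limited to AWSLogs/<this account>/ rather than the whole
          # AWSLogs/ tree, and must hand ownership to the bucket owner.
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource:
              Fn::Sub: "${S3BucketForCloudTrailCloudTrail.Arn}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                "s3:x-amz-acl": "bucket-owner-full-control"
                "aws:SourceArn":
                  Fn::Sub: "arn:${AWS::Partition}:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/ManagementEventsTrail"
          # Audit logs must never travel in the clear.
          - Sid: "DenyInsecureTransport"
            Effect: "Deny"
            Principal: "*"
            Action: "s3:*"
            Resource:
              - Fn::GetAtt:
                  - "S3BucketForCloudTrailCloudTrail"
                  - "Arn"
              - Fn::Sub: "${S3BucketForCloudTrailCloudTrail.Arn}/*"
            Condition:
              Bool:
                "aws:SecureTransport": "false"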
  ConfigurationRecorder:
    # Records configuration history for every supported resource type in this
    # region plus the global types (IAM and friends), using the stack's Config
    # service role.
    Type: "AWS::Config::ConfigurationRecorder"
    Properties:
      RecordingGroup:
        IncludeGlobalResourceTypes: true
        AllSupported: true
      RoleARN: { "Fn::GetAtt": ["IamRoleForAwsConfig", "Arn"] }
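  DeliveryChannel:
    # Delivers configuration snapshots/history to the Config bucket.
    # PutDeliveryChannel is rejected while the account has no configuration
    # recorder, and nothing else orders these two resources, so the channel
    # waits for the recorder explicitly; CloudFormation then starts the
    # recorder once the channel is available.
    Type: "AWS::Config::DeliveryChannel"
    DependsOn: "ConfigurationRecorder"
    Properties:
      S3BucketName:
        Ref: "S3BucketForAwsConfig"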
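  S3BucketForAwsConfig:
    # Destination bucket for AWS Config snapshots and history. Configuration
    # history is evidence; keep the bucket when the stack goes away.
    Type: "AWS::S3::Bucket"
    DeletionPolicy: "Retain"
    UpdateReplacePolicy: "Retain"
    Properties:
      # Never expose configuration history publicly.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Explicit encryption-at-rest default for everything Config writes here.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: "AES256"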
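  IamRoleForAwsConfig:
    # Role the Config recorder assumes. AWS_ConfigRole supplies the read-only
    # describe/list permissions; the inline policy adds only the bucket access
    # the delivery channel needs.
    # NOTE(review): consider an aws:SourceAccount condition on the trust
    # policy for confused-deputy protection — confirm Config sets it before
    # adding, otherwise the recorder cannot assume the role.
    Type: "AWS::IAM::Role"
    Properties:
      ManagedPolicyArns:
        - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/service-role/AWS_ConfigRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "config.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "allow-access-to-config-s3-bucket"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Config writes under AWSLogs/<this account>/; the role does not
              # need write access to the rest of the bucket.
              - Effect: "Allow"
                Action: "s3:PutObject"
                Resource:
                  Fn::Sub: "${S3BucketForAwsConfig.Arn}/AWSLogs/${AWS::AccountId}/*"
                Condition:
                  StringEquals:
                    "s3:x-amz-acl": "bucket-owner-full-control"
              # Config probes the bucket ACL before it starts delivering.
              - Effect: "Allow"
                Action: "s3:GetBucketAcl"
                Resource:
                  Fn::GetAtt:
                    - "S3BucketForAwsConfig"
                    - "Arn"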
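  GuardDuty:
    # Detector for this account and region. Updated findings are re-exported
    # every 15 minutes instead of the six-hour default (new findings are
    # exported as they occur), so EventBridge/SNS notifications built on top
    # of GuardDuty are not hours behind the activity they describe.
    Type: "AWS::GuardDuty::Detector"
    Properties:
      Enable: true
      FindingPublishingFrequency: "FIFTEEN_MINUTES"
      # S3 protection (analysis of S3 data events). Expressed via Features,
      # which replaces the deprecated DataSources block for the same setting.
      Features:
        - Name: "S3_DATA_EVENTS"
          Status: "ENABLED"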
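  SecurityHub:
    # Most Security Hub controls are evaluated through Config rules, so the
    # recorder should exist before the hub enables its standards; otherwise
    # the first evaluations report no data.
    Type: "AWS::SecurityHub::Hub"
    DependsOn: "ConfigurationRecorder"
    Properties:
      # The service defaults, stated explicitly so a later change is a
      # deliberate, reviewable diff: enable the default standard set and
      # auto-enable newly released controls in enabled standards.
      EnableDefaultStandards: true
      AutoEnableControls: true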
# Empty sections kept for completeness: the template takes no inputs and has
# no conditional resources.
Parameters: {}
Metadata: {}
Conditions: {}