AI CloudAdvisor (Beta)
Essential Security Services (Single Account)

Overview

  • This guide configures the essential AWS security services for a single-account environment to provide baseline security and visibility. The following services are configured:
    • CloudTrail: Logs API activity in the AWS account
    • Config: Records resource configuration changes over time and enables configuration compliance monitoring
    • GuardDuty: Signature- and anomaly-based threat detection in the account that alerts on suspicious activity
    • Security Hub: Aggregates findings from the other security services and enables compliance monitoring against standards such as CIS, PCI DSS, and AWS best practices
    • Notifications: Email notifications for GuardDuty and Security Hub findings using EventBridge and SNS
  • Important: Make sure that you have a recent scan of your AWS account so that the view of the AWS environment, its configuration, and its resources is up to date

Security Logging/Monitoring Services

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  LogEncryptionKey:
    Type: 'AWS::KMS::Key'
    Properties:
      EnableKeyRotation: true
      MultiRegion: false
      Description: KMS encryption key for CloudTrail logs
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS:
                'Fn::Join':
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: 'AWS::AccountId'
                    - ':root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Enable CloudTrail Permissions
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action:
              - 'kms:DescribeKey'
              - 'kms:Decrypt'
              - 'kms:GenerateDataKey*'
            Resource: '*'
  KmsKeyAliasLogEncryptionKey:
    Type: 'AWS::KMS::Alias'
    Properties:
      AliasName: alias/cloudtrail-logs-encryption
      TargetKeyId:
        Ref: LogEncryptionKey
  CloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    Properties:
      TrailName: ManagementEventsTrail
      IsLogging: true
      EnableLogFileValidation: true
      # Encrypt delivered log files with the key defined above; without this
      # property the key and its alias are created but never used by the trail
      KMSKeyId:
        Ref: LogEncryptionKey
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: All
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: S3BucketForCloudTrailCloudTrail
    DependsOn: S3BucketPolicy
  S3BucketForCloudTrailCloudTrail:
    Type: 'AWS::S3::Bucket'
    Properties: {}
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        Ref: S3BucketForCloudTrailCloudTrail
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource:
              'Fn::GetAtt':
                - S3BucketForCloudTrailCloudTrail
                - Arn
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:PutObject'
            Resource:
              'Fn::Join':
                - ''
                - - 'Fn::GetAtt':
                      - S3BucketForCloudTrailCloudTrail
                      - Arn
                  - /AWSLogs/*
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
  ConfigurationRecorder:
    Type: 'AWS::Config::ConfigurationRecorder'
    Properties:
      RoleARN:
        'Fn::GetAtt':
          - IamRoleForAwsConfig
          - Arn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
  DeliveryChannel:
    Type: 'AWS::Config::DeliveryChannel'
    Properties:
      S3BucketName:
        Ref: S3BucketForAwsConfig
  S3BucketForAwsConfig:
    Type: 'AWS::S3::Bucket'
    Properties: {}
  IamRoleForAwsConfig:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWS_ConfigRole'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: allow-access-to-config-s3-bucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                Resource:
                  - 'Fn::Join':
                      - ''
                      - - 'Fn::GetAtt':
                            - S3BucketForAwsConfig
                            - Arn
                        - /*
                Condition:
                  StringLike:
                    's3:x-amz-acl': bucket-owner-full-control
              - Effect: Allow
                Action:
                  - 's3:GetBucketAcl'
                Resource:
                  'Fn::GetAtt':
                    - S3BucketForAwsConfig
                    - Arn
  GuardDuty:
    Type: 'AWS::GuardDuty::Detector'
    Properties:
      Enable: true
      DataSources:
        S3Logs:
          Enable: true
  SecurityHub:
    Type: 'AWS::SecurityHub::Hub'
    Properties: {}
    # Security Hub standards evaluate AWS Config data, so enable the recorder first
    DependsOn: ConfigurationRecorder
Parameters: {}
Metadata: {}
Conditions: {}
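Before deploying a template like the one above, it is worth checking it against the properties the walkthrough relies on (multi-region trail with log file validation and KMS encryption, a bucket policy that only lets CloudTrail write with the bucket-owner-full-control ACL, Config recording all supported and global resource types, an enabled GuardDuty detector, and a Security Hub resource). The following checker is an added example and is not part of the walkthrough or the CloudAdvisor tool. It works on the template as a parsed dictionary; the BASELINE dictionary embedded here is a constructed, abridged model of the template above with one addition that the page's template leaves at defaults, a PublicAccessBlockConfiguration on the trail bucket, which the checker also requires. Resource names such as TrailBucket and the weakened_copy() helper are assumptions made for the example.

```python
import copy

# Constructed sample: an abridged model of the walkthrough's template, plus a
# public access block on the trail bucket (not present in the page's template).
BASELINE = {"Resources": {
    "LogEncryptionKey": {"Type": "AWS::KMS::Key",
                         "Properties": {"EnableKeyRotation": True}},
    "CloudTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsLogging": True, "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True, "EnableLogFileValidation": True,
        "KMSKeyId": {"Ref": "LogEncryptionKey"},
        "S3BucketName": {"Ref": "TrailBucket"}}},
    "TrailBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "BlockPublicPolicy": True,
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
    "TrailBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "TrailBucket"},
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
             "Action": "s3:GetBucketAcl", "Resource": "*"},
            {"Effect": "Allow", "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
             "Action": "s3:PutObject", "Resource": "*",
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}}},
    "ConfigurationRecorder": {"Type": "AWS::Config::ConfigurationRecorder", "Properties": {
        "RecordingGroup": {"AllSupported": True, "IncludeGlobalResourceTypes": True}}},
    "DeliveryChannel": {"Type": "AWS::Config::DeliveryChannel", "Properties": {}},
    "GuardDuty": {"Type": "AWS::GuardDuty::Detector", "Properties": {"Enable": True}},
    "SecurityHub": {"Type": "AWS::SecurityHub::Hub", "Properties": {}},
}}

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def _by_type(template, rtype):
    """Map logical resource name -> Properties for every resource of the given type."""
    return {name: res.get("Properties", {}) for name, res in
            template.get("Resources", {}).items() if res.get("Type") == rtype}


def _require_true(props, key, findings, label):
    """Record a finding unless props[key] is literally true."""
    if props.get(key) is not True:
        findings.append(f"{label}: {key} must be true")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _trail_write_policy_ok(template, bucket):
    """True if a bucket policy on `bucket` grants cloudtrail.amazonaws.com s3:PutObject
    only when the object ACL is bucket-owner-full-control."""
    for props in _by_type(template, "AWS::S3::BucketPolicy").values():
        if props.get("Bucket", {}).get("Ref") != bucket:
            continue
        for st in props.get("PolicyDocument", {}).get("Statement", []):
            services = _as_list(st.get("Principal", {}).get("Service"))
            if "cloudtrail.amazonaws.com" in services and "s3:PutObject" in _as_list(st.get("Action")):
                cond = st.get("Condition", {}).get("StringEquals", {})
                return cond.get("s3:x-amz-acl") == "bucket-owner-full-control"
    return False


def check_baseline(template):
    """Return a list of findings; an empty list means the template meets the baseline."""
    findings = []
    trails = _by_type(template, "AWS::CloudTrail::Trail")
    if not trails:
        findings.append("no AWS::CloudTrail::Trail resource")
    for name, p in trails.items():
        for key in ("IsLogging", "IsMultiRegionTrail", "IncludeGlobalServiceEvents",
                    "EnableLogFileValidation"):
            _require_true(p, key, findings, name)
        if "KMSKeyId" not in p:
            findings.append(f"{name}: KMSKeyId not set, log files are not KMS-encrypted")
        bucket = p.get("S3BucketName")
        bucket = bucket.get("Ref") if isinstance(bucket, dict) else bucket
        bucket_props = _by_type(template, "AWS::S3::Bucket").get(bucket)
        if bucket_props is None:
            findings.append(f"{name}: S3BucketName does not reference a bucket in the template")
            continue
        pab = bucket_props.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(k) is True for k in PAB_KEYS):
            findings.append(f"{bucket}: PublicAccessBlockConfiguration incomplete")
        if not _trail_write_policy_ok(template, bucket):
            findings.append(f"{bucket}: no CloudTrail PutObject statement conditioned on bucket-owner-full-control")
    recorders = _by_type(template, "AWS::Config::ConfigurationRecorder")
    if not recorders:
        findings.append("no AWS::Config::ConfigurationRecorder resource")
    for name, p in recorders.items():
        group = p.get("RecordingGroup", {})
        _require_true(group, "AllSupported", findings, name)
        _require_true(group, "IncludeGlobalResourceTypes", findings, name)
    if not _by_type(template, "AWS::Config::DeliveryChannel"):
        findings.append("no AWS::Config::DeliveryChannel resource")
    detectors = _by_type(template, "AWS::GuardDuty::Detector")
    if not detectors:
        findings.append("no AWS::GuardDuty::Detector resource")
    for name, p in detectors.items():
        _require_true(p, "Enable", findings, name)
    if not _by_type(template, "AWS::SecurityHub::Hub"):
        findings.append("no AWS::SecurityHub::Hub resource")
    return findings


def weakened_copy():
    """Constructed negative case: the baseline with three controls switched off."""
    weak = copy.deepcopy(BASELINE)
    trail = weak["Resources"]["CloudTrail"]["Properties"]
    trail["IsMultiRegionTrail"] = False
    del trail["KMSKeyId"]
    del weak["Resources"]["TrailBucketPolicy"]["Properties"]["PolicyDocument"]["Statement"][1]["Condition"]
    return weak


if __name__ == "__main__":
    for label, tpl in (("baseline", BASELINE), ("weakened", weakened_copy())):
        print(label, check_baseline(tpl) or "OK")
```

To use it on a real template, load the YAML into a dictionary first (long-form `Ref:` and `'Fn::GetAtt':` keys as in the template above parse with a standard YAML loader; the `!Ref` shorthand needs a loader that understands CloudFormation tags) and pass the result to check_baseline(); any non-empty result lists the controls that are missing or switched off.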