AWS Security Tools That Support AWS Organizations
Over the years, I have come to specialize in multi-account AWS security. One of the first things I do and recommend is setting up a proper AWS Multi-Account Structure, beginning with a Master Account without any resources. This helps me deploy SCPs out at the organizational root.
Previously, it was quite cumbersome to deploy security services like AWS GuardDuty or even CloudTrail to multiple accounts. Finally, AWS has noticed and made it easier to deploy these services either centrally from the master account, or even better using a delegated administrator account, such as a dedicated AWS Security Account.
Below is a list of services that are currently AWS Organizations compatible.
AWS CloudTrail
Configuring AWS at the organization-level requires CloudTrail permissions on the master account. It’s exactly the same process as creating a regular CloudTrail except that you enable it at the organizations level during creation:
Additional documentation can be found here:
By the way, the proper name of CloudTrail enabled organizationally is “Organization Trail.”
AWS Guardduty
Here is the announcement:
AWS Security Hub
Here is a link to AWS Documentation:
AWS IAM Access Analyzer
Organizations support currently not supported in Terraform. Here is the issue:
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service) and DevSecOps As A Service.
