**Purpose**
-----------

This document outlines the AWS monitoring and security services and features that will be enabled in each AWS account and that will consolidate their findings in the centralized Audit account.

**Implementation**
------------------

#### **Monitoring Services**

| Monitoring Service | Description | Implementation Details | Location |
| --- | --- | --- | --- |
| [Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) | Evaluate the configuration settings of AWS resources against the established security baseline. | A predefined set of Config Rules (link to Detective Controls artifact) will be configured in each account, with rule compliance status being sent to the Audit account through the Config Aggregator and SNS. Config Rules compliance status will be accessible through the Audit account Config Aggregator view in the Console/API. Additionally, Control Tower will reflect the compliance status for the default detective controls. | Config Aggregator/SNS (Audit account); Config/SNS (local accounts) |
| [CloudWatch Alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) | Watch a metric over a specified time period and send notifications to an Amazon SNS topic based on the value of the metric relative to a threshold over time. | A predefined set of CloudWatch Alarms (link to Detective Controls artifact) will be configured in each account, with changes in alarm state being sent to the Audit account SNS topic. | SNS (Audit account); CloudWatch/SNS (local accounts) |
| [Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) | Helps identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity, which lets you identify unintended access to your resources and data. | Access Analyzer will be configured for the entire AWS Organization, with the Audit account serving as the administrator that collects findings from all accounts in the organization. | Access Analyzer/Security Hub (Audit account) |
| [GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) | Continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts and workloads. | GuardDuty will be configured in each account to analyze CloudTrail, VPC Flow Logs, and DNS logs and send findings to the Audit account for centralized monitoring and potential response. GuardDuty findings from all member accounts will be accessible through the Audit account GuardDuty Console/API. | GuardDuty/Security Hub (Audit account); GuardDuty/Security Hub (local accounts) |
| [Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) | Aggregates, organizes, and prioritizes security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. | Security Hub will be configured in each account and will send findings to the Audit account for centralized monitoring and potential response. The CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices standards will be enabled in all accounts. Security Hub findings from all member accounts will be accessible through the Audit account Security Hub Console/API. | Security Hub (Audit account); Security Hub (local accounts) |

Notifications generated by the security services will be forwarded to the security contact email distribution list set up for all AWS accounts (link to LZ Account page).

#### Pricing Information

1. [AWS Config](https://aws.amazon.com/config/pricing/)
2. [AWS CloudWatch](https://aws.amazon.com/cloudwatch/pricing/)
3. [AWS GuardDuty](https://aws.amazon.com/guardduty/pricing/)
4. [AWS SecurityHub](https://aws.amazon.com/security-hub/pricing/)

#### Future State

The following additional security monitoring services can be considered for implementation in the future:

1. [AWS Macie](https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html)
2. [AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html)
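The table above describes findings from GuardDuty, Config Rules and Security Hub converging in the Audit account and notifications being forwarded to the security contact distribution list. The following is an added example, not code from this page or from any AWS-provided solution, of the glue that typically sits at that point: a Lambda-style handler for the EventBridge event Security Hub emits when a finding is imported ("Security Hub Findings - Imported"), which drops archived or resolved findings, applies a severity threshold, and builds the SNS message for the distribution list. The topic ARN, the threshold, the injected `publish` callable and the sample event are all assumptions constructed for the example; in a deployment `publish` would wrap `sns.publish` from boto3.

```python
"""Added example: route Security Hub findings received in the Audit account to
the security contact SNS topic. Constructed for illustration; not from the page."""
from typing import Callable, Dict, List, Optional

# Placeholder topic ARN for the Audit account (assumption, not a value from the page).
AUDIT_TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:security-notifications"

# ASFF severity labels in ascending order; findings below the threshold are not emailed.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
DEFAULT_THRESHOLD = "MEDIUM"
SNS_SUBJECT_LIMIT = 100  # SNS rejects subjects longer than 100 characters


def _severity_rank(label: str) -> int:
    """Position of an ASFF severity label; unknown labels rank below INFORMATIONAL."""
    try:
        return SEVERITY_ORDER.index(label.upper())
    except ValueError:
        return -1


def select_findings(event: Dict, threshold: str = DEFAULT_THRESHOLD) -> List[Dict]:
    """Return the findings in a 'Security Hub Findings - Imported' event that are still
    active, not resolved or suppressed, and at or above the severity threshold."""
    if event.get("source") != "aws.securityhub":
        return []
    min_rank = _severity_rank(threshold)
    selected = []
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("RecordState") != "ACTIVE":
            continue  # ARCHIVED findings are closed; no email for them
        if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
            continue  # an analyst already handled or muted this finding
        label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
        if _severity_rank(label) >= min_rank:
            selected.append(finding)
    return selected


def format_notification(finding: Dict) -> Dict[str, str]:
    """Build the SNS subject and body for one finding. The member account id and region
    lead the subject so they survive truncation and the reader knows where to look."""
    label = finding.get("Severity", {}).get("Label", "UNKNOWN")
    account = finding.get("AwsAccountId", "unknown-account")
    region = finding.get("Region", "unknown-region")
    product = finding.get("ProductName", "Security Hub")
    title = finding.get("Title", "(no title)")
    subject = f"[{label}] account {account} {region}: {product} - {title}"
    resources = ", ".join(r.get("Id", "?") for r in finding.get("Resources", [])) or "-"
    body = "\n".join([
        f"Finding: {finding.get('Id', '-')}",
        f"Product: {product}",
        f"Severity: {label}",
        f"Account: {account}",
        f"Region: {region}",
        f"Title: {title}",
        f"Description: {finding.get('Description', '-')}",
        f"Resources: {resources}",
        f"Compliance: {finding.get('Compliance', {}).get('Status', '-')}",
    ])
    return {"subject": subject[:SNS_SUBJECT_LIMIT], "body": body}


def handler(event: Dict, context=None,
            publish: Optional[Callable[[str, str, str], None]] = None,
            threshold: str = DEFAULT_THRESHOLD) -> List[Dict[str, str]]:
    """Lambda-style entry point. `publish(topic_arn, subject, body)` is injected so the
    example runs offline; returns the notifications it produced."""
    notices = [format_notification(f) for f in select_findings(event, threshold)]
    if publish is not None:
        for notice in notices:
            publish(AUDIT_TOPIC_ARN, notice["subject"], notice["body"])
    return notices


# Constructed sample event: one actionable HIGH finding from a member account, one LOW
# finding below the default threshold, and one CRITICAL finding already resolved.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "finding-1", "AwsAccountId": "222222222222", "Region": "us-east-1",
         "ProductName": "GuardDuty", "Severity": {"Label": "HIGH"},
         "Title": "Unprotected port on EC2 instance is being probed",
         "Description": "Constructed sample description.",
         "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example1234567890"}],
         "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
        {"Id": "finding-2", "AwsAccountId": "222222222222", "Region": "us-east-1",
         "ProductName": "Security Hub", "Severity": {"Label": "LOW"},
         "Title": "S3 bucket logging is not enabled", "Compliance": {"Status": "FAILED"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "example-bucket"}],
         "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
        {"Id": "finding-3", "AwsAccountId": "333333333333", "Region": "us-east-1",
         "ProductName": "GuardDuty", "Severity": {"Label": "CRITICAL"},
         "Title": "Already handled finding", "Resources": [],
         "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"}},
    ]},
}

if __name__ == "__main__":
    for notice in handler(SAMPLE_EVENT, publish=lambda arn, s, b: print(f"-> {arn}")):
        print(notice["subject"])
```

Because GuardDuty, Access Analyzer and Config compliance findings all arrive in the Audit account through Security Hub, one handler of this shape covers every row of the table; the threshold and the workflow-status filter are what keep the distribution list from receiving every informational or already-closed finding.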