Over the years I have come to specialize in multi-account AWS security. One of the first things I do and recommend is setting up a proper AWS Multi-Account Structure, beginning with a Master Account that holds no workload resources. Keeping the master account empty lets me deploy SCPs at the organizational root without worrying about breaking anything that lives there.
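As an added example (Terraform, not code from the original post), this is the kind of guardrail SCP I attach at the organizational root once the master account is in place. It assumes the AWS provider is authenticated against the master account; the policy name and the break-glass role name are placeholders.

```hcl
# Added example, not from the original post. Enables SCPs on the organization
# and attaches a guardrail policy at the root so it applies to every OU and
# member account. Provider is assumed to be authenticated as the master account.

resource "aws_organizations_organization" "org" {
  feature_set          = "ALL" # SCPs need "all features", not consolidated billing only
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

# Member accounts must not be able to switch off organization-wide logging and
# detection, or leave the organization to escape the guardrails.
data "aws_iam_policy_document" "protect_security_services" {
  statement {
    sid    = "DenyDisablingSecurityServices"
    effect = "Deny"
    actions = [
      "cloudtrail:DeleteTrail",
      "cloudtrail:StopLogging",
      "cloudtrail:UpdateTrail",
      "guardduty:DeleteDetector",
      "guardduty:DisassociateFromMasterAccount",
      "securityhub:DisableSecurityHub",
      "organizations:LeaveOrganization",
    ]
    resources = ["*"]

    # Placeholder break-glass role that is still allowed to perform these actions.
    condition {
      test     = "ArnNotLike"
      variable = "aws:PrincipalARN"
      values   = ["arn:aws:iam::*:role/SecurityBreakGlass"]
    }
  }
}

resource "aws_organizations_policy" "protect_security_services" {
  name        = "protect-security-services" # placeholder name
  description = "Member accounts cannot disable org-wide logging/detection or leave the org"
  type        = "SERVICE_CONTROL_POLICY"
  content     = data.aws_iam_policy_document.protect_security_services.json
}

# Attaching at the root (rather than a single OU) covers every current and
# future account in the organization.
resource "aws_organizations_policy_attachment" "root" {
  policy_id = aws_organizations_policy.protect_security_services.id
  target_id = aws_organizations_organization.org.roots[0].id
}
```

SCPs never restrict the master account itself, which is one more reason to keep that account free of resources: anything deployed there sits outside the guardrails.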

Previously, it was quite cumbersome to deploy security services like AWS GuardDuty or even CloudTrail to multiple accounts. Finally, AWS has taken notice and made it easier to deploy these services either centrally from the master account or, even better, from a delegated administrator account such as a dedicated AWS Security Account.

Below is a list of services that are currently AWS Organizations compatible:

AWS CloudTrail

Configuring CloudTrail at the organizations level requires CloudTrail permissions on the master account. It is exactly the same process as creating a regular trail, except that you enable it for the whole organization during creation:

Screenshot of AWS Organizational CloudTrail option

Additional documentation can be found here:

Btw, the proper name for a trail enabled at the organization level is “Organization Trail”.
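Here is what the same setup looks like in Terraform, as an added example rather than code from the original post. It assumes the provider is authenticated as the master account, that the organization already exists with CloudTrail trusted access enabled, and that the bucket name is a placeholder. The one line that makes it an Organization Trail is `is_organization_trail = true`; the bucket policy is where people usually trip up, because an organization trail writes under the organization ID prefix, not just the master account ID.

```hcl
# Added example, not from the original post. Creates an Organization Trail in
# the master account with a bucket policy that accepts both key prefixes
# CloudTrail uses for organization trails.

data "aws_caller_identity" "master" {}
data "aws_organizations_organization" "org" {}

resource "aws_s3_bucket" "org_trail" {
  bucket = "example-org-cloudtrail-logs" # placeholder; S3 bucket names are global
}

# CloudTrail must be allowed to check the bucket ACL and write log objects.
# Logs from member accounts land under AWSLogs/<organization-id>/, so that
# prefix must be granted in addition to the master account's own prefix.
data "aws_iam_policy_document" "org_trail_bucket" {
  statement {
    sid    = "AWSCloudTrailAclCheck"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.org_trail.arn]
  }

  statement {
    sid    = "AWSCloudTrailWrite"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    actions = ["s3:PutObject"]
    resources = [
      "${aws_s3_bucket.org_trail.arn}/AWSLogs/${data.aws_caller_identity.master.account_id}/*",
      "${aws_s3_bucket.org_trail.arn}/AWSLogs/${data.aws_organizations_organization.org.id}/*",
    ]
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "org_trail" {
  bucket = aws_s3_bucket.org_trail.id
  policy = data.aws_iam_policy_document.org_trail_bucket.json
}

# Identical to a regular trail apart from is_organization_trail = true.
resource "aws_cloudtrail" "org" {
  name                          = "organization-trail" # placeholder name
  s3_bucket_name                = aws_s3_bucket.org_trail.id
  is_organization_trail         = true
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true

  # Trail creation fails if the bucket policy is not in place yet.
  depends_on = [aws_s3_bucket_policy.org_trail]
}
```

Log file validation is worth keeping on: it gives you a signed digest chain, so tampering with delivered log files is detectable later.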

AWS GuardDuty

Here is the announcement:

Supported by Terraform:

AWS Security Hub

Here is a link to AWS Documentation:
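The delegated administrator model mentioned above, for both GuardDuty and Security Hub, as an added Terraform example (not code from the original post or from AWS). It assumes the default provider is authenticated as the master account, that the security account is reachable through the default `OrganizationAccountAccessRole`, and that the account ID and region are placeholders.

```hcl
# Added example, not from the original post. Delegates GuardDuty and Security
# Hub administration from the master account to a dedicated security account,
# then turns on auto-enrolment of member accounts from that security account.

variable "security_account_id" {
  description = "Dedicated AWS Security Account (placeholder value)"
  type        = string
  default     = "111111111111"
}

# Default provider: master account. Second provider: the security account,
# reached via the role Organizations creates in every member account.
provider "aws" {
  region = "us-east-1" # placeholder; GuardDuty delegation is per region
}

provider "aws" {
  alias  = "security"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.security_account_id}:role/OrganizationAccountAccessRole"
  }
}

# Trusted access for each service must be enabled on the organization before
# a delegated administrator can be registered.
resource "aws_organizations_organization" "org" {
  feature_set = "ALL"
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "guardduty.amazonaws.com",
    "securityhub.amazonaws.com",
  ]
}

# Run from the master account: name the security account as delegated admin.
resource "aws_guardduty_organization_admin_account" "security" {
  depends_on       = [aws_organizations_organization.org]
  admin_account_id = var.security_account_id
}

resource "aws_securityhub_organization_admin_account" "security" {
  depends_on       = [aws_organizations_organization.org]
  admin_account_id = var.security_account_id
}

# Run from the security account: own the detector and auto-enable GuardDuty
# for every account that joins the organization.
resource "aws_guardduty_detector" "security" {
  provider = aws.security
  enable   = true
}

resource "aws_guardduty_organization_configuration" "all_members" {
  provider    = aws.security
  depends_on  = [aws_guardduty_organization_admin_account.security]
  auto_enable = true
  detector_id = aws_guardduty_detector.security.id
}
```

GuardDuty is a regional service, so the admin-account and organization-configuration resources have to be repeated (or wrapped in a module) for every region you want covered; an attacker-friendly gap is a region nobody enabled.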

AWS IAM Access Analyzer

Organizations support is currently not available in Terraform. Here is a link to the issue.
