Over the years I have come to specialize in multi-account AWS security. One of the first things I do and recommend is setting up a proper AWS Multi-Account Structure, beginning with a Master Account without any resources. This helps me deploy SCPs out at the organizational root.
Previously, it was quite cumbersome to deploy security services like AWS GuardDuty or even CloudTrail to multiple accounts. Finally, AWS has taken notice and made it easier to deploy these services either centrally from the master account, or even better using a delegated administrator account, such as a dedicated AWS Security Account.
Below is a list of services that are currently AWS Organizations compatible:
Configuring CloudTrail at the organizations level requires CloudTrail permissions on the master account. It’s exactly the same process as creating a regular trail, except that you enable it at the organizations level during creation:
Additional documentation can be found here:
Btw, the proper name for a CloudTrail enabled at the organization level is “Organization Trail”.
Here is the announcement:
Supported by Terraform:
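As an added example (not the author's code and not a snippet from the Terraform documentation), here is what an Organization Trail looks like in Terraform. It assumes you apply it with credentials for the master account, that the organization already exists (the `aws_organizations_organization` resource would then be imported rather than created), and that the bucket and trail names are placeholders you replace. The `is_organization_trail` argument of `aws_cloudtrail` is the one setting that distinguishes it from a regular trail; the rest is a normal trail plus the bucket policy CloudTrail needs to write logs.

```hcl
# Added example, not from the original post. Placeholders: bucket and trail names.
# Assumes master account credentials and an existing organization.

# Trusted access for CloudTrail must be enabled on the organization before an
# organization trail can be created. The console does this implicitly; in
# Terraform it is the aws_service_access_principals list.
resource "aws_organizations_organization" "org" {
  aws_service_access_principals = ["cloudtrail.amazonaws.com"]
  feature_set                   = "ALL"
}

resource "aws_s3_bucket" "trail" {
  bucket        = "example-org-cloudtrail-logs" # placeholder, must be globally unique
  force_destroy = false                         # never let a destroy delete audit logs
}

data "aws_iam_policy_document" "trail_bucket" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  statement {
    sid     = "AWSCloudTrailWrite"
    effect  = "Allow"
    actions = ["s3:PutObject"]
    # An organization trail writes under two prefixes: the master account id
    # (the master account's own events) and the organization id (member accounts).
    # A policy that only grants the account prefix silently drops member logs.
    resources = [
      "${aws_s3_bucket.trail.arn}/AWSLogs/${aws_organizations_organization.org.master_account_id}/*",
      "${aws_s3_bucket.trail.arn}/AWSLogs/${aws_organizations_organization.org.id}/*",
    ]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = data.aws_iam_policy_document.trail_bucket.json
}

resource "aws_cloudtrail" "org" {
  name           = "organization-trail" # placeholder
  s3_bucket_name = aws_s3_bucket.trail.id

  is_organization_trail         = true # the only difference from a regular trail
  is_multi_region_trail         = true # one trail covers every region
  include_global_service_events = true # IAM, STS and other global API calls
  enable_log_file_validation    = true # signed digest files for tamper detection

  # The bucket policy must exist before CloudTrail validates it can write.
  depends_on = [aws_s3_bucket_policy.trail]
}
```

Leaving `is_organization_trail` at its default of `false` gives you a trail that records only the master account, which is easy to miss because the apply succeeds either way; a quick check after deployment is that objects appear under the `AWSLogs/<organization id>/` prefix, not only under the master account id.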
AWS Security Hub
Here is a link to AWS Documentation: