AWS - Security guardrails in AWS restricted data environment

AWS Services

Service                              Industry Generalized Name
AWS Control Tower                    Cloud Governance Service
AWS Security Hub                     Cloud Security Posture Management (CSPM) Service
GuardDuty                            Network Intrusion Detection System (IDS) Service
AWS Config                           Cloud Configuration Management Service
AWS Inspector                        Vulnerability Scanning Service
AWS Systems Manager - Inventory      VM Asset Management Service (not yet required)
AWS Systems Manager - State Manager  VM State Management Service (not yet required)
AWS Systems Manager - Patch Manager  Patch Management Service (not yet required)
Amazon Macie                         Sensitive Data Discovery Service (not yet enabled)
AWS Shield                           Distributed Denial of Service (DDoS) Protection Service (not yet enabled)
SSO                                  Sign in with NetID

Restrictions and Limitations for every account:

  • Restricted regions: resources are only allowed in US-East-1, US-East-2 and US-West-2.
  • No account-level access to adjust guardrails, GuardDuty, Security Hub, etc.
  • Account users are blocked from creating IAM users and must use NetID to access the account. (IAM users for service accounts may be requested from the Public Cloud Team.)

Building Blocks:

  • A prefix list of UW IP addresses that users can reference to configure Security Groups quickly, without having to look up a list of UW IP addresses themselves. This prefix list is created in each region.
  • Security groups for UW Traffic, using the prefix list above, that only allow traffic from those IPs into ports 22 and 3389. These security groups are created in each region.
  • All rules are removed from the default security group, which AWS creates in each region at account creation, and any rules later added to it are removed again.
  • EC2 (EBS volume) encryption is on by default unless the user unchecks the encryption box. This ensures that a user unfamiliar with the EC2 creation workflow still gets an encrypted volume unless they actively choose not to encrypt it and uncheck the box during configuration.
  • Config, CloudTrail and S3 access logs go to the Log Archive account. Only the Cloud Team has access to these logs, but it can assist if information is needed from them.
  • S3 bucket encryption
  • S3 bucket access rules
    • Only the bucket owner and AWS services can access buckets with public policies.
    • Block public ACLs for buckets in this account.
    • Block public bucket policies for buckets in this account. Reject calls to PUT Bucket policy if the specified bucket policy allows public access.
  • User Groups:
    • AWSAdministratorAccess
    • AWSSOPowerUser
    • AWSReadOnlyAccess
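As an added example (not the Public Cloud Team's own tooling), the check below verifies the default-security-group and UW Traffic rules described above against constructed data in the shape of an EC2 DescribeSecurityGroups response; the prefix list id and the group name "UW Traffic" are assumptions.

```python
ALLOWED_PORTS = {22, 3389}
UW_PREFIX_LIST_ID = "pl-0000000000EXAMPLE"  # placeholder, not the real UW prefix list id

def _rule_is_uw_only(rule, prefix_list_id):
    """True only for a TCP rule on exactly port 22 or 3389 whose sole source is the UW prefix list."""
    if rule.get("IpProtocol") != "tcp" or rule.get("FromPort") != rule.get("ToPort"):
        return False
    if rule.get("FromPort") not in ALLOWED_PORTS:
        return False
    if rule.get("IpRanges") or rule.get("Ipv6Ranges") or rule.get("UserIdGroupPairs"):
        return False  # any CIDR or group source widens the rule beyond the prefix list
    return [p["PrefixListId"] for p in rule.get("PrefixListIds", [])] == [prefix_list_id]

def audit_security_groups(groups, prefix_list_id=UW_PREFIX_LIST_ID, uw_group_name="UW Traffic"):
    """Return (GroupId, message) findings for one region's groups; an empty list means compliant."""
    findings = []
    for sg in groups:
        gid, name = sg["GroupId"], sg["GroupName"]
        if name == "default":
            # The AWS-created default group must stay empty, ingress and egress alike.
            if sg.get("IpPermissions") or sg.get("IpPermissionsEgress"):
                findings.append((gid, "default security group must carry no rules"))
        elif name == uw_group_name:
            # The UW Traffic group admits only the UW prefix list, only on 22 and 3389.
            for rule in sg.get("IpPermissions", []):
                if not _rule_is_uw_only(rule, prefix_list_id):
                    findings.append((gid, f"ingress rule not limited to UW prefix list on 22/3389: {rule}"))
    return findings

def _uw_rule(port):
    """Build a compliant rule for the constructed sample below."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": [], "Ipv6Ranges": [],
            "UserIdGroupPairs": [], "PrefixListIds": [{"PrefixListId": UW_PREFIX_LIST_ID}]}

# Constructed sample in DescribeSecurityGroups shape: a clean UW Traffic group, a default
# group someone re-added a self-referencing rule to, and a UW Traffic group opened to the world on 3389.
SAMPLE_GROUPS = [
    {"GroupId": "sg-uw-ok", "GroupName": "UW Traffic", "IpPermissions": [_uw_rule(22), _uw_rule(3389)]},
    {"GroupId": "sg-default", "GroupName": "default", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default"}]}]},
    {"GroupId": "sg-uw-bad", "GroupName": "UW Traffic", "IpPermissions": [_uw_rule(22), {
        "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": []}]},
]

if __name__ == "__main__":
    for gid, msg in audit_security_groups(SAMPLE_GROUPS):
        print(gid, msg)
```

Run it once per region, since both the prefix list and the UW Traffic group exist in each region.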

Optional Modules (only added by request):

  • IAM service account with secret stored in AWS Secrets Manager
  • High compliance S3 bucket creation

Account Types

AWS Organization structure

Strides - Discount program only. No differences in policies.

High Risk:

Data and systems are classified as High Risk if:

  1. Protection of the data is required by law/regulation,
  2. UW is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
  3. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Policies/Rules on Cloud Accounts in this Organization Type:

  • No account-level access to adjust guardrails, GuardDuty, Security Hub, etc.
  • User Groups:
    • AWSAdministratorAccess
    • AWSSOAccess
    • AWSReadOnlyAccess

  • Disallow configuration changes to CloudTrail
  • Integrate CloudTrail events with CloudWatch Logs
  • Enable CloudTrail in all available regions
  • Enable integrity validation for CloudTrail log files
  • Disallow changes to Amazon CloudWatch set up by AWS Control Tower
  • Disallow deletion of AWS Config Aggregation Authorizations created by AWS Control Tower
  • Disallow changes to tags created by AWS Control Tower for AWS Config resources
  • Disallow configuration changes to AWS Config
  • Enable AWS Config in all available regions.
  • Disallow changes to AWS Config Rules set up by AWS Control Tower
  • Disallow changes to AWS IAM roles set up by AWS Control Tower and AWS CloudFormation
  • Disallow changes to AWS Lambda functions set up by AWS Control Tower
  • Deny access to AWS based on the requested AWS Region
  • Disallow changes to Amazon SNS set up by AWS Control Tower
  • Disallow changes to Amazon SNS subscriptions set up by AWS Control Tower
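The region guardrail in the list above, as an added example rather than the Control Tower SCP itself: a Deny statement written in that guardrail's shape, limited to the three regions this page allows, with a small evaluator so its effect on sample requests can be checked offline. The exempt global-service list is an illustrative subset, and the evaluator covers only the SCP features this statement uses.

```python
import fnmatch
import json

ALLOWED_REGIONS = ["us-east-1", "us-east-2", "us-west-2"]  # the page's US-East-1, US-East-2, US-West-2
# Illustrative subset of global-service actions; the real guardrail's exemption list is longer.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*",
                          "route53:*", "cloudfront:*", "budgets:*"]

REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideAllowedRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,  # global services are never region-blocked
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
}

def _action_matches(pattern, action):
    # IAM action names match case-insensitively, with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_denied_by_scp(scp, action, requested_region):
    """True if any Deny statement in scp applies to (action, requested_region).

    Supports Effect=Deny, Action/NotAction lists with wildcards and a
    StringNotEquals condition on aws:RequestedRegion; anything else raises.
    """
    for st in scp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "NotAction" in st:
            if any(_action_matches(p, action) for p in st["NotAction"]):
                continue  # exempt action: this statement does not apply
        elif not any(_action_matches(p, action) for p in st.get("Action", [])):
            continue
        cond = st.get("Condition", {})
        if set(cond) - {"StringNotEquals"}:
            raise ValueError(f"unsupported condition operator in {st.get('Sid')}")
        allowed = cond.get("StringNotEquals", {}).get("aws:RequestedRegion")
        if allowed is None or requested_region not in allowed:
            return True  # StringNotEquals holds (or there is no region condition): Deny applies
    return False

if __name__ == "__main__":
    print(json.dumps(REGION_DENY_SCP, indent=2))
    for action, region in [("ec2:RunInstances", "us-east-2"), ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateRole", "eu-west-1")]:
        print(action, region, "DENIED" if is_denied_by_scp(REGION_DENY_SCP, action, region) else "allowed by SCP")
```

An SCP only restricts; "allowed by SCP" still means the request needs an IAM permission to succeed.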

Medium Risk:

Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:

  1. The data is not generally available to the public, or
  2. The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.

Policies/Rules on Cloud Accounts in this Organization Type:

  • Disallow configuration changes to CloudTrail
  • Integrate CloudTrail events with CloudWatch Logs
  • Enable CloudTrail in all available regions
  • Enable integrity validation for CloudTrail log file
  • Disallow changes to Amazon CloudWatch set up by AWS Control Tower
  • Disallow deletion of AWS Config Aggregation Authorizations created by AWS Control Tower
  • Disallow changes to tags created by AWS Control Tower for AWS Config resources
  • Disallow configuration changes to AWS Config
  • Enable AWS Config in all available regions
  • Disallow changes to AWS Config Rules set up by AWS Control Tower
  • Disallow changes to AWS IAM roles set up by AWS Control Tower and AWS CloudFormation
  • Disallow changes to AWS Lambda functions set up by AWS Control Tower
  • Deny access to AWS based on the requested AWS Region
  • Disallow changes to Amazon SNS set up by AWS Control Tower
  • Disallow changes to Amazon SNS subscriptions set up by AWS Control Tower

Low Risk:

Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:

  1. The data is intended for public disclosure, or
  2. The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.

Policies/Rules on Cloud Accounts in this Organization Type:

  • Disallow configuration changes to CloudTrail
  • Integrate CloudTrail events with CloudWatch Logs
  • Enable CloudTrail in all available regions
  • Enable integrity validation for CloudTrail log file
  • Disallow changes to Amazon CloudWatch set up by AWS Control Tower
  • Disallow deletion of AWS Config Aggregation Authorizations created by AWS Control Tower
  • Disallow changes to tags created by AWS Control Tower for AWS Config resources
  • Disallow configuration changes to AWS Config
  • Enable AWS Config in all available regions
  • Disallow changes to AWS Config Rules set up by AWS Control Tower
  • Disallow changes to AWS IAM roles set up by AWS Control Tower and AWS CloudFormation
  • Disallow changes to AWS Lambda functions set up by AWS Control Tower
  • Deny access to AWS based on the requested AWS Region
  • Disallow changes to Amazon SNS set up by AWS Control Tower
  • Disallow changes to Amazon SNS subscriptions set up by AWS Control Tower

Policies and Roles

High Risk  Medium Risk  Low Risk  Policies and Rules
X          -            -         No account-level access to adjust guardrails, GuardDuty, Security Hub, etc.
X          -            -         User Groups (predefined permissions): AWSAdministratorAccess, AWSSOAccess, AWSReadOnlyAccess
X          X            X         Disallow configuration changes to CloudTrail
X          X            X         Integrate CloudTrail events with CloudWatch Logs
X          X            X         Enable CloudTrail in all available regions
X          X            X         Enable integrity validation for CloudTrail log files
X          X            X         Disallow changes to Amazon CloudWatch set up by AWS Control Tower
X          X            X         Disallow deletion of AWS Config Aggregation Authorizations created by AWS Control Tower
X          X            X         Disallow changes to tags created by AWS Control Tower for AWS Config resources
X          X            X         Disallow configuration changes to AWS Config
X          X            X         Enable AWS Config in all available regions
X          X            X         Disallow changes to AWS Config Rules set up by AWS Control Tower
X          X            X         Disallow changes to AWS IAM roles set up by AWS Control Tower and AWS CloudFormation
X          X            X         Disallow changes to AWS Lambda functions set up by AWS Control Tower
X          X            X         Deny access to AWS based on the requested AWS Region
X          X            X         Disallow changes to Amazon SNS set up by AWS Control Tower
X          X            X         Disallow changes to Amazon SNS subscriptions set up by AWS Control Tower

Keywords: aws restricted sensitive data guardrails SCP OU high-risk high risk HIPAA
Doc ID: 123894
Owned by: Steve T. in Public Cloud
Created: 2023-02-07
Updated: 2023-02-07
Sites: Public Cloud