Title: AWS re:Inforce 2024 - Securing hundreds of AWS accounts for streamlined governance (COM421)
Insights:
- Use Case for Multiple AWS Accounts: Companies, especially SaaS vendors, often create separate AWS accounts for each customer to ensure resource separation. This practice extends to having distinct accounts for development, staging, and production environments, and sometimes even for individual microservices.
- AWS Organizations: The foundation for managing many accounts. The talk highlighted consolidated billing, budget alarms, and Cost Explorer, which together let you see the cost of every member account from the management account.
- Identity and Access Management: AWS IAM Identity Center simplifies user and group management across multiple accounts, supporting MFA enforcement and integration with third-party SSO providers.
- Sandbox Accounts: Companies create sandbox accounts for experimentation and testing before moving to staging and production, further increasing the number of accounts.
- AWS Control Tower: Streamlines the multi-account setup by provisioning a landing zone, optional predefined VPCs, and controls (guardrails) applied across organizational units. It integrates with IAM Identity Center for SSO and offers controls such as region deny, centralized logging into a dedicated log archive account, and organization-wide CloudTrail management.
- Security Services:
  - CloudTrail: An organization trail records API calls and activity from every account and delivers the logs to a central account, which is what makes later forensics possible.
  - Security Hub and GuardDuty: Security Hub can be enabled for the whole organization and aggregates findings from all accounts into one place where controls are managed centrally; GuardDuty is the intelligent threat detection service (IDS-like) and also includes Malware Protection.
  - Amazon Inspector: Scans EC2 instances, Lambda functions, and container images in ECR for vulnerabilities and reports findings to Security Hub.
  - AWS Config: An aggregator collects configuration data across accounts; advanced queries (a SQL-like syntax) then find non-compliant resources, such as EC2 instances with public IPs or databases without encryption.
  - Systems Manager: Tools for managing EC2 instances at scale, including:
    - Session Manager: Shell access through the console or CLI without inbound ports or SSH keys, so there are no keys to distribute or rotate.
    - Fleet Manager: Browser-based RDP access to Windows instances.
    - Distributor: Automates package installation across instances.
    - Inventory: Collects data on installed packages across instances.
    - Patch Manager: Manages patching across accounts; Systems Manager Explorer aggregates the patch data for organization-wide visibility of patched versus unpatched instances.
    - Quick Setup: Simplifies enabling Systems Manager features such as regular agent updates and inventory collection.
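The AWS Config point above is the one most people want to copy: run an advanced query against the organization aggregator and see which accounts own the offending resources. The block below is an added example, not code shown in the talk. It assumes an aggregator named "org-aggregator" (hypothetical), that the caller has config:SelectAggregateResourceConfig, and that the attribute paths (configuration.publiclyAccessible, configuration.storageEncrypted, configuration.publicIpAddress) match the configuration item schema of each resource type; confirm both the paths and operator support in the console query editor before relying on them. The sample rows are constructed to mirror the API's result shape so the summary logic runs offline.

```python
"""Run AWS Config advanced queries org-wide and summarize findings per account.

Added example, not from the re:Inforce talk. Assumptions (hypothetical):
aggregator name "org-aggregator"; attribute paths per the configuration item
schema of each resource type; IAM rights for config:SelectAggregateResourceConfig.
"""
import json
from collections import defaultdict

# Advanced-query expressions, keyed by what they detect. The attribute paths
# are assumptions drawn from the configuration item schema; verify them in
# the console query editor for your own items.
QUERIES = {
    "rds_publicly_accessible": """
        SELECT accountId, awsRegion, resourceId
        WHERE resourceType = 'AWS::RDS::DBInstance'
          AND configuration.publiclyAccessible = true
    """,
    "rds_unencrypted": """
        SELECT accountId, awsRegion, resourceId
        WHERE resourceType = 'AWS::RDS::DBInstance'
          AND configuration.storageEncrypted = false
    """,
    "ec2_with_public_ip": """
        SELECT accountId, awsRegion, resourceId, configuration.publicIpAddress
        WHERE resourceType = 'AWS::EC2::Instance'
          AND configuration.publicIpAddress IS NOT NULL
    """,
}


def parse_rows(results):
    """Each entry in the API's 'Results' list is a JSON string for one resource."""
    return [json.loads(r) for r in results]


def run_aggregate_query(expression, aggregator_name="org-aggregator", region="us-east-1"):
    """Page through select_aggregate_resource_config and return decoded rows.

    Needs AWS credentials; not exercised offline, which is why boto3 is imported
    here rather than at module level.
    """
    import boto3
    client = boto3.client("config", region_name=region)
    rows, token = [], None
    while True:
        kwargs = {
            "Expression": expression,
            "ConfigurationAggregatorName": aggregator_name,
            "Limit": 100,  # API maximum page size
        }
        if token:
            kwargs["NextToken"] = token
        resp = client.select_aggregate_resource_config(**kwargs)
        rows.extend(parse_rows(resp.get("Results", [])))
        token = resp.get("NextToken")
        if not token:
            return rows


def summarize_by_account(rows):
    """Count findings per account, noisiest account first, then by account id."""
    counts = defaultdict(int)
    for row in rows:
        counts[row["accountId"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample rows in the shape select_aggregate_resource_config returns
# (a list of JSON strings). Account ids and resource ids are made up.
SAMPLE_RESULTS = [
    json.dumps({"accountId": "111111111111", "awsRegion": "us-east-1",
                "resourceId": "db-prod-orders", "configuration": {"publiclyAccessible": True}}),
    json.dumps({"accountId": "222222222222", "awsRegion": "eu-west-1",
                "resourceId": "db-sandbox-1", "configuration": {"publiclyAccessible": True}}),
    json.dumps({"accountId": "222222222222", "awsRegion": "eu-west-1",
                "resourceId": "db-sandbox-2", "configuration": {"publiclyAccessible": True}}),
]


if __name__ == "__main__":
    # Offline demo on the constructed rows. With credentials, replace with:
    # rows = run_aggregate_query(QUERIES["rds_publicly_accessible"])
    rows = parse_rows(SAMPLE_RESULTS)
    for account_id, count in summarize_by_account(rows):
        print(f"{account_id}: {count} publicly accessible RDS instance(s)")
```

Ranking by account matters in a few-hundred-account organization: the sandbox accounts the talk describes tend to dominate the findings, and the per-account view is what tells you whether to fix a resource or tighten the controls on an OU.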
Quotes:
- "Many companies choose to use separate AWS accounts to have dev, stage, prod environments and some of them go with cases like have an account per microservice."
- "AWS Organizations... does the consolidated billing so that in Organizations, we would see all of the cost of each and every one of the accounts that we have."
- "IAM Identity Center... would allow us to create and manage groups, users, integrations with third party single sign-on providers as well."
- "AWS Control Tower streamlines and helps us to manage this multi-account structure for us."
- "Security Hub can be enabled for a whole organization... you have one single central place that you can enable controls across the whole organization."
- "GuardDuty is the intelligent threat detection service, like IDS system that AWS has."
- "AWS Config advanced queries... you can now very easily scan for public databases, not encrypted DynamoDBs."
- "The Session Manager eliminates the need for you to handle SSH keys. You no longer need an SSH key to log into your instance."
- "Patch Manager... shows you your posture in terms of patched instances or actually not patched instances."