AWS account Hierarchy


When we start with Control Tower, two accounts within the Security OU, i.e. the Log Archive and Audit accounts, are created. On this structure I have a few questions:

  1. I read that detective guardrails are implemented by AWS Config. But why can't I see those under the Config rules of the AWS Config service?

  2. I understand that the Audit account has the power to access other accounts programmatically. I thought this was the reason why security services like Security Hub, AWS Config and other security-related services are hosted there. But in my project, security services are hosted in a separate account rather than the Audit account. If so, what is the purpose of the Audit account? Also, is it necessary for the account which holds the centralized AWS Config aggregator, Security Hub etc. to have programmatic access to other accounts?

  3. By default, does the Log Archive account just collect CloudTrail logs from all other accounts? Under AWS best practices, I see that the Audit account holds all the security services and also acts as the AWS Config aggregator. At the same time, all logging (including DNS, VPC etc.) happens under the Log Archive account. If so, do we need to explicitly send aggregator logs in the Audit account to the centralized S3 bucket under the Log Archive account?

1 Answer

AWS Control Tower Guardrails and AWS Config Rules: Control Tower uses AWS Config for guardrails, but they don't show up as regular AWS Config rules. They are managed by Control Tower itself.

Purpose of the Audit Account: The Audit Account is used to grant read-only access for auditing purposes. Security services can be hosted in a separate account, and the Audit Account can be granted read-only access to them.

Programmatic Access for Security Services Account: Yes, the account hosting centralized security services like AWS Config Aggregator and Security Hub should have programmatic access to other accounts to collect and analyze data.

Log Archive Account: By default, the Log Archive Account collects CloudTrail logs. If you want to centralize other logs like DNS or VPC logs, you need to set up forwarding from the Audit Account to the Log Archive Account. This ensures that all logs are in one place for analysis and long-term storage.

EXPERT
answered a year ago
AWS
EXPERT
verified a year ago
  • On your last point, if the Audit account is hosting the AWS Config aggregator but I still want to centralize AWS Config logs to S3 in the Log Archive account, is it possible to send Config aggregator logs to S3 in another account?
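The bucket-policy pattern behind the comment's cross-account question, as an added example (not the answerer's code and not an AWS-published file): a small Python helper that builds the policy a Log Archive bucket needs so that AWS Config in each member account can deliver its configuration snapshots and history there, plus an audit function that reads back which accounts a policy actually admits. The bucket name and the 12-digit account IDs are constructed placeholders; the statement Sids and the `AWS:SourceAccount` / `s3:x-amz-acl` conditions follow the documented AWS Config delivery-channel bucket permissions.

```python
import json

CONFIG_SERVICE = "config.amazonaws.com"


def config_delivery_bucket_policy(bucket, account_ids, prefix=None):
    """Build the Log Archive bucket policy that lets AWS Config in each
    listed member account write under AWSLogs/<account-id>/Config/.

    The principal is the Config service itself; AWS:SourceAccount pins each
    call to one of the expected member accounts so no other account's Config
    can use the bucket (confused-deputy protection).
    """
    account_ids = sorted(set(account_ids))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_root = f"{bucket_arn}/{prefix}/AWSLogs" if prefix else f"{bucket_arn}/AWSLogs"
    source_account = {"AWS:SourceAccount": account_ids}

    statements = [
        {   # Config checks the bucket ACL before configuring the delivery channel
            "Sid": "AWSConfigBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {"Service": CONFIG_SERVICE},
            "Action": "s3:GetBucketAcl",
            "Resource": bucket_arn,
            "Condition": {"StringEquals": source_account},
        },
        {   # Config verifies the bucket exists
            "Sid": "AWSConfigBucketExistenceCheck",
            "Effect": "Allow",
            "Principal": {"Service": CONFIG_SERVICE},
            "Action": "s3:ListBucket",
            "Resource": bucket_arn,
            "Condition": {"StringEquals": source_account},
        },
        {   # Each account may only write into its own AWSLogs/<id>/Config/ path,
            # and must hand object ownership to the bucket owner
            "Sid": "AWSConfigBucketDelivery",
            "Effect": "Allow",
            "Principal": {"Service": CONFIG_SERVICE},
            "Action": "s3:PutObject",
            "Resource": [f"{key_root}/{acct}/Config/*" for acct in account_ids],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    **source_account,
                }
            },
        },
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def accounts_allowed_to_deliver(policy):
    """Audit helper: return the set of account IDs that the policy lets
    config.amazonaws.com use for s3:PutObject. Statements with a wildcard
    principal or without an AWS:SourceAccount condition are reported as '*'
    so an over-broad policy is visible at a glance."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:PutObject" not in actions and "s3:*" not in actions:
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            allowed.add("*")
            continue
        if principal.get("Service") != CONFIG_SERVICE:
            continue
        src = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceAccount")
        if src is None:
            allowed.add("*")
        else:
            allowed.update([src] if isinstance(src, str) else src)
    return allowed


if __name__ == "__main__":
    # Constructed sample: two member accounts delivering into one archive bucket
    policy = config_delivery_bucket_policy(
        "log-archive-config-bucket-example", ["111111111111", "222222222222"]
    )
    print(json.dumps(policy, indent=2))
    print("accounts admitted:", sorted(accounts_allowed_to_deliver(policy)))
```

Note that the aggregator in the Audit account only reads configuration data; the objects in the archive bucket are written by each member account's own Config delivery channel, so the policy grants to those member accounts rather than to the aggregator account, and each member account's delivery channel must be pointed at the central bucket.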
