AWS account Hierarchy


When we start with Control Tower, 2 accounts within the Security OU, i.e. the Log Archive and Audit accounts, are created. On this structure I have a few questions:

  1. I read that detective guardrails are implemented by AWS Config. But why can't I see those under the Config rules of the AWS Config service?

  2. I understand that the Audit account has the power to access other accounts programmatically. I thought this is the reason why security services like Security Hub, AWS Config and other security-related services are hosted here. But in my project, security services are hosted in a separate account rather than the Audit account. If so, what is the purpose of the Audit account? Also, is it necessary for the account which holds the centralized AWS Config aggregator, Security Hub etc. to have programmatic access to other accounts?

  3. By default, does the Log Archive account just collect CloudTrail logs from all other accounts? Under AWS best practices, I see that the Audit account holds all the security services and also acts as an AWS Config aggregator. At the same time, all logging (including DNS, VPC etc.) happens under the Log Archive account. If so, do we need to explicitly send aggregator logs in the Audit account to the centralized S3 bucket under the Archive account?

1 answer

AWS Control Tower Guardrails and AWS Config Rules: Control Tower uses AWS Config for guardrails, but they don't show up as regular AWS Config rules. They are managed by Control Tower itself.

Purpose of the Audit Account: The Audit Account is used to grant read-only access for auditing purposes. Security services can be hosted in a separate account, and the Audit Account can be granted read-only access to them.

Programmatic Access for Security Services Account: Yes, the account hosting centralized security services like AWS Config Aggregator and Security Hub should have programmatic access to other accounts to collect and analyze data.

Log Archive Account: By default, the Log Archive Account collects CloudTrail logs. If you want to centralize other logs like DNS or VPC logs, you need to set up forwarding from the Audit Account to the Log Archive Account. This ensures that all logs are in one place for analysis and long-term storage.

Expert
answered a year ago
AWS
Expert
reviewed a year ago
  • On your last point: if the Audit account is hosting the AWS Config aggregator but I still want to centralize AWS Config logs to S3 in the Archive account, is it possible to send Config aggregator logs to S3 in another account?
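As an added example (not part of this thread or of any AWS tooling) for the answer's last point and the follow-up comment about centralizing AWS Config data in an S3 bucket in the Log Archive account: each member account's Config delivery channel points at that bucket, so the bucket policy must let the config.amazonaws.com service principal write on behalf of each expected member account and no others. The check below parses such a bucket policy offline and reports member accounts that are not covered, statements with no AWS:SourceAccount restriction, and PutObject grants without the bucket-owner-full-control ACL condition; the bucket name and account IDs are constructed placeholders.

```python
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def audit_config_bucket_policy(policy_json, expected_accounts):
    """Return (covered_accounts, findings): which expected member accounts may deliver, and gaps."""
    covered, findings = set(), []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if principal == "*" or principal.get("AWS") == "*":
            findings.append(f"statement {i}: Allow for anonymous principal")
            continue
        if CONFIG_PRINCIPAL not in _as_list(principal.get("Service", [])):
            continue  # not an AWS Config delivery statement
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        sources = _as_list(equals.get("AWS:SourceAccount", []))
        if not sources:  # any account's Config could write into this bucket
            findings.append(f"statement {i}: no AWS:SourceAccount condition")
        for acct in sources:
            if acct in expected_accounts:
                covered.add(acct)
            else:
                findings.append(f"statement {i}: unexpected source account {acct}")
        if "s3:PutObject" in _as_list(stmt.get("Action", [])) and \
                equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"statement {i}: PutObject without bucket-owner-full-control")
    for acct in sorted(set(expected_accounts) - covered):
        findings.append(f"account {acct} cannot deliver Config data to this bucket")
    return covered, findings

# Constructed sample: Log Archive bucket policy in the shape AWS Config documents, two member accounts (placeholder IDs).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CONFIG_PRINCIPAL},
     "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-log-archive-config",
     "Condition": {"StringEquals": {"AWS:SourceAccount": ["111111111111", "222222222222"]}}},
    {"Effect": "Allow", "Principal": {"Service": CONFIG_PRINCIPAL},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-log-archive-config/AWSLogs/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                    "AWS:SourceAccount": ["111111111111", "222222222222"]}}}]})
# Constructed: a third member account that was never added to the policy.
EXPECTED_ACCOUNTS = {"111111111111", "222222222222", "333333333333"}
```

Running `audit_config_bucket_policy(SAMPLE_POLICY, EXPECTED_ACCOUNTS)` reports the third account as unable to deliver, which is the gap to close before its Config delivery channel is pointed at the central bucket.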
