AWS account hierarchy


When we start with Control Tower, two accounts within the Security OU, i.e. the Log Archive and Audit accounts, are created. On this structure I have a few questions:

  1. I read that detective guardrails are implemented by AWS Config. But why can't I see those under the Config rules of the AWS Config service?

  2. I understand that the Audit account has the power to access other accounts programmatically. I thought this is the reason why security services like Security Hub, AWS Config and other security-related services are hosted there. But in my project, security services are hosted in a separate account rather than the Audit account. If so, what is the purpose of the Audit account? Also, is it necessary for the account which holds the centralized AWS Config aggregator, Security Hub etc. to have programmatic access to other accounts?

  3. By default, does the Log Archive account just collect CloudTrail logs from all other accounts? Under AWS best practices, I see that the Audit account holds all the security services and also acts as the AWS Config aggregator. At the same time, all logging (including DNS, VPC etc.) happens under the Log Archive account. If so, do we need to explicitly send aggregator logs in the Audit account to the centralized S3 bucket under the Log Archive account?

1 Answer

AWS Control Tower Guardrails and AWS Config Rules: Control Tower uses AWS Config for guardrails, but they don't show up as regular AWS Config rules. They are managed by Control Tower itself.

Purpose of the Audit Account: The Audit Account is used to grant read-only access for auditing purposes. Security services can be hosted in a separate account, and the Audit Account can be granted read-only access to them.

Programmatic Access for Security Services Account: Yes, the account hosting centralized security services like AWS Config Aggregator and Security Hub should have programmatic access to other accounts to collect and analyze data.

Log Archive Account: By default, the Log Archive Account collects CloudTrail logs. If you want to centralize other logs like DNS or VPC logs, you need to set up forwarding from the Audit Account to the Log Archive Account. This ensures that all logs are in one place for analysis and long-term storage.

EXPERT, answered a year ago
AWS EXPERT, reviewed a year ago
  • On your last point, if the Audit account is hosting the AWS Config aggregator but I still want to centralize AWS Config logs to S3 in the Log Archive account, is it possible to send Config aggregator logs to S3 in another account?
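
The forwarding the answer describes for AWS Config is done per account, not by the aggregator: an aggregator only collects configuration and compliance data for viewing, while each source account's Config delivery channel writes its snapshots and history to an S3 bucket, which can live in the Log Archive account if that bucket's policy allows `config.amazonaws.com` from the listed source accounts. The following is an added example, not code from the question or the answer above. It generates the Log Archive bucket policy for that cross-account delivery (the three statements the AWS Config documentation requires for a delivery-channel bucket: GetBucketAcl, ListBucket and PutObject, each restricted with `AWS:SourceAccount` and the PutObject grant scoped to `AWSLogs/<account>/Config/*`) and includes a review function that flags the over-broad variants of that policy. The bucket name and account IDs are constructed placeholders; only the Python standard library is used.

```python
import json
import re

# Constructed placeholders: a Log Archive bucket and two source accounts
# (e.g. the Audit account and one workload account). Not real identifiers.
LOG_ARCHIVE_BUCKET = "example-log-archive-bucket"
SOURCE_ACCOUNTS = ["111111111111", "222222222222"]
CONFIG_SERVICE = "config.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _config_statement(sid, action, resource, accounts, extra_cond=None):
    """One Allow statement for the AWS Config service principal, restricted to
    the given source accounts (Config running in any other account is denied)."""
    cond = {"AWS:SourceAccount": accounts, **(extra_cond or {})}
    return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": CONFIG_SERVICE},
            "Action": action, "Resource": resource, "Condition": {"StringEquals": cond}}


def config_delivery_bucket_policy(bucket, source_accounts):
    """Bucket policy for the Log Archive bucket: each listed account's Config
    may check the bucket and write only under its own AWSLogs/<account>/Config/
    prefix, handing object ownership to the bucket owner."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    accounts = sorted(set(source_accounts))
    return {"Version": "2012-10-17", "Statement": [
        _config_statement("AWSConfigBucketPermissionsCheck", "s3:GetBucketAcl", bucket_arn, accounts),
        _config_statement("AWSConfigBucketExistenceCheck", "s3:ListBucket", bucket_arn, accounts),
        _config_statement("AWSConfigBucketDelivery", "s3:PutObject",
                          [f"{bucket_arn}/AWSLogs/{a}/Config/*" for a in accounts], accounts,
                          {"s3:x-amz-acl": "bucket-owner-full-control"}),
    ]}


_CONFIG_PREFIX = re.compile(r"arn:aws:s3:::[^/]+/AWSLogs/(\d{12})/Config/\*")


def audit_config_bucket_policy(policy, expected_accounts):
    """Review a bucket policy and return findings for grants to AWS Config that
    are broader than the per-account delivery pattern above."""
    expected = set(expected_accounts)
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if st.get("Effect") != "Allow":
            continue
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: allows any principal")
            continue
        if not isinstance(principal, dict) or principal.get("Service") != CONFIG_SERVICE:
            continue  # not a Config grant; other statements are out of scope here
        cond = st.get("Condition", {}).get("StringEquals", {})
        sources = set(_as_list(cond.get("AWS:SourceAccount")))
        if not sources:
            findings.append(f"{sid}: missing AWS:SourceAccount condition, so Config in any account could use this grant")
        elif not sources <= expected:
            findings.append(f"{sid}: unexpected source accounts {sorted(sources - expected)}")
        if "s3:PutObject" in _as_list(st.get("Action")):
            if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject without s3:x-amz-acl=bucket-owner-full-control")
            for res in _as_list(st.get("Resource")):
                m = _CONFIG_PREFIX.fullmatch(res)
                if m is None:
                    findings.append(f"{sid}: PutObject resource {res} is not scoped to AWSLogs/<account>/Config/*")
                elif m.group(1) not in sources:
                    findings.append(f"{sid}: prefix for {m.group(1)} is writable but that account is not in AWS:SourceAccount")
    return findings


# Constructed example of an over-broad variant: PutObject on the whole bucket
# and no AWS:SourceAccount condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSConfigBucketDelivery",
        "Effect": "Allow",
        "Principal": {"Service": CONFIG_SERVICE},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{LOG_ARCHIVE_BUCKET}/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }],
}

if __name__ == "__main__":
    policy = config_delivery_bucket_policy(LOG_ARCHIVE_BUCKET, SOURCE_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("generated policy findings:", audit_config_bucket_policy(policy, SOURCE_ACCOUNTS))
    print("weak policy findings:", audit_config_bucket_policy(WEAK_POLICY, SOURCE_ACCOUNTS))
```

The member-account half is the delivery channel itself: in each source account (the Audit account included) the Config delivery channel's `s3BucketName` points at the Log Archive bucket, for instance via boto3's `put_delivery_channel(DeliveryChannel={...})`. Every account keeps writing only under its own `AWSLogs/<account>/Config/` prefix, so a compromised or misconfigured account cannot overwrite another account's history, and the review function above is the check to run whenever the bucket policy is edited.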
