Configuring Config , Guardduty , Security hub , cloudtrail on AFT provisioned Accounts

AWS Control Tower Account Factory for Terraform (AFT) is used to automate the setup and governance of AWS accounts. To configure AWS Security Hub, AWS CloudTrail, Amazon GuardDuty, and AWS Config across accounts provisioned by AFT, you should:

1. Define AFT Configurations: AFT allows you to define configurations for resources to be deployed in provisioned accounts. You would define configurations for Security Hub, CloudTrail, GuardDuty, and AWS Config as part of the account setup process.

2. Use AWS Service Catalog: AFT leverages the AWS Service Catalog to create and manage catalogs of IT services that are approved for use on AWS. You can include the setup of these services in your service catalog.

3. Implement AWS Organizations: Use AWS Organizations service control policies (SCPs) to enforce the activation of these services in all your accounts.

4. Automate with Terraform: AFT uses Terraform, so you should write Terraform scripts to automate the deployment of Security Hub, CloudTrail, GuardDuty, and Config. You can create a Terraform module for each service with the desired configuration.

5. Centralize Monitoring: Design your setup to report to a central monitoring account (e.g., a security or logging account) where all findings and logs can be aggregated and reviewed.

6. Cross-Account Permissions: Set up the necessary cross-account permissions so that your central account can access the data from these services in all other accounts.

7. Continuous Compliance Checks: Use AWS Config to assess, audit, and evaluate the configurations of your AWS resources. Define AWS Config rules as code in your Terraform scripts.

8. GuardDuty and Security Hub: Enable GuardDuty and Security Hub to centralize threat detection and security checks. Use the built-in integrations to feed findings from GuardDuty into Security Hub for a consolidated view.