The approach covered in this pattern is suitable for customers who have multiple Amazon Web Services (AWS) accounts with AWS Organizations and are now encountering challenges when using AWS Control Tower, a landing zone, or account vending machine services to set up baseline guardrails in their accounts.
This pattern demonstrates the use of a streamlined multiple-account architecture to set up centralized logging and standardized security controls in a well-structured manner. With the help of AWS CloudFormation templates, AWS CodePipeline, and automation scripts, this setup is deployed in all accounts that belong to an organization.
The multiple-account architecture includes the following accounts:
Centralized logging account – The account where all the virtual private cloud (VPC) flows logs, AWS CloudTrail logs, the AWS Config log, and all the logs of Amazon CloudWatch Logs (using subscriptions) from all the other accounts are stored.
Parent security account– The account to serve as the parent account for the following security services that manage across multiple accounts.
Amazon GuardDuty
AWS Security Hub
Amazon Macie
Amazon Detective
Child accounts – The other accounts in the organization. These accounts store all the useful logs in the centralized logging account. The child accounts join the parent security account as members for the security services.
After you launch the CloudFormation template (attached), it provisions three Amazon Simple Storage Service (Amazon S3) buckets in the centralized logging account. One bucket is used to store all AWS related logs (such as logs from VPC Flow Logs, CloudTrail, and AWS Config) from all the accounts. The second bucket is for storing the CloudFormation templates from all the accounts. The third bucket is for storing Amazon S3 access logs.
A separate CloudFormation template creates the pipeline that uses AWS CodeCommit. After the updated code is pushed to the CodeCommit repository, it takes care of launching resources and setting up security services in all the accounts. For more information about the file structure of the files that will be uploaded to the CodeCommit repository, see the README.md file (attached).
