Ensure all accounts in our organisation are watched #173

Open
katebee opened this issue Jan 12, 2021 · 1 comment

Comments

katebee commented Jan 12, 2021

As a member of the InfoSec team, I want a single place I can review the security findings of AWS Trusted Advisor across all GNM AWS accounts.

All teams should be able to access Security HQ and see the same information as the InfoSec team and gain insights into best practices and what corrective actions they can take. Anyone seeing an issue should feel empowered and confident to fix the issue, including those less familiar with AWS.

Alternative solutions

It is possible to download the Trusted Advisor report for an AWS organisation. However, this is only possible via the AWS organisation administrator account and only provides a rather raw and verbose CSV. This means the reports are not easy to disseminate and someone needs to analyse each one to identify and communicate the required security remediations.

Challenges to solve

Failed StackSet creation

Some stacks fail to create due to the account not having access to the S3 bucket where the lambda artefact is stored. Missing accounts will need to be added to the list of accounts with access. Alternatively, the bucket permissions could be changed to use the new PrincipalOrgID condition key.

AWS API rate limiting

Increasing the number of accounts in Security HQ may mean we are rate limited more frequently, or cannot collect for all accounts on each refresh of the data. I am comfortable with sacrificing frequency for coverage (all accounts) and happy to discuss crawl options.

Bonus

Security HQ was our first adventure into StackSets and pre-dates the ability to deploy a stackset to an OU or org-wide.
I wrote a Digital blog post in December 2019 if you are curious about the history of SHQ and our use of StackSets.

Switching to using an org-wide StackSet for the watched-account role would ensure that any new accounts are automatically added to the StackSet.
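The PrincipalOrgID approach mentioned under "Failed StackSet creation", shown as an added example S3 bucket policy (not code from this issue or the Security HQ project): instead of enumerating account IDs in the Principal element, one statement grants read access to the lambda artefacts to every principal in the organisation; the bucket name and organisation ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowArtefactReadFromAnyAccountInOrg",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-ARTEFACT-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        }
      }
    }
  ]
}
```

Although the Principal is "*", the condition only matches requests signed by an IAM principal whose account belongs to the organisation; anonymous requests carry no aws:PrincipalOrgID key, so the StringEquals test fails and they are denied. New accounts joining the organisation get access without any further change to the policy, which is the same property the org-wide StackSet gives the watched-account role.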


katebee commented Jan 21, 2021

I added all accounts that were part of our AWS organisation on 15/01/21 and redeployed Security HQ so that it would pick up the changes to the configuration.

We are getting intermittent AWS API rate limits on some accounts for the Credentials reports; the number of accounts affected varies.
