Another day, another re:Invent session! This time I listened to Stephen Schmidt’s session, “AWS Security: Where we’ve been, where we’re going.” Besides covering the highlights of AWS security during 2020, the session discussed a number of newly added AWS features and services, including AWS Audit Manager, Cloud Audit Academy and AWS Network Firewall. Stephen also highlighted the 10 places your security group should focus its resources.
In this post, I want to talk about the tactical areas (points 1-7 of the above screenshot taken from Stephen’s session) in a little more detail and the resources where you can learn more about them.
1. Use AWS Organizations
As organizations begin to expand with multiple accounts, it will become increasingly difficult to manage them as separate entities. The more accounts you have, the more distributed your environment becomes, and the associated security risks and exposures increase and multiply.
However, AWS Organizations can provide a means of centrally managing and categorizing multiple AWS accounts that you own, bringing them together into a single organization, which helps to maintain your AWS environment from a security, compliance, and account management perspective.
The primary benefit of AWS Organizations is its ability to centrally manage multiple accounts from a single AWS account, known as the master account. You can start by inviting your existing accounts to an organization and then create new accounts directly from the master account.
Using service control policies (SCPs), you can secure your AWS Organization. SCPs differ from identity-based and resource-based policies, which grant permissions to users, groups, and roles: an SCP does not grant any permission itself. Instead, the restrictions made within an SCP set a boundary on the permissions that are available to the AWS accounts it is attached to, regardless of what identity-based policies in those accounts allow.
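To make the boundary behaviour concrete, here is an added Python sketch (not from the post, nor AWS code) of the simplified evaluation rule: an action is effectively permitted only when the identity-based policy grants it and the SCP permits it, and an SCP alone never grants anything. The policies, action names and the choice to deny RDS are constructed for illustration; resources and conditions are ignored.

```python
from fnmatch import fnmatchcase

# Constructed identity-based policy: the user has full access to S3, RDS and EC2.
IDENTITY_POLICY = [
    {"Effect": "Allow", "Action": ["s3:*", "rds:*", "ec2:*"]},
]

# Constructed SCP attached to the account: permits everything except RDS.
SCP = [
    {"Effect": "Allow", "Action": ["*"]},
    {"Effect": "Deny", "Action": ["rds:*"]},
]


def _matches(action, patterns):
    """True if the action string matches any IAM-style wildcard pattern."""
    return any(fnmatchcase(action, p) for p in patterns)


def policy_allows(statements, action):
    """Simplified IAM evaluation (assumption: no Resource/Condition elements):
    an explicit Deny always wins; otherwise at least one Allow must match."""
    allowed = False
    for statement in statements:
        if _matches(action, statement["Action"]):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(identity_statements, scp_statements, action):
    """The SCP is a boundary, not a grant: the action is permitted only if
    BOTH the identity policy grants it AND the SCP permits it."""
    return policy_allows(identity_statements, action) and policy_allows(
        scp_statements, action
    )


if __name__ == "__main__":
    for act in ["s3:GetObject", "ec2:RunInstances", "rds:CreateDBInstance", "iam:CreateUser"]:
        print(f"{act:22} effective={effective_allow(IDENTITY_POLICY, SCP, act)}")
```

Note that `iam:CreateUser` is permitted by the SCP yet still denied overall, because nothing in the identity policy grants it.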
For example, let’s say a user within an AWS account had full access to S3, RDS, and EC2 via an identity-based policy. If the SCP associated with that AWS account