Stax's Account Assurance process applies security controls to all AWS accounts within your AWS organization.
The Account Assurance process applies hardening to minimize security risks and vulnerabilities within your AWS accounts.
A central part of Account Assurance is ensuring AWS accounts align to the CIS AWS Foundation Benchmark and the AWS Well-Architected Framework.
How We Do It
There are 6 AWS services used as part of Account Assurance:
- AWS CloudTrail
- AWS Config
- Amazon CloudWatch
- Amazon GuardDuty
- AWS Systems Manager
- Service Control Policies
If you are onboarding external AWS accounts to Stax, any existing configurations for the above-mentioned AWS services will be reconfigured to align with Stax controls. This ensures your resources operate in accordance with the CIS AWS Foundations Benchmark and the AWS Well-Architected Framework.
AWS CloudTrail
AWS CloudTrail is a service that logs all API activity within your account. It provides an audit trail for all user activity within the AWS Console, AWS SDKs, and AWS CLI. All CloudTrail logs are stored in your Logging account.
As part of Account Assurance, the below CloudTrail settings are configured:
- CloudTrail is enabled in all regions
- CloudTrail logs are sent to your Logging account
- CloudTrail log validation is enabled
- CloudTrail log storage is not publicly accessible
- CloudTrail logs are encrypted at rest
AWS Config
AWS Config records the configuration of your AWS resources and tracks changes to that configuration over time. As part of Account Assurance, the below Config settings are configured:
- Config is enabled in all regions
- Config logs are sent to your Logging account
- Config log storage is not publicly accessible
- Config logs are encrypted at rest
Amazon CloudWatch
Amazon CloudWatch captures the metric data of resources and enables configuration of alarms against these metrics.
As part of Account Assurance, the below metric data is captured and monitored:
- Unauthorized API calls
- AWS Management Console authentication failures
- Disabling or deleting customer-created CMKs
- S3 bucket policy changes
- Security Group changes
- Network Access Control List changes
- Network Gateway changes
- Route Table changes
- VPC changes
- IAM policy changes
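The CloudWatch alarms above are driven by CloudWatch Logs metric filters over the CloudTrail log group. The following is an added example, not Stax code: it pairs the CIS AWS Foundations Benchmark filter patterns for four of the monitored events with equivalent Python predicates and runs them over constructed sample CloudTrail records, so you can see offline which records would increment each metric. The S3 pattern is abbreviated to three of the events the benchmark lists.

```python
# CIS-style CloudWatch Logs metric filter patterns (the strings) with the same
# logic as Python predicates, so the rules can be exercised without AWS access.
RULES = {
    "UnauthorizedAPICalls": (
        '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
        lambda e: e.get("errorCode", "").endswith("UnauthorizedOperation")
        or e.get("errorCode", "").startswith("AccessDenied"),
    ),
    "ConsoleSignInFailures": (
        '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }',
        lambda e: e.get("eventName") == "ConsoleLogin"
        and e.get("errorMessage") == "Failed authentication",
    ),
    "DisableOrDeleteCMK": (
        '{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }',
        lambda e: e.get("eventSource") == "kms.amazonaws.com"
        and e.get("eventName") in ("DisableKey", "ScheduleKeyDeletion"),
    ),
    # Abbreviated: the benchmark pattern also covers CORS, lifecycle and replication changes.
    "S3BucketPolicyChanges": (
        '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = DeleteBucketPolicy)) }',
        lambda e: e.get("eventSource") == "s3.amazonaws.com"
        and e.get("eventName") in ("PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy"),
    ),
}

def matching_rules(event):
    """Names of every rule whose metric filter would count this CloudTrail record."""
    return [name for name, (_, match) in RULES.items() if match(event)]

def scan(records):
    """Tally metric hits per rule over an iterable of CloudTrail records (dicts)."""
    hits = {name: 0 for name in RULES}
    for event in records:
        for name in matching_rules(event):
            hits[name] += 1
    return hits

# Constructed sample records (not real logs); only the fields the rules read are present.
SAMPLE = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "errorMessage": "Failed authentication"},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy"},  # read-only, no alarm
]

if __name__ == "__main__":
    for rule, count in scan(SAMPLE).items():
        print(f"{rule}: {count} hit(s)  filter: {RULES[rule][0]}")
```

The pattern strings are what you would pass to `aws logs put-metric-filter --filter-pattern` on the CloudTrail log group; an alarm on the resulting metric with a threshold of 1 completes the control.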
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that monitors for malicious or unauthorized behavior within your AWS accounts. It also detects compromised AWS resources.
Stax enables GuardDuty in all your AWS accounts, with your Security Account acting as the GuardDuty master. All GuardDuty events created within your accounts will be sent to the GuardDuty master.
If you are onboarding external AWS accounts to Stax, any existing GuardDuty resources will need to be removed to enable Stax controls to be applied. Stax will work with you to minimize the impact to your existing configuration.
AWS IAM Access Analyzer
AWS IAM Access Analyzer scans the policies of your AWS resources and identifies if they are being shared with an external identity. Types of external identities include another AWS account, a root user, an IAM user or an AWS service.
The AWS IAM Access Analyzer service is enabled at the AWS Organization level. This means that it is configured within every region of every account in your AWS Organization. As part of this configuration, all IAM Access Analyzer findings are delivered to the StaxTrail S3 bucket in your logging account.
In addition, an AWS service-linked role is created within each account so that AWS IAM Access Analyzer can analyze your resources. The role is named AWSServiceRoleForAccessAnalyzer.
AWS Systems Manager
AWS Systems Manager is an AWS service that you can use to view and control your infrastructure on AWS. Session Manager is a feature of AWS Systems Manager which allows you to manage instances through a browser-based shell or via the AWS CLI. Stax enables auditing and logging of session activity within Session Manager as part of Account Assurance. All logs are sent to an S3 bucket in your Logging account.
Service Control Policies
Service Control Policies (SCPs) govern which services users can access and the actions they can perform by setting the maximum permissions available to principals in an account; they do not grant permissions themselves. SCPs function at the AWS Organization entity level (root, organizational unit, or account).
Within Stax, SCPs called Policies are applied to your Stax Organization and Account Types. Stax Policies protect Stax-provisioned resources and configurations that provide critical security services and controls. All SCPs applied by Stax are visible in the customer console under the Policies sub-menu in the left-hand navigation pane.
You can create and apply your own Policies in addition to the mandatory controls Stax applies by default. Some examples of mandatory Policies set up by Stax include:
- Disallow modification of AWS Config
- Disallow modification of AWS GuardDuty
- Disallow modification of Stax AWS CloudTrail logs
- Disallow modifications of Stax CloudFormation Stacks
- Prevent removal of Stax CloudWatch alarms
- Disallow modifications of Stax Lambdas
- Prevent removal of Stax Identity Management Service resources
- Disallow policy changes of Stax SSM Session Manager configuration preferences
- Restrict the use of root credentials
To view the controls applied to your AWS Organization by Stax mandatory Policies, visit Policies in the Stax customer console.
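As an added illustration, not a Stax Policy, the block below shows the shape of an SCP in the style of "Disallow modification of AWS Config" and "Disallow modification of Stax AWS CloudTrail logs": a Deny on the tampering actions with an ArnNotLike condition that exempts the automation role that is allowed to manage those resources. The role ARN is a placeholder assumption. A small evaluator applies the statement offline so you can check which principals the policy blocks before attaching it.

```python
import fnmatch

# Placeholder for the role that legitimately manages logging resources (assumed name).
PROTECTED_ROLE = "arn:aws:iam::*:role/EXAMPLE-automation-role"

# Example SCP (constructed for illustration, not the policy Stax applies).
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLoggingTamper",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": PROTECTED_ROLE}},
        }
    ],
}

def _matches(patterns, value):
    """Case-insensitive wildcard match, as IAM treats actions and ARN patterns."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def scp_denies(scp, action, principal_arn):
    """True if a Deny statement blocks `action` for `principal_arn`.

    Models only what this SCP relies on: Action wildcards and ArnLike /
    ArnNotLike conditions on aws:PrincipalARN. SCPs never grant, so an
    action that no statement denies is simply not blocked by the SCP.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or not _matches(stmt["Action"], action):
            continue
        cond = stmt.get("Condition", {})
        if "ArnNotLike" in cond and _matches(cond["ArnNotLike"]["aws:PrincipalARN"], principal_arn):
            continue  # exempted principal, statement does not apply
        if "ArnLike" in cond and not _matches(cond["ArnLike"]["aws:PrincipalARN"], principal_arn):
            continue
        return True
    return False
```

Keep the exemption as narrow as a single role: an ArnNotLike on a broad pattern would silently reopen the control for every matching principal.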
Stax deploys, manages, and updates resources in your accounts via automated pipelines. This ensures that your security, audit, logging, and access controls are always up to date. Underpinning this automation is AWS CloudFormation. AWS CloudFormation stacks are deployed into all of your accounts, allowing Stax to apply the principles of infrastructure as code. These stacks deploy a number of serverless AWS services into your accounts, including AWS Lambda, Amazon SNS, and Amazon Route 53. These services help ensure that your Stax experience is seamless and consistent.