Learn how Stax Account Assurance ensures the security of your accounts
Stax applies security controls to all AWS Accounts within your organization. This is termed 'Account Assurance' and involves the application of hardening controls which minimize security risks and vulnerabilities to AWS Accounts.
A central part of Account Assurance is ensuring AWS Accounts align to the CIS AWS Foundations Benchmark and the AWS Well-Architected Framework.
How We Do It
There are six AWS services (or AWS Organizations features) utilized as part of Account Assurance:
- AWS CloudTrail
- AWS Config
- Amazon CloudWatch
- Amazon GuardDuty
- AWS IAM Access Analyzer
- Service Control Policies (a feature of AWS Organizations)
If you are onboarding External AWS Accounts to Stax, any existing configurations for the above-mentioned AWS services will be reconfigured to align with Stax controls. This ensures your resources operate in accordance with the CIS AWS Foundations Benchmark and the AWS Well-Architected Framework.
AWS CloudTrail records the API calls made in your account, whether they originate from the AWS Management Console, the AWS SDKs, the AWS CLI or other AWS services, giving you an audit trail of who did what, when and from where. All CloudTrail logs are stored in your Logging Account.
As part of Account Assurance, the below CloudTrail settings are configured:
- CloudTrail is enabled in all regions (a multi-region trail, so activity in a region you do not normally use is still recorded)
- CloudTrail logs are sent to your Security Account
- CloudTrail log file validation is enabled, so deletion of or tampering with delivered log files can be detected
- The S3 bucket that stores CloudTrail logs is not publicly accessible
- CloudTrail logs are encrypted at rest
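The settings above map directly onto fields that the CloudTrail and S3 APIs return, so they can be checked mechanically. The following is an added example (not Stax code) that evaluates those API responses offline. It works on the plain dicts returned by `cloudtrail.describe_trails`, `cloudtrail.get_trail_status` and `s3.get_public_access_block`; the responses used here are constructed samples, with placeholder account IDs, bucket names and key IDs, and a `legacy-trail` standing in for the kind of pre-existing trail found when onboarding an external account.

```python
"""Offline check of CloudTrail trail settings against the Account Assurance list.

Added example, not Stax code. It evaluates the plain dicts returned by the
CloudTrail and S3 APIs, so the constructed samples below can be swapped for
boto3 output (describe_trails / get_trail_status / get_public_access_block).
"""
from typing import Dict, List

# Constructed sample responses; account IDs, names and key IDs are placeholders.
SAMPLE_TRAILS: List[Dict] = [
    {   # a trail that meets every setting in the list
        "Name": "assurance-trail",
        "TrailARN": "arn:aws:cloudtrail:ap-southeast-2:111111111111:trail/assurance-trail",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:ap-southeast-2:222222222222:key/00000000-0000-0000-0000-000000000000",
        "S3BucketName": "central-logging-bucket",
    },
    {   # a legacy trail of the kind found in an onboarded external account
        "Name": "legacy-trail",
        "TrailARN": "arn:aws:cloudtrail:ap-southeast-2:111111111111:trail/legacy-trail",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        # no KmsKeyId: objects are written with SSE-S3 rather than a KMS key
        "S3BucketName": "legacy-bucket",
    },
]
# get_trail_status responses keyed by trail name
SAMPLE_STATUS: Dict[str, Dict] = {
    "assurance-trail": {"IsLogging": True},
    "legacy-trail": {"IsLogging": False},
}
# get_public_access_block responses keyed by bucket name
SAMPLE_PAB: Dict[str, Dict] = {
    "central-logging-bucket": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "legacy-bucket": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": False,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def bucket_blocks_public_access(pab_response: Dict) -> bool:
    """All four S3 Block Public Access settings must be on for the log bucket."""
    cfg = pab_response.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)


def check_trail(trail: Dict, status: Dict, pab_response: Dict) -> List[str]:
    """Return the Account Assurance settings this trail fails (empty list = compliant)."""
    findings: List[str] = []
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail does not cover all regions")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is disabled")
    if not bucket_blocks_public_access(pab_response):
        findings.append("log bucket does not block public access")
    if not trail.get("KmsKeyId"):
        findings.append("logs are not encrypted with a KMS key")
    return findings


def check_account(trails: List[Dict], statuses: Dict[str, Dict], pabs: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map trail name -> findings, plus an account-level finding if no active multi-region trail exists."""
    report = {t["Name"]: check_trail(t, statuses[t["Name"]], pabs[t["S3BucketName"]]) for t in trails}
    if not any(t.get("IsMultiRegionTrail") and statuses[t["Name"]].get("IsLogging") for t in trails):
        report["<account>"] = ["no active multi-region trail"]
    return report


if __name__ == "__main__":
    for name, findings in check_account(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_PAB).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The account-level check matters because a compliant trail in one account does not help if a second, misconfigured trail is the only one actually logging; run it per account rather than per trail.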
AWS Config continuously records the configuration of your AWS resources and every change made to them, giving you a history you can audit against. As part of Account Assurance, AWS Config is enabled in all regions, and its configuration snapshots and history files are delivered to a central S3 bucket in the Logging Account for analysis and monitoring.
Amazon CloudWatch collects metric data from your resources and raises alarms when a metric crosses a threshold. The events below are API activity recorded by CloudTrail rather than native resource metrics; the standard way to monitor them, and the one the CIS AWS Foundations Benchmark specifies, is a CloudWatch Logs metric filter on the CloudTrail log group with an alarm on each filter.
As part of Account Assurance, the below events are captured as metrics and alarmed on:
- Unauthorized API calls
- AWS Management Console authentication failures
- Disabling or scheduling deletion of customer managed KMS keys (CMKs)
- S3 bucket policy changes
- Security Group changes
- Network Access Control List changes
- Network Gateway changes
- Route Table changes
- VPC changes
- IAM policy changes
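To make the list concrete, the following added example (not Stax code) replays constructed CloudTrail events through detection rules that mirror these metric filters. Each rule is a predicate over the CloudTrail record fields the real filters inspect (`eventSource`, `eventName`, `errorCode`, `errorMessage`); the `eventName` sets follow the CIS AWS Foundations Benchmark monitoring patterns, and the two filter pattern strings quoted in comments are the CIS ones. Account IDs and principal names in the sample events are placeholders.

```python
"""Replay sample CloudTrail events through rules equivalent to the metric filters above.

Added example, not Stax code. Rules are predicates over CloudTrail record fields;
the sample events are constructed, with placeholder account IDs and principals.
"""
import fnmatch
from typing import Callable, Dict, List, Set


def _event_in(source: str, names: Set[str]) -> Callable[[dict], bool]:
    """Rule factory: eventName in `names`, from `source` if one is given."""
    return lambda e: (not source or e.get("eventSource") == source) and e.get("eventName") in names


RULES: Dict[str, Callable[[dict], bool]] = {
    # CIS filter: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    "UnauthorizedAPICalls": lambda e: (fnmatch.fnmatchcase(e.get("errorCode", ""), "*UnauthorizedOperation")
                                       or fnmatch.fnmatchcase(e.get("errorCode", ""), "AccessDenied*")),
    # CIS filter: { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    "ConsoleSignInFailures": lambda e: (e.get("eventName") == "ConsoleLogin"
                                        and e.get("errorMessage") == "Failed authentication"),
    "CMKDisableOrDelete": _event_in("kms.amazonaws.com", {"DisableKey", "ScheduleKeyDeletion"}),
    "S3BucketPolicyChanges": _event_in("s3.amazonaws.com", {
        "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle", "PutBucketReplication",
        "DeleteBucketPolicy", "DeleteBucketCors", "DeleteBucketLifecycle", "DeleteBucketReplication"}),
    "SecurityGroupChanges": _event_in("ec2.amazonaws.com", {
        "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress",
        "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup"}),
    "NACLChanges": _event_in("ec2.amazonaws.com", {
        "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl", "DeleteNetworkAclEntry",
        "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"}),
    "NetworkGatewayChanges": _event_in("ec2.amazonaws.com", {
        "CreateCustomerGateway", "DeleteCustomerGateway", "AttachInternetGateway",
        "CreateInternetGateway", "DeleteInternetGateway", "DetachInternetGateway"}),
    "RouteTableChanges": _event_in("ec2.amazonaws.com", {
        "CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation",
        "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable"}),
    "VPCChanges": _event_in("ec2.amazonaws.com", {
        "CreateVpc", "DeleteVpc", "ModifyVpcAttribute", "AcceptVpcPeeringConnection",
        "CreateVpcPeeringConnection", "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection"}),
    "IAMPolicyChanges": _event_in("iam.amazonaws.com", {
        "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "PutGroupPolicy", "PutRolePolicy",
        "PutUserPolicy", "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
        "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
        "AttachGroupPolicy", "DetachGroupPolicy"}),
}

# Constructed sample events (only the fields the rules use, plus the caller).
SAMPLE_EVENTS: List[dict] = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "errorMessage": "Failed authentication",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/admin"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deployer"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deployer"}},
    # A denied attempt to change a bucket policy: the change rules do not look at
    # errorCode, so this fires both UnauthorizedAPICalls and S3BucketPolicyChanges.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",  # benign read
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deployer"}},
]


def match_rules(event: dict) -> List[str]:
    """Names of every rule this event would increment, in the order listed above."""
    return [name for name, rule in RULES.items() if rule(event)]


def alarm_summary(events: List[dict], threshold: int = 1) -> Dict[str, int]:
    """Count matches per rule and keep those that reach the alarm threshold."""
    counts: Dict[str, int] = {}
    for event in events:
        for name in match_rules(event):
            counts[name] = counts.get(name, 0) + 1
    return {name: n for name, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["eventName"], "->", match_rules(event) or "no match")
    print(alarm_summary(SAMPLE_EVENTS))
```

Two points worth noticing when you tune the real alarms: the change rules fire on attempted changes as well as successful ones (the denied `PutBucketPolicy` above counts twice), and the access-denied rule is noisy in accounts where automation probes permissions, so the threshold and period need adjusting per account rather than copied from the benchmark.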
Amazon GuardDuty is a threat detection service that analyses CloudTrail events, VPC Flow Logs and DNS logs for malicious or unauthorized behavior within your AWS Accounts, and for signs that an AWS resource (for example an EC2 instance or an IAM credential) has been compromised.
Stax enables GuardDuty in all your AWS Accounts, with your Security Account acting as the GuardDuty master (administrator) account. All GuardDuty findings generated within your accounts are sent to the GuardDuty master, so they can be triaged in one place.
If you are onboarding External AWS Accounts to Stax, any existing GuardDuty resources will need to be removed to enable Stax controls to be applied. Stax will work with you to minimize the impact to your existing configuration.
AWS IAM Access Analyzer
AWS IAM Access Analyzer examines the resource-based policies on your AWS resources (for example S3 buckets, KMS keys and IAM roles) and reports any that grant access to a principal outside your zone of trust. Types of external identities include another AWS account, a root user, an IAM user or role, or an AWS service.
The AWS IAM Access Analyzer service is enabled at the AWS Organization level. This means that it is configured within every region of every account in your AWS Organization. As part of this configuration, all IAM Access Analyzer findings are delivered to the StaxTrail S3 bucket in your logging account. In addition, an AWS service-linked role is created within each account so that AWS IAM Access Analyzer can analyze your resources. The role is named
Service Control Policies
Service Control Policies (SCPs) set the maximum permissions available to IAM principals in the accounts they apply to, governing which services and actions can be used there. SCPs grant nothing themselves (an action still needs an IAM allow) and do not apply to the management account. They are attached at the AWS Organization entity level (root, OU or account) and are inherited by everything beneath that entity.
Within Stax, SCPs called Policies are applied to your Stax Organization and Account Types. Stax Policies protect Stax-provisioned resources and configurations that provide critical security services and controls. All SCPs applied by Stax are visible in the customer console under the Policies sub-menu in the left-hand navigation pane.
You can set your own Policies; however, Stax provides a set of mandatory controls by default. Some examples of mandatory Policies set up by Stax include:
- Disallow modification to AWS Config
- Disallow modification to AWS GuardDuty
- Disallow modification to Stax AWS CloudTrail logs
- Disallow modifications to Stax CloudFormation Stacks
- Prevent removal of Stax CloudWatch alarms
- Disallow modifications to Stax Lambdas
- Prevent removal of IDAM resources
- Disallow policy changes to Stax SSM Session Manager configuration preferences
To view the controls applied to your AWS Organization by Stax mandatory Policies, please visit Policies in the customer console.
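To show what a control such as "Disallow modification to AWS GuardDuty" looks like as an SCP, and how the Deny interacts with a principal that must still be able to manage the service, the following is an added example and not a Stax Policy. The action list, the exempted role name (`StaxSecurityAutomation`) and the account IDs are hypothetical, and the evaluator implements only the subset of SCP semantics this policy uses: an explicit Deny on `Action`, with an optional `ArnNotLike` condition on `aws:PrincipalArn`.

```python
"""Build a GuardDuty-protection SCP and evaluate requests against it.

Added example, not a Stax Policy. The role name, action list and account IDs
are hypothetical. Only the SCP features this policy uses are evaluated:
Effect=Deny, Action matching, and an ArnNotLike condition on aws:PrincipalArn.
"""
import fnmatch
import json
from typing import Dict, List, Union

PROTECT_GUARDDUTY_SCP: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyGuardDutyModification",
            "Effect": "Deny",
            "Action": [
                "guardduty:DeleteDetector",
                "guardduty:UpdateDetector",
                "guardduty:DeleteMembers",
                "guardduty:DisassociateMembers",
                "guardduty:DisassociateFromMasterAccount",
                "guardduty:StopMonitoringMembers",
            ],
            "Resource": "*",
            # Hypothetical automation role that is still allowed to manage the detector.
            # ArnNotLike means the Deny applies to every principal EXCEPT matching ARNs.
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/StaxSecurityAutomation"}},
        }
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM lets Action / condition values be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive; * and ? wildcards line up with fnmatch.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _arn_matches(pattern: str, arn: str) -> bool:
    # ARNs are case-sensitive and contain no fnmatch bracket characters.
    return fnmatch.fnmatchcase(arn, pattern)


def scp_denies(policy: Dict, action: str, principal_arn: str) -> bool:
    """True if a Deny statement in `policy` applies to this request.

    A False result is not an allow: SCPs only restrict, so the request still
    needs an IAM policy that grants the action.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_action_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and any(_arn_matches(p, principal_arn) for p in _as_list(exempt)):
            continue  # principal matches an ArnNotLike pattern, so the condition is false
        return True
    return False


def render(policy: Dict) -> str:
    """The JSON you would attach with `aws organizations create-policy --type SERVICE_CONTROL_POLICY`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(PROTECT_GUARDDUTY_SCP))
    for arn in ("arn:aws:iam::111111111111:role/developer",
                "arn:aws:iam::111111111111:role/StaxSecurityAutomation"):
        for action in ("guardduty:DeleteDetector", "guardduty:ListDetectors"):
            print(f"{arn} {action}: {'DENIED' if scp_denies(PROTECT_GUARDDUTY_SCP, action, arn) else 'not denied by SCP'}")
```

The `ArnNotLike` exemption is what keeps the control from locking out the automation that manages the service in the first place; if you write your own Policies on top of the mandatory ones, keep in mind that any Deny you add is evaluated alongside Stax's, and there is no way for an account-level SCP to override a Deny inherited from a parent OU.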