Shared accounts for security – Introduction to AWS Security Services

Shared accounts for security

Control Tower’s shared accounts feature offers a structured approach to security governance by centralizing key functions into specific accounts. These accounts, including the log archive and audit accounts, are housed within the security OU. They are typically accessed by a selected group of security and compliance professionals within the organization, ensuring a controlled environment for sensitive tasks.

Log archive account

The Log Archive account serves as a centralized repository for all logs generated by CloudTrail and Config. While its primary function is to store these specific types of logs, it can also be configured to store additional logs from other AWS services, such as S3 access logs or VPC flow logs, depending on your organization’s requirements.

The immutability of logs in the Log Archive account is a critical feature for ensuring data integrity and compliance. AWS employs multiple layers of security, including encryption and access controls, to ensure that once logs are written, they cannot be altered or deleted. This is crucial for compliance with various regulations such as GDPR, HIPAA, and others that require secure, tamper-proof storage of logs.
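One way to verify that a log bucket's policy actually carries the access controls the paragraph above relies on. This is an added example and not code from the book or from Control Tower; the bucket name, account layout and both policy documents are constructed sample data, and the three controls it looks for (an unconditional deny on object deletion, a deny on unencrypted uploads, and a deny on non-TLS requests) are assumptions about what a log archive bucket should enforce, not a description of the policy Control Tower itself generates.

```python
"""Audit an S3 bucket policy for the controls expected on a log archive bucket.

Added example, not part of the original page. LOG_BUCKET, GOOD_POLICY and
WEAK_POLICY are constructed sample data.
"""

LOG_BUCKET = "example-log-archive-bucket"  # constructed bucket name


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _denies_everyone(stmt):
    """True for a Deny statement that applies to every principal."""
    return stmt.get("Effect") == "Deny" and stmt.get("Principal") in ("*", {"AWS": "*"})


def _covers(stmt, required):
    """True if the statement's Action set includes every required action."""
    actions = set(_as_list(stmt.get("Action", [])))
    return "s3:*" in actions or required <= actions


def _condition_keys(stmt):
    """All condition keys used by the statement, whatever the operator."""
    keys = set()
    for operator_map in stmt.get("Condition", {}).values():
        keys.update(operator_map.keys())
    return keys


def audit_log_bucket_policy(policy):
    """Return the list of missing controls; an empty list means all are present."""
    statements = _as_list(policy.get("Statement", []))
    findings = []

    # 1. Object deletion must be denied to everyone with no condition attached,
    #    so that a conditional deny (e.g. on transport) is not mistaken for it.
    if not any(_denies_everyone(s) and not s.get("Condition")
               and _covers(s, {"s3:DeleteObject", "s3:DeleteObjectVersion"})
               for s in statements):
        findings.append("object deletion is not denied unconditionally")

    # 2. Uploads that do not specify server-side encryption must be refused.
    if not any(_denies_everyone(s) and _covers(s, {"s3:PutObject"})
               and "s3:x-amz-server-side-encryption" in _condition_keys(s)
               for s in statements):
        findings.append("unencrypted uploads are not denied")

    # 3. Requests over plaintext HTTP must be refused.
    if not any(_denies_everyone(s) and "aws:SecureTransport" in _condition_keys(s)
               for s in statements):
        findings.append("non-TLS access is not denied")

    return findings


# Constructed policy with all three controls present.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": f"arn:aws:s3:::{LOG_BUCKET}/*"},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{LOG_BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{LOG_BUCKET}", f"arn:aws:s3:::{LOG_BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Same policy with the delete deny removed: objects could be erased by anyone
# who gains write access, so the log store is no longer tamper-proof.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [s for s in GOOD_POLICY["Statement"] if s["Sid"] != "DenyDelete"],
}


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_log_bucket_policy(policy) or "all controls present")
```

In practice the policy document would come from `get_bucket_policy` rather than an inline dict, and the same checks should be paired with a look at versioning and Object Lock on the bucket, since a policy alone does not protect against a principal who can rewrite the policy.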

To ensure that all accounts are sending their logs to the Log Archive account, Control Tower can be configured to trigger alerts or notifications if an account fails to send logs as expected. This can be done through Amazon CloudWatch alarms or custom Lambda functions that monitor for any discrepancies in log delivery.
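The delivery check such a Lambda function would run, as an added example that is not code from the book or from Control Tower. It assumes the object-key layout an organization trail writes into the archive bucket (`AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>`); the organization ID, account IDs, object keys and timestamps are constructed sample data, and the `(key, last_modified)` pairs stand in for what an S3 listing would return.

```python
"""Flag accounts whose CloudTrail logs have stopped arriving in the Log Archive bucket.

Added example, not part of the original page. Sample keys and timestamps are
constructed; in a real Lambda they would come from an S3 listing.
"""
import re
from datetime import datetime, timedelta, timezone

# Matches organization-trail keys (with the o-... prefix) and single-account
# trail keys, capturing the 12-digit account ID. Config history, CloudTrail
# digests and other prefixes deliberately do not match.
KEY_PATTERN = re.compile(r"^AWSLogs/(?:o-[a-z0-9]+/)?(\d{12})/CloudTrail/")


def latest_delivery_per_account(objects):
    """objects: iterable of (key, last_modified). Returns {account_id: newest last_modified}."""
    latest = {}
    for key, last_modified in objects:
        match = KEY_PATTERN.match(key)
        if not match:
            continue
        acct = match.group(1)
        if acct not in latest or last_modified > latest[acct]:
            latest[acct] = last_modified
    return latest


def find_silent_accounts(objects, expected_accounts, now, max_age):
    """Return {account_id: reason} for every expected account with no delivery
    at all, or whose newest CloudTrail object is older than max_age."""
    latest = latest_delivery_per_account(objects)
    silent = {}
    for acct in expected_accounts:
        if acct not in latest:
            silent[acct] = "no CloudTrail objects found"
        elif now - latest[acct] > max_age:
            silent[acct] = f"last delivery {now - latest[acct]} ago"
    return silent


# Constructed sample data: three accounts expected, one healthy, one stale,
# one that has only delivered Config history and no CloudTrail logs at all.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=1)
EXPECTED_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]
SAMPLE_OBJECTS = [
    ("AWSLogs/o-exampleorg1/111111111111/CloudTrail/us-east-1/2024/01/15/"
     "111111111111_CloudTrail_us-east-1_20240115T1150Z_a1b2.json.gz",
     NOW - timedelta(minutes=10)),
    ("AWSLogs/o-exampleorg1/222222222222/CloudTrail/us-east-1/2024/01/15/"
     "222222222222_CloudTrail_us-east-1_20240115T0900Z_c3d4.json.gz",
     NOW - timedelta(hours=3)),
    ("AWSLogs/o-exampleorg1/333333333333/Config/us-east-1/2024/1/15/ConfigHistory/"
     "333333333333_Config_us-east-1_ConfigHistory_AWS::EC2::Instance_20240115T115500Z.json.gz",
     NOW - timedelta(minutes=5)),
]


def run_sample():
    """Run the check over the constructed data; returns the silent-account map."""
    return find_silent_accounts(SAMPLE_OBJECTS, EXPECTED_ACCOUNTS, NOW, MAX_AGE)


if __name__ == "__main__":
    for acct, reason in sorted(run_sample().items()):
        print(f"ALERT {acct}: {reason}")
```

The expected-account list is the piece that makes this a completeness check rather than a freshness check: it should be taken from AWS Organizations at run time, so that a newly created account that never starts logging is caught instead of silently missing from the bucket.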

Audit account

The Audit account in Control Tower provides read-only access to all the resources across your landing zone, facilitating a secure and controlled environment for conducting audits and security reviews. While the account itself doesn’t run any specific services, it is often used in conjunction with various AWS and third-party auditing and compliance tools.

AWS recommends using AWS Audit Manager, which automates the collection of evidence for audits, and Security Hub, which aggregates security findings. These tools can be configured to run within the Audit account, providing a comprehensive view of your security posture without the risk of altering configurations or data.

The Audit account can also be integrated with third-party governance, risk, and compliance (GRC) platforms. These platforms can pull data from the Audit account to provide additional insights and reporting capabilities, further enhancing your organization’s ability to conduct thorough and effective audits.
