JJediny
commented
3 years ago In accordance with GSA Security Engineering Requirements for AWS - PL-8: Information Security Architecture:
Required
- Enable CloudTrail in ALL regions
- Enable VPC Flow Logs per subnet
- CloudWatch (enabled for CloudTrail and VPC Flow Logs)
- Shield
- Inspector
- Config
- Trusted Advisor
Optional
- SecurityHub
- GuardDuty
- Macie
- CloudFront w/ WAF
- Shield (Advanced)
- CloudWatch (used for metrics, log data, budget alarms)
Background on these services:
GuardDuty ($$) - is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified.
Config ($) - is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
Next Steps (TBD):
- [ ] Based on this we need to create an issue to enable AWS config to enforce GSA IAM password requirements and user 90 day login check-ins (this issue would be seperate from our SSO w/ GSA AD implementation plans).
- [ ] Recommend GuardDuty for production and staging environments for TTS System owners (Based on pricing this is worth the investment if tuned well).
- [x] Create a new issue to use Cloud Custodian's guardian as an offer to TTS System to potentially co-develop events to alerts for and automate its deployment - based ongoing lessons learned from the login.gov team (which is actively using it).
afeld
Background
These services provide automated monitoring of security settings/incidents/best practices
Implementation
Acceptance