AWS - Education
AWS Blueprint for StackZone AWS Engine
Eduardo Van Cauteren
Last Update 9 months ago
The StackZone Education Services setup enables the components needed to support and build out compliance for this industry vertical.
- Shared Services Account:
- Amazon VPC including Private and Public Subnets distributed in 2 availability zones in the primary region
- Log-Archive Account:
- Shared Amazon S3 Bucket with a lifecycle policy that retains logs for up to 7 years
- Security Account:
- Aggregated SNS Security Topic (subscribe your email distribution list or account to the topic after the initial setup to start receiving notifications)
- Central Amazon GuardDuty detector
- Central AWS Config global aggregator to visualize your compliance from a single place for your entire Organization
- Primary Account:
- Security Services Delegation to the Security Account
- Amazon S3 Storage Lens
- AWS License Manager
- AWS Systems Manager
- Amazon Macie
- AWS IAM Access Analyzer
- Service Control Policies:
- StackZone Allowed Instance Types Preventive Guardrails
- StackZone Allowed Regions Mandatory Preventive Guardrails
- StackZone Allowed Volume Types Preventive Guardrails
- StackZone Core Mandatory Preventive Guardrails
- StackZone Data perimeter Governance 1 Preventive Guardrails
- StackZone Data perimeter Governance 2 Preventive Guardrails
- StackZone Deny Mandatory Preventive Guardrails
- StackZone Deny Networking Preventive Guardrails
- StackZone Education Preventive Guardrails
- StackZone HIPAA Preventive Guardrails
- StackZone Machine Learning Guardrails
- StackZone Network Perimeter EC2 Preventive Guardrails
- StackZone Non-Core Mandatory Preventive Guardrails
- StackZone PCI Preventive Guardrails
- StackZone Restrict All Guardrails
- StackZone SCP Tag Policies
- StackZone Sensitive Data Protection Preventive Guardrails
- StackZone SOC Preventive Guardrails
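As an illustration of what a preventive region guardrail such as the Allowed Regions SCP above looks like, here is an added example (not StackZone's actual policy text and not code from this page): a Python script holding a typical allowed-regions SCP together with a minimal local evaluator that covers only the IAM semantics the policy uses (a Deny statement, NotAction, and StringNotEquals on aws:RequestedRegion). The allowed regions, the exempted global-service actions and every name in the script are assumptions.

```python
"""Illustrative allowed-regions preventive guardrail (SCP) plus a minimal
local evaluator. Added example: this is NOT StackZone's "Allowed Regions
Mandatory Preventive Guardrails" SCP; it shows the common pattern such a
guardrail follows. Assumptions (not from the page): the allowed regions,
the global-service exemption list and all identifiers below."""
import fnmatch
import json

ALLOWED_REGIONS = ["us-east-1", "us-west-2"]  # assumption: primary region plus one more

# Global (region-less) services are still evaluated against aws:RequestedRegion,
# so they must be exempted or the Deny breaks IAM, Organizations, STS, etc.
# Assumption: a typical, non-exhaustive exemption list.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "health:*", "access-analyzer:*",
]

ALLOWED_REGIONS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideAllowedRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}
        },
    }],
}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy: dict, action: str, requested_region: str) -> bool:
    """Return True if any Deny statement in the policy matches the request.

    Only the subset of IAM logic this guardrail needs is modelled: Action /
    NotAction lists and a StringNotEquals condition on aws:RequestedRegion.
    SCPs never grant permissions, so Allow statements are ignored.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            # NotAction: the statement applies to every action NOT listed
            action_hit = not any(_action_matches(p, action) for p in stmt["NotAction"])
        else:
            patterns = stmt.get("Action", [])
            if isinstance(patterns, str):
                patterns = [patterns]
            action_hit = any(_action_matches(p, action) for p in patterns)
        if not action_hit:
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed = cond.get("aws:RequestedRegion")
        # No condition -> unconditional deny; otherwise deny only outside the list
        if allowed is None or requested_region not in allowed:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(ALLOWED_REGIONS_SCP, indent=2))
    for action, region in [("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("iam:CreateUser", "eu-west-1")]:
        verdict = "DENIED" if scp_denies(ALLOWED_REGIONS_SCP, action, region) else "allowed"
        print(f"{action} in {region}: {verdict}")
```

The NotAction exemption is the part to check before attaching a guardrail of this shape: global services are evaluated against aws:RequestedRegion too, so without the exemption the Deny also blocks IAM, STS and Organizations calls from every member account.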
- Baseline Services (Applied to every account managed by StackZone):
- Lambda Helper (required Lambda functions for StackZone to operate)
- SNS Helper (required to forward Security SNS Notifications from all accounts to the Security Account)
- Key Management Service: creates AWS KMS keys used to encrypt Amazon EBS volumes, CloudWatch Logs log groups and SNS topics, so that the encryption-related compliance rules are met.
- Amazon CloudTrail: enables an encrypted, multi-region trail in every account (home region: the primary region) that records every API call to the shared Amazon S3 bucket in the Log-Archive Account and locally to an Amazon CloudWatch log group.
- AWS Backup & Restore: EC2 and EBS backup by tag
- AWS Config:
- Creates an AWS IAM Role to run AWS Config Rules and Remediations.
- Enables an AWS Config local aggregator in each account in the primary region.
- Enables these global AWS Config Rules in all accounts (the interval in parentheses is the rule's periodic evaluation frequency):
- No Inline Policy
- IAM Policy no statements with full access
- Root MFA Enabled (24 hours)
- IAM Password Policy (24 hours)
- IAM User MFA Enabled (1 hour)
- IAM User Console MFA Enabled (1 hour)
- IAM User Unused Credential (12 hours)
- IAM Access keys Rotated (12 hours)
- IAM Root Access Key Check (12 hours)
- Root Account Hardware MFA Enabled (12 hours)
- IAM User No Policies Attached
- IAM Policy No Admin Permissions
- Enables these regional AWS Config Rules in all accounts:
- Amazon GuardDuty:
  - GuardDuty Enabled
- PCI-DSS Compliance:
  - EC2 Instance No Public IP
- Amazon ElastiCache:
  - ElastiCache Redis Backup Enabled
- Amazon EC2 Auto Scaling Group:
  - Auto Scaling Group Multi AZ
- AWS CloudTrail:
  - CloudTrail Enabled
  - CloudTrail Security Trail Enabled
  - Multi Region CloudTrail Enabled
  - CloudTrail Log File Validation Enabled
  - CloudTrail Encryption Enabled
- Amazon EBS:
  - EBS Volumes Encrypted
- Amazon S3:
  - S3 Public Read Prohibited
  - S3 Public Write Prohibited
  - S3 Bucket Server Side Encryption
- Amazon EC2:
  - EC2 Instance Managed by SSM
  - ELB Cross Zone Load Balancing Enabled
- Network:
  - VPC Flow Logs Enabled
  - Elastic Load Balancer Logging
  - VPC S3 Gateway Endpoint Enabled
  - VPC DynamoDB Gateway Endpoint Enabled
  - No Default VPC Check
  - VPC Elastic IP Attached
- Enables Automatic Remediation for:
- Amazon EBS:
  - EBS Volumes Encrypted Remediation
- Network:
  - VPC Flow Logs Enabled Remediation
  - VPC S3 Gateway Endpoint Enabled Remediation
  - VPC DynamoDB Gateway Endpoint Enabled Remediation
- AWS CloudTrail:
  - CloudTrail Log File Validation Remediation
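To make concrete what several of the global IAM rules listed under AWS Config actually evaluate (root MFA, root access keys, user MFA, console MFA, key rotation, unused credentials), here is an added example that is not StackZone code and not from this page: an offline Python approximation of those checks run over an IAM credential report, the same CSV that `aws iam get-credential-report` returns. The 90-day threshold mirrors the default parameters of the corresponding AWS managed rules; the report rows, account ID, user names and the fixed evaluation date are constructed sample data, and treating never-used credentials as aged from their creation or rotation date is an assumption.

```python
"""Offline approximation of the global IAM-related AWS Config rules, evaluated
over an IAM credential report. Added example, not StackZone code. The 90-day
threshold mirrors the AWS managed rules' default maxAccessKeyAge /
maxCredentialUsageAge; the report below is constructed sample data."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample credential report (same columns as `aws iam get-credential-report`).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T00:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-01-01T00:00:00+00:00,true,2024-05-20T00:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-04-01T00:00:00+00:00,2024-05-25T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2023-01-01T00:00:00+00:00,true,2023-11-01T00:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,false,true,2023-01-01T00:00:00+00:00,2023-10-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::111111111111:user/ci-bot,2024-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,us-west-2,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
MAX_AGE = timedelta(days=90)                     # default maxAccessKeyAge / maxCredentialUsageAge


def _ts(value: str):
    """Parse a credential-report timestamp; N/A, no_information, not_supported -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def evaluate(report_csv: str, now: datetime = NOW) -> dict:
    """Return {rule_name: [non-compliant resource names]} for the modelled rules."""
    findings = {
        "root-account-mfa-enabled": [],
        "iam-root-access-key-check": [],
        "iam-user-mfa-enabled": [],
        "mfa-enabled-for-iam-console-access": [],
        "access-keys-rotated": [],
        "iam-user-unused-credentials-check": [],
    }
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        keys_active = [row[f"access_key_{i}_active"] == "true" for i in (1, 2)]
        if user == "<root_account>":
            if not mfa:
                findings["root-account-mfa-enabled"].append(user)
            if any(keys_active):
                findings["iam-root-access-key-check"].append(user)
            continue  # the remaining rules are scoped to IAM users
        if not mfa:
            findings["iam-user-mfa-enabled"].append(user)
            if row["password_enabled"] == "true":
                findings["mfa-enabled-for-iam-console-access"].append(user)
        unused = False
        if row["password_enabled"] == "true":
            # assumption: a never-used password is aged from its last change
            last_used = _ts(row["password_last_used"]) or _ts(row["password_last_changed"])
            if last_used and now - last_used > MAX_AGE:
                unused = True
        for i, active in enumerate(keys_active, start=1):
            if not active:
                continue
            rotated = _ts(row[f"access_key_{i}_last_rotated"])
            if rotated and now - rotated > MAX_AGE:
                findings["access-keys-rotated"].append(f"{user}/key{i}")
            # assumption: a never-used key is aged from its rotation date
            last_used = _ts(row[f"access_key_{i}_last_used_date"]) or rotated
            if last_used and now - last_used > MAX_AGE:
                unused = True
        if unused:
            findings["iam-user-unused-credentials-check"].append(user)
    return findings


if __name__ == "__main__":
    for rule, resources in evaluate(SAMPLE_REPORT).items():
        state = "COMPLIANT" if not resources else "NON_COMPLIANT " + ", ".join(resources)
        print(f"{rule}: {state}")
```

Running the script against a real report (`aws iam get-credential-report --query Content --output text | base64 -d`) gives a quick preview of what the periodic Config rules will flag before their next 1, 12 or 24 hour evaluation window.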