AWS - Education

AWS Blueprint for StackZone AWS Engine

Eduardo Van Cauteren

Last Update vor 6 Monaten

StackZone Education Services setup includes the necessary components enabled to support and build compliance according to this industry vertical.

Components Created:
  • Shared Services Account:
    • Amazon VPC including Private and Public Subnets distributed in 2 availability zones in the primary region
  • Log-Archive Account:
    • Shared Amazon S3 Bucket with a lifecycle policy to store logs up to 7 years
  • Security Account:
    • Aggregated SNS Security Topic (your email distribution list or account must be configured after the initial setup to start receiving the notifications)
    • Central Amazon GuardDuty detector
    • Central AWS Config global aggregator to visualize your compliance from a single place for your entire Organization
  • Primary Account:
    • Security Services Delegation to the Security Account
      • Amazon S3 Storage Lens
      • AWS License Manager
      • AWS Systems Manager
      • Amazon Macie
      • AWS IAM Access Analyzer
  • Service Control Policies:
    • StackZone Allowed Instance Types Preventive Guardrails
    • StackZone Allowed Regions Mandatory Preventive Guardrails
    • StackZone Allowed Volume Types Preventive Guardrails
    • StackZone Core Mandatory Preventive Guardrails
    • StackZone Data perimeter Governance 1 Preventive Guardrails
    • StackZone Data perimeter Governance 2 Preventive Guardrails
    • StackZone Deny Mandatory Preventive Guardrails
    • StackZone Deny Networking Preventive Guardrails
    • StackZone Education Preventive Guardrails
    • StackZone HIPAA Preventive Guardrails
    • StackZone Machine Learning Guardrails
    • StackZone Network Perimeter EC2 Preventive Guardrails
    • StackZone Non-Core Mandatory Preventive Guardrails
    • StackZone PCI Preventive Guardrails
    • StackZone Restrict All Guardrails
    • StackZone SCP Tag Policies
    • StackZone Sensitive Data Protection Preventive Guardrails
    • StackZone SOC Preventive Guardrails
  • Baseline Services (Applied to every account managed by StackZone):
    • Lambda Helper (required Lambda functions for StackZone to operate)
    • SNS Helper (required to forward Security SNS Notifications from all accounts to the Security Account)
    • Key Management Service: Creates AWS KMS Keys for Amazon EBS Volumes, CloudWatch Logs and SNS Topics to be encrypted to maintain compliance.
    • Amazon CloudTrail: Enables a multi-region, encrypted Trail in every account in the primary region that logs every action to the Amazon S3 Bucket in the Log-Archive Account and locally to an Amazon CloudWatch LogGroup.
    • AWS Backup & Restore: EC2 and EBS backup by tag
    • AWS Config:
      • Creates an AWS IAM Role to run AWS Config Rules and Remediations.
      • Enables AWS Config local aggregator in each account in the primary region.
      • Enables these global AWS Config Rules in all accounts:
        • No Inline Policy
        • IAM Policy no statements with full access
        • Root MFA Enabled (24 hours)
        • IAM Password Policy (24 hours)
        • IAM User MFA Enabled (1 hour)
        • IAM User Console MFA Enabled (1 hour)
        • IAM User Unused Credential (12 hours)
        • IAM Access keys Rotated (12 hours)
        • IAM Root Access Key Check (12 hours)
        • Root Account Hardware MFA Enabled (12 hours)
        • IAM User No Policies Attached
        • IAM Policy No Admin Permissions
      • Enables these regional AWS Config Rules in all accounts
        • Amazon GuardDuty
          • GuardDuty Enabled

        • PCI-DSS Compliance
          • EC2 Instance No Public IP

        • Amazon ElastiCache
          • Elasticache Redis Backup enabled

        • Amazon EC2 AutoScaling Group
          • AutoScaling Group Multi AZ

        • AWS CloudTrail
          • CloudTrail Enabled

          • CloudTrail Security Trail Enabled

          • Multi Region CloudTrail Enabled

          • CloudTrail Log File Validation Enabled

          • CloudTrail Encryption Enabled

        • Amazon EBS
          • EBS Volumes Encrypted

        • Amazon S3
          • S3 Public Read Prohibited

          • S3 Public Write Prohibited

          • S3 Bucket Server Side Encryption

        • Amazon EC2
          • EC2 Instance Managed by SSM

          • ELB Cross Zone Load Balancing Enabled

        • Network
          • VPC Flowlogs Enabled

          • Elastic Load Balancer Logging

          • VPC S3 Gateway Endpoint Enabled

          • VPC DynamoDB Gateway Endpoint Enabled

          • No Default VPC Check

          • VPC Elastic IP Attache

        • Enables Automatic Remediation for:
          • Amazon EBS
            • EBS Volumes Encrypted Remediation

          • Network
            • VPC Flowlogs Enabled Remediation

            • VPC S3 Gateway Endpoint Enabled Remediation

            • VPC DynamoDB Gateway Endpoint Enabled Remediation

          • AWS CloudTrail
            • CloudTrail Log File Validation Remediation


Was this article helpful?

0 out of 0 liked this article

Still need help? Message Us