AWS - Education

AWS Blueprint for StackZone AWS Engine

Eduardo Van Cauteren

Last Update: a year ago

The StackZone Education Services setup includes the components needed to support and build compliance for this industry vertical.

Components Created:
  • Shared Services Account:
    • Amazon VPC including Private and Public Subnets distributed in 2 availability zones in the primary region
  • Log-Archive Account:
    • Shared Amazon S3 Bucket with a lifecycle policy that retains logs for up to 7 years
  • Security Account:
    • Aggregated SNS Security Topic (your email distribution list or account must be subscribed to this topic after the initial setup before you start receiving notifications)
    • Central Amazon GuardDuty detector
    • Central AWS Config global aggregator to visualize your compliance from a single place for your entire Organization
  • Primary Account:
    • Security Services Delegation to the Security Account
      • Amazon S3 Storage Lens
      • AWS License Manager
      • AWS Systems Manager
      • Amazon Macie
      • AWS IAM Access Analyzer
  • Service Control Policies:
    • StackZone Allowed Instance Types Preventive Guardrails
    • StackZone Allowed Regions Mandatory Preventive Guardrails
    • StackZone Allowed Volume Types Preventive Guardrails
    • StackZone Core Mandatory Preventive Guardrails
    • StackZone Data perimeter Governance 1 Preventive Guardrails
    • StackZone Data perimeter Governance 2 Preventive Guardrails
    • StackZone Deny Mandatory Preventive Guardrails
    • StackZone Deny Networking Preventive Guardrails
    • StackZone Education Preventive Guardrails
    • StackZone HIPAA Preventive Guardrails
    • StackZone Machine Learning Guardrails
    • StackZone Network Perimeter EC2 Preventive Guardrails
    • StackZone Non-Core Mandatory Preventive Guardrails
    • StackZone PCI Preventive Guardrails
    • StackZone Restrict All Guardrails
    • StackZone SCP Tag Policies
    • StackZone Sensitive Data Protection Preventive Guardrails
    • StackZone SOC Preventive Guardrails
  • Baseline Services (Applied to every account managed by StackZone):
    • Lambda Helper (required Lambda functions for StackZone to operate)
    • SNS Helper (required to forward Security SNS Notifications from all accounts to the Security Account)
    • Key Management Service: Creates AWS KMS Keys so that Amazon EBS Volumes, CloudWatch Logs and SNS Topics are encrypted, as required to maintain compliance.
    • Amazon CloudTrail: Enables a multi-region, encrypted Trail in every account (created in the primary region) that logs every action to the Amazon S3 Bucket in the Log-Archive Account and locally to an Amazon CloudWatch Logs LogGroup.
    • AWS Backup & Restore: EC2 and EBS backup by tag
    • AWS Config:
      • Creates an AWS IAM Role to run AWS Config Rules and Remediations.
      • Enables AWS Config local aggregator in each account in the primary region.
      • Enables these global AWS Config Rules in all accounts:
        • No Inline Policy
        • IAM Policy no statements with full access
        • Root MFA Enabled (24 hours)
        • IAM Password Policy (24 hours)
        • IAM User MFA Enabled (1 hour)
        • IAM User Console MFA Enabled (1 hour)
        • IAM User Unused Credential (12 hours)
        • IAM Access keys Rotated (12 hours)
        • IAM Root Access Key Check (12 hours)
        • Root Account Hardware MFA Enabled (12 hours)
        • IAM User No Policies Attached
        • IAM Policy No Admin Permissions
      • Enables these regional AWS Config Rules in all accounts:
        • Amazon GuardDuty
          • GuardDuty Enabled
        • PCI-DSS Compliance
          • EC2 Instance No Public IP
        • Amazon ElastiCache
          • ElastiCache Redis Backup Enabled
        • Amazon EC2 AutoScaling Group
          • AutoScaling Group Multi AZ
        • AWS CloudTrail
          • CloudTrail Enabled
          • CloudTrail Security Trail Enabled
          • Multi Region CloudTrail Enabled
          • CloudTrail Log File Validation Enabled
          • CloudTrail Encryption Enabled
        • Amazon EBS
          • EBS Volumes Encrypted
        • Amazon S3
          • S3 Public Read Prohibited
          • S3 Public Write Prohibited
          • S3 Bucket Server Side Encryption
        • Amazon EC2
          • EC2 Instance Managed by SSM
          • ELB Cross Zone Load Balancing Enabled
        • Network
          • VPC Flow Logs Enabled
          • Elastic Load Balancer Logging
          • VPC S3 Gateway Endpoint Enabled
          • VPC DynamoDB Gateway Endpoint Enabled
          • No Default VPC Check
          • VPC Elastic IP Attached
      • Enables Automatic Remediation for:
        • Amazon EBS
          • EBS Volumes Encrypted Remediation
        • Network
          • VPC Flow Logs Enabled Remediation
          • VPC S3 Gateway Endpoint Enabled Remediation
          • VPC DynamoDB Gateway Endpoint Enabled Remediation
        • AWS CloudTrail
          • CloudTrail Log File Validation Remediation

