AWS SRA best practices checklist

AWS Organizations is enabled with all features.

Service control policies (SCPs) are used to define access control guidelines for IAM principals.

Resource control policies (RCPs) are used to define access control guidelines for AWS resources.

Declarative policies are used to centrally declare and enforce your desired configuration for a given AWS service at scale across your organization.

Three foundational OUs are created (Security, Infrastructure, and Workload) to group member accounts that provide foundation services.

The Security Tooling account is created under the Security OU. This account provides centralized management of AWS security services and other third-party security tools.

The Log Archive account is created under the Security OU. This account provides a tightly controlled central log repository of AWS services and application logs.

The Network account is created under the Infrastructure OU. This account manages the gateway between your application and the broader internet. It isolates the networking services, configuration, and operation from the individual application workloads, security, and other infrastructure.

The Shared Service account is created under the Infrastructure OU. This account supports the services that multiple applications and teams use to deliver their outcomes.

The Application account is created under the Workloads OU. This account hosts the primary infrastructure and services to run and maintain an enterprise application. This guide provides a representation, but in the real world there will be multiple OUs and member accounts segregated by applications, development environments, and other security considerations.

Alternate contact information for billing, operations, and security for all member accounts are configured.

An organization trail is configured that enables delivery of CloudTrail management events in the management account and all member accounts in an AWS organization.

The organization trail is configured as multi-Region trail.

The organization trail is configured to capture events from global resources.

Additional trails to capture specific data events are configured as necessary to monitor sensitive AWS resource activities.

The Security Tooling account is set as a delegated administrator of the organization trail.

The organization trail is configured to be automatically enabled for all new member accounts.

The organization trail is configured to publish logs to a centralized S3 bucket that is hosted in the Log Archive account.

The organization trail has log file validation enabled to verify the integrity of log files.

The organization trail is integrated with CloudWatch Logs for retention of logs.

The organization trail is encrypted by using a customer managed key.

The central S3 bucket that is used for the log repository in the Log Archive account is encrypted with a customer managed key.

The central S3 bucket used for the log repository in the Log Archive account is configured with S3 Object Lock for immutability.

Versioning is enabled for the central S3 bucket that is used for the log repository in the Log Archive account.

The central S3 bucket that is used for the log repository in the Log Archive account has a resource policy defined that restricts object upload only by organization trail through the resource Amazon Resource Name (ARN).

Security Hub CSPM is enabled for all member accounts and the management account.

AWS Config is enabled for all member accounts as a prerequisite for Security Hub CSPM.

The Security Tooling account is set as a delegated administrator of Security Hub CSPM.

Amazon GuardDuty and Amazon Detective have the same delegated administrator account as Security Hub CSPM for smooth service integration.

Central configuration is used to set up and manage Security Hub CSPM across multiple AWS accounts and AWS Regions.

All OU and member accounts are designated as centrally managed by the delegated administrator of Security Hub CSPM.

Security Hub CSPM is automatically enabled for all new member accounts.

Security Hub CSPM is automatically enabled for configuration of new standards.

Security Hub CSPM findings from all Regions are aggregated to a single home Region.

Security Hub CSPM findings from all member accounts are aggregated within the Security Tooling account.

The AWS Foundational Best Practices (FSBP) standard in Security Hub CSPM is enabled for all member accounts.

The CIS AWS Foundation Benchmark standard in Security Hub CSPM is enabled for all member accounts.

Other Security Hub CSPM standards are enabled as applicable.

A Security Hub CSPM automation rule is used to enrich findings with resource context.

The Security Hub CSPM automated response and remediation feature is used to create custom EventBridge rules to take automatic actions against specific findings.

The AWS Config recorder is enabled for all member accounts and the management account.

The AWS Config recorder is enabled for all Regions.

The AWS Config delivery channel S3 bucket is centralized in the Log Archive account.

The AWS Config delegated administrator account is set to the Security Tooling account.

AWS Config has an organization aggregator set up. The aggregator includes all Regions.

AWS Config conformance packs are deployed uniformly to all member accounts from the delegated administrator account.

AWS Config rule findings are automatically sent to Security Hub CSPM.

GuardDuty detector is enabled for all member accounts and the management account.

GuardDuty detector is enabled for all Regions.

GuardDuty detector is automatically enabled for all new member accounts.

GuardDuty delegated administration is set to the Security Tooling account.

GuardDuty foundational data sources such as CloudTrail management events, VPC flow logs, and Route 53 Resolver DNS query logs are enabled.

GuardDuty S3 Protection is enabled.

GuardDuty Malware Protection for EBS volumes is enabled.

GuardDuty Malware Protection for S3 is enabled.

GuardDuty RDS Protection is enabled.

GuardDuty Lambda Protection is enabled.

GuardDuty EKS Protection is enabled.

GuardDuty EKS Runtime Monitoring is enabled.

GuardDuty Extended Threat Detection is enabled.

GuardDuty findings are exported to a central S3 bucket in the Log Archive account for retention.

IAM users are not used.

Centralized management of root access for member accounts is enforced.

The centralized privileged root user task for management account is enforced from the delegated administrator.

Centralized root access management is delegated to the Security Tooling account.

All member account root credentials are removed.

All member and management AWS account password policies are set according to the organization's security standard. 

IAM access advisor is used to review last used information for IAM groups, users, roles, and policies.

Permission boundaries are used to restrict maximum possible permissions for IAM roles.

IAM Access Analyzer is enabled for all member accounts and the management account.

The IAM Access Analyzer delegated administrator is set to the Security Tooling account.

The IAM Access Analyzer external access analyzer is configured with the organization zone of trust in every Region.

The IAM Access Analyzer external access analyzer is configured with the account zone of trust in every Region.

The IAM Access Analyzer internal access analyzer is configured with the organization zone of trust in every Region.

The IAM Access Analyzer internal access analyzer is configured with the account zone of trust in every Region.

The IAM Access Analyzer unused access analyzer for the current account is created.

The IAM Access Analyzer unused access analyzer for the current organization is created.

Detective is enabled for all member accounts.

Detective is automatically enabled for all new member accounts.

Detective is enabled for all Regions.

The Detective delegated administrator is set to the Security Tooling account.

The Detective, GuardDuty, and Security Hub CSPM delegated administrator is set to the same Security Tooling account.

Detective is integrated with Security Lake for storage and analysis of raw logs.

Detective is integrated with GuardDuty for ingesting findings.

Detective is ingesting Amazon EKS audit logs for analysis.

Detective is ingesting Security Hub CSPM logs for analysis.

Firewall Manager security policies are set.

The Firewall Manager delegated administrator is set to the Security Tooling account.

AWS Config is enabled as a prerequisite.

Multiple Firewall Manager administrators are set with restricted scope per OU, account, and Region.

A Firewall Manager AWS WAF security policy is defined.

A Firewall Manager AWS WAF centralized logging policy is defined.

A Firewall Manager Shield Advanced security policy is defined.

A Firewall Manager security group security policy is defined.

Amazon Inspector is enabled for all member accounts.

Amazon Inspector is automatically enabled for any new member account.

The Amazon Inspector delegated administrator is set to the Security Tooling account.

Amazon Inspector EC2 vulnerability scanning is enabled.

Amazon Inspector ECR image vulnerability scanning is enabled.

Amazon Inspector Lambda function and layers vulnerability scanning is enabled.

Amazon Inspector Lambda code scanning is enabled.

Amazon Inspector code security scanning is enabled.

Macie is enabled for applicable member accounts.

Macie is automatically enabled for applicable new member accounts.

The Macie delegated administrator is set to the Security Tooling account.

Macie findings are exported to a central S3 bucket in the log Archive account.

S3 buckets that store Macie findings are encrypted with a customer managed key.

The Macie policy and classification policy are published to Security Hub CSPM.

Security Lake organization configuration is enabled.

The Security Lake delegated administrator is set to the Security Tooling account.

The Security Lake organization configuration is enabled for new member accounts.

The Security Tooling account is set up as a data access subscriber to conduct analysis of logs.

The Security Tooling account is set up as a data query subscriber to conduct analysis of logs.

A CloudTrail management log source is enabled for Security Lake in all or specified active member accounts.

A VPC flow log source is enabled for Security Lake in all or specified active member accounts.

A Route 53 log source is enabled for Security Lake in all or specified active member accounts.

CloudTrail data event for an S3 log source is enabled for Security Lake in all or specified active member accounts.

A Lambda execution log source is enabled for Security Lake in all or specified active member accounts.

An Amazon EKS audit log source is enabled for Security Lake in all or specified active member accounts.

A Security Hub findings log source is enabled for Security Lake in all or specified active member accounts.

An AWS WAF log source is enabled for Security Lake in all or specified active member accounts.

Security Lake SQS queues in the delegated administrator account is encrypted with a customer managed key.

The Security Lake SQS dead-letter queue in the delegated administrator account is encrypted with a customer managed key.

The Security Lake S3 bucket is encrypted with a customer managed key.

The Security Lake S3 bucket has a resource policy that restricts direct access only by Security Lake.

All CloudFront distributions are associated with AWS WAF.

All Amazon API Gateway REST APIs are associated with AWS WAF.

All Application Load Balancers are associated with AWS WAF.

All AWS AppSync GraphQL APIs are associated with AWS WAF.

All Amazon Cognito user pools are associated with AWS WAF.

All AWS App Runner services are associated with AWS WAF.

All AWS Verified Access instances are associated with AWS WAF.

All AWS Amplify applications are associated with AWS WAF.

AWS WAF logging is enabled.

AWS WAF logs are centralized in an S3 bucket in the Log Archive account.

Shield Advanced subscription is enabled and set to auto-renew for all application accounts that have public-facing resources.

Shield Advanced is configured for all CloudFront distributions.

Shield Advanced is configured for all Application Load Balancers.

Shield Advanced is configured for all Network Load Balancers.

Shield Advanced is configured for all Route 53 hosted zones.

Shield Advanced is configured for all Elastic IP addresses.

Shield Advanced is configured for all Global Accelerators.

CloudWatch alarms are configured for CloudFront and Route 53 resources that are protected by Shield Advanced.

Shield Response Team (SRT) access is configured.

Shield Advanced proactive engagement is enabled.

Shield Advanced proactive engagement contacts are configured.

Shield Advanced protected resources have a custom AWS WAF rule configured.

Shield Advanced protected resources have automatic application-layer DDoS mitigation enabled.

AWS Security Incident Response is enabled for the whole AWS organization.

The AWS Security Incident Response delegated administrator is set to the Security Tooling account.

The proactive response and alert triaging workflow is enabled.

AWS Customer Incident Response Team (CIRT) containment actions are authorized.

Audit Manager is enabled for all member accounts.

Audit Manager is automatically enabled for new member accounts.

The Audit Manager delegated administrator is set to the Security Tooling account.

AWS Config is enabled as prerequisite for Audit Manager.

A customer managed  key is used for data stored in Audit Manager.

The default assessment report destination is configured.