AWSCloudFormationTemplates/security

This template sets basic security configurations. It builds Amazon GuardDuty, AWS Config, AWS CloudTrail, AWS Security Hub, Amazon Macie, and related resources.
If you just want to deploy the whole stack, click the button below.

| US East (Virginia) | Asia Pacific (Tokyo) |
|---|---|

If you want to deploy each service individually, click the button below.

| Services | US East (Virginia) | Asia Pacific (Tokyo) |
|---|---|---|
| IAM | | |
| AWS Security Hub | | |
| Amazon GuardDuty | | |
| AWS CloudTrail | | |
| AWS Config | | |
| Amazon Macie | | |
| Amazon Security Lake | | |
| Logging | | |
The following sections describe the individual components of the architecture.
This template enables IAM Access Analyzer. IAM Access Analyzer findings are sent to Amazon SNS via Amazon EventBridge.

After deploying it, you can manually designate the delegated IAM Access Analyzer administrator account for your organization.
This template enables AWS Security Hub and sets up Amazon SNS and Amazon EventBridge so that you receive a message when the result of a control check changes to FAILED.

After deploying it, update the CloudFormation parameters to enable Security Hub and the standards you want.
This template enables Amazon GuardDuty. Notifications are sent only for findings with severity MEDIUM or higher.

After deploying it, you can designate the delegated Amazon GuardDuty administrator account for your organization. In the GuardDuty console of that account, choose Accounts in the navigation pane, then choose Enable in the banner at the top of the page. This automatically turns on the Auto-enable GuardDuty setting so that GuardDuty is enabled for any new account that joins the organization. Then enable additional data sources in member accounts as needed.
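The notification wiring described for IAM Access Analyzer, Security Hub and GuardDuty above, as an added example that is not the project's template: one SNS topic, a topic policy that lets EventBridge publish to it, and three EventBridge rules. The `NotificationEmail` parameter and the resource logical names are assumptions; the example expects the three services to be enabled already.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example, not the project's template. Routes Access Analyzer findings, GuardDuty findings of severity MEDIUM or higher, and Security Hub control failures to one SNS topic.

Parameters:
  NotificationEmail:
    Type: String
    Description: Assumed parameter. Address subscribed to the alert topic.

Resources:
  SecurityAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref NotificationEmail

  # EventBridge can only publish to a topic whose resource policy allows it.
  SecurityAlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SecurityAlertTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowEventBridgePublish
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref SecurityAlertTopic

  # Active Access Analyzer findings only; resolved/archived ones are dropped.
  AccessAnalyzerFindingRule:
    Type: AWS::Events::Rule
    Properties:
      State: ENABLED
      EventPattern:
        source:
          - aws.access-analyzer
        detail-type:
          - Access Analyzer Finding
        detail:
          status:
            - ACTIVE
      Targets:
        - Arn: !Ref SecurityAlertTopic
          Id: AccessAnalyzerToSns

  # GuardDuty severity is numeric: 4.0-6.9 is MEDIUM, 7.0-8.9 HIGH, so
  # ">= 4" is the "MEDIUM or higher" threshold the README describes.
  GuardDutyMediumOrHigherRule:
    Type: AWS::Events::Rule
    Properties:
      State: ENABLED
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
        detail:
          severity:
            - numeric:
                - '>='
                - 4
      Targets:
        - Arn: !Ref SecurityAlertTopic
          Id: GuardDutyToSns

  # Security Hub re-imports every finding; matching only FAILED, ACTIVE and
  # NEW keeps passed checks and already-handled failures from re-alerting.
  SecurityHubFailedCheckRule:
    Type: AWS::Events::Rule
    Properties:
      State: ENABLED
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Imported
        detail:
          findings:
            Compliance:
              Status:
                - FAILED
            RecordState:
              - ACTIVE
            Workflow:
              Status:
                - NEW
      Targets:
        - Arn: !Ref SecurityAlertTopic
          Id: SecurityHubToSns
```

The `findings` key in the Security Hub pattern is an array in the event; EventBridge matches the pattern against each element, so the rule fires when any finding in the batch is a new, active failure. Without the `RecordState`/`Workflow` qualifiers the topic also receives every periodic re-import of an old failure.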
This template enables AWS CloudTrail and creates the S3 bucket in which its logs are stored. CloudTrail logs stored in the S3 bucket are encrypted with an AWS KMS key (CMK).

If you have already enabled AWS Control Tower, AWS CloudTrail is enabled in all accounts in your organization regardless of whether you deploy this template.
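A trail, bucket and key of the kind the paragraph above describes, as an added example that is not the project's template. The key policy, bucket policy and logical names are assumptions made for illustration; CloudWatch Logs delivery and bucket access logging (CloudTrail.5 and CloudTrail.7 in the compliance table below) are left out to keep the example short.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example, not the project's template. Multi-Region CloudTrail trail writing KMS-encrypted, validated log files to a private S3 bucket.

Resources:
  TrailKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Example KMS key for CloudTrail log files
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: kms:*
            Resource: '*'
          # CloudTrail needs GenerateDataKey* to encrypt. The EncryptionContext
          # condition restricts use of the key to trails owned by this account.
          - Sid: AllowCloudTrailEncrypt
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: kms:GenerateDataKey*
            Resource: '*'
            Condition:
              StringLike:
                'kms:EncryptionContext:aws:cloudtrail:arn': !Sub 'arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*'
          - Sid: AllowCloudTrailDescribe
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: kms:DescribeKey
            Resource: '*'

  TrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      # CloudTrail.6: the log bucket must never be publicly accessible.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref TrailKey

  TrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt TrailBucket.Arn
          # Writes are limited to this account's prefix and must hand the
          # object to the bucket owner, so a foreign trail cannot write here.
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub '${TrailBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource:
              - !GetAtt TrailBucket.Arn
              - !Sub '${TrailBucket.Arn}/*'
            Condition:
              Bool:
                'aws:SecureTransport': 'false'

  Trail:
    Type: AWS::CloudTrail::Trail
    # CloudTrail validates the bucket policy when the trail is created,
    # so the policy has to exist first.
    DependsOn: TrailBucketPolicy
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true          # CloudTrail.1
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true     # CloudTrail.4
      KMSKeyId: !GetAtt TrailKey.Arn
      S3BucketName: !Ref TrailBucket
```

The two mistakes this layout avoids are a key policy without the `GenerateDataKey*` grant to `cloudtrail.amazonaws.com` (trail creation fails with an insufficient-permissions error) and a bucket policy that grants `s3:PutObject` on the whole bucket without the ACL condition.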
This template creates an AWS Config delivery channel, a configuration recorder and the managed rules listed below.

Automatic remediation with SSM Automation documents is enabled for the following rules:

- IAM_PASSWORD_POLICY
- IAM_ROOT_ACCESS_KEY_CHECK
- S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
- VPC_FLOW_LOGS_ENABLED
- VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
- VPC_DEFAULT_SECURITY_GROUP_CLOSED
AWS Security Hub automatically creates the Config rules it needs for its own security checks.

When AWS Config detects noncompliant resources, it sends a notification to Amazon SNS.

If you have already enabled AWS Control Tower, AWS Config is enabled in all accounts in your organization regardless of whether you deploy this template.
This template configures Amazon Macie.

After deploying it, you can designate the delegated Amazon Macie administrator account for your organization. In the Macie console of that account, choose Accounts in the navigation pane, then choose Enable in the banner at the top of the page. This automatically turns on the Auto-enable Macie setting so that Macie is enabled for any new account that joins the organization.
This template builds Amazon Security Lake and SIEM on Amazon OpenSearch Service using AWS CloudFormation StackSets.

If you want to use Security Lake for an organization, you must use your Organizations management account to designate a delegated Security Lake administrator.

If you integrate SIEM on Amazon OpenSearch Service with Security Lake, change the visibility timeout of the SQS queue from 5 minutes to 10 minutes.

After setting up SIEM on OpenSearch Service, add a notification configuration to the S3 bucket by following the SIEM on OpenSearch Service setup steps, and update the CloudFormation parameters as needed.
This template creates Amazon EventBridge rules for AWS Health and AWS Trusted Advisor events. EventBridge forwards those events to Amazon SNS.

This template also creates other resources such as service-linked roles, IAM roles, S3 buckets, Amazon SNS topics, and so on.
Execute the following command to deploy:

```sh
aws cloudformation deploy --template-file template.yaml --stack-name DefaultSecuritySettings --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
```
You can provide optional parameters as follows:

| Name | Type | Default | Required | Details |
|---|---|---|---|---|
| AlarmLevel | NOTICE / WARNING | NOTICE | ○ | The alarm level of CloudWatch alarms |
| AuditAccountId | String | | | The ID of the audit account |
| AWSCloudTrail | ENABLED / CREATED_BY_CONTROL_TOWER / DISABLED | ENABLED | ○ | Enable or disable AWS CloudTrail |
| AWSCloudTrailAdditionalFilters | String | | | Additional expression for the CloudWatch Logs metric filters |
| AWSCloudTrailS3Trail | ENABLED / DISABLED | ENABLED | ○ | If ENABLED, a trail is created |
| AWSConfig | ENABLED / DISABLED | ENABLED | ○ | If ENABLED, AWS Config is enabled |
| AWSConfigAutoRemediation | ENABLED / DISABLED | ENABLED | ○ | If ENABLED, automatic remediation of AWS Config rules by SSM Automation and Lambda is enabled |
| AmazonGuadDuty | ENABLED / NOTIFICATION_ONLY / DISABLED | ENABLED | ○ | If ENABLED, Amazon GuardDuty is enabled |
| AmazonMacie | ENABLED / NOTIFICATION_ONLY / DISABLED | ENABLED | ○ | If ENABLED, Amazon Macie is enabled |
| AWSSecurityHub | String | STANDARDS_ONLY | ○ | If ENABLED, AWS Security Hub is enabled |
| AWSSecurityHubStandards | CommaDelimitedList | FSBP, CIS | ○ | The Security Hub standards to enable |
| IAMAccessAnalyzer | String | ACCOUNT | ○ | If ACCOUNT or ORGANIZATION, IAM Access Analyzer is enabled with that analyzer type |
| IAMUserArnToAssumeAWSSupportRole | String | | | The IAM user ARN allowed to assume the AWS Support role |
| LogArchiveAccountId | String | | | The ID of the log archive account |
| OrganizationId | String | | | The AWS Organizations ID |
| OrganizationsRootId | String | | | The root ID of AWS Organizations |
| SecurityOUId | String | | | The ID of the security OU |
| SIEM | ENABLED / DISABLED | DISABLED | ○ | Enable or disable the SIEM environment |
| SIEMControlTowerLogBucketNameList | String | | ※ | The S3 log bucket names in the Log Archive account. Specify after installing OpenSearch Service. |
| SIEMControlTowerRoleArnForEsLoader | String | | ※ | The IAM role ARN to be assumed by aes-siem-es-loader. Specify after installing OpenSearch Service. |
| SIEMControlTowerSqsForLogBuckets | String | | ※ | The SQS ARN for the S3 log buckets in the Log Archive account. Specify after installing OpenSearch Service. |
| SIEMEsLoaderServiceRoleArn | String | | ※ | The ARN of the Lambda function aes-siem-es-loader. Specify after installing OpenSearch Service. |
| SIEMGeoLite2LicenseKey | String | | | The MaxMind license key used to enrich GeoIP location |
| SIEMSecurityLakeExternalId | String | | ※ | The Security Lake external ID for cross-account access. Specify after installing OpenSearch Service. |
| SIEMSecurityLakeRoleArn | String | | ※ | The IAM role ARN to be assumed by aes-siem-es-loader. Specify after installing OpenSearch Service. |
| SIEMSecurityLakeSubscriberSqs | String | | ※ | The SQS ARN of the Security Lake subscriber. Specify after installing OpenSearch Service. |
| SIEMEmail | String | | | The email address subscribed to the SNS topic to which Amazon OpenSearch Service sends alerts |

※ Specify after installing SIEM on OpenSearch Service.
If you run Amazon GuardDuty or AWS Security Hub from your Security tooling or Security view-only (Audit) account, designate those accounts as the delegated administrator accounts from the management account.
This template helps you comply with the following controls.

| Control Id | Rules | FSBP | CIS | Remediation |
|---|---|---|---|---|
| CloudTrail.1 | Ensure CloudTrail is enabled in all Regions | ○ | ○ | This template enables CloudTrail and related resources in all Regions |
| CloudTrail.4 | Ensure CloudTrail log file validation is enabled | ○ | ○ | This template enables CloudTrail and related resources in all Regions |
| CloudTrail.5 | Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs | ○ | ○ | This template enables CloudTrail and related resources in all Regions |
| CloudTrail.6 | Ensure the S3 bucket CloudTrail logs to is not publicly accessible | | ○ | This template enables CloudTrail and related resources in all Regions |
| CloudTrail.7 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | | ○ | This template enables CloudTrail and related resources in all Regions |
| CloudWatch.1 | Ensure a log metric filter and alarm exist for usage of the "root" account | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.2 | Ensure a log metric filter and alarm exist for unauthorized API calls | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.3 | Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.6 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.7 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.8 | Ensure a log metric filter and alarm exist for S3 bucket policy changes | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.9 | Ensure a log metric filter and alarm exist for AWS Config configuration changes | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.10 | Ensure a log metric filter and alarm exist for security group changes | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.12 | Ensure a log metric filter and alarm exist for changes to network gateways | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.13 | Ensure a log metric filter and alarm exist for route table changes | | ○ | This template creates a log metric filter and alarm |
| CloudWatch.14 | Ensure a log metric filter and alarm exist for VPC changes | | ○ | This template creates a log metric filter and alarm |
| Config.1 | AWS Config should be enabled | ○ | ○ | This template enables AWS Config and related resources |
| EC2.2 | Ensure the default security group of every VPC restricts all traffic | ○ | ○ | Config checks it and SSM Automation remediates it automatically |
| EC2.6 | Ensure VPC flow logging is enabled in all VPCs | ○ | ○ | Config checks it and SSM Automation remediates it automatically |
| EC2.13 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | | ○ | Config checks it and SSM Automation remediates it automatically |
| EC2.14 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | | ○ | Config checks it and SSM Automation remediates it automatically |
| IAM.3 | Ensure access keys are rotated every 90 days or less | ○ | ○ | Config checks it and Lambda removes the key automatically |
| IAM.4 | IAM root user access key should not exist | ○ | ○ | Config checks it and SSM Automation remediates it automatically |
| IAM.7 | Password policies for IAM users should have strong configurations | ○ | ○ | Config checks it and SSM Automation remediates it automatically |
| IAM.18 | Ensure a support role has been created to manage incidents with AWS Support | ○ | ○ | This template creates an IAM role for AWS Support |
| IAM.22 | Ensure credentials unused for 45 days or greater are disabled | ○ | ○ | Config checks it and Lambda removes the credentials automatically |
| S3.17 | S3 buckets should have server-side encryption enabled | | | Config checks it and SSM Automation remediates it automatically |
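What "a log metric filter and alarm" means for the CloudWatch.x rows above, as an added example that is not the project's template. It shows two of the CIS checks, root account usage (CloudWatch.1) and console sign-in without MFA (CloudWatch.3), using the CIS Benchmark filter patterns. The `TrailLogGroupName` and `AlarmTopicArn` parameters, the metric namespace and the alarm names are assumptions; the log group is expected to be the one the trail delivers to, and the topic must have at least one subscription for the Security Hub check to pass.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example, not the project's template. CIS-style metric filters and alarms on the CloudTrail log group.

Parameters:
  TrailLogGroupName:
    Type: String
    Description: Assumed parameter. CloudWatch Logs group that CloudTrail delivers to.
  AlarmTopicArn:
    Type: String
    Description: Assumed parameter. SNS topic ARN that receives the alarms.

Resources:
  # CloudWatch.1: any API call made with root credentials, excluding calls
  # that an AWS service made on the account's behalf.
  RootUsageMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref TrailLogGroupName
      FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
      MetricTransformations:
        - MetricNamespace: CISBenchmark
          MetricName: RootAccountUsage
          MetricValue: '1'

  RootUsageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CIS-RootAccountUsage
      AlarmDescription: Root credentials were used (CloudWatch.1)
      Namespace: CISBenchmark
      MetricName: RootAccountUsage
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      # No data points simply means no root usage; do not alarm on that.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopicArn

  # CloudWatch.3: console sign-in where MFA was not used. Federated (SAML/SSO)
  # sign-ins also match this pattern; exclude them if they are expected.
  ConsoleSigninWithoutMfaMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref TrailLogGroupName
      FilterPattern: '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
      MetricTransformations:
        - MetricNamespace: CISBenchmark
          MetricName: ConsoleSigninWithoutMFA
          MetricValue: '1'

  ConsoleSigninWithoutMfaAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CIS-ConsoleSigninWithoutMFA
      AlarmDescription: Console sign-in without MFA (CloudWatch.3)
      Namespace: CISBenchmark
      MetricName: ConsoleSigninWithoutMFA
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopicArn
```

The remaining CloudWatch.x rows follow the same shape with a different `FilterPattern`; the `AWSCloudTrailAdditionalFilters` parameter in the table above is where extra pattern terms for those filters go.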