Multi-Account Security Monitoring with AWS Organizations
Setting up multi-account security monitoring with AWS Organizations means designating one account as the centralized security account and giving it visibility into every other account in the organization, so that logs can be aggregated, monitored, and analysed across the whole AWS environment from one place.
To achieve this using Pulumi, you configure AWS Organizations, create organizational units, attach service control policies, and designate the security account as the delegated administrator for AWS GuardDuty, which gives you centralized threat detection.
Here's how you can accomplish this with Pulumi in Python:
- Create an Organization - An AWS organization helps you centrally govern your environment as you grow and scale your AWS resources.
- Organize Accounts into Organizational Units (OUs) - OUs help you to categorize your accounts to manage them by group rather than individually.
- Attach Service Control Policies - SCPs offer central control over the maximum available permissions for all accounts in your organization. They cap what IAM policies inside a member account can grant; they do not grant permissions themselves, and they do not apply to the management account.
- Enable AWS GuardDuty - GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.
Let's look at how this might be implemented in Pulumi using Python:
```python
import pulumi
import pulumi_aws as aws

security_account_id = "SECURITY_ACCOUNT_ID"  # Replace with the 12-digit ID of the security account.

# Create the AWS Organization from the management account. "ALL" enables every feature
# (SCPs, delegated administrators, trusted access); "CONSOLIDATED_BILLING" is billing only.
# GuardDuty and Config need trusted access before they can operate across the organization.
org = aws.organizations.Organization(
    "org",
    feature_set="ALL",
    aws_service_access_principals=[
        "guardduty.amazonaws.com",
        "config.amazonaws.com",
        "config-multiaccountsetup.amazonaws.com",
    ],
    enabled_policy_types=["SERVICE_CONTROL_POLICY"],
)

# An Organizational Unit for security-related accounts, created under the (single) root.
ou = aws.organizations.OrganizationalUnit(
    "sec_ou",
    parent_id=org.roots.apply(lambda roots: roots[0].id),
    name="Security",
)

# Designate the security account as GuardDuty delegated administrator for the organization.
# This call is made from the management account.
guardduty_admin = aws.guardduty.OrganizationAdminAccount(
    "guardduty_admin",
    admin_account_id=security_account_id,
    opts=pulumi.ResourceOptions(depends_on=[org]),
)

# The organization-wide GuardDuty configuration belongs to the delegated administrator, so the
# remaining GuardDuty resources are created with credentials for the security account. This
# assumes the OrganizationAccountAccessRole that Organizations creates in new accounts exists
# there; adjust the role ARN if yours differs.
security_provider = aws.Provider(
    "security_account",
    assume_role=aws.ProviderAssumeRoleArgs(
        role_arn=f"arn:aws:iam::{security_account_id}:role/OrganizationAccountAccessRole",
    ),
)

# The delegated administrator's own detector; OrganizationConfiguration needs its ID,
# not the admin account ID.
detector = aws.guardduty.Detector(
    "security_detector",
    enable=True,
    opts=pulumi.ResourceOptions(provider=security_provider, depends_on=[guardduty_admin]),
)

# Enable GuardDuty (with S3 protection) for all current and future member accounts.
# "NEW" would cover only accounts that join later, leaving existing ones unmonitored.
guardduty_config = aws.guardduty.OrganizationConfiguration(
    "guardduty_config",
    detector_id=detector.id,
    auto_enable_organization_members="ALL",
    datasources=aws.guardduty.OrganizationConfigurationDatasourcesArgs(
        s3_logs=aws.guardduty.OrganizationConfigurationDatasourcesS3LogsArgs(auto_enable=True),
    ),
    opts=pulumi.ResourceOptions(provider=security_provider),
)

# An organization-level AWS Config managed rule. It evaluates only in accounts where the
# Config recorder is already running; the rule does not enable AWS Config itself.
config_rule = aws.cfg.OrganizationManagedRule(
    "config_rule",
    rule_identifier="IAM_PASSWORD_POLICY",
    description="Ensures the IAM password policy in each account meets the specified requirements.",
    opts=pulumi.ResourceOptions(depends_on=[org]),
)

pulumi.export("organization_arn", org.arn)
pulumi.export("organizational_unit_arn", ou.arn)
pulumi.export("guardduty_admin_account_id", guardduty_admin.admin_account_id)
pulumi.export("guardduty_detector_id", detector.id)
pulumi.export("config_rule_arn", config_rule.arn)
```
In the example, we first create an organization with all features enabled and grant GuardDuty and AWS Config trusted access to it. We then create an Organizational Unit called 'Security' as the designated home for security-related accounts. The security account is registered as the GuardDuty delegated administrator for the organization; because the organization-wide GuardDuty configuration is owned by that account, its detector and OrganizationConfiguration are created through a provider that assumes a role there, and the configuration is keyed on the detector ID rather than the account ID. Finally we create an AWS Config organization managed rule that checks the IAM password policy in every account where the Config recorder is running. Note that the program attaches no SCP yet: until a policy is attached to it, the Security OU only groups accounts.
Before using this Pulumi code, replace the placeholder SECURITY_ACCOUNT_ID with the 12-digit ID of your security account, and make sure Pulumi is configured with credentials for the organization's management account: only that account can create the organization and designate a delegated administrator. Then run the program with the Pulumi CLI (`pulumi up`) after confirming Pulumi is installed and the AWS credentials are in place.
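The SCP step listed above is not implemented in the program. As an added example that is not part of the original page or of Pulumi's own code, the block below builds a guardrail SCP that denies the actions which would disable GuardDuty, AWS Config or CloudTrail in a member account, exempting a single security automation role through an `aws:PrincipalArn` condition, and includes a small evaluator that shows how SCPs combine: a matching Deny always wins, and an Allow must still exist, normally from the default FullAWSAccess policy. The account ID and role names are constructed, and the evaluator is deliberately limited to `Action`, `Effect` and `Condition` at one level of the hierarchy (no `NotAction`, no `Resource` matching, no parent OU inheritance).

```python
import fnmatch
import json

# Actions that would blind or disable the organization's security tooling if run in a member account.
PROTECTED_ACTIONS = [
    "guardduty:DeleteDetector",
    "guardduty:UpdateDetector",
    "guardduty:DeleteMembers",
    "guardduty:DisassociateFromAdministratorAccount",
    "config:DeleteConfigurationRecorder",
    "config:StopConfigurationRecorder",
    "config:DeleteDeliveryChannel",
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
]

# AWS attaches this policy to every root, OU and account by default; it is what grants anything at all.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def build_guardrail_scp(exempt_role_arn_pattern):
    """Deny-only SCP: blocks PROTECTED_ACTIONS for every principal whose ARN does not match the pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ProtectSecurityTooling",
                "Effect": "Deny",
                "Action": PROTECTED_ACTIONS,
                "Resource": "*",
                # Only the security automation role may change these services; root users are not exempt.
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": [exempt_role_arn_pattern]}},
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _condition_met(condition, context):
    """Evaluate String*/Arn* operators. A missing context key fails positive operators and satisfies Not* ones."""
    for operator, pairs in (condition or {}).items():
        negated = "Not" in operator
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None:
                if not negated:
                    return False
                continue
            matched = any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))
            if matched == negated:
                return False
    return True


def _statement_applies(stmt, action, context):
    # IAM action names are case-insensitive and may be wildcarded (e.g. "guardduty:*").
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    return _condition_met(stmt.get("Condition"), context)


def scp_permits(policies, action, principal_arn):
    """SCP decision for one level of the hierarchy: any applicable Deny loses; otherwise an Allow is required."""
    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_json(policy):
    """Serialize the policy document for aws.organizations.Policy(content=...)."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample principals; the account ID and role names are not real.
    guardrail = build_guardrail_scp("arn:aws:iam::*:role/SecurityAutomation")
    attached = [FULL_AWS_ACCESS, guardrail]
    for principal in ("arn:aws:iam::111122223333:role/Developer",
                      "arn:aws:iam::111122223333:root",
                      "arn:aws:iam::111122223333:role/SecurityAutomation"):
        print(principal, "cloudtrail:StopLogging ->", scp_permits(attached, "cloudtrail:StopLogging", principal))
    print(scp_json(guardrail))
```

The document returned by `build_guardrail_scp` can be passed as `content` to `aws.organizations.Policy` (type `SERVICE_CONTROL_POLICY`) and attached to the Security OU, or to the root to cover every member account, with `aws.organizations.PolicyAttachment`. Two properties of the evaluator are worth noticing: the member account's root user is denied just like any other principal, so a compromised root credential cannot stop logging, and if FullAWSAccess is detached from the OU nothing is permitted at all, because a deny-only SCP never grants anything on its own.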
This setup is fundamental and would likely be elaborated upon significantly in a real-world scenario, including potentially more sophisticated event handling, logging, permission setups, and integrations with other AWS services and third-party tools. The details would depend heavily on your specific security requirements and compliance needs.