How to Detect and Mitigate Guardrail Violation with AWS Control Tower
Many companies that I work with would like to innovate fast in the cloud by adopting a self-service infrastructure provisioning model in a multi-account environment. However, maintaining security and governance in such a model is an organizational challenge. Without structured guardrails and baseline configuration enforcement, troubleshooting and mitigating risk can be cumbersome. AWS Control Tower automates account provisioning with consistent baseline configuration and simplifies multi-account compliance governance with prescriptive blueprints and best practices.
In this blog post, I will show you how to create a child organizational unit (OU) and an account under AWS Control Tower management. Then, I will show you how to associate a guardrail with the OU, detect a guardrail violation, mitigate the issue, analyze configuration and compliance history. I will be assuming that you already have a working version of AWS Control Tower. You can configure AWS Control Tower by following Jeff Barr’s blog post here.
AWS Control Tower sets up three baseline accounts (Master, Log archive, and Audit) that provide dedicated environments for specialized roles within your organization.
Here is a brief description of each baseline account:
- Master account contains landing zone configuration, account configuration StackSets, AWS Organizations Service Control Policies (SCPs), and AWS Single Sign-On (SSO) to manage and create new child accounts.
- Log archive account creates a central Amazon S3 bucket for storing a copy of all AWS CloudTrail and AWS Config log files. A replica of AWS CloudTrail logs is created locally in each child account for operational use.
- Audit account is used to receive security and compliance notification from Amazon CloudWatch Events, AWS CloudTrail, and AWS Config for all managed child accounts. AWS Control Tower uses Amazon Simple Notification Service (SNS) to send alerts to the unique email addresses that you provided for Master and Audit accounts during initial setup.
Baseline accounts and accounts are grouped into organizational units (OUs) for centralized accounts management.
The Master account is managed under Root OU while Log archive and Audit accounts are managed under Core OU. You can create new accounts under Custom OU or any additional child OUs to fit your organizational needs. The diagram below shows a high-level organizational structure within AWS Control Tower. I created an account called DevAccount1 under a child OU called DevOU.
AWS Control Tower provides guardrails based on prescriptive and pre-configured governance rules that can be enabled at the organizational units (OUs) level to enforce and detect compliance in a multi-account environment. To learn more, read the Guardrails in AWS Control Tower documentation.
The following diagram outlines the process flow:
- Administrator creates a child OU and an end user in the Master account.
- End user creates an account under the child OU created in step 1 within AWS Control Tower management.
- Administrator enables a guardrail at the child OU.
- Administrator receives alert about guardrail violation.
- End user mitigates guardrail violation.
- End user analyzes the configuration and compliance history.
Step 1: Create a child OU and an end user
To create a child OU:
- Logon to AWS Control Tower console as AWS Control Tower administrator, https://console.aws.amazon.com/controltower
- Navigate to Organizational units from the left panel, select Add an OU button.
- Specify a name for the child OU, call it DevOU.
To create an end user:
- While in the AWS Control Tower console as administrator, navigate to User and access, make a note of User portal URL.
- Select View in AWS Single Sign-On which opens up AWS SSO console. Select Manage your directory.
- Select Add user, fill out the user details including email address, name, and phone number. You can select whether to generate a one-time password that you can share with the user or send an email to the user with password setup instructions.
- In the next window, add the user to AWSAccountFactory group which provides the required permissions to launch a new account. Sign out from the AWS SSO console.
Step 2: Create an account with AWS Control Tower
To create an account:
- Open User portal URL in a new browser window, sign in to Master account as the end user. Select Management console link next to AWSServiceCatalogEndUserAccess.
- Navigate to AWS Service Catalog console, select Product list, select Launch product from AWS Control Tower Account Factory.
- Enter a name for this product.
- Enter the end user email that you created earlier for SSOUserEmail and a unique AccountEmail. The owner of SSOUserEmail will have administrative access to the new account. AccountEmail must be unique and isn’t already associated with an AWS account. Fill out the SSOUserFirstName and SSOUserLastName fields. Select DevOU as the managed OU and enter DevAccount1 in the AccountName.
- Take default values in the next few prompts. Review the settings and select Launch. The new account provisioning process takes approximately 30 minutes.
- Once completes, you should see the new account (DevAccount1) under Provisioned products list. Sign out from AWS Service Catalog Console.
Step 3: Enable a guardrail at the child OU
In this section, I will enable a guardrail at DevOU to detect unrestricted inbound SSH access to TCP port 22 in all child accounts under this OU. As a security group best practice, restricting inbound SSH access to only authorized IP addresses or CIDR range can avoid external attacks that are constantly looking for open ports to intrude EC2 instances. Please refer to this link for more information on how to authorize inbound traffic to your EC2 instances.
To enable a guardrail on an OU:
- Sign in to AWS Control Tower Master account as admin user.
- From the left panel, choose Guardrails, select Disallow internet connection through SSH.
- Choose Enable guardrail on OU button. Select DevOU and confirm the selection by choosing the Enable guardrail on OU.
- I can see a list of OUs that have been enabled with this guardrail by navigating to Guardrails, select Disallow internet connection through SSH, review the Organizational units enabled pane.
- The Audit account receives emails about the enforcement of this guardrail in each region that AWS Control Tower is currently available. At the time of this writing, AWS Control Tower is available in US East (Ohio), Europe (Ireland), US East (N. Virginia), and US West (Oregon).
For details on other guardrails, please refer to the documentation.
Step 4: Detect guardrail violation
Suppose one of the end users accidentally created or modified a security group to allow unrestricted SSH inbound access over port 22, the Audit account will be alerted of this compliance status change.
The owner of the email associated with the Audit Account will receive an email similar to the one below which shows the information about the noncompliant resource such as event timestamp, account ID and the region where this resource resides in, and AWS Config rule (AWSControlTower_AWS-GR_RESTRICTED_SSH) that detects the compliance status transition.
Note there will be a manual SNS subscription, one per each supported region, for the sample compliance email notification above during initial AWS Control Tower launch. Any extended team such as account administrators or security teams can subscribe to the same SNS topic by following the steps below:
- Sign in to the Audit account via user portal as admin user.
- Go to Amazon SNS console, select aws-controltower-AggregateSecurityNotifications.
- Select Create subscription
- Choose the appropriate type of endpoint from the Protocol list. In this case, I select Email and provide a valid email address in the Endpoint field.
- The owner of the new subscriber confirms the SNS topic subscription in the email similar to the one below to receive future compliance notification.
- In AWS Control Tower console, I get a centralized dashboard that shows the noncompliant resource and compliance status of all child OUs and accounts.
Step 5: Mitigate guardrail violation
To mitigate the noncompliant resource:
- Sign in to User portal URL as end user, select DevAccount1.
- Navigate to EC2 Dashboard, find the Security Group that contains the noncompliant configuration.
- Under Inbound tab, I select Edit to update the inbound rule and restrict SSH access to my IP address.
- Approximately five minutes after remediating the guardrail violation, Audit account receives an email that the resource is now compliant. Here is a sample email about the compliance status change.
- In the AWS Control Tower Dashboard, I can validate the overall compliance status of my multi-account environment is now back to green.
Step 6: Analyze configuration and compliance history
For post remediation verification:
- I navigate to AWS Config console in DevAccount1 as end user, select Rules, then AWSControlTower_AWS-GR_RESTRICTED_SSH.
- Select the appropriate filter from Compliance status drop-down menu, select the resource to explore Configuration timeline or Compliance timeline.
- In Configuration timeline tab, I can review the changes and events for this resource.
- Select Changes to view the configuration that triggered the compliance status transition.
- Scroll down the page, I can also find links to AWS CloudTrail that record full event details of each compliance transition for this resource.
- In Compliance Timeline tab, I can view the compliance status transition for this resource.
In this blog post, you saw how to create child OUs and account under AWS Control Tower management. I showed you how to associate guardrails managed by AWS Control Tower and detect when they are out of compliance. I also showed you how to mitigate issues, analyze configuration and compliance history. Now you can enable self-service infrastructure provisioning with AWS Control Tower guardrails to accelerate innovation with your organization.
About the Author
Cher Simon is a Senior Technical Account Manager at AWS. She works with customers building solutions in the cloud.