Provisioning access to security and audit teams in an AWS multi-account environment created by AWS Control Tower
AWS Control Tower offers the easiest way to set up and govern a secure, compliant, and multi-account AWS environment based on best practices established by working with thousands of enterprises. Organizations can leverage built-in preventive, proactive, and detective controls as a starting point to address the customer part of the AWS Shared Responsibility Model. Control Tower sets up and enforces a few key components for governance and auditing purposes:
- AWS Organizations: helps you manage access, billing, and policies across accounts;
- Service Control Policies (SCPs): implements centralized controls and restrictions on AWS services;
- Controls: help enforce policies and best practices across your accounts;
- Audit Logging: aggregates audit logging and manages its retention policy;
- AWS Organizations Audit Trail: records creation and deletion of accounts and changes in SCPs;
- Account Factory: ensures new accounts created adhere to your predefined policies and configurations;
- Integration with AWS Security Hub: centralized view of security findings and compliance checks.
In this blog, we provide guidance for provisioning security and audit user access to the components needed to perform their jobs managing risk and compliance on their AWS environment. We’ll look at the configurations required in Control Tower itself, its underpinning services, as well as other key AWS services that security and risk management teams can leverage to improve their organization’s security posture.
Many customers have split their security team into two functions:
- Security administrators or users, who deploy, configure, and manage the security services in use in the environment;
- Security assessors or auditors, viewers who only need to understand the security configurations so they can relay that information to the teams that can change those configurations to manage and remediate risk.
Organizations should focus on the security best practice of least-privileged-access for their AWS users, and that’s no different for the security team itself. Although assigning the “AdministratorAccess” managed policy to the security administrators and automatically granting access to everything on an account is a simple solution, it is not the recommended approach according to the AWS Well-Architected Framework.
We are going to focus on the IAM policies that a security team member needs to accomplish their job functions. Where possible, we recommend AWS managed policies, which are standalone policies created and administered by AWS. Further fine tuning may be performed to tailor access to specific needs and to enforce the least privilege principle more strictly. Most of the time, however, AWS managed policies strike a balance between ease of management and getting close to the target level of risk management. Because using them alone does not necessarily achieve least privilege, customers can leverage them as a starting point for their own customer managed policies, in line with the Shared Responsibility Model.
The following table is a summary of recommended AWS accounts after deploying AWS Organizations and AWS Control Tower services, and the access required by security administrators and audit users in each one of them. The required permissions will be detailed throughout the blog.
[Table: AWS account / type and service or resource examples (depending on role). Row entries recovered from the page: AWS IAM Identity Center, AWS Control Tower, AWS Audit Manager; AWS CloudTrail Logs, AWS Config Logs, AWS Config Aggregator; Shared Services Account; Ops tooling Account; Security Networking services; Security Tooling Account; Proof of concept.]
While not all customers need to enable all the AWS services listed in this document, it offers general guidance for AWS foundational and security related services.
AWS Control Tower
AWS Control Tower is deployed from the management account of your Organization. Customers that adopt a multi-account approach can leverage Control Tower to manage their multi-account environment. It includes two required accounts (named “Audit” and “Log Archive”) created by the Control Tower setup, as well as any other accounts provisioned by users. In order to set up these accounts with default resources, configurations, and VPC settings, Control Tower creates the “AWSControlTowerAdmin” role within the provisioned accounts during the setup process. This role requires the attached “AWSControlTowerServiceRolePolicy” managed policy, which deploys and maintains Control Tower resources in each account, including AWS CloudFormation stack sets, AWS CloudTrail log files, and more.
Security administrators, from a business perspective, should have access to the Control Tower console within the management account with the necessary permissions to monitor and manage the Landing Zone, configure and manage controls, and perform other related administrative tasks.
Security administrators should have the “AWSControlTowerAdmin” IAM role to be able to manage Control Tower resources.
In the following sections, we explore the necessary permissions for each of these AWS services in detail. In addition, security team members should have the necessary permissions to access each of the following services, if those services are in use by the organization and managed by security personnel:
- AWS Organizations
- AWS CloudTrail
- AWS Config
- AWS Health
- AWS IAM Identity Center
- AWS Security Hub
- Amazon GuardDuty
- Amazon Inspector
- AWS Key Management Service
- Amazon Macie
- AWS Transit Gateway Network Manager
- AWS Shield and Firewall Manager
- AWS WAF
- AWS Systems Manager
- AWS Audit Manager
- AWS Artifact
AWS Organizations
AWS Organizations is a service that allows you to centrally manage multiple AWS accounts. Since Control Tower relies on Organizations to manage its multi-account environments, security administrators should be granted appropriate permissions within Organizations. This includes permissions to manage organizational units (OUs), permissions to create and manage AWS accounts, and permissions to set up SCPs to enforce security and compliance across the organization.
Organizations’ delegated administrator feature allows you to delegate control of specific organizational units (OUs) to different groups or individuals within your organization. Security administrators could have delegated control over the Security OU, depending on how the organization is managed. The feature supports various requirements, especially when combined with the ability to set and manage Service Control Policies (SCPs) at the OU level:
- Fine-grained control
- Compliance and security
- Autonomy and efficiency
- Resource isolation
- Reduced administrative overhead
- Policy enforcement
Security administrators should have the “AWSOrganizationsFullAccess” IAM policy to manage Organizations, including creating and managing accounts and applying policies.
Audit users should have the “AWSOrganizationsReadOnlyAccess” IAM policy for read-only access.
AWS CloudTrail
AWS CloudTrail is a service that provides a record of all actions taken by a user, role, or AWS service in your AWS environment. During deployment, Control Tower enables trails for all accounts and sends the logs to the Audit account, so that security administrators and other systems can have read-only access to those records in a centralized way. This is implemented through the organization trail feature. However, a security administrator might need to enable additional trails as needed, including logging data events. Although users with full access could end up disabling or removing trails, you can set up Control Tower guardrails to help prevent this from happening.
Security administrators should have the ability to view and create new trails, including logging data events, and thus require the “AWSCloudTrail_FullAccess” IAM policy.
Security administrators or audit users that need access to the logs need the “AWSCloudTrail_ReadOnlyAccess” IAM policy.
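The guardrail behaviour described above, as an added example that is not part of the original post: an SCP that denies stopping, altering or deleting trails to everyone in an OU except one exempt automation role (the role name is an assumption), together with a minimal evaluator that shows which requests the statement blocks.

```python
"""Illustrative SCP that protects CloudTrail trails from being stopped,
altered or deleted, plus a small evaluator that shows which requests it
blocks.  Added example modelled on the behaviour the post attributes to
Control Tower guardrails; the exempt automation role name is an assumption."""
import fnmatch

# Deny trail changes to every principal in the OU except one exempt role.
TRAIL_GUARD_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailChanges",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    # Assumed role name; a real landing zone would list its
                    # own automation role here.
                    "aws:PrincipalARN": "arn:aws:iam::*:role/ExampleTrailAutomationRole"
                }
            },
        }
    ],
}


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?') of value against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the ArnLike / ArnNotLike operators used by this SCP."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            hit = _matches(patterns, context.get(key, ""))
            if operator == "ArnLike" and not hit:
                return False
            if operator == "ArnNotLike" and hit:
                return False
            # Other condition operators are not needed for this example.
    return True


def scp_denies(scp, action, principal_arn):
    """True if an explicit Deny statement in the SCP matches this request.

    Only Deny statements are evaluated: an SCP never grants permissions,
    it only limits what an account's own IAM policies may allow.
    """
    context = {"aws:PrincipalARN": principal_arn}
    for statement in scp["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not _matches(statement["Action"], action, fold_case=True):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            return True
    return False
```

SCPs never apply to the management account, so a trail created there is not covered by this statement alone; creating and describing trails stays permitted, which matches the full-access administrator role described above.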
AWS Config
Control Tower leverages AWS Config to implement detective controls and to monitor the AWS environments for compliance using policies and best practices. AWS Config is automatically enabled by Control Tower in the governed regions, with configuration history and snapshots delivered to an Amazon S3 bucket located in a centralized Log Archive account created automatically by Control Tower.
Security administrators that will manage AWS Config will require the IAM policy “AWSConfigMultiAccountSetupPolicy” to be able to create and delete config rules.
Security administrators or audit team members that only need to see config data should have the IAM policy “AWSConfigUserAccess”.
AWS Health
AWS Health provides personalized alerts and notifications to keep users informed about the operational status of their AWS resources and services. It offers a comprehensive view of the health of an AWS environment by aggregating and analyzing data from various sources, such as service health dashboards, scheduled maintenance notifications, and specific resource events. AWS Health delivers proactive insights into ongoing incidents, planned maintenance, and emerging issues that might impact the availability, performance, or security of AWS services. This service aids users in making informed decisions, taking timely actions, and ensuring the overall resilience and stability of their AWS infrastructure.
Although it is not related to Control Tower, AWS Health is a recommended service for keeping the security team aware of events affecting the environment.
The “AWSHealthFullAccess” managed AWS policy allows security administrators to interact with the service providing full access to the following:
- Enable or disable the AWS Health organizational view feature for all accounts in an AWS organization
- The AWS Health Dashboard in the AWS Health console
- AWS Health API operations and notifications
AWS IAM Identity Center
AWS IAM Identity Center is a workforce identity and access management service that manages the lifecycle of identities, with the ability to implement fine-grained access for employees, services, and workloads. Once implemented, Control Tower leverages it to set up permissions for every account governed by Control Tower, thus automating user provisioning and access permissions for every managed account.
Authentication, Authorization, and Accounting (AAA) is a security team function because it plays a critical role in network management and cybersecurity by controlling access to various resources, enforcing policies, and auditing usage. The AAA framework ensures that only authorized users have access to specific network resources and that their activities are monitored and tracked for security and accountability purposes.
Thus, it is paramount that security administrators have access to the AWS IAM Identity Center console on the Control Tower management account. The team should have permissions to configure the service, including integration with identity providers (IdPs) such as Okta, Azure AD, or LDAP. The IAM policy “AWSSSOMasterAccountAdministrator” should be assigned to security administrators with identity management responsibilities.
AWS Security Hub
AWS Security Hub is a cloud security posture management (CSPM) service. It offers a comprehensive view of the security state within an AWS environment and assists users in evaluating their security against industry standards and best practices. The service collects security data from your AWS accounts, AWS services, and supported third-party partner products, allowing security administrators and auditors to analyze security trends and identify high-priority security issues. In addition, Security Hub now integrates with Control Tower, allowing you to pair Security Hub detective controls with Control Tower proactive or preventive controls and manage them together using Control Tower.
We recommend that you enable Security Hub on the Control Tower Management account, and delegate the Audit account as the Security Hub delegated administrator account in all governed regions. On the Audit account, the “Auto-enabled” option should be selected, so that new accounts that are governed by Control Tower will be managed by the delegated account automatically.
The current list of services that support integration with Security Hub is available in the documentation.
The IAM policy “AWSSecurityHubFullAccess” provides full access to Security Hub, which is appropriate for security administrators that manage and operate the service, including the ability to create the service role required for activating the service. In addition, security administrators responsible for the Security Hub setup require the IAM policy “AWSSecurityHubOrganizationsAccess”.
For security administrators and audit users that will only monitor Security Hub, the “AWSSecurityHubReadOnlyAccess” IAM policy can be used.
Amazon GuardDuty
Amazon GuardDuty is a threat detection service. It is designed to help protect AWS environments by continuously monitoring for malicious or unauthorized behavior. GuardDuty analyzes various data sources, such as CloudTrail logs, VPC Flow Logs, DNS logs, and others, including malware activity, to identify potential security threats and suspicious activity across AWS accounts and resources.
We recommend that you enable GuardDuty on the Control Tower management account, and delegate the Audit account as the GuardDuty delegated administrator account in all Regions of the Control Tower managed organization. On the Audit account, the “Auto-enabled Guard Duty” option should be selected, and all existing AWS accounts under the Organization must be added as members.
Security administrators that will manage GuardDuty require the IAM policy “AmazonGuardDutyFullAccess” to configure the service.
Security administrators or audit users that need only to see threat information should have the IAM policy “AmazonGuardDutyReadOnlyAccess”.
Amazon Inspector
Amazon Inspector is an automated vulnerability management service that continually scans Amazon EC2, Amazon Machine Image (AMI), Lambda, and container workloads for software vulnerabilities and unintended network exposure. It should be enabled on accounts that operate sensitive or production related workloads to be monitored, with the Audit account configured as its delegated administrator for centralized management.
Security administrators that will manage and operate the service require the IAM policy “AmazonInspectorFullAccess” to configure the service.
Security administrators or audit users that need only audit capabilities should have the IAM policy “AmazonInspectorReadOnlyAccess” attached to their role or user.
AWS Key Management Service (KMS)
AWS Key Management Service is a managed service that enables users to create and control the cryptographic keys used to protect sensitive data and ensure its confidentiality, integrity, and availability. AWS KMS integrates with various AWS services, allowing users to encrypt their data easily and securely. Although the service is managed, security administrators and audit users might need access to verify conformity with compliance and regulatory requirements regarding the permissions for key usage and the required rotation of the keys in use.
In a multi-account environment, the role of security administrators and audit users is to monitor KMS key rotation, which is reported in Security Hub, ensuring that the cryptographic material for KMS keys is being updated as required by your security and compliance requirements, and to validate key policies regarding ownership and user permissions.
Security administrators that will manage and operate the service should have the “AWSKeyManagementServicePowerUser” IAM policy, which provides full access to KMS actions. In addition, auditing of the keys can be done through AWS Config.
Amazon Macie
Amazon Macie is a data classification and data protection service that uses machine learning and pattern matching to help secure critical data in AWS. It provides an inventory of Amazon Simple Storage Service (Amazon S3) buckets in managed AWS accounts and identifies security risks in S3 buckets. Macie uses machine learning to discover, identify, and create alerts for sensitive data such as personally identifiable information (PII).
Amazon Macie should be enabled on the Control Tower management account, with the Audit account configured as delegated administrator for centralized management. All member accounts that hold sensitive data sets containing confidential or PII data need to be added to the service. By default, Macie sends all findings to Security Hub to be handled by the security administrators.
Security administrators that will operate the service should be assigned the IAM policy “AmazonMacieFullAccess”, which provides full access to configuring and managing Amazon Macie, including the ability to set up the required service role during activation of the service.
The “AmazonMacieReadOnlyAccess” IAM policy can be used by audit users or security administrators in need of read-only access.
AWS Transit Gateway Network Manager
AWS Transit Gateway Network Manager provides tools and features to help you manage and monitor your network on AWS. One of its functions, Network Access Analyzer, is related to network security and governance: it aids in identifying inadvertent network access to your VPCs. Employing this tool enables security teams to gain insights into, validate, and enhance their network security posture.
Network security administrators need the IAM policy “AWSNetworkManagerFullAccess” for full access to the service.
The audit users and other security administrators need the IAM policy “AWSNetworkManagerReadOnlyAccess” to be able to access the console.
AWS Shield Advanced and AWS Firewall Manager
AWS Shield Advanced provides enhanced protections against more sophisticated and larger Distributed Denial of Service (DDoS) attacks for your applications running on specific AWS resources like Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, Global Accelerator, and Route 53. Shield Advanced needs to be enabled in each account that needs the protection. For managing Shield Advanced protected resources in multiple accounts, you can set up centralized monitoring using AWS Firewall Manager and Security Hub.
Firewall Manager enables you to create security policies that enforce DDoS protection compliance across all your accounts, or implement security groups across all your accounts. Security Hub automatically integrates with Firewall Manager, allowing you to view Shield Advanced security findings in a single dashboard, along with other high-priority security alerts and compliance statuses. Firewall Manager can automatically bring resources into compliance by creating them as Shield Advanced-protected resources and update Security Hub accordingly when the resources are in a compliant state.
This centralized approach simplifies management and provides a unified view of DDoS events and protections across all your accounts.
Security administrators need the “AWSFMAdminFullAccess” IAM policy to be able to perform all actions as an AWS Firewall Manager administrator, as well as manage the AWS Shield service.
AWS WAF
AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define. Configuring it, when required, is the responsibility of each workload owner; however, the security and audit teams might need the ability to verify and validate its implementation.
Security administrators need the “AWSWAFFullAccess” IAM policy to be able to verify, validate, create, or change WAF configurations and rules.
Audit users and other security administrators need the “AWSWAFConsoleReadOnlyAccess” IAM policy to be able to verify and validate the configurations.
AWS Systems Manager (SSM)
AWS Systems Manager (SSM) facilitates the implementation of least privilege access, the storage of security parameters such as credentials, the monitoring of resources for regular updates such as operating system patching, and centralized console access management.
Security administrators need the IAM policy “AmazonSSMFullAccess” to be able to execute all the functions required in the service, including triggering runbook executions, setting up automation of security patching, or gaining console access to EC2 instances.
Audit users need the IAM policy “AmazonSSMReadOnlyAccess” to be able to review compliance status such as automated patching configurations.
AWS Systems Manager Patch Manager
Proactively patching program or product security vulnerabilities helps organizations improve their security posture. Patch Manager, a capability of Systems Manager, automates the process of patching managed nodes with both security and application related updates.
AWS Systems Manager Patch Manager should be enabled and configured to scan and/or install patches on an account, multiple accounts, multiple OUs, or the entire AWS organization. When centralized, it provides security administrators with the ability to manage and mitigate issues from a single place. While organizations might want to leave the responsibility to users to configure and maintain their application patches, security best practices recommend that security patch management becomes a centralized function of the risk management team. Integration with Security Hub provides alerts for non-compliant instances.
This blog provides additional information on centralizing patching operations across an AWS multi-account environment.
AWS Systems Manager Session Manager
AWS Systems Manager Session Manager provides a secure way to manage and access your EC2 instances. It allows you to open a secure shell (SSH) or establish a remote desktop protocol (RDP) session directly to instances without needing to expose them to the public internet or manage SSH keys. It provides centralized control over terminal access, an audit trail, encrypted communication, logging and recording of the activities on the terminal, and cross-platform support, without the need to manage SSH keys.
Security administrators can leverage this service to enforce secure terminal access, but also use it in audit or investigation activities that require access to EC2 instance terminals. In order for Session Manager to access an instance, an IAM instance profile role must be associated with every instance. That can be achieved automatically by using the Host Management feature of SSM.
AWS Audit Manager
AWS Audit Manager is a service that offers an audit preparation framework and tools to assist users in preparing for audits of their AWS environments. It is specifically designed to help organizations assess the compliance of their resources and configurations with various industry standards and regulations.
Users can leverage the Control Tower Controls framework in Audit Manager to streamline their audit preparation process. The framework helps users assess their AWS resources based on the defined controls and gather evidence relevant for a Control Tower audit. Once evidence is collected and reviewed, it can be added to an assessment report, demonstrating compliance with the required controls.
AWS Audit Manager should be enabled on the Control Tower management account, and the Audit account should be the delegated administrator account. On the Audit account, an S3 bucket is used to store the report output. Security administrators and/or audit users should have the “AWSAuditManagerAdministratorAccess” IAM policy, which provides permissions to configure the service, create audits, collect evidence, etc.
AWS Artifact
AWS Artifact offers a collection of compliance reports and certifications, accessible to AWS customers and partners. These reports play a crucial role in understanding how AWS has implemented security and compliance controls throughout its services. Compliance and risk management users with access to an AWS account should be able to retrieve the documents they need to complete their security assessments and/or compliance audits. The audit users should have the following policies in order to access the artifacts, accept and terminate agreements:
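As an added example that is not part of the original post, the following Python script encodes the per-service managed-policy recommendations from the service sections above as a matrix and checks a principal's attached managed policies, in the form returned by iam:ListAttachedRolePolicies, against the recommendation for that security function. The attachment list at the end is constructed sample input.

```python
"""Compare a principal's attached AWS managed policies with the per-function
recommendations in this post.  Added example; the sample attachments are
constructed, not read from a real account."""

# Managed policy recommended per service for each security function, as
# transcribed from the sections above.  A service absent from a tier has no
# recommendation for that tier in the post.
RECOMMENDED = {
    "security_admin": {
        "Organizations": "AWSOrganizationsFullAccess",
        "CloudTrail": "AWSCloudTrail_FullAccess",
        "Config": "AWSConfigMultiAccountSetupPolicy",
        "Health": "AWSHealthFullAccess",
        "IAM Identity Center": "AWSSSOMasterAccountAdministrator",
        "Security Hub": "AWSSecurityHubFullAccess",
        "GuardDuty": "AmazonGuardDutyFullAccess",
        "Inspector": "AmazonInspectorFullAccess",
        "KMS": "AWSKeyManagementServicePowerUser",
        "Macie": "AmazonMacieFullAccess",
        "Network Manager": "AWSNetworkManagerFullAccess",
        "Firewall Manager": "AWSFMAdminFullAccess",
        "WAF": "AWSWAFFullAccess",
        "Systems Manager": "AmazonSSMFullAccess",
        "Audit Manager": "AWSAuditManagerAdministratorAccess",
    },
    "audit_user": {
        "Organizations": "AWSOrganizationsReadOnlyAccess",
        "CloudTrail": "AWSCloudTrail_ReadOnlyAccess",
        "Config": "AWSConfigUserAccess",
        "Security Hub": "AWSSecurityHubReadOnlyAccess",
        "GuardDuty": "AmazonGuardDutyReadOnlyAccess",
        "Inspector": "AmazonInspectorReadOnlyAccess",
        "Macie": "AmazonMacieReadOnlyAccess",
        "Network Manager": "AWSNetworkManagerReadOnlyAccess",
        "WAF": "AWSWAFConsoleReadOnlyAccess",
        "Systems Manager": "AmazonSSMReadOnlyAccess",
        "Audit Manager": "AWSAuditManagerAdministratorAccess",
    },
}

# The post advises against granting this blanket policy to the security team.
OVERBROAD = {"AdministratorAccess"}


def policy_name(arn):
    """'arn:aws:iam::aws:policy/Foo' -> 'Foo'."""
    return arn.rsplit("/", 1)[-1]


def check_attachments(function, attached_policy_arns, services_in_use):
    """Return the gaps between what is attached and what the post recommends.

    missing    - services in use whose recommended policy is not attached
    overbroad  - attached policies the post advises against
    unexpected - attached policies outside this function's recommended set
                 (for example a full-access policy on an audit user)
    """
    expected = RECOMMENDED[function]
    attached = {policy_name(arn) for arn in attached_policy_arns}
    missing = sorted(s for s in services_in_use
                     if s in expected and expected[s] not in attached)
    overbroad = sorted(attached & OVERBROAD)
    unexpected = sorted(attached - set(expected.values()) - OVERBROAD)
    return {"missing": missing, "overbroad": overbroad, "unexpected": unexpected}


# Constructed sample: policies attached to an audit user's role, in the
# form returned by iam:ListAttachedRolePolicies.
SAMPLE_AUDIT_ROLE_POLICIES = [
    "arn:aws:iam::aws:policy/AWSCloudTrail_ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonGuardDutyFullAccess",
    "arn:aws:iam::aws:policy/AdministratorAccess",
]
SAMPLE_SERVICES_IN_USE = ["CloudTrail", "Config", "Security Hub", "GuardDuty"]
```

Run against the sample, the audit role is missing the read-only Config and GuardDuty policies, carries the blanket AdministratorAccess policy the post advises against, and has an administrator-tier GuardDuty policy it should not need.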
Summary of Permissions Recommendations
The table below summarizes the AWS access needed by the various security related functions we typically see reflected in our customers’ security teams:
In conclusion, security administrators should know about the foundational AWS services required to meet basic security needs, and in order to manage security risk and compliance they need proper access to and visibility into those services. This includes the appropriate IAM permissions and account access to effectively manage security and compliance in a multi-account AWS environment governed by Control Tower. These permissions include the ability to centrally manage Control Tower and AWS Organizations, monitor and audit AWS resources, and manage security tools and services. Ensuring that security administrators have the necessary permissions helps organizations improve security and compliance for their AWS environments.
For additional guidelines for deploying the full complement of AWS security services in a multi-account environment visit AWS Prescriptive Guidance – AWS Security Reference Architecture.
About the authors