AWS Account Baseline
This repository contains configuration to roll out your AWS Baseline (also known as a Landing Zone). The result will be a flexible setup to give you a basis to build your specific infrastructure on.
The Baseline is implemented through a mix of CloudFormation Stacks and StackSets with individual parts being optional so you can decide the setup of your infrastructure.
Following is a selection of features implemented in this Baseline
- Various Roles and Access Management through Groups for all Subaccounts
- Auditing with CloudTrail, GuardDuty and Config
- Security Review with Prowler and ScoutSuite
- Service Control Policies to prevent access to auditing resources
- Flexible VPC Configuration
- AWS Athena Setup to quickly search through FlowLogs and CloudTrail across accounts
- Budgets so you don't get any expensive surprises at the end of the month
- and more ...
Customisations and Consulting
For more information on tools and guides for AWS and Serverless Infrastructure take a look at The Serverless Way.
Comparison to AWS Control Tower and Landing Zone
With the launch of Control Tower (and previously Landing Zone) AWS has their own Multi Account Organization Setup in place. Control Tower is a great service for new infrastructure, but at the time of this writing not available for existing Organizations. One further issue with Control Tower is its limited flexibility in how to set up accounts and roll out further customizations. In the future this should be resolved by more customisation options in Control Tower, but isn't yet implemented or released.
The plan for this Baseline is in the future to be compatible with Control Tower and provide features on top of it when that makes sense and is possible.
General Baseline Info
main-account-stacks folder contains CloudFormation Stacks that should be deployed first into your main account. It will set up roles and groups for your existing accounts and configure S3 Buckets to store various auditing data.
stack-sets folder contains StackSets that should be created in your main account and then deployed into your member accounts. For more information on the StackSets check out the README in the
Various stacks are based on or derived from the wonderful Widdix Templates. Check them out, they do an amazing job!
AWS Baseline Toolbox
As the AWS Baseline needs a few different tools and dependencies to be set up, the easiest way to get started is the toolbox that comes built in. With `make shell` you can start a Docker container that includes all necessary tools. It forwards all AWS environment variables you've set and makes the `~/.aws` folder accessible in the toolbox. This means you can use all your AWS credentials the same way as outside of the container.
Through this toolbox you should have a much easier time getting started with the rollout, so check it out.
Rolling out the Baseline
Rolling out and updating the Baseline can in essence be done by running `make rollout`. Before you do this make sure to read the whole Rolling Out the AWS Baseline Documentation to set all necessary config values correctly.
Auditing and Security
The Stacks and StackSets deployed to both the main and sub accounts set up a best practice auditing and security solution. That includes CloudTrail, Config and GuardDuty across all accounts and regions. For easy auditing of the current status of your accounts it also includes various AWS Security auditing tools that can be run with just one
Make sure to familiarize yourself with the specific services so you have a good understanding of the auditing setup and understand how to detect issues in your Organization.
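As an added illustration of the Service Control Policies this Baseline uses to protect the auditing resources (this is an example written for this README, not a policy taken from the repository's stacks), the following SCP denies principals in a member account the actions that would stop, delete or reconfigure the CloudTrail, Config and GuardDuty setup. The action names are real IAM actions; the selection and the Sid are assumptions about how such protection can be expressed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectAuditingServices",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder",
        "guardduty:DeleteDetector",
        "guardduty:DisassociateFromMasterAccount",
        "guardduty:UpdateDetector"
      ],
      "Resource": "*"
    }
  ]
}
```

An explicit Deny in an SCP applies even to administrators in the member account, but SCPs never apply to the organization's management (main) account, so access to that account still needs to be restricted through IAM roles and groups.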
User and Access Management
In the main account we're creating several assume-role groups which allow users to assume roles in sub-accounts. They are created automatically for any account found in the current organization. When you add new accounts you have to redeploy the stack so it picks up the new accounts and creates the groups accordingly. For more information on assuming roles in another account check out the Assume Role Documentation.
The stacks in the main account also create various groups for User Management. This allows you to add new users to groups to, for example, create new users or manage group membership. For more information on User Management check out the User Management Documentation.
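To show what permission such an assume-role group carries in the main account, here is an added example policy (written for this README, not copied from the repository's stacks). The member account ID 111122223333 and the role name AssumeRoleAdmin are placeholders; the MFA condition is an assumption, added so that a leaked long-lived access key alone is not enough to reach the sub-account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeAdminRoleInMemberAccount",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111122223333:role/AssumeRoleAdmin",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

The role in the member account must in turn trust the main account in its trust policy, and with the MFA condition in place users pass `--serial-number` and `--token-code` to `aws sts assume-role` (or configure `mfa_serial` in their profile).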
Check out the main-account-stacks README for more detail on each stack that gets deployed to the main AWS account.
The Baseline comes with its own Docker based toolbox that you can start with `make shell`. It includes different tools to manage the baseline as well as to interact with the AWS APIs. Check out the files in the toolbox folder to see all the tools that are installed.
The only required tool to roll out your infrastructure is Formica. If you do not want to or can't use the Docker based toolbox you need to install this tool.
Deleting default VPCs
Deleting all default VPCs from your account should be one of the first steps you take. The make task `delete-default-vpcs` will remove them across all regions with the currently exported credentials. So either set the credentials or the profile through environment variables and start the command. It will run inside of the baseline Docker container so you don't need any tools installed on your system.
The AWS Baseline is published under the Apache License Version 2.0.
If you want to contribute features, propose changes or report bugs please open an issue and fill out the issue template. The more context the better. Make sure to create an issue before you implement a specific enhancement so we can discuss it first and get on the same page before any time is spent on implementing it. Thanks for helping out!