AWS Organizations Setup

Stage Description
2 Create CloudTrail buckets (cft) in Security or Logging Account
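An added example of the stage 2 bucket, written for this page and not one of the page's own cft templates: a CloudFormation template for the Security (or Logging) account that creates one log bucket whose policy accepts delivery from a trail owned by the payer account. The parameter names, the bucket name, and the placeholder Organization id are assumptions; deploy it once for the management-event bucket and once more, with a different BucketName, for the data-event bucket.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Central CloudTrail log bucket in the Security account. Deploy once for
  management events and once more (different BucketName) for data events.

Parameters:
  BucketName:
    Type: String
    Description: Name of the log bucket (assumption, e.g. cloudtrail-mgmt-<security account id>)
  PayerAccountId:
    Type: String
    Description: Account id of the payer (management) account that owns the trail
  OrganizationId:
    Type: String
    Description: Organization id, e.g. o-xxxxxxxxxx (placeholder, supply your own)

Resources:
  TrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      # The bucket holds audit evidence: no public access, encrypted at rest,
      # versioned so a delete does not silently destroy history.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled

  TrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # CloudTrail reads the bucket ACL before it starts delivering.
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt TrailBucket.Arn
            Condition:
              ArnLike:
                aws:SourceArn: !Sub 'arn:aws:cloudtrail:*:${PayerAccountId}:trail/*'
          # The payer account's own events land under AWSLogs/<payer id>/,
          # member accounts' events under AWSLogs/<org id>/<member id>/.
          # aws:SourceArn keeps any other account's trail from writing here
          # (confused-deputy protection).
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub '${TrailBucket.Arn}/AWSLogs/${PayerAccountId}/*'
              - !Sub '${TrailBucket.Arn}/AWSLogs/${OrganizationId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
              ArnLike:
                aws:SourceArn: !Sub 'arn:aws:cloudtrail:*:${PayerAccountId}:trail/*'
          # Refuse plaintext HTTP for everyone, including the bucket owner.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource:
              - !GetAtt TrailBucket.Arn
              - !Sub '${TrailBucket.Arn}/*'
            Condition:
              Bool:
                aws:SecureTransport: 'false'

Outputs:
  BucketArn:
    Value: !GetAtt TrailBucket.Arn
```

The two Resource entries in the write statement matter: an Organization trail writes the payer account's own records under the payer account id and every member account's records under the Organization id, so a policy that only lists one of the two paths silently loses half the logs. A quick check after deployment is to confirm that both AWSLogs/<payer id>/ and AWSLogs/<org id>/ prefixes start filling within a few minutes of enabling the trail.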
3 Enable OrgTrails (cft) to go to the bucket in the Security Account:
  • Depending on volume, split your Read and Management Events
  • Depending on budget and volume, enable DataEvents into their own S3 bucket (but don’t log data events on your DataEvent bucket itself)
  • Note: You cannot enable an Organization trail via CloudFormation, so you must check the box in the CloudTrail console once the OrgTrail templates are deployed
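An added example for stage 3, not one of the page's own templates: a CloudFormation template for the payer account that creates the trails described above, with management events split into a write-only and a read-only trail, and data events sent to their own bucket. The trail names, the parameter names, and the application bucket whose object-level events are recorded are assumptions. As the note above says, the organization-wide setting is not applied here; the trails are made Organization trails in the console afterwards.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Trails in the payer account: management events split into write-only and
  read-only trails, plus a separate data-event trail to its own bucket.

Parameters:
  ManagementBucketName:
    Type: String
    Description: Security-account bucket that receives management events
  DataEventBucketName:
    Type: String
    Description: Security-account bucket that receives data events (a separate bucket)
  AppBucketName:
    Type: String
    Description: Application bucket whose object-level events are recorded (assumption)

Resources:
  # Write (mutating) management events: the low-volume, high-value half.
  ManagementWriteTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: org-management-write
      S3BucketName: !Ref ManagementBucketName
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true
      EventSelectors:
        - ReadWriteType: WriteOnly
          IncludeManagementEvents: true

  # Read (Describe/List/Get) management events: far higher volume, so they
  # get their own trail and can be switched off alone if budget requires.
  ManagementReadTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: org-management-read
      S3BucketName: !Ref ManagementBucketName
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true
      EventSelectors:
        - ReadWriteType: ReadOnly
          IncludeManagementEvents: true

  # Data events go to a different bucket. The selector names an application
  # bucket only; it must never include DataEventBucketName itself, or every
  # delivered log file would generate yet another data event in a loop.
  DataEventTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: org-data-events
      S3BucketName: !Ref DataEventBucketName
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: false
      EnableLogFileValidation: true
      EventSelectors:
        - ReadWriteType: All
          IncludeManagementEvents: false
          DataResources:
            - Type: AWS::S3::Object
              Values:
                # Trailing slash means every object in the bucket.
                - !Sub 'arn:aws:s3:::${AppBucketName}/'
```

Both management trails deliver into the same AWSLogs/ prefix of the management bucket; if the SIEM in stage 4 needs to tell the two apart at the object level, add an S3KeyPrefix to each trail and extend the bucket policy's PutObject Resource entries with that prefix, since CloudTrail then writes under <prefix>/AWSLogs/... rather than AWSLogs/... directly.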
4 Ingest logs/events into a SIEM
5 Enable Delegated Admin to your Security account for:
  • CloudFormation
  • GuardDuty (sh) - this must be done in each region
  • IAM Access Analyzer
  • Macie
  • Config (sh)
  • Security Hub
6 Require MFA (cft) in the Payer and Security Account
7 Deploy the AuditRole (cft, stackset) into the payer and all child accounts
  • Configure GuardDuty for the Organization (sh) in the Security Account
  • Configure GuardDuty to send Events to Slack (cft)
  • Deploy Config Recorders (cft) to all accounts and active regions in your Organization
  • Deploy a Config Aggregator (cft) in the Security Account
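An added example for the AuditRole of stage 7, written for this page and not the page's own cft or stackset template: a CloudFormation template, deployed as a StackSet to the payer and every child account, that creates a read-only audit role which only the Security account can assume, and only from an MFA-authenticated session (tying it to the MFA requirement of stage 6). The role name and parameter names are assumptions; SecurityAudit and job-function/ViewOnlyAccess are AWS managed policies.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  AuditRole deployed by StackSet into every account: read-only, assumable
  only from the Security account and only by an MFA-authenticated session.

Parameters:
  SecurityAccountId:
    Type: String
    Description: Account id of the Security account (placeholder, supply your own)
  RoleName:
    Type: String
    Default: AuditRole
    Description: Same name in every account so the Security account can address it uniformly

Resources:
  AuditRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      # Short sessions: an auditor re-authenticates (with MFA) every hour.
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Trust the whole Security account; its own IAM decides which
              # users or roles there may actually call sts:AssumeRole.
              AWS: !Sub 'arn:aws:iam::${SecurityAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              # Only sessions that authenticated with MFA may assume the role.
              # Role-chained sessions do not carry MFA context, so automation
              # that needs cross-account read access should get its own role
              # with a different trust condition rather than this one.
              Bool:
                aws:MultiFactorAuthPresent: 'true'
      ManagedPolicyArns:
        # SecurityAudit covers configuration and policy reads; ViewOnlyAccess
        # adds List/Describe without granting object or data reads.
        - arn:aws:iam::aws:policy/SecurityAudit
        - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

Outputs:
  AuditRoleArn:
    Value: !GetAt
t AuditRole.Arn
```

Because the trust policy names the account root rather than a specific user, the Security account must also grant sts:AssumeRole on arn:aws:iam::*:role/AuditRole to its auditors; both sides have to agree before a session is issued. Every assumption of the role shows up as an AssumeRole event in the OrgTrail from stage 3, which gives the SIEM in stage 4 a clean signal for "who looked at which account, when".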