| 1 |
|
| 2 |
Create CloudTrail buckets (cft) in Security or Logging Account |
| 3 |
Enable OrgTrails (cft) to go to the bucket in the Security Account:- Depending on volume, split your Read and Management Events
- Depending on budget and volume, enable DataEvents into their own S3 bucket (but don’t do data events on your DateEvent bucket)
- Note: You cannot enable an Organization trail via CloudFormation, so you must check the box in the CloudTrail console once the OrgTrail templates are deployed
|
| 4 |
Ingest logs/events into a SIEM |
| 5 |
Enable Delegated Admin to your Security account for:- CloudFormation
- GuardDuty (sh) - this must be done in each region
- IAM Access Analyzer
- Macie
- Config (sh)
- Security Hub
|
| 6 |
Require MFA (cft) in the Payer and Security Account |
| 7 |
Deploy the AuditRole (cft, stackset) into the payer and all child accounts |
| 8 |
- Configure GuardDuty for the Organization (sh) in the Security Account
- Configure GuardDuty to send Events to Slack (cft)
|
| 9 |
- Deploy Config Recorders (cft) to all accounts and active regions in your Organization
- Deploy a Config Aggregator (cft) in the Security Account
|