adding small snippet around AWS orgs #190
Status: Open. Wants to merge 2 commits into base branch master.
16 changes: 16 additions & 0 deletions docs/guidelines/aws_security.md
@@ -8,6 +8,22 @@ description: Best practices for securely operating in Amazon Web Services

The goal of this document is to help teams operate safely within Amazon Web Services. All Mozilla AWS accounts should follow the recommendations below.

# Organizations

An [AWS Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) is a method to centralize multiple AWS accounts into a logical group. By doing so, the organization reduces complexity, unifies and increases visibility of child account activity.

## Use an AWS Organization

* How to : Follow the [AWS guided setup](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html) to onboard your AWS accounts into an organization. You can select to do consolidated billing features only or to [allow all features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html) (default). There are some [things to know before proceeding](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html#before-enabling-all) with the enable all features option. By enabling this feature and onboarding child accounts, you can easily deploy features to all accounts uniformally instead of individual accounts and potentially missing coverage.

[Using GuardDuty for Organizations](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html)<br>
[Using Cloudtrail for Organizations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.html)<br>
[Using Security Hub for Organizations](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html)<br>

* Audited: False
* Rationale
- Account management is difficult and easy to lose track of what accounts have which features and/or security enhancements enabled

# Root User

The [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) of an AWS account is the single identity that has complete access to all AWS services and resources in the account. The root user has no username, is not a part of the AWS IAM product and instead uses their Amazon email address to log in. If an attacker gains control of the root user in an AWS account, there is no higher authority role that a security incident responder can use to eradicate the attackers access. With root user access, the attacker can exploit the resources in the AWS account and infosec will have little ability to respond.
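Review bot: the Rationale bullet in the new Organizations section never states the security case for an organization, and the "things to know before proceeding" link is left unexplained, so a reader cannot tell why the default all-features mode is recommended over consolidated billing only. Suggest one or two sentences naming what all-features enables that billing-only does not (service control policies enforced on every member account from the management account, plus the organization-wide GuardDuty, CloudTrail and Security Hub setups the three links under the How to bullet already point to) and one sentence on the cost: the management account becomes the highest-value identity in the estate, should run no workloads, and its root user needs the protections the Root User section directly below already describes. Smaller points in the same hunk: "uniformally" should be "uniformly"; "How to :" has a stray space before the colon; the three Organizations links sit as a loose `<br>`-joined block between the How to and Audited bullets rather than as sub-items of the How to bullet, and the Rationale sub-bullet uses `-` where the rest of the list uses `*`; "Account management is difficult and easy to lose track of what accounts have which features and/or security enhancements enabled" reads better as "It is difficult to keep track of which accounts have which features and security enhancements enabled".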