SecurityConfig / CentralSecurityServicesConfig

AWS Accelerator central security services configuration

Example

centralSecurityServices:
  delegatedAdminAccount: Audit
  ebsDefaultVolumeEncryption:
    enable: true
    excludeRegions: []
  s3PublicAccessBlock:
    enable: true
    excludeAccounts: []
  scpRevertChangesConfig:
    enable: true
    snsTopicName: Security
  guardduty:
    enable: true
    excludeRegions: []
    s3Protection:
      enable: true
      excludeRegions: []
    eksProtection:
      enable: true
      excludeRegions: []
    exportConfiguration:
      enable: true
      overrideExisting: true
      destinationType: S3
      exportFrequency: FIFTEEN_MINUTES
  macie:
    enable: true
    excludeRegions: []
    policyFindingsPublishingFrequency: FIFTEEN_MINUTES
    publishSensitiveDataFindings: true
  snsSubscriptions: []
  securityHub:
    enable: true
    regionAggregation: true
    snsTopicName: Security
    notificationLevel: HIGH
    excludeRegions: []
    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        enable: true
      - name: PCI DSS v3.2.1
        enable: true
        controlsToDisable:
          # Refer to the document for the controls
          # https://docs.aws.amazon.com/securityhub/latest/userguide/pci-standard.html
          - Control1
          - Control2
      - name: CIS AWS Foundations Benchmark v1.2.0
        enable: true
      - name: CIS AWS Foundations Benchmark v1.4.0
        enable: true
        controlsToDisable:
          # Refer to the document for the controls
          # https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html#cis1v4-standard
          - Control1
          - Control2
      - name: NIST Special Publication 800-53 Revision 5
        enable: true
        controlsToDisable:
          # Refer to the document for the controls
          # https://docs.aws.amazon.com/securityhub/latest/userguide/nist-standard.html
          - Control1
          - Control2
  ssmAutomation:
    documentSets: []

Hierarchy

  • CentralSecurityServicesConfig

Properties

auditManager: undefined | AuditManagerConfig = undefined

(OPTIONAL) Amazon Audit Manager Configuration

delegatedAdminAccount: "Audit" = 'Audit'

Designated administrator account name for Accelerator security services. AWS Organizations lets you designate a member account as the delegated administrator for the organization; users and roles in that account can then perform administrative actions for security services such as Macie, GuardDuty, Detective and Security Hub. Without a designated administrator account, administrative tasks for these security services can be performed only by users or roles in the organization's management account. Delegating them separates management of the organization from management of the security services. Accelerator uses the Audit account as the designated administrator account.

Default

Audit

To make the Audit account the designated administrator account for every security service configured by Accelerator, provide the value below for this parameter.

Example

delegatedAdminAccount: Audit

detective: undefined | DetectiveConfig = undefined

(OPTIONAL) Amazon Detective Configuration

ebsDefaultVolumeEncryption: EbsDefaultVolumeEncryptionConfig = ...

AWS Elastic Block Store default encryption configuration

Accelerator uses this parameter to configure EBS default encryption. Accelerator creates a KMS key for every AWS environment (account and region), which is used as the default EBS encryption key.

To enable EBS default encryption in every region Accelerator is deployed to, provide the value below for this parameter.

Example

ebsDefaultVolumeEncryption:
  enable: true
  excludeRegions: []

guardduty: GuardDutyConfig = ...

Amazon GuardDuty Configuration

macie: MacieConfig = ...

Amazon Macie Configuration

Accelerator uses this parameter to define the Amazon Macie configuration.

To enable Macie in every region Accelerator is deployed to, publish updates to policy findings for the account every fifteen minutes, and publish sensitive data findings to Security Hub, provide the value below for this parameter.

Example

macie:
  enable: true
  excludeRegions: []
  policyFindingsPublishingFrequency: FIFTEEN_MINUTES
  publishSensitiveDataFindings: true

s3PublicAccessBlock: S3PublicAccessBlockConfig = ...

AWS S3 public access block configuration

Accelerator uses this parameter to block AWS S3 public access.

To enable S3 public access blocking in every region Accelerator is deployed to, provide the value below for this parameter.

Example

s3PublicAccessBlock:
  enable: true
  excludeAccounts: []

scpRevertChangesConfig: ScpRevertChangesConfig = ...

(OPTIONAL) AWS Service Control Policies Revert Manual Changes configuration

Example

scpRevertChangesConfig:
  enable: true
  snsTopicName: Security

securityHub: SecurityHubConfig = ...

AWS Security Hub configuration

Accelerator uses this parameter to define the AWS Security Hub configuration.

To enable AWS Security Hub for all regions, enable the "AWS Foundational Security Best Practices v1.0.0" security standard with deployment targets, and disable selected controls, provide the value below for this parameter.

Example

securityHub:
  enable: true
  regionAggregation: true
  snsTopicName: Security
  notificationLevel: HIGH
  excludeRegions: []
  standards:
    - name: AWS Foundational Security Best Practices v1.0.0
      deploymentTargets:
        organizationalUnits:
          - Root
      enable: true
      controlsToDisable:
        # Refer to the document for the control ID
        # https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html
        - Control1
        - Control2

snsSubscriptions: SnsSubscriptionConfig[] = []

AWS SNS subscription configuration (Deprecated)

NOTICE: The configuration of SNS topics is being moved to the Global Config. This block is deprecated and will be removed in a future release.

Accelerator uses this parameter to define the AWS SNS notification configuration.

To enable high, medium and low SNS notifications, provide the value below for this parameter.

Example

snsSubscriptions:
  - level: High
    email: <notify-high>@example.com
  - level: Medium
    email: <notify-medium>@example.com
  - level: Low
    email: <notify-low>@example.com

ssmAutomation: SsmAutomationConfig = ...

AWS Systems Manager Document configuration

Accelerator uses this parameter to define the AWS Systems Manager documents configuration. SSM documents are created in the designated administrator account for security services, i.e. the Audit account.

To create an SSM document named "SSM-ELB-Enable-Logging" in every region Accelerator is deployed to and share it with the Root organizational unit (OU), provide the value below for this parameter. To share the document with specific accounts instead, uncomment the accounts list. A valid SSM document template file, ssm-documents/ssm-elb-enable-logging.yaml, must be present in the Accelerator config repository; Accelerator uses this template file to create the document.

Example

ssmAutomation:
  excludeRegions: []
  documentSets:
    - shareTargets:
        organizationalUnits:
          - Root
        # accounts:
        #   - Network
      documents:
        - name: SSM-ELB-Enable-Logging
          template: ssm-documents/ssm-elb-enable-logging.yaml
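The properties above each carry an `enable` flag plus an `excludeRegions` or `excludeAccounts` carve-out, and the Security Hub standards carry a `controlsToDisable` list; every one of those is a place where coverage can silently shrink during a config review. As an added example (this is not Accelerator project code, and nothing on this page describes such a check), the Python below lints a `centralSecurityServices` block that has already been parsed into a dict (for instance with `yaml.safe_load`) and reports the gaps a reviewer would look for: services left disabled, regions or accounts excluded, GuardDuty protection features switched off, Security Hub standards disabled or still carrying the `Control1`/`Control2` placeholders from the examples, and the deprecated `snsSubscriptions` block still in use. The sample config is constructed for this example: it mirrors the page's example but deliberately includes a few weaknesses so the checks have something to report.

```python
"""Lint an Accelerator centralSecurityServices block for coverage gaps.

Added example, not part of the Accelerator project. It operates on the
config after YAML parsing (a plain dict), so it needs no third-party
libraries. SAMPLE_CONFIG below is constructed for the example.
"""
from __future__ import annotations

# Services that carry an `enable` flag and an `excludeRegions` list.
# The keys are the property names from the config reference; grouping
# them this way is this example's own choice.
REGION_SCOPED = ("ebsDefaultVolumeEncryption", "guardduty", "macie", "securityHub")

# GuardDuty sub-features that should normally stay on once GuardDuty is enabled.
GUARDDUTY_FEATURES = ("s3Protection", "eksProtection", "exportConfiguration")

# Placeholder control IDs copied from the documentation examples; a real
# config should list actual control IDs from the linked AWS pages instead.
PLACEHOLDER_CONTROLS = {"Control1", "Control2"}


def audit_central_security_services(cfg: dict) -> list[str]:
    """Return human-readable findings for the block; an empty list means no gaps."""
    findings: list[str] = []

    # Delegated administration should sit in the Audit account, as the reference states.
    admin = cfg.get("delegatedAdminAccount")
    if admin != "Audit":
        findings.append(f"delegatedAdminAccount is {admin!r}, expected 'Audit'")

    # Every region-scoped service must be enabled and must not carve out regions.
    for svc in REGION_SCOPED:
        block = cfg.get(svc) or {}
        if not block.get("enable", False):
            findings.append(f"{svc} is not enabled")
            continue
        for region in block.get("excludeRegions", []):
            findings.append(f"{svc} excluded in region {region}")

    # S3 Block Public Access is account-scoped, so its carve-out lists accounts.
    s3pab = cfg.get("s3PublicAccessBlock") or {}
    if not s3pab.get("enable", False):
        findings.append("s3PublicAccessBlock is not enabled")
    for acct in s3pab.get("excludeAccounts", []):
        findings.append(f"s3PublicAccessBlock excluded for account {acct}")

    # GuardDuty protection features and findings export each have their own flag.
    gd = cfg.get("guardduty") or {}
    if gd.get("enable", False):
        for feature in GUARDDUTY_FEATURES:
            if not (gd.get(feature) or {}).get("enable", False):
                findings.append(f"guardduty.{feature} is not enabled")

    # Security Hub standards: flag disabled standards and placeholder control IDs.
    for std in (cfg.get("securityHub") or {}).get("standards", []):
        name = std.get("name", "<unnamed>")
        if not std.get("enable", False):
            findings.append(f"securityHub standard '{name}' is disabled")
        for ctl in std.get("controlsToDisable", []):
            if ctl in PLACEHOLDER_CONTROLS:
                findings.append(f"securityHub standard '{name}' disables placeholder control {ctl}")

    # The reference marks snsSubscriptions as deprecated in favour of the global config.
    if cfg.get("snsSubscriptions"):
        findings.append("snsSubscriptions is deprecated; move SNS topics to the global config")

    return findings


# Constructed sample: the page's example with a few deliberate weaknesses.
SAMPLE_CONFIG: dict = {
    "delegatedAdminAccount": "Audit",
    "ebsDefaultVolumeEncryption": {"enable": True, "excludeRegions": []},
    "s3PublicAccessBlock": {"enable": True, "excludeAccounts": ["Sandbox"]},  # carve-out
    "scpRevertChangesConfig": {"enable": True, "snsTopicName": "Security"},
    "guardduty": {
        "enable": True,
        "excludeRegions": ["eu-west-3"],  # region carve-out
        "s3Protection": {"enable": True, "excludeRegions": []},
        "eksProtection": {"enable": False, "excludeRegions": []},  # feature off
        "exportConfiguration": {"enable": True, "overrideExisting": True,
                                "destinationType": "S3", "exportFrequency": "FIFTEEN_MINUTES"},
    },
    "macie": {"enable": True, "excludeRegions": [],
              "policyFindingsPublishingFrequency": "FIFTEEN_MINUTES",
              "publishSensitiveDataFindings": True},
    "snsSubscriptions": [],
    "securityHub": {
        "enable": True, "regionAggregation": True, "snsTopicName": "Security",
        "notificationLevel": "HIGH", "excludeRegions": [],
        "standards": [
            {"name": "AWS Foundational Security Best Practices v1.0.0", "enable": True},
            {"name": "PCI DSS v3.2.1", "enable": True,
             "controlsToDisable": ["Control1", "Control2"]},  # placeholders left in
            {"name": "CIS AWS Foundations Benchmark v1.2.0", "enable": False},  # disabled
        ],
    },
    "ssmAutomation": {"documentSets": []},
}

if __name__ == "__main__":
    for line in audit_central_security_services(SAMPLE_CONFIG):
        print("FINDING:", line)
```

Run against the sample it reports six findings: the GuardDuty region carve-out, the S3 account carve-out, EKS protection switched off, the two placeholder control IDs under PCI DSS, and the disabled CIS 1.2.0 standard. Feeding it the page's own example (after replacing the placeholder control names) yields an empty list, which is the state to aim for before a config change is merged.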

Generated using TypeDoc