In this article we are going to see how Magellan Health designed the initial architecture for centralizing security across multiple AWS accounts. Even though the architecture has a few areas that can be improved, it still provides a lot of practical insight into building one. From my understanding, it is a very good architecture to start from and build upon. This architecture has been taken from the This is My Architecture series by AWS; I have already explained some of the other architectures from that series in detail, which you can look up here.

[Figure: centralized-security architecture diagram]

Following are the key design decisions that are worth mentioning:

  • CodePipeline is used to commit code.

  • CodeBuild is used to execute the committed code and ultimately generate the CloudFormation templates that control all the accounts.

  • CloudTrail is used to feed rules for CloudWatch Events, for example which events to listen to.

  • Three main functions of security lambdas:

    1. Geomatch Lambda: Geo restriction ensures that any region the security team deems unsafe is blocked from accessing the site.

    2. Registration/Association Lambda: Makes sure new AWS resources are protected. For example, assume an ALB or ELB instance is created. This triggers the registration function, which assumes a role in the account the resource was created in. The function checks whether the new resource was added or updated and whether it is protected by WAF; if it isn't, it adds it. Conversely, if the resource was deprecated, WAF removes the resource from its list so that the list accurately depicts what is protected and what is not.

    3. Custom Rules Applicator Lambda: This applicator lets the security team create custom rules for exceptions. The good thing about this lambda is that it's all code, which gives the application team an audit trail of 1. who created the exception, 2. why it was created, and 3. who approved the code commit. It helps to isolate and delegate responsibility.

  • Any time an event happens in AWS WAF or AWS Shield, an SNS notification is triggered to alert the security team.
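To make the Registration/Association flow in item 2 concrete, here is an added example of what that Lambda could look like. It is not Magellan Health's code; it assumes CloudTrail records for the ALB API (elasticloadbalancing v2) arrive wrapped in a CloudWatch Events envelope, that the WAFv2 API is in use, and that the cross-account role name `SecurityWafRegistration` and the `WEB_ACL_ARN` environment variable are placeholders.

```python
import os

# Added example of the Registration/Association function; not Magellan Health's code.
# Assumed (not on the page): CloudTrail records for the ALB API (elasticloadbalancing v2)
# arrive in a CloudWatch Events envelope, WAFv2 is used, and the role name is a placeholder.
CREATE_OR_UPDATE_EVENTS = {"CreateLoadBalancer", "ModifyLoadBalancerAttributes"}
DELETE_EVENTS = {"DeleteLoadBalancer"}
ROLE_NAME = "SecurityWafRegistration"  # hypothetical role deployed to every member account


def load_balancer_arns(detail):
    """ALB ARNs from a record: create -> responseElements, modify/delete -> requestParameters."""
    arns = [lb["loadBalancerArn"]
            for lb in (detail.get("responseElements") or {}).get("loadBalancers", [])]
    arn = (detail.get("requestParameters") or {}).get("loadBalancerArn")
    return arns + [arn] if arn else arns


def handle_event(event, waf, web_acl_arn):
    """Reconcile one event against the central Web ACL; returns [(arn, action)] for auditing."""
    detail = event["detail"]
    results = []
    for arn in load_balancer_arns(detail):
        if detail["eventName"] in DELETE_EVENTS:
            waf.disassociate_web_acl(ResourceArn=arn)  # keep WAF's list matching what exists
            results.append((arn, "disassociate"))
        elif detail["eventName"] in CREATE_OR_UPDATE_EVENTS:
            current = waf.get_web_acl_for_resource(ResourceArn=arn).get("WebACL")
            if current and current["ARN"] == web_acl_arn:
                results.append((arn, "already-protected"))
            else:
                waf.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=arn)
                results.append((arn, "associate"))
    return results


def lambda_handler(event, context):
    """Entry point: assume the role in the account that emitted the event, then reconcile."""
    import boto3  # imported here so handle_event can be exercised without boto3 installed
    detail = event["detail"]
    role_arn = f"arn:aws:iam::{detail['userIdentity']['accountId']}:role/{ROLE_NAME}"
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="waf-registration")["Credentials"]
    waf = boto3.client("wafv2", region_name=detail["awsRegion"],
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    return handle_event(event, waf, os.environ["WEB_ACL_ARN"])
```

Because `handle_event` takes the WAF client as a parameter, the reconcile logic can be unit-tested with a fake client before the function is ever granted a cross-account role.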

In retrospect, AWS Firewall Manager could be used to configure and manage these WAF rules across all the accounts and applications. I'm assuming by now the team would have changed the architecture and could very well be using Firewall Manager.

Reference: This is My Architecture, AWS