AWS has unveiled its official Prescriptive Guidance for AWS Cloud Security Maturity [1]. This resource is aimed at assisting Chief Security Officers (CSOs) and Architects in crafting their cloud security strategies and evaluating their progress against a maturity model.

This blog post suggests how to distribute the AWS services across the proposed AWS Foundation Core accounts and how to manage the AWS resources with Terraform [2], provisioned through granular CI/CD pipelines.

Reference Implementation

The following diagram illustrates an Infrastructure as Code (IaC) Continuous Integration and Deployment (CI/CD) pipeline to maintain the Foundation Core assets of an AWS Organization.

The diagram contains repositories (for pipelines, features and specifications), AWS accounts and their AWS services and highlights the interconnectivity between repos and CI/CD pipelines. Most of the feature repositories are part of the ACAI Cloud Foundation (ACF).

CI/CD Pipeline Overview

All Foundation Core pipelines leverage the following ACF repos for sharing static and dynamic information:

customer-acf-settings: A hierarchical HCL map organized according to the Foundation Capability domains, which include governance, security, and connectivity, along with their specific features.
terraform-aws-acf-core-configuration: Storage and distribution of dynamic information (e.g. KMS-Key ID).
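The split between static settings and dynamic information can look like this in a consuming pipeline. This is an added sketch, not code from the ACF repositories: every key, path, account ID and role name is hypothetical, and it assumes the dynamic values are published as a JSON document in SSM Parameter Store. It stores the key ARN rather than the bare key ID because `aws_cloudtrail` expects an ARN.

```hcl
# Added illustration. Every key, name, path and ARN below is hypothetical
# and does not reflect the real ACF repository schemas.

# Static information: hierarchical map keyed by Foundation Capability domain.
locals {
  foundation_settings = {
    governance = {
      org_mgmt = { tagging_policy_keys = ["owner", "environment"] }
    }
    security = {
      org_cloudtrail = {
        trail_name         = "example-org-trail"
        log_archive_bucket = "example-org-cloudtrail-logs"
      }
    }
    connectivity = {
      networking = { primary_region = "eu-central-1" }
    }
  }
  cloudtrail = local.foundation_settings.security.org_cloudtrail

  # Dynamic information: values only known after another pipeline has run.
  core_configuration = jsondecode(data.aws_ssm_parameter.core_configuration.value)
}

# Assumption: the producing pipeline publishes its outputs as JSON in SSM
# Parameter Store, and this read-only role is the only access consumers get.
provider "aws" {
  alias  = "core_configuration"
  region = local.foundation_settings.connectivity.networking.primary_region
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/example-core-configuration-reader"
  }
}

data "aws_ssm_parameter" "core_configuration" {
  provider = aws.core_configuration
  name     = "/example/core-configuration/security/logging"
}

# Consumer: the organization trail combines static settings with the dynamic key.
resource "aws_cloudtrail" "org" {
  name                       = local.cloudtrail.trail_name
  s3_bucket_name             = local.cloudtrail.log_archive_bucket
  is_organization_trail      = true
  is_multi_region_trail      = true
  enable_log_file_validation = true
  kms_key_id                 = local.core_configuration.kms_key_arn
}
```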

The following table outlines the Foundation Core pipelines:

| Pipeline | Used ACF Module | Description | Target Accounts | AWS Services in scope |
| --- | --- | --- | --- | --- |
| Org-Mgmt | acf-org-mgmt | OU hierarchy, service delegation, tagging policies | AWS Org Management | AWS Organizations, AWS Control Tower (optional) |
| Core-Account-Lifecycle | acf-account-lifecycle | Account vending, tagging, OU placement, decommissioning | AWS Org Management | AWS Organizations |
| Core-SCP | acf-scp | Specification and assignment of Service Control Policies | AWS Org Management | AWS Organizations |
| Core-Org-CloudTrail | acf-org-cloudtrail | Configuration of the Organization CloudTrail | AWS Org Management or delegated admin, Core Log Archive | AWS CloudTrail, Amazon CloudWatch, Amazon S3, AWS KMS |
| Core-SSO | acd-idc | Definition of Permission Sets and management of the assignments | AWS Org Management or delegated admin | AWS IAM Identity Center |
| Core-Security | acf-firewall-manager | Heart of Security Operations | Core Security | AWS Security Hub, Amazon GuardDuty, Amazon Detective, AWS Config, AWS Firewall Manager, AWS Lambda |
| Core-Security-SEMPER | acai-semper | ACAI solution for security finding lifecycle management | Core Security, Core Log Archive | AWS Lambda, Amazon S3, AWS KMS |
| Core-Logging | acf-logging | Blackhole for audit logs | Core Log Archive | Amazon S3, AWS KMS, Amazon SNS |
| Core-Image-Factory | acf-image-factory | Lifecycle management for golden images | Core Image Factory | Lambda, EC2 Image Builder, ECR, Amazon Inspector |
| Core-Private-CA | acf-private-ca | Private CA | Core Private CA | AWS Private CA |
| Core-Backup | acf-backup | Backup vault and policies | Core Central Backup | AWS Backup |
| Core-Networking | acf-networking | All networking-related aspects | Core Networking | Amazon VPC, AWS Certificate Manager, AWS Resource Access Manager, Amazon Route 53, Amazon CloudFront, AWS WAF, AWS Network Firewall |
| Core-Baselining | acf-managed-stacksets | Individually baseline all accounts of the AWS Organization | Core Baselining | AWS Step Functions, AWS CloudFormation |

ACAI Consulting specializes in AWS Multi Account Security and Governance. If you have any questions, feel free to get in touch with us.


[1] Prescriptive Guidance on AWS Cloud Security Maturity