
VIET-AWS
AWS User Group | Ho Chi Minh City - Hanoi
INTRODUCTION
@vietaws

KEY INFORMATION & DEMOGRAPHIC
#KEY_INFORMATION
Official AWS User Group in Vietnam
8,850 Members (27/09/2022)
Engagement Award (ASEAN) (18/12/2021); Nominated - AWS User Group of the Year - APAC (Deliver Results) - 2022

UPCOMING ACTIVITIES
Technical Sessions . Charity . Fundraising

#2022 - UPCOMING MEETUPS
Meetup 09 - Danang (Startup + Cost Optimization)
Meetup 10 - Ho Chi Minh (Serverless)
2nd Birthday of Viet-AWS

#2022 - UPCOMING EVENTS
Cloud Career Fair - FPT Education (HCMC) - Cloud Orientation
Cloud Career Fair (Hanoi)
AWS Community Builders program
Fundraising (Swag Store)

#2022 - FUNDRAISING
T-Shirt Selling
MDF from vendors
Swag Gift Selling
Best practices for multi-account environments
Huy Tran
Sr. Solutions Architect - AWS

© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• Multi-account environments – benefits & characteristics
• Separating workloads using multiple accounts
• Architecting your environment
What is an AWS account?
Each AWS account
• Is a resource container for AWS Cloud services
• Is an explicit security boundary
• Is a container for cost tracking and billing
• Is a mechanism to enforce service quotas and API thresholds
Over time, customers will add more accounts to support more applications and services
[Diagram: AWS Cloud – Account A holding compute, networking and content delivery, storage, and much more]
With one account…
[Diagram: a single AWS account with VPC 1, VPC 2 and VPC 3, each with public and private subnets hosting multiple workloads]
AWS Organizations
Provides you tools to centrally govern and manage your cloud environment
• Quickly scale by creating accounts and allocating resources
• Customize your environment by applying governance policies
• Secure and audit your environment
• Manage costs and identify cost-saving measures
What is an organization?
• Organizations contain a root, a management account, organizational units (OUs), and member accounts
• The organization root is the top-most node of the organization and defines the boundaries of the organization
• The management account is used to manage the organization
  § Activate cross-account services and delegate administration to member accounts
  § Limited access to management account
• OUs are groups of accounts
  § Can be used to enable policies on groups of accounts
  § Nested OUs can be used for separation – for example, dev and prod accounts
[Diagram: Root above the management account; OUs with nested OUs holding member accounts]
Benefits of a multi-account environment
Benefits | Use cases
Centrally provision accounts and resources for each team | Innovate with exclusive resources (many teams)
Share resources and control access | Organize AWS accounts (business process)
Optimize costs | Simplify billing (billing)
Secure and audit your environment | Tight security boundaries for compliance (isolation & security)
Architecting your environment

Architecting your environment
START SMALL
[Diagram: AWS Organizations OUs – foundational OUs (Security OU, Infrastructure OU), a Sandbox OU, and a Workloads OU containing Test OU and Production OU]
Account Structure
EXAMPLE STRUCTURE OF ACCOUNTS IN AWS ORGANIZATION
[Diagram: Management Account at the top of the AWS Organizations OUs; Foundation containing the Security OU (Logs Archive and Security-Toolings accounts) and the Infrastructure OU (Network and Shared-Infra accounts); Workloads containing the Prod OU (Workload 1 Prod, Workload 2 Prod accounts) and the Test OU (Workload 1 Test, Workload 2 Test accounts)]
Management account
CENTRALIZE ACCESS, CONTROL, AND RESOURCE MANAGEMENT
[Diagram: the management account is the AWS account that hosts AWS Control Tower, AWS Single Sign-On and AWS Organizations]
Security organizational unit
[Diagram: Security OU with two AWS accounts – Security Tooling (AWS Security Hub, Amazon GuardDuty, AWS Config) and Log Archive (access logs, DNS logs, flow logs, AWS CloudTrail events)]
Infrastructure organizational unit
[Diagram: Infrastructure OU with two AWS accounts – Network (AWS Transit Gateway, Amazon Virtual Private Cloud (Amazon VPC)) and Shared services (AWS Service Catalog, AWS Systems Manager Explorer, AWS CloudFormation)]
Separating workloads in the workload OU
[Diagram: AWS Organizations OUs – foundational OUs (Security OU, Infrastructure OU), Sandbox OU, Policy staging OU, Suspended OU, and the Workloads OU split into a Prod OU (AWS accounts Workload A prod, Workload B prod) and a Test OU (AWS accounts Workload A test, Workload B test)]
AWS Control Tower
Using AWS Control Tower to govern multi-account AWS environments at scale

© 2021, Amazon Web Services, Inc. or its Affiliates.
AWS management and governance services
Enable: AWS Control Tower, AWS Organizations, AWS Budgets, AWS License Manager, AWS Well-Architected Tool
Provision: AWS CloudFormation, AWS Service Catalog, AWS OpsWorks, AWS Marketplace
Operate: Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS Systems Manager, AWS Cost and Usage Report, AWS Cost Explorer
BUSINESS AGILITY + GOVERNANCE CONTROL
Business agility and governance control
[Diagram: governance and agility on a balance – self-service access, experiment fast, respond quickly to change]
Enable governance
• Set up an AWS landing zone
• Establish guardrails
• Centralize identity and access
• Automate compliant account provisioning
• Manage continuously
Landing Zone provisioned by AWS Control Tower
[Diagram: Management Account running AWS Control Tower, AWS Organizations and AWS Single Sign-On (AWS SSO directory), using AWS CloudFormation StackSets and AWS Service Catalog (Account Factory); Core OU with a Log Archive account (account baseline; centralized AWS CloudTrail and AWS Config logs) and an Audit account (account baseline; security cross-account roles; security notifications; Config Aggregator); Custom OU with provisioned accounts (account baseline, network baseline)]
Establish guardrails
Preventive guardrail: granular AWS policies enabled as AWS SCPs on organizational units; the output for the accounts is always compliant
Detective/remediable guardrails: granular AWS Config rules enabled on organizational units; the output for the accounts is either compliant or non-compliant
Guardrail Examples
Guardrail | Type | Requirement
Enable MFA for the Root User | Detective | Strongly Recommended
Disallow public read access to S3 | Detective | Strongly Recommended
Enable AWS Config in All Available Regions | Preventive | Mandatory
Disallow Policy Changes to Log Archive | Preventive | Mandatory
Integrate CloudTrail Events with CloudWatch Logs | Preventive | Mandatory
Disallow Amazon S3 Buckets That Are Not Versioning Enabled | Detective | Elective
Disallow Delete Actions on Amazon S3 Buckets Without MFA | Detective | Elective
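The preventive guardrails in this table work because a service control policy can only restrict: an explicit Deny in an SCP wins over any Allow an account administrator grants in IAM, and even then a request still needs an Allow somewhere in the SCP to proceed. The Python model below is an added illustration, not code from the talk and not AWS Control Tower's own managed policy. It carries a constructed SCP in the spirit of "Disallow Policy Changes to Log Archive" and the evaluation rule that makes it preventive. The bucket name, the account id and the exempted role ARN are placeholders, and the evaluator models only Allow/Deny with IAM-style wildcards and the ArnLike/ArnNotLike condition operators.

```python
"""Minimal SCP evaluator: constructed illustration of a preventive guardrail."""
from fnmatch import fnmatchcase

# Constructed SCP in the spirit of "Disallow Policy Changes to Log Archive".
# Bucket name and the exempted role ARN are placeholders, not real values.
LOG_ARCHIVE_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Organizations attaches FullAWSAccess by default; without some Allow
            # an SCP permits nothing at all.
            "Sid": "FullAWSAccess",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
        },
        {
            "Sid": "DenyLogArchivePolicyChanges",
            "Effect": "Deny",
            "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
                       "s3:PutBucketAcl", "s3:PutBucketPublicAccessBlock"],
            "Resource": "arn:aws:s3:::placeholder-log-archive-bucket",
            "Condition": {
                "ArnNotLike": {
                    # Only the landing-zone automation role (placeholder name)
                    # may touch the bucket policy; everyone else is denied.
                    "aws:PrincipalARN": "arn:aws:iam::*:role/PlaceholderLandingZoneRole"
                }
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' one character.
    return fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Evaluate ArnLike / ArnNotLike against the request context.
    A missing context key makes ArnNotLike true and ArnLike false, as in IAM."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(operator)  # keep the model honest
        for key, patterns in pairs.items():
            value = context.get(key)
            hit = value is not None and any(_matches(p, value) for p in _as_list(patterns))
            if operator == "ArnLike" and not hit:
                return False
            if operator == "ArnNotLike" and hit:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    return (any(_matches(a, action) for a in _as_list(stmt["Action"]))
            and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def scp_permits(scp, action, resource, context):
    """SCP verdict for one request: an explicit Deny wins; otherwise an Allow
    must match. True means the guardrail does not block the call; whether the
    principal's own IAM policies allow it is a separate evaluation."""
    allowed = False
    for stmt in scp["Statement"]:
        if not _statement_matches(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    bucket = "arn:aws:s3:::placeholder-log-archive-bucket"
    admin = {"aws:PrincipalARN": "arn:aws:iam::111122223333:role/Admin"}
    automation = {"aws:PrincipalARN": "arn:aws:iam::111122223333:role/PlaceholderLandingZoneRole"}
    print(scp_permits(LOG_ARCHIVE_GUARDRAIL_SCP, "s3:PutBucketPolicy", bucket, admin))       # False
    print(scp_permits(LOG_ARCHIVE_GUARDRAIL_SCP, "s3:PutBucketPolicy", bucket, automation))  # True
    print(scp_permits(LOG_ARCHIVE_GUARDRAIL_SCP, "s3:GetObject", bucket + "/trail.gz", admin))  # True
```

The shape to notice is that the account administrator's Deny result does not depend on anything in the member account: the SCP is attached at the OU, so no IAM policy written inside the Log Archive account can reopen the bucket policy. That is what the table means by "always compliant" for a preventive guardrail.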
Automate Compliant Account Provisioning
[Diagram: AWS Control Tower Account Factory (AWS Service Catalog automation) applies the guardrails and defaults – network baseline, network CIDR, network regions, account baseline, OU – to produce a new governed AWS account]
Centralize identity and access
• AWS SSO provides default directory for identity
• AWS SSO also enables federated access management across all accounts in your organization
• Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users)
• Preconfigured permission sets (e.g., admin, read-only, write)
• AWS SSO integrates with 3rd party IDP (Microsoft Azure AD, PING, OKTA)
Dashboard for oversight

Call to action
WHAT’S NEXT
• Review our multi-account strategy whitepaper for the latest guidance
• Explore AWS Organizations and AWS Control Tower
• Check out our multi-account workshops and Immersion Days
• Attend the AWS sessions related to multi-account if you want to learn more!

Thank you!
Connecting to On-Premises Networks
Tran Tuan Anh – Viet-AWS

© 2020, Amazon Web Services, Inc. or its Affiliates.
Agenda
• AWS Site-to-Site VPN
• AWS Direct Connect
• DNS resolution in a Hybrid-Cloud

AWS Site-to-Site VPN
AWS Site-to-Site VPN
• Fully managed and highly available VPN termination endpoints at AWS end
• Two VPN tunnels per one VPN connection
• IPSec Site-to-Site tunnel with AES-256, SHA-2, and latest DH groups
• Support for NAT-T
• Charged per hour per VPN connection
AWS Site-to-Site VPN setup options
Static:
• Policy- or route-based
• Static routing
• Authentication: Pre-shared key or certificate-based
Dynamic:
• Route-based only
• Dynamic routing (BGP)
• Authentication: Pre-shared key or certificate-based
Multiple AWS Site-to-Site VPNs via VGW with resilience
[Diagram: several VPCs, each terminating its own Site-to-Site VPN on a virtual private gateway, connected to the corporate data center 172.16.0.0/16]
Cost dimensions:
Multiple AWS Site-to-Site VPNs via AWS Transit Gateway
[Diagram: several VPCs connected to an AWS Transit Gateway through VPC attachments; a single VPN attachment connects the transit gateway to the corporate data center 172.16.0.0/16]
TGW route table: 172.16.0.0/16 via VPN
VPC route table: 172.16.0.0/16 via TGW
AWS Direct Connect

AWS Direct Connect – Physical connection
[Diagram: AWS global network – at the Direct Connect location an AWS router is cross-connected to a customer router, which links to the customer router in the corporate data center 172.16.0.0/16]
AWS Direct Connect – Interface types
• Private VIF – Used to connect to Amazon VPCs using private IP addresses; directly or via Direct Connect gateway
• Transit VIF – Used to connect to transit gateways via Direct Connect gateway
• Public VIF – Used to access all AWS public services using public IP addresses
All virtual interfaces are 802.1Q VLANs with BGP peering
AWS Direct Connect Gateway – Private VIF
[Diagram: AWS global network – VPCs 10.0.0.0/16 and 10.1.0.0/16 in one Region and VPC 10.2.0.0/16 in another Region hang off a Direct Connect gateway; a private virtual interface runs from the gateway through the AWS router and customer router at the Direct Connect location to the customer router in the corporate data center 172.16.0.0/16]

AWS Direct Connect Gateway – Transit VIF
[Diagram: as above, but each Region's VPCs attach to an AWS Transit Gateway, and the transit gateways connect to the Direct Connect gateway over a transit virtual interface to the corporate data center 172.16.0.0/16]

AWS Direct Connect – Public VIF
[Diagram: AWS global network – a public virtual interface from the corporate data center 172.16.0.0/16 through the Direct Connect location reaches public AWS services such as Amazon DynamoDB, Amazon Simple Storage Service (S3) and Amazon CloudWatch; VPC 10.2.0.0/16 is also shown]
Hybrid connectivity at scale
[Diagram: on-premises sites reach Amazon VPCs three ways – (1) Site-to-Site VPN to an AWS Transit Gateway, with cross-region peering between transit gateways; (2) AWS Direct Connect, where the customer or partner cage at the AWS Direct Connect location links to the AWS cage and a transit virtual interface carries traffic to an AWS Direct Connect gateway and on to the transit gateway; (N) Transit Gateway Connect attachments carrying GRE tunnels with BGP sessions (5,000)]
DNS Resolution in a Hybrid-Cloud

Introducing Amazon Route 53
What is Amazon Route 53?
• AWS DNS service
• Domain Registration
• Domain name resolution
• 100% availability SLA
• Health Checks
• DNS Failover
• Latency Based Routing
• Geo Based Routing
• Weighted Round Robin
• Private DNS for VPC
[Diagram: a DNS resolution request reaches Amazon Route 53, which checks whether the main site is healthy; if yes, traffic goes to Region us-east-1 (N. Virginia), split 95% to App Version A and 5% to App Version B for A/B testing; if no, traffic fails over to the App DR in Region us-west-2 (Oregon); each app sits behind an Elastic Load Balancer fronting a web service]
Route 53 Concepts: Hosted Zones
Public Hosted Zone:
• For internet name resolution
• Delegation set – for authoritative name servers to be provided to registrar or parent domain.
Private Hosted Zone:
• For name resolution inside a VPC
• Can be associated with multiple VPCs and across accounts.
[Diagram: a public hosted zone in the AWS Cloud answering DNS queries from internet clients for customer resources; a private hosted zone associated with VPCs, whose clients query the Route 53 Resolver]
DNS Resolution in Amazon VPC and Hybrid Scenarios

DNS in a hybrid network
• Managed DNS resolver service from Amazon Route 53
• Inbound resolver endpoints and outbound resolver endpoints
• Provides hybrid DNS resolution over AWS Direct Connect and managed VPN
• Makes use of conditional forwarding rules to re-direct query traffic
Resolving AWS domains within a VPC
[Diagram: VPC 10.0.0.0/16 – an instance sends Q: www.aws.example.internal to the Amazon R53 resolver at 10.0.0.2 and receives A: www.aws.example.internal 1.2.3.4 from the private hosted zone aws.example.internal]
Resolving AWS domains in hybrid networks
[Diagram: a server in the corporate data center 172.16.0.0/16 sends Q: www.aws.example.internal to the R53 Resolver inbound endpoint in VPC 10.0.0.0/16; the Amazon R53 resolver (10.0.0.2) answers A: www.aws.example.internal 1.2.3.4 from the private hosted zone aws.example.internal]
Resolving on-premises domains in hybrid networks
[Diagram: VPC 10.0.0.0/16 – an instance sends Q: www.dc.example.internal to the Amazon R53 resolver (10.0.0.2); the R53 Resolver outbound endpoint forwards the query to the DNS server 172.16.0.10 in the corporate data center 172.16.0.0/16, which answers A: www.dc.example.internal 172.16.0.150 from its private zone dc.example.internal]
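The three resolution slides above describe one mechanism seen from both sides: a conditional forwarding rule on the VPC resolver sends dc.example.internal queries out through the outbound endpoint to the on-premises server, and a conditional forwarder on the on-premises server sends aws.example.internal queries to the inbound endpoint. The Python model below is an added illustration, not code from the talk: the resolver names are invented, the inbound and outbound endpoints are folded into the two resolver objects, and the records are constructed to match the answers on the slides (1.2.3.4 and 172.16.0.150). It returns the hop trail with each answer, which is the thing to check when a hybrid lookup fails.

```python
"""Hybrid DNS model: constructed illustration of Route 53 Resolver forwarding."""


def longest_suffix_match(qname, candidates):
    """Pick the longest zone or rule name that qname falls under, by DNS label."""
    best = None
    for name in candidates:
        if qname == name or qname.endswith("." + name):
            if best is None or len(name) > len(best):
                best = name
    return best


class Resolver:
    """A DNS resolver that answers from zones it is authoritative for and
    forwards anything matching a conditional forwarding rule elsewhere."""
    MAX_HOPS = 8  # guard against a forwarding loop between two resolvers

    def __init__(self, name, zones):
        self.name = name
        self.zones = zones      # zone -> {fqdn: address}
        self.rules = {}         # domain -> Resolver to forward to

    def add_forwarding_rule(self, domain, target):
        self.rules[domain] = target

    def resolve(self, qname, trail=None):
        """Return (answer, trail); trail lists the hops the query took."""
        trail = (trail or []) + [self.name]
        if len(trail) > self.MAX_HOPS:
            return None, trail + ["loop detected"]
        zone = longest_suffix_match(qname, self.zones)
        if zone is not None:
            # Authoritative: answer (or NXDOMAIN as None) without forwarding.
            return self.zones[zone].get(qname), trail + [f"authoritative:{zone}"]
        rule = longest_suffix_match(qname, self.rules)
        if rule is not None:
            return self.rules[rule].resolve(qname, trail + [f"forward:{rule}"])
        return None, trail + ["no zone or rule"]


def build_hybrid_dns():
    # Constructed records matching the slides; names and addresses are illustrative.
    vpc_resolver = Resolver("R53 resolver 10.0.0.2",
                            {"aws.example.internal": {"www.aws.example.internal": "1.2.3.4"}})
    onprem_dns = Resolver("DC DNS 172.16.0.10",
                          {"dc.example.internal": {"www.dc.example.internal": "172.16.0.150"}})
    # Outbound endpoint: a Route 53 Resolver rule forwards dc.example.internal on-premises.
    vpc_resolver.add_forwarding_rule("dc.example.internal", onprem_dns)
    # Inbound endpoint: the on-premises server conditionally forwards
    # aws.example.internal into the VPC (modelled as the VPC resolver object).
    onprem_dns.add_forwarding_rule("aws.example.internal", vpc_resolver)
    return vpc_resolver, onprem_dns


if __name__ == "__main__":
    vpc, dc = build_hybrid_dns()
    for resolver, qname in [(vpc, "www.aws.example.internal"), (vpc, "www.dc.example.internal"),
                            (dc, "www.aws.example.internal"), (vpc, "www.example.com")]:
        answer, trail = resolver.resolve(qname)
        print(f"{qname}: {answer}  via {' -> '.join(trail)}")
```

Two details mirror real deployments: the rule for a domain is only consulted when the resolver is not itself authoritative for it, so a private hosted zone always shadows a forwarding rule for the same name, and a rule that points at a server which is not authoritative and forwards back again loops until the hop limit trips. Both are common causes of "works from on-prem but not from the VPC" tickets.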


Questions?
Applying GitOps to implement and operate AWS Network Firewall
Nguyen Quang Hieu (github.com/hieuchaya4), Tung NX (github.com/hiimtung), Hung Vu (github.com/hungran), Hoang Manh Tung (github.com/kerashanog), Hai Nguyen (github.com/haicasgox), Nguyen Ba Thanh (github.com/lacoski)
Agenda
1. Networking Basic on AWS
2. Multi-VPC & Account on AWS
3. AWS Transit Gateway (TGW)
4. Hub & Spoke Architecture
5. Applying GitOps with Multi-VPC/Account with Network Firewall & OpenSource Tools
Networking Basic on AWS
Back to old school
[Diagram: one VPC with a subnet in Availability Zone A and a subnet in Availability Zone B]

Single Account & Single VPC
When is Single Account & Single VPC the right choice?
Pros:
- Simple setup
- Flat network
- No inter-VPC cost
- 5 * /16 CIDRs ~327,680 IPs
- Segmentation with route tables and NACLs
Cons:
- Complexity at scale
- Shared service limits
- Blast radius
- Policy complexity
- Cost allocation complexity
Multi-VPC & Account on AWS
Single Account & Multi-VPC
Multi-Account & Multi-VPC
When is Multi-Account & Multi-VPC the right choice?
Pros:
- Isolated blast radius
- Fine-grained access control
- Granular cost allocation
- Distributed/isolated service limits
Cons:
- Complexity
- How do you handle IP management?
- How do you handle DNS?
- How do you manage access control between accounts and VPCs?
VPC Peering
[Diagram: VPC A 10.0.0.0/16 peered with VPC B 192.168.0.0/16 and with VPC C 172.31.0.0/16; the path from VPC B to VPC C through VPC A is marked X, because peering is not transitive and each pair needs its own peering connection]
Can be Intra-Region, Inter-Region, Inter-Account

Complexity of VPC Peering
Full mesh: n(n-1)/2 peering connections
Transit Gateway
[Diagram: an AWS Transit Gateway in the AWS Cloud connects several Amazon VPCs, a DX gateway and a VPN connection to the customer gateway in the corporate network]
[Diagram: ProdA, ProdB, ProdC and DevA, DevB, DevC VPCs attached to an AWS Transit Gateway, which reaches the corporate network over DX or VPN]
[Diagram: six VPCs, each joined to the AWS Transit Gateway by its own attachment]

Transit Gateway Attachment
[Diagram: VPC A, VPC B, VPC C and VPC D each connected to the AWS Transit Gateway through an attachment]
Single attachment can span multiple Availability Zones
[Diagram: within an AWS Region, one VPC spanning three Availability Zones, each holding Subnet 1, Subnet 2 and Subnet 3]
AWS Transit Gateway associations
• Associating an attachment to a route table
• Allows traffic to be sent from the attachment to the target route table
• An attachment can only be associated to one route table.
Hub & Spoke Architecture

Transit Gateway Route Table
Hub and Spoke Topology
To allow the integration, a Transit Gateway will be deployed between these new VPCs and a Direct Connect will be created to connect to AWS. Proper rules have to be created to avoid connections across the environments; the only connection possible will be to Azure (i.e. Dev, Usertest and Staging must not be able to connect to Production, but only to Azure).
[Diagram: corporate network connected to the transit gateway]

Transit Gateway Route Table
Hub and Spoke Topology
The connectivity between each VPC needs to be blocked. To do that, we use two Transit Gateway route tables, called isolated routers: all attachments associated with an isolated router propagate to and associate with its route table. Attachments associated with one isolated router can route packets to each other, but cannot route packets to or receive packets from the attachments of another isolated router.
For example, packets from one VPC with a destination in another VPC, say from 10.100.0.0/16 (Prod) to 10.102.0.0/16, route through the transit gateway, where they are blocked because there is no route for them in the transit gateway route table. Traffic between Azure and AWS still flows through the two route tables.
[Diagram: corporate network connected to the transit gateway; the VPC-to-VPC path is marked X]
Transit Gateway Route Table
• TGW can have many Route Tables
• Similar to virtual routing and forwarding (VRFs)
• Can build complex network topologies, e.g. Hub & Spoke
• Route distribution between route tables can be controlled via Propagations
• Can define static and blackhole routes
Transit Gateway Route Table
[Diagram: VPC Dev (10.x.0.0/16, VPC route table) and VPC Prd (10.x.0.0/16, VPC route table) each attached to the AWS Transit Gateway; a DX Gateway attachment leads to 192.168.x.x/y]

Transit Gateway Route Table – Associate Attachment to TGW Rtb
[Diagram: the VPC Dev and VPC Prd attachments are associated with the Spoke TGW route table; the DX GW attachment (192.168.x.x/y) is associated with the Hub TGW route table]
[Diagram: same layout with a VPN attachment (10.x.0.0/16) associated with the Hub TGW route table]
[Diagram: same layout with both the VPN attachment and the DX attachment (192.168.x.x/y) associated with the Hub TGW route table]

Transit Gateway Route Table – Propagation
[Diagram: the VPC Dev and VPC Prd attachments propagate their prefixes into the Hub TGW route table; the DX attachment (192.168.x.x/y) propagates into the Spoke TGW route table]

Transit Gateway Route Table
[Diagram: VPC Dev and VPC Prd (10.x.0.0/16, subnet route tables) attached to the AWS Transit Gateway; the DX attachment leads to the corporate network 192.168.x.x/y]

Transit Gateway Route Table – Traffic Flow
[Diagram: packet S: 10.0.0.10 D: 10.1.0.10 leaves VPC Dev through its attachment, which is associated with the Spoke route table; the VPC attachments propagate into Hub and the DX GW attachment (192.168.x.x/y) is associated with Hub]
[Diagram: packet S: 10.0.0.10 D: 10.101.0.10 with VPC Dev now 10.101.0.0/16 and VPC Prd 10.100.0.0/16, same associations and propagations]
[Diagram: packet S: 10.101.0.10 D: 192.168.x.x from VPC Dev reaches the DX GW attachment through the Spoke route table, into which the DX attachment propagates]
[Diagram: packet S: 10.101.0.10 D: 10.100.0.10 from VPC Dev to VPC Prd is marked X at the transit gateway: the Spoke route table holds no route for 10.100.0.0/16, so the packet is dropped]
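The slides above walk through associations, propagations and four packet flows by picture. The Python model below is an added illustration, not code from the talk: it implements the two rules the slides state (an attachment is associated with exactly one route table; propagation copies the attachment's prefixes into a table as routes back to it), does a longest-prefix lookup in the table the ingress attachment is associated with, and reproduces the Dev, Prd and corporate flows. The attachment names are invented, 192.168.0.0/16 stands in for the slides' 192.168.x.x/y, and blackhole routes are modelled as routes with no egress attachment.

```python
"""Transit Gateway route-table model: constructed illustration of hub-and-spoke isolation."""
import ipaddress


class TransitGateway:
    def __init__(self):
        self.attachments = {}   # attachment -> list of networks reachable behind it
        self.route_tables = {}  # table -> {network: egress attachment or None (blackhole)}
        self.association = {}   # attachment -> the one table it is associated with

    def add_attachment(self, name, *cidrs):
        self.attachments[name] = [ipaddress.ip_network(c) for c in cidrs]

    def create_route_table(self, name):
        self.route_tables[name] = {}

    def associate(self, attachment, table):
        # Slide rule: an attachment can only be associated with one route table.
        if attachment in self.association:
            raise ValueError(f"{attachment} already associated with {self.association[attachment]}")
        self.association[attachment] = table

    def propagate(self, attachment, table):
        # Propagation copies the attachment's prefixes into the table as routes
        # pointing back at that attachment.
        for net in self.attachments[attachment]:
            self.route_tables[table][net] = attachment

    def add_static_route(self, table, cidr, attachment=None):
        # attachment=None models a blackhole route: matching traffic is dropped.
        self.route_tables[table][ipaddress.ip_network(cidr)] = attachment

    def forward(self, ingress_attachment, dst_ip):
        """Return the egress attachment for a packet, or None if it is dropped.
        The lookup uses only the table the ingress attachment is associated with."""
        table = self.route_tables[self.association[ingress_attachment]]
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for net, egress in table.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, egress)
        return None if best is None else best[1]


def build_hub_and_spoke():
    """Two isolated route tables, as on the slides: VPC attachments sit on the
    Spoke table and propagate into Hub; the DX attachment sits on Hub and
    propagates into Spoke. Spoke never learns a VPC-to-VPC route."""
    tgw = TransitGateway()
    tgw.add_attachment("vpc-dev", "10.101.0.0/16")
    tgw.add_attachment("vpc-prd", "10.100.0.0/16")
    tgw.add_attachment("dx-gw", "192.168.0.0/16")  # corporate network (assumed /16)
    tgw.create_route_table("spoke")
    tgw.create_route_table("hub")
    tgw.associate("vpc-dev", "spoke")
    tgw.associate("vpc-prd", "spoke")
    tgw.associate("dx-gw", "hub")
    tgw.propagate("vpc-dev", "hub")
    tgw.propagate("vpc-prd", "hub")
    tgw.propagate("dx-gw", "spoke")
    return tgw


def trace(tgw, ingress, src_ip, dst_ip):
    egress = tgw.forward(ingress, dst_ip)
    verdict = f"-> {egress}" if egress else "dropped (no route in associated table)"
    return f"S: {src_ip} D: {dst_ip} via {ingress} {verdict}"


if __name__ == "__main__":
    tgw = build_hub_and_spoke()
    print(trace(tgw, "vpc-dev", "10.101.0.10", "192.168.1.10"))  # Dev -> corporate: dx-gw
    print(trace(tgw, "dx-gw", "192.168.1.10", "10.100.0.10"))    # corporate -> Prd: vpc-prd
    print(trace(tgw, "vpc-dev", "10.101.0.10", "10.100.0.10"))   # Dev -> Prd: dropped (the X on the last slide)
```

The isolation here is a property of route-table contents, not of any filter: nothing on the Spoke table says "deny", there is simply no route for the other VPC. That is also why a single propagation of a VPC attachment into the Spoke table, or a static route added there for convenience, silently reopens Dev-to-Prd traffic; a check that the Spoke table contains only the corporate prefixes is the review item for this design.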
What is AWS Network Firewall
Types of threats that exist today
DDoS: HTTP floods, reflection attack, application
App vulnerabilities: SQL injection, cross-site scripting (XSS), other OWASP Top 10, common vulnerabilities and exposures (CVE)
Bots/Takeovers: under the radar, lateral movement, privilege escalation
What is AWS Network Firewall?
• Stateful, managed, network firewall and intrusion detection and prevention service
• Automatically scales with your traffic, ensuring high availability with no additional customer investment in security infrastructure
• Consistent policy management across VPCs and accounts
Key features
• Fully managed
• Flexible deployments
• Fine-grained controls
• Partner integrated
• Configurable logging
Network Firewall manages AWS resource types:
• Firewall
• RuleGroup
• FirewallPolicy
How AWS Network Firewall protects resources
Deployment model
• Distributed
• Centralized
• Combined

Distributed AWS Network Firewall deployment model
• AWS Network Firewall is deployed into each individual VPC.

Centralized AWS Network Firewall deployment model
• East-West (VPC-to-VPC) and/or North-South (internet egress and ingress, on-premises) traffic

Combined centralized and distributed
• East-West (VPC-to-VPC) and subset of North-South (On Premises/Egress) traffic.

Reference Architectures:
https://aws.amazon.com/vi/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall

AWS Network Firewall partners
Operation
On-premise Firewall vs AWS Network Firewall

On-premise Firewall
Flow Diagram – Change Process
→ Takes effort to build change and save documents
→ Difficult to monitor implementation
→ Risk of issue when deploying
→ Complex testing and validating

AWS Network Firewall
Flow Diagram – Change Process
→ Less build change
→ CI/CD integrated
→ Mitigates issue when deploying
→ Easier testing and validating
About GitOps
GitOps delivers:
• A standard workflow for application development
• Increased security for setting application requirements upfront
• Improved reliability with visibility and version control through Github
• Consistency across any cluster, any cloud, and any on-premise environment
Workflow
AWS Network Firewall demo with GitOps
[Demo outputs: Terraform doc, Checkov report, Telegram notification, cost estimate]

Thank You! For Your Attention