Work In Progress: This is a collection of resources intended to help you with your everyday AWS security.
If you have many AWS accounts you will want to take advantage of AWS Organizations. AWS Organizations allows
This account is where you will run any security-related services, tools, or software.
For example, this can be:
This account is where your immutable logs will go. Its purpose is to house important security logs that must have a high degree of integrity for security and possibly compliance reasons. This would include S3 Object Lock and Service Control Policies that prevent the deletion of data.
For example, logs sent here would include:
The following are details on how to securely create your S3 bucket for CloudTrail use.
Much of this is very similar to AWS S3 Bucket Security Best Practices.
This S3 bucket must live in your Logging account. An account
Note: the AWS Console will default you to "Quick trail create" as shown below. Please DISREGARD it. Instead, click the menu icon on the left and select "Trails".
2. Go to Trails
3. Create the organization CloudTrail
Amazon has an excellent guide on the topic: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
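As an added example (not from this page or from AWS), the two policies the Logging-account bucket needs for an organization trail, plus a small review check: the bucket policy that lets the CloudTrail service write under both the management account's and the organization's `AWSLogs/` prefixes, and an SCP that blocks deletion of the bucket, its objects and its Object Lock settings. All bucket names, account and organization IDs and the trail ARN are constructed placeholders.

```python
# Constructed placeholder values; substitute your own bucket name, IDs and trail.
BUCKET = "example-org-cloudtrail-logs"
MGMT_ACCOUNT = "111111111111"
ORG_ID = "o-exampleorgid"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{MGMT_ACCOUNT}:trail/org-trail"
CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}

def cloudtrail_bucket_policy(bucket, mgmt_account, org_id, trail_arn):
    """Organization-trail bucket policy: ACL check plus writes under the management
    account's and the organization's AWSLogs/ prefixes, each pinned to this trail."""
    source = {"aws:SourceArn": trail_arn}
    write = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", **source}}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringEquals": source}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:PutObject", "Condition": write,
         "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{mgmt_account}/*"},
        {"Sid": "AWSCloudTrailOrganizationWrite", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:PutObject", "Condition": write,
         "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*"}]}

def log_protection_scp(bucket):
    """SCP for the OU holding the Logging account: no principal there, root included,
    can drop the bucket, loosen its policy, delete log objects or weaken Object Lock.
    (SCPs never bind the management account, so the trail itself is guarded by IAM.)"""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ProtectLogBucket", "Effect": "Deny",
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
         "Action": ["s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:PutBucketPolicy",
                    "s3:DeleteObject", "s3:DeleteObjectVersion",
                    "s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration"]}]}

def policy_issues(policy):
    """Review check: every Allow must be limited to the CloudTrail service principal
    and carry an aws:SourceArn condition; anything else is a finding."""
    issues = []
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue
        if s.get("Principal") != CLOUDTRAIL:
            issues.append(f"{s['Sid']}: principal is not cloudtrail.amazonaws.com")
        if "aws:SourceArn" not in s.get("Condition", {}).get("StringEquals", {}):
            issues.append(f"{s['Sid']}: no aws:SourceArn condition")
    return issues
```

Serialise either dict with `json.dumps` and attach it with `aws s3api put-bucket-policy` or as an SCP on the Logging account's OU; run `policy_issues` against any existing log-bucket policy to spot grants that are wider than the trail needs.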