Forum Replies Created
This is a common requirement and you mentioned AWS Transit Gateway which would be the best solution for this type of architecture (especially at scale). You can terminate the VPN tunnel on the Transit Gateway and then that could be shared with many VPCs (each with its own routing rules if needed).
There is also an option to migrate the existing VPN tunnel from the VPC to the Transit Gateway which would also make this simpler: https://aws.amazon.com/premiumsupport/knowledge-center/transit-gateway-migrate-vpn/
There are a lot of advantages to using Transit Gateway in this scenario including multi-account support, the ability to grow to large scale, you can add multiple VPN tunnels or Direct Connect for failover, and you can integrate with security devices (incl. AWS Network Firewall) for inspection of this traffic if this was a requirement.
Hope this helps!
October 20, 2021 at 10:44 pm in reply to: Can CloudFormation apply an inline policy to an IAM role (not managed policy)? #481
Yes, CloudFormation supports creating both managed and inline IAM policies and attaching them to already existing IAM roles, users or groups.
You can use the AWS::IAM::Policy resource (defined here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html) and specify the IAM role name in the resource properties (make sure you use this resource as opposed to AWS::IAM::ManagedPolicy).
Hope this helps!
There are two types of events for DynamoDB: Management and Data events. Management events are things like creating/deleting a DynamoDB table, creating/deleting DynamoDB backups, or modifying a table’s settings. These events are captured by default when you have CloudTrail enabled (and for all tables in the account).
Data events capture events like adding, updating or deleting items in a DynamoDB table. CloudTrail can log data events but it is not enabled by default, as it can become expensive to monitor depending on how active a table is. You can also selectively enable data events monitoring on specific DynamoDB tables only (or on all tables in the account/region).
I would recommend enabling data events on tables that might host some sensitive data and you can create some alarms/reports based on things like access from suspicious IPs or anomalous access.
More details can be found here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html
You can use the following template for configuring CloudTrail and CloudTrail DynamoDB event logging:
Hope this helps!
October 6, 2021 at 6:22 am in reply to: How I can use or configure Auto Remediation to multiple accounts using AWS ORG. #461
I believe that Organization Config Rules do not currently support remediation settings. But you can accomplish what you’re looking for by using CloudFormation or Terraform and deploying the same template to multiple accounts (e.g. template: https://asecure.cloud/a/ar_ssm_ec2_eip_unattached/)
If you already use CloudFormation StackSets, that would be an easy method to deploy the same template across many accounts at once. Otherwise, you can use a deployment pipeline for Terraform or CloudFormation templates.
Another option to consider if your goal is auto-remediation across many accounts in an Organization is the following pre-packaged solution from AWS which configures Security Hub and Auto Remediation rules in a multi-account environment: https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/
Hope this helps!
September 21, 2021 at 3:59 pm in reply to: Can you centralize ALB access logs in a multi-account environment? #370
Yes, ALB access logs can be sent to an S3 bucket in another account. So you can set up an S3 bucket in a dedicated logging account and forward all ALB logs to it. A couple of things to take into account:
* You have to use the S3 bucket policy here (including updating the value for the ALB account ID based on the table provided in the same link): https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
* The S3 bucket must be in the same region as the ALBs, so if you are using multiple regions, you'll have to create a separate S3 bucket for each region.
There are other requirements that are also listed in the above link.
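The central log bucket described in this reply, as an added example that is not part of the original post: a CloudFormation template for the logging account, deployed once per region, which assumes the regional ELB account ID and the workload account ID are passed in as parameters (hypothetical names, values taken from the linked documentation table and your own accounts).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Central ALB access-log bucket for a logging account (added example).
  Deploy one stack per region, in the same region as the ALBs that will
  write to it; an ALB cannot deliver logs to a bucket in another region.

Parameters:
  ElbAccountId:
    Type: String
    Description: >-
      Elastic Load Balancing account ID for this region, from the table in
      the ALB access-logs documentation (placeholder; differs per region).
  SourceAccountId:
    Type: String
    Description: Workload account that owns the ALBs (assumed; add one Resource entry per extra account).

Resources:
  AlbLogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "alb-access-logs-${AWS::AccountId}-${AWS::Region}"
      # ALB log delivery only works with SSE-S3 (AES256); SSE-KMS on this bucket breaks delivery.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  AlbLogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AlbLogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Only the regional ELB service account may write, and only under
          # AWSLogs/<workload account>/, so an unrelated account's ALB cannot
          # drop logs here even if it learns the bucket name. "alb" is the
          # prefix the workload account sets on its ALB access-log attribute.
          - Sid: AllowAlbLogDelivery
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ElbAccountId}:root"
            Action: s3:PutObject
            Resource: !Sub "arn:aws:s3:::${AlbLogBucket}/alb/AWSLogs/${SourceAccountId}/*"
```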