FortiCNP
CloudSecLior, Staff
Article Id 219107

Description

This article describes the AWS security best practices that should be implemented to get the best value out of FortiCNP.

According to the AWS Security Reference Architecture (SRA), it is recommended to turn on services such as Amazon GuardDuty, Amazon Inspector and AWS Security Hub on all accounts across an AWS Organization.

Not turning on these services across the entire organization is analogous to not having smoke detectors in some rooms of a house: security is only as good as the weakest link.

Beyond turning on the services, the AWS SRA defines an architecture to aggregate security information across the entire AWS organization and defines relevant concepts such as delegated administrators, security monitoring accounts, and finding aggregation regions.

This document guides how to enable the relevant services and establish security best practices in the organization.

Scope

The scope of this guide is to walk through the process of turning on AWS security services such as AWS Security Hub, Amazon Inspector and Amazon GuardDuty throughout the AWS Organization.

As mentioned, these services are important for the best operation of FortiCNP. The scope of the services is a single AWS organization, which may contain multiple AWS accounts.

This guide walks through the recommended process to turn these services on.

Solution

Amazon GuardDuty

Consult the AWS guide to make sure the necessary delegated administrator permissions are in place: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html

The following procedure guides how to enable GuardDuty across the organization.

1) Open the AWS console and log in to the organization admin account.

2) Open the GuardDuty console at https://console.aws.amazon.com/guardduty/ or search for GuardDuty in the search bar.

3) Select the Get Started button.

(Image: CloudSecLior_0-1659108860921.png)

4) Start the configuration of GuardDuty for the organization as seen in the image below.

(Image: CloudSecLior_1-1659108874290.png)

5) To enable GuardDuty inside the organization, a delegated administrator account is needed; this account will manage GuardDuty policies throughout the organization.

Refer to the following AWS documentation on how to create a delegated administrator account: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html

Copy the account ID of the delegated administrator into the blank field, then select the Delegate button.

(Image: CloudSecLior_3-1659108917764.png)

6) Make sure the confirmation appears at the bottom of the page.

(Image: CloudSecLior_4-1659108943337.png)

7) Select the Enable GuardDuty button to enable GuardDuty; the configuration page will then be shown.

(Image: CloudSecLior_5-1659108955562.png)

At this point, a delegated GuardDuty administrator account has been defined and GuardDuty has been enabled for this account.

Now enable GuardDuty across the organization and add the existing accounts from the organization.

8) Select the Accounts link in the navigation pane.

(Image: CloudSecLior_6-1659109052114.png)

9) A page very similar to the one shown in the picture below will be displayed.

(Image: CloudSecLior_7-1659109338460.png)

10) Select the Enable button at the top to enable GuardDuty for the organization.

(Image: CloudSecLior_8-1659109518581.png)

11) Select Enable to confirm.

Congratulations. GuardDuty has been enabled for all the accounts inside the organization.

Amazon Inspector

Consult the AWS guide to make sure the necessary permissions are in place: https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html

The procedure below guides how to enable Inspector across the organization.

1) Open the AWS console and log in to the organization admin account.

2) Open the Inspector console at https://console.aws.amazon.com/Inspector/ or search for Inspector in the search bar.

3) Select the Get Started button.

(Image: CloudSecLior_9-1659109568499.png)

4) Start the configuration of Inspector for the organization as seen in the picture below.

(Image: CloudSecLior_10-1659109586964.png)

5) To enable Inspector inside the organization, a delegated administrator account is needed; this account will administer Inspector in the organization.

Consult the AWS guide to make sure the necessary permissions are in place: https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html

6) Copy the account ID of the delegated administrator into the blank field, then select the Delegate button.

(Image: CloudSecLior_12-1659109633684.png)

7) Select Delegate to confirm.

(Image: CloudSecLior_13-1659109645995.png)

8) A confirmation that Inspector is enabled will appear at the top of the page.

(Image: CloudSecLior_14-1659109665764.png)

At this point, a delegated Inspector administrator account has been defined and Inspector has been enabled for this account.

Now enable Inspector across the organization and add the existing accounts from the organization.

9) Select the Account Management link in the navigation pane.

(Image: CloudSecLior_15-1659109744901.png)

10) A page very similar to the one shown in the picture below will be displayed.

(Image: CloudSecLior_16-1659109768559.png)

11) Select Automatically enable Inspector for new accounts, then select Save.

Select all the existing accounts on which Inspector needs to be activated and select Enable (all scanning).

(Image: CloudSecLior_17-1659109796247.png)

(Image: CloudSecLior_18-1659109821414.png)

Congratulations. Inspector has been enabled across all AWS accounts inside the organization.

AWS Security Hub

The procedure below guides how to enable Security Hub across the organization.

1) Open the AWS console and log in with the organization admin account.

2) Open the Security Hub console at https://console.aws.amazon.com/securityhub/ or search for Security Hub in the search bar.

3) Select the Go to Security Hub button at the top right of the screen, as seen below.

(Image: CloudSecLior_19-1659109858881.png)

4) The configuration of Security Hub for the organization can now be started.

(Image: CloudSecLior_20-1659109871630.png)

5) To enable Security Hub inside the organization, a delegated administrator account must be assigned.

Consult the AWS guide to make sure there are sufficient permissions: https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html

6) This account will have Security Hub enabled and will be assigned to administer Security Hub for the organization. The Security Hub security standards do not need to be enabled and are out of scope for this guide.

FortiCNP only uses the finding aggregation features of Security Hub and provides CSPM functionality similar to the Security Hub security standards.

(Image: CloudSecLior_21-1659109951207.png)

7) Copy the account ID of the delegated administrator into the blank field, then select the Delegate button, as shown in the picture below.

8) The confirmation can be seen at the bottom of the page.

(Image: CloudSecLior_22-1659110031682.png)

9) Select the Enable Security Hub button; the Security Hub configuration page will then be shown.

10) At the top of the page, two messages will be shown: one for enabling Security Hub for the organization and one for managing the findings from a single region.

(Image: CloudSecLior_23-1659110047346.png)

11) Select the Settings button and select Enable to activate Security Hub for the entire organization.

(Image: CloudSecLior_24-1659110075431.png)

12) Select the Enable button.

13) Security Hub is now enabled across the organization.

(Image: CloudSecLior_25-1659110109560.png)

14) Select the Configure finding aggregation button at the top of the page.

(Image: CloudSecLior_26-1659110126416.png)

15) Select the Configure finding aggregation button.

(Image: CloudSecLior_27-1659110150621.png)

16) Select US-WEST-2 for Global (US) or EU-WEST-1 for EU as the aggregation region (these regions are used by FortiCNP), and select all regions below.

(Image: CloudSecLior_28-1659110207194.png)

17) Scroll down, select Link future Regions, and select Save.

(Image: CloudSecLior_29-1659110260788.png)

Congratulations. Security Hub and finding aggregation have been enabled across the organization.
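After the three procedures above, the "no room without a smoke detector" state still has to be verified: an account that was suspended, created later, or left in a Disabled member state is the weak link the Description warns about. The following check is an added example (not from this article or from FortiCNP) that compares the organization's active accounts against a service's member list and reports accounts where the service is not enabled. The sample JSON is constructed; the field names assume the shapes of the Organizations ListAccounts and the GuardDuty, Security Hub and Inspector2 ListMembers responses.

```python
import json

# Constructed sample responses, shaped like the API output the consoles above
# are built on. Account IDs and names are made up.
ORG_ACCOUNTS_JSON = """
{"Accounts": [
  {"Id": "111111111111", "Name": "management",     "Status": "ACTIVE"},
  {"Id": "222222222222", "Name": "security-admin", "Status": "ACTIVE"},
  {"Id": "333333333333", "Name": "workload-prod",  "Status": "ACTIVE"},
  {"Id": "444444444444", "Name": "workload-dev",   "Status": "ACTIVE"},
  {"Id": "555555555555", "Name": "retired",        "Status": "SUSPENDED"}
]}"""

GUARDDUTY_MEMBERS_JSON = """
{"Members": [
  {"AccountId": "111111111111", "RelationshipStatus": "Enabled"},
  {"AccountId": "333333333333", "RelationshipStatus": "Enabled"},
  {"AccountId": "444444444444", "RelationshipStatus": "Disabled"}
]}"""

SECURITYHUB_MEMBERS_JSON = """
{"Members": [
  {"AccountId": "111111111111", "MemberStatus": "Enabled"},
  {"AccountId": "333333333333", "MemberStatus": "Enabled"},
  {"AccountId": "444444444444", "MemberStatus": "Enabled"}
]}"""

# Assumed per-service field names: (list key, account-id key, status key,
# status value meaning "covered"). The delegated administrator does not appear
# in its own member list, so it is passed to the check separately.
SERVICE_SHAPES = {
    "guardduty":   ("Members", "AccountId", "RelationshipStatus", "Enabled"),
    "securityhub": ("Members", "AccountId", "MemberStatus", "Enabled"),
    "inspector2":  ("members", "accountId", "relationshipStatus", "ENABLED"),
}

def active_org_accounts(org_json):
    """Return {account_id: name} for every ACTIVE account in the organization."""
    return {a["Id"]: a["Name"] for a in json.loads(org_json)["Accounts"]
            if a["Status"] == "ACTIVE"}

def uncovered_accounts(service, org_json, members_json, delegated_admin):
    """Return the sorted IDs of active accounts where `service` is not enabled."""
    list_key, id_key, status_key, ok = SERVICE_SHAPES[service]
    covered = {delegated_admin}
    for member in json.loads(members_json)[list_key]:
        if member[status_key] == ok:
            covered.add(member[id_key])
    return sorted(acct for acct in active_org_accounts(org_json) if acct not in covered)

if __name__ == "__main__":
    for svc, members in (("guardduty", GUARDDUTY_MEMBERS_JSON),
                         ("securityhub", SECURITYHUB_MEMBERS_JSON)):
        print(svc, "not enabled in:", uncovered_accounts(svc, ORG_ACCOUNTS_JSON, members, "222222222222"))
```

With the constructed input, GuardDuty reports the workload-dev account as uncovered (its member state is Disabled) while Security Hub reports none; the suspended account is ignored because it is not active.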
