To align with digital sovereignty requirements, and in particular the Baseline Informatiebeveiliging Overheid (BIO), a Dutch municipality requested the implementation of an AWS landing zone with Frankfurt (eu-central-1) designated as the primary AWS region and Ireland (eu-west-1) as the secondary AWS region. The primary region was to host all components needed to support active workloads, while the secondary region would serve as a backup replication destination to provide a higher level of business continuity in the event of a disaster.
The landing zone enforces these two regions through Service Control Policies (SCPs) attached in the AWS Organization, while still permitting every availability zone within those regions. This choice ensures that data remains within the specified regions and countries, in line with the municipality's data protection, sovereignty and business continuity requirements.
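The region restriction described above is usually expressed as a single deny-statement SCP keyed on the aws:RequestedRegion condition key, with an exemption for global services that only answer from us-east-1 (IAM, STS, Organizations, Route 53, CloudFront and the like), because without that exemption the deny would break account administration. The block below is an added example and not the municipality's actual policy: it renders such an SCP for the two regions named in the article and pairs it with a deliberately simplified evaluator (explicit Deny wins, everything else falls through to the default FullAWSAccess allow) so the behaviour of the condition can be checked offline. The list of exempt global-service actions is illustrative and should be reviewed against AWS's documented example before use.

```python
"""Region-restricting SCP and a small evaluator to exercise it (added example)."""
import fnmatch
import json

# The two regions the landing zone allows, as stated in the article.
ALLOWED_REGIONS = ["eu-central-1", "eu-west-1"]

# Illustrative list of global-service actions that must not be caught by the
# region deny; these services report us-east-1 as aws:RequestedRegion.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "health:*", "trustedadvisor:*", "waf:*",
    "shield:*", "globalaccelerator:*", "access-analyzer:*",
]

REGION_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideApprovedRegions",
            "Effect": "Deny",
            # NotAction: the deny applies to every action except the exemptions.
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}
            },
        }
    ],
}


def render_scp():
    """Return the SCP as the JSON document you would attach to an OU."""
    return json.dumps(REGION_RESTRICTION_SCP, indent=2)


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _conditions_hold(conditions, requested_region):
    # Only the StringNotEquals / aws:RequestedRegion test used here is modelled.
    for key, expected in conditions.get("StringNotEquals", {}).items():
        if key != "aws:RequestedRegion":
            raise NotImplementedError(f"condition key not modelled: {key}")
        values = expected if isinstance(expected, list) else [expected]
        if requested_region in values:
            return False
    return True


def is_denied_by_scp(policy, action, requested_region):
    """Simplified SCP evaluation: True if any Deny statement matches the request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            applies = not any(_action_matches(p, action) for p in stmt["NotAction"])
        else:
            applies = any(_action_matches(p, action) for p in stmt["Action"])
        if not applies:
            continue
        if _conditions_hold(stmt.get("Condition", {}), requested_region):
            return True
    return False


if __name__ == "__main__":
    print(render_scp())
    for action, region in [("ec2:RunInstances", "eu-central-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("iam:CreateUser", "us-east-1")]:
        verdict = "DENY" if is_denied_by_scp(REGION_RESTRICTION_SCP, action, region) else "allow"
        print(f"{action:22s} {region:14s} -> {verdict}")
```

Two points worth keeping in mind when adapting this: an SCP never grants anything, so the default FullAWSAccess policy (or an equivalent allow) must remain attached alongside it, and any service that is genuinely global but missing from the exemption list will start failing in the whole organization the moment the policy is attached, so test on a sandbox OU first.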
Design
Regions
The selection of Frankfurt and Ireland is driven by their status as the most developed AWS regions in Europe, offering a richer feature set and lower pricing. Ireland is designated as the secondary region due to its competitive pricing and early access to new AWS features. By implementing only the minimal required components (backup vaults) in the secondary region, the baseline cost of operating that region is significantly lower than that of an active region. Additionally, planning IP address space is considerably simpler when CIDR blocks are allocated for VPCs that operate in an even number of availability zones: working in increments of four allows the available IP space to be used in full.
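The "increments of four" remark is easiest to see with a concrete carve-up. The following added example (not part of the original article, and not the municipality's own address plan) uses Python's standard ipaddress module to split a constructed VPC CIDR into equal power-of-two blocks per availability zone and then into tiers within each zone. Because CIDR blocks can only be halved, three zones leave a quarter of the VPC stranded, whereas four zones consume it exactly; the fourth zone name is a placeholder for the reserved slot the article mentions, not an existing Frankfurt zone.

```python
"""CIDR planning across availability zones (added example, constructed addresses)."""
import ipaddress
import math


def az_blocks(vpc_cidr, n_az):
    """Split a VPC into equal power-of-two blocks, one per AZ.

    Returns (blocks_in_use, spare_blocks). The number of blocks is rounded up
    to the next power of two, which is where address space is lost when the
    AZ count is not itself a power of two.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if n_az == 1:
        return [vpc], []
    bits = math.ceil(math.log2(n_az))          # bits needed to number n_az blocks
    blocks = list(vpc.subnets(prefixlen_diff=bits))
    return blocks[:n_az], blocks[n_az:]


def utilization(vpc_cidr, n_az):
    """Fraction of the VPC's addresses that end up inside an AZ block."""
    used, _ = az_blocks(vpc_cidr, n_az)
    total = ipaddress.ip_network(vpc_cidr).num_addresses
    return sum(b.num_addresses for b in used) / total


def plan_subnets(vpc_cidr, azs, tiers):
    """Map (az, tier) -> subnet; each AZ block is split evenly across the tiers."""
    used, _ = az_blocks(vpc_cidr, len(azs))
    tier_bits = math.ceil(math.log2(len(tiers))) if len(tiers) > 1 else 0
    plan = {}
    for az, block in zip(azs, used):
        nets = [block] if tier_bits == 0 else list(block.subnets(prefixlen_diff=tier_bits))
        for tier, net in zip(tiers, nets):
            plan[(az, tier)] = net
    return plan


# Constructed sample: a /16 for the primary region, four AZ slots, four tiers.
VPC_CIDR = "10.10.0.0/16"
AZS = ["eu-central-1a", "eu-central-1b", "eu-central-1c", "eu-central-1d"]  # 1d is a placeholder
TIERS = ["public", "private", "data", "reserved"]

if __name__ == "__main__":
    for n in (2, 3, 4):
        print(f"{n} AZs -> {utilization(VPC_CIDR, n):.0%} of {VPC_CIDR} usable")
    for (az, tier), net in sorted(plan_subnets(VPC_CIDR, AZS, TIERS).items()):
        print(f"{az} {tier:9s} {net}")
```

Reserving the fourth block from day one, as the article's Result section describes, is what keeps the later addition of a zone from forcing a renumbering: the block already exists in the plan and simply has no subnets deployed in it yet.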
AWS Security Hub
AWS Security Hub gives a broad overview of all accounts within an organisation and ships with a set of best-practice security rules out of the box. The following security standards will be enabled: CIS AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices v1.0.0. AWS Security Hub has been enabled in all AWS accounts, with the Audit account designated as delegated administrator so that it can access security alerts for every account. This provides a central location for the aggregation of alerts, scans and compliance checks. Numerous other services, such as AWS Config and GuardDuty, integrate with Security Hub to provide a single location for all security needs.
Additionally, AWS Config has been enabled for all accounts and regions in which the Municipality operates. AWS Config findings are aggregated in the Audit account, and the Log Archive account retains the historical logs of all AWS Config events. AWS Config is a prerequisite for deploying Security Hub. Enabling AWS Config also allows operators to reconstruct the timeline of changes over the lifetime of a resource, which can aid investigations related to security or application configuration. Should the Municipality require additional compliance rules, either customised or based on existing compliance frameworks, AWS Config can be used to provide them.
Amazon GuardDuty
Finally, Amazon GuardDuty has been enabled in all accounts and regions in which the Municipality operates. GuardDuty findings are centralised in the Audit account so that security operators can view and manage events from a single point. GuardDuty provides timely information about suspicious activity within an AWS account; security, platform or application operators can review these events and perform further analysis on the resources involved to decide how each event should be handled.
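Once findings from every member account land in the Audit account, the first thing an operator wants is a prioritised queue that names the account, region and concrete resource behind each finding. The block below is an added example rather than the municipality's tooling: it takes findings in the shape returned by the GuardDuty GetFindings API (the three sample findings, account IDs, instance IDs and severity scores are constructed by hand), labels them with GuardDuty's documented severity bands, pulls the most useful identifier out of the Resource block and returns the findings above a chosen threshold, most severe first.

```python
"""Triage of GuardDuty findings aggregated in the Audit account (added example)."""

# Constructed sample findings in GetFindings shape; all identifiers are made up.
SAMPLE_FINDINGS = [
    {
        "Id": "finding-0001",
        "AccountId": "111111111111",
        "Region": "eu-central-1",
        "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "Severity": 2.0,
        "Resource": {"ResourceType": "Instance",
                     "InstanceDetails": {"InstanceId": "i-0abc0000000000001"}},
    },
    {
        "Id": "finding-0002",
        "AccountId": "222222222222",
        "Region": "eu-central-1",
        "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "Severity": 8.0,
        "Resource": {"ResourceType": "Instance",
                     "InstanceDetails": {"InstanceId": "i-0abc0000000000002"}},
    },
    {
        "Id": "finding-0003",
        "AccountId": "111111111111",
        "Region": "eu-west-1",
        "Type": "Recon:IAMUser/MaliciousIPCaller",
        "Severity": 5.0,
        "Resource": {"ResourceType": "AccessKey",
                     "AccessKeyDetails": {"UserType": "IAMUser",
                                          "UserName": "deploy-bot",
                                          "AccessKeyId": "AKIAEXAMPLE0000000"}},
    },
]


def severity_label(score):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0+."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def resource_identifier(resource):
    """Pull the identifier an operator will search for from the Resource block."""
    kind = resource.get("ResourceType")
    if kind == "Instance":
        return resource["InstanceDetails"]["InstanceId"]
    if kind == "AccessKey":
        details = resource["AccessKeyDetails"]
        return f'{details.get("UserType")}:{details.get("UserName")}'
    if kind == "S3Bucket":
        return resource["S3BucketDetails"][0]["Name"]
    return "unknown"


def triage(findings, min_severity=4.0):
    """Findings at or above min_severity, most severe first, flattened for a work queue."""
    selected = [f for f in findings if f["Severity"] >= min_severity]
    selected.sort(key=lambda f: f["Severity"], reverse=True)
    return [
        {
            "id": f["Id"],
            "account": f["AccountId"],
            "region": f["Region"],
            "type": f["Type"],
            "severity": severity_label(f["Severity"]),
            "resource": resource_identifier(f["Resource"]),
        }
        for f in selected
    ]


def findings_per_account(findings):
    """Count findings per member account, a quick signal for where to look first."""
    counts = {}
    for f in findings:
        counts[f["AccountId"]] = counts.get(f["AccountId"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f'{row["severity"]:8s} {row["account"]} {row["region"]:13s} {row["type"]:40s} {row["resource"]}')
    print(findings_per_account(SAMPLE_FINDINGS))
```

In a real deployment the input would come from the delegated administrator's GuardDuty API or from Security Hub, which carries the same findings in its own format; the threshold is deliberately a parameter, because low-severity findings such as brute-force attempts against an exposed port are still worth tracking over time even when they do not warrant an immediate page.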
Result
By choosing Frankfurt and Ireland as the primary and secondary AWS regions respectively, the municipality balances the need for advanced infrastructure against its digital sovereignty mandates. This strategy provides a robust framework for secure and sovereign data management within the European AWS landscape. Backup replication to the secondary region ensures business continuity, while limiting that region to essential components keeps operational costs down. Additionally, planning for up to four Availability Zones improves future scalability and failure resilience, with reserved IP address space allowing expansion without renumbering.