AWS Solutions Architect Associate Certification

Designing for Security

Turning up Security on Management Services Part 2

In this article, we explore designing secure architectures around AWS management services. Building on our previous discussion on Compute Optimizer and Trusted Advisor, we now delve deeper into management tools, focusing on AWS Organizations, IAM, and logging. These strategies help enhance security across multi-account environments while ensuring centralized monitoring and governance.

AWS Organizations

AWS Organizations lets you group multiple AWS accounts into organizational units (OUs), so that policies and security controls can be applied consistently across an enterprise. A crucial feature is Service Control Policies (SCPs). An SCP sets the maximum permissions available to the principals in an account; it never grants permissions on its own, and the account's own IAM policies still have to allow each action. When an SCP attached to the account, or to any OU above it, denies an action, no IAM user, role or policy inside that account can override that decision, however permissive it is. Two caveats matter in practice: SCPs do not apply to the management account, and an action must be allowed by every SCP on the path from the organization root down to the account. Used this way, SCPs keep IAM and logging practices consistent, for example by denying cloudtrail:StopLogging and cloudtrail:DeleteTrail in every member account.
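The interaction between an SCP and an account's own IAM policies is easiest to see in a small simulation. The following is an added example, not code from the course or from AWS: it models the documented evaluation order (an explicit Deny anywhere wins, every SCP on the OU path must Allow, then the identity policy must Allow, and the management account is exempt from SCPs) for a hypothetical Workloads OU. Account IDs, policy contents and role names are constructed for the example; resource policies, permission boundaries and NotAction are deliberately left out of the model.

```python
"""Simulate how an SCP and an identity-based IAM policy combine.

Added example, not course or AWS code. Models the documented evaluation
order for a principal in a member account:
  1. an explicit Deny in any SCP or the identity policy wins;
  2. every SCP on the path from the root to the account must Allow;
  3. the identity policy must Allow.
The management account is not governed by SCPs. Resource policies,
permission boundaries, session policies and NotAction are not modelled.
"""
from fnmatch import fnmatchcase
import json

MANAGEMENT_ACCOUNT = "111111111111"   # hypothetical account ID

# Constructed SCP for a "Workloads" OU: everything allowed except tampering
# with CloudTrail or leaving the organization.
SCP_WORKLOADS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail", "organizations:LeaveOrganization"],
     "Resource": "*"}
  ]
}
""")

# Constructed identity policies: a full administrator and a read-only auditor.
ADMIN_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")
AUDITOR_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["cloudtrail:Describe*", "cloudtrail:LookupEvents"],
                "Resource": "*"}]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive and may use IAM-style wildcards,
    # e.g. "ec2:*" or "cloudtrail:Describe*".
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for a single policy document."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"           # an explicit deny short-circuits
        decision = "Allow"
    return decision


def is_allowed(account_id, scps, identity_policy, action, resource="*"):
    """Combine the SCPs on the account's OU path with its identity policy."""
    if account_id != MANAGEMENT_ACCOUNT:
        # Each SCP on the path must Allow; a Deny or a missing Allow blocks.
        for scp in scps:
            if evaluate_policy(scp, action, resource) != "Allow":
                return False
    return evaluate_policy(identity_policy, action, resource) == "Allow"


if __name__ == "__main__":
    member = "222222222222"
    checks = [
        (member, ADMIN_POLICY, "cloudtrail:StopLogging"),     # SCP deny wins
        (member, ADMIN_POLICY, "ec2:RunInstances"),           # allowed
        (MANAGEMENT_ACCOUNT, ADMIN_POLICY, "cloudtrail:StopLogging"),  # exempt
        (member, AUDITOR_POLICY, "cloudtrail:DescribeTrails"),  # allowed
        (member, AUDITOR_POLICY, "ec2:RunInstances"),          # no IAM allow
    ]
    for account, policy, action in checks:
        verdict = is_allowed(account, [SCP_WORKLOADS], policy, action)
        print(f"{account} {action:32} -> {'ALLOW' if verdict else 'DENY'}")
```

The third check is the one that catches people out: the management account administrator can still stop logging, because SCPs never apply there. That is why the management account should hold no workloads and as few human identities as possible.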

The image illustrates an AWS Organizations structure, showing a hierarchy of accounts and organizational units with a focus on IAM and logging.

Centralized logging is also simpler with AWS Organizations. An organization trail created in the management account (or in a delegated administrator account) captures events from all member accounts, including accounts added later, and delivers them to a single S3 bucket, which keeps retention, format and storage consistent. Member accounts can see the organization trail but cannot stop, modify or delete it. Protect the destination bucket as carefully as the trail: restrict the bucket policy so that only the CloudTrail service principal can write to it, enable log file validation so tampering with delivered files is detectable, and encrypt the objects with a KMS key. AWS Control Tower builds on this by automating multi-account governance and creating the organization trail as part of its landing zone.

The image presents a scenario about managing IAM policies in AWS Organizations for a large enterprise, with four suggested approaches to enhance security and maintain consistency.

CloudTrail and Centralized Logging

An organization trail gives you a single trail that records management events (and, optionally, data events) from every account in the organization, so compliance evidence, auditing and security monitoring are uniform across accounts. Because member accounts cannot stop, modify or delete the organization trail, it also resists an attacker in a compromised member account who tries to cover their tracks, as long as the management account itself is tightly protected. AWS Control Tower can create and maintain this trail as part of its automated enforcement of security standards.

The image illustrates the design for security using AWS Organizations, showing the relationship between management and member accounts, CloudTrail, and S3 for log storage. It highlights how AWS Organizations supports CloudTrail across accounts and Amazon EventBridge (formerly CloudWatch Events).

For example, a Solutions Architect might recommend creating an organization trail in the management account (or in a delegated administrator account) to audit activity throughout the organization. This centralized approach reduces operational overhead and strengthens security controls, provided that access to the log bucket and to the trail's KMS key is controlled just as tightly.
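Once every account's events land in one bucket, the next step is to actually read them. The following is an added example, not course or AWS code: it triages a constructed batch of organization-trail records, flagging calls that weaken logging or governance (the watchlist is a hypothetical starting point) and distinguishing calls that succeeded from calls that were attempted but refused, for instance by an SCP. Account IDs, ARNs, IP addresses and the abbreviated records are all constructed; real records carry many more fields.

```python
"""Triage records delivered by an organization trail.

Added example, not course or AWS code. Each record names the account that
made the call in recipientAccountId; refused calls carry errorCode and
errorMessage but are still logged, which is exactly what you want to see.
The watchlist and the sample records are constructed for this example.
"""
import json
from collections import Counter

MANAGEMENT_ACCOUNT = "111111111111"   # hypothetical account ID

# API calls that weaken logging or organization governance (hypothetical list).
WATCHLIST = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "organizations.amazonaws.com": {"LeaveOrganization", "DetachPolicy",
                                    "DeletePolicy", "UpdatePolicy"},
}

# Constructed, abbreviated organization-trail delivery file.
SAMPLE_LOG = json.loads("""
{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "recipientAccountId": "222222222222",
  "userIdentity": {"arn": "arn:aws:sts::222222222222:assumed-role/Developer/alice"},
  "sourceIPAddress": "203.0.113.10"},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "recipientAccountId": "333333333333",
  "userIdentity": {"arn": "arn:aws:sts::333333333333:assumed-role/Admin/bob"},
  "sourceIPAddress": "198.51.100.7",
  "errorCode": "AccessDenied",
  "errorMessage": "not authorized ... with an explicit deny in a service control policy"},
 {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "organizations.amazonaws.com",
  "eventName": "DetachPolicy", "recipientAccountId": "111111111111",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/carol"},
  "sourceIPAddress": "192.0.2.44"}
]}
""")


def triage(records):
    """Return one finding per watchlisted call, successful or not."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in WATCHLIST.get(rec.get("eventSource"), ()):
            continue
        account = rec.get("recipientAccountId")
        attempted = "errorCode" in rec      # refused (e.g. by an SCP) but logged
        if attempted:
            severity = "medium"
        elif account == MANAGEMENT_ACCOUNT:
            # SCPs never restrict the management account, so a governance
            # change that succeeded there had only IAM standing in its way.
            severity = "critical"
        else:
            severity = "high"
        findings.append({
            "time": rec["eventTime"],
            "account": account,
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "outcome": "attempted" if attempted else "succeeded",
            "severity": severity,
        })
    return findings


def by_account(findings):
    """Count findings per account, which surfaces a noisy member account."""
    return dict(Counter(f["account"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG["Records"]):
        print(f"{f['severity']:8} {f['account']} {f['event']:14} "
              f"{f['outcome']:9} by {f['actor']} from {f['source_ip']}")
    print(by_account(triage(SAMPLE_LOG["Records"])))
```

The refused StopLogging is still worth an alert: the SCP did its job, but somebody with an Admin role in a member account tried to switch off logging, and that is an incident-response question, not a housekeeping one.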

The image presents a scenario where a corporation is using AWS Organizations to manage multiple accounts and is considering strategies for implementing and monitoring AWS CloudTrail. It lists four approaches for managing CloudTrail effectively within AWS Organizations.

AWS Control Tower and IAM Identity Center

AWS Control Tower sets up and governs a multi-account environment (a landing zone) by combining AWS Organizations with AWS IAM Identity Center (formerly AWS Single Sign-On). Control Tower configures IAM Identity Center for centralized users, groups and permission sets, provisions new accounts through Account Factory, and enables an organization trail in CloudTrail. Its guardrails, called controls, come in three kinds: preventive controls implemented as SCPs, detective controls implemented as AWS Config rules, and proactive controls that check CloudFormation templates before resources are created.

The image is a diagram explaining AWS Control Tower, highlighting its role in setting up AWS Organizations, SSO, and security, with a flowchart detailing the process of managing a multi-account environment.

For organizations requiring secure, centralized management, AWS Control Tower seamlessly integrates IAM Identity Center with supporting services to ensure that all activities are logged and policies consistently enforced.

The image presents a scenario where a multinational corporation is integrating AWS Control Tower with IAM Identity Center for user access management, offering four potential solutions for efficient management.

AWS Systems Manager

AWS Systems Manager is a comprehensive management suite for routine operational tasks such as patching, inventory, session management and compliance reporting across EC2 instances and on-premises servers. Installing the SSM Agent turns a machine into a managed node on which you can perform these operations securely at scale. The agent needs an IAM instance profile (or, for hybrid nodes, an IAM service role) with permissions such as those in the AmazonSSMManagedInstanceCore managed policy, and it only makes outbound connections to the Systems Manager endpoints, so no inbound ports have to be opened.

Key Components of Systems Manager

  • Systems Manager Explorer and OpsCenter
    Use Explorer for gaining operational insights, while OpsCenter facilitates incident management. Together with CloudTrail, CloudWatch, and IAM, these components secure and log operational actions.
    The image is a dashboard from AWS Systems Manager, showing instance counts, managed instances, and operational summaries with graphs and charts. It highlights features of SSM Explorer for securely storing system data and mentions standard IAM access.

  • How the subservices fit together
    AWS Config, OpsCenter, Inventory and the other subservices feed the same Explorer dashboards and share the same IAM and CloudTrail integration, so operational data is logged and stored securely regardless of which feature produced it.
    The image is a diagram illustrating the AWS Systems Manager, showing components like AWS Config, OpsCenter, and the Systems Manager Explorer Dashboard, with a note about secure data storage and logging.

  • Incident Manager
    Incident Manager enables the creation and management of response plans for operational events and failures, making it ideal for coordinating incident response efforts in complex environments.
    The image presents a scenario where a global retail company using AWS needs a solution for managing critical incidents. It lists four approaches for a Solutions Architect to consider, focusing on AWS Systems Manager Incident Manager and other AWS services.

  • Application Manager and AppConfig
    Application Manager provides alarms and operational insights for custom applications and services. AppConfig enables you to securely manage, validate, and deploy application configurations using IAM controls.
    The image presents a scenario where a financial services company needs a solution for managing and monitoring their AWS application stack, with four options provided for the Solutions Architect to consider.
    The image is a diagram illustrating the interaction between customers, an application, a server, and AWS AppConfig within the AWS Cloud. It shows the process of sending requests, checking for new configurations, and returning responses, emphasizing the security of SSM AppConfig through IAM authentication.

  • Parameter Store
    Parameter Store is a hierarchical store for configuration values such as environment settings, endpoints and credentials. Plain String parameters are stored unencrypted, so keep secrets in SecureString parameters, which are encrypted with a KMS key (the AWS managed key for Systems Manager or a customer managed key). Reading a SecureString requires both ssm:GetParameter on the parameter and kms:Decrypt on the key, which makes the KMS key policy a second place to enforce least privilege. For secrets that need automatic rotation, AWS Secrets Manager is the better fit.
    The image is a diagram illustrating the AWS Systems Manager Parameter Store, showing how parameters are stored and encrypted using a KMS key. It highlights the use of SecureString for encrypted storage of environment parameters.

  • Change Manager and Automation
    Change Manager wraps Automation runbooks in a change-request and approval workflow, so operational changes are both consistent and auditable. Automation itself executes the runbook steps under an IAM role that you specify, and every execution is recorded in CloudTrail, which helps streamline repetitive tasks such as patching and configuration changes without handing broad permissions to the people who request them.
    The image is a flowchart illustrating the AWS Systems Manager Change Manager process, showing steps from request to automation and execution on a managed instance. It includes roles like requestor, approver, and operator, and mentions Amazon SNS for notifications.
    The image is a flowchart illustrating the process of AWS Systems Manager automation, involving AWS Config, EBS Volumes, Secrets Manager, and a Slack Channel. It highlights the secure and trackable nature of IAM through CloudTrail with encrypted data.

  • Maintenance Windows
    Maintenance Windows define when tasks such as patching may run; together with Patch Manager they apply patches only during approved windows. Targets are selected by tag, so Linux and Windows instances can share the same schedule while each operating system uses its own patch baseline, and updates occur in a controlled and auditable manner.
    The image is a flowchart illustrating the AWS Systems Manager Change Calendar process, showing steps from creating a calendar and event to running maintenance tasks.
    The image presents a scenario where a healthcare company needs to automate AWS maintenance tasks, with four suggested solutions: AWS Systems Manager Maintenance Windows, AWS Lambda, Amazon EC2 Auto Scaling, and AWS Batch.

  • Fleet Manager and Compliance
    Fleet Manager provides a centralized console to monitor and troubleshoot a fleet of EC2 or on-premises servers. With Compliance and Inventory features, it reinforces security by tracking configuration and patch adherence.
    The image is a diagram explaining the AWS Systems Manager Fleet Manager, highlighting its features like checking status, identifying issues, taking action, and connecting remotely for fleet management and troubleshooting.
    The image presents a scenario where an e-commerce company needs to maintain compliance for managed nodes, and it asks which AWS Systems Manager feature should be recommended. Four options are provided: AWS Systems Manager for Node Management Compliance, AWS Config, Amazon Inspector, and AWS CloudTrail.
    The image shows a dashboard from a Systems Manager Inventory, displaying various data visualizations such as managed instances, inventory coverage, custom inventory types, OS versions, applications, and server roles. It highlights that SSM Inventory securely stores all data.

  • Hybrid Activations
    Hybrid Activations are the registration mechanism for on-premises servers and VMs: a machine presents an activation code and activation ID to register with Systems Manager as a managed node. Treat the code and ID as credentials, because anyone holding them can register a machine under the activation's IAM service role; limit the number of registrations an activation permits, keep its expiry short, and store the pair as you would a password.
    The image shows an AWS Systems Manager interface with details about SSM Hybrid Activations, including an activation code and ID. It highlights that SSM Hybrid Activations is a status and registration engine with minimal risk.

  • Session Manager and Run Command
    Session Manager gives you an interactive shell on a managed node through the SSM Agent, with no bastion host, public IP address or open inbound port (SSH and RDP can optionally be tunneled through it). Sessions are authorized by IAM, recorded in CloudTrail, and their contents can be logged to S3 or CloudWatch Logs. Run Command executes one-off commands across many instances at once. State Manager keeps instances in a desired configuration state by applying an SSM document on a schedule, for example checking that a web server listens only on port 443 and reporting the node as non-compliant when it does not.

    The image illustrates the use of AWS Systems Manager State Manager to manage and detect the state of EC2 and RDS instances, highlighting its security features.

  • Patch Manager and Distributor
    Patch Manager automates system patching based on predefined baselines and maintenance windows. In parallel, SSM Distributor securely distributes custom software packages across your environment using controlled IAM permissions.
    The image is a diagram illustrating the AWS Systems Manager Patch Manager process, showing the flow from tasks and maintenance windows to patch groups and tagged instances. It highlights the security aspect of SSM Patch Manager in software delivery.
    The image is a diagram illustrating the AWS Systems Manager process for distributing software packages across multiple accounts using SSM Distributor. It shows the flow from uploading assets to an S3 bucket to distributing software to instances.

  • SSM Documents
    SSM documents are JSON or YAML definitions of the actions Systems Manager performs, in several types (Command, Automation, Session and Policy documents among others). AWS publishes many documents, and you can author, version and share your own across accounts. Used with the Automation engine and State Manager, they standardize routine tasks and enforce consistent configurations across your environment.
    The image presents a scenario where a software development team needs to automate operational tasks in AWS, with four options for AWS Systems Manager features to recommend. The options include using AWS Systems Manager Documents, AWS Lambda, AWS CloudFormation, and Amazon EC2 Auto Scaling.
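The "listens only on 443" check mentioned under State Manager, as an added example that is not the course's code or an AWS-provided document: this script parses the output of `ss -ltnH` and reports listening TCP sockets outside an allowed set, exiting non-zero so that a State Manager association wrapping it (for instance in an aws:runShellScript step of a custom Command document, which is not shown here) reports the node as non-compliant. The sample `ss` output and the port policy are constructed for the example.

```python
"""Listener compliance check of the kind a State Manager association runs.

Added example, not course or AWS code. Parses `ss -ltnH` output and flags
listening TCP sockets outside an allowed set. Exiting 1 makes the wrapping
document step fail, so State Manager reports the node as NonCompliant.
"""
import subprocess
import sys

ALLOWED_PORTS = {443}   # hypothetical policy: the web tier listens on 443 only

# Constructed `ss -ltnH` output: 443 as expected, an SSH daemon that should
# be unnecessary once Session Manager is in use, and a loopback-only 8080.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
LISTEN 0      4096            [::]:443           [::]:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511        127.0.0.1:8080       0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line; other lines are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local Address:Port is the 4th column; rpartition handles "[::]:443".
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def check_listeners(ss_output, allowed_ports=ALLOWED_PORTS, ignore_loopback=True):
    """Return the listeners that violate the policy, in the order seen."""
    violations = []
    for addr, port in parse_listeners(ss_output):
        if ignore_loopback and addr in LOOPBACK:
            continue
        if port not in allowed_ports:
            violations.append((addr, port))
    return violations


def main(ss_output=None):
    """Run the check; exit code 1 on any violation so the document step fails."""
    if ss_output is None:
        # On a real node read the live socket table; the sample is used here
        # so the script also runs offline.
        try:
            ss_output = subprocess.run(["ss", "-ltnH"], capture_output=True,
                                       text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            ss_output = SAMPLE_SS_OUTPUT
    violations = check_listeners(ss_output)
    for addr, port in violations:
        print(f"NONCOMPLIANT: unexpected listener {addr}:{port}")
    if not violations:
        print("COMPLIANT: only allowed ports are listening")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(SAMPLE_SS_OUTPUT))
```

Whether loopback-only listeners count is a policy decision; the sample treats them as acceptable because they are unreachable from the network, and the `ignore_loopback` flag lets a stricter baseline include them.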

AWS Service Catalog and License Manager

  • Service Catalog
    AWS Service Catalog lets you offer pre-approved AWS resources as products backed by CloudFormation or Terraform templates. Access to portfolios and products is governed by IAM, and launch constraints let end users provision a product under a role you control, so they never need the underlying permissions themselves; keep those roles scoped to what the template actually creates.

    The image presents a scenario where a financial services company needs to manage authentication for AWS Service Catalog. It lists four approaches for a Solutions Architect to consider for securely managing authentication.

  • License Manager
    AWS License Manager helps track and manage licenses, including notifications for license overages or expirations while adhering to AWS security best practices to safeguard sensitive information.

    The image is a diagram explaining the AWS License Manager, showing steps for defining rules, attaching licensing rules, tracking licenses, and using alerts for management. It highlights the security and management of sensitive information.

AWS Proton

AWS Proton automates container and serverless deployments from environment and service templates that a platform team defines. Proton itself exposes few security settings beyond IAM and the template contents, but every API call is recorded in CloudTrail. Secure deployments with Proton therefore depend on storing those CloudTrail logs in an encrypted S3 bucket, reviewing the templates for insecure defaults before they are published, and fully leveraging the security controls the templates provision.

The image presents a scenario where a software company uses AWS Proton for deployments and seeks logging solutions for auditing and troubleshooting. It lists four recommended approaches for a Solutions Architect to securely meet this requirement.

A best practice is to utilize Proton’s built-in security features for both environments and templates, including regular vulnerability assessments and automated scans.

The image provides security best practices for deploying microservices using AWS Proton, including scanning templates for vulnerabilities, encrypting data, utilizing built-in security controls, and implementing network firewalls.

Additional Management Tools

Other management services such as Tag Editor, Resource Explorer, Resource Groups, Resource Access Manager (RAM), and Resilience Hub rely on IAM for access control and on CloudTrail for API logging; they add no logging mechanisms of their own beyond standard AWS managed security practices. RAM deserves a closer look because it shares resources such as subnets with other accounts, so review what is shared and with whom. The management and governance tools encrypt data in transit with TLS and, where they store data, at rest, so sensitive operations remain protected.

Conclusion

In summary, we reviewed a variety of AWS management services and examined how security is integrated across each. From AWS Organizations with SCPs and centralized CloudTrail logging to AWS Control Tower’s automated setup and the comprehensive feature set of AWS Systems Manager, AWS offers robust security and governance mechanisms primarily anchored by IAM, CloudTrail, and native encryption.

The image is a summary slide listing four key points about management services, including their range, management level, encryption features, and extensiveness. The slide has a gradient blue background on the left and numbered points on the right.

Next Steps

Stay tuned for our next article, where we continue to explore additional aspects of security and operational excellence. For more detailed guidance, refer to the AWS Documentation.

Previous
Turning up Security on Management Services Part 1