Benchmark: AWS Audit Manager Control Tower Guardrails
Overview
AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS Single Sign-on, to build a landing zone in less than an hour. Resources are set up and managed on your behalf.
AWS Control Tower orchestration extends the capabilities of AWS Organizations. To help keep your organizations and accounts from drift, which is divergence from best practices, AWS Control Tower applies preventive and detective controls (guardrails). For example, you can use guardrails to ensure that security logs and necessary cross-account access permissions are created, and not altered.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select AWS Audit Manager Control Tower Guardrails.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.audit_manager_control_tower
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.audit_manager_control_tower --share
Benchmarks
- EBS checks
- Disallow Internet Connection
- Multi-Factor Authentication
- Disallow Public Access
- Disallow Instances