Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.4.2.4. Automating the Application of Security Controls in Multi-Account and Multi-Region Environments (Security Hub, Organizations, Control Tower, Systems Manager)

Security controls must be applied automatically as new accounts are created and new resources are provisioned — manual security doesn't scale.

Automated security baseline deployment:
  1. Account creation (Control Tower Account Factory) → triggers baseline CloudFormation StackSet
  2. StackSet deploys: GuardDuty enabled, Config enabled, CloudTrail configured, VPC Flow Logs enabled
  3. SCPs applied via OU membership — prevent disabling security controls
  4. Security Hub aggregates findings from all accounts to the security account

# StackSet: Security baseline for every new account
Parameters:
  VPC:
    Type: AWS::EC2::VPC::Id      # VPC whose traffic is logged in this account
  ConfigRoleArn:
    Type: String                 # IAM role AWS Config assumes to record resources
  FlowLogsRoleArn:
    Type: String                 # IAM role allowed to publish flow logs to CloudWatch
Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      RoleARN: !Ref ConfigRoleArn  # required; the recorder cannot exist without a role
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true
  # Note: the recorder only starts once an AWS::Config::DeliveryChannel (S3 bucket) exists in the account
  FlowLogGroup:
    Type: AWS::Logs::LogGroup      # destination for the flow log records
  FlowLog:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceId: !Ref VPC
      ResourceType: VPC
      TrafficType: ALL
      LogDestinationType: cloud-watch-logs
      LogGroupName: !Ref FlowLogGroup              # required for cloud-watch-logs
      DeliverLogsPermissionArn: !Ref FlowLogsRoleArn  # required for cloud-watch-logs

Preventive controls (SCPs):
  • Deny disabling CloudTrail, Config, GuardDuty
  • Deny creating resources in non-approved regions
  • Deny public S3 access at the organizational level
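The three preventive SCPs above, written as one policy document, together with a small evaluator that shows how an explicit Deny in an SCP is matched against a request. This is an added example, not part of the course material; the approved-region list, the exact action names, and the global-service exemptions in the region statement are illustrative assumptions modelled on the pattern AWS documents for region-restricting SCPs.

```python
"""Added example (not MindMesh Academy course material): the three preventive
SCPs from the list above as one policy document, plus a minimal evaluator.
Assumptions (not from the page): the approved regions, the action names and
the global-service exemptions are illustrative choices.
"""
from fnmatch import fnmatchcase

APPROVED_REGIONS = ["us-east-1", "eu-west-1"]  # constructed for the example

# One SCP covering the three preventive controls from the list above.
SECURITY_BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny disabling CloudTrail, Config, GuardDuty
            "Sid": "DenyDisablingSecurityServices",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "guardduty:DeleteDetector",
                "guardduty:UpdateDetector",
                "guardduty:DisassociateFromMasterAccount",
            ],
            "Resource": "*",
        },
        {   # Deny resource creation outside approved regions. Global services
            # are exempted via NotAction because their API calls are routed to
            # us-east-1 regardless of where the caller is working.
            "Sid": "DenyNonApprovedRegions",
            "Effect": "Deny",
            "NotAction": [
                "iam:*", "organizations:*", "sts:*", "support:*",
                "route53:*", "cloudfront:*", "budgets:*", "health:*",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}
            },
        },
        {   # Deny weakening S3 Block Public Access at account or bucket level
            "Sid": "DenyRemovingS3PublicAccessBlock",
            "Effect": "Deny",
            "Action": [
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketPublicAccessBlock",
            ],
            "Resource": "*",
        },
    ],
}


def _action_matches(patterns, action):
    # IAM action patterns use '*' as a wildcard, e.g. "iam:*"
    return any(fnmatchcase(action, p) for p in patterns)


def _statement_applies(stmt, action, region):
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False
    # Only the condition operator used in this policy is modelled.
    for key, allowed in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if key == "aws:RequestedRegion" and region in allowed:
            return False
    return True


def scp_denies(policy, action, region):
    """Return the Sid of the first matching Deny statement, else None.

    An SCP never grants access: None only means the SCP does not block the
    request; the IAM policies in the member account still decide.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_applies(stmt, action, region):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    for action, region in [
        ("cloudtrail:StopLogging", "us-east-1"),
        ("ec2:RunInstances", "ap-southeast-2"),
        ("ec2:RunInstances", "eu-west-1"),
        ("iam:CreateUser", "us-east-1"),
        ("s3:PutAccountPublicAccessBlock", "eu-west-1"),
    ]:
        print(f"{action:34} {region:16} -> {scp_denies(SECURITY_BASELINE_SCP, action, region)}")
```

Two points the evaluator makes visible: an SCP only ever removes permissions (a request the SCP does not deny is still subject to the account's IAM policies), and it does not apply to the management account, which is why the security tooling should live in a dedicated member account under a protected OU.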

Detective controls (Config + Security Hub):
  • Config rules evaluate continuously
  • Security Hub consolidates findings with severity scoring
  • AWS Firewall Manager manages WAF, Shield, Security Groups centrally
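What the security account does with the findings once Security Hub has aggregated them (step 4 of the baseline above and the severity scoring just listed): filter out findings that need no action, count the rest per account and severity, and pick the accounts to escalate. This is an added example, not part of the course material; the findings are constructed in the field layout of the AWS Security Finding Format (ASFF), and the account IDs, generator IDs and titles are made up.

```python
"""Added example (not MindMesh Academy course material): triage of Security Hub
findings in the aggregating security account. SAMPLE_FINDINGS is constructed
in the ASFF field layout; account IDs, ARNs and titles are made up.
"""
from collections import defaultdict

# Security Hub severity labels, lowest to highest
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def _rank(label):
    return SEVERITY_ORDER.index(label)


# Constructed sample of what GetFindings returns for three member accounts.
SAMPLE_FINDINGS = [
    {   # GuardDuty finding forwarded to Security Hub (no Compliance block)
        "Id": "constructed-finding-0001",
        "AwsAccountId": "111111111111", "Region": "us-east-1",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
        "Title": "Constructed sample GuardDuty finding",
        "Severity": {"Label": "CRITICAL", "Normalized": 90},
        "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
    },
    {   # Control finding that is passing: informational only
        "Id": "constructed-finding-0002",
        "AwsAccountId": "111111111111", "Region": "us-east-1",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "GeneratorId": "constructed-standard/v/1.0.0/Control.1",
        "Title": "Constructed sample control finding (passing)",
        "Severity": {"Label": "LOW", "Normalized": 1},
        "Compliance": {"Status": "PASSED"},
        "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
    },
    {   # Failing control, but an analyst already resolved it
        "Id": "constructed-finding-0003",
        "AwsAccountId": "222222222222", "Region": "eu-west-1",
        "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
        "GeneratorId": "constructed-standard/v/1.0.0/Control.2",
        "Title": "Constructed sample control finding (resolved)",
        "Severity": {"Label": "HIGH", "Normalized": 70},
        "Compliance": {"Status": "FAILED"},
        "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"},
    },
    {   # Failing control still open
        "Id": "constructed-finding-0004",
        "AwsAccountId": "222222222222", "Region": "eu-west-1",
        "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub",
        "GeneratorId": "constructed-standard/v/1.0.0/Control.3",
        "Title": "Constructed sample control finding (open)",
        "Severity": {"Label": "MEDIUM", "Normalized": 40},
        "Compliance": {"Status": "FAILED"},
        "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
    },
    {   # Archived: the resource no longer exists, nothing to do
        "Id": "constructed-finding-0005",
        "AwsAccountId": "333333333333", "Region": "us-east-1",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
        "Title": "Constructed sample GuardDuty finding (archived)",
        "Severity": {"Label": "HIGH", "Normalized": 70},
        "RecordState": "ARCHIVED", "Workflow": {"Status": "NEW"},
    },
]


def is_actionable(finding):
    """Keep only findings that still need human or automated follow-up."""
    if finding.get("RecordState") != "ACTIVE":
        return False  # ARCHIVED: resource gone or the control now passes
    if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return False
    # Control findings carry a Compliance block; PASSED ones need no action.
    if finding.get("Compliance", {}).get("Status") == "PASSED":
        return False
    return True


def summarize_by_account(findings):
    """Map account ID -> {severity label: count} over actionable findings."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        if is_actionable(f):
            summary[f["AwsAccountId"]][f["Severity"]["Label"]] += 1
    return {acct: dict(counts) for acct, counts in summary.items()}


def accounts_to_escalate(findings, threshold="HIGH"):
    """Sorted account IDs with at least one actionable finding at or above threshold."""
    hit = {f["AwsAccountId"] for f in findings
           if is_actionable(f) and _rank(f["Severity"]["Label"]) >= _rank(threshold)}
    return sorted(hit)


if __name__ == "__main__":
    print(summarize_by_account(SAMPLE_FINDINGS))
    print(accounts_to_escalate(SAMPLE_FINDINGS))
```

The filter is the part that matters operationally: a raw finding count per account is dominated by passing controls and archived records, so severity-based escalation is only meaningful after RecordState, Workflow.Status and Compliance.Status have been taken into account.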

Exam Trap: AWS Firewall Manager requires AWS Organizations with all features enabled AND Security Hub enabled. Without Security Hub, Firewall Manager can't report compliance status. If the exam asks about centrally managing WAF rules or security groups across accounts, the answer is Firewall Manager — not manually deploying WAF rules per account.

Written by Alvin Varughese, Founder, 15 professional certifications