AWS management account starter pack

A CloudFormation template with the basics for an organizational management account

Tamás Sallai

5 mins

Photo by Kat Canavan on Unsplash

Code is available on GitHub

Want to learn AWS serverless development? Click here

There are a couple of best practices when setting up a new management account in AWS. My current list:

enable a multi-region organizational CloudTrail
enable a budget alarm with a sensible limit
setup a notification for the root account login
setup a notification for any console sign-ins
setup a notification for any access denied errors

Recently, I realized that in my own account these things were done in an ad-hoc way and then decided to add some IaC automation to it. So now I have a CloudFormation template that I can easily deploy to any new management account and it follows the best practices.

This article describes the reasoning behind these features and what extra manual actions are needed.

The stack needs to be deployed in the us-east-1 region.

Book

A Practical Guide to AWS IAM

How to Write Policies, Control Access, and Secure an AWS Account

CloudTrail

CloudTrail logs events happening in the accounts. It is a best practice to enable it so that when a security incident happens there will be logs available to help the investigation. It writes this data into an S3 bucket.

A trail can be set up to collect all events happening inside the whole organization, even in other accounts. This is very powerful: even if a member account is completely breached these logs will be safe in the management account.

A trail that logs events in all regions in all accounts:

CloudTrail:
  Type: AWS::CloudTrail::Trail
  Properties:
    IncludeGlobalServiceEvents: true
    IsMultiRegionTrail: true
    IsOrganizationTrail: true
    ...

Moreover, it's useful to setup a CloudWatch Log Group for the trail as well as it will be required for some events we'll see later in the stack.

Budget alarm

AWS can publish the end-of-month estimated charges for the account and a CloudWatch alarm can be added to notify if the charges pass a limit.

This is a powerful way to detect issues with an account: a misconfiguration that results in runaway costs or a deliberate denial-of-walled attack results in a notification so you know you'll need to investigate. Without an alarm like this, these kinds of problems only surface at the end of the month in a surprise bill. So it's a best practice to set it up for the management account.

To receive budget alerts, it must be enabled manually on the console:

Open the AWS Billing console at https://console.aws.amazon.com/billing/.

In the navigation pane, choose Billing Preferences.

By Alert preferences choose Edit.

Choose Receive CloudWatch Billing Alerts.

Choose Save preferences.

Using the root account is an anti-pattern and should be avoided. Instead, create an admin user and use that, or even better, use the IAM Identity Center to configure the SSO.

Because the root account credentials is another set of highly sensitive secrets that should not be used, it's useful to set up some notification when they are. Fortunately, EventBridge publishes an event when this happens, so it's possible to set up a notification.

RootLoginEventRule:
  Type: "AWS::Events::Rule"
  Properties:
    State: ENABLED
    EventPattern:
      detail-type:
        - AWS Console Sign In via CloudTrail
      detail:
        userIdentity:
          type:
            - Root

AWS: How to get notified on root account login

The root account is so powerful you shouldn't use it. Then make sure nobody else does

Similar to the root account login, the management account is a high-profile target as it provides an entry point to all other accounts. Also, as a best practice the management account should not contain any application resources, which means it is used very rarely. Because of this, it makes sense to set up a notification when any user signs in to the account.

Setting it up is a bit more tricky:

CloudTrail captures the ConsoleLogin events
it writes into a CloudWatch Log Group
then a metric filter writes a metric about the number of these events
then an alarm fires when it goes above 0

AWS: How to get notified on IAM user logins

Knowing when a user is accessing your account can help detect intrusions. Learn how to set up a notification

Why a multi-account setup is essential for secure systems

Development and production are to be separated by account boundaries

Access denied errors

The thinking behind this is similar to the IAM user logins: the management account holds no application resources and it is seldom used, so any request that is denied should be investigated. And the implementation is similar as well: whenever CloudTrail publishes an event where the access was denied, it triggers an alarm.

How to auto-disable leaked IAM credentials

Attach the AWSDenyAll policy when a user makes a request that is denied

Other manual tasks

There are a couple of manual tasks that should be taken after setting up the management account.

First, the stack creates an SNS topic but you need to subscribe to it to get any notifications.

Second, it's best practice to use IAM Identity Center to set up SSO for the whole organization. This makes managing users way easier and the sign-in experience better. Unfortunately, it can't be scripted at this moment.