Merge branch 'master' into osterman/fix-version-selector

Author: osterman

blog/2025-12-18-security-compliance-components.mdx

@@ -0,0 +1,127 @@
+---
+title: "Comprehensive Security and Compliance Components for AWS Organizations"
+slug: security-compliance-components
+authors: [cloudposse]
+tags: [security, compliance, aws, components, guardduty, security-hub, inspector, macie]
+date: 2025-12-18
+---
+
+import Intro from '@site/src/components/Intro';
+import Steps from '@site/src/components/Steps';
+
+<Intro>
+  We're excited to announce comprehensive documentation for our suite of security and compliance Terraform components.
+  These components enable you to deploy AWS security services across your entire AWS Organization using the delegated
+  administrator pattern, providing centralized security monitoring and compliance assessment.
+</Intro>
+
+Hello SweetOps!
+
+Security and compliance are critical for any organization running workloads on AWS.
+Whether you're pursuing SOC2, HIPAA, PCI DSS, FedRAMP, or CIS benchmarks, you need comprehensive visibility into threats,
+vulnerabilities, and configuration drift across all your accounts.
+
+We've updated and documented our security and compliance components to make deploying these services straightforward and
+maintainable at scale.
+
+## What's Included
+
+Our security and compliance framework includes 9 Terraform components:
+
+| Component | Purpose |
+|-----------|---------|
+| [AWS Config](/layers/security-and-compliance/aws-config/) | Configuration compliance and resource inventory |
+| [AWS CloudTrail](/layers/security-and-compliance/aws-cloudtrail/) | API activity logging and audit trail |
+| [AWS GuardDuty](/layers/security-and-compliance/aws-guardduty/) | Intelligent threat detection |
+| [AWS Security Hub](/layers/security-and-compliance/aws-security-hub/) | Centralized security findings aggregation |
+| [AWS Inspector 2](/layers/security-and-compliance/aws-inspector2/) | Automated vulnerability scanning |
+| [Amazon Macie](/layers/security-and-compliance/aws-macie/) | Sensitive data discovery in S3 |
+| [IAM Access Analyzer](/layers/security-and-compliance/aws-access-analyzer/) | External and unused access detection |
+| [AWS Shield](/layers/security-and-compliance/aws-shield/) | DDoS protection |
+| [AWS Audit Manager](/layers/security-and-compliance/aws-audit-manager/) | Compliance evidence collection |
+
+## Key Architecture Decisions
+
+Our approach uses the **delegated administrator** pattern, centralizing security management while maintaining proper separation of concerns:
+
+<Steps>
+  - **Security Account**: Acts as the delegated administrator for threat detection and security monitoring services
+  - **Audit Account**: Stores immutable logs (CloudTrail) and configuration snapshots (Config)
+  - **Root Account**: Delegates administration but doesn't manage day-to-day security operations
+  - **Member Accounts**: Automatically enrolled and monitored by the security account
+</Steps>
+
+## Deployment Models
+
+Different AWS services require different deployment approaches. We've documented each pattern:
+
+### 3-Step Delegated Administrator
+Used by GuardDuty, Security Hub, and Macie:
+1. Deploy to security account (creates the service)
+2. Deploy to root account (delegates administration)
+3. Deploy org settings to security account (configures organization-wide settings)
+
+### 2-Step Delegated Administrator
+Used by Inspector and Access Analyzer:
+1. Deploy to root account (delegates administration)
+2. Deploy org settings to security account
+
+### Per-Account Deployment
+Used by Config and CloudTrail, with central aggregation in security/audit accounts.
+
+### Per-Resource Deployment
+Used by Shield Advanced for protecting specific resources like ALBs, CloudFront distributions, and Route53 hosted zones.
+
+## Compliance Framework Support
+
+These components support multiple compliance frameworks out of the box:
+
+- **CIS AWS Foundations Benchmark** (v1.4, v1.5)
+- **AWS Foundational Security Best Practices**
+- **PCI DSS** (Payment Card Industry)
+- **HIPAA** (Healthcare)
+- **SOC 2** (Service Organization Control)
+- **NIST 800-53** (Federal)
+- **FedRAMP** (Federal Risk and Authorization)
+- **CMMC** (Cybersecurity Maturity Model Certification)
+
+## Getting Started
+
+We've created comprehensive documentation to help you deploy these components:
+
+1. **[Security and Compliance Overview](/layers/security-and-compliance/)** - Architecture and component descriptions
+2. **[Setup Guide](/layers/security-and-compliance/setup/)** - Step-by-step deployment instructions
+3. **[FAQ](/layers/security-and-compliance/faq/)** - Common issues and troubleshooting
+
+Each component also has its own detailed documentation page with stack configurations, deployment commands, and key variables.
+
+## Component Repositories
+
+All components are available in the [`cloudposse-terraform-components`](https://github.com/cloudposse-terraform-components) GitHub organization:
+
+- [aws-config](https://github.com/cloudposse-terraform-components/aws-config)
+- [aws-cloudtrail](https://github.com/cloudposse-terraform-components/aws-cloudtrail)
+- [aws-guardduty](https://github.com/cloudposse-terraform-components/aws-guardduty)
+- [aws-security-hub](https://github.com/cloudposse-terraform-components/aws-security-hub)
+- [aws-inspector2](https://github.com/cloudposse-terraform-components/aws-inspector2)
+- [aws-macie](https://github.com/cloudposse-terraform-components/aws-macie)
+- [aws-access-analyzer](https://github.com/cloudposse-terraform-components/aws-access-analyzer)
+- [aws-shield](https://github.com/cloudposse-terraform-components/aws-shield)
+- [aws-audit-manager](https://github.com/cloudposse-terraform-components/aws-audit-manager)
+
+## What's Next
+
+We're continuing to improve our security and compliance components:
+
+- Additional conformance pack templates for common compliance frameworks
+- Enhanced integration between services
+- More automated remediation patterns via EventBridge
+- Expanded documentation for GovCloud deployments
+
+:::tip Need Help?
+If you have questions about deploying security and compliance components, reach out in the [SweetOps Slack](https://cloudposse.com/slack)
+or check our [FAQ](/layers/security-and-compliance/faq/) for common issues.
+:::
+
+We'd love to hear your feedback on these components. Let us know what compliance frameworks you're targeting and how we
+can make these components work better for your organization!

blog/authors.yml

@@ -23,4 +23,10 @@ Benbentwo:
   title: Cloud Posse
   url: https://github.com/Benbentwo
   image_url: https://github.com/Benbentwo.png
-# TODO add your name here
+aknysh:
+  name: Andriy Knysh
+  title: Principal Architect @ Cloud Posse
+  url: https://github.com/aknysh
+  image_url: https://github.com/aknysh.png
+
+# TODO add your name here

docs/layers/security-and-compliance/aws-access-analyzer.mdx

@@ -0,0 +1,189 @@
+---
+title: AWS IAM Access Analyzer
+sidebar_label: AWS Access Analyzer
+sidebar_position: 9
+description: "Identify external access to resources and unused IAM permissions"
+---
+import Intro from '@site/src/components/Intro';
+import KeyPoints from '@site/src/components/KeyPoints';
+import Note from '@site/src/components/Note';
+
+<Intro>
+AWS IAM Access Analyzer identifies resources shared with external entities and detects unused IAM permissions,
+enabling you to implement least-privilege access and identify unintended access to your resources.
+</Intro>
+
+## Overview
+
+Access Analyzer provides:
+
+- **External Access Analysis**: Identifies resources shared with external principals outside your organization
+- **Unused Access Analysis**: Detects unused IAM roles, users, and permissions
+- **Policy Validation**: Validates IAM policies against best practices
+- **Policy Generation**: Generates least-privilege policies based on CloudTrail activity
+- **Multi-account Coverage**: Organization-wide analysis from a central account
+
+## Analyzer Types
+
+This component creates two types of organization-wide analyzers:
+
+| Analyzer Type | Purpose | Findings |
+|---------------|---------|----------|
+| `ORGANIZATION` | External access analysis | Public access, cross-account access, cross-organization access |
+| `ORGANIZATION_UNUSED_ACCESS` | Unused access analysis | Unused roles, users, permissions (configurable threshold) |
+
+## Supported Resources
+
+External access analyzer monitors:
+
+- Amazon S3 buckets and access points
+- IAM roles and policies
+- AWS KMS keys
+- AWS Lambda functions and layers
+- Amazon SQS queues
+- AWS Secrets Manager secrets
+- Amazon SNS topics
+- Amazon EBS volume snapshots
+- Amazon RDS DB snapshots
+- Amazon ECR repositories
+- Amazon EFS file systems
+
+## Architecture
+
+```mermaid
+flowchart LR
+    subgraph root["Root Account"]
+        step1["STEP 1: Delegate"]
+    end
+
+    subgraph security["Security Account"]
+        step2["STEP 2: Create Analyzers"]
+        dashboard["Access Analyzer Dashboard"]
+    end
+
+    subgraph members["Member Accounts"]
+        member["Auto-analyzed"]
+    end
+
+    root -->|"Delegation"| security
+    members -->|"Findings"| dashboard
+```
+
+## Deployment
+
+Access Analyzer uses a **2-step delegated administrator** deployment model.
+
+### Step 1: Deploy to Organization Management Account
+
+<Note title="Root Access Required">
+This step requires root account access (such as with the `managers` profile).
+</Note>
+
+```yaml
+# core-gbl-root
+components:
+  terraform:
+    aws-access-analyzer/root:
+      metadata:
+        component: aws-access-analyzer
+      backend:
+        s3:
+          role_arn: null
+      vars:
+        enabled: true
+        delegated_administrator_account_name: core-security
+        organizations_delegated_administrator_enabled: true
+        service_linked_role_enabled: true
+        # Analyzers created in security account
+        accessanalyzer_organization_enabled: false
+        accessanalyzer_organization_unused_access_enabled: false
+```
+
+```bash
+atmos terraform apply aws-access-analyzer/root -s core-gbl-root
+```
+
+### Step 2: Deploy Organization Analyzers
+
+```yaml
+# core-ue1-security
+components:
+  terraform:
+    aws-access-analyzer/org-settings:
+      metadata:
+        component: aws-access-analyzer
+      vars:
+        enabled: true
+        delegated_administrator_account_name: core-security
+        environment: ue1
+        region: us-east-1
+        # Create organization analyzers
+        accessanalyzer_organization_enabled: true
+        accessanalyzer_organization_unused_access_enabled: true
+        unused_access_age: 30
+        # Already delegated
+        organizations_delegated_administrator_enabled: false
+```
+
+```bash
+atmos terraform apply aws-access-analyzer/org-settings -s core-ue1-security
+```
+
+## Multi-Region Deployment
+
+Access Analyzer is a regional service. Deploy analyzers to each region:
+
+```bash
+# Delegation (once, globally)
+atmos terraform apply aws-access-analyzer/root -s core-gbl-root
+
+# Analyzers per region
+atmos terraform apply aws-access-analyzer/org-settings -s core-ue1-security
+atmos terraform apply aws-access-analyzer/org-settings -s core-uw2-security
+```
+
+## Unused Access Configuration
+
+Configure the threshold for unused access findings:
+
+```yaml
+components:
+  terraform:
+    aws-access-analyzer/org-settings:
+      vars:
+        accessanalyzer_organization_unused_access_enabled: true
+        # Days without use before generating findings (default: 30)
+        unused_access_age: 30
+```
+
+## Key Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `organizations_delegated_administrator_enabled` | Enable delegation to security account | `false` |
+| `service_linked_role_enabled` | Create the service-linked role | `true` |
+| `accessanalyzer_organization_enabled` | Enable external access analyzer | `false` |
+| `accessanalyzer_organization_unused_access_enabled` | Enable unused access analyzer | `false` |
+| `unused_access_age` | Days without use before generating findings | `30` |
+
+## Cost Considerations
+
+- **External Access Analyzer**: No additional charge (included with AWS account)
+- **Unused Access Analyzer**: Charged per IAM role or user analyzed per month
+
+## Security Hub Integration
+
+Access Analyzer findings are automatically sent to Security Hub when both services are enabled.
+
+## See Also
+
+- [AWS Security Hub](/layers/security-and-compliance/aws-security-hub/) - Aggregates Access Analyzer findings
+- [AWS Config](/layers/security-and-compliance/aws-config/) - Monitors IAM policy configurations
+- [Setup Guide](/layers/security-and-compliance/setup/) - Complete deployment instructions
+
+## References
+
+- [AWS IAM Access Analyzer Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)
+- [aws-access-analyzer Component](https://github.com/cloudposse-terraform-components/aws-access-analyzer)
+- [Access Analyzer Findings](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html)
+- [Unused Access Analysis](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-unused-access.html)