What each control does, why it’s there, and what security benefit it provides.
| Control | What it does | Why / benefit |
|---|---|---|
| CloudTrail (multi-region) | Records API and console activity across all regions. | Single place to investigate who did what and when; required for many compliance and incident-response scenarios. |
| Log file validation | Ensures CloudTrail log files have not been modified. | Detects tampering with the audit trail. |
| KMS for logs | Encrypts CloudTrail and CloudWatch log data with a customer-managed key. | You control the key and access; log data is protected at rest. |
| S3 bucket policy | Restricts write access to CloudTrail and denies non-HTTPS. | Only CloudTrail can write; traffic to the bucket must be TLS. |
| Metric filters and alarms | Root usage, console without MFA, unauthorized calls, IAM changes → SNS. | Fast signal for high-risk events without scanning logs manually. |
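
As an added example (not code from this baseline), the four conditions behind the metric filters above, evaluated in plain Python over constructed CloudTrail records. The match logic follows the commonly used CIS-style filter patterns and is an assumption about, not a copy of, this project's filters.

```python
"""Classify CloudTrail records by the high-risk patterns the metric filters alarm on."""
import json

# Constructed sample CloudTrail records, trimmed to the fields the checks need.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"}, "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"}},
]

def sample_lines():
    """The sample records as newline-delimited JSON, the shape a log exporter would emit."""
    return [json.dumps(e) for e in SAMPLE_EVENTS]

def matched_filters(event):
    """Return the names of the metric filters a single CloudTrail record would trip."""
    hits = []
    ident = event.get("userIdentity", {})
    extra = event.get("additionalEventData", {})
    err = event.get("errorCode", "")
    name = event.get("eventName", "")
    # Root usage: the root identity acting directly, not a service acting on its behalf.
    if ident.get("type") == "Root" and "invokedBy" not in ident \
            and event.get("eventType") != "AwsServiceEvent":
        hits.append("root-usage")
    # Console login without MFA; SAML-federated logins report MFA elsewhere, so they are skipped.
    if name == "ConsoleLogin" and extra.get("MFAUsed") != "Yes" \
            and "SamlProviderArn" not in extra:
        hits.append("console-no-mfa")
    # Unauthorized calls: both error families AWS APIs return for denied requests.
    if err.endswith("UnauthorizedOperation") or err.startswith("AccessDenied"):
        hits.append("unauthorized-call")
    # IAM changes: any mutating call to the IAM API (reads are Get*/List*/Simulate*/Generate*).
    if event.get("eventSource") == "iam.amazonaws.com" \
            and not name.startswith(("Get", "List", "Simulate", "Generate")):
        hits.append("iam-change")
    return hits

def scan(lines):
    """Parse NDJSON log lines and return [(eventName, filters)] for records that matched."""
    report = []
    for line in lines:
        event = json.loads(line)
        hits = matched_filters(event)
        if hits:
            report.append((event.get("eventName", ""), hits))
    return report

if __name__ == "__main__":
    print(scan(sample_lines()))
```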

| Control | What it does | Why / benefit |
|---|---|---|
| Password policy | Enforces length, complexity, reuse, and max age for IAM user passwords. | Reduces risk of weak or stale passwords when IAM users are still used (e.g. break-glass). |
| Break-glass admin | Role with full admin, MFA required, 1h session. | Emergencies only; no standing full-admin access; session time-bounded. |
| Operator role | PowerUser with deny policy on CloudTrail and CloudTrail S3. | Day-to-day work without ability to delete or stop the trail or delete audit logs. |
| Read-only role | ReadOnlyAccess, no MFA condition. | Safe for automation and read-only tooling; no write or delete. |

| Control | What it does | Why / benefit |
|---|---|---|
| GuardDuty | Managed threat detection (S3, EBS, etc.). | Detects malicious activity and suspicious behavior with minimal operational overhead. |
| AWS Config (optional) | Records configuration and evaluates rules (e.g. CloudTrail on, root MFA, S3 public access blocks). | Supports compliance and configuration drift detection. |
| Budgets | Alerts at 80% and 100% of monthly budget to admin_email. | Reduces risk of unexpected cost from misuse or compromise. |
Security scanning (e.g. Checkov) may report findings that are explicitly accepted in v1 and documented:
- S3 access logging / event notifications / replication — Deferred to v2 (separate logging bucket, multi-account).
- AdministratorAccess on break-glass — Intentional; access is MFA-gated and time-limited.
See BUILD_CHECKLIST.md and inline comments for the full list of documented skips.