    Security control assessment and refinement

    Security assessment and refinement on AWS architecture

    Overview

    AWS Service Control Policies (SCP)

    • Review the control policy based on the services that are currently used
    • Refine and document the policy
    • Develop JSONs for all SCPs

    AWS Organizations

    • Review existing enabled services
    • Enable a backup policy and plan, enforced across the estate

    StackSets in master account

    • Review the StackSets functionality and the deployment consistency status
    • Update and refine the policy for CloudFormation StackSets
    • Broken services review and fix
    • Potential issues review and fix

    GuardDuty

    • Configure GuardDuty to run on the central delegated master account
    • Set up notifications and emails
    • Set up process and policies to manage remediation

    AWS Config

    • Review and apply the agreed config conformance packs
    • Review SecurityHub recommendations and implement the fix
    • Review and update the CloudFormation

    SecurityHub

    • Create scripts to disable certain checks if there are false positives and automate the auto-fix process
    • Review and enable the SecurityHub out-of-the-box integrations that add value to the overall security position and security governance monitoring

    CloudWatch Eventbus notifications and Dashboard

    • Review and update the configurations
    • Review master account visibility of security alerts and posture

    Application Monitoring (Per Ventures)

    • Automate EC2 and app availability monitoring
    • Review data visualization
    • Review Synthetic monitoring

    Governance and Compliance Check

    • Set up notification when a violation occurs, e.g. security control by OSPAR

    Highlights

    • Security Control Recommendations
      - Improvement recommendations for:
        - AWS Service Control Policies (SCP)
        - AWS Organizations
        - StackSets in Master Account
        - AWS Config Conformance Packs
        - SecurityHub
        - EC2 and app monitoring guideline for each venture
    • Documentation
      - Changes introduced to the existing implementations
      - Operations and Incident Management
      - CloudWatch Eventbus Notifications and Dashboard
    • Technical configurations/automation
      - Automation scripts
      - Configuration fixes and enhancements to:
        - SCP + Master CloudFormation StackSets
        - SecurityHub
        - GuardDuty

    Details

    Delivery method

    Deployed on AWS

    Pricing

    Custom pricing options

    Pricing is based on your specific requirements and eligibility. To get a custom quote for your needs, request a private offer.

    Support

    Vendor support

    Sales enquiry: Email: sales@hkmci.com, Phone: +852 3589 6700

    Support enquiry: support@hkmci.com, Support portal:
