Streamlined automation for SOC 2 compliant AWS Control Tower environments
A comprehensive automation suite that guides you through setting up a fully SOC 2 compliant AWS environment using Control Tower with minimal manual intervention.
- Overview
- Features
- Why Use This Suite
- AI Coding Assistant Integration
- Prerequisites
- Installation
- Usage
- Setup Process Details
- Advanced Configuration
- Security Considerations
- Contributing
- License
- Acknowledgements
The AWS Control Tower SOC 2 Automation Suite is a collection of interconnected scripts designed to automate and guide the creation of a secure, compliant, multi-account AWS environment. It reduces the complex, error-prone manual process of implementing SOC 2 requirements within AWS Control Tower into a streamlined, repeatable workflow.
This suite bridges the gap between AWS Control Tower's built-in capabilities and the specific requirements needed for SOC 2 compliance, handling everything from initial account setup to ongoing security controls.
- Guided Setup: Step-by-step interactive process with clear instructions
- Skip-Friendly: Already completed some steps? No problem: the suite can start from any point
- Multi-Account Architecture: Properly configure management, audit, log archive, and workload accounts
- IAM Identity Center Integration: Automated user and permission management
- SOC 2 Security Controls: Automatic enablement of required security services
- Organizational Structure: Create and register the proper OUs for your compliance needs
- Root Account Protection: Ensure proper MFA and access key management
Manually setting up a SOC 2 compliant AWS environment typically takes 8-16 hours of work with numerous opportunities for configuration errors. This suite reduces that time by up to 75% and ensures consistency.
A SOC 2 Type II audit examines how controls operated over a review period, not just at a point in time. Starting with a compliant foundation means no retroactive fixes or explanations are needed for that period.
AWS recommends a multi-account strategy for security isolation, but configuring this properly is complex. This suite handles the intricacies of account relationships, permissions, and security service configurations automatically.
The suite removes root user credentials (console password and access keys) from member accounts, following AWS best practice for root access in an organization. This removes the standing credentials an attacker would target in the most privileged identity of each account and supports SOC 2 criteria for privileged access management.
Not everyone on your team may be an AWS security expert. This suite codifies best practices and provides clear, actionable guidance throughout the process.
This repository is configured to seamlessly integrate with AI Coding Assistants, leveraging the framework provided by AI Coding Assistants Setup. This integration enhances the development experience by:
- Accelerating Development: AI assistants can help generate boilerplate code, suggest solutions, and automate repetitive tasks.
- Improving Code Quality: Assistants can provide real-time feedback on code style, identify potential bugs, and suggest best practices.
- Facilitating Complex Tasks: AI can assist in understanding complex codebases, refactoring, and implementing new features more efficiently.
- Streamlining Workflows: The setup enables a more interactive and intelligent development environment, allowing developers to focus on higher-level problem-solving.
By incorporating AI-powered tools, this project aims to boost productivity and maintain high standards of code quality and innovation.
- Root user access to the AWS account that will become the Control Tower management account (used only to bootstrap)
- AWS CLI installed and configured
- jq command-line tool installed
- Bash shell environment
- Basic understanding of AWS services
- Clone this repository:

  ```bash
  git clone https://github.com/yourusername/aws-controltower-soc2-automation.git
  cd aws-controltower-soc2-automation
  ```

- Ensure all scripts have execution permissions:

  ```bash
  chmod +x *.sh
  ```

- Install required dependencies:

  ```bash
  # For Debian/Ubuntu
  sudo apt-get update && sudo apt-get install -y jq awscli
  # For macOS
  brew install jq awscli
  ```
Run the master script with optional parameters:

```bash
./master_control_tower_setup.sh [-a ACCOUNT_ID] [-p PROFILE] [-d ADMIN_PROFILE] [-r REGION] [-h]
```

Parameters:

- `-a ACCOUNT_ID`: Your 12-digit AWS account ID
- `-p PROFILE`: Initial AWS CLI profile name (default: sampleproject)
- `-d ADMIN_PROFILE`: Admin AWS CLI profile name (default: thehobbyhome-management)
- `-r REGION`: AWS region (default: us-east-1)
- `-h`: Display help message

Example:

```bash
./master_control_tower_setup.sh -a 123456789012 -d my-admin-profile -r us-west-2
```

The setup process follows these key steps, each designed to implement specific SOC 2 requirements:
What it does: Creates a temporary profile with root credentials to bootstrap the environment.
Why it matters: Provides necessary initial access while ensuring we can remove these credentials later for security.
What it does: Guides you through setting up Multi-Factor Authentication for the root user of the management account.
Why it matters: A baseline control SOC 2 auditors expect, and it protects your most privileged identity against password theft or phishing.
What it does: Activates AWS IAM Identity Center (formerly AWS SSO).
Why it matters: Provides centralized access management with fine-grained permissions required for proper segregation of duties.
What it does: Deploys the Control Tower landing zone with appropriate configurations.
Why it matters: Creates the foundation of your multi-account architecture with built-in guardrails and compliance controls.
What it does: Creates an administrative user in IAM Identity Center with appropriate permissions.
Why it matters: Establishes a secure administrative account for ongoing management, moving away from root account usage.
What it does: Creates a group for administrative users.
Why it matters: Enables role-based access control and simplifies permission management.
What it does: Adds users to IAM Identity Center and assigns them to groups.
Why it matters: Ensures proper identity management and access controls.
What it does: Establishes recommended OUs (Infrastructure, Workloads, Sandbox) and registers them with Control Tower.
Why it matters: Provides proper organizational structure for workload isolation and security boundary enforcement.
What it does: Activates essential security services like GuardDuty, Security Hub, Config, Macie, and Inspector.
Why it matters: Implements required security monitoring, detection, and compliance validation services.
What it does: Creates and configures additional AWS accounts through Control Tower Account Factory with automated enrollment completion tracking.
Why it matters: Simplifies the account creation process and ensures all accounts are properly configured and monitored.
What it does: Removes root user credentials from all member accounts and configures the organization so that new accounts are created without root credentials by default.
Why it matters: Removes the standing root password and access keys in each member account, so there is nothing to phish or leak; privileged root actions on member accounts are then performed from the management account rather than with per-account credentials. This supports SOC 2 privileged access criteria.
For organizations with specific structural needs, modify create_organizational_units.sh to add or change OUs:
```bash
# Example: Add a custom OU
./create_organizational_units.sh -p your-admin-profile -n "CustomOU" -d "Custom organizational unit for specific workloads"
```

Additional security controls can be added by modifying enable_security_services.sh.
For organizations requiring additional preventative or detective guardrails:
```bash
# Enable specific Control Tower controls
./enable_control_tower_controls.sh -p your-admin-profile -c "CT.IAM.PR.1" -o "Infrastructure"
```

Root user access keys are temporarily created and deleted as part of the setup process. If the process is interrupted, ensure these are manually deleted: `aws iam get-account-summary` reports `AccountAccessKeysPresent` as 1 while a root access key still exists.
The suite removes root user credentials from all member accounts, following AWS security best practices, so there are no standing root credentials in those accounts to leak or phish. The management account's root user keeps its credentials: protect it with MFA, keep it out of day-to-day use, and treat the management account itself as the most sensitive account in the organization.
When provisioning new accounts via Account Factory, be aware that security services (GuardDuty, Security Hub, Config, etc.) are not automatically enabled on these accounts. After creating new accounts, you should re-run the security service enablement script for each new account to ensure comprehensive security coverage.
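The following post-setup check is an added example, not one of the suite's own scripts. It verifies the outcomes of the setup steps described above in one pass: root MFA on the management account, no root access keys left behind by an interrupted run, and GuardDuty, Security Hub and AWS Config present in every active account (the gap just described for Account Factory accounts). It assumes one AWS CLI profile per account named after its 12-digit account ID plus a management profile (called `mgmt` here); the JSON responses embedded in it are constructed to match the shape of the CLI's output so the script runs offline, and `--live` switches it to real `aws` calls.

```python
"""Post-setup verification for a Control Tower SOC 2 environment.

Added example, not part of the suite. Assumes one AWS CLI profile per
account named after its 12-digit ID, plus a management profile ("mgmt"
below). Service checks use each profile's default region, so run it once
per governed region.
"""
import json
import subprocess
import sys
from typing import Callable, Dict, List, Optional

# (profile, aws subcommand) -> parsed JSON, or None when the CLI call failed
Fetch = Callable[[str, str], Optional[dict]]

# Constructed sample responses shaped like real AWS CLI JSON output.
# 333333333333 models a fresh Account Factory account: no security
# services yet and a root access key left over from an interrupted run.
SAMPLE_RESPONSES: Dict[tuple, Optional[dict]] = {
    ("mgmt", "organizations describe-organization"): {
        "Organization": {"Id": "o-exampleorgid", "MasterAccountId": "111111111111"}},
    ("mgmt", "organizations list-accounts"): {"Accounts": [
        {"Id": "111111111111", "Name": "management", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "workload-a", "Status": "ACTIVE"},
        {"Id": "333333333333", "Name": "workload-b", "Status": "ACTIVE"},
        {"Id": "444444444444", "Name": "closed", "Status": "SUSPENDED"}]},
    ("111111111111", "iam get-account-summary"): {
        "SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}},
    ("111111111111", "guardduty list-detectors"): {"DetectorIds": ["12abc34d567e8fa901bc2d34e56789f0"]},
    ("111111111111", "securityhub describe-hub"): {
        "HubArn": "arn:aws:securityhub:us-east-1:111111111111:hub/default"},
    ("111111111111", "configservice describe-configuration-recorders"): {
        "ConfigurationRecorders": [{"name": "default"}]},
    ("222222222222", "iam get-account-summary"): {
        "SummaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0}},
    ("222222222222", "guardduty list-detectors"): {"DetectorIds": ["0f1e2d3c4b5a69788796a5b4c3d2e1f0"]},
    ("222222222222", "securityhub describe-hub"): {
        "HubArn": "arn:aws:securityhub:us-east-1:222222222222:hub/default"},
    ("222222222222", "configservice describe-configuration-recorders"): {
        "ConfigurationRecorders": [{"name": "default"}]},
    ("333333333333", "iam get-account-summary"): {
        "SummaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}},
    ("333333333333", "guardduty list-detectors"): {"DetectorIds": []},
    ("333333333333", "securityhub describe-hub"): None,  # call fails: hub not enabled
    ("333333333333", "configservice describe-configuration-recorders"): {
        "ConfigurationRecorders": []},
}


def sample_fetch(profile: str, command: str) -> Optional[dict]:
    """Offline fetch backed by the constructed responses above."""
    return SAMPLE_RESPONSES.get((profile, command))


def run_aws(profile: str, command: str) -> Optional[dict]:
    """Live fetch: `aws --profile PROFILE <command> --output json`; None on failure."""
    try:
        proc = subprocess.run(["aws", "--profile", profile, *command.split(), "--output", "json"],
                              capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def audit_account(account_id: str, is_management: bool, fetch: Fetch) -> List[str]:
    """Return a list of findings (empty means the account passed every check)."""
    summary = fetch(account_id, "iam get-account-summary")
    if summary is None:
        return ["cannot query account (no working CLI profile?)"]
    findings = []
    smap = summary.get("SummaryMap", {})
    # Member accounts should have had their root credentials removed, so a
    # missing root MFA device is only a finding for the management account.
    if is_management and smap.get("AccountMFAEnabled") != 1:
        findings.append("root user has no MFA device")
    if smap.get("AccountAccessKeysPresent") == 1:
        findings.append("root access keys present (leftover from an interrupted run?)")
    detectors = fetch(account_id, "guardduty list-detectors") or {}
    if not detectors.get("DetectorIds"):
        findings.append("GuardDuty has no detector")
    if fetch(account_id, "securityhub describe-hub") is None:
        findings.append("Security Hub not enabled")
    recorders = fetch(account_id, "configservice describe-configuration-recorders") or {}
    if not recorders.get("ConfigurationRecorders"):
        findings.append("AWS Config has no configuration recorder")
    return findings


def audit_organization(mgmt_profile: str, fetch: Fetch) -> Dict[str, List[str]]:
    """Audit every ACTIVE account in the organization; returns {account_id: findings}."""
    org = fetch(mgmt_profile, "organizations describe-organization") or {}
    mgmt_id = org.get("Organization", {}).get("MasterAccountId")
    listing = fetch(mgmt_profile, "organizations list-accounts") or {}
    active = [a for a in listing.get("Accounts", []) if a.get("Status") == "ACTIVE"]
    return {a["Id"]: audit_account(a["Id"], a["Id"] == mgmt_id, fetch) for a in active}


if __name__ == "__main__":
    fetch: Fetch = run_aws if "--live" in sys.argv else sample_fetch
    report = audit_organization("mgmt", fetch)
    for account, findings in report.items():
        print(account, "OK" if not findings else "; ".join(findings))
    sys.exit(1 if any(report.values()) else 0)
```

The root MFA check is deliberately limited to the management account: once the suite has removed root credentials from member accounts, `AccountMFAEnabled` is 0 there by design, and flagging it would only produce noise. A non-zero exit code makes the script usable as a gate in a pipeline that runs after each Account Factory provisioning.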
Control Tower configures an organization-wide CloudTrail trail whose logs are delivered to the Log Archive account's S3 bucket. Consider additional configuration for log retention and analysis.
The automation creates appropriate cross-account roles. Review these regularly to maintain the principle of least privilege.
Contributions are welcome! Please follow these steps:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add some amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
Please make sure your code follows our coding standards.
This project is licensed under the MIT License - see the LICENSE file for details.
- AWS Control Tower documentation and best practices
- SOC 2 compliance framework
- AWS Organizations Best Practices
- Contributors and early adopters who provided valuable feedback
For questions, issues, or feature requests, please open an issue in this repository.
If you find this project useful, please consider giving it a star on GitHub!
Disclaimer: This suite helps implement technical controls relevant to SOC 2 compliance but does not guarantee a successful audit. Organizations should work with qualified auditors to ensure their specific compliance requirements are met.