@kaihendry
Created May 13, 2026 09:47
A typical multi-account AWS Organization for security:

Management account (payer)
- Empty workload-wise
- Limited IAM users (1-2 break-glass)
- SCPs applied to all member OUs
- Designates delegated admins:
    GuardDuty → Security account
    Security Hub → Security account
    Inspector → Security account
    Macie → Security account
    Firewall Mgr → Network/Security account
    Config → Audit account
    CloudTrail → Logging account
    Access Analyzer → Security account
    Security Lake → Security account
    Audit Manager → Audit account
    IAM IDC → Identity account

Security account
- Aggregates all security findings
- Security team operates here
- GuardDuty, Security Hub, Inspector, Macie all aggregated
- EventBridge fan-out to Slack/Jira/PagerDuty
- Cross-account roles to investigate findings in member accounts

Logging account
- Receives org CloudTrail
- S3 bucket with Object Lock for log retention
- Cross-account replication of logs

Audit account
- Config aggregator
- Audit Manager assessments
- Read-only access for auditors

Network account
- Centralized inspection VPC
- Transit Gateway
- Network Firewall, Resolver DNS Firewall
- Firewall Manager delegated admin

Identity account
- IAM Identity Center delegated admin (since 2023)
- Permission sets defined here
- SAML integration with corp IdP

Workload OUs
- Dev, Staging, Prod accounts
- Application workloads
- GuardDuty/Inspector/etc. running, reporting up to Security account
This is sometimes called the AWS Security Reference Architecture (AWS SRA) layout. The exam loves these patterns.
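A drift check for the delegated-admin table above, added here as an example and not part of the gist: it compares the intended service-to-account layout with what `aws organizations list-delegated-administrators --service-principal <principal>` reports, flagging services never delegated (still run from the management account) or delegated to the wrong account. The service principal names are assumed from the AWS Organizations documentation; the account IDs and CLI output are constructed.

```python
"""Compare intended delegated-administrator layout with observed registrations."""
import json

# Intended layout from the gist: Organizations service principal -> account name.
# Principals are assumed from AWS docs; Firewall Manager is taken as Network here.
EXPECTED = {
    "guardduty.amazonaws.com": "Security",
    "securityhub.amazonaws.com": "Security",
    "inspector2.amazonaws.com": "Security",
    "macie.amazonaws.com": "Security",
    "access-analyzer.amazonaws.com": "Security",
    "securitylake.amazonaws.com": "Security",
    "fms.amazonaws.com": "Network",
    "config.amazonaws.com": "Audit",
    "auditmanager.amazonaws.com": "Audit",
    "cloudtrail.amazonaws.com": "Logging",
    "sso.amazonaws.com": "Identity",
}

def parse_cli_output(json_text):
    """Extract delegated account names from list-delegated-administrators JSON."""
    return [a["Name"] for a in json.loads(json_text)["DelegatedAdministrators"]]

def check_delegations(expected, observed):
    """observed: {principal: [account names]}. Returns (principal, problem) pairs;
    an empty list means the org matches the intended layout."""
    findings = []
    for principal, want in expected.items():
        admins = observed.get(principal, [])
        if not admins:
            findings.append((principal, "not delegated; still run from management account"))
        elif admins != [want]:
            findings.append((principal, f"delegated to {admins}, expected ['{want}']"))
    for principal, admins in observed.items():
        if principal not in expected and admins:
            findings.append((principal, "delegated but not in the intended layout"))
    return findings

def _cli_json(names):  # constructed stand-in for the CLI response
    return json.dumps({"DelegatedAdministrators": [
        {"Id": "000000000000", "Name": n, "Status": "ACTIVE"} for n in names]})

def run_sample():
    """Constructed org state: everything correct except two drifted services."""
    sample = {p: _cli_json([acct]) for p, acct in EXPECTED.items()}
    sample["config.amazonaws.com"] = _cli_json(["Security"])  # wrong account
    sample["cloudtrail.amazonaws.com"] = _cli_json([])         # never delegated
    return check_delegations(EXPECTED, {p: parse_cli_output(j) for p, j in sample.items()})

if __name__ == "__main__":
    for principal, problem in run_sample():
        print(f"{principal}: {problem}")
```

In a real org, replace `run_sample` with one CLI or boto3 call per principal in `EXPECTED` and run it from the management account, where `list-delegated-administrators` must be called.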