Hacker News new | past | comments | ask | show | jobs | submit login

Great write up. I knew there was a lot, but visualizing really puts it into perspective, especially for the more niche services like cognito & IOT.

My current job has about 14 different AWS accounts, a few are prod, some are lab and others are meta accounts. I've been thinking about having a dedicated account just for security related stuff but I see the value in collect cloudtrail, config and other stuff but, I'm not 100% sure it's worth the effort to get setup right now. Thoughts?

Cloudtrail and config buckets should be in a separate account with no access at all (besides root) otherwise an attacker can delete the cloudtrail logs and you have no idea what he did

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact