# Multi-Account Security Operations
A centralized security operations center modeled as "Galactic Federation Sector Command" monitoring multiple workload accounts. An Organizations management account delegates GuardDuty, Security Hub, Config, and Access Analyzer administration across member accounts. Findings flow through EventBridge to a Lambda enrichment function and into S3 storage. Alert notifications reach operators via SNS and SQS. This scenario validates Simfra's multi-account and security service aggregation capabilities.
## Services
| Service | Role |
|---|---|
| Organizations | Management account with two member accounts (Sector Alpha, Sector Beta) |
| GuardDuty | Organization admin with member detectors for threat detection |
| Security Hub | Cross-account finding aggregation with standards enabled |
| CloudTrail | Organization-wide trail logging to S3 |
| Config | Configuration recorders with cross-account aggregator |
| Access Analyzer | Organization-level analyzer for external access detection |
| EventBridge | Custom event bus receiving security findings |
| Lambda | Python enrichment function adding sector metadata to findings |
| SNS | Alert notification topic with KMS encryption |
| SQS | Alert queue (SNS subscription) and DLQ |
| S3 | CloudTrail logs and enriched findings storage, SSE-KMS |
| KMS | Customer-managed key with grants for S3, SNS, SQS, CloudTrail |
| IAM/STS | Roles for Lambda, cross-account delegation, CI/CD |
| CodeCommit | Source repository |
| CodeBuild | Lambda packaging |
| CodePipeline | Deployment orchestration |
| CodeDeploy | Lambda deployment |
## Architecture

```text
Sector Alpha (workload account)        Sector Beta (workload account)
├── GuardDuty detector                 ├── GuardDuty detector
├── Security Hub                       ├── Security Hub
└── Config recorder                    └── Config recorder
        |                                      |
        └────────────────┬─────────────────────┘
                         |
                         v
Sector Command (management account)
├── Organizations
├── GuardDuty admin (delegated)
├── Security Hub admin (aggregation)
├── Config aggregator
├── Access Analyzer (org scope)
├── CloudTrail org trail --> S3
│
├── EventBridge custom bus
│   ├── SecurityHub findings --> Lambda enrichment --> S3
│   └── GuardDuty findings --> SNS --> SQS
│
└── KMS key (grants: S3, SNS, SQS, CloudTrail)
```
The management account acts as the aggregation point for all security data. GuardDuty and Security Hub use delegated administration to enroll member accounts. Config uses a cross-account aggregator with explicit authorization from each member. The Lambda enrichment function adds sector metadata (account name, sector classification) to findings before storing them in S3.
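The enrichment step described above, as an added example rather than the scenario's own Lambda code: a handler for the EventBridge `Security Hub Findings - Imported` event that tags each ASFF finding with sector metadata and writes it to S3 with SSE-KMS. The account-to-sector table, the `FINDINGS_BUCKET` and `KMS_KEY_ID` environment variables, the object-key layout and the sample event are all assumptions made for this example; the S3 client is injectable so the code runs offline.

```python
"""Added example (not Simfra's own code): EventBridge-triggered Lambda that
enriches Security Hub findings with sector metadata and stores them in S3
with SSE-KMS. Sector table, bucket and key ids are assumptions."""
import json
import os
from datetime import datetime, timezone

# Assumed mapping of member account id -> sector metadata (constructed sample).
SECTOR_MAP = {
    "111111111111": {"AccountName": "sector-alpha", "Sector": "Alpha", "Classification": "workload"},
    "222222222222": {"AccountName": "sector-beta", "Sector": "Beta", "Classification": "workload"},
    "999999999999": {"AccountName": "sector-command", "Sector": "Command", "Classification": "management"},
}
UNKNOWN_SECTOR = {"AccountName": "unknown", "Sector": "Unassigned", "Classification": "unenrolled"}

FINDINGS_BUCKET = os.environ.get("FINDINGS_BUCKET", "example-enriched-findings")  # assumed env var
KMS_KEY_ID = os.environ.get("KMS_KEY_ID", "alias/example-sector-command")          # assumed env var


def enrich_finding(finding, sector_map=SECTOR_MAP):
    """Return a copy of an ASFF finding with sector metadata added.

    A finding from an account missing in the table is tagged 'unenrolled'
    rather than dropped, so an enrollment gap shows up in storage instead of
    silently losing the finding.
    """
    meta = sector_map.get(finding.get("AwsAccountId", ""), UNKNOWN_SECTOR)
    enriched = dict(finding)
    # ASFF carries free-form key/value pairs under UserDefinedFields.
    udf = dict(enriched.get("UserDefinedFields", {}))
    udf.update({
        "SectorAccountName": meta["AccountName"],
        "Sector": meta["Sector"],
        "SectorClassification": meta["Classification"],
    })
    enriched["UserDefinedFields"] = udf
    return enriched


def object_key(finding, now=None):
    """Partition stored findings by sector and UTC day (assumed layout)."""
    now = now or datetime.now(timezone.utc)
    sector = finding["UserDefinedFields"]["Sector"].lower()
    # Finding Ids are ARNs containing '/' and ':'; flatten them into one key segment.
    safe_id = finding.get("Id", "no-id").replace("/", "_").replace(":", "_")
    return f"findings/sector={sector}/date={now:%Y-%m-%d}/{safe_id}.json"


def handler(event, context=None, s3_client=None):
    """Lambda entry point. Security Hub places a list of ASFF findings under
    event['detail']['findings']; anything else on the bus is ignored here."""
    if event.get("source") != "aws.securityhub":
        return {"stored": 0, "keys": [], "skipped": "not a Security Hub event"}
    if s3_client is None:  # real Lambda runtime; local runs inject a fake client
        import boto3
        s3_client = boto3.client("s3")
    keys = []
    for finding in event.get("detail", {}).get("findings", []):
        enriched = enrich_finding(finding)
        key = object_key(enriched)
        s3_client.put_object(
            Bucket=FINDINGS_BUCKET,
            Key=key,
            Body=json.dumps(enriched).encode(),
            ContentType="application/json",
            ServerSideEncryption="aws:kms",  # SSE-KMS with the customer-managed key
            SSEKMSKeyId=KMS_KEY_ID,
        )
        keys.append(key)
    return {"stored": len(keys), "keys": keys}


# Constructed sample event in the shape EventBridge delivers from Security Hub.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "SchemaVersion": "2018-10-08",
        "Id": "arn:aws:guardduty:us-east-1:111111111111:detector/abc/finding/xyz",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
        "AwsAccountId": "111111111111",
        "Title": "Recon:EC2/PortProbeUnprotectedPort",
        "Severity": {"Label": "LOW"},
    }]},
}


class _RecordingS3:
    """Minimal stand-in for boto3's S3 client so the handler runs offline."""
    def __init__(self):
        self.calls = []

    def put_object(self, **kwargs):
        self.calls.append(kwargs)
        return {"ETag": '"constructed"'}


if __name__ == "__main__":
    fake = _RecordingS3()
    print(handler(SAMPLE_EVENT, s3_client=fake))
```

Keeping `enrich_finding` free of I/O is what makes the enrichment flow testable in the integration tests: the sector tagging can be asserted directly, and the S3 write can be checked for `ServerSideEncryption="aws:kms"` against a recording client without touching a real bucket.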
## What This Validates
- Organizations account creation and membership management
- GuardDuty organization admin delegation and member detector enrollment
- Security Hub cross-account finding import and aggregation
- CloudTrail organization-wide trail with S3 delivery
- Config recorder and cross-account configuration aggregator
- Access Analyzer with organization-level scope
- EventBridge custom event bus with rule-based routing to Lambda and SNS
- Lambda finding enrichment with S3 storage
- SNS-to-SQS notification delivery with KMS encryption
- Multi-account credential management via Simfra admin API
- KMS key grants for cross-service encryption (S3, SNS, SQS, CloudTrail)
## Test Coverage
Tests include smoke checks for the full organizational structure (accounts, detectors, hub, trail, analyzer, event bus, Lambda, SNS, SQS, S3, KMS), integration tests for sample finding generation, batch finding import (50 findings), enrichment flow verification (Lambda processes and stores in S3), notification delivery (EventBridge to SNS to SQS), and Config aggregator data collection. Security tests validate KMS encryption and member enrollment authorization. Performance tests cover batch import of 50 findings and 20 concurrent EventBridge events.