Why build a Baseline
When working with my consulting customers I regularly have to start with setting up or cleaning up their full AWS environment. Over the last years I've started to accumulate different CloudFormation Stacks and StackSets to deploy a standardised but still customisable AWS environment.
Medium-sized to large customers in particular often have trouble setting up a clean infrastructure or cleaning up their existing AWS accounts. For those companies a standardised Baseline that can be deployed on top of any existing Organisation setup, with the ability to customise where necessary, is very important.
Today I'm happy to Open Source this whole collection with tooling on top to make it easy to roll out and update. You can find the whole repository and documentation on Github under theserverlessway/aws-baseline.
Comparison to AWS Control Tower
With the launch of Control Tower (and Landing Zone before it) AWS has its own multi-account Organization setup. Control Tower is a great service for new infrastructure, but at the time of this writing it is not available for existing Organizations.
One further issue with Control Tower is its limited flexibility in how accounts are set up and how further customizations are rolled out. In the future this should be resolved by more customisation options in Control Tower, but those aren't implemented or released yet.
The plan is for this Baseline to become compatible with Control Tower and to provide features on top of it where that makes sense and is possible.
Features of the Baseline
Managing access for users across a number of accounts is a hassle. The goal of the Baseline from the beginning was to provide a standard account setup that starts with IAM Users and Groups. Many companies that are starting out, or whose setup has limited complexity, are fine with IAM Users and Groups; once they grow beyond that an IDP/SAML setup becomes necessary (or it may be needed from the start). But as a consultant I've seen many setups with separate IAM Users in each of multiple accounts, and security issues stemming from that.
To fix this the Baseline keeps the IAM Users and Groups in one account and automatically creates roles in every account that members of those groups can assume, each role carrying only the rights needed for a specific use case. For example an Admin role is created, but also Developer, ReadOnly and Operations roles, together with groups that grant access to each of those roles in every account. A deeper IDP integration with various providers is planned for the future; given how the roles are currently set up, it shouldn't be too complicated to implement.
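To make the group-plus-role pattern concrete, here is an added example of the two CloudFormation pieces involved. It is not a template from the aws-baseline repository; the role name ReadOnly, the parameter names, the MFA requirement in the trust policy and the region-deny statement are my own choices for illustration. The first template would be deployed through a StackSet into every member account, the second once into the account that holds the IAM Users and Groups.

```yaml
# Added example, not part of the aws-baseline repository.
# Template 1: deployed via StackSet into every member account (IAM is global,
# so target a single region per account). MasterAccountId and AllowedRegions
# are assumed parameter names.
AWSTemplateFormatVersion: '2010-09-09'
Description: Cross-account ReadOnly role assumable from the account holding the IAM Groups
Parameters:
  MasterAccountId:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    Description: Account that holds the IAM Users and Groups
  AllowedRegions:
    Type: CommaDelimitedList
    Default: eu-central-1,eu-west-1
    Description: Regions the role may be used in; everything else is denied
Resources:
  ReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ReadOnly          # fixed name so the group policy below can address it in every account
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${MasterAccountId}:root'   # which users may assume is decided by the group policy
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'               # sessions without MFA cannot assume the role
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      Policies:
        - PolicyName: DenyOutsideAllowedRegions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Deny
                NotAction:                 # global services are signed for us-east-1 and must stay reachable
                  - iam:*
                  - sts:*
                  - organizations:*
                  - support:*
                Resource: '*'
                Condition:
                  StringNotEquals:
                    aws:RequestedRegion: !Ref AllowedRegions
---
# Template 2: deployed once into the account holding the IAM Users and Groups.
# Members of the group may assume the ReadOnly role in any account where it exists.
AWSTemplateFormatVersion: '2010-09-09'
Description: Group that grants sts:AssumeRole on the ReadOnly role in all accounts
Resources:
  ReadOnlyGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: ReadOnly
      Policies:
        - PolicyName: AssumeReadOnlyRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: 'arn:aws:iam::*:role/ReadOnly'
```

Two things worth checking when adapting this: the trust policy names the whole master account as principal, so the group's AssumeRole policy is the only thing limiting which users get in, and any user with broad sts:AssumeRole rights in that account can also reach the role; and because aws:MultiFactorAuthPresent is required, a user on long-lived access keys has to call AssumeRole with an MFA serial and token code (or first obtain an MFA session token), otherwise the condition fails and the assume is denied.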
Auditing is important for every company, but the larger the company the more is on the line. A good auditing setup with CloudTrail, Config and GuardDuty, so that you find issues early and can analyse and recover from an attack, is critical. To that end the Baseline deploys a full setup across all your accounts, including Athena search across all your CloudTrail and VPC Flow Logs to analyse any attack.
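As an added example of what that Athena setup is for, here are two saved queries a responder would typically run first against the organisation-wide CloudTrail data. This is my own template and not one from the aws-baseline repository; it assumes a Glue database named audit and a CloudTrail table named cloudtrail_logs created with the column layout from the AWS documentation (useridentity as a struct, additionaleventdata as a string), which the Baseline's actual table names may differ from.

```yaml
# Added example, not part of the aws-baseline repository.
# Assumes database "audit" and table "cloudtrail_logs" with the standard
# CloudTrail column layout (useridentity struct, eventtype, additionaleventdata).
AWSTemplateFormatVersion: '2010-09-09'
Description: Saved Athena queries for first-pass CloudTrail investigations
Parameters:
  AuditDatabase:
    Type: String
    Default: audit
Resources:
  RootActivityQuery:
    Type: AWS::Athena::NamedQuery
    Properties:
      Name: cloudtrail-root-activity-30d
      Database: !Ref AuditDatabase
      Description: Every API call or login made with a root user in the last 30 days; should be empty in normal operation
      QueryString: |
        SELECT eventtime, useridentity.accountid AS account, eventsource, eventname,
               sourceipaddress, useragent, errorcode
        FROM cloudtrail_logs
        WHERE useridentity.type = 'Root'
          AND eventtype <> 'AwsServiceEvent'   -- ignore events AWS itself performs on the account's behalf
          AND from_iso8601_timestamp(eventtime) > current_timestamp - interval '30' day
        ORDER BY eventtime DESC
        LIMIT 500
  ConsoleLoginWithoutMfaQuery:
    Type: AWS::Athena::NamedQuery
    Properties:
      Name: cloudtrail-console-login-without-mfa-30d
      Database: !Ref AuditDatabase
      Description: Successful console logins where no MFA was used in the last 30 days
      QueryString: |
        SELECT eventtime, useridentity.arn AS principal, sourceipaddress,
               json_extract_scalar(additionaleventdata, '$.MFAUsed') AS mfa_used,
               json_extract_scalar(responseelements, '$.ConsoleLogin') AS outcome
        FROM cloudtrail_logs
        WHERE eventname = 'ConsoleLogin'
          AND json_extract_scalar(additionaleventdata, '$.MFAUsed') = 'No'
          AND json_extract_scalar(responseelements, '$.ConsoleLogin') = 'Success'
          AND from_iso8601_timestamp(eventtime) > current_timestamp - interval '30' day
        ORDER BY eventtime DESC
```

Both queries filter on eventtime only, which scans the whole table; if the table is partitioned (commonly by region, year, month and day), add those partition columns to the WHERE clause so Athena prunes the S3 prefixes rather than reading every object.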
Regular security reviews through tooling are critical to find any missing auditing rules or insecure resources. Two of the best tools for that are Prowler and ScoutSuite. The Baseline includes a simple make command that runs both Prowler and ScoutSuite across all of your accounts and delivers HTML reports from both tools. Those can then be analysed to find any insecure parts, or used to discuss the security of your account setup inside your Organisation.
A simple and automated rollout of the whole Baseline is critical so that teams with less AWS knowledge are able to perform it. While this Baseline isn't targeted at teams without any AWS knowledge (not that you can't use it, but some knowledge is helpful), the Docker Toolbox Container makes sure you don't run into complications installing any tools and can get up and running quickly.
On top of that there is much more, from standard Service Control Policies to customisable VPC setups to region restrictions enforced both through SCPs and through conditions on the roles. Take a look at the Repository for more details.
Rolling out the Baseline
The Baseline comes with a make rollout command that will deploy all Stacks and StackSets in the correct order. Before deploying, make sure to read through the Rollout Guide, which covers all the different options that you can and should set, especially which region you want to deploy the Baseline into.
Under the hood that command uses Formica, an open source CloudFormation client that I've used in many different customer projects for a number of years. For details on all the options check out the Formica documentation; it might help you in your other projects as well.
By default all Stacks and StackSets are deployed from us-east-1, but that might not be appropriate for every company. In that case make sure you set the default region in all configuration files accordingly. While this is a bit of a hassle the first time around, it makes sure that everything is deployed exactly where you want it, regardless of who starts the deployment.
Future of the Baseline
There are lots of features that would be great to have, like built-in IDP/SAML support or an automated pipeline setup with CodePipeline. For more on that check out the Issues on Github, or add new ideas or bugs you come across.
Want Customisations or Help with Rollout
If you need help rolling out your Baseline, or want specific customisations built on top of the existing Baseline or on top of an existing Control Tower setup, send me an email at email@example.com