AWS Security Documentation

Production-ready AWS security baseline delivered as code. Deploy foundations, enable continuous monitoring, and automate audit evidence for CIS, ISO 27001, and NIS2.

Quickstart Baseline

Deploy the complete security baseline in this order:

1. CloudTrail: Org trail, multi-region, encrypted storage
2. AWS Config: Recorder + baseline compliance rules
3. GuardDuty: Org-wide threat detection
4. Security Hub: Aggregation + standards enablement
5. EventBridge: Routes for notifications and remediation

Baseline Components

These components form the StudioAsCode AWS security baseline. Start with the quickstart, then go deeper service by service.

Reference Architecture

How baseline components connect to form the security monitoring pipeline:

Data Sources: CloudTrail Logs, VPC Flow Logs, DNS Queries
Detection: GuardDuty, AWS Config
Aggregation: Security Hub
Automation: EventBridge, SNS / Lambda

Framework Mapping

This baseline maps to these compliance frameworks:

CIS: AWS Foundations Benchmark
ISO 27001: Information Security
NIS2: EU Network and Information Security
DORA: Digital Operational Resilience Act
FSBP: AWS Foundational Security Best Practices
GDPR: Technical Controls