
# 📄 AWS Account Creation for Security-Automation & Pen-Test

Executive Summary

Outcome: a rapid, secure and cost-effective environment for offensive-security tooling, aligned with enterprise DevSecOps and FinOps practice.

  • The IGW-only approach best fits the stated objectives of the Security-Automation & Pen-Test account: fast to stand up, isolated, Internet-facing, low blast radius and cost-efficient, with minimal operational overhead.
  • Should a later use case require east-west integration or central egress inspection, a Transit Gateway (TGW) attachment with a dedicated TGW route table and a firewall VPC can be added to the corporate TGW in minutes without architectural rework, keeping the Zero-Trust posture of the production-grade design.

Environment: Multi-Org / Multi-Account Landing Zone, Non-Control-Tower


## 1. Account-Creation Request

Business-Level Request

| Item | Detail |
|---|---|
| Proposed Account ID / Alias | sec-pentest-automation-test |
| Business Owner | Director of Cyber Defence & Offensive Security |
| Technical Steward | DevSecOps Platform Engineering Squad |
| Mission Statement | "Provide an isolated, Internet-facing sandbox for authorised automated scans and penetration tests, plus CI/CD pipelines that build and validate security tooling." |
| Data Classification | Non-Prod / Internal-Only / No PII |
| Compliance Baseline | CIS AWS Foundations 1.5, AWS Security Reference Architecture (SRA) controls, AWS FSBP |
| Budget Tagging | Environment=Test · CostCenter=SEC-1337 · Owner=Security-Engineering |
| Guardrails (SCP) | DenyDeleteLogArchive, DenyRoot, EnforceMFA, DenyRoute53PrivateHostedZone, DenyCrossAccountAssumeRole* |
| Logging & Monitoring | Org Trail → centralized S3 log archive; GuardDuty + Security Hub; VPC Flow Logs to S3 (compressed & encrypted); all KMS keys CMK-backed (XKS not required) |

| Field | Entry |
|---|---|
| Business Owner | Head of Security Engineering – PenTest & Automation Guild |
| Technical Owner | DevSecOps Platform Team |
| Proposed Account Name / Alias | sec-pentest-automation-test |
| AWS Organization | <Security-Services-Org> (Root OU = Security) |
| Purpose / Scope | Hosting of off-line, non-prod automation suites and authorised penetration tests. No inbound connectivity to internal networks required. |
| Compliance Tier | Low (no customer PII, no PCI scope); adheres to CIS 1.5 & AWS FSBP controls. |
| Baseline Guardrails | SCP: DenyDeleteLogArchive, EnforceMFA, RestrictRoot, DenyRoute53PrivateHostedZone |
| Network Topology | Flat, Internet-facing VPC: 1 VPC / 3 subnets (see diagram) |
| Connectivity | Public subnet ⇄ Internet (IGW); private subnets → Internet, outbound only (NAT GW); ❌ no TGW attachment or VPC peering |
| Core Services | Amazon ECS (Fargate), Lambda, Amazon RDS (PostgreSQL dev-class) |
| Logging / Monitoring | Account CloudTrail → Organization Trail (central Logging Account); VPC Flow Logs → S3 (log-archive) |
| Budget / Tagging | Environment=Test · CostCenter=SEC-1337 · Owner=SecEng |

Requested Run-book:

  1. Create the account via the AWS Organizations API (CreateAccount).
  2. Move it to the Security OU and attach the baseline SCPs.
  3. Apply the landing-zone bootstrap (Config, GuardDuty, IAM Access Analyzer; all logs to the central log archive).
  4. Provision the network stack via Terraform module vpc-sec-tight/1.4.0.
  5. Hand over to Security Engineering for application deployment.

## 2. Network Topology Decision: IGW vs. TGW for the New Account (Pen-Test)

```mermaid
%% IGW-centric Pen-Test VPC : 1 AZ – 3 Subnets
flowchart TD
    %% Core endpoints
    Internet((Internet)):::internet

    subgraph VPC["VPC CIDR/16"]
        direction TB
        IGW["Internet Gateway (IGW)"]:::edge
        NAT["NAT Gateway"]:::edge
        %% Subnets
        subgraph PubA["Public Subnet (ALB) CIDR/24"]
            ALB["ALB / NLB"]
        end
        subgraph PrivApp["Private Subnet (App) CIDR/24"]
            LBD["Lambdas | ECS Tasks | SSM-Bastion-Host (SSH)"]
        end
        subgraph PrivData["Private Subnet (Data) CIDR/24"]
            RDS[("RDS PostgreSQL")]
        end
    end

    %% -----------  Flows (Edges) -----------
    Internet e1@--> |"0.0.0.0/0"|IGW
    IGW      e2@--> |"HTTPS & SSH"|ALB
    ALB      e3@--> |"Service traffic"|LBD
    LBD      e4@--> |"DB Port 5432"|RDS
    NAT      e5@--o |"Outbound TLS & REST API"|IGW
    e1@{ animate: true }
    e2@{ animate: true }
    e3@{ animate: true }
    e4@{ animate: true }
    e5@{ animate: true }

    %% Route table arrows (optional, can omit if too busy)
    PubA     e6@--o |"Route 0.0.0.0/0"|IGW
    PrivApp  e7@--> |"Route 0.0.0.0/0"|NAT
    PrivData e8@--> |"Route 0.0.0.0/0"|NAT
    e6@{ animate: true }
    e7@{ animate: true }
    e8@{ animate: true }

    %% -----------  Styles -----------
    classDef edge fill:none,stroke:#268bd2,stroke-width:2px;
    classDef internet fill:#268bd2,stroke:green,color:#fff,font-weight:bold;
    classDef subnet fill:none,stroke:#93a1a1,stroke-width:1px;
    class PubA,PrivApp,PrivData subnet;
```

Legend

  • Blue node = external Internet.
  • Blue stroke (:::edge) = boundary gateways.
  • Grey sub-graphs = subnets.

```mermaid
%% TGW-attached Pen-Test VPC with Central Egress/Inspection VPC
flowchart TB
    %% ───────── Transit-Gateway Hub ─────────
    TGW[("Transit Gateway: DX/VPN & VPC-Accounts")]:::tgw

    %% ───────── NewAccount (Pen-Test) VPC ─────────
    subgraph NewAccountVPC["NewAccount VPC CIDR/16"]
        direction LR
        NewAccount_Attach("TGW-VPCAttachment – NewAccount"):::attach
        subgraph NewPub["Public Subnet CIDR/24"]
            ALB2["ALB / NLB"]
        end
        subgraph NewPriv["Private Subnet CIDR/24"]
            Scanners["Lambda/ECS Scanners"]
        end
    end

    %% ───────── Egress / Inspection VPC ─────────
    subgraph EgressVPC["Egress-Firewall VPC CIDR/16"]
        direction LR
        Egress_Attach("TGW-VPCAttachment – Egress-Firewall"):::attach
        NetworkFirewall["AWS Network Firewall"]:::inspect
        IGW2["Internet Gateway"]:::gateway
    end

    Internet2((Internet)):::internet

    %% ───────── Connectivity ─────────
    NewAccount_Attach e1@-- "TGW Route" --> TGW
    Egress_Attach     e2@-- "TGW Route" --> TGW
    ALB2              e3@-- "0.0.0.0/0 via TGW" --> NewAccount_Attach
    Scanners          e4@-- "0.0.0.0/0 via TGW" --> NewAccount_Attach
    TGW               e5@-- "Propagated Routes" --> Egress_Attach
    NetworkFirewall   e6@--> IGW2
    IGW2              e7@--> Internet2
    e1@{ animate: true }
    e2@{ animate: true }
    e3@{ animate: true }
    e4@{ animate: true }
    e5@{ animate: true }
    e6@{ animate: true }
    e7@{ animate: true }

    %% Styles
    classDef attach   fill:#d33682,color:#fff;
    classDef tgw      fill:#2aa198,color:#fff,font-weight:bold;
    classDef inspect  fill:#b58900,color:#fff;
    classDef gateway  fill:green,stroke:#268bd2,stroke-width:2px;
    classDef internet fill:#268bd2,stroke:#005f87,color:#fff,font-weight:bold;
    %% ───────── Class Assignments ─────────
    class NewAccount_Attach,Egress_Attach attach
    class TGW tgw
    class NetworkFirewall inspect
    class IGW2 gateway
    class Internet2 internet
```

Key Points

| Element | Role |
|---|---|
| TGW-VPCAttachment | Associated with a dedicated TGW route table, so the Pen-Test VPC sees only 0.0.0.0/0 → TGW and cannot reach prod. |
| Network Firewall | Performs egress inspection (layer 7, TLS decryption if enabled) before traffic reaches the IGW. |
| Cost Note | TGW ≈ $36.50 per attachment/month + $0.02–$0.05/GB data processing; Network Firewall adds $0.395/hr per endpoint + $0.065/GB. |

TGW Route Table

```text
Destination    | Target             | Origin
---------------+--------------------+----------------------
0.0.0.0/0      | vpc-egress-attach  | propagated or static
10.77.0.0/16   | vpc-account-attach | propagated
```

(10.77.0.0/16 stands for the Pen-Test VPC CIDR in this illustration.)

  • VPC Flow Logs on every subnet capture ALL traffic, so both ACCEPT and REJECT records are available for detection; logs are encrypted with the Org KMS key.
  • GuardDuty monitors for C2 or port-scan activity.
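To make the two bullets above concrete, here is an added example (not code from this page or from any AWS tooling) that runs two detections over VPC Flow Log records in the default v2 format: a crude port-scan heuristic (one source hitting many distinct destination ports with REJECTs, the shape GuardDuty reports as Recon:EC2/Portscan) and a "spill" check that lists every flow leaving the Pen-Test VPC toward corporate RFC 1918 space, the control the risk register relies on NACLs and missing routes to enforce. The log lines, ENI, account ID and CIDRs are constructed.

```python
"""Added example: detections over VPC Flow Log v2 records (sample lines are constructed)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Default (v2) flow-log field order, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass(frozen=True)
class Flow:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str
    start: int


def parse_flow_logs(text):
    """Parse default-format lines; NODATA/SKIPDATA rows carry no tuple and are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        flows.append(Flow(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                          int(rec["dstport"]), int(rec["protocol"]),
                          rec["action"], int(rec["start"])))
    return flows


def detect_port_scans(flows, min_ports=5, window=300):
    """Flag (src, dst) pairs whose REJECTed flows touch >= min_ports distinct destination
    ports within `window` seconds of the first rejected flow (input assumed chronological)."""
    ports, first_seen = defaultdict(set), {}
    for f in flows:
        if f.action != "REJECT":
            continue
        key = (f.srcaddr, f.dstaddr)
        first_seen.setdefault(key, f.start)
        if f.start - first_seen[key] <= window:
            ports[key].add(f.dstport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def detect_internal_spill(flows, vpc_cidr, internal_cidrs):
    """Flows that left the Pen-Test VPC toward internal address space. A REJECT shows the
    NACL/route control working; any ACCEPT means pen-test traffic reached the corporate side."""
    vpc = ipaddress.ip_network(vpc_cidr)
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    hits = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.srcaddr), ipaddress.ip_address(f.dstaddr)
        if src in vpc and dst not in vpc and any(dst in n for n in internal):
            hits.append(f)
    return hits


# Constructed sample: an external host probing the ALB, normal egress, one blocked and one
# accepted flow toward a corporate 10.20.0.0/16 range, plus a NODATA record.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.77.1.20 54321 22 6 1 44 1700000000 1700000010 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.77.1.20 54322 23 6 1 44 1700000001 1700000011 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.77.1.20 54323 445 6 1 44 1700000002 1700000012 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.77.1.20 54324 3389 6 1 44 1700000003 1700000013 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.77.1.20 54325 8080 6 1 44 1700000004 1700000014 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.77.1.20 54326 443 6 8 1200 1700000005 1700000015 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.77.1.20 198.51.100.9 41000 443 6 12 4000 1700000020 1700000030 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.77.1.20 10.20.5.4 41001 445 6 1 44 1700000021 1700000031 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.77.1.20 10.20.5.5 41002 22 6 4 300 1700000022 1700000032 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000040 1700000050 - NODATA
"""


def analyse(text=SAMPLE_LOG, vpc_cidr="10.77.0.0/16",
            internal_cidrs=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    flows = parse_flow_logs(text)
    spill = detect_internal_spill(flows, vpc_cidr, internal_cidrs)
    return {
        "port_scans": detect_port_scans(flows),
        "spill_accepted": [f for f in spill if f.action == "ACCEPT"],  # control failure
        "spill_rejected": sum(f.action == "REJECT" for f in spill),     # control working
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(name, result)
```

In production this logic belongs in Athena or a SIEM over the S3 log-archive prefix; the point of the local version is that the spill check needs ACCEPT records as well as REJECTs, which is why the flow logs must capture ALL traffic rather than REJECT only.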

### Decision Matrix

| Criterion | Transit Gateway (TGW) | Internet Gateway (IGW) |
|---|---|---|
| East-west connectivity to prod & shared services | ✔ Centralised, scalable hub-and-spoke routing | ❌ Explicitly not required (isolation desired) |
| North-south egress (Internet) | Requires an egress/inspection VPC or NAT centralisation | ✔ Direct via IGW + per-AZ NAT GW; simplest path |
| Blast radius / Zero-Trust containment | Shared route tables ⇒ risk if NewAccount traffic is mis-scoped | Fully isolated; no route propagation |
| Operational overhead | RAM shares, route-table propagation, VPN/Direct Connect zoning | Minimal: a single VPC-level resource |
| Cost | $0.02–$0.05/GB data processing + $36.50 per TGW-VPC attachment/month | IGW free; NAT GW ≈ $0.045/GB plus an hourly charge |
| Inspection / egress filtering | Central firewall VPC possible (if mandated) | Achievable with AWS Network Firewall embedded in the VPC |
| Pen-test realism | Internal path may bypass enterprise edge controls (WAF/IPS), reducing test fidelity | Matches the real-world attacker path from the Internet |
| Future flexibility | Can add Security-Inspection VPC, SD-WAN, DX | TGW attachment can be added later in minutes |

### Recommendation

Use an IGW-centric VPC and do not attach to the corporate Transit Gateway.

Rationale

  1. Containment & Risk: penetration tests intentionally generate exploit traffic; TGW membership would give the account routes toward internal networks, so a mis-scoped route table could carry that traffic into prod.
  2. Simplicity: no east-west requirement was stated. IGW + NAT fulfils all north-south needs with the smallest blast radius and cost.
  3. Cost Efficiency: TGW adds per-GB data-processing charges and monthly attachment fees, unjustified for an isolated test account.
  4. Realism for Automation Scripts: outbound tests to public SaaS (e.g., O365, Atlassian) should egress like any external user would, via the IGW.
  5. Future Flexibility: if a later need arises (e.g., integration with a central inspection VPC), the VPC can be attached to the TGW in a controlled manner using RAM and scoped route tables.

## 3. DevSecOps Implementation Checklist

Step-by-Step Implementation Run-Book

| # | Responsibility | Action | Tooling / IaC |
|---|---|---|---|
| 1 | Org Admin | CreateAccount API → move to Security OU | AWS Organizations |
| 2 | Landing-Zone Pipeline | Bootstrap baseline (Config, GuardDuty, CloudTrail, IAM Access Analyzer) | AWS Control-Tower-Lite (custom CodePipeline) |
| 3 | NetSec Eng. | Deploy VPC, subnets, IGW, 1× NAT GW, route tables | Terraform module vpc-sec-tight/1.4.0 |
| 4 | IAM Eng. | Apply SCP set; create permission boundaries for least-privilege build roles | Terraform IAM modules |
| 5 | DevSecOps | Provision ECS cluster (Fargate), RDS dev-class, security-scan Lambdas | CDK pipelines |
| 6 | SecOps | File "Authorisation to Test" with AWS Support where the planned activity falls outside the AWS Customer Support Policy for Penetration Testing | AWS Support Center |
| 7 | FinOps | Attach tag policies; enable Cost Anomaly Detection plus a CloudWatch alarm on the NAT Gateway BytesOutToDestination metric | AWS Budgets, Cost Explorer |
| 8 | Observability | Wire up CloudWatch Alarms & Synthetics canaries (Office 365, GitHub) | Terraform / CloudWatch Synthetics |
| 9 | Compliance | Run AWS Config Conformance Packs (CIS 1.5 Benchmark) | AWS Config |
| 10 | Handover | Produce knowledge-base article & JIRA change record | Confluence / JIRA |

  1. Egress inspection using AWS Network Firewall (TLS-inspection proof of concept).
  2. Cross-account red team via TGW with an isolated TGW route table and a stateful firewall.
  3. Automated evidence collection into an Audit Manager framework for ISO 27001 Annex A.

  1. Account Bootstrap: automated by the Control-Tower-Lite pipeline (Org Config, GuardDuty, CloudTrail).
  2. Terraform Stack: re-use the sec-test-vpc module, parameterised:

    • public_subnet_count = 1
    • private_subnet_count = 2
    • create_natgw = true
    • enable_network_firewall = false (Phase 1)
  3. CI/CD Guardrails: an OPA / cfn-guard policy denies creation of security-group egress rules to 0.0.0.0/0 except for single ports 80, 443, 22 and the database port (5432 for the PostgreSQL RDS in this stack; 3306 would apply only to MySQL).
  4. Pen-Test Window Registration: file an "Authorisation to Test" request with AWS Support (per the AWS Acceptable Use Policy and the AWS Customer Support Policy for Penetration Testing; testing of the pre-approved services needs no request, simulated events such as DDoS do).
  5. FinOps Tagging: enforce via Tag Policy (CostCenter, Environment, Owner) + Cost Anomaly Detection for NAT.
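The CI/CD guardrail in item 3 has more edge cases than the one-line description suggests (protocol -1, port ranges that happen to start and end on allowed ports, IPv6 ::/0, and a security group that omits its egress block and therefore keeps the default allow-all rule). The following is an added example, not the page's own OPA / cfn-guard policy, that expresses the same rule as a unit-testable Python check over a CloudFormation template; the template and resource names are constructed.

```python
"""Added example: the SG egress guardrail as a Python check over a CloudFormation template."""

ALLOWED_EGRESS_PORTS = {80, 443, 22, 5432}   # 5432 = PostgreSQL, the RDS engine in this stack
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _is_world_open(rule):
    return rule.get("CidrIp") == ANY_V4 or rule.get("CidrIpv6") == ANY_V6


def _port_span(rule):
    """(low, high) ports covered by the rule; IpProtocol -1 means every port."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    low = int(rule.get("FromPort", 0))
    return low, int(rule.get("ToPort", low))


def egress_violations(template, allowed=ALLOWED_EGRESS_PORTS):
    """One finding per world-open egress rule that is not a single allowed port.
    Ranges are rejected even when both ends are allowed (22-443 also opens 23..442), and an
    AWS::EC2::SecurityGroup that omits SecurityGroupEgress keeps the default allow-all rule."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            if "SecurityGroupEgress" in props:
                rules = props["SecurityGroupEgress"]
            else:
                rules = [{"IpProtocol": "-1", "CidrIp": ANY_V4, "_implicit": True}]
        elif res.get("Type") == "AWS::EC2::SecurityGroupEgress":
            rules = [props]
        else:
            continue
        for i, rule in enumerate(rules):
            if not _is_world_open(rule):
                continue
            low, high = _port_span(rule)
            if low == high and low in allowed:
                continue
            what = ("implicit default egress" if rule.get("_implicit")
                    else f"{rule.get('IpProtocol')} {low}-{high}")
            findings.append(f"{name}[{i}]: {what} to {rule.get('CidrIp') or rule.get('CidrIpv6')}")
    return findings


# Constructed template: one compliant SG, one sloppy SG, one SG with no egress block, and a
# stand-alone egress rule (DNS to the world, which should go to the VPC resolver instead).
SAMPLE_TEMPLATE = {"Resources": {
    "ScannerSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "scanner tasks", "VpcId": "vpc-0abc",
        "SecurityGroupEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.77.3.0/24"},
        ]}},
    "SloppySG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "wide open", "VpcId": "vpc-0abc",
        "SecurityGroupEgress": [
            {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv6": "::/0"},
        ]}},
    "LegacySG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "no egress block", "VpcId": "vpc-0abc"}},
    "ExtraEgress": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "GroupId": {"Ref": "ScannerSG"}, "IpProtocol": "udp",
        "FromPort": 53, "ToPort": 53, "CidrIp": "0.0.0.0/0"}},
}}


if __name__ == "__main__":
    for finding in egress_violations(SAMPLE_TEMPLATE):
        print("DENY", finding)
```

Whichever engine enforces the rule in the pipeline, it should be run against the rendered template or `terraform show -json` output rather than the source, so that defaults the IaC tool fills in (such as the implicit egress rule) are visible to the check.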

## 4. Security & Compliance Deep Dive

### 4.1 Guardrails

  • SCPs: deny root-user actions; deny deletion or disabling of GuardDuty and Config (and of the log archive, per DenyDeleteLogArchive); restrict Regions to ap-southeast-2 unless an explicit exception is granted (the region statement must exempt global services such as IAM and STS or it breaks the account).
  • IAM Access Analyzer: auto-archive findings older than 30 days; a guardrail policy denies creation of IAM roles and policies without the mandatory tags.
  • Security Hub: enable the CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices standards; auto-forward high-severity findings to OpsGenie via EventBridge.
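SCP statements are easy to get subtly wrong (a region lock without a NotAction exemption for global services, a deny-root condition that never matches, an exception ARN that also matches attacker-controlled roles). The block below is an added example, not code from this page or from any AWS tool: a simplified simulator of how the explicit-deny statements above evaluate a request, with constructed policy documents, a constructed account ID and a hypothetical break-glass role (OrgBreakGlass) standing in for the "explicit exception".

```python
"""Added example: simplified SCP evaluation for the guardrail statements (constructed policies)."""
import fnmatch

FULL_ACCESS = {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}
DENY_ROOT = {
    "Sid": "DenyRoot", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
}
DENY_DELETE_LOG_ARCHIVE = {
    "Sid": "DenyDeleteLogArchive", "Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "guardduty:DeleteDetector", "guardduty:DisassociateFromAdministratorAccount",
               "config:DeleteConfigurationRecorder", "config:StopConfigurationRecorder"],
}
RESTRICT_REGION = {
    "Sid": "RestrictRegion", "Effect": "Deny", "Resource": "*",
    # NotAction exempts global services; without it the region lock breaks IAM and STS.
    "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*", "route53:*",
                  "cloudfront:*", "budgets:*"],
    "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["ap-southeast-2"]},
        # The "explicit exception": one hypothetical break-glass role is exempt.
        "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/OrgBreakGlass"},
    },
}
PENTEST_SCP = {"Version": "2012-10-17",
               "Statement": [FULL_ACCESS, DENY_ROOT, DENY_DELETE_LOG_ARCHIVE, RESTRICT_REGION]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(value, patterns):
    # Simplification: real IAM matches actions case-insensitively and ARN wildcards do not
    # cross ':' boundaries; fnmatch is sufficient for the statements above.
    return value is not None and any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, ctx):
    """True when every operator/key in the Condition block holds for ctx. Negated operators
    are true when the key is absent, as in IAM."""
    for operator, keys in (condition or {}).items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringNotEquals":
                ok = actual not in _as_list(expected)
            elif operator in ("StringLike", "ArnLike"):
                ok = _glob(actual, expected)
            elif operator in ("StringNotLike", "ArnNotLike"):
                ok = not _glob(actual, expected)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def _action_applies(statement, action):
    if "Action" in statement:
        return _glob(action, statement["Action"])
    return not _glob(action, statement["NotAction"])   # NotAction: every action not listed


def evaluate_scp(policy, request):
    """request = {'action': ..., 'aws:PrincipalArn': ..., 'aws:RequestedRegion': ...}.
    Explicit Deny wins regardless of statement order; else a matching Allow returns
    ('Allow', sid); else ('Deny', 'ImplicitDeny'). Resource matching is omitted because
    every guardrail here uses Resource "*"."""
    allow_sid = None
    for st in policy["Statement"]:
        if not _action_applies(st, request["action"]) or not _condition_ok(st.get("Condition"), request):
            continue
        if st["Effect"] == "Deny":
            return "Deny", st.get("Sid")
        allow_sid = allow_sid or st.get("Sid")
    return ("Allow", allow_sid) if allow_sid else ("Deny", "ImplicitDeny")


ACCT = "111122223333"   # constructed account ID
BUILD_ROLE = f"arn:aws:iam::{ACCT}:role/Build-Role-Pentest"
ROOT_USER = f"arn:aws:iam::{ACCT}:root"
BREAK_GLASS = f"arn:aws:iam::{ACCT}:role/OrgBreakGlass"


def _req(action, principal, region):
    return {"action": action, "aws:PrincipalArn": principal, "aws:RequestedRegion": region}


SAMPLE_REQUESTS = {   # constructed requests covering each guardrail and its exemptions
    "root_runinstances_syd": _req("ec2:RunInstances", ROOT_USER, "ap-southeast-2"),
    "build_runinstances_syd": _req("ec2:RunInstances", BUILD_ROLE, "ap-southeast-2"),
    "build_runinstances_virginia": _req("ec2:RunInstances", BUILD_ROLE, "us-east-1"),
    "build_createrole_global": _req("iam:CreateRole", BUILD_ROLE, "us-east-1"),
    "build_stoplogging_syd": _req("cloudtrail:StopLogging", BUILD_ROLE, "ap-southeast-2"),
    "breakglass_describe_virginia": _req("ec2:DescribeInstances", BREAK_GLASS, "us-east-1"),
}


def check_guardrails(policy=PENTEST_SCP, requests=SAMPLE_REQUESTS):
    return {name: evaluate_scp(policy, ctx) for name, ctx in requests.items()}


if __name__ == "__main__":
    for name, (effect, sid) in check_guardrails().items():
        print(f"{name:30} {effect:5} {sid}")
```

Two caveats the simulator makes visible: SCPs never grant permissions (the FullAWSAccess allow is the org default, and the principal still needs an identity policy), and they do not apply to the management account. Before attaching a real policy, run it through IAM Access Analyzer policy validation and test with a non-privileged role, since the EnforceMFA guardrail in the request tables is not modelled here.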

### 4.2 Identity

| Actor | AuthN | AuthZ Pattern |
|---|---|---|
| CI/CD Pipeline Role | IAM OIDC federation (GitHub Actions) | Trust policy on arn:aws:iam::<acct>:role/Build-Role-Pentest pins token.actions.githubusercontent.com:aud and :sub to the repository and branch, so no other GitHub workflow can assume the role |
| Human Engineers | SSO via AWS IAM Identity Center | ABAC on session tags: aws:PrincipalTag/Environment=Test AND aws:PrincipalTag/JobFunc=Security |

### 4.3 Data Protection

  • RDS encrypted with a new CMK (alias/sec-pentest-rds), automatic key rotation every 365 days.
  • Logs delivered to the centralized log-archive S3 bucket; the bucket policy denies non-TLS requests (aws:SecureTransport = false) and the versioned bucket has MFA Delete enabled.

## 5. Operational Excellence & FinOps

| Domain | Target | Mechanism |
|---|---|---|
| Availability | 99.9 % (non-prod) | Multi-AZ NAT & RDS once the workload scales |
| MTTR | < 30 min | CloudWatch auto-healing + runbooks |
| Budget Cap | USD 1,500 / month | Cost Anomaly Detection (±15 %) |
| Data-Egress Cost / Scan | ≤ 0.5 ¢ / GB | Monitor the NAT Gateway BytesOutToDestination metric |

Optimisation backlog: migrate large outbound scans to ECS tasks and add a VPC gateway endpoint for S3 so that tool and result uploads bypass the NAT GW (S3 Object Lambda transforms GET responses and does not reduce NAT traversal).


## 6. Risk Register & Mitigations

| Risk | Probability | Impact | Control |
|---|---|---|---|
| Pen-test traffic spills into internal VPCs | Low | High | No TGW; explicit SG/NACL deny of internal CIDRs |
| NAT GW cost spike | Med | Med | Cost Anomaly Detection + daily CloudWatch alarm |
| Tool uploads malware to S3 | Med | Low | S3 Object Lock (Compliance) + GuardDuty Malware Protection for S3 (Macie finds sensitive data, not malware) |
| Priv-esc via mis-tagged IAM role | Low | High | SCP denies iam:PassRole without Owner=Security tag |