Every account I create starts off with the same essential security settings using a serverless.yml, such as the one in this recipe. I create no other stacks in the account until this account-scoped stack is created. All further changes, other than creating users, are delivered as changes to this stack. The first responsibility of this stack is to turn on CloudTrail. In Chapter 7, Optimizing Observability, we will see how we can use this audit trail to monitor and alert about unexpected changes to security policies. AuditBucket is also a candidate for replicating to the recovery account as discussed in the Replicating the data lake for disaster recovery recipe.
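As an added illustration, not the book's own recipe file, the following serverless.yml sketches the shape of such an account-scoped stack: it creates the AuditBucket, attaches the bucket policy CloudTrail requires, and turns on a multi-region trail that writes to it. The service name, the AuditBucketPolicy and AuditTrail resource names, and the single placeholder IAM group are assumptions; only AuditBucket comes from the text.

```yaml
# Added illustration, not the book's recipe: a minimal account-scoped
# serverless.yml that turns on CloudTrail and writes the trail to an
# AuditBucket. Names other than AuditBucket are assumptions.
service: account-baseline   # assumed name

provider:
  name: aws
  # No functions are deployed by this stack; it only carries resources.

resources:
  Resources:
    # Bucket that receives the CloudTrail log files. Versioning and a
    # public-access block keep the audit trail from being silently
    # overwritten or exposed.
    AuditBucket:
      Type: AWS::S3::Bucket
      Properties:
        VersioningConfiguration:
          Status: Enabled
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true

    # CloudTrail needs GetBucketAcl on the bucket and PutObject under the
    # AWSLogs/<account-id>/ prefix, with bucket-owner-full-control ACLs.
    AuditBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket:
          Ref: AuditBucket
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: AWSCloudTrailAclCheck
              Effect: Allow
              Principal:
                Service: cloudtrail.amazonaws.com
              Action: s3:GetBucketAcl
              Resource:
                Fn::GetAtt: [AuditBucket, Arn]
            - Sid: AWSCloudTrailWrite
              Effect: Allow
              Principal:
                Service: cloudtrail.amazonaws.com
              Action: s3:PutObject
              Resource:
                Fn::Sub: '${AuditBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
              Condition:
                StringEquals:
                  s3:x-amz-acl: bucket-owner-full-control

    # The trail itself. DependsOn the bucket policy so CloudTrail can
    # verify write access at creation time instead of failing the deploy.
    AuditTrail:
      Type: AWS::CloudTrail::Trail
      DependsOn: AuditBucketPolicy
      Properties:
        IsLogging: true
        S3BucketName:
          Ref: AuditBucket
        IsMultiRegionTrail: true
        IncludeGlobalServiceEvents: true
        EnableLogFileValidation: true

    # Placeholder for the user groups the recipe goes on to create;
    # policies are attached to groups, never to individual users.
    AdministratorsGroup:   # assumed name
      Type: AWS::IAM::Group
```

Deploying with `serverless deploy` creates the bucket, policy and trail in one CloudFormation stack, which is what makes later security changes reviewable as diffs to this file. The long-form `Ref`/`Fn::GetAtt`/`Fn::Sub` syntax is used because it is accepted by every Serverless Framework version; `EnableLogFileValidation` gives you digest files you can use to detect tampering with the delivered logs.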
Next, the stack creates the user groups that will be used for granting ...