© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automated Solution for Deploying AWS Landing Zone
GPSWS407
Jim Huang, Partner Solutions Architect, AWS
Lalit Grover, Solutions Builder, AWS
Hitendra Nishar, Solutions Builder, AWS
Register for workshop
http://lz-workshop.us-west-2.elasticbeanstalk.com
Workshop materials and the login password will be sent via email
Agenda
• Why do you need a landing zone
• Understand the AWS Landing Zone design and automation
• Demo & Lab 1: Tour of AWS Landing Zone deployment and functions
• Demo & Lab 2: Creating a new AWS account via the AWS Account Vending Machine (AVM)
• Demo & Lab 3: Extending the Landing Zone via the Landing Zone add-on feature
Customers are faced with
• Many design decisions
• The need to configure multiple accounts & services
• Establishing a security baseline & governance
Why one account isn’t enough
• Billing
• Many teams
• Security/compliance controls
• Business process
• Isolation
Multi-account approach
[Diagram: AWS Organizations over the core accounts (Security, Shared services, Network, Log archive), the team/group accounts (Developer sandbox, Dev, Pre-Prod, Prod, Team shared services), the developer accounts, and a link to the data center]
Orgs: Account management
Log Archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: AWS Direct Connect
Dev sandbox: Experiments, learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team shared services, data lake
The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup of new AWS multi-account environments
• Based on AWS best practices and recommendations
• Initial security and governance controls
• Baseline accounts and AWS Account Vending Machine
• Automated deployment
What you get with the AWS Landing Zone
Account management
• Framework for creating and baselining a multi-account environment
• Initial multi-account structure that includes security, audit, and shared service requirements
• An AWS Account Vending Machine that enables automated deployment of additional accounts with a set of security baselines
Identity & access management
• User account access managed through AWS Single Sign-On federation
• Cross-account roles enable centralized management
Security & governance
• Initial account security and AWS Config rules baseline
• Amazon GuardDuty enabled in all regions
• Network baseline
Solution extensibility
• Add on to your AWS Landing Zone deployment
AWS Landing Zone structure – Basic
[Diagram: AWS Organizations account with a Parameter store, above the Shared services, Log archive and Security accounts]
AWS Organizations account
• Account provisioning
• Account access (AWS SSO)
Shared services account
• Active directory
• Log analytics
Log archive
• Security logs
Security account
• Audit/break-glass
AWS Landing Zone structure – With optional add-ons
[Diagram: the same core structure, AWS Organizations account with a Parameter store above the Shared services, Log archive and Security accounts, with optional add-ons attached]
Organizations account
• Account provisioning
• Account access (AWS SSO)
Shared services account
• Active directory
• Log analytics
Log archive
• Security logs
Security account
• Audit/break-glass
Account baseline
[Diagram: the baseline is applied to each account with AWS CloudFormation]
• AWS CloudTrail – CloudTrail to local and log archive Amazon Simple Storage Service (Amazon S3) bucket
• AWS Config – Configuration data forwarded to log archive Amazon S3 bucket
• AWS Config rules – Resource security rules (EBS encryption, and more)
• Amazon GuardDuty – Associate member to GuardDuty Master
• AWS Identity and Access Management (IAM) roles and policies – Security admin and read-only roles
• IAM password policy – Password complexity required
• Notifications – CloudTrail API activity alarm
• Amazon Virtual Private Cloud (Amazon VPC) infrastructure – Options for multi-AZ, multi-subnet
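As an added example of the detective side of this baseline (written for this page, not the AWS Landing Zone solution's own rule code): the evaluation logic a custom AWS Config rule could use for the Amazon S3 server-side-encryption check that the control-types slide uses as its example, run over constructed configuration items. The configuration-item field names are an assumption about what AWS Config records for AWS::S3::Bucket, and the sample inventory is constructed.

```python
"""Detective guardrail: evaluation logic for a custom AWS Config rule that flags
S3 buckets without default server-side encryption (SSE).

Added example for this page, not the AWS Landing Zone solution's own rule code.
Assumptions: the configuration-item shape (resourceType, resourceId,
supplementaryConfiguration.ServerSideEncryptionConfiguration.rules[]
.applyServerSideEncryptionByDefault.sseAlgorithm) follows what AWS Config
records for AWS::S3::Bucket; the sample items below are constructed."""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"
ACCEPTED_ALGORITHMS = {"AES256", "aws:kms"}


def default_sse_algorithm(item):
    """Return the bucket's default SSE algorithm, or None if no default rule is set."""
    supplementary = item.get("supplementaryConfiguration") or {}
    sse = supplementary.get("ServerSideEncryptionConfiguration")
    if not sse:
        return None
    for rule in sse.get("rules", []):
        default = rule.get("applyServerSideEncryptionByDefault") or {}
        if default.get("sseAlgorithm"):
            return default["sseAlgorithm"]
    return None


def evaluate_item(item):
    """Compliance verdict for one configuration item.

    Non-bucket resources and deleted buckets are NOT_APPLICABLE, so a deleted
    bucket does not linger as a finding; everything else is judged on its
    default encryption rule.
    """
    if item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE
    algorithm = default_sse_algorithm(item)
    return COMPLIANT if algorithm in ACCEPTED_ALGORITHMS else NON_COMPLIANT


def evaluate_account(items):
    """Evaluate all items; return {resourceId: verdict} and the sorted list of
    bucket names a remediation action (the slide's SSM document) should act on."""
    verdicts = {item["resourceId"]: evaluate_item(item) for item in items}
    to_remediate = sorted(name for name, v in verdicts.items() if v == NON_COMPLIANT)
    return verdicts, to_remediate


def lambda_handler(event, context):
    """Entry point in the shape AWS Config uses for custom rules: the configuration
    item arrives JSON-encoded in event['invokingEvent']. A deployed rule would
    pass the returned evaluation to config:PutEvaluations; here it is returned."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_item(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def _bucket(name, algorithm=None, deleted=False):
    """Build a constructed configuration item for an S3 bucket."""
    item = {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": name,
        "configurationItemStatus": "ResourceDeleted" if deleted else "OK",
        "configurationItemCaptureTime": "2018-11-01T00:00:00.000Z",
        "supplementaryConfiguration": {},
    }
    if algorithm:
        item["supplementaryConfiguration"]["ServerSideEncryptionConfiguration"] = {
            "rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": algorithm}}]
        }
    return item


# Constructed sample inventory: two encrypted buckets, one unencrypted, one deleted,
# plus an EBS volume that the rule must ignore.
SAMPLE_ITEMS = [
    _bucket("logs-archive", "aws:kms"),
    _bucket("app-assets", "AES256"),
    _bucket("scratch-data"),
    _bucket("old-bucket", deleted=True),
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123constructed"},
]


def run_sample():
    """Evaluate the constructed inventory (also used by the self-test)."""
    return evaluate_account(SAMPLE_ITEMS)


if __name__ == "__main__":
    verdicts, to_remediate = run_sample()
    for name, verdict in verdicts.items():
        print(f"{name:20} {verdict}")
    print("remediate:", to_remediate)
```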
The Landing Zone pipeline
[Diagram: AWS CodePipeline stages. Source (Landing Zone zip file and manifest file in an Amazon S3 bucket) -> Validate/Build/Test (AWS CodeBuild) -> Deploy core account structure (AWS Organizations) -> Deploy core resources (AWS CloudFormation StackSets for logging and security credentials) -> Deploy AWS Service Catalog portfolio/products -> Deploy baseline resources (AWS account baseline StackSets built from AWS CloudFormation templates) -> Launch AVM for core accounts (AWS Service Catalog, producing the vended accounts)]
Key solution components
AWS Landing Zone infrastructure as code
• Configuration templates define the core account structure, service control policies, service baseline resources, and AWS Service Catalog portfolios/products.
• Enable developers to change or extend the Landing Zone implementation.
Implementation with AWS CloudFormation templates & StackSets
• Out-of-the-box example Landing Zone implementation to get started quickly. Includes core accounts for security, log audit, and shared services.
Deployment orchestration with AWS CodePipeline and AWS Step Functions
• Enable CI/CD; control event sequencing and synchronization
Key solution components (cont.)
Account baseline
• Provides guardrails for preventive control, detective control, and remediation
• Applied to different organizational units and accounts
The AWS Account Vending Machine
• Allows users to create new accounts through AWS Service Catalog
• New accounts are baselined automatically
Add-on to your AWS Landing Zone deployment
• Extend with optional add-on capabilities through AWS Service Catalog
Landing Zone – Control types (guardrail types)
Preventive controls
• Prohibit or restrict users from disabling or deleting the baseline controls, for example, an SCP to prevent deleting or disabling CloudTrail/AWS Config
Detective controls
• Monitor resources for compliance and alert when a resource goes out of compliance, for example, AWS Config rules to monitor Amazon S3 server-side encryption for all S3 buckets created in an account
Remediation
• Take corrective action to remediate out-of-compliance resources and bring them back to a compliant state, for example, an SSM document triggered from an AWS Config rule to enable Amazon S3 server-side encryption for an out-of-compliance S3 bucket
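As an added example of the preventive control type (written for this page, not the AWS Landing Zone solution's own SCP): a constructed service control policy that protects the CloudTrail/AWS Config baseline, with a small evaluator that shows which API actions it blocks and why an explicit deny holds even though the policy also grants full access. The action names are real CloudTrail and AWS Config API actions; Resource and Condition elements are deliberately not modelled.

```python
"""Preventive guardrail: a service control policy (SCP) that protects the
CloudTrail / AWS Config baseline, and a small evaluator showing which API
actions it blocks for every principal in the accounts it is attached to.

Added example for this page, not the AWS Landing Zone solution's own SCP.
The policy document is constructed for illustration; the action names are
the real CloudTrail and AWS Config API actions that would stop or remove
logging. Resource and Condition elements are deliberately not modelled."""
import fnmatch

PROTECT_BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # The default grant: SCPs are filters, so without an Allow the
            # member account could do nothing at all.
            "Sid": "FullAWSAccess",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
        },
        {
            # An explicit Deny wins over the Allow above, even for the member
            # account's root user, which is what makes this a guardrail rather
            # than a permission a local admin could grant back.
            "Sid": "ProtectLoggingBaseline",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "config:StopConfigurationRecorder",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_allows(policy, action):
    """True if a request for `action` can pass this SCP.

    SCP evaluation order: any matching Deny statement wins; otherwise the
    action needs at least one matching Allow, because SCPs deny by default.
    """
    allowed = False
    for statement in policy["Statement"]:
        patterns = _as_list(statement.get("Action", []))
        if not any(action_matches(p, action) for p in patterns):
            continue
        if statement["Effect"] == "Deny":
            return False
        if statement["Effect"] == "Allow":
            allowed = True
    return allowed


def blocked_actions(policy, actions):
    """Subset of `actions` the SCP stops, in the order given."""
    return [a for a in actions if not scp_allows(policy, a)]


# Constructed list of actions a baseline-protection check would probe:
# two that would disable logging, three routine ones that must keep working.
PROBE_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DescribeTrails",
    "config:StopConfigurationRecorder",
    "config:PutConfigRule",
    "s3:PutObject",
]


def main():
    for action in PROBE_ACTIONS:
        verdict = "DENIED" if not scp_allows(PROTECT_BASELINE_SCP, action) else "allowed"
        print(f"{action:36} {verdict}")


if __name__ == "__main__":
    main()
```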
Introduction to the AWS Landing Zone’s add-on products for AWS SSO
Access via AWS SSO
• AWS Managed Microsoft Active Directory in the shared services account
• AD Connector in the master account
• AWS SSO configured with permission sets
• AD users log in from the AWS SSO URL to access the Landing Zone accounts
[Diagram: users reach the AWS SSO endpoint in the AWS Organizations account (us-east-1), which uses an AWS Directory Connector; Amazon VPC peering links it to AWS Managed AD in the shared services account (eu-west-1); federated access then reaches AWS accounts in all regions]
The AWS Landing Zone deployment
Demo 1 (by presenter)
• StackSets that implement the account baseline
• Effect of enabled Config rules
• Multi-account structure under Organizations
• Logging and aggregation in the Log Archive account
Lab 1 (by attendees with Lab 1 Guide)
• Review of GuardDuty setup and run-time status
What is the Account Vending Machine (AVM)
An AWS Service Catalog product that allows customers to create new AWS accounts in Organizational Units (OUs) preconfigured with an account security baseline and a predefined network
Account Vending Machine architecture
Account Vending Machine (AWS Service Catalog)
• Account creation UI
• Account baseline versioning
• Launch constraints
[Diagram: the AVM product in AWS Service Catalog creates/updates the AWS account through AWS Organizations, applies the account baseline stack sets, creates the network baseline and applies the account security control policy; the Security, Log archive and Shared services core accounts are connected to the new AWS account]
Demo 2 (by presenter)
• Access the new AWS account via AWS SSO
• Review the account baseline in the AWS CloudFormation console
• Examine Config rule status
Lab 2 (by attendees with Lab 2 Guide)
• Launch the AVM from the Service Catalog console in the master account
• Verify the Service Control Policy baseline
• View the StackSets that created the new AWS account
• Configure AWS SSO to access the new AWS account
Easily add on to your implementation
Easily add new optional services into your existing AWS Landing Zone deployment. These add-on services enable:
• Partners and ISVs to build and share new solutions with customers
• Customers to create new solutions to add onto their own deployment
Two AWS Landing Zone add-ons available today
• AWS Active Directory and remote desktop gateway, and Active Directory connector for AWS SSO
• Centralized logging solution
Add-on deployment workflow
[Diagram: the master AWS Landing Zone configuration zip file sits in the customer bucket; a partner add-on configuration zip file (partner bucket) and an ISV add-on configuration zip file (ISV bucket) feed the customer bucket for deployment]
Launch add-on product
In combination with AWS managed services and Amazon Elasticsearch Service, this solution offers customers a highly available, turnkey environment to begin logging and analyzing their AWS environment and applications.
The AWS Landing Zone pipeline
[Diagram: AWS CodePipeline stages. Source (Landing Zone zip file; AWS Landing Zone master configuration) -> Validate/Build/Test (AWS CodeBuild) -> Deploy core account structure and policies (AWS Organizations; Organizations/SCP state machine) -> Deploy core resources (core StackSets; stack set state machine) -> Deploy Service Catalog portfolio/products (AWS Service Catalog; Service Catalog state machine) -> Deploy baseline resources (AWS account baseline stack sets; stack set state machine) -> Launch AVM for core accounts (AWS Service Catalog; Launch AVM state machine). Each deploy stage starts its AWS Step Functions state machine through a state machine trigger Lambda]
Centralized logging add-on deployment flow
[Diagram: the Landing Zone zip file feeds AWS CodePipeline in the AWS Organizations account, which holds the AWS Landing Zone master configuration; numbered steps 1–3 run through the “CoreResource” stage and the “LaunchAVM” stage, each driven by AWS Step Functions, targeting the Shared Services account and all other accounts]
Back to demo
Benefits of the AWS Landing Zone
• Automated
• Scalable
• Self-service
• Guardrails, not blockers
• Auditable
• Flexible
AWS Landing Zone track: (search: awslandingzone)
Architecture:
SEC303: Architecting Security & Governance Across Your AWS Landing Zone (Session)
ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session)
Implementation:
ENT350: AWS Landing Zone Deep Dive (Chalk Talk)
SEC349: Governance at Scale (Chalk Talk)
ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session)
Workshops (First three are same content):
ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop)
SEC315: Enterprise Governance and Security—Build Your AWS Landing Zone (Workshop)
GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners)
SEC334: Operational Excellence for Identity & Access Management (Workshop)
Summary/feedback:
SEC360: AWS Landing Zone Strategies (Chalk Talk)
Thank you!
Jim Huang, Partner Solutions Architect, AWS
jimhuan@amazon.com
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent 2018

  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automated Solution for Deploying AWS Landing Zone (GPSWS407). Jim Huang, Partner Solutions Architect, AWS; Lalit Grover, Solutions Builder, AWS; Hitendra Nishar, Solutions Builder, AWS
  • 3. Register for workshop: http://lz-workshop.us-west-2.elasticbeanstalk.com. Workshop materials and the login password will be sent via email.
  • 4. Agenda: Why do you need a landing zone; Understand the AWS Landing Zone design and automation; Demo & Lab 1: Tour of AWS Landing Zone deployment and functions; Demo & Lab 2: Creating a new AWS account via the AWS Account Vending Machine (AVM); Demo & Lab 3: Extending the Landing Zone via the Landing Zone add-on feature
  • 6. Customers are faced with: many design decisions; the need to configure multiple accounts and services; establishing a security baseline and governance
  • 7. Why one account isn't enough: billing; many teams; security/compliance controls; business process; isolation
  • 8. Multi-account approach. Core accounts: AWS Organizations (account management), Log archive (security logs), Security (security tools, AWS Config rules), Shared services (directory, limit monitoring), Network (AWS Direct Connect). Team/group accounts: Developer sandbox (experiments, learning), Dev (development), Pre-Prod (staging), Prod (production), Team shared services (team shared services, data lake). The diagram also shows developer accounts and the data center. (Slides 9 and 10 repeat this slide.)
  • 12. The AWS Landing Zone solution: an easy-to-deploy solution that automates the setup of new AWS multi-account environments. Based on AWS best practices and recommendations: initial security and governance controls; baseline accounts and the AWS Account Vending Machine; automated deployment
  • 13. What you get with the AWS Landing Zone. Account management: a framework for creating and baselining a multi-account environment; an initial multi-account structure that includes security, audit, and shared service requirements; an AWS Account Vending Machine that enables automated deployment of additional accounts with a set of security baselines. Identity & access management: user account access managed through AWS Single Sign-On federation; cross-account roles enable centralized management. Security & governance: initial account security and AWS Config rules baseline; Amazon GuardDuty enabled in all regions; network baseline. Solution extensibility: add on to your AWS Landing Zone deployment
  • 14. AWS Landing Zone structure – Basic. AWS Organizations account: account provisioning; account access (AWS SSO). Shared services account: Active Directory; log analytics. Log archive: security logs. Security account: audit/break-glass. Parameter store.
  • 15. AWS Landing Zone structure – With optional add-ons. Same core structure: Organizations account (account provisioning; account access (AWS SSO)); Shared services account (Active Directory; log analytics); Log archive (security logs); Security account (audit/break-glass). Parameter store.
  • 16. Account baseline (applied to each account with AWS CloudFormation): AWS CloudTrail – trail delivered to a local bucket and to the log archive Amazon Simple Storage Service (Amazon S3) bucket; AWS Config – configuration data forwarded to the log archive Amazon S3 bucket; AWS Config rules – resource security rules (EBS encryption, and more); Amazon GuardDuty – associate the member with the GuardDuty master; AWS Identity and Access Management (IAM) roles and policies – security admin and read-only roles; IAM password policy – password complexity required; Notifications – CloudTrail API activity alarm; Amazon Virtual Private Cloud (Amazon VPC) infrastructure – options for multi-AZ, multi-subnet
  • 17. The Landing Zone pipeline. Stages: Source → Validate/Build/Test → Deploy core account structure → Deploy core resources → Deploy AWS Service Catalog portfolio/products → Deploy baseline resources → Launch AVM for core accounts. Services and artifacts shown: AWS CodePipeline, AWS CodeBuild, AWS Organizations, AWS account baseline StackSets (logging, security credentials), AWS Service Catalog, AWS CloudFormation StackSets, core Amazon S3 bucket, vended accounts, AWS CloudFormation templates, manifest file, Landing Zone zip file
  • 18. Key solution components. AWS Landing Zone infrastructure as code: configuration templates define the core account structure, service control policies, service baseline resources, and AWS Service Catalog portfolios/products; they enable developers to change or extend the Landing Zone implementation. Implementation with AWS CloudFormation templates & StackSets: an out-of-the-box example Landing Zone implementation to get started quickly, including core accounts for security, log audit, and shared services. Deployment orchestration with AWS CodePipeline and AWS Step Functions: enable CI/CD; control event sequencing and synchronization
  • 19. Key solution components (cont.). Account baseline: provides guardrails for preventive control, detective control, and remediation; applied to different organizational units and accounts. The AWS Account Vending Machine: allows users to create new accounts through AWS Service Catalog; new accounts are baselined automatically. Add-on to your AWS Landing Zone deployment: extend with optional capabilities through AWS Service Catalog
  • 20. Landing Zone – Control types (guardrail types). Preventive controls: prohibit or restrict users from disabling or deleting the baseline controls, for example an SCP that prevents deleting or disabling CloudTrail/AWS Config. Detective controls: monitor resources for compliance and alert when a resource goes out of compliance, for example AWS Config rules that monitor Amazon S3 server-side encryption for all S3 buckets created in an account. Remediation: take corrective action to bring out-of-compliance resources back to a compliant state, for example an SSM document triggered from an AWS Config rule to enable Amazon S3 server-side encryption on an out-of-compliance S3 bucket
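A worked model of the three guardrail types on this slide, added here as an example and not code from the AWS Landing Zone solution: a constructed SCP document checked by a simplified deny-evaluator (preventive), a Config-rule-style S3 default-encryption check over constructed bucket records (detective), and the change an SSM remediation would apply (remediation). The action list in the SCP and the bucket records are assumptions and constructed sample data, not the solution's actual policies.

```python
"""Model of Landing Zone guardrail types: preventive (SCP), detective
(Config-rule-style check) and remediation. Added example; the SCP action
list and the bucket records below are constructed, not taken from the
AWS Landing Zone solution."""
import fnmatch

# Preventive control: a service control policy (SCP) denying the calls that
# would disable or delete the CloudTrail / AWS Config baseline. The exact
# action list is an assumption about what such a guardrail covers.
BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectLoggingBaseline",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "config:StopConfigurationRecorder",
            "config:DeleteConfigurationRecorder",
            "config:DeleteDeliveryChannel",
        ],
        "Resource": "*",
    }],
}


def scp_allows(scp, action):
    """Simplified SCP evaluation: an explicit Deny whose action pattern
    matches wins; otherwise the SCP does not block the call (the account's
    IAM policies still decide). Action matching is case-insensitive and
    honours '*' wildcards, as in real SCP action patterns."""
    for stmt in scp["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
        if hit and stmt["Effect"] == "Deny":
            return False
    return True


# Detective control: the check an AWS Config rule for S3 server-side
# encryption would perform on one bucket's encryption configuration.
def evaluate_bucket(bucket):
    """Return 'COMPLIANT' when default SSE (AES256 or aws:kms) is set."""
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return "COMPLIANT"
    return "NON_COMPLIANT"


# Remediation: the configuration change an SSM document triggered by the
# rule would apply to bring the bucket back into compliance.
def remediate_bucket(bucket, algorithm="AES256"):
    """Return a copy of the bucket record with default SSE enabled."""
    fixed = dict(bucket)
    fixed["ServerSideEncryptionConfiguration"] = {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algorithm}}]}
    return fixed


def run_guardrails(buckets):
    """Evaluate every bucket, remediate the non-compliant ones and return
    (findings_before, findings_after) so the remediation effect is visible."""
    before = {b["Name"]: evaluate_bucket(b) for b in buckets}
    fixed = [b if before[b["Name"]] == "COMPLIANT" else remediate_bucket(b)
             for b in buckets]
    after = {b["Name"]: evaluate_bucket(b) for b in fixed}
    return before, after


# Constructed sample inventory: one bucket encrypted with KMS, one with no
# default encryption at all.
SAMPLE_BUCKETS = [
    {"Name": "app-logs", "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    {"Name": "scratch-data"},
]

if __name__ == "__main__":
    print(scp_allows(BASELINE_SCP, "cloudtrail:StopLogging"))  # False
    print(scp_allows(BASELINE_SCP, "s3:PutObject"))            # True
    print(run_guardrails(SAMPLE_BUCKETS))
```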
  • 22. Introduction to the AWS Landing Zone's add-on products for AWS SSO: AWS Managed Microsoft Active Directory in the shared services account; AD Connector in the master account; AWS SSO configured with permission sets; AD users log in from the AWS SSO URL to access the Landing Zone accounts. Diagram: access via the AWS SSO endpoint in the AWS Organizations account (us-east-1) through AWS Directory Connector; shared services account with AWS Managed AD (eu-west-1); Amazon VPC peering between them; federated access to AWS accounts in all regions
  • 23. The AWS Landing Zone deployment. Demo 1 (by presenter) and Lab 1 (by attendees with Lab 1 Guide): StackSets that implement the account baseline; effect of enabled Config rules; multi-account structure under Organizations; logging and aggregation in the Log Archive account; review of GuardDuty setup and run-time status
  • 25. What is the Account Vending Machine (AVM)? An AWS Service Catalog product that allows customers to create new AWS accounts in organizational units (OUs) preconfigured with an account security baseline and a predefined network
  • 26. Account Vending Machine architecture. Account Vending Machine (AWS Service Catalog): account creation UI; account baseline versioning; launch constraints. Flow: creates/updates the AWS account → applies account baseline stack sets → creates the network baseline → applies the account security control policy. Accounts shown: AWS Organizations, Security, Log archive, Shared services, and the new AWS account
  • 27. Demo 2 (by presenter): access the new AWS account via AWS SSO; review the account baseline in the AWS CloudFormation console; examine Config rule status. Lab 2 (by attendees with Lab 2 Guide): launch the AVM from the Service Catalog console in the master account; verify the Service Control Policy baseline; view the StackSets that created the new AWS account; configure AWS SSO to access the new AWS account
  • 29. Easily add on to your implementation: add new optional services into your existing AWS Landing Zone deployment. These add-on services enable partners and ISVs to build and share new solutions with customers, and customers to create new solutions to add onto their own deployment
  • 30. Two AWS Landing Zone add-ons available today: AWS Active Directory with remote-desktop gateway and Active Directory Connector for AWS SSO; centralized logging solution
  • 31. Add-on deployment workflow (diagram): customer bucket holding the master AWS Landing Zone configuration zip file; partner bucket holding a partner add-on configuration zip file; ISV bucket holding an ISV add-on configuration zip file; the add-on zip files are shown flowing into the customer bucket
  • 32. Launch add-on product: in combination with AWS managed services and Amazon Elasticsearch Service, this solution offers customers a highly available, turnkey environment to begin logging and analyzing their AWS environment and applications
  • 33. The AWS Landing Zone pipeline (detail). Stages: Source (Landing Zone zip file, AWS Landing Zone master configuration) → Validate/Build/Test (AWS CodeBuild) → Deploy core account structure and policies (AWS Organizations) → Deploy core resources (AWS account baseline stack sets) → Deploy Service Catalog portfolio/products (AWS Service Catalog) → Deploy baseline resources (core StackSets) → Launch AVM for core accounts (AWS Service Catalog). AWS Step Functions state machines shown: Organizations/SCP state machine, stack set state machine, Service Catalog state machine, stack set state machine, launch AVM state machine, plus a state machine trigger Lambda
  • 34. Centralized logging add-on deployment flow (diagram): Landing Zone zip file / AWS Landing Zone master configuration → AWS CodePipeline in the AWS Organizations account; "CoreResource" stage and "LaunchAVM" stage, each using AWS Step Functions; numbered steps 1, 2 and 3 reach the Shared Services account and all other accounts
  • 35. Back to demo
  • 37. Benefits of the AWS Landing Zone: automated; scalable; self-service; guardrails, not blockers; auditable; flexible
  • 38. AWS Landing Zone track (search: awslandingzone). Architecture: SEC303: Architecting Security & Governance Across Your AWS Landing Zone (Session); ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session). Implementation: ENT350: AWS Landing Zone Deep Dive (Chalk Talk); SEC349: Governance at Scale (Chalk Talk); ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session). Workshops (the first three are the same content): ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop); SEC315: Enterprise Governance and Security—Build Your AWS Landing Zone (Workshop); GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners); SEC334: Operational Excellence for Identity & Access Management (Workshop). Summary/feedback: SEC360: AWS Landing Zone Strategies (Chalk Talk)
  • 40. Thank you! Jim Huang, Partner Solutions Architect, AWS, jimhuan@amazon.com