AWS Multi-Account Architecture and Best Practices


  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Taipei, 10.15.19
  2. AWS Multi-Account Architecture and Best Practices. Simon Wang (王舜民), Solutions Architect, Amazon Web Services, Taipei
  3. Agenda
     • About multiple account strategy and the “landing zone”
     • What’s a landing zone?
     • Implementing a landing zone: two approaches
     • Summary
  4. How many AWS accounts do I need?
  5. AWS Organizations
     • Master Account (★): the account used to create the organization (payer account); the central management and governance hub
     • Organizational Unit (OU): a set of AWS accounts logically grouped within an organization
  6. AWS Account: Best Isolation Boundary
     • Security/resource boundary
     • API limits/throttling
     • Billing separation
     “If Team A can’t support Team B's app when paged at 2 AM, the applications probably shouldn't be in the same account.”
  7. Why Isn’t One Account Enough?
     • Billing
     • Many teams
     • Security/compliance controls
     • Business process
     • Isolation
  8. You Need a “landing zone”
     • A configured, secure, scalable, multi-account AWS environment based on AWS best practices
     • A starting point for net new development and experimentation
     • A starting point for migrating applications
     • An environment that allows for iteration and extension over time
  9. What accounts should I create?
  10. Master Account (diagram: AWS Organizations Master, network path to the data center)
     • No connection to DC
     • Service control policies
     • Consolidated billing
     • Volume discount
     • Minimal resources
     • Limited access
     • Restrict the Orgs role!
     Owner: Cloud Platform Engineering / Platform Team
  11. Core Accounts (diagram: Core Accounts alongside the AWS Organizations Master, network path to the data center)
     • Foundational
     • Once per organization
     • Have their own development life cycle (dev/qa/prod)
  12. Core: Log Archive Account
     • Versioned Amazon S3 bucket, restricted, with MFA delete
     • AWS CloudTrail logs
     • Security logs
     • Single source of truth
     • Alarm on user login
     • Limited access
     Owner: Cloud Platform Engineering / Operation Team
  13. Core: Security Account
     • Optional data center connectivity
     • Security tools and audit
     • Amazon GuardDuty master / Amazon Inspector / Firewall Manager
     • Cross-account read/write
     • Automated tooling
     • Limited access
     Owner: Cloud Platform Engineering / Security Team
  14. Core: Shared Services Account
     • Connected to DC
     • Shared services to the whole organization:
       - DNS
       - LDAP/Active Directory
       - Deployment tools
       - Golden AMI
       - Source repo/pipeline
       - Scanning infrastructure (inactive instances, improper tags)
       - Monitoring
     • Limited access
     Owners: Cloud Platform Engineering / Platform Team and Operation Team
  15. Developer Sandbox (Developer Accounts)
     • No connection to DC
     • Innovation space
     • Fixed spending limit
     • Autonomous
     • Experimentation
  16. Team/Group Accounts
     • Based on level of needed isolation
     • Match your development lifecycle
     • Owned by application DevOps teams
  17. Team: Dev Account
     • Develop and iterate quickly
     • Collaboration space
     • Stage of SDLC: Dev
  18. Team: Pre-prod Account
     • Connected to DC
     • Production-like
     • Staging
     • Testing
     • Automated deployment
  19. Team: Production
     • Connected to DC
     • Production applications
     • Automated deployments
     • Limited access
  20. Team: Shared Services
     • Grows organically
     • Shared to the team
     • Product-specific common services
     • Common tooling
     • Common services
  21. Action Plan for Landing Zone
     Create Organizations Master account
     • Create temporary Amazon S3 bucket for AWS CloudTrail logs
     • Enable CloudTrail locally
     • Enable AWS Organizations full features
     Create Log Archive account
     • Create bucket(s) for security logs (AWS CloudTrail, AWS Config)
     • Enable MFA delete
     • Enable versioning
     • Define limited access bucket policy
     • Add SCP to prevent s3:delete
     • Backfill: enable CloudTrail in the Organizations Master account to send logs to the Log Archive account
     • Backfill: copy CloudTrail logs for actions that happened between Organizations Master creation and Log Archive creation
     Create Security account
     • Backfill: cross-account roles with trust to the Security account for the Organizations Master and Log Archive accounts
       - Read-only role
       - Read/write role (fewer principals permitted to assume it)
     • <CommonCheckList>
     • Create security tooling / AWS Lambda functions for security checks
     Create Shared Services account
     • <CommonCheckList>
     • Connect via DX/VPN to DC
     • Launch common services
       - Directory services
       - Limit monitoring
     Create Team accounts
     • <CommonCheckList>
  22. Common Checklist for Account Security
     • Secure root credentials
       - MFA: OTP or U2F (U2F could make managing them easier)
       - https://aws.amazon.com/blogs/security/how-to-create-and-manage-users-within-aws-sso/
       - Complex password
       - Establish a rotation policy
     • Link to the Organizations Master account if not already a member
     • Use a group email/phone as the contact info
     • Enable AWS CloudTrail in all regions, send to the Log Archive account
     • Enable Amazon GuardDuty in all regions
       - Security Account as Amazon GuardDuty master
       - Operationalize the findings
     • Enable AWS Config, send to the Log Archive account
     • Enable appropriate AWS Config rules
       - Amazon S3 bucket encryption
       - Amazon S3 world read/write
       - EBS encryption, etc.
     • Create read-only cross-account Security role
     • Create read/write cross-account Security role
     • Create VPC (non-overlapping IP space)
     • Enable federation into the account
       - http://federationworkshopreinvent2016.s3-website-us-east-1.amazonaws.com/
     • Define roles and access policies
     • Peer/PrivateLink Amazon VPC with Shared Services
     • Add a policy for prefix naming conditions to every account; for example, deny access to Lambda functions whose names start with “security*”
     • Review the CIS Foundations Benchmark and leverage as appropriate
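The preventive half of slides 21 and 22, as added example code rather than anything from the deck or from AWS: it builds the two service control policies the checklist calls for (the Log Archive SCP that prevents s3:delete, and the prefix-naming SCP protecting Lambda functions named “security*”), then runs requests through a deliberately simplified local model of IAM evaluation to show why an SCP Deny holds even against an account administrator. Bucket and account identifiers are placeholders, the model assumes the default FullAWSAccess SCP stays attached (so only Deny statements matter), and the exception for a role named SecurityReadWrite in the Lambda rule is this example's choice, not something the slides specify.

```python
"""Build the Log Archive and prefix-naming SCPs and check them against a
simplified model of IAM policy evaluation. Added example; placeholders and
simplifications are noted inline."""
import fnmatch
import json

LOG_BUCKET = "example-org-log-archive"   # placeholder bucket name (constructed)
LOG_ARCHIVE_ACCOUNT = "222222222222"     # placeholder account id (constructed)
TEAM_ACCOUNT = "444444444444"            # placeholder account id (constructed)


def log_archive_scp(bucket):
    """SCP for the Log Archive account: no principal in the account may delete
    log objects, object versions or the bucket itself, whatever its IAM policy
    grants (the 'Add SCP to prevent s3:delete' step on slide 21)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLogArchiveDeletion",
            "Effect": "Deny",
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def security_prefix_scp():
    """SCP for every account: deny Lambda actions on functions whose name starts
    with 'security' unless the caller is the security team's cross-account role
    (role name SecurityReadWrite is an assumption of this example)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ProtectSecurityLambdas",
            "Effect": "Deny",
            "Action": "lambda:*",
            "Resource": "arn:aws:lambda:*:*:function:security*",
            "Condition": {"ArnNotLike": {
                "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityReadWrite"}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, request):
    """Does this statement apply to the request? Action and Resource use
    IAM-style '*' wildcards; only the ArnLike/ArnNotLike operators are modelled."""
    if not any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, patterns in keys.items():
            value = request["context"].get(key, "")
            hit = any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))
            if (operator == "ArnLike" and not hit) or (operator == "ArnNotLike" and hit):
                return False
    return True


def evaluate(request, identity_policy, scps):
    """Simplified evaluation: an explicit Deny in the identity policy or in any
    SCP wins; otherwise the identity policy must Allow. SCPs never grant access,
    they only bound what the account's principals may do."""
    for policy in [identity_policy, *scps]:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Deny" and _matches(stmt, request):
                return "DENY"
    for stmt in identity_policy["Statement"]:
        if stmt["Effect"] == "Allow" and _matches(stmt, request):
            return "ALLOW"
    return "DENY"


def demo():
    """An account administrator (Allow */*) versus the security role, both
    constrained by the two SCPs."""
    admin_policy = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    scps = [log_archive_scp(LOG_BUCKET), security_prefix_scp()]
    admin = {"aws:PrincipalArn": f"arn:aws:iam::{TEAM_ACCOUNT}:role/Admin"}
    security = {"aws:PrincipalArn": f"arn:aws:iam::{TEAM_ACCOUNT}:role/SecurityReadWrite"}
    log_object = f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/{LOG_ARCHIVE_ACCOUNT}/CloudTrail/x.json.gz"
    lambda_fn = f"arn:aws:lambda:us-east-1:{TEAM_ACCOUNT}:function:security-guardduty-export"

    def run(action, resource, ctx):
        return evaluate({"action": action, "resource": resource, "context": ctx}, admin_policy, scps)

    return {
        "admin_delete_log": run("s3:DeleteObject", log_object, admin),
        "admin_read_log": run("s3:GetObject", log_object, admin),
        "admin_edit_security_lambda": run("lambda:UpdateFunctionCode", lambda_fn, admin),
        "security_edit_security_lambda": run("lambda:UpdateFunctionCode", lambda_fn, security),
    }


if __name__ == "__main__":
    print(json.dumps(log_archive_scp(LOG_BUCKET), indent=2))
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The model leaves out resource policies, permission boundaries and session policies on purpose; the point it isolates is the one the slides rely on, that an SCP attached above the account cannot be undone by any IAM policy written inside it, which is what makes the Log Archive a trustworthy single source of truth.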
  23. Approaches to your “landing zone”
     AWS Landing Zone (ALZ):
     • An implementation of a landing zone based on the multi-account strategy guidance
     • An AWS Solution (not an AWS service) that can save time by automating the setup of an environment while implementing an initial security baseline
     AWS Control Tower (CT):
     • The AWS native-service version of AWS Landing Zone
  24. Implementation: AWS Landing Zone
  25. AWS Landing Zone Structure (diagram: AWS Organizations with Shared Services, Log Archive and Security accounts)
  26. Master Account: SSO (Single Sign-On)
  27. Master Account: Account Vending Machine
  28. Team/Group Account: Baselines
     • Enable notification
     • Enable Config rules
     • Create VPC, delete default VPC, enable Flow Log and peering
     • Strong password policy
     • Set up security roles
     • CloudTrail to Log account
     • Enable GuardDuty
  29. Shared Services Account
     • AD service
     • Centralized logging search
     • Shared service VPC peering
  30. Log Archive Account
     • S3 bucket for centralized logs
     • CloudTrail and Config history
  31. Security Account
     • GuardDuty master view
     • Compliance and security notifications
  32. Implementation: AWS Control Tower
  33. Control Tower: Set up an AWS landing zone
     • Landing zone: a preconfigured, secure, scalable, multi-account AWS environment based on best-practice blueprints
     • Multi-account management using AWS Organizations
     • Identity and federated access management using AWS SSO
     • Centralized log archive using AWS CloudTrail and AWS Config
     • Cross-account audit access using AWS SSO and AWS IAM
     • End-user account provisioning through AWS Service Catalog
     • Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS
     (Diagram: the master account runs AWS Control Tower over AWS Organizations, AWS Single Sign-On, stack sets and AWS Service Catalog; the Core OU holds the Log archive account, which aggregates AWS CloudTrail and AWS Config logs, and the Audit account, with security cross-account roles, an Amazon CloudWatch aggregator and security notifications; the Custom OU holds provisioned accounts with a network baseline and account baseline; an AWS SSO directory provides identities.)
  34. Establish Guardrails (Baselines)
     • Guardrails are preconfigured governance rules for security, compliance, and operations
     • Expressed in plain English to provide abstraction over granular AWS policies
     • Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs
     • Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules
     • Mandatory and strongly recommended guardrails for prescriptive guidance
     • Easy selection and enablement on organizational units
     (Diagram: a guardrail is enabled on an organizational unit and applies to its accounts; a preventive guardrail is output as an SCP and its accounts are always compliant; a detective/remediable guardrail is output as AWS Config rules and each account reports compliant or non-compliant.)
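The detective half, as added example code that is not from the deck, AWS Config or Control Tower: a small rule engine that evaluates constructed configuration items for the AWS Config checks named on slide 22 (S3 bucket encryption, S3 world read/write, EBS encryption, CloudTrail in all regions to the Log Archive) and reports per-resource COMPLIANT / NON_COMPLIANT the way slide 34 describes a detective guardrail behaving. The item shape is a simplified stand-in for AWS Config's configurationItem JSON, the rule names are this example's own (not AWS managed rule identifiers), and every sample item and bucket name is constructed.

```python
"""Detective guardrails evaluated locally over constructed configuration
items. Added example: rule names, item shape and sample data are all this
example's own simplifications, not AWS Config's."""

LOG_BUCKET = "example-org-log-archive"  # placeholder bucket name (constructed)

# Constructed inventory of one team account (not real resources).
ITEMS = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "team-a-artifacts",
     "configuration": {"blockPublicAccess": True, "sseAlgorithm": "aws:kms"}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "team-a-scratch",
     "configuration": {"blockPublicAccess": False, "sseAlgorithm": None}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60001",
     "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60002",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::CloudTrail::Trail", "resourceId": "org-trail",
     "configuration": {"isMultiRegionTrail": True, "s3BucketName": LOG_BUCKET}},
]


def s3_bucket_encrypted(item):
    """Slide 22 'Amazon S3 bucket encryption': default server-side encryption is set."""
    return item["configuration"].get("sseAlgorithm") in ("AES256", "aws:kms")


def s3_not_world_accessible(item):
    """Slide 22 'Amazon S3 world read/write': public access is blocked."""
    return item["configuration"].get("blockPublicAccess") is True


def ebs_encrypted(item):
    """Slide 22 'EBS encryption': the volume is encrypted at rest."""
    return item["configuration"].get("encrypted") is True


def cloudtrail_to_log_archive(item):
    """Slide 22 'Enable CloudTrail in all regions, send to Log Archive account':
    the trail is multi-region and delivers to the Log Archive bucket."""
    cfg = item["configuration"]
    return cfg.get("isMultiRegionTrail") is True and cfg.get("s3BucketName") == LOG_BUCKET


# Example rule name -> (resource type it applies to, compliance check).
RULES = {
    "s3-default-encryption": ("AWS::S3::Bucket", s3_bucket_encrypted),
    "s3-no-public-access": ("AWS::S3::Bucket", s3_not_world_accessible),
    "ebs-encrypted": ("AWS::EC2::Volume", ebs_encrypted),
    "cloudtrail-multi-region-to-log-archive": ("AWS::CloudTrail::Trail", cloudtrail_to_log_archive),
}


def evaluate_account(items, rules=RULES):
    """Apply every rule to every resource of its type and emit one finding per
    pair, mirroring how a Config rule reports compliance per resource."""
    findings = []
    for item in items:
        for rule, (resource_type, check) in rules.items():
            if item["resourceType"] != resource_type:
                continue
            findings.append({
                "rule": rule,
                "resourceId": item["resourceId"],
                "compliance": "COMPLIANT" if check(item) else "NON_COMPLIANT",
            })
    return findings


def non_compliant(findings):
    """Collapse findings into rule -> failing resource ids, the shape a
    dashboard or security notification would present."""
    summary = {}
    for finding in findings:
        if finding["compliance"] == "NON_COMPLIANT":
            summary.setdefault(finding["rule"], []).append(finding["resourceId"])
    return summary


if __name__ == "__main__":
    for rule, resources in non_compliant(evaluate_account(ITEMS)).items():
        print(f"{rule}: {', '.join(resources)}")
```

Against this inventory the scratch bucket fails both S3 rules and one volume fails the EBS rule, while the organization trail passes; a detective guardrail records those failures and raises them in the dashboard, whereas the preventive SCPs on slide 22 would have stopped the offending API calls outright.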
  35. Guardrails
  36. Account Factory
  37. Dashboard for Oversight
  38. AWS Control Tower vs. AWS Landing Zone
     AWS Landing Zone:
     • AWS CloudFormation-based solution
     • Fully customizable / owned by the customer
     • Most regions supported
     • Complete flexibility on account structure
     • Complex, requiring significant expertise
     AWS Control Tower:
     • Managed service by AWS
     • Fixed blueprints and guardrails
     • Four regions at launch
     • Two non-configurable core accounts; no Shared Services account, no Amazon VPC in core
     • Self-service guided deployment, configurable through the GUI
  39. Which One Should I Choose?
     AWS Control Tower, when:
     • AWS Control Tower capabilities meet what you need
     • You are willing to start with a fresh new environment
     • You are willing to grow with the managed service
     • You don't have a team that can take on the complexity of managing the AWS Landing Zone Solution
     AWS Landing Zone, when:
     • You have an existing landing zone that meets your current needs and exceeds CT’s feature set
     • You need full customization and full control over every aspect of the landing zone
  40. Best Practice: Multi-account Strategy (diagram: AWS Organizations Master Account; Core Accounts: Log Archive, Security, Shared Services, Network; Developer Accounts: Developer Sandbox; Team/Group Accounts: Dev, Pre-Prod, Prod, Team Shared Services; network path to the Data Center)
     • Orgs: account management
     • Log Archive: security logs
     • Security: security tools, AWS Config rules
     • Shared Services: directory, limit monitoring
     • Network: Direct Connect, Transit Gateway
     • Dev Sandbox: experiments, learning
     • Dev: development
     • Pre-Prod: staging
     • Prod: production
     • Team SS: team shared services, data lake
  41. Benefits of a “landing zone”: set up a best-practices AWS environment
  42. Resources to Get You Started
     • AWS Control Tower User Guide: https://docs.aws.amazon.com/controltower/latest/userguide/controltower-ug.pdf
     • AWS Control Tower Labs: https://controltower.aws-management.tools
     • AWS Landing Zone Solution: https://aws.amazon.com/solutions/aws-landing-zone/
     • AWS Landing Zone Online Tech Talks: https://pages.awscloud.com/Whats-New-in-AWS-Landing-Zone_2019_0514-ENT_OD.html
  43. Thank you! Simon Wang (王舜民), Solutions Architect, shunminw@amazon.com
