AWS Control Tower is a new AWS service for cloud administrators to set up and govern their secure, compliant, multi-account environments on AWS.
In this session, the University of York will discuss their implementation of AWS Landing Zone. We’ll also explain how AWS Control Tower automates AWS Landing Zone creation with best-practice blueprints.
39. Who we are…
• University of York
• Campus in North Yorkshire, United Kingdom
• Research intensive University
• Over 30 academic departments
• Over 18,000 students from 140+ countries
• Over 3,000 staff members
40. Key points to note
• BitBucket and BitBucket Pipelines are used to store & deploy code
• CloudFormation written in YAML for core infrastructure
• SAM (& CloudFormation) / CDK for application infrastructure
• Hybrid approach with some data still stored on campus servers*
* for now
42. Why this didn’t work for us…
• A single development account is a hindrance
• A desire to centralise our AWS offering within IT Services
• Creating new accounts didn’t scale well
• Blast radius was too wide
43. Landing Zone Benefits
• Quick and easy way to create multiple accounts
• Achieve a desired state for each account upon provision
• Easy management of accounts through Organizational Units
• Configuration flexibility for ops teams
• Security and auditing baseline
45. Sandbox Infrastructure
• Allows a user access to their own isolated environment
• Promotes experimentation, adoption and upskill
• Fully automated provisioning process (<5 minutes)
• Prevents using other accounts for testing
• Centralised billing & cost monitoring
46. Authentication Infrastructure
• Shibboleth Single Sign-On
• Allows existing University credentials to be used
• Duo Multi-Factor Authentication (2FA)
• SAML based authentication
• Configured via Identity Providers under IAM
• Entirely automated provisioning as a baseline
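As an added illustration of the baseline described above (not the University of York's own template), this CloudFormation YAML creates the SAML identity provider under IAM and a role that Shibboleth-authenticated users can assume; the resource names, the role name and the metadata parameter are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Baseline SAML federation for one account: an IAM identity provider for the
  campus Shibboleth IdP and a role that federated users may assume.
  (Added illustration; names and the metadata parameter are assumptions.)

Parameters:
  ShibbolethMetadata:
    Type: String
    Description: SAML 2.0 metadata XML exported from the Shibboleth IdP (placeholder value supplied at deploy time)
  FederatedRoleName:
    Type: String
    Default: ShibbolethFederatedUser   # assumed role name

Resources:
  # The "Identity Providers under IAM" entry: trusts assertions signed by the IdP.
  ShibbolethProvider:
    Type: AWS::IAM::SAMLProvider
    Properties:
      Name: Shibboleth
      SamlMetadataDocument: !Ref ShibbolethMetadata

  # Role obtainable only through a SAML assertion from that provider. The IdP
  # (with Duo) completes MFA before issuing the assertion, so IAM never handles
  # a campus password; the audience condition pins the assertion to the AWS SP.
  FederatedRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref FederatedRoleName
      MaxSessionDuration: 3600   # one-hour console sessions
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref ShibbolethProvider   # resolves to the provider ARN
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
      ManagedPolicyArns:
        # Least-privilege starting point; widen per account type as required.
        - arn:aws:iam::aws:policy/ReadOnlyAccess

Outputs:
  ProviderArn:
    Value: !Ref ShibbolethProvider
```

Deploying this as a stack in every newly provisioned account is what makes the SAML baseline "entirely automated"; the IdP side still needs the account's role ARNs added to its AWS attribute release.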
48. Provisioning Infrastructure
• Service Catalog to create accounts
• Leverage extensive AWS APIs to streamline the process
• Call back to internal authentication APIs to make the account known
• Sends account welcome emails through Simple Email Service
49. Provisioning Infrastructure
• Account Type
• Region
• Username
• Shibboleth Authentication Stack
• VPC Type
• Workorder (for internal billing)
50. Campus Connectivity
• Uses the AWS Transit Gateway service
• Direct AWS VPN connectivity to a “shared services” account
• Allows us to share a single VPN Gateway to multiple accounts
• Reduces cost and allows easier traffic monitoring
51. Compliance
• GuardRails to monitor compliance in the environment
• AWS Config
  • Old pricing model was too costly with multiple accounts
  • “Pay as you go” AWS Config pricing reduces costs
• Cloud Custodian
  • Free, open source & uses AWS APIs
52. Internal Tooling
• Serverless Ruby application
• Lambda, DynamoDB, ElastiCache, ACM, Cognito & ELB
• Background lambdas for task processing
• Not designed to replace AWS functionality, but assist
60. The future for York
• Continue innovating with serverless architecture
• Further expand our AWS offering within the University
• Lessen the hybrid restrictions we currently have
• Increase automation around accounts & deployments