© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Building Your Own Landing Zone
SEC315
Lalit Grover, Solutions Builder, Amazon Web Services
Hitendra Nishar, Solutions Builder, Amazon Web Services
Wallace Printz, Solutions Architect, Amazon Web Services
Workshop registration: http://lz-workshop.us-west-2.elasticbeanstalk.com/
Register for workshop
http://lz-workshop.us-west-2.elasticbeanstalk.com
Workshop materials, login password will be sent via email
Agenda
• Why do you need a landing zone?
• Understand the AWS Landing Zone design
• Demo 1: Tour of AWS Landing Zone deployment and functions
• Demo 2: Creating a new AWS account via the Account Vending Machine (AVM)
• Demo 3: Extending the AWS Landing Zone via the Landing Zone add-on feature
Customers are faced with
• Many design decisions
• Need to configure multiple accounts & services
• Establish security baseline & governance
Why one account isn’t enough
• Billing
• Many teams
• Security/Compliance controls
• Business process
• Isolation
Multi-account approach
[Diagram: AWS Organizations above Core Accounts (Security, Shared Services, Network, Log Archive) and Team/Group Accounts (Developer Sandbox, Dev, Pre-Prod, Prod, Team Shared Services), plus Developer Accounts and the on-premises Data Center]
Orgs: Account management
Log archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: AWS Direct Connect
Dev sandbox: Experiments, learning
Dev: Development
Pre-prod: Staging
Prod: Production
Team SS: Team shared services, data lake
The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup of new AWS multi-account environments
• Based on AWS best practices and recommendations
• Initial security and governance controls
• Baseline accounts and AVM
• Automated deployment
What you get with the AWS Landing Zone
Account management
• Framework for creating and baselining a multi-account environment
• Initial multi-account structure that includes security, audit, and shared service requirements
• An account vending machine that enables automated deployment of additional accounts with a set of security baselines
Identity & access management
• User account access managed through AWS SSO federation
• Cross-account roles enable centralized management
Security & governance
• Initial account security and AWS Config rules baseline
• Network baseline
Solution extensibility
• Add on to your AWS Landing Zone deployment
AWS Landing Zone structure—Default deployment
[Diagram: AWS Organizations account with the Shared Services, Log Archive, and Security accounts, and Parameter Store]
Organizations account
• Account provisioning
• Account access (AWS Single Sign-On (SSO))
Shared services account
• Active Directory
• Log analytics
Log archive account
• Security logs
Security account
• Audit/Break-glass
AWS Landing Zone structure—With optional add-ons
[Diagram: the same default structure (Organizations, Shared Services, Log Archive, and Security accounts, Parameter Store), with the account roles listed on the previous slide, extended with optional add-on products]
Account baseline
Applied to each account with CloudFormation:
• AWS CloudTrail—CloudTrail to local and log archive Amazon Simple Storage Service (Amazon S3) bucket
• AWS Config—configuration data forwarded to log archive Amazon S3 bucket
• AWS Config rules—resource security rules (Amazon Elastic Block Store [Amazon EBS] encryption, others)
• Amazon GuardDuty—associate member to GuardDuty master
• AWS Identity and Access Management (IAM) roles and policies—security admin and read-only roles
• IAM password policy—password complexity required
• Notifications—CloudTrail API activity alarm
• Amazon Virtual Private Cloud (Amazon VPC) infrastructure—options for multi-AZ, multi-subnet
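The Config rules in this baseline are detective controls: each one maps a configuration item to a compliance result that Config records and can alarm on. The block below is an added example written for this page, not code from the AWS Landing Zone solution. It implements the evaluation logic of a custom Config rule for encryption at rest, covering the EBS volume check named above and the S3 server-side encryption check the deck uses as its detective-control example, plus the remediation step (the PutBucketEncryption arguments an SSM document would apply) for a non-compliant bucket. The configuration item shapes, the sample items, the `make_event` helper and the dry-run client are constructed for the example; the Lambda entry point follows the standard Config custom-rule contract (`invokingEvent` JSON string in, `PutEvaluations` out).

```python
"""Detective guardrail: evaluation logic for a custom AWS Config rule that checks
encryption at rest, plus the remediation step for a non-compliant S3 bucket.
Added example for this page; not part of the AWS Landing Zone solution."""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_ebs_volume(configuration):
    """AWS::EC2::Volume exposes a boolean 'encrypted' flag in its configuration."""
    return COMPLIANT if configuration.get("encrypted") is True else NON_COMPLIANT


def evaluate_s3_bucket(supplementary):
    """AWS::S3::Bucket reports default encryption under supplementaryConfiguration
    (shape assumed from Config's bucket item). The key is absent when no default
    encryption is set, so a missing key is NON_COMPLIANT, not an error."""
    sse = supplementary.get("ServerSideEncryptionConfiguration") or {}
    for rule in sse.get("rules", []):
        by_default = rule.get("applyServerSideEncryptionByDefault") or {}
        if by_default.get("sseAlgorithm") in ("AES256", "aws:kms"):
            return COMPLIANT
    return NON_COMPLIANT


def evaluate_compliance(item):
    """Map one configuration item to a compliance type. Deleted resources and
    resource types the rule does not cover are NOT_APPLICABLE, so Config clears
    stale results instead of flagging them NON_COMPLIANT forever."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE
    resource_type = item.get("resourceType")
    if resource_type == "AWS::EC2::Volume":
        return evaluate_ebs_volume(item.get("configuration") or {})
    if resource_type == "AWS::S3::Bucket":
        return evaluate_s3_bucket(item.get("supplementaryConfiguration") or {})
    return NOT_APPLICABLE


def build_evaluation(event):
    """Turn a rule invocation into one PutEvaluations entry. Config delivers the
    configuration item as a JSON string inside 'invokingEvent'."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point. Pass a client to run offline; otherwise boto3 is
    imported lazily so the module loads without it."""
    if config_client is None:
        import boto3  # only needed inside Lambda
        config_client = boto3.client("config")
    evaluation = build_evaluation(event)
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def remediation_request(evaluation, kms_key_id=None):
    """Remediation: PutBucketEncryption arguments that bring a NON_COMPLIANT
    bucket back into compliance (what the SSM document would execute)."""
    if evaluation["ComplianceResourceType"] != "AWS::S3::Bucket" or evaluation["ComplianceType"] != NON_COMPLIANT:
        return None
    by_default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id} if kms_key_id else {"SSEAlgorithm": "AES256"}
    return {"Bucket": evaluation["ComplianceResourceId"],
            "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": by_default}]}}


def make_event(item, result_token="constructed-token"):
    """Constructed invocation event in the shape Config sends to a custom rule."""
    invoking = {"configurationItem": item, "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": "{}", "resultToken": result_token}


def _item(resource_type, resource_id, status="OK", **extra):
    base = {"resourceType": resource_type, "resourceId": resource_id, "configurationItemStatus": status,
            "configurationItemCaptureTime": "2018-11-26T10:00:00.000Z"}
    base.update(extra)
    return base


# Constructed sample configuration items (not captured from a real account).
SAMPLE_ITEMS = {
    "plain_volume": _item("AWS::EC2::Volume", "vol-0example0plain", configuration={"encrypted": False}),
    "kms_volume": _item("AWS::EC2::Volume", "vol-0example0kms", configuration={"encrypted": True}),
    "deleted_volume": _item("AWS::EC2::Volume", "vol-0example0gone", status="ResourceDeleted"),
    "plain_bucket": _item("AWS::S3::Bucket", "example-unencrypted-bucket", supplementaryConfiguration={}),
    "kms_bucket": _item("AWS::S3::Bucket", "example-kms-bucket", supplementaryConfiguration={
        "ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms", "kmsMasterKeyID": "alias/example"}}]}}),
}


class DryRunConfigClient:
    """Stand-in for boto3's Config client so the handler can run offline."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = DryRunConfigClient()
    for name, item in SAMPLE_ITEMS.items():
        result = lambda_handler(make_event(item), None, config_client=client)
        print(f"{name:15} {result['ComplianceType']:15} remediation={remediation_request(result)}")
```

Returning NOT_APPLICABLE for deleted resources matters in practice: a rule that reports NON_COMPLIANT for a volume that no longer exists leaves a permanent false finding in the Security account's compliance view. The remediation request is deliberately separated from the evaluation so it can be reviewed or gated before an automation runs it against a production bucket.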
The AWS Landing Zone pipeline
Stages: Source → Validate/Build/Test → Deploy core account structure → Deploy core resources → Deploy Service Catalog portfolio/products → Deploy baseline resources → Launch AVM for core accounts
[Diagram: the Landing Zone zip file (manifest file and AWS CloudFormation templates) in a core Amazon S3 bucket, built by AWS CodeBuild; the stages target AWS Organizations, AWS Account Baseline StackSets (logging, security credentials), AWS Service Catalog, StackSets, and the vended accounts]
Key solution components
Configure AWS Landing Zone infrastructure as code
• Configuration templates define: core account structure, Service Control Policies, network and security baselines, AWS Service Catalog portfolios/products
• Enable developers to change or extend the AWS Landing Zone implementation
Implementation with AWS CloudFormation templates & StackSets
• Out-of-the-box example AWS Landing Zone implementation to get started quickly. Includes core accounts for security, log audit, and shared services.
Deployment orchestration with AWS CodePipeline and AWS Step Functions
• Enable CI/CD; control event sequencing and synchronization
Key solution components (cont.)
Account baseline
• Provide guardrails for preventive control, detective control, and remediation
• Applied to specified organizational units and accounts
The Account Vending Machine
• Allow user to create new accounts through AWS Service Catalog
• New accounts baselined automatically
Add-on to your AWS Landing Zone deployment
• Extend with optional add-on capabilities through AWS Service Catalog
AWS Landing Zone—Control types (guardrails)
Preventive controls
• Prohibit or restrict users from disabling or deleting the baseline controls, such as an SCP that prevents deleting or disabling AWS CloudTrail/Config
Detective controls
• Monitor resources for compliance and alert when a resource goes out of compliance, such as AWS Config rules that monitor Amazon S3 server-side encryption for all S3 buckets created in an account
Remediation
• Take corrective action to remediate out-of-compliance resources and bring them back to a compliant state, such as an SSM document triggered from a Config rule to enable Amazon S3 server-side encryption on a non-compliant S3 bucket
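A preventive guardrail is only as good as its reach: an SCP applies to every principal in the member account, including the account's root user, and unlike an IAM policy it never grants anything; it only removes permissions from whatever IAM would otherwise allow. The block below is an added example for this page, not the SCP shipped with the AWS Landing Zone solution. It defines an SCP that denies the calls which would stop, delete or reconfigure CloudTrail and AWS Config, carves out an exception for a hypothetical automation role (`LandingZoneAutomation`, an assumption made for the example) so the baseline pipeline itself can still manage those resources, and includes a deliberately small evaluator that models only what the example needs: action wildcards, `ArnLike`/`ArnNotLike` on `aws:PrincipalARN`, and a `Resource` of `*`. It is not AWS's policy engine.

```python
"""Preventive guardrail: an SCP that keeps member-account principals from
disabling the logging baseline, with a minimal evaluator showing its effect.
Added example for this page; not the policy shipped with AWS Landing Zone."""
import json
import re

# Assumption for the example: the landing-zone pipeline assumes a role with this
# name in every account, and it alone may change CloudTrail/Config settings.
AUTOMATION_ROLE_PATTERN = "arn:aws:iam::*:role/LandingZoneAutomation"

# Deny-only: an SCP never grants access. It caps what IAM policies inside the
# account can grant, and it binds the account root user as well.
PROTECT_LOGGING_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectCloudTrailAndConfig",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigRule",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": AUTOMATION_ROLE_PATTERN}},
        }
    ],
}


def iam_match(pattern, value, ignore_case=True):
    """IAM-style glob: '*' matches any run, '?' one character. Action names are
    matched case-insensitively; ARNs in ArnLike conditions are case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def condition_holds(condition, context):
    """Evaluate the operators this example models. Anything else is rejected
    loudly rather than silently treated as satisfied."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            actual = context.get(key)
            matched = actual is not None and any(iam_match(p, actual, ignore_case=False) for p in patterns)
            if matched != (operator == "ArnLike"):
                return False
    return True


def scp_denies(scp, action, principal_arn):
    """True when a Deny statement matches this action for this principal.
    Resource is taken as '*' (the only form used here). 'Not denied' still
    needs an IAM Allow in the account before the call succeeds."""
    context = {"aws:PrincipalARN": principal_arn}
    for statement in scp["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        actions = statement["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(iam_match(p, action) for p in actions):
            continue
        if condition_holds(statement.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed principals; 111122223333 is a documentation placeholder account ID.
    principals = {
        "developer": "arn:aws:iam::111122223333:role/Developer",
        "root": "arn:aws:iam::111122223333:root",
        "automation": "arn:aws:iam::111122223333:role/LandingZoneAutomation",
    }
    for who, arn in principals.items():
        for action in ("cloudtrail:StopLogging", "config:StopConfigurationRecorder", "cloudtrail:DescribeTrails"):
            print(f"{who:10} {action:35} denied={scp_denies(PROTECT_LOGGING_SCP, action, arn)}")
    # Policy body for: aws organizations create-policy --type SERVICE_CONTROL_POLICY
    print(json.dumps(PROTECT_LOGGING_SCP, indent=2))
```

Attach the policy to the OU that holds the vended accounts (`aws organizations attach-policy --policy-id <id> --target-id <ou-id>`) and remember two limits of the control: SCPs do not apply to the master account itself, so its root user and its own trail need separate protection, and the deny on `cloudtrail:UpdateTrail` blocks legitimate changes too unless they come through the exempted role.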
Introduction to the Landing Zone’s add-on products for AWS SSO
[Diagram: AWS SSO endpoint and AWS Directory Connector in the AWS Organizations account, VPC peering to AWS Managed AD in the Shared Services account (regions shown: us-east-1, eu-west-1); account users get federated access to AWS accounts in all regions]
• AWS Managed Microsoft Active Directory in the Shared Services account
• AD Connector in the master account
• AWS SSO configured with permission sets
• AD users log in from the AWS SSO URL to access the Landing Zone accounts
Attendee LZ access via AWS SSO
The AWS Landing Zone deployment
Demo 1 (by presenter)
• StackSets that implement the account baseline
• Effect of enabled Config rules
• Multi-account structure under AWS Organizations
• Logging and aggregation in the Log Archive account
Lab 1 (by attendees with Lab 1 Guide)
• Review of GuardDuty setup and run-time status
What is the Account Vending Machine (AVM)?
An AWS Service Catalog product that creates new AWS accounts in organizational units (OUs), preconfigured with an account security baseline and a predefined network
AVM architecture
AVM (AWS Service Catalog)
• Account creation UI
• Account baseline versioning
• Launch constraints
[Diagram: the Account Vending Machine, launched from AWS Service Catalog, works with AWS Organizations and the Security, Log Archive, and Shared Services accounts to produce the new AWS account]
Steps:
• Creates/Updates AWS account
• Apply account baseline stack sets
• Create network baseline
• Apply account security control policy
Demo 2 (by presenter)
• Access the new AWS account via SSO
• Review account baseline in CloudFormation console
• Examine Config rule status
Lab 2 (by attendees with Lab 2 Guide)
• Launch AVM from the Service Catalog console in the master account
• Verify Service Control Policy baseline
• View the StackSet that baselined the new AWS account
• Configure SSO to access the new AWS account
Add on to your AWS Landing Zone
Easily add new optional services into your existing AWS Landing Zone deployment
These add-on products enable:
• Partners, ISVs to build and share their solutions with customers
• Customers to create new solutions to extend their own deployment
Two AWS Landing Zone add-ons available today
• AWS Active Directory with Remote-Desktop Gateway,
and Active Directory Connector for SSO
• Centralized logging solution
Add-on deployment workflow
[Diagram: the master AWS Landing Zone configuration zip file in the customer bucket; a partner add-on configuration zip file (partner bucket) and an ISV add-on configuration zip file (ISV bucket) are delivered into the customer bucket]
Launch add-on product
In combination with AWS managed services and Amazon Elasticsearch Service, this solution offers customers a highly available, turnkey environment to begin logging and analyzing their AWS environment and applications
The AWS Landing Zone pipeline
Stages: Source → Validate/Build/Test → Deploy core account structure and policies → Deploy core resources → Deploy Service Catalog portfolio/products → Deploy baseline resources → Launch AVM for core accounts
[Diagram: AWS CodeBuild validates the Landing Zone zip file (AWS Landing Zone master configuration); a state machine trigger Lambda starts one AWS Step Functions state machine per stage: Organizations/SCP state machine, StackSet state machine (core resources), Service Catalog state machine, StackSet state machine (baseline resources), and Launch AVM state machine; targets are AWS Organizations, AWS Account Baseline StackSets, and AWS Service Catalog]
Centralized logging add-on deployment flow
[Diagram: AWS CodePipeline in the AWS Organizations master account takes the Landing Zone zip file (AWS Landing Zone master configuration) through the "CoreResource" stage (1) and the "LaunchAVM" stage (2, 3), each driven by AWS Step Functions, targeting the Shared Services account and all other accounts]
Back to demo
[Diagram: AWS CodePipeline, AWS CloudFormation, AWS Step Functions]
Benefits of the AWS Landing Zone
• Automated
• Scalable
• Self-service
• Guardrails, not blockers
• Auditable
• Flexible
AWS Landing Zone track: search: “awslandingzone”
Architecture:
SEC303: Architecting Security & Governance across Your AWS Landing Zone (Session)
ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session)
Implementation:
ENT350: AWS Landing Zone Deep Dive (Chalk Talk)
SEC349: Governance at Scale (Chalk Talk)
ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session)
Workshops (First three are same content):
ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop)
SEC315: Enterprise Governance and Security—Build Your AWS Landing Zone (Workshop)
GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners)
SEC334: Operational Excellence for Identity & Access Management (Workshop)
Summary/Feedback:
SEC360: AWS Landing Zone Strategies (Chalk Talk)
Thank you!
AWS Landing Zone Workshop Team
alzws@amazon.com
Key things you should know
• The solution sets up new environments; it does not modify existing
environments
• Both new and mature customers can use the solution
• This is an AWS Partner/Professional Services deployable solution, not
a service
• It is available now and designed to be used for production
deployments
• The solution was designed to scale
AWS accounts
• New master account:
• The solution requires a new AWS Organizations master
• Existing accounts:
• The solution does not currently support the importing of existing accounts
• Use cases for mature customers:
• Set up a new environment for a new team/ business unit
• Learn if there are things they want to build into their existing environments
• Create a scalable environment if they are running into limits with their current AWS
environment set-up
• Customization/Integration:
• If customers want modifications or integration of AWS Landing Zone into existing
environments, engage AWS Professional Services/Partners
AWS Landing Zone pricing
No additional charge for the AWS Landing Zone solution
Customers are responsible for the charges of the underlying
services (such as AWS Config service, CloudTrail, others)
Cost for the basic solution: ~$200/month
Monthly cost for optional add-ons:
• Centralized logging solution: <$400
• Directory Connector: <$50
• AWS Managed AD plus Remote Desktop Gateway: ~$300

Enabling Your Organization’s Amazon Redshift Adoption – Going from Zero to He...Enabling Your Organization’s Amazon Redshift Adoption – Going from Zero to He...
Enabling Your Organization’s Amazon Redshift Adoption – Going from Zero to He...
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
 
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
 
Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...
Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...
Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...
 
Enterprise Security
Enterprise SecurityEnterprise Security
Enterprise Security
 
How to Manage Multiple AWS Accounts using AWS Organizations
How to Manage Multiple AWS Accounts using AWS OrganizationsHow to Manage Multiple AWS Accounts using AWS Organizations
How to Manage Multiple AWS Accounts using AWS Organizations
 
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...
 
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...
 
Using AWS CloudTrail to Enhance Governance and Compliance of Amazon S3 - DEV3...
Using AWS CloudTrail to Enhance Governance and Compliance of Amazon S3 - DEV3...Using AWS CloudTrail to Enhance Governance and Compliance of Amazon S3 - DEV3...
Using AWS CloudTrail to Enhance Governance and Compliance of Amazon S3 - DEV3...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS re:Invent 2018

  • 12. The AWS Landing Zone solution
    An easy-to-deploy solution that automates the setup of new AWS multi-account environments
    Based on AWS best practices and recommendations
    Initial security and governance controls
    Baseline accounts and AVM
    Automated deployment
  • 13. What you get with the AWS Landing Zone
    Account management: Framework for creating and baselining a multi-account environment; initial multi-account structure that includes security, audit, and shared service requirements; an account vending machine that enables automated deployment of additional accounts with a set of security baselines
    Identity & access management: User account access managed through AWS SSO federation; cross-account roles enable centralized management
    Security & governance: Initial account security and AWS Config rules baseline; network baseline
    Solution extensibility: Add on to your AWS Landing Zone deployment
  • 14. AWS Landing Zone structure—Default deployment
    AWS Organizations, Shared Services, Log Archive, Security
    Organizations account
      • Account provisioning
      • Account access (AWS Single Sign-On (SSO))
      • Parameter Store
    Shared services account
      • Active Directory
      • Log analytics
    Log archive account
      • Security logs
    Security account
      • Audit/Break-glass
  • 15. AWS Landing Zone structure—With optional add-ons
    AWS Organizations, Shared Services, Log Archive, Security
    Organizations account
      • Account provisioning
      • Account access (AWS Single Sign-On (SSO))
      • Parameter Store
    Shared services account
      • Active Directory
      • Log analytics
    Log archive account
      • Security logs
    Security account
      • Audit/Break-glass
  • 16. Account baseline
    AWS CloudTrail—CloudTrail to local and log archive Amazon Simple Storage Service (Amazon S3) bucket
    AWS Config—configuration data forwarded to log archive Amazon S3 bucket
    AWS Config rules—resource security rules (Amazon Elastic Block Store [Amazon EBS] encryption, others)
    Amazon GuardDuty—associate member to GuardDuty master
    AWS Identity and Access Management (IAM) roles and policies—security admin and read-only roles
    IAM password policy—password complexity required
    Notifications—CloudTrail API activity alarm
    Amazon Virtual Private Cloud (Amazon VPC) infrastructure—options for multi-AZ, multi-subnet
    (Diagram: the baseline is applied to each account with CloudFormation)
  • 17. The AWS Landing Zone pipeline
    Stages: Source; Validate/Build/Test; Deploy core account structure; Deploy core resources; Deploy Service Catalog portfolio/products; Deploy baseline resources; Launch AVM for core accounts
    Inputs: Landing Zone zip file (manifest file, AWS CloudFormation templates), AWS CodeBuild
    Targets: AWS Organizations; AWS account baseline StackSets (logging, security credentials); AWS Service Catalog StackSet; AWS Service Catalog; core Amazon S3 bucket; vended accounts
  • 18. Key solution components
    Configure AWS Landing Zone infrastructure as code
      • Configuration templates define: core account structure, Service Control Policies, network and security baselines, AWS Service Catalog portfolios/products
      • Enable developers to change or extend the AWS Landing Zone implementation
    Implementation with AWS CloudFormation templates & StackSets
      • Out-of-the-box example AWS Landing Zone implementation to get started quickly. Includes core accounts for security, log audit, and shared services.
    Deployment orchestration with AWS CodePipeline and AWS Step Functions
      • Enable CI/CD; control event sequencing and synchronization
  • 19. Key solution components (cont.)
    Account baseline
      • Provide guardrails for preventive control, detective control, and remediation
      • Applied to specified organizational units and accounts
    The Account Vending Machine
      • Allow users to create new accounts through AWS Service Catalog
      • New accounts baselined automatically
    Add-on to your AWS Landing Zone deployment
      • Extend with optional add-on capabilities through AWS Service Catalog
  • 20. AWS Landing Zone—Control types (guardrails)
    Preventive controls
      • Prohibit or restrict users from disabling or deleting the baseline controls, such as an SCP that prevents deleting or disabling AWS CloudTrail/Config
    Detective controls
      • Monitor resources for compliance and alert when resources go out of compliance, such as AWS Config rules that monitor Amazon S3 server-side encryption for all S3 buckets created in an account
    Remediation
      • Take corrective action to remediate out-of-compliance resources and bring them back to a compliant state, such as an SSM document triggered from a Config rule to enable Amazon S3 server-side encryption for an out-of-compliance S3 bucket
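The three guardrail types on the control-types slide, modelled offline as an added example (this is not the AWS Landing Zone solution's own code): a preventive SCP that denies disabling CloudTrail and AWS Config, the evaluation logic of a custom AWS Config rule that flags S3 buckets without default server-side encryption, and the remediation call that turns encryption back on. The SCP statement content, the configuration-item layout under supplementaryConfiguration, and all function names are assumptions; the sample items in the test are constructed.

```python
"""Added example, not code from the AWS Landing Zone solution: the three
guardrail types (preventive / detective / remediation) for one baseline
control, S3 server-side encryption, modelled so the logic runs offline."""
import fnmatch
import json

# Preventive control: a service control policy attached to an OU. The
# action list is an assumption chosen to protect the logging baseline.
BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectLoggingBaseline",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "config:StopConfigurationRecorder",
            ],
            "Resource": "*",
        }
    ],
}


def scp_denies(policy, action):
    """True if any Deny statement in the SCP matches the IAM action.
    Only the Deny side is modelled; a real evaluation also needs an Allow
    from an SCP and an IAM policy, but this shows the guardrail's effect."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        # IAM action matching is case-insensitive and supports '*' wildcards
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            return True
    return False


def evaluate_bucket_encryption(configuration_item):
    """Detective control: compliance decision for one AWS::S3::Bucket
    configuration item. Assumes the bucket's encryption settings arrive
    under supplementaryConfiguration.ServerSideEncryptionConfiguration."""
    if configuration_item.get("resourceType") != "AWS::S3::Bucket":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "Not an S3 bucket"}
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "Bucket deleted"}
    supp = configuration_item.get("supplementaryConfiguration") or {}
    sse = supp.get("ServerSideEncryptionConfiguration") or {}
    if isinstance(sse, str):  # tolerate the block being delivered as a JSON string
        sse = json.loads(sse)
    for rule in sse.get("rules", []):
        default = rule.get("applyServerSideEncryptionByDefault") or {}
        if default.get("sseAlgorithm") in ("AES256", "aws:kms"):
            return {"ComplianceType": "COMPLIANT",
                    "Annotation": "Default encryption: " + default["sseAlgorithm"]}
    return {"ComplianceType": "NON_COMPLIANT",
            "Annotation": "No default server-side encryption configured"}


def lambda_handler(event, context):
    """Entry point of the custom Config rule: evaluate, then report back."""
    import boto3  # imported here so the pure logic above stays testable offline
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    result = evaluate_bucket_encryption(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": result["ComplianceType"],
            "Annotation": result["Annotation"],
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return result


def remediate_bucket(bucket_name, s3_client):
    """Remediation: the single call an SSM document triggered by the rule
    would make. The client is injected so the step can run against a stub."""
    s3_client.put_bucket_encryption(
        Bucket=bucket_name,
        ServerSideEncryptionConfiguration={
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
        },
    )
    return bucket_name
```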
  • 22. Introduction to the Landing Zone's add-on products for AWS SSO
    • AWS Managed Microsoft Active Directory in the Shared Services account
    • AD Connector in the master account
    • AWS SSO configured with permission sets
    • AD users log in from the AWS SSO URL to access the Landing Zone accounts
    Attendee LZ access via AWS SSO
    (Diagram: AWS SSO endpoint and AD Connector in the AWS Organizations account, us-east-1; AWS Managed AD in the Shared Services account, eu-west-1; VPC peering between them; federated access to AWS accounts in all regions)
  • 23. The AWS Landing Zone deployment
    Demo 1 (by presenter)
      • StackSets that implement the account baseline
      • Effect of enabled Config rules
      • Multi-account structure under AWS Organizations
      • Logging and aggregation in the Log Archive account
    Lab 1 (by attendees with Lab 1 Guide)
      • Review of GuardDuty setup and run-time status
  • 26. What is the Account Vending Machine (AVM)?
    An AWS Service Catalog product, which creates new AWS accounts in organizational units (OUs), preconfigured with an account security baseline and a predefined network
  • 27. AVM architecture
    AVM (AWS Service Catalog)
      • Account creation UI
      • Account baseline versioning
      • Launch constraints
    Account Vending Machine steps: creates/updates the AWS account; applies the account baseline stack sets; creates the network baseline; applies the account service control policy
    (Diagram: AWS Organizations with Security, Log Archive, Shared Services and the new AWS account)
  • 28. Demo 2 (by presenter)
      • Access the new AWS account via SSO
      • Review the account baseline in the CloudFormation console
      • Examine Config rule status
    Lab 2 (by attendees with Lab 2 Guide)
      • Launch the AVM from the Service Catalog console in the master account
      • Verify the Service Control Policy baseline
      • View the StackSet that created the new AWS account
      • Configure SSO to access the new AWS account
  • 31. Add on to your AWS Landing Zone
    Easily add new optional services into your existing AWS Landing Zone deployment
    These add-on products enable:
      • Partners and ISVs to build and share their solutions with customers
      • Customers to create new solutions to extend their own deployment
  • 32. Two AWS Landing Zone add-ons available today
    • AWS Active Directory with Remote Desktop Gateway, and Active Directory Connector for SSO
    • Centralized logging solution
  • 33. Add-on deployment workflow
    (Diagram: the master AWS Landing Zone configuration zip file in the customer bucket; a partner add-on configuration zip file in the partner bucket and an ISV add-on configuration zip file in the ISV bucket, each copied into the customer bucket)
  • 34. Launch add-on product
    In combination with AWS managed services and Amazon Elasticsearch Service, this solution offers customers a highly available, turnkey environment to begin logging and analyzing their AWS environment and applications
  • 35. The AWS Landing Zone pipeline
    Stages: Source; Validate/Build/Test; Deploy core account structure and policies; Deploy core resources; Deploy Service Catalog portfolio/products; Deploy baseline resources; Launch AVM for core accounts
    Inputs: Landing Zone zip file, AWS Landing Zone master configuration, AWS CodeBuild
    AWS Step Functions state machines, started by a state machine trigger Lambda: Organizations/SCP state machine; StackSet state machine; Service Catalog state machine; StackSet state machine; Launch AVM state machine
    Targets: AWS Organizations; AWS account baseline StackSets; AWS Service Catalog core StackSet; AWS Service Catalog
  • 36. Centralized logging add-on deployment flow
    (Diagram: in the AWS Organizations master account, the Landing Zone zip file updates the AWS Landing Zone master configuration (1), AWS CodePipeline runs the "CoreResource" stage (2) and the "LaunchAVM" stage (3) through AWS Step Functions, deploying to the Shared Services account and all other accounts)
  • 37. Back to demo
    AWS CodePipeline, AWS CloudFormation, AWS Step Functions
  • 40. Benefits of the AWS Landing Zone
    Automated
    Scalable
    Self-service
    Guardrails, not blockers
    Auditable
    Flexible
  • 41. AWS Landing Zone track: search "awslandingzone"
    Architecture:
      • SEC303: Architecting Security & Governance across Your AWS Landing Zone (Session)
      • ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session)
    Implementation:
      • ENT350: AWS Landing Zone Deep Dive (Chalk Talk)
      • SEC349: Governance at Scale (Chalk Talk)
      • ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session)
    Workshops (first three are the same content):
      • ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop)
      • SEC315: Enterprise Governance and Security—Build Your AWS Landing Zone (Workshop)
      • GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners)
      • SEC334: Operational Excellence for Identity & Access Management (Workshop)
    Summary/Feedback:
      • SEC360: AWS Landing Zone Strategies (Chalk Talk)
  • 43. Thank you!
    AWS Landing Zone Workshop Team
    alzws@amazon.com
  • 46. Key things you should know
    • The solution sets up new environments; it does not modify existing environments
    • Both new and mature customers can use the solution
    • This is an AWS Partner/Professional Services deployable solution, not a service
    • It is available now and designed to be used for production deployments
    • The solution was designed to scale
  • 47. AWS accounts
    • New master account:
      • The solution requires a new AWS Organizations master
    • Existing accounts:
      • The solution does not currently support importing existing accounts
    • Use cases for mature customers:
      • Set up a new environment for a new team/business unit
      • Learn whether there are things they want to build into their existing environments
      • Create a scalable environment if they are running into limits with their current AWS environment setup
    • Customization/Integration:
      • If customers want modifications or integration of AWS Landing Zone into existing environments, engage AWS Professional Services/Partners
  • 48. AWS Landing Zone pricing
    No additional charge for the AWS Landing Zone solution
    Customers are responsible for the charges of the underlying services (such as AWS Config, CloudTrail, others)
    Cost for the basic solution: ~$200/month
    Monthly cost for optional add-ons:
      • Centralized logging solution: <$400
      • Directory Connector: <$50
      • AWS Managed AD plus Remote Desktop Gateway: ~$300