
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Invent 2018


In this workshop, we present best practices for establishing an AWS Landing Zone. We provide a demonstration of the automated AWS Landing Zone solution, and we show you how it builds a multi-account architecture that is enterprise-ready for application deployment and compliant with common operations, security, and procurement processes. You have the opportunity to modify the code for custom deployments. Leave the workshop with an understanding of the mechanism to update the AWS Landing Zone using a CI/CD pipeline, how to create new AWS accounts using the built-in account vending machine, and how the AWS Landing Zone solution components integrate to provide a secure, scalable starting environment for your cloud journey. We encourage you to attend the full AWS Landing Zone track. Search for #awslandingzone in the session catalog.


  1. Building your own Landing Zone (ENT351-R). Brandon Bouier, Wallace Printz and Lon Miller, Solutions Architects, Amazon Web Services. Workshop registration: http://lz-workshop.us-west-2.elasticbeanstalk.com/ © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Register for Workshop: http://lz-workshop.us-west-2.elasticbeanstalk.com (workshop materials and the login password will be sent via email).
  3. Agenda
     • Why do you need a Landing Zone?
     • Understand the AWS Landing Zone design
     • Demo 1: Tour of the AWS Landing Zone deployment and functions
     • Demo 2: Creating a new AWS account via the Account Vending Machine
     • Demo 3: Extending the AWS Landing Zone via the Landing Zone Add-On feature
  5. Customers are faced with: many design decisions; the need to configure multiple accounts and services; establishing a security baseline and governance.
  6. Why one account isn't enough: billing, many teams, security and compliance controls, business process isolation.
  7. Multi-account approach (all accounts under AWS Organizations)
     Core accounts:
     • Organizations: account management
     • Log Archive: security logs
     • Security: security tools, AWS Config rules
     • Shared Services: directory, limit monitoring
     • Network: Direct Connect to the data center
     Team/group accounts:
     • Developer Sandbox: experiments, learning
     • Dev: development
     • Pre-Prod: staging
     • Prod: production
     • Team Shared Services: team shared services, data lake
  11. The AWS Landing Zone solution: an easy-to-deploy solution that automates the setup of new AWS multi-account environments.
     • Based on AWS best practices and recommendations
     • Initial security and governance controls
     • Baseline accounts and an account vending machine
     • Automated deployment
  12. What you get with the AWS Landing Zone
     Account management:
     • A framework for creating and baselining a multi-account environment
     • An initial multi-account structure that includes security, audit, and shared service requirements
     • An account vending machine that enables automated deployment of additional accounts with a set of security baselines
     Identity & access management:
     • User account access managed through AWS SSO federation
     • Cross-account roles enable centralized management
     Security & governance:
     • Initial account security and AWS Config rules baseline
     • Network baseline
     Solution extensibility:
     • Add-ons to your AWS Landing Zone deployment
  13. AWS Landing Zone structure, default deployment (four core accounts under AWS Organizations)
     • Organizations account: account provisioning, account access (SSO)
     • Shared Services account: Active Directory, log analytics
     • Log Archive account: security logs
     • Security account: audit / break-glass, Parameter Store
  14. AWS Landing Zone structure with optional Add-Ons: the same four core accounts and responsibilities as the default deployment, plus optional Add-Ons.
  15. Account Baseline (applied to each account with AWS CloudFormation)
     • AWS CloudTrail: trail delivered to a local bucket and to the Log Archive S3 bucket
     • AWS Config: configuration data forwarded to the Log Archive S3 bucket
     • AWS Config rules: resource security rules (Amazon EBS encryption, etc.)
     • GuardDuty: account associated as a member of the GuardDuty master
     • IAM roles and policies: Security Admin and Read-only roles
     • IAM password policy: password complexity required
     • Notifications: CloudTrail API activity alarms
     • VPC infrastructure: options for Multi-AZ, multi-subnet
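The account baseline above is a list of expected settings; a practitioner usually wants a check that tells them whether a given account actually matches it. The following Python is an added example, not code from the deck or from the AWS Landing Zone solution. It audits an account snapshot against the baseline items that are checkable from API output. The input dicts follow the shapes boto3 returns from cloudtrail.describe_trails, config.describe_configuration_recorders / describe_delivery_channels, iam.get_account_password_policy and guardduty.list_members, so the same functions can run on live output; the bucket name, account ID, password thresholds and the sample snapshot are this example's own assumptions.

```python
"""Added example, not code from the deck or from the AWS Landing Zone solution:
check an account snapshot against the account baseline above. Input dicts follow
the boto3 response shapes named in the lead-in so the checks run on live output.
The bucket name, account ID, thresholds and sample snapshot are assumptions."""

LOG_ARCHIVE_BUCKET = "example-log-archive-bucket"  # assumed name of the Log Archive bucket
MIN_PASSWORD_LENGTH = 14                            # assumed threshold, not from the deck
REQUIRED_PASSWORD_FLAGS = ("RequireSymbols", "RequireNumbers",
                           "RequireUppercaseCharacters", "RequireLowercaseCharacters")


def check_cloudtrail(trails, log_bucket=LOG_ARCHIVE_BUCKET):
    """Baseline: a multi-region trail delivering to the Log Archive bucket, with
    log file validation on so tampering with delivered logs is detectable."""
    findings = []
    if not any(t.get("IsMultiRegionTrail") and t.get("S3BucketName") == log_bucket
               for t in trails):
        findings.append("cloudtrail: no multi-region trail delivers to the log archive bucket")
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"cloudtrail: trail {t.get('Name')} has log file validation disabled")
    return findings


def check_config(recorders, channels, log_bucket=LOG_ARCHIVE_BUCKET):
    """Baseline: a recorder covering all resource types, including global ones
    such as IAM, and a delivery channel forwarding to the Log Archive bucket."""
    findings = []
    if not any(r.get("recordingGroup", {}).get("allSupported")
               and r.get("recordingGroup", {}).get("includeGlobalResourceTypes")
               for r in recorders):
        findings.append("config: no recorder covers all resource types including global ones")
    if not any(c.get("s3BucketName") == log_bucket for c in channels):
        findings.append("config: no delivery channel forwards to the log archive bucket")
    return findings


def check_password_policy(policy):
    """Baseline: password complexity required (the thresholds are assumptions)."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < MIN_PASSWORD_LENGTH:
        findings.append(f"iam: minimum password length below {MIN_PASSWORD_LENGTH}")
    for flag in REQUIRED_PASSWORD_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"iam: password policy does not set {flag}")
    return findings


def check_guardduty(account_id, members):
    """Baseline: the account is an enabled member of the GuardDuty master
    (members is the master's guardduty.list_members output)."""
    status = next((m.get("RelationshipStatus") for m in members
                   if m.get("AccountId") == account_id), None)
    if status != "Enabled":
        return [f"guardduty: account {account_id} is not an enabled member (status {status})"]
    return []


def audit_account(snapshot):
    """Run every baseline check and return the combined list of findings;
    an empty list means the account matches the baseline."""
    return (check_cloudtrail(snapshot["trails"])
            + check_config(snapshot["recorders"], snapshot["channels"])
            + check_password_policy(snapshot["password_policy"])
            + check_guardduty(snapshot["account_id"], snapshot["members"]))


SAMPLE_SNAPSHOT = {  # constructed sample, not data from a real account
    "account_id": "111122223333",
    "trails": [{"Name": "lz-trail", "IsMultiRegionTrail": True,
                "S3BucketName": LOG_ARCHIVE_BUCKET, "LogFileValidationEnabled": False}],
    "recorders": [{"name": "default", "recordingGroup": {
        "allSupported": True, "includeGlobalResourceTypes": True}}],
    "channels": [{"name": "default", "s3BucketName": LOG_ARCHIVE_BUCKET}],
    "password_policy": {"MinimumPasswordLength": 8, "RequireSymbols": True,
                        "RequireNumbers": True, "RequireUppercaseCharacters": True,
                        "RequireLowercaseCharacters": True},
    "members": [{"AccountId": "111122223333", "RelationshipStatus": "Enabled"}],
}

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_SNAPSHOT) or ["baseline satisfied"]:
        print(finding)
```

On the constructed snapshot the audit reports two findings (log file validation off on the trail, and a password policy shorter than the assumed minimum) and nothing else. Running it against a vended account is a useful post-AVM check, because StackSets can report success while a later change in the account drifts the baseline.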
  16. The AWS Landing Zone Pipeline
     Stages: Source → Validate/Build/Test → Deploy Core Account Structure → Deploy Core Resources → Deploy Service Catalog Portfolio/Products → Deploy Baseline Resources → Launch AVM for Core accounts
     Inputs: the Landing Zone zip file (AWS CloudFormation templates and the manifest file) in an Amazon S3 bucket, validated and built by AWS CodeBuild
     Targets: AWS Organizations; AWS Account Baseline StackSets (logging, security credentials); the AWS Service Catalog StackSet and AWS Service Catalog; core and vended accounts
  17. Key Solution Components
     Configure the AWS Landing Zone as infrastructure as code
     • Configuration templates define: core account structure, Service Control Policies, network and security baselines, AWS Service Catalog portfolios/products
     • Enable developers to change or extend the AWS Landing Zone implementation
     Implementation with AWS CloudFormation templates and StackSets
     • Out-of-the-box example AWS Landing Zone implementation to get started quickly; includes core accounts for security, log audit, and shared services
     Deployment orchestration with AWS CodePipeline and AWS Step Functions
     • Enable CI/CD; control event sequencing and synchronization
  18. Key Solution Components (cont.)
     Account baseline
     • Provides guardrails for preventive control, detective control, and remediation
     • Applied to specified Organizational Units and accounts
     The Account Vending Machine
     • Allows users to create new accounts through Service Catalog
     • New accounts are baselined automatically
     Add-Ons to your AWS Landing Zone deployment
     • Extend with optional add-on capabilities through Service Catalog
  19. AWS Landing Zone control types (guardrails)
     • Preventive controls: prohibit or restrict users from disabling or deleting the baseline controls, e.g. an SCP that prevents deleting or disabling CloudTrail / AWS Config
     • Detective controls: monitor resources for compliance and alert when a resource goes out of compliance, e.g. AWS Config rules that monitor Amazon S3 server-side encryption for all S3 buckets created in an account
     • Remediation: take corrective action to bring out-of-compliance resources back to a compliant state, e.g. an SSM document triggered from an AWS Config rule that enables Amazon S3 server-side encryption on a non-compliant S3 bucket
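The three control types on this slide are easiest to reason about with the actual artifacts side by side: the SCP that makes an action impossible, the rule that classifies a resource, and the remediation that changes it. The following Python is an added example, not the deck's or the AWS Landing Zone solution's own code. It builds a Deny-only SCP of the kind the slide describes, evaluates actions against it with IAM's wildcard and case-insensitive matching, classifies S3 buckets the way a default-encryption Config rule would (using the ServerSideEncryptionConfiguration shape s3.get_bucket_encryption returns), and applies the configuration a remediation document would put back with s3.put_bucket_encryption. The SCP action list, bucket names and KMS alias are this example's assumptions; it runs offline on constructed data.

```python
"""Added example, not code from the deck or the AWS Landing Zone solution: the
three guardrail types (preventive SCP, detective rule, remediation) run offline
against constructed data. Action list, bucket names and KMS alias are assumptions."""
import fnmatch
import json

# Preventive: an SCP attached to an OU so member-account principals cannot
# disable the logging baseline. SCPs bound what IAM may grant; they do not
# apply to the management (master) account itself.
PROTECT_LOGGING_SCP = {  # assumed action list, chosen for this example
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyDisablingCloudTrail", "Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
                    "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]},
        {"Sid": "DenyDisablingConfig", "Effect": "Deny", "Resource": "*",
         "Action": ["config:DeleteConfigurationRecorder", "config:DeleteDeliveryChannel",
                    "config:StopConfigurationRecorder", "config:DeleteConfigRule"]},
    ],
}


def scp_denies(policy, action):
    """True when an explicit Deny statement matches the action. IAM action
    matching is case-insensitive and supports '*' wildcards, which fnmatch
    reproduces; an explicit Deny cannot be overridden by any Allow."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


# Detective: classify a bucket the way a Config rule for S3 default encryption
# would. The bucket dict carries the ServerSideEncryptionConfiguration shape
# that s3.get_bucket_encryption returns (absent when nothing is configured).
COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"


def evaluate_bucket_encryption(bucket):
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return COMPLIANT
    return NON_COMPLIANT


# Remediation: what the SSM document triggered by the rule would apply. This
# is the body s3.put_bucket_encryption takes; offline we write it onto the
# bucket dict instead of calling the API.
def remediate_bucket_encryption(bucket, kms_key_id=None):
    by_default = ({"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id} if kms_key_id
                  else {"SSEAlgorithm": "AES256"})
    bucket["ServerSideEncryptionConfiguration"] = {
        "Rules": [{"ApplyServerSideEncryptionByDefault": by_default}]}
    return bucket


def run_guardrails(buckets, kms_key_id=None):
    """Evaluate every bucket, remediate the non-compliant ones on a copy, and
    return {bucket name: (status before, status after)} as an audit record."""
    results = {}
    for original in buckets:
        bucket = dict(original)  # do not mutate the caller's data
        before = evaluate_bucket_encryption(bucket)
        if before == NON_COMPLIANT:
            remediate_bucket_encryption(bucket, kms_key_id)
        results[bucket["Name"]] = (before, evaluate_bucket_encryption(bucket))
    return results


SAMPLE_BUCKETS = [  # constructed sample data, not a real account
    {"Name": "lz-app-logs", "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "alias/lz-logs"}}]}},
    {"Name": "lz-scratch-data"},  # no default encryption configured
]

if __name__ == "__main__":
    print(json.dumps(PROTECT_LOGGING_SCP, indent=2))
    for action in ("cloudtrail:StopLogging", "cloudtrail:LookupEvents", "config:deleteconfigrule"):
        print(action, "DENIED" if scp_denies(PROTECT_LOGGING_SCP, action) else "not denied by SCP")
    print(run_guardrails(SAMPLE_BUCKETS))
```

Two caveats the slide leaves implicit. An SCP is a filter on what IAM may grant, so it stops both users and any role in a member account from calling StopLogging, but it never applies to the management account; the trail and Config recorder in that account need other protection. Detective plus remediation is still a window, not a wall: the bucket exists unencrypted until the rule evaluates and the document runs, which is why the preventive SCP protects the logging pipeline itself rather than relying on remediation.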
  21. Introduction to the Landing Zone's Add-On products for Single Sign-On (SSO); attendee LZ access is via SSO
     • AWS Managed Microsoft Active Directory in the Shared Services account
     • AD Connector in the Master account
     • AWS SSO configured with Permission Sets
     • AD users log in from the SSO URL to access the Landing Zone accounts
     Diagram: account users reach the AWS SSO endpoint, which provides federated access to the AWS accounts in all regions; the AWS Directory Connector in the AWS Organizations account (us-east-1) reaches the AWS Managed AD in the Shared Services account (eu-west-1) over VPC peering.
  22. The AWS Landing Zone deployment
     Demo 1 (by presenter):
     • StackSets that implement the account baseline
     • Effect of the enabled Config rules
     • Multi-account structure under Organizations
     • Logging and aggregation in the Log Archive account
     Lab 1 (by attendees, with the Lab 1 guide):
     • Review of GuardDuty setup and run-time status
  25. What is the Account Vending Machine (AVM)? An AWS Service Catalog product that creates new AWS accounts in Organizational Units (OUs), preconfigured with an account security baseline and a predefined network.
  26. Account Vending Machine (AVM) architecture
     Account Vending Machine (AWS Service Catalog):
     • Account creation UI
     • Account baseline versioning
     • Launch constraints
     Flow: creates/updates the AWS account (via AWS Organizations) → applies the account baseline StackSets → creates the network baseline → applies the account service control policy. The new account joins the Security, Log Archive and Shared Services core accounts.
  27. Demo 2 (by presenter):
     • Access the new AWS account via SSO
     • Review the account baseline in the CloudFormation console
     • Examine Config rule status
     Lab 2 (by attendees, with the Lab 2 guide):
     • Launch the AVM from the Service Catalog console in the master account
     • Verify the Service Control Policy baseline
     • View the StackSet that created the new AWS account
     • Configure SSO to access the new AWS account
  30. Add-Ons to your AWS Landing Zone: easily add new optional services into your existing AWS Landing Zone deployment. Add-On products enable:
     • Partners and ISVs to build and share their solutions with customers
     • Customers to create new solutions that extend their own deployment
  31. Two AWS Landing Zone add-ons available today
     • AWS Managed Active Directory with Remote Desktop Gateway, and Active Directory Connector for SSO
     • Centralized logging solution
  32. Add-On deployment workflow (diagram): the Master AWS Landing Zone configuration zip file lives in the Customer Bucket; Partner and ISV Add-On configuration zip files are published from a Partner Bucket and an ISV Bucket and are delivered into the Customer Bucket.
  33. Launch Add-On Product: in combination with AWS managed services and Amazon Elasticsearch, the centralized logging solution offers customers a highly available, turnkey environment to begin logging and analyzing their AWS environment and applications.
  34. The AWS Landing Zone Pipeline (orchestration detail)
     Stages: Source → Validate/Build/Test (AWS CodeBuild) → Deploy Core Account Structure and Policies (Organizations / SCP state machine) → Deploy Core Resources (StackSet state machine) → Deploy Service Catalog Portfolio/Products (Service Catalog state machine) → Deploy Baseline Resources (StackSet state machine) → Launch AVM for Core accounts (Launch AVM state machine)
     A state machine trigger Lambda starts each state machine. Inputs: the Landing Zone zip file and the AWS Landing Zone master configuration. Targets: AWS Organizations, AWS Account Baseline StackSets, the AWS Service Catalog core StackSet and AWS Service Catalog.
  35. Centralized Logging Add-On deployment flow (diagram): the Landing Zone zip file feeds AWS CodePipeline in the AWS Organizations master account, which reads the AWS Landing Zone master configuration. (1) The "CoreResource" stage (AWS Step Functions) deploys into the Shared Services account; (2, 3) the "LaunchAVM" stage (AWS Step Functions) deploys into all other accounts.
  36. Back to demo: AWS CodePipeline, AWS CloudFormation, AWS Step Functions
  39. Benefits of the AWS Landing Zone: automated, scalable, self-service, guardrails not blockers, auditable, flexible.
  40. AWS Landing Zone track (search the session catalog for "awslandingzone")
     Architecture:
     • SEC303: Architecting Security & Governance across your AWS Landing Zone (Session)
     • ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session)
     Implementation:
     • ENT350: AWS Landing Zone Deep Dive (Chalk Talk)
     • SEC349: Governance at Scale (Chalk Talk)
     • ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session)
     Workshops (the first three are the same content):
     • ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop)
     • SEC315: Enterprise Governance and Security - Build Your AWS Landing Zone (Workshop)
     • GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners)
     • SEC334: Operational Excellence for Identity & Access Management (Workshop)
     Summary/Feedback:
     • SEC360: AWS Landing Zone Strategies (Chalk Talk)
  42. Thank you! AWS Landing Zone Workshop Team, alzws@amazon.com
  45. Key things you should know
     • The solution sets up new environments; it does not modify existing environments
     • Both new and mature customers can use the solution
     • This is an AWS Partner / Professional Services deployable solution, not a service
     • It is available now and designed to be used for production deployments
     • The solution was designed to scale
  46. AWS accounts
     New Master account:
     • The solution requires a new Organizations Master
     Existing accounts:
     • The solution does not currently support importing existing accounts
     Use cases for mature customers:
     • Set up a new environment for a new team / business unit
     • Learn whether there are things they want to build into their existing environments
     • Create a scalable environment if they are running into limits with their current AWS environment setup
     Customization / integration:
     • If customers want modifications or integration of the AWS Landing Zone into existing environments, engage AWS Professional Services / Partners
  47. AWS Landing Zone pricing: no additional charge for the AWS Landing Zone solution. Customers are responsible for the charges of the underlying services (e.g., AWS Config, AWS CloudTrail).
     • Cost for the basic solution: ~$200 / month
     Monthly cost for optional add-ons:
     • Centralized logging solution: <$400
     • Directory Connector: <$50
     • AWS Managed AD plus Remote Desktop Gateway: ~$300
