Implementing your landing zone - FND210 - AWS re:Inforce 2019

One of the first questions that customers ask during their cloud journeys is how to establish and build AWS environments or landing zones. In this session, we discuss best practices for establishing a scalable approach and necessary landing zone framework. We present an overview of the approach and solutions to help you implement a landing zone. We also introduce the AWS Landing Zone, which is an automated solution for setting up a robust, flexible AWS environment, and we discuss how it reduces the time needed to get started. Finally, we provide a high level overview of AWS Control Tower and how it fits into the overall approach.

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Implementing your landing zone. Sam Elmalak, Worldwide Tech Leader, Enterprise Greenfield, Amazon Web Services. FND210
  2. Have you seen this before? // Multi-account strategy (diagram). Core accounts: AWS Organizations (account management), Log Archive (security logs), Security (security tools, AWS Config rules), Shared Services (directory, limit monitoring), Network (Direct Connect to the data center). Developer accounts: Developer Sandbox (experiments, learning). Team/group accounts: Dev (development), Pre-Prod (staging), Prod (production), Team Shared Services (team-level shared services, data lake).
  3. Agenda: What is a landing zone, and what is AWS Landing Zone? Implementing a landing zone. AWS Landing Zone. AWS Control Tower. AWS Landing Zone or AWS Control Tower? How does it all fit together: multi-account strategy, AWS Landing Zone, AWS Control Tower, AMS (AWS Managed Services)?
  4. What do customers want to do on AWS? Focus on what differentiates them, go from ideation to instantiation, and do it in a secure and compliant environment.
  5. What do customers need to achieve? An environment that meets the organization's security and auditing requirements, is ready to support highly available and scalable workloads, and is configurable to support evolving business requirements.
  6. You need a "landing zone" • A configured, secure, scalable, multi-account AWS environment based on AWS best practices • A starting point for net new development and experimentation • A starting point for migrating applications • An environment that allows for iteration and extension over time
  7. AWS Landing Zone vs. landing zone. A landing zone (generic term): • Secure, pre-configured environment for your AWS presence • Scalable and flexible • Enables agility and innovation. AWS Landing Zone (the solution): • An implementation of a landing zone based on the multi-account strategy guidance. AWS Control Tower: • The AWS service version of AWS Landing Zone
  8. AWS account // best isolation boundary: • Security/resource boundary • API limits and throttling are per account • Billing separation
  9. Account models: a spectrum from one account to thousands of accounts
  10. Why one account isn't enough: • Billing • Many teams • Security/compliance controls • Business process • Isolation
  11. Goals: Guardrails, NOT blockers • Auditable • Flexible • Automated • Scalable • Self-service
  12. Account security considerations: baseline requirements, summarized as Lock, Enable, Define, Federate, Establish, Identify (spelled out in the common checklist on slide 39)
  13. What accounts should I create? Organizations account, Log Archive, Security, Shared Services, Network, Billing, Sandbox, Dev, Pre-Prod, Prod, Other
  14. AWS Organizations Master account (now called the management account): • Service control policies • Consolidated billing • Volume discount • Minimal resources • Limited access • No connection to the data center • Restrict the Organizations role!
  15. SCP: Stop AWS CloudTrail from being disabled
      {
        "Version": "2012-10-17",
        "Statement": [
          { "Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*" }
        ]
      }
      Caveat: this denies only StopLogging. DeleteTrail, UpdateTrail (for example pointing the trail at a different bucket) and PutEventSelectors also silence a trail and are normally denied in the same statement. SCPs apply to every principal in member accounts, including root, but never to the management account itself.
  16. SCP: No internet gateway for Amazon Virtual Private Cloud (Amazon VPC)
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": [
              "ec2:AttachInternetGateway",
              "ec2:CreateInternetGateway",
              "ec2:AttachEgressOnlyInternetGateway",
              "ec2:CreateVpcPeeringConnection",
              "ec2:AcceptVpcPeeringConnection"
            ],
            "Resource": "*"
          }
        ]
      }
      Note that the policy does more than its title says: the last two actions also block VPC peering, so accounts under this SCP reach Shared Services only through a path that does not need peering.
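The cleanest way to check what the two SCPs above actually do, and how they combine with the "SCP to prevent s3:delete" from the action plan on slide 38, is to run the evaluation rules against a list of actions. The Python below is an added example for this page, not AWS code: it reproduces how Organizations combines SCPs (an explicit Deny always wins, an action with no matching Allow is implicitly denied, and every node on the path root, OU, account must allow the action). FullAWSAccess is the default policy AWS attaches when SCPs are turned on; the wording of the S3 delete policy is an assumption, since the slide states only the intent.

```python
"""Model of how service control policies (SCPs) combine.  Added illustration
for this page, not AWS code.

Reproduced rules:
  * an action passes one node's SCP set only if some statement allows it and
    no statement explicitly denies it (explicit deny wins);
  * the action must pass at every node on the path root -> OU -> account;
  * SCPs never grant permissions: "allow" here means "not blocked by SCPs",
    IAM policies inside the account still decide.
Not modelled: NotAction, Resource/Condition matching, and the fact that
SCPs do not apply to the management (organizations master) account.
"""
import fnmatch
import json

# Default SCP that AWS Organizations attaches to every root/OU/account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Slide 15: stop CloudTrail from being disabled.
DENY_STOP_LOGGING = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"}]}
""")

# Slide 16: no internet gateway (and no VPC peering) for VPCs.
DENY_INTERNET_GATEWAY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Deny",
    "Action": ["ec2:AttachInternetGateway", "ec2:CreateInternetGateway",
               "ec2:AttachEgressOnlyInternetGateway",
               "ec2:CreateVpcPeeringConnection",
               "ec2:AcceptVpcPeeringConnection"],
    "Resource": "*"}]}
""")

# Assumed policy text for the action plan's "SCP to prevent s3:delete" on the
# Log Archive account; the slide gives the intent, not the statement.
DENY_S3_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                              "s3:DeleteBucket", "s3:PutBucketVersioning"],
                   "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; patterns may use * and ?.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_decision(action, scps):
    """Decision for one API action under the SCPs attached to a single node."""
    allowed = False
    for policy in scps:
        for stmt in _as_list(policy["Statement"]):
            patterns = _as_list(stmt.get("Action", []))
            if not any(_action_matches(p, action) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"          # explicit deny: stop looking
            allowed = True             # remember the allow, keep scanning for denies
    return "allow" if allowed else "deny"   # no matching Allow => implicit deny


def decision_along_path(action, path):
    """`path` lists the SCP set attached at each node from the root down to
    the account; the action has to be allowed at every level."""
    return "allow" if all(scp_decision(action, node) == "allow"
                          for node in path) else "deny"


if __name__ == "__main__":
    # Root keeps FullAWSAccess, a workload OU adds slide 16's policy, and the
    # account itself carries only the default.
    path = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_INTERNET_GATEWAY], [FULL_AWS_ACCESS]]
    for action in ("ec2:DescribeInstances", "ec2:CreateInternetGateway",
                   "ec2:CreateVpcPeeringConnection", "cloudtrail:DeleteTrail"):
        print(f"{action:35s} -> {decision_along_path(action, path)}")
```

Two things the model makes visible: `cloudtrail:DeleteTrail` stays allowed under slide 15's policy, which is the caveat noted above, and an OU that had FullAWSAccess detached without another Allow in its place implicitly denies everything beneath it, a common mistake when people start "tightening" SCPs.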
  17. Core accounts: the foundational building blocks, created once per organization. They have their own development life cycle (dev/qa/prod).
  18. Log Archive account: • Versioned Amazon S3 bucket • Restricted, with MFA delete • AWS CloudTrail logs and other security logs • Single source of truth • Alarm on user login • Limited access
  19. Security account: • Security tools and audit • Amazon GuardDuty master (administrator) account • Cross-account read/write roles into the other accounts • Automated tooling • Limited access • Optional data center connectivity
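Slides 18 and 19 put the logs in one place and the automated tooling next to them, but say nothing about what that tooling should watch for. The Python below is an added example for this page, not AWS code: a small detection pass over CloudTrail records of the kind the Log Archive bucket collects, covering the "alarm on user login" item for the root user and tampering with the controls the deck sets up (the trail, the log bucket, GuardDuty). The records are constructed, abbreviated samples; the bucket name `org-log-archive` and the account IDs are assumptions. Denied attempts are reported on purpose: an SCP that blocks `cloudtrail:StopLogging` stops the action, but the attempt is the signal.

```python
"""Detection rules over CloudTrail records.  Added example for this page,
not AWS code; records, bucket name and account IDs below are constructed.

  root_activity         any call or console login by the root user; high when
                        a console login succeeded without MFA
  trail_tampering       calls that stop or reconfigure CloudTrail
  log_bucket_tampering  deletes / policy changes on the log archive bucket
  guardduty_tampering   calls that disable GuardDuty or detach a member
"""
import json

LOG_ARCHIVE_BUCKETS = {"org-log-archive"}      # assumed bucket name
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
BUCKET_TAMPER = {"DeleteBucket", "DeleteObject", "DeleteObjectVersion",
                 "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketVersioning",
                 "PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
GUARDDUTY_TAMPER = {"DeleteDetector", "UpdateDetector", "DeleteMembers",
                    "DisassociateFromMasterAccount", "StopMonitoringMembers"}


def load_records(text):
    """Accept a CloudTrail log file body ({"Records": [...]}) or JSON lines."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return doc["Records"] if isinstance(doc, dict) else doc


# Constructed sample log file, trimmed to the fields the rules use.
SAMPLE_TEXT = """{"Records": [
 {"eventTime": "2019-06-25T14:02:11Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "Root", "accountId": "111111111111",
                   "arn": "arn:aws:iam::111111111111:root"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2019-06-25T14:10:40Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                   "arn": "arn:aws:sts::222222222222:assumed-role/Admin/alice"},
  "requestParameters": {"name": "org-trail"}, "errorCode": "AccessDenied",
  "errorMessage": "explicit deny in a service control policy"},
 {"eventTime": "2019-06-25T14:12:03Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteObject", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole", "accountId": "333333333333",
                   "arn": "arn:aws:sts::333333333333:assumed-role/LogWriter/ci"},
  "requestParameters": {"bucketName": "org-log-archive",
                        "key": "AWSLogs/222222222222/CloudTrail/x.json.gz"},
  "errorCode": "AccessDenied"},
 {"eventTime": "2019-06-25T14:15:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
  "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                   "arn": "arn:aws:sts::222222222222:assumed-role/ReadOnly/bob"}}
]}"""
SAMPLE_RECORDS = load_records(SAMPLE_TEXT)
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)   # same data, one record per line


def _alert(rule, severity, rec):
    ident = rec.get("userIdentity", {})
    return {"rule": rule, "severity": severity, "time": rec.get("eventTime"),
            "account": ident.get("accountId"), "actor": ident.get("arn"),
            "event": f'{rec.get("eventSource")}:{rec.get("eventName")}',
            "source_ip": rec.get("sourceIPAddress"),
            "outcome": "denied" if rec.get("errorCode") else "succeeded"}


def evaluate(rec):
    """Alerts raised by a single CloudTrail record (possibly none)."""
    alerts = []
    src, name = rec.get("eventSource"), rec.get("eventName")
    ident = rec.get("userIdentity", {})
    params = rec.get("requestParameters") or {}
    if ident.get("type") == "Root":
        no_mfa = (name == "ConsoleLogin"
                  and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes")
        alerts.append(_alert("root_activity", "high" if no_mfa else "medium", rec))
    if src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
        alerts.append(_alert("trail_tampering", "high", rec))
    if (src == "s3.amazonaws.com" and name in BUCKET_TAMPER
            and params.get("bucketName") in LOG_ARCHIVE_BUCKETS):
        alerts.append(_alert("log_bucket_tampering", "high", rec))
    if src == "guardduty.amazonaws.com" and name in GUARDDUTY_TAMPER:
        alerts.append(_alert("guardduty_tampering", "high", rec))
    return alerts


def scan(records):
    """Run every rule over every record; returns the flat list of alerts."""
    return [a for rec in records for a in evaluate(rec)]


if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS):
        print(f'{a["severity"]:6s} {a["rule"]:22s} {a["outcome"]:9s} {a["actor"]}')
```

In the Log Archive account this would sit behind the bucket (S3 event to Lambda, or a scheduled read of new prefixes); the point of the design is that it runs in an account where the workload teams have no write access, so the detector cannot be quietly disabled by the actor it is watching.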
  20. Shared Services account: • Connected to the data center • DNS, LDAP/Active Directory • Shared Services VPC • Deployment tools, golden AMI pipeline • Scanning infrastructure (inactive instances, improper tags, snapshot lifecycle) • Monitoring • Limited access
  21. Network account: • Managed by the network team • Networking services, AWS Direct Connect • Limited access
  22. Developer sandbox accounts: • No connection to the data center • Innovation space • Fixed spending limit • Autonomous experimentation
  23. Team/group accounts: • Based on the level of isolation needed • Match your development lifecycle • Think small
  24. Dev: • Develop and iterate quickly • Collaboration space • A stage of the SDLC
  25. Pre-production: • Connected to the data center • Production-like • Staging and testing • Automated deployment
  26. Production: • Connected to the data center • Production applications, promoted from Pre-Prod • Limited access • Automated deployments
  27. Team Shared Services: • Grows organically • Shared within the team • Product-specific common services: data lake, common tooling, common services
  28. Innovation pipeline: new initiatives and experimentation start as PoCs in developer accounts, then move through the team/group accounts (Dev, Pre-Prod, Prod) and Shared Services.
  29. Special/exception accounts: • Be flexible • Regulatory/compliance • Additional isolation/security controls (e.g. PCI)
  30. Multi-account approach: the diagram from slide 2 again, now with every account type introduced. Orgs: account management. Log Archive: security logs. Security: security tools, AWS Config rules. Shared Services: directory, limit monitoring. Network: AWS Direct Connect. Dev sandbox: experiments, learning. Dev: development. Pre-Prod: staging. Prod: production. Team Shared Services: team-level shared services, data lake.
  31. Team: Billing tools account: • Reduces the need for access to the Organizations account • Billing reports • Usage metrics and reporting • Usage optimizations and RI (Reserved Instance) management
  32. Team: Internal audit account: • Regulatory compliance • Read-only access to the needed logs • Limited access
  33. Team: Amazing new product: • Match your development lifecycle • Think small
  35. Multi-account approach (the slide 30 diagram, repeated as the lead-in to implementation)
  36. QA/Staging for the landing zone: test landing zone changes in another, separate landing zone before rolling them into the real one.
  37. Next steps: • Define tagging strategy • Define automation strategy • Create AWS Organizations Master account • Create Log Archive account • Create Security account • Create Shared Services account • Create Developer sandbox account(s)
  38. Action plan
      Create Organizations Master account
      • Create a temporary Amazon S3 bucket for AWS CloudTrail logs
      • Enable CloudTrail locally
      • Enable AWS Organizations with all features
      Create Log Archive account
      • Create bucket(s) for security logs (AWS CloudTrail, AWS Config)
      • Enable MFA delete
      • Enable versioning
      • Define a limited-access bucket policy
      • Add an SCP to prevent s3:Delete*
      • Backfill: enable CloudTrail in the Organizations Master account to send logs to the Log Archive account
      • Backfill: copy the CloudTrail logs for actions that happened between Organizations Master creation and Log Archive setup
      Create Security account
      • Backfill: cross-account roles in the Organizations Master and Log Archive accounts with trust to the Security account
        • Read-only role
        • Read/write role (tighter trust policy: fewer principals may assume it)
      • <CommonCheckList>
      • Create security tooling / AWS Lambda functions for security checks
      Create Shared Services account
      • <CommonCheckList>
      • Connect via DX/VPN to the data center
      • Launch common services: directory services, limit monitoring
      Create Network account
      • Order your Direct Connect
      • <CommonCheckList>
  39. Common checklist
      • Secure root credentials
        • MFA: OTP, or U2F, which can make managing many root MFA devices easier
        • https://aws.amazon.com/blogs/security/how-to-create-and-manage-users-within-aws-sso/
        • Complex password
        • Establish a rotation policy
      • Link to the Organizations Master account if not already a member
      • Use a group email/phone as the account contact info
      • Enable AWS CloudTrail in all regions, sending to the Log Archive account
      • Enable Amazon GuardDuty in all regions
        • Security account as the GuardDuty master
        • Operationalize the findings
      • Enable AWS Config, sending to the Log Archive account
      • Enable appropriate AWS Config rules: Amazon S3 bucket encryption, S3 world read/write, EBS encryption, etc.
      • Create read-only cross-account Security role
      • Create read/write cross-account Security role
      • Create VPC (non-overlapping IP space)
      • Enable federation into the account
        • http://federationworkshopreinvent2016.s3-website-us-east-1.amazonaws.com/
      • Define roles and access policies
      • Peer/PrivateLink the VPC with Shared Services
      • Add a policy with prefix-naming conditions to every account, for example deny access to Lambda functions whose names start with "security*"
      • Review the CIS AWS Foundations Benchmark and leverage as appropriate
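"Create VPC (non-overlapping IP space)" is one line in the checklist, but it is the item that is hardest to fix later: once a dev account's VPC overlaps the data center or another account, peering and Direct Connect routing to it simply cannot be made to work. The Python below is an added example for this page, not AWS code: it carves per-account CIDRs out of one cloud supernet while checking them against the on-premises ranges and any VPCs that already exist. The data-center ranges, supernet, account names and existing sandbox CIDR are constructed for the example.

```python
"""Address-space planning for per-account VPCs.  Added example for this
page, not AWS code; all ranges and account names are constructed.
"""
import ipaddress


def overlapping(cidrs):
    """All pairs of CIDRs in `cidrs` that overlap; an empty list means the
    plan is clean.  strict=True also rejects sloppy entries such as
    10.17.1.0/16 (host bits set), which ipaddress would otherwise accept."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:]
            if a.overlaps(b)]


def overlaps_dc(supernet, dc_ranges):
    """True if the cloud supernet collides with any on-premises range."""
    net = ipaddress.ip_network(supernet, strict=True)
    return any(net.overlaps(ipaddress.ip_network(r, strict=True)) for r in dc_ranges)


class AddressPlan:
    """Allocates account VPC CIDRs from one cloud supernet so that none
    overlap each other, the data center, or allocations that already exist
    (for example a sandbox VPC created before the landing zone)."""

    def __init__(self, supernet, dc_ranges, existing=None):
        if overlaps_dc(supernet, dc_ranges):
            raise ValueError(f"{supernet} overlaps the data center ranges")
        self.supernet = ipaddress.ip_network(supernet, strict=True)
        self.dc_ranges = [ipaddress.ip_network(r, strict=True) for r in dc_ranges]
        self.allocations = {}                  # account name -> IPv4Network
        for name, cidr in (existing or {}).items():
            self._claim(name, ipaddress.ip_network(cidr, strict=True))

    def _claim(self, name, net):
        taken = list(self.allocations.values()) + self.dc_ranges
        clash = [str(t) for t in taken if t.overlaps(net)]
        if clash:
            raise ValueError(f"{name} {net} overlaps {clash}")
        self.allocations[name] = net

    def allocate(self, name, prefixlen):
        """Record and return the first free /prefixlen block in the supernet."""
        for cand in self.supernet.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(t) for t in self.allocations.values()):
                self._claim(name, cand)
                return str(cand)
        raise ValueError(f"no free /{prefixlen} left in {self.supernet}")

    def summary(self):
        return {name: str(net) for name, net in self.allocations.items()}


if __name__ == "__main__":
    # Constructed scenario: the data center owns 10.0.0.0/12 and 172.16.0.0/16,
    # the cloud gets 10.16.0.0/12, and a sandbox VPC already sits at 10.17.0.0/16.
    plan = AddressPlan("10.16.0.0/12", ["10.0.0.0/12", "172.16.0.0/16"],
                       existing={"sandbox": "10.17.0.0/16"})
    for account, size in [("shared-services", 16), ("dev", 16),
                          ("security", 20), ("network-hub", 20)]:
        plan.allocate(account, size)
    for account, cidr in plan.summary().items():
        print(f"{account:16s} {cidr}")
```

Two design choices worth keeping when you turn this into tooling: the supernet is checked against the data center once, up front, so every later allocation is automatically safe to advertise over Direct Connect, and pre-existing VPCs are fed in as `existing` rather than silently ignored, which is what produces the gap at 10.17.0.0/16 in the constructed run. Recording the result as a tag on the account (the deck's "define tagging strategy" step) is what keeps the plan and reality from drifting apart.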
  41. The AWS Landing Zone solution: an easy-to-deploy solution that automates the setup of new AWS multi-account environments • Based on AWS best practices and recommendations • Initial security and governance controls • Baseline accounts and an account vending machine • Automated deployment
  42. AWS Landing Zone structure (basic): • Organizations account: account provisioning, account access (SSO) • Shared Services account: Active Directory, log analytics • Log Archive account: security logs • Security account: audit / break-glass roles • Parameter Store for the solution's configuration
  43. Account Vending Machine (AWS Service Catalog): • Account creation factory • User interface to create new accounts • Account baseline versioning • Launch constraints. Flow: create/update the AWS account, apply the account baseline stack sets, create the network baseline, apply the account security control policy; the new account is wired to the Organizations, Security, Log Archive and Shared Services accounts.
  44.-46. (Next steps, Action plan and Common checklist, repeated from slides 37-39)
  47. AWS Landing Zone in context: policy enforcement, account management, policy deployment, notification, remediation. Account metadata (owner, function, policies, BU, SDLC stage, cost center, etc.) drives which guardrails apply. For example: Prod: encrypt EBS, no IGW, guardrail "x". QA: encrypt EBS, guardrail "x", guardrail "y". Policy "p": encrypt EBS, no IGW, guardrail "y".
  49. 49. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. — Provision — Operate AWS Control Tower: Easiest way to set up and govern AWS at scale — Enable Business agility + governance control
  50. 50. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Set up an AWS landing zone • Landing zone - a preconfigured, secure, scalable, multi-account AWS environment based on best practice blueprints • Multi-account management using AWS Organizations • Identity and federated access management using AWS SSO • Centralized log archive using AWS CloudTrail and AWS Config • Cross-account audit access using AWS SSO and AWS IAM • End user account provisioning through AWS Service Catalog • Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS Master account AWS Control Tower AWS Organizations AWS Single Sign-On Stack sets AWS Service Catalog Log archive account Aggregate AWS CloudTrail and AWS Config logs Account baseline Audit account Security cross- account roles Account baseline Provisioned accounts Network baseline Account baseline Amazon CloudWatch aggregator Security notifications Core OU Custom OU AWS SSO directory
51. Multi-account architecture
• Master account: your existing account, designated to create the new organization; also your master payer account
• The organization consists of two OUs with pre-configured accounts:
  • Core OU: accounts created by AWS Control Tower, i.e., the Audit account and the Log archive account
  • Custom OU: your provisioned accounts
52. Enable governance
• Set up an AWS landing zone
• Establish guardrails
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
53. Dashboard for oversight
54. Summary of key features
55. Next steps
• Define a tagging strategy
• Define an automation strategy
• Create the AWS Organizations master account
• Create the Log Archive account
• Create the Security account
• Create the Shared Services account
• Create developer sandbox account(s)
56. Action Plan
Create the AWS Organizations master account
• Create a temporary Amazon S3 bucket for AWS CloudTrail logs
• Enable AWS CloudTrail locally
• Enable AWS Organizations with all features
Create the Log Archive account
• Create bucket(s) for security logs (AWS CloudTrail, AWS Config)
  • Enable MFA delete
  • Enable versioning
  • Define a limited-access bucket policy
  • Add an SCP to prevent s3:Delete*
• Backfill: enable AWS CloudTrail in the organizations master account to send logs to the Log Archive account
• Backfill: copy the AWS CloudTrail logs for actions that happened between creation of the Organizations master account and creation of the Log Archive account
Create the Security account
• Backfill: cross-account roles in the organizations master and Log Archive accounts with trust to the Security account
  • Read-only role
  • Read/write role (fewer permissions to assume it)
• <CommonCheckList>
• Create security tooling/AWS Lambda functions for security checks
Create the Shared Services account
• <CommonCheckList>
• Connect via Direct Connect/VPN to the data center
• Launch common services
  • Directory services
  • Limited monitoring
Create the AWS Network account
• Order your Direct Connect
• <CommonCheckList>
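The "limited-access bucket policy" step for the Log Archive bucket deserves a concrete shape. The policy below is an added example, not the AWS Landing Zone solution's own template. The bucket name example-org-log-archive, the master account ID 222222222222 and the organization ID o-exampleorgid are placeholders. It lets the CloudTrail service write only under the account- and organization-scoped prefixes an organization trail uses, refuses plaintext transport, and denies object deletion to every principal; Sids document each statement because JSON has no comments.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-org-log-archive"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::example-org-log-archive/AWSLogs/222222222222/*",
        "arn:aws:s3:::example-org-log-archive/AWSLogs/o-exampleorgid/*"
      ],
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-org-log-archive",
        "arn:aws:s3:::example-org-log-archive/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyLogDeletion",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::example-org-log-archive/*"
    }
  ]
}
```

Keep the PutObject resource scoped to your own account IDs or organization ID: the CloudTrail service principal writes on behalf of whichever account configured a trail, so a wide AWSLogs/* prefix would let any AWS account deliver its trail into your archive. If you run per-account trails instead of an organization trail, list each member account's AWSLogs/<account-id>/* prefix; AWS Config follows the same pattern with config.amazonaws.com, s3:GetBucketAcl and s3:ListBucket on the bucket, and s3:PutObject on AWSLogs/<account-id>/Config/*. After enabling versioning, turn on MFA delete as the root user with aws s3api put-bucket-versioning --bucket example-org-log-archive --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "<root-mfa-device-arn> <code>". The DenyLogDeletion statement does not stop the bucket owner's root user from simply replacing the bucket policy, which is why the action plan also adds an SCP in the Log Archive account: an SCP that denies s3:DeleteObject*, s3:DeleteBucket and s3:PutBucketPolicy on this bucket binds the member account's root user as well, and can only be lifted from the organizations master account.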
58. AWS Control Tower in context
Functions: policy enforcement, account management, policy deployment, notification, remediation
Account metadata: owner, function, policies, BU, SDLC, cost center, etc.
Example guardrail sets per account type:
• Prod: encrypt EBS, no IGW, guardrail "x"
• QA: encrypt EBS, guardrail "x", guardrail "y"
• Policy "p": encrypt EBS, no IGW, guardrail "y"
60. AWS Landing Zone vs. AWS Control Tower
AWS Landing Zone:
• AWS CloudFormation deployment
• Fully customizable, owned by the customer
• Most regions supported
• Complete flexibility in account structure
• Complex; requires significant expertise
AWS Control Tower:
• Managed service by AWS
• Fixed blueprints and guardrails
• Four regions at launch
• Two non-configurable core accounts; no Shared Services account and no Amazon VPC in the core accounts
• Self-service guided deployment, configurable through the GUI
61. AWS Landing Zone to AWS Control Tower?
Is there a migration path from AWS Landing Zone to AWS Control Tower? Yes. In the near future you will be able to migrate existing accounts created with the AWS Landing Zone solution to AWS Control Tower. The migration path will occur in several phases to ensure compatibility between Control Tower and your AWS Landing Zone solution, starting with the ability to deploy Control Tower into an existing organization, followed by custom guardrails and custom blueprints for Control Tower.
62. Which one should I choose?
• Review AWS Control Tower and its capabilities. Does it meet your needs? If so, CT.
• Are you willing to start with a fresh new environment? If so, CT.
• Are you willing to grow with the service? If so, CT.
• Do you have a team that can take on the complexity of managing the AWS Landing Zone solution? If not, CT.
• Do you have an existing landing zone that meets your current needs and exceeds CT's feature set? Evaluate CT, but you may need to wait.
• Do you need full customization and full control over every aspect of the landing zone? Use ALZ.
63. 2016 multi-account strategy approach
• Billing: centralized bills
• Security: AWS CloudTrail, AWS Config Rules, security logs/tools
• Shared services: directory, DNS
• Sandbox: experiments
• Non-prod: staging/dev
• Prod: production
Diagram: Billing, Security, Prod, Non-Prod, Sandbox and Shared Services accounts connected to the corporate data center; the legend distinguishes billing, log flow and (optional) network path links.
64. Multi-account strategy guidance
An approach to setting up isolation and security controls in an AWS environment: isolation through AWS accounts.
Implementation options: AWS Landing Zone, AWS Control Tower, or a customer/partner-built implementation (with SA/PS advice).
Operations options: AMS, a customer ops team, MSP infrastructure operations, MSP application operations, DevOps/DevSecOps, security and governance.
65. Related breakouts
• Wednesday, Jun 26: GRC313-R [REPEAT] Using AWS Control Tower to govern multi-account AWS environments at scale, 2:00 PM - 3:00 PM, Level 0, Hall B2, Yellow
• Wednesday, Jun 26: GRC313-R1 [REPEAT 1] Using AWS Control Tower to govern multi-account AWS environments at scale, 5:00 PM - 6:00 PM, Level 0, Hall B2, Yellow
66. Ideas and guidance // multi-account strategy
• Service control policy strategies and recommendations
• Identity federation best practices and details
• Steps to migrate into a multi-account environment
• Networking recommendations (Transit Gateway, shared Amazon VPC, PrivateLink, peering, etc.)
• Security-specific tooling and where/how to run it, e.g., firewalls, IDS/IPS
• Alerting and alarming recommendations
• Forensics landing zone
• QA/staging landing zone
• Backup/disaster recovery recommendations at the account level
• Cost implications of many accounts vs. few
• CI/CD in a multi-account environment
67. Thank you! Sam Elmalak