
[REPEAT 1] Architecting Security & Governance across your AWS Landing Zone (SEC303-R1) - AWS re:Invent 2018

976 views


Whether it is per business unit or per application, many AWS customers use multiple accounts to meet their infrastructure isolation, separation of duties, and billing requirements to establish their AWS Landing Zone. In this session, formerly called "Architecting Security & Governance across a Multi-Account Strategy," we discuss the latest updates around establishing your AWS Landing Zone. We cover considerations, limitations, and security patterns when building a multi-account strategy. We explore topics such as thought pattern, identity federation, cross-account roles, consolidated logging, and account governance. In addition, BP shares its journey and approach to establishing its AWS Landing Zone. At the end of the session, we present an enterprise-ready landing zone framework and provide the background needed to implement an AWS Landing Zone. We encourage you to attend the full AWS Landing Zone track; search for #awslandingzone in the session catalog. Please join us for a speaker meet-and-greet following this session at the Speaker Lounge (ARIA East, Level 1, Willow Lounge). The meet-and-greet starts 15 minutes after the session and runs for half an hour.



  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Architecting Security & Governance across your AWS Landing Zone (SEC303). Sam Elmalak, Solutions Architect, Amazon Web Services. David Ninnis, Senior Enterprise Architect, Cloud, BP
  2. Agenda: An enterprise-ready landing zone framework; BP's landing zone journey; Action plan & checklist
  3. Last Year
  4. Once upon a time… (Continued). [Chart: "Sales" and "Red Riding Hood" series plotted over periods 1–15 on a 0–60 scale]
  5. Old World IT: Bob, the IT/security guy; Developers
  6. Old World IT – Scale: More Bobs; More developers
  7. The cloud will make this easier! Same Bobs; More developers!
  8. One account, isolation with IAM and VPC: "Gray" boundaries; Complicated and messy over time; Difficult to track resources; People stepping on each other. [Diagram: a single account labelled "Everything"]
  9. Separate developer account (Dev, Prod): Still can't track resources or spend; Still have isolation and blast radius concerns; Developers still stepping on each other; Bob now has to manage IAM and VPCs here too
  10. The problem: On-premises posture for the cloud; Inheriting ideas from datacenter days; Management and Ops don't trust dev with full access; Developers want to work – really!; DevOps is a great idea, but it doesn't work when Ops is in the way
  11. A New Solution – We need: Access to AWS services without barriers; Ability to fail fast without collateral damage; Smaller blast radius; Operations team, cloud architects, everyone able to influence digital transformation; Costs and resources tracked to individuals and teams; Optimize code for AWS
  12. Where Do I Start? Developer accounts. [Diagram: many individual developer accounts]
  13. Where Do I Start? Team accounts. [Diagram: developers grouped into Team/Group accounts]
  14. Where Do I Start? Ops accounts. [Diagram: Team/Group accounts alongside Production, Staging and Dev/UAT accounts]
  15. Where Do I Start? Shared services. [Diagram: the previous layout plus a Core/Shared account]
  16. What are core shared accounts? Security; Shared Services; Log Archive; Network
  17. Shared by tier. [Diagram: Core/Shared, Team Shared and Dev Shared accounts next to Production, Staging and Dev/UAT]
  18. Shared by tier. [Diagram: Core/Shared, Team Core/Shared and Dev Core/Shared accounts]
  19. A different approach. [Diagram: each team gets Team Dev, Team Stg and Team Prod accounts, backed by Dev/UAT, Staging and Prod Core/Shared accounts]
  20. Your own additions. [Diagram: adds Personal accounts and a Personal Shared account to the per-team Dev/Stg/Prod layout with Dev, Staging and Prod Core/Shared accounts]
  21. AWS Account: Security/Resource Boundary; API Limits/Throttling; Billing Separation
  22. Why one account isn't enough: Billing; Many Teams; Security / Compliance Controls; Business Process Isolation
  23. Goals: Guardrails NOT Blockers; Auditable; Flexible; Automated; Scalable; Self-service
  24. Account security considerations – Baseline Requirements: Lock; Enable; Define; Federate; Establish; Identify
  25. What accounts should I create? Organizations Account; Security; Shared Services; Log Archive; Network; Billing; Dev; Pre-Prod; Prod; Sandbox; Other
  26. AWS Organizations Master: No connection to DC; Service control policies; Consolidated billing; Volume discount; Minimal resources; Limited access; Restrict Orgs role!
  27. SCP: Stop CloudTrail from being disabled. { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*" } ] }
  28. SCP: No internet gateway for Amazon Virtual Private Cloud (Amazon VPC). { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ec2:AttachInternetGateway", "ec2:CreateInternetGateway", "ec2:AttachEgressOnlyInternetGateway", "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection" ], "Resource": "*" } ] }
  29. Core accounts: Foundational building blocks; Once per organization; Have their own development life cycle (dev/qa/prod)
  30. Log archive account: Versioned Amazon S3 bucket; Restricted; MFA delete; CloudTrail logs; Security logs; Single source of truth; Alarm on user login; Limited access
  31. Security account: Optional data center connectivity; Security tools and audit; GuardDuty Master; Cross-account read/write; Automated tooling; Limited access
  32. Shared services account: Connected to DC; DNS; LDAP/Active Directory; Shared Services VPC; Deployment tools; Golden AMI pipeline; Scanning infrastructure (inactive instances, improper tags, snapshot lifecycle); Monitoring; Limited access
  33. Network account: Managed by network team; Networking services; AWS Direct Connect; Limited access
  34. Developer sandbox: No connection to DC; Innovation space; Fixed spending limit; Autonomous; Experimentation
  35. Team/group accounts: Based on level of needed isolation; Match your development lifecycle; Think small
  36. Dev: Develop and iterate quickly; Collaboration space; Stage of SDLC
  37. Pre-production: Connected to DC; Production-like; Staging; Testing; Automated deployment
  38. Production: Connected to DC; Production applications; Promoted from Pre-Prod; Limited access; Automated deployments
  39. Team shared services: Grows organically; Shared to the team; Product-specific common services; Data lake; Common tooling; Common services
  40. Innovation pipeline: PoC in developer accounts, then Dev, Pre-Prod and Prod team/group accounts alongside Shared Services; New initiatives; Experimentation; Innovation
  41. Special/exception: Be flexible; Regulatory/compliance; Additional isolation/security controls (PCI)
  42. Multi-account approach: Orgs: Account management; Log Archive: Security logs; Security: Security tools, AWS Config rules; Shared services: Directory, limit monitoring; Network: Direct Connect; Dev Sandbox: Experiments, learning; Dev: Development; Pre-Prod: Staging; Prod: Production; Team SS: Team Shared Services, Data Lake
  43. Team: Billing tools: Reduces access to Organizations account; Billing reports; Usage metrics and reporting; Usage optimizations and RI management
  44. Team: Internal audit: Regulatory compliance; Read-only access to needed logs; Limited access. See ENT315: Automate and Audit Cloud Governance and Compliance in your Landing Zone
  45. Team: Amazing new product: Match your development lifecycle; Think small
  46. BP's journey. David Ninnis, Senior Enterprise Architect, Cloud
  47. We are BP. See OIG301: A quantum leap transformation to make BP's global network cloud first
  48. Our AWS journey
  49. Our 2016 Landing Zone (Master Payer Account, Core Accounts, Resource Accounts): Master: Consolidated billing; Logs: Security logs; Enterprise Shared Services: Directory, DNS, patching, and more; Billing Tooling: Cost management; Network: Direct Connect; Internal Audit; Dev: Development; Pre-Prod: Staging; Prod: Production; DB: Database as a Service
  50. Along came the users: More access; More services; "Special" accounts; In-line policy management; Self service; Tag-based/resource level; Does IaaS well
  51. Iterating the LZ
  52. Iterating the LZ
  53. New/improved services since 2016: AWS Organizations. CreateAccount { "AccountName": "string", "Email": "string", "IamUserAccessToBilling": "string", "RoleName": "string" }. MoveAccount { "AccountId": "string", "DestinationParentId": "string", "SourceParentId": "string" }
  54. New/improved services since 2016
  55. New/improved services since 2016: SCPs with a region condition. Deny VPC peering actions in eu-west-1: { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ec2:AcceptVpcPeeringConnection", "ec2:CreateVpcPeeringConnection", "ec2:DeleteVpcPeeringConnection" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": "eu-west-1" } } } ] }. Allow ec2:* only in the named region: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:*" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": "eu-west } } } ]
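The SCPs on slides 27, 28 and 55 only behave as intended together with the way AWS Organizations combines them: an explicit Deny always wins, and an action must be allowed at every level of the hierarchy (root, OU, account). As an added example that is not part of the deck, this Python evaluator reproduces that logic over the deck's own policies. It assumes the default FullAWSAccess SCP at the root, models only the StringEquals condition operator, and completes the truncated Allow policy on slide 55 with eu-west-1.

```python
import fnmatch
from typing import Dict, List, Optional

# AWS attaches the managed FullAWSAccess SCP to every root and OU by default;
# the deck's deny-only SCPs (slides 27 and 28) work in combination with it.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Slide 27: stop CloudTrail from being disabled.
DENY_STOP_CLOUDTRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"}]}

# Slide 28: no internet gateway or VPC peering.
DENY_INTERNET_GATEWAY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["ec2:AttachInternetGateway", "ec2:CreateInternetGateway",
               "ec2:AttachEgressOnlyInternetGateway",
               "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection"],
    "Resource": "*"}]}

# Slide 55: an allow-list that replaces FullAWSAccess at its OU. The region value
# is cut off on the slide; eu-west-1 is assumed here to match the Deny beside it.
ALLOW_EC2_EU_WEST_1 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}}]}

# Slide 55: even inside the allowed region, no VPC peering.
DENY_PEERING_EU_WEST_1 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["ec2:AcceptVpcPeeringConnection", "ec2:CreateVpcPeeringConnection",
               "ec2:DeleteVpcPeeringConnection"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: Optional[Dict], context: Dict[str, str]) -> bool:
    """Assumption: only the StringEquals operator is modelled (all the deck needs)."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def _statement_matches(statement: Dict, action: str, context: Dict[str, str]) -> bool:
    # IAM action names match case-insensitively and support '*' wildcards.
    patterns = [p.lower() for p in _as_list(statement.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
        return False
    return _condition_matches(statement.get("Condition"), context)


def evaluate_level(policies: List[Dict], action: str, context: Dict[str, str]) -> str:
    """Combine every SCP attached at one level (root, OU or account).

    'explicit_deny' if any matching statement is a Deny; otherwise 'allow' if at
    least one matching statement is an Allow; otherwise 'implicit_deny'.
    """
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_matches(statement, action, context):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def evaluate_hierarchy(levels: List[List[Dict]], action: str,
                       context: Optional[Dict[str, str]] = None) -> str:
    """An action survives only if every level from the root down allows it."""
    context = context or {}
    for policies in levels:
        verdict = evaluate_level(policies, action, context)
        if verdict != "allow":
            return verdict
    return "allow"


# Constructed hierarchy: the root keeps FullAWSAccess plus the two deny SCPs; an
# EU-only OU swaps FullAWSAccess for the slide-55 allow-list and peering deny.
ROOT_POLICIES = [FULL_AWS_ACCESS, DENY_STOP_CLOUDTRAIL, DENY_INTERNET_GATEWAY]
EU_OU_POLICIES = [ALLOW_EC2_EU_WEST_1, DENY_PEERING_EU_WEST_1]

if __name__ == "__main__":
    for action, region in [("cloudtrail:StopLogging", "eu-west-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("ec2:CreateVpcPeeringConnection", "eu-west-1"),
                           ("s3:GetObject", "eu-west-1")]:
        verdict = evaluate_hierarchy([ROOT_POLICIES, EU_OU_POLICIES], action,
                                     {"aws:RequestedRegion": region})
        print(f"{action:32} {region:10} -> {verdict}")
```

The last case shows the trade-off of the slide-55 allow-list: once FullAWSAccess is replaced at an OU, every non-EC2 action is implicitly denied there unless it is added to the list.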
  56. The AWS Landing Zone solution: An easy-to-deploy solution that automates the setup of new AWS multi-account environments; Based on AWS best practices and recommendations; Initial security and governance controls; Baseline accounts and account vending machine; Automated deployment
  57. Here's where we are now: Took the core of the Landing Zone Solution; Created a metadata store in Amazon DynamoDB; Extended Landing Zone to call existing capability for RBAC and networking; Re-used our core accounts
  58. New Landing Zone (hub accounts: AWS Organizations, Security, Shared Services, Log Archive, Network; spoke accounts: Sandbox, Dev, Pre-Prod, Prod, Team Shared Services, DB): Orgs: Account management; Log Archive: Security logs; Security: Security tools, AWS Config rules; Shared services: Directory, limit monitoring; Network: Direct Connect; Dev Sandbox: Experiments, learning; Dev: Development; Pre-Prod: Staging; Prod: Production; Team SS: Team Shared Services, Data Lake; DB: Database as a Service
  59. End to end request workflow
      1. New Account SNOW form
      2. Form data used to create initial record in DynamoDB table
      3. Service Catalog vending machine account product creation invoked
      4. Provisioning of security & logging baseline with StackSets
      5. Provisioning of RBAC roles and SSO providers
      6. Provisioning of networking (including peering)
      7. Account provisioning notifications
      8. DS is notified of new Spoke account
      9. DS provisions additional controls
      10. SNOW is notified of new Spoke account being provisioned
      11. SNOW rescans DynamoDB table and syncs metadata back to SNOW CMDB
      12. SNOW provisions AD groups for the new account
      13. Email to end user informing of account provisioning
      Error paths (raised via SNS topics): 101. SNOW integration error with AWS APIs notified to SNOW team; 102. SNOW incident created; 103. AWS post-provisioning error notified to SNOW team; 201. StackSet creation error notified to Developers/Ops; 202. HS Dev Team incident created; 203. Post-provisioning notification error notified to Developers/Ops; 301. DS internal error notified to DS; 302. DS internal incident created
      Completion states: 501. DS complete; 502. SNOW complete; 503. AWS account provisioning complete
  60. End to end request workflow: Process AWS Account Submission Email → AWS Account Creation → AWS Account Status → AWS Account AD → AWS Account AAD Sync → AWS Account Completion Email
  61. Security and governance outcomes: Amazon WorkSpaces
  62. Event governance
  63. Event governance
  64. Event governance
  65. Event governance
  66. Event governance
  67. Event governance
  68. Event governance
  69. Event governance
  70. In closing: We've got this far; It's not perfect; It helps us to get out of the way; We will keep listening to our users and evolving; AWS will keep evolving
  71. [Blank slide]
  72. Multi-account approach (repeat of slide 42)
  73. QA/Staging for the landing zone: Test Landing Zone changes; Another Landing Zone
  74. Forensics: Isolated forensics area; Nearly invisible; Landing Zone with a twist
  75. Next steps: Define tagging strategy; Define automation strategy; Create Organizations Master account; Create Log Archive account; Create Security account; Create Shared Services account; Create Developer Sandbox account(s)
  76. Action plan
      • Create Organizations Master account
        • Create temporary S3 bucket for CloudTrail logs
        • Enable CloudTrail locally
        • Enable Organizations full features
      • Create Log Archive account
        • Create bucket(s) for security logs (CloudTrail, AWS Config)
        • Enable MFA delete
        • Enable versioning
        • Define limited-access bucket policy
        • Add SCP to prevent s3:delete
        • Backfill: Enable CloudTrail in Organizations Master account to send logs to Log Archive account
        • Backfill: Copy CloudTrail logs for actions that happened between Organizations Master creation and Log Archive creation
      • Create Security account
        • Backfill: Cross-account roles with trust to Security account for Organizations Master and Log Archive
          • Read-only role
          • Read/Write role (fewer permissions for assumption)
        • <CommonCheckList>
        • Create security tooling/Lambda functions for security checks
      • Create Shared Services account
        • <CommonCheckList>
        • Connect via DX/VPN to DC
        • Launch common services
          • Directory services
          • Limit monitoring
      • Create AWS Network account
        • Order your Direct Connect
        • <CommonCheckList>
  77. Common checklist
      • Secure root credentials
        • MFA
          • OTP
          • U2F could make this easier for managing them
          • https://aws.amazon.com/blogs/security/how-to-create-and-manage-users-within-aws-sso/
        • Complex password
        • Establish rotation policy
      • Link to Organizations Master account if not already a member
      • Use group email/phone as the contact info
      • Enable CloudTrail in all regions, send to Log Archive account
      • Enable GuardDuty in all regions
        • Security account as GuardDuty master
        • Operationalize the findings
      • Enable AWS Config, send to Log Archive account
      • Enable appropriate AWS Config rules
        • S3 bucket encryption
        • S3 world read/write
        • EBS encryption, etc.
      • Create read-only cross-account Security role
      • Create read/write cross-account Security role
      • Create VPC (non-overlapping IP space)
      • Enable federation into account
        • http://federationworkshopreinvent2016.s3-website-us-east-1.amazonaws.com/
      • Define roles and access policies
      • Peer/PrivateLink VPC with Shared Services
      • Add a policy for prefix naming conditions to every account. For example, deny access to Lambda functions that start with "security*"
      • Review CIS Foundations Benchmark and leverage as appropriate
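Most of slide 77's checklist, and the Log Archive bucket settings from slides 30 and 76, are per-account and per-region facts that can be verified mechanically. As an added example (not from the deck and not BP's tooling), the Python below runs those checks over a constructed snapshot of one member account and of the Log Archive bucket; the snapshot shape, the account ID, the bucket name, the role names and the region list are all assumptions made for this example.

```python
from typing import Dict, List

# Constructed identifiers for this example (not from the deck).
SECURITY_ACCOUNT = "111111111111"           # slide 31: the GuardDuty master account
LOG_ARCHIVE_BUCKET = "example-log-archive"  # slide 30: the security-log bucket
ENABLED_REGIONS = ["eu-west-1", "eu-west-2", "us-east-1"]   # assumed enabled regions
REQUIRED_ROLES = ("SecurityReadOnly", "SecurityReadWrite")  # assumed role names

# Constructed snapshot of one member account. In practice it would be filled from
# the describe/get calls (IAM account summary, CloudTrail trails, GuardDuty
# detectors and master account, Config recorder status) in each enabled region.
SNAPSHOT = {
    "root_mfa_enabled": False,
    "cloudtrail": {"multi_region": True, "logging": True,
                   "s3_bucket": "example-log-archive"},
    "guardduty": {
        "eu-west-1": {"enabled": True, "master": "111111111111"},
        "eu-west-2": {"enabled": True, "master": None},
        "us-east-1": {"enabled": False, "master": None},
    },
    "config": {
        "eu-west-1": {"recording": True, "s3_bucket": "example-log-archive"},
        "eu-west-2": {"recording": True, "s3_bucket": "team-local-bucket"},
        "us-east-1": {"recording": False, "s3_bucket": None},
    },
    # role name -> account ID that the role's trust policy allows to assume it
    "cross_account_roles": {"SecurityReadOnly": "111111111111"},
}

# Constructed snapshot of the Log Archive bucket itself (slides 30 and 76); the
# public-access field stands in for the "S3 world read/write" Config rule.
LOG_BUCKET_SNAPSHOT = {"versioning": "Enabled", "mfa_delete": "Disabled",
                       "public_access_blocked": True}


def audit_account(snapshot: Dict) -> List[str]:
    """Return one finding per slide-77 checklist item the account does not meet."""
    findings = []
    if not snapshot.get("root_mfa_enabled"):
        findings.append("root: MFA not enabled")

    trail = snapshot.get("cloudtrail", {})
    if not (trail.get("multi_region") and trail.get("logging")):
        findings.append("cloudtrail: not logging in all regions")
    elif trail.get("s3_bucket") != LOG_ARCHIVE_BUCKET:
        findings.append(f"cloudtrail: not delivering to {LOG_ARCHIVE_BUCKET}")

    for region in ENABLED_REGIONS:
        gd = snapshot.get("guardduty", {}).get(region, {})
        if not gd.get("enabled"):
            findings.append(f"guardduty/{region}: not enabled")
        elif gd.get("master") != SECURITY_ACCOUNT:
            findings.append(f"guardduty/{region}: not managed by the Security account")
        cfg = snapshot.get("config", {}).get(region, {})
        if not cfg.get("recording"):
            findings.append(f"config/{region}: recorder off")
        elif cfg.get("s3_bucket") != LOG_ARCHIVE_BUCKET:
            findings.append(f"config/{region}: not delivering to {LOG_ARCHIVE_BUCKET}")

    roles = snapshot.get("cross_account_roles", {})
    for role in REQUIRED_ROLES:
        if roles.get(role) != SECURITY_ACCOUNT:
            findings.append(f"iam: {role} missing or not trusting the Security account")
    return findings


def audit_log_archive_bucket(bucket: Dict) -> List[str]:
    """Checks for the Log Archive bucket settings on slides 30 and 76."""
    findings = []
    if bucket.get("versioning") != "Enabled":
        findings.append("log-archive: versioning not enabled")
    if bucket.get("mfa_delete") != "Enabled":
        findings.append("log-archive: MFA delete not enabled")
    if not bucket.get("public_access_blocked"):
        findings.append("log-archive: public access not blocked")
    return findings


if __name__ == "__main__":
    for finding in audit_account(SNAPSHOT) + audit_log_archive_bucket(LOG_BUCKET_SNAPSHOT):
        print("FAIL", finding)
```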
  78. The AWS Landing Zone solution
  An easy-to-deploy solution that automates the setup of new AWS multi-account environments
  • Based on AWS best practices and recommendations
  • Initial security and governance controls
  • Baseline accounts and account vending machine
  • Automated deployment
  79. AWS Landing Zone structure - Basic
  AWS Organizations
  Organizations Account
  • Account Provisioning
  • Account Access (SSO)
  Shared Services Account
  • Active Directory
  • Log Analytics
  Log Archive
  • Security Logs
  Security Account
  • Audit / Break-glass
  Parameter store
  80. Account vending machine
  Account Vending Machine (AWS Service Catalog)
  • Account creation factory
  • User Interface to create new accounts
  • Account baseline versioning
  • Launch constraints
  Flow: Account Vending Machine -> Creates/updates AWS account -> Apply account baseline stack sets -> Create network baseline -> Apply account security control policy
  [Diagram: AWS Organizations containing the Security, Log Archive and Shared Services accounts, plus the new AWS account being vended]
  81. Next steps
  • Define tagging strategy
  • Define automation strategy
  • Create Organizations Master account
  • Create Log Archive account
  • Create Security account
  • Create Shared Services account
  • Create Developer Sandbox account(s)
  82. Action Plan
  Create Organizations Master account
  • Create temporary s3 bucket for CloudTrail logs
  • Enable CloudTrail locally
  • Enable organizations full feature
  Create Log Archive account
  • Create bucket(s) for security logs (CloudTrail, AWS Config)
  • Enable MFA delete
  • Enable versioning
  • Define limited access bucket policy
  • Add SCP to prevent s3:delete
  • Backfill: Enable CloudTrail in organizations master account to send logs to Log Archive account
  • Backfill: Copy CloudTrail logs for actions that happened between Organizations Master creation and log archive
  Create Security account
  • Backfill: cross-account roles with trust to security account for organizations master and log archive
    • Read-only role
    • Read/Write role (fewer permissions for assumption)
  • <CommonCheckList>
  • Create security tooling/Lambda functions for security checks
  Create Shared Services account
  • <CommonCheckList>
  • Connect via DX/VPN to DC
  • Launch common services
    • Directory services
    • Limit monitoring
  Create AWS Network account
  • Order your Direct Connect
  • <CommonCheckList>
  83. Common Checklist
  • Secure Root credentials
    • MFA
      • OTP
      • U2F could make this easier for managing them
      • https://aws.amazon.com/blogs/security/how-to-create-and-manage-users-within-aws-sso/
    • Complex password
    • Establish rotation policy
  • Link to Organizations Master account if not already a member
  • Use group email/phone as the contact info
  • Enable CloudTrail in all regions, send to Log Archive account
  • Enable GuardDuty in all regions
    • Security Account as GuardDuty master
    • Operationalize the findings
  • Enable AWS Config, send to Log Archive account
    • Enable appropriate AWS Config rules
      • s3 bucket encryption
      • s3 world read/write
      • ebs encryption etc...
  • Create read-only cross-account Security role
  • Create read/write cross-account Security role
  • Create VPC (non-overlapping IP space)
  • Enable federation into account
    • http://federationworkshopreinvent2016.s3-website-us-east-1.amazonaws.com/
    • Define roles and access policies
  • Peer/PrivateLink VPC with Shared Services
  • Add a policy for prefix naming conditions to every account. For example, deny access to Lambda functions that start with "security*"
  • Review CIS Foundations Benchmark and leverage as appropriate
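The action plan (SCP to prevent s3:delete on the log archive) and the common checklist (cross-account Security roles, the "security*" prefix-naming policy) describe policy documents without showing them. The following is an added example, not code from the deck or from AWS: it builds those three documents and runs them through a deliberately small IAM-style evaluator so the effect of each can be seen offline. The bucket name, account ids and the SecurityAudit* role naming pattern are constructed assumptions.

```python
"""Added example, not from the deck: the documents the action plan (limited-access
log bucket, SCP against s3:delete) and common checklist (cross-account Security
roles, 'security*' prefix guardrail) call for, plus a small evaluator to show
their effect. Account ids, bucket and role names are constructed placeholders."""
import fnmatch
from typing import Optional

LOG_BUCKET = "example-log-archive-bucket"                     # constructed
SECURITY_ACCOUNT = "222222222222"                             # constructed id
SECURITY_ROLE_PATTERN = "arn:aws:iam::*:role/SecurityAudit*"  # assumed naming
# Worst-case identity policy the SCPs below must still constrain.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def log_archive_scp(bucket: str) -> dict:
    """SCP for the Log Archive account: no deleting or tampering with the
    security-log bucket, whatever IAM permissions the caller holds."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ProtectLogArchive", "Effect": "Deny",
        "Action": ["s3:Delete*", "s3:PutBucketPolicy", "s3:PutBucketVersioning",
                   "s3:PutLifecycleConfiguration"],
        "Resource": [arn, f"{arn}/*"]}]}


def security_prefix_scp() -> dict:
    """Prefix-naming guardrail: only the Security role may act on Lambda
    functions whose name starts with 'security'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReserveSecurityPrefix", "Effect": "Deny", "Action": "lambda:*",
        "Resource": "arn:aws:lambda:*:*:function:security*",
        "Condition": {"StringNotLike": {"aws:PrincipalArn": SECURITY_ROLE_PATTERN}}}]}


def readonly_role_trust(security_account: str) -> dict:
    """Trust policy for the read-only cross-account role: assumable only from
    the Security account, and only with MFA."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{security_account}:root"},
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _cond_ok(conds: dict, ctx: dict) -> bool:
    """Only the condition operators the policies above use are modelled."""
    for op, pairs in conds.items():
        for key, want in pairs.items():
            have, pats = ctx.get(key), _as_list(want)
            if op == "StringNotLike":  # a missing key satisfies a negated operator
                ok = have is None or not any(fnmatch.fnmatchcase(have, p) for p in pats)
            elif op == "Bool":
                ok = str(have).lower() == pats[0].lower()
            else:
                raise ValueError(f"operator {op} not modelled")
            if not ok:
                return False
    return True


def _principal_ok(stmt: dict, ctx: dict) -> bool:
    """Resource-based policies name a Principal ('<account>:root' covers every
    identity in that account); SCPs and identity policies have none."""
    if "Principal" not in stmt:
        return True
    caller = ctx.get("aws:PrincipalArn", "")
    parts = caller.split(":")
    account_root = f"arn:aws:iam::{parts[4]}:root" if len(parts) == 6 else ""
    return any(p in (caller, account_root) for p in _as_list(stmt["Principal"].get("AWS", [])))


def _matches(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    acts = [a.lower() for a in _as_list(stmt["Action"])]
    ress = _as_list(stmt.get("Resource", "*"))  # trust policies carry no Resource
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in ress)
            and _principal_ok(stmt, ctx)
            and _cond_ok(stmt.get("Condition", {}), ctx))


def evaluate(policies: list, action: str, resource: str, ctx: Optional[dict] = None) -> str:
    """Explicit Deny wins, then any Allow, else implicit Deny. Real IAM also
    intersects SCPs with identity policies; here every policy passed applies."""
    ctx = ctx or {}
    allowed = False
    for pol in policies:
        for stmt in pol["Statement"]:
            if _matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"
```

Pairing ADMIN_POLICY with log_archive_scp(LOG_BUCKET) shows the point of the SCP: evaluate(...) returns "Allow" for s3:GetObject on a log object but "Deny" for s3:DeleteObjectVersion on the same object, even though the caller's own policy grants everything. The same evaluator shows the trust policy refusing sts:AssumeRole when aws:MultiFactorAuthPresent is absent or "false", which is the "MFA delete" and "fewer permissions for assumption" intent applied to role assumption.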
  84. Putting it All Together
  AWS Landing Zone: Policy Enforcement
  • Policy Deployment
  • Notification
  • Remediation
  Account Metadata: Owner, Function, Policies, BU, SDLC, Cost Center etc...
  Prod
  • Encrypt EBS
  • No IGW
  • Guardrail "x"
  QA
  • Encrypt EBS
  • Guardrail "x"
  • Guardrail "y"
  Policy "p"
  • Encrypt EBS
  • No IGW
  • Guardrail "y"
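The slide shows the enforcement loop as a matrix: account metadata selects a set of guardrails, and the deployed policies produce notifications and remediations. The following is an added example, not code from the deck or from the AWS Landing Zone solution: it resolves an account's guardrail set from its SDLC stage and attached policies exactly as the matrix reads, then runs the implementable checks (Encrypt EBS, No IGW) over a constructed resource inventory, reporting the slide's placeholder guardrails "x" and "y" as coverage gaps rather than silently skipping them. Account ids, owners and resource ids are constructed.

```python
"""Added example, not from the deck: derive an account's guardrail set from
its metadata (the Prod / QA / Policy "p" matrix) and run it over a constructed
inventory, yielding the notification and remediation records the enforcement
loop would act on. All ids, owners and resources below are constructed."""
from dataclasses import dataclass

# Controls implied by SDLC stage and by named policies, as on the slide.
# "Guardrail x" / "Guardrail y" are the slide's own placeholders.
GUARDRAILS_BY_SDLC = {
    "Prod": {"Encrypt EBS", "No IGW", "Guardrail x"},
    "QA": {"Encrypt EBS", "Guardrail x", "Guardrail y"},
}
GUARDRAILS_BY_POLICY = {"p": {"Encrypt EBS", "No IGW", "Guardrail y"}}
UNCHECKED = "no check implemented"


@dataclass(frozen=True)
class Finding:
    account_id: str
    guardrail: str
    resource_id: str
    notify: str       # Owner from the account metadata
    remediation: str  # action the remediation step would take


def resolve_guardrails(account: dict) -> set:
    """Union of controls from the SDLC stage and every attached policy;
    unknown stages or policy names contribute nothing."""
    controls = set(GUARDRAILS_BY_SDLC.get(account.get("SDLC"), set()))
    for pol in account.get("Policies", []):
        controls |= GUARDRAILS_BY_POLICY.get(pol, set())
    return controls


def _check_ebs(inventory: dict) -> list:
    return [(v["id"], "replace with an encrypted copy of the volume")
            for v in inventory.get("ebs_volumes", []) if not v.get("encrypted")]


def _check_igw(inventory: dict) -> list:
    return [(igw, "detach and delete the internet gateway")
            for igw in inventory.get("internet_gateways", [])]


CHECKS = {"Encrypt EBS": _check_ebs, "No IGW": _check_igw}


def enforce(account: dict, inventory: dict) -> list:
    """Run every resolved guardrail against the inventory. A guardrail with
    no check behind it is reported once so the coverage gap stays visible."""
    findings = []
    for guardrail in sorted(resolve_guardrails(account)):
        check = CHECKS.get(guardrail)
        if check is None:
            findings.append(Finding(account["Id"], guardrail, "-", account["Owner"], UNCHECKED))
            continue
        for resource_id, action in check(inventory):
            findings.append(Finding(account["Id"], guardrail, resource_id, account["Owner"], action))
    return findings


def actionable(findings: list) -> list:
    """Findings that carry a concrete remediation (the ones worth notifying on)."""
    return [f for f in findings if f.remediation != UNCHECKED]


# Constructed sample data: two accounts sharing one inventory shape.
PROD_ACCOUNT = {"Id": "333333333333", "Owner": "payments-team@example.com",
                "Function": "payments", "BU": "retail", "SDLC": "Prod",
                "Policies": ["p"], "CostCenter": "CC-42"}
QA_ACCOUNT = {**PROD_ACCOUNT, "Id": "444444444444", "SDLC": "QA", "Policies": []}
INVENTORY = {
    "ebs_volumes": [{"id": "vol-0a", "encrypted": True}, {"id": "vol-0b", "encrypted": False}],
    "internet_gateways": ["igw-01"],
}

if __name__ == "__main__":
    for f in enforce(PROD_ACCOUNT, INVENTORY):
        print(f)
```

For the constructed data, the Prod account inherits "No IGW" from its stage and "Guardrail y" from policy "p", so the same inventory produces two actionable findings there (the unencrypted volume and the internet gateway) but only one in QA, where no internet-gateway control applies.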
  85. AWS Landing Zone track: search #awslandingzone
  Architecture:
  • SEC303: Architecting Security & Governance across your AWS Landing Zone (Session)
  • ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session)
  Implementation:
  • ENT350: AWS Landing Zone Deep Dive (Chalk Talk)
  • SEC349: Governance at Scale (Chalk Talk)
  • ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session)
  Workshops (first three are the same content):
  • ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop)
  • SEC315: Enterprise Governance and Security - Build Your AWS Landing Zone (Workshop)
  • GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners)
  • SEC334: Operational Excellence for Identity & Access Management (Workshop)
  Summary/Feedback:
  • SEC360: AWS Landing Zone Strategies (Chalk Talk)
  86. Thank you!
  Sam Elmalak @SamElmalak
  David Ninnis