Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security and governance with AWS Control Tower and AWS Organizations - SEC204 - New York AWS Summit

574 views

Published on

Whether it is per business unit or per application, many AWS customers use multiple accounts to meet their infrastructure isolation, separation of duties, and billing requirements. In this session, learn about the considerations, limitations, and security patterns of building a multi-account strategy. Get insight into topics such as thought pattern, identity federation, cross-account roles, consolidated logging, and account governance. Finally, see an enterprise-ready landing zone framework and the background needed to implement an AWS Landing Zone using AWS Control Tower and AWS Organizations.

  • To get professional research papers you must go for experts like ⇒ www.WritePaper.info ⇐
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Security and governance with AWS Control Tower and AWS Organizations - SEC204 - New York AWS Summit

  1. 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Security and governance with AWS Control Tower and AWS Organizations Ryan Malecky Senior Solutions Architect Amazon Web Services S E C 2 0 4
  2. 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Agenda An enterprise-ready landing zone framework Action plan and checklist AWS Control Tower overview
  3. 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Old world IT Bob – IT and security guy Developers
  4. 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Old world IT: Scale More Bobs More developers
  5. 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T The cloud makes this easier! Same Bobs More developers!
  6. 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T One account: Isolation with AWS Identity and Access Management (IAM) and Amazon Virtual Private Cloud (Amazon VPC) Gray boundaries Complicated and messy over time Difficult to track resources People stepping on each other Everything
  7. 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Separate developer account Still can’t track resources or spend Still have isolation and blast radius concerns Developers are still stepping on each other Bob now has to manage IAM and VPCs here too Development Production
  8. 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T The problem On-premises posture for the cloud Inheriting ideas from data center days Management and Operations don’t trust developers with full access Developers want to work—really! DevOps is a great idea Doesn’t work when Operations is in the way
  9. 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T A new solution: We need the following • Access to AWS services without barriers • Ability to fail fast without collateral damage • Smaller blast radius • Operations team → Cloud architects • Everyone able to influence digital transformation • Costs and resources tracked to individuals and teams • Optimized code for AWS
  10. 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Where do we start? With developer accounts DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
  11. 11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Where do we start? With team accounts DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer Team or group Team or group Team or group Team or group Team or group DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
  12. 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Where do we start? With Operations accounts DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer Team or group Team or group Team or group Team or group Team or group Production Staging Development and UAT DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
  13. 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Where do we start? With shared services DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer Team or group Team or group Team or group Team or group Team or group Production Staging Development and UATCore shared DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
  14. 14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What are core shared accounts? Security Shared services Log archive Network Core shared
  15. 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Shared by tier DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer Team or group Team or group Team or group Team or group Team or group Production Staging Development and UATCore shared DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer Team shared Development shared
  16. 16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Shared by tier DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer Team or group Team or group Team or group Team or group Team or group Production Staging Development and UAT DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer Core shared Team core shared Development core shared
  17. 17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T A different approach DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer Team Dev Team Dev Team Dev Team Dev Team Dev Core shared Team core shared Development core shared DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer Team Stg Team Stg Team Stg Team Stg Team Stg Team Prod Team Prod Team Prod Team Prod Team Prod Production Development and UAT Staging Production core shared Staging core shared
  18. 18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Your own additions DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer Team Dev Team Dev Team Dev Team Dev Team Dev Team Stg Team Stg Team Stg Team Stg Team Stg Team Prod Team Prod Team Prod Team Prod Team Prod Production Development and UAT Staging PersonalPersonal PersonalPersonal PersonalPersonalPersonal PersonalPersonal Personal PersonalPersonal PersonalPersonal PersonalPersonalPersonal PersonalPersonal Personal Personal shared Development core shared Staging core shared Production core shared
  19. 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS account Security and resource boundary API limits and throttling Billing separation
  20. 20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why one account isn’t enough Billing Many teams Security and compliance controls Business process Isolation
  21. 21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Goals Guardrails NOT blockers Auditable Flexible Automated Scalable Self-service
  22. 22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Account security considerations Baseline requirements Lock Enable Define Federate Establish Identify
  23. 23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What accounts should you create? Security Shared services Billing Development ProductionSandbox OtherPre-production AWS Organizations account Log archive Network
  24. 24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Organizations Master • No connection to data center • Service control policies (SCPs) • Consolidated billing • Volume discount • Minimal resources • Limited access • Restricted Organizations role! Organizations master Network path Data center
  25. 25. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SCP: Stop CloudTrail from being disabled { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": ”cloudtrail:StopLogging", "Resource": "*" } ] }
  26. 26. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SCP: No Internet gateway for Amazon VPC "Statement": [ { "Effect": "Deny", "Action": [ "ec2:AttachInternetGateway”, “ec2:CreateInternetGateway”, “ec2:AttachEgressOnlyInternetGateway”, “ec2:CreateVpcPeeringConnection”, “ec2:AcceptVpcPeeringConnection" ], "Resource": "*" } ]
  27. 27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Core accounts • Foundational • Building blocks • Once per organization • Their own development lifecycle (development, QA, production) Core accounts Organizations master Network path Data center
  28. 28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Log archive account • Versioned Amazon Simple Storage Service (Amazon S3) bucket • Restricted • Multi-factor authentication (MFA) delete • CloudTrail logs • Security logs • Single source of truth • Alarm on user login • Limited access Core accounts Organizations master Log archive Network path Data center
  29. 29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Network path Security account • Optional data center connectivity • Security tools and auditing • GuardDuty master • Cross-account read/write (automated tooling) • Limited access Core accounts Organizations master Log archiveSecurity Data center
  30. 30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Network path Shared services account • Connection to data center • DNS • LDAP and Active Directory • Shared services VPC • Deployment tools • Golden Amazon Machine Image (AMI) • Pipeline • Scanning infrastructure • Inactive instances • Improper tags • Snapshot lifecycle • Monitoring • Limited access Security Core accounts Organizations master Log archive Shared services Data center
  31. 31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Network path Network account • Management by network team • Networking services • AWS Direct Connect • Limited access Security Core accounts Organizations master Shared services Log archive Network Data center
  32. 32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Network path Developer sandbox • No connection to data center • Innovation space • Fixed spending limit • Autonomy • Experimentation Security Core accounts Organizations master Shared services Network Log archive Developer sandbox Developer accounts Data center
  33. 33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Network path Team or group accounts • Based on level of needed isolation • Match your development lifecycle • Think small Developer sandbox Security Core accounts Organizations master Shared services Network Log archive Developer accounts Team or group accounts Data center
  34. 34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Network path Development • Quick development and iteration • Collaboration space • Stage of software development lifecycle (SDLC) Developer sandbox Team or group accounts Security Core accounts Organizations master Shared services Network Log archive Developer accounts Development Data center
  35. 35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Network path Pre-production • Connection to data center • Similarity to production • Staging • Testing • Automated deployment Developer sandbox Development Team or group accounts Security Core accounts Organizations master Shared services Network Log archive Developer accounts Pre-production Data center
  36. 36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Network path Production • Connection to data center • Production applications • Promotion from pre-production • Limited access • Automated deployments Developer sandbox Development Pre-production Team or group accounts Security Core accounts Organizations master Shared services Network Log archive Developer accounts Production Data center
  37. 37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Network path Team shared services • Organic growth • Sharing to the team • Product-specific common services • Data lake • Common tooling • Common services Developer sandbox Development Pre-production Team or group accounts Security Core accounts Organizations master Shared services Network Log archive Production Developer accounts Team shared services Data center
  38. 38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Innovation pipeline Developer accounts Developer accounts PoC Developer accounts Developer accounts Development Pre-production Team or group accounts Production Shared services PoC New initiatives Experimentation Innovation
  39. 39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Special exception Flexibility Regulation and compliance Additional isolation and security controls (PCI)
  40. 40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Multi-account approach Developer sandbox Development Pre-production Team or group accounts Security Core accounts Organizations master Shared services Network Log archive Production Team shared services Developer accounts Organizations: Account management Log archive: Security logs Security: Security tools, AWS Config rules Shared services: Directory, limit monitoring Network: AWS Direct Connect Developer sandbox: Experiments, learning Development: Development Pre-production: Staging Production: Production Team shared services: Team shared services, data lake Network path Data center
  41. 41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Team: Billing tools • Reduced access to Organizations account • Billing reports • Usage metrics and reporting • Usage optimizations and Reserved Instance (RI) management Developer sandbox Development Pre-production Billing tools team accounts Security Core accounts Organizations master Shared services Network Log archive Production Developer accounts Network path Data center
  42. 42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Team: Internal audit • Regulatory compliance • Read-only access to needed logs • Limited access • re:Invent 2018 ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing ZoneDeveloper sandbox Development Pre-production Internal audit team accounts Security Core accounts Organizations master Shared services Network Log archive Production Developer accounts Network path Data center
  43. 43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Team: Amazing new product • Match your development lifecycle • Think small Developer sandbox Development Pre-production Amazing new product team accounts Security Core accounts Organizations master Shared services Network Log archive Production Developer accounts Network path Data center
  44. 44. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  45. 45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Multi-account approach Developer sandbox Development Pre-production Team or group accounts Security Core accounts Organizations Shared services Network Log archive Production Team shared services Developer accounts Organizations: Account management Log archive: Security logs Security: Security tools, AWS Config rules Shared services: Directory, limit monitoring Network: AWS Direct Connect Developer sandbox: Experiments, learning Development: Development Pre-production: Staging Production: Production Team shared services: Team shared services, data lake Network path Data center
  46. 46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T QA and staging for the landing zone Developer sandbox Development Pre-production Team or group accounts Security Core accounts Organizations master Shared services Network Log archive Production Team shared services Developer accounts Test landing zone changes Another landing zone Network path Data center
  47. 47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Forensics Developer sandbox Development Pre-production Team or group accounts Security Core accounts Organizations master Shared services Network Log archive Production Team shared services Developer accounts Isolated forensics area Nearly invisible Landing zone with a twist Network path Data center
  48. 48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Next steps • Define tagging strategy • Define automation strategy • Create Organizations master account • Create log archive account • Create security account • Create shared services account • Create developer sandbox accounts
  49. 49. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Action plan Create Organizations master account • Create temporary Amazon S3 bucket for CloudTrail logs • Enable CloudTrail locally • Enable Organizations full feature Create log archive account • Create buckets for security logs (CloudTrail, AWS Config) • Enable MFA delete and versioning • Define limited access bucket policy • Add SCP to prevent s3:delete • Backfill: Enable CloudTrail in Organizations master account to send logs to log archive account • Backfill: Copy CloudTrail logs for actions that happened between Organizations master creation and log archive Create security account • Backfill: Cross-account roles with trust to security account for Organizations master and log archive • Read-only role • Read/write role (fewer permissions for assumption) • <CommonCheckList> • Create security tooling and AWS Lambda functions for security checks Create shared services account • <CommonCheckList> • Connect via AWS Direct Connect/VPN to data center • Launch common services (directory services and limit monitoring) Create AWS network account • Order your AWS Direct Connect • <CommonCheckList>
  50. 50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Common checklist • Secure root credentials • MFA • One-time password (OTP) • Universal 2nd Factor (U2F) could make this easier for management https://aws.amazon.com/blogs/security/how-to-create- and-manage-users-within-aws-sso/ • Complex password • Establish rotation policy • Link to Organizations master account if not already a member • Use group email and phone as the contact info • Enable CloudTrail in all Regions, send to log archive account • Enable GuardDuty in all Regions • Operationalize the findings from security account as GuardDuty master • Enable AWS Config, send to log archive account • Enable appropriate AWS Config rules • Amazon S3 bucket encryptions • Amazon S3 world read/write • Amazon EBS encryption (and others) • Create read-only cross-account security role • Create read/write cross-account security role • Create VPC (non-overlapping IP space) • Enable federation in account http://federationworkshopreinvent2016.s3-website-us- east-1.amazonaws.com/ • Define roles and access policies • Peer or AWS PrivateLink VPC with shared services • Add a policy for prefix naming conditions to every account—e.g., deny access to Lambda functions that start with security* • Review CIS AWS Foundations Benchmark, and leverage as appropriate
  51. 51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T The AWS Landing Zone solution An easy-to-deploy solution that automates the setup of new AWS multi-account environments Based on AWS best practices and recommendations Initial security and governance controls Baseline accounts and account vending machine Automated deployment
  52. 52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Landing Zone structure: Basic AWS Organizations Shared services Log archive Security Organizations account Account provisioning Account access (SSO) Shared services account Active Directory Log analytics Log archive Security logs Security account Audit, break-glass Parameter store
  53. 53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Account vending machine • Account vending machine (AWS Service Catalog) • Account creation factory • User interface to create new accounts • Account baseline versioning • Launch constraints • Creation and update of AWS account • Application of account baseline stack sets • Creation of network baseline • Application of account SCP AWS Service Catalog Account vending machine Organizations Security AWS Log archive AWS Shared services AWS AWS New AWS
  54. 54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Next steps • Define tagging strategy • Define automation strategy • Create Organizations master account • Create log archive account • Create security account • Create shared services account • Create developer sandbox accounts
  55. 55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Action plan Create Organizations master account • Create temporary Amazon S3 bucket for CloudTrail logs • Enable CloudTrail locally • Enable Organizations full feature Create log archive account • Create buckets for security logs (CloudTrail, AWS Config) • Enable MFA delete and versioning • Define limited access bucket policy • Add SCP to prevent s3:delete • Backfill: Enable CloudTrail in Organizations master account to send logs to log archive account • Backfill: Copy CloudTrail logs for actions that happened between Organizations master creation and log archive Create security account • Backfill: cross-account roles with trust to security account for Organizations master and log archive • Read-only role • Read/write role (fewer permissions for assumption) • <CommonCheckList> • Create security tooling and AWS Lambda functions for security checks Create shared services account • <CommonCheckList> • Connect via AWS Direct Connect/VPN to data center • Launch common services (directory services and limit monitoring) Create AWS network account • Order your AWS Direct Connect • <CommonCheckList>
  56. 56. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Common checklist • Secure root credentials • MFA • OTP • U2F could make this easier for management https://aws.amazon.com/blogs/security/how-to-create- and-manage-users-within-aws-sso/ • Complex password • Establish rotation policy • Link to Organizations master account if not already a member • Use group email and phone as the contact info • Enable CloudTrail in all Regions, send to log archive account • Enable GuardDuty in all Regions • Operationalize the findings from security account as GuardDuty master • Enable AWS Config, send to log archive account • Enable appropriate AWS Config rules • Amazon S3 bucket encryptions • Amazon S3 world read/write • Amazon EBS encryption (and others) • Create read-only cross-account security role • Create read/write cross-account security role • Create VPC (non-overlapping IP space) • Enable federation into account http://federationworkshopreinvent2016.s3-website-us- east-1.amazonaws.com/ • Define roles and access policies • Peer or AWS PrivateLink VPC with shared services • Add a policy for prefix naming conditions to every account—e.g., deny access to Lambda functions that start with security* • Review CIS AWS Foundations Benchmark, and leverage as appropriate
  57. 57. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Policy enforcement AWS Landing Zone Policy deployment Notification Remediation Account metadata: Owner, function, policies, BU, SDLC, cost center, etc. Production • Encrypt Amazon EBS • No internet gateway (IGW) • Guardrail “x” QA • Encrypt Amazon EBS • Guardrail “x” • Guardrail “y” Policy “p” • Encrypt Amazon EBS • No IGW • Guardrail “y” Putting it all together
  58. 58. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  59. 59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Introducing AWS Control Tower: Consistent and simple multi-account management Automated AWS setup Launch an automated landing zone with best- practices blueprints Policy enforcement Pre-packaged guardrails to enforce policies or detect violations Dashboard for oversight Continuous visibility into workload compliance with controls
  60. 60. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Key features and benefits Account setup Automated, secure, and scalable landing zone Multi-account management using Organizations Central logging and multi-account configuration consistency Built-in best practices Multi-account preventive and detective guardrails Easy-to-use dashboard and notifications Curated rules in plain EnglishAccount provisioning wizard Guardrails Landing zone
  61. 61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Control Tower: Building blocks AWS Control Tower Account management Guardrail enforcement AWS Security Hub Landing zone AWS Landing Zone AWS Organizations
  62. 62. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Control Tower’s automated landing zone AWS Control Tower master account AWS Control Tower ✓ AWS Organizations with master and pre-created accounts for central log archive and cross- account audit ✓ Pre-configured directory and SSO using AWS SSO (with Active Directory custom option) ✓ Centralized monitoring and alerts using AWS Config, CloudTrail, and Amazon CloudWatch
  63. 63. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Account factory • Account factory for controls on account provisioning • Pre-approved account baselines with VPC options • Pre-approved configuration options • End-user configuration and provisioning through AWS Service Catalog • Create and update AWS accounts under organizational units
  64. 64. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  65. 65. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Q&A Which should I use: AWS Organizations, AWS Landing Zone, or AWS Control Tower?
  66. 66. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Q&A Can I migrate from AWS Landing Zone to AWS Control Tower?
  67. 67. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Q&A I need feature X, but AWS Control Tower doesn’t support it. What should I do?
  68. 68. Thank you! S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Ryan Malecky rmalecky@amazon.com

×