1. Sadegh Nadimi
Setting up a Landing Zone
Introducing an automated solution for setting up AWS environments at scale
2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is a Landing Zone?
• A configured, secure, multi-account AWS environment based on
AWS best practices
• A starting point for net new development and experimentation
• A starting point for your application migration journey
• An environment that allows for iteration & extension over time
3. You Need a Landing Zone That…
• meets the organization’s security and auditing requirements
• is ready to support highly available and scalable workloads
• is configurable to support evolving business requirements
4. Common Business Outcomes
• Focus on what differentiates
• Reduce time from ideation to instantiation
• Secure and compliant environment
• Migrate undifferentiated workloads
• Deploy and run at a global scale
5. And Even Though There Is Plenty of Support…
• Professional Services
• Technical Account Managers
• Solutions Architects
• AWS Marketplace
• AWS Partner Ecosystem
6. Setup Can Still Be Challenging
• Numerous design decisions
• Configuration of multiple accounts and services
• Creation of a security baseline and governance
• 100+ services
• Documentation
• User access
7. Common Design Considerations
8. Starting at the Beginning: AWS Accounts
An AWS account is:
• a security and resource boundary
• an API limits/throttling boundary
• a unit of billing separation
Define your AWS account strategy.
9. But Keep in Mind, One Account Is Not Enough
Drivers for multiple accounts:
• Multiple teams
• Isolation
• Security controls
• Business process
• Billing
10. So What Kinds of Accounts Should I Create?
• Organizations master account (the account that owns the AWS Organization; AWS now calls this the management account)
• Security
• Shared Services
• Billing
• Logging
• Network
• Sandbox
• Dev
• Pre-Prod
• Prod
• Other
11. Define Your Account Security Strategy
• AWS account credential management (the “root account” credentials)
• Federation
• Baseline requirements
• InfoSec’s cross-account roles
• Actions & conditions (what each role may do, and under which conditions)
• Map enterprise roles (to AWS roles)
• AWS CloudTrail
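Added example (not from the original deck): one way a spoke account can express the “InfoSec cross-account role” and “actions & conditions” items above as an IAM trust policy, plus a small linter for the gaps a baseline review should catch (wildcard principals, untrusted accounts, extra actions, no MFA condition). The account ID and role name are placeholders.

```python
"""Cross-account role for InfoSec: build the trust policy a spoke account
publishes for the Security account, and lint trust policies for the gaps a
baseline review should catch.

Added example, not part of the original deck. The account ID and role name
are placeholders.
"""
import json

SECURITY_ACCOUNT = "111111111111"      # assumption: ID of the Security account
AUDIT_ROLE_NAME = "InfoSecAuditRole"   # assumption: role name used in every spoke account

# Actions that legitimately appear in a role trust policy.
TRUST_ACTIONS = {"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"}


def infosec_trust_policy(security_account=SECURITY_ACCOUNT, require_mfa=True):
    """Trust policy letting identities in the Security account assume the role.

    Trusting the account root delegates the 'who exactly' decision to IAM
    policies inside the Security account; the aws:MultiFactorAuthPresent
    condition means a leaked long-lived access key is not enough on its own.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{security_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    # Principals may be a bare account ID or an ARN such as arn:aws:iam::123456789012:root
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def trust_policy_findings(policy, trusted_accounts=(SECURITY_ACCOUNT,)):
    """Return human-readable findings; an empty list means the policy meets the baseline."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume this role")
        for arn in aws_principals:
            if arn != "*" and _account_of(arn) not in trusted_accounts:
                findings.append(f"principal outside the trusted accounts: {arn}")
        extra = [a for a in _as_list(stmt.get("Action", [])) if a not in TRUST_ACTIONS]
        if extra:
            findings.append(f"unexpected actions in a trust policy: {extra}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("no aws:MultiFactorAuthPresent condition on sts:AssumeRole")
    return findings


# Constructed sample of a trust policy that should fail review.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:*"}],
}

if __name__ == "__main__":
    print(json.dumps(infosec_trust_policy(), indent=2))
    for finding in trust_policy_findings(WEAK_TRUST_POLICY):
        print("finding:", finding)
```

The permission policy attached to the role (read-only for audit, in line with the “actions & conditions” item) is separate from the trust policy above; the linter only covers who may assume the role and under what conditions.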
12. And Choose Among Multiple VPC Options
• AWS services in your VPC
• VPC endpoints for Amazon S3
• DNS in-VPC with Amazon Route 53
• Logging VPC traffic with VPC Flow Logs
13. The Multi-Account Approach
Account roles:
• Orgs: account management
• Logging: centralized logs
• Security: AWS Config Rules, security tools
• Shared services: directory, DNS, limit monitoring
• Billing tooling: cost monitoring
• Sandbox: experiments
• Dev: development
• Pre-Prod: staging
• Prod: production
Diagram (labels recovered from the slide): Core accounts under the AWS Organizations master (Billing Tooling, Shared Services, Security, Logging, Internal Audit); Developer accounts (Developer Sandbox); BU/Product/Resource accounts (Sandbox, Dev, Pre-Prod, Prod); Direct Connect from Shared Services to the Data Center.
14. How Can We Make This Easy?
15. Introducing the AWS Landing Zone Solution (BETA)
An automated, easy-to-deploy solution implementing collective best practices for running secure and scalable workloads in AWS.
• Automated deployment
• Based on AWS best practices and recommendations
• Foundational security and governance controls
• Baseline accounts and account vending machine
16. What is the AWS Landing Zone? (BETA)
The AWS Landing Zone is a baseline AWS environment that includes the following components:
• Multiple AWS accounts
• Identity and Access Management
• Network design
• Data security
• Centralized logging
• Governance
17. AWS Landing Zone Tenets (BETA)
Designed for scalability. Able to grow and scale with your business.
Prescriptive. Implements prescriptive defaults when creating new accounts.
Flexible. Allows you to modify default configurations or add capabilities.
Easy to deploy. Leverages automation to simplify the experience.
Well-architected “compatible”. Allows you to build well-architected applications.
18. What You Get with the AWS Landing Zone (BETA)
Account management
• A multi-account architecture based on AWS best practices
• An account vending machine which enables automated deployment of new accounts with a set of security baselines
Security & governance
• Account security baseline with auditing capabilities (CloudTrail & Config)
• Data security baseline with governance checks
• Network security baseline
Logging
• Centralized logging
19. What You Get with the AWS Landing Zone (BETA), continued
Tagging mechanism
• Service Catalog default tags for admin product launches
• Service Catalog custom tags for end users
Mechanism for separation of duties out of the box
• Multiple accounts and defined cross-account roles allow implementation of separation of duties across all accounts
Enable SSO
• Eliminate IAM account sprawl
20. AWS Landing Zone Architecture (BETA)
Diagram (reconstructed as a list):
“Master” account (landing zone initiation)
• Account vending machine built from AWS Service Catalog, AWS Lambda, AWS SSM Parameter Store, AWS CloudFormation StackSets, AWS Organizations (Core OU) and Amazon SNS
• Baseline stacks: CloudTrail, Config, EBS encryption, CLV2, IAM roles; no default VPC
Shared Services account
• Directory Service, centralized logging (master), IAM roles, EC2 key pair, Amazon VPC
• AWS CloudTrail, AWS Config, Config rule (EBS encryption), Amazon SNS
Logging account
• S3 bucket for CloudTrail/Config, centralized logging (spoke), IAM roles; no default VPC
• AWS CloudTrail, AWS Config, Config rule (EBS encryption), Amazon SNS
Security account
• AWS STS, centralized logging (spoke); no default VPC
• AWS CloudTrail, AWS Config, Config rule (EBS encryption), Amazon SNS
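Added example (not from the original deck): the S3 bucket policy the Logging account attaches to its “S3 bucket for CloudTrail/Config” so that CloudTrail and AWS Config in every landing-zone account can deliver logs to it, together with two checks a reviewer would run over such a policy. The bucket name and account IDs are placeholders; the grant shape follows what AWS documents for cross-account CloudTrail and Config delivery.

```python
"""Centralized logging: bucket policy for the Logging account's
CloudTrail/Config bucket, plus checks on who may deliver and how.

Added example, not part of the original deck. Bucket name and account IDs
are placeholders. The two service principals may read the bucket ACL, may
write only under AWSLogs/<account-id>/ for the listed accounts, and must use
the bucket-owner-full-control ACL so the Logging account owns every object.
aws:SourceAccount limits which accounts' trails/recorders may write at all
(confused-deputy guard).
"""
import json

LOG_BUCKET = "lz-central-logs-example"                              # assumption
MEMBER_ACCOUNTS = ["111111111111", "333333333333", "444444444444"]  # assumption

LOG_SERVICES = ["cloudtrail.amazonaws.com", "config.amazonaws.com"]


def central_log_bucket_policy(bucket=LOG_BUCKET, accounts=MEMBER_ACCOUNTS):
    """Bucket policy granting delivery rights to exactly the listed accounts."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    accounts = sorted(accounts)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSLogDeliveryAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": LOG_SERVICES},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
                "Condition": {"StringEquals": {"aws:SourceAccount": accounts}},
            },
            {
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": {"Service": LOG_SERVICES},
                "Action": "s3:PutObject",
                # One prefix per account: logs can land only under the writer's own ID
                "Resource": [f"{bucket_arn}/AWSLogs/{acct}/*" for acct in accounts],
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": accounts,
                }},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _put_object_allows(policy):
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "s3:PutObject" in _as_list(stmt.get("Action")):
            yield stmt


def delivery_accounts(policy):
    """Account IDs that some Allow statement lets write under AWSLogs/<id>/."""
    accounts = set()
    for stmt in _put_object_allows(policy):
        for resource in _as_list(stmt.get("Resource")):
            if "/AWSLogs/" in resource:
                accounts.add(resource.split("/AWSLogs/", 1)[1].split("/", 1)[0])
    return sorted(accounts)


def unguarded_writes(policy):
    """Sids of PutObject grants that lack the bucket-owner-full-control
    condition AWS documents for CloudTrail/Config delivery."""
    bad = []
    for stmt in _put_object_allows(policy):
        acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != "bucket-owner-full-control":
            bad.append(stmt.get("Sid", "<no sid>"))
    return bad


if __name__ == "__main__":
    policy = central_log_bucket_policy()
    print(json.dumps(policy, indent=2))
    print("delivering accounts:", delivery_accounts(policy))
    print("unguarded writes:", unguarded_writes(policy))
```

When the account vending machine creates a new account, the new account ID has to be added to this policy (or the policy regenerated from the account list) before the new account’s CloudTrail and Config can deliver; a missing entry shows up as delivery failures, not as a security event.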
21. AWS Landing Zone Vending Machine (BETA)
Diagram (reconstructed as a list):
Master account
• AWS Service Catalog product launch
• Lambda-backed custom resource
• AWS Organizations: existing or new OU
• AWS CloudFormation StackSets (deploy the baseline stacks into the new account)
Logging account
• Amazon S3 bucket (receives the new account’s CloudTrail/Config logs)
New AWS account
• AWS CloudTrail stack, AWS Config stack, EBS encryption stack, CLV2 spoke
• Admin role, read-only role
• Amazon VPC (default)
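Added example (not from the original deck): what the “EBS encryption” Config rule that the vending machine deploys into each new account actually evaluates, written as a custom AWS Config rule Lambda. AWS also ships a managed rule (ENCRYPTED_VOLUMES) for this check; the custom version is shown because its evaluation logic can be read and run offline against constructed configuration items. Resource IDs and the KMS key ARN are placeholders.

```python
"""Custom AWS Config rule: report EBS volumes that are not encrypted.

Added example, not part of the original deck. The evaluation is a pure
function so it can be exercised offline with constructed configuration
items; boto3 is imported only inside the Lambda handler, the one part that
needs AWS credentials.
"""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_compliance(item):
    """Return (compliance_type, annotation) for one Config configuration item."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "rule only evaluates EBS volumes"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "volume has been deleted"
    config = item.get("configuration") or {}
    if config.get("encrypted") is True:
        return COMPLIANT, f"encrypted with {config.get('kmsKeyId', '<unknown key>')}"
    return NON_COMPLIANT, "EBS volume is not encrypted"


def parse_invoking_event(event):
    """Extract the configuration item from a rule invocation; None for
    scheduled invocations that carry no resource."""
    return json.loads(event["invokingEvent"]).get("configurationItem")


def lambda_handler(event, context):
    """Entry point for the rule's Lambda function (needs AWS credentials)."""
    import boto3  # imported lazily so the module also loads without the SDK
    item = parse_invoking_event(event)
    if item is None:
        return None
    compliance, annotation = evaluate_compliance(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed configuration items shaped like those AWS Config delivers.
SAMPLE_ITEMS = {
    "vol-plain": {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-plain",
                  "configurationItemStatus": "OK",
                  "configuration": {"encrypted": False}},
    "vol-cmk": {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-cmk",
                "configurationItemStatus": "OK",
                "configuration": {"encrypted": True,
                                  "kmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/example"}},
    "vol-gone": {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-gone",
                 "configurationItemStatus": "ResourceDeleted", "configuration": None},
    "sg-1": {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-1",
             "configurationItemStatus": "OK", "configuration": {}},
}


def evaluate_samples(items=SAMPLE_ITEMS):
    """Map each sample resource ID to its compliance type."""
    return {rid: evaluate_compliance(item)[0] for rid, item in items.items()}


if __name__ == "__main__":
    for rid, result in evaluate_samples().items():
        print(rid, result)
```

A rule like this only reports; it does not stop an unencrypted volume from being created. Pair it with the SNS notification the architecture shows and, where the account’s purpose allows, with EBS encryption by default in the account so the rule mostly confirms the baseline rather than catching drift.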
22. Benefits of the AWS Automated Landing Zone
• Guardrails, not blockers
• Auditable
• Flexible
• Automated
• Scalable
• Self-service
23. AWS Landing Zone Pricing and Availability (BETA)
• Monthly charges for deployed resources apply
• No additional charge for the AWS Landing Zone solution
• Available in private beta
24. Next Steps
• Look out for the GA release in Q2 2018
• Work with your account team to sign up for the beta
• Deploy the solution
• Provide feedback to help prioritize new features
25. Thank You!