SID331_Architecting Security and Governance Across a Multi-Account Strategy

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Architecting Security and
Governance Across a Multi-Account
Strategy
C
S I D 3 3 1
N o v e m b e r 2 7 , 2 0 1 7
S a m E l m a l a k , S o l u t i o n s A r c h i t e c t , A W S
B e n W o o d w a r d , A r c h i t e c t , T h o m s o n R e u t e r s

Once Upon a Time…
0
5
10
15
20
25
30
35
40
1 2 3 4 5 6 7 8
Sales

Once Upon a Time…(cont’d.)
0
5
10
15
20
25
30
35
40
1 2 3 4 5 6 7 8 9 10
Sales

0
10
20
30
40
50
60
1 2 3 4 5 6 7 8 9 10 11 12 13
Sales
Red Riding
Hood
The Seven
Dwarves
AWS
CloudTrail

0
10
20
30
40
50
60
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Sales
Red Riding
Hood

What to Expect from the Session
• An enterprise-ready multi-account framework
• Action plan to implement this approach

Security/Resource
Boundary
API Limits/Throttling
Billing Separation
AWS Account

Account Models
One
Account
1,000s of
Accounts

Why One Isn’t Enough
Many Teams Isolation
Security Controls Business Process
Billing

Thomson Reuters’ Multi-Account
Strategy
Ben Woodward, Architect, Thomson Reuters
C a s e S t u d y

Thomson Reuters
• Global organization
• 100+ countries
• Provide information and products to tax, legal, and financial
professionals
• Five business units (BUs)
• 12,000 technologists
STG315 - Case Study: Learn How
Thomson Reuters Uses Amazon EFS
to Deliver Billions of Pieces of
Content to Hundreds of Millions of
Visitors Every Year

Connectivity to Data Centers
AWS accounts
• Project isolation
• AWS API limits
• Billing separation
AWS regions
• Data residency
• New growth opportunities
• Latency requirements

Network Topology
Availability Zone
Region 1
Availability Zone
Region 1
VPC
Peering
Public Subnet Private Subnet
AWS
Direct Connect
10.0.0.0/16Corporate data
center
VPN
Region 1
Private
VIF

Account Creation
Organizations
New
Account
OrganizationAccount
AccessRole
1. Create new
account
2. Assume cross-
account role
3. Inflate account
5. Delete
Organizations
Role
4. Move new
account into OU
• Self-service
account creation
• Enables use of
service control
policies (SCPs)

Account Inflation
Vault root credentials
Creation of service management records
Federated with corporate identity provider
Create initial operations roles
VPC and network setup
AWS Direct Connect/VPC Peering
Security controls and logging setup
Enable logging, create Security and
Custodian IAM roles
• Use a workflow tool
• Build up
AWS CloudFormation
dynamically
• Config-driven

Logging Account
• Single source of truth
• One place to secure
• Very limited access
• Multiple Amazon S3
buckets
• Add read-only access
when needed
Logging
Shared
Services
Security
AWS
Account

Custodian Account
• Trust but verify
• Need a single pane
of glass into all our
accounts
AWS ConfigAWS Trusted Advisor
TR Account
ReadOnly
ReadWrite
Custodian Account
ReadOnly
ReadWrite
AssumeRole
AssumeRole
• Notify as opposed
to enforce
• Custodian account
• Selecting tooling

Security Account
Security Security account for SecOps
Process logs
Host security tooling
Perform incident management
Conduct security audit
Logging
Accounts

Shared Services Accounts
Direct
Connect
DNS Shared
Services
Shared
Services
• Separate business critical
services
• AWS Direct Connect
• DNS servers
• Bastion hosts
• Network monitors
• Building AMIs
• More limited access
• Reduce blast radius

Sandbox Accounts
Sandbox Account
Per Business Unit
• Team innovation
• No DC connectivity
• Multi-tenant
• Restrictive permissions
• Full account inflation
Sandbox Account
Per Developer
• Learn and experiment
• No DC connectivity
• Single tenant
• Full permissions
• Minimal account inflation

SDLC Accounts
Dev Staging Prod Disaster Recovery
• Started small, keep talking to our BUs
• Types of resource isolation
• Root Vaulted
• Base Networking
• Security Controls
• IAM Federation
• Base IAM Roles
• Root Vaulted
• Base Networking
• IAM Federation
• Base IAM Roles
• Root Vaulted
• Base Networking
• IAM Federation
• Base IAM Roles
• Root Vaulted
• Base Networking
• IAM Federation
• Base IAM Roles
Non-Prod

Multi-tenant Resource Isolation Using IAM
Conditions
Action: ec2:TerminateInstances
Condition:
StringEquals:
"ec2:ResourceTag/app-id": "123"
Resource Name
Action: iam:PassRole
Resource: arn:aws:iam::*:Role/123*
• IAM can give you
resource isolation
• Setting tag conditions
and resource names in
IAM policies
• It comes with an overhead
• Not 100% coverage
• Policy templates and
automation

CI/CD Accounts
BU Dev
• Host CI/CD pipelines
• Perform chaos engineering
Build Pipeline
Deployment
IAM role
AWS
CloudFormation
Artifact
Store
CICD Account
AWS
CodeDeploy
BU Staging
Deployment
IAM role
AWS
CloudFormation
AWS
CodeDeploy
BU Prod
Deployment
IAM role
AWS
CloudFormation
AWS
CodeDeploy
Steps
2. Deploy
AWS CloudFormation
3. Deploy application
2. For each account
1.Build artifact
1. AssumeRole

Where We Started—Where We Are Now
Sandbox
Dev Staging
Business Unit Accounts
Developer Accounts
Security
Enterprise Accounts
AWS Organizations Master
Shared
Services Sandbox
Direct
Connect
DNS Logging
Prod
CI/CD
Custodian
DR

Pros
• Complete security and resources
isolation
• Smaller blast radius
• Simplified billing per account
Cons
• Aggregation/Distribution
• Setup and operation overhead
• More complex security policies across
accounts
Multiple Accounts

Guardrails NOT Blockers Auditable Flexible
Automated Scalable Self-service
Goals

Account Security—Day 1
InfoSec’s
Cross-
Account
Roles
AWS Account
Credential
Management
(“Root Account”)
Federation
Baseline Requirements
Actions &
Conditions
Map
Enterprise
Roles
AWS
CloudTrail

What Accounts Should I Create?
Security Shared Services Billing
Dev ProdSandbox OtherPre-Prod
Organizations Master Account
Logging Direct Connect

Data Center
No connection to DC
Service control policies
Consolidated billing
Volume discount
Minimal resources
Limited access
Delete Orgs role!

SCP: Stop CloudTrail Being Disabled
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": ”cloudtrail:StopLogging",
"Resource": "*"
}
]
}

SCP: No Internet Gateway for Amazon VPC
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:AttachInternetGateway”,
“ec2:CreateInternetGateway”,
“ec2:AttachEgressOnlyInternetGateway”,
“ec2:CreateVpcPeeringConnection”,
“ec2:AcceptVpcPeeringConnection"
],
"Resource": "*"
}
]

Logging
Enterprise Accounts
Data Center
Logging
Versioned Amazon S3
bucket
Restricted
MFA delete
CloudTrail logs
Security logs
Single source of truth
Limited access

Security Account
Enterprise Accounts
Data Center
Optional data center
connectivity
Security tools and audit
Cross-account
read/write
Limited access
AWS
CloudTrail
AWS
Config
Logging
Security

Direct Connect/Network
Security
Enterprise Accounts
Data Center
Managed by network
team
AWS Direct Connect/
networking services
Limited access
Logging
Direct
Connect

Shared Services
Security
Enterprise Accounts
Direct
Connect
Data Center
Connected to DC
DNS
LDAP/Active Directory
Shared Services VPC
Deployment tools
Golden AMI
Pipeline
Scanning infrastructure
Inactive instances
Improper tags
Snapshot lifecycle
Monitoring
Limited access
Logging
Shared
Services

Billing Tooling
Security
Enterprise Accounts
Shared
Services
Direct
Connect
Data Center
Reduces access to
Master Organizations
account
Billing reports
Usage metrics and
reporting
Usage optimizations
and RI management
Limited access
Logging
Billing
Tooling

Internal Audit
Security
Enterprise Accounts
Billing
Tooling
Shared
Services
Direct
Connect
Data Center
Logging
Regulatory compliance
Read-only access to
needed logs
Limited access
ENT324: Automating
and Auditing Cloud
Governance and
Compliance in Multi-
Account Environments
Internal
Audit

Developer Sandbox
Security
Enterprise Accounts
Billing
Tooling
Shared
Services
Direct
Connect
Internal
Audit
Data Center
Logging
No connection to DC
Innovation space
Fixed spending limit
Autonomous
Experimentation
Developer Accounts
Developer
Sandbox

BU/Product/Resource
Developer
Sandbox
Developer Accounts
Security
Enterprise Accounts
Billing
Tooling
Shared
Services
Direct
Connect
Internal
Audit
Data Center
Logging
Based on level of
needed isolation
Match your
development lifecycle
BU/Product/Resource Accounts

Dev
Developer
Sandbox
Developer Accounts
Security
Enterprise Accounts
Billing
Tooling
Shared
Services
Direct
Connect
Internal
Audit
Data Center
Logging
Develop and iterate
quickly
Collaboration space
Stage of SDLC
Dev

Pre-Prod
Developer
Sandbox
Dev
Developer Accounts
Security
Enterprise Accounts
Billing
Tooling
Shared
Services
Direct
Connect
Internal
Audit
Data Center
Logging
Connected to DC
Production-like
Staging
QA
Automated
deployments
Pre-Prod

Production
Developer
Sandbox
Dev Pre-Prod
Developer Accounts
Security
Enterprise Accounts
Billing
Tooling
Shared
Services
Direct
Connect
Internal
Audit
Data Center
Logging
Connected to DC
Production applications
Promoted from Pre-Prod
Limited access
Prod

BU/Team Shared Services
Developer
Sandbox
Dev Pre-Prod
Developer Accounts
Security
Enterprise Accounts
Billing
Tooling
Shared
Services
Direct
Connect
Internal
Audit
Data Center
Logging
Prod
Grows organically
Shared to the
BU/team
Product-specific
common services
Data lake
Common tooling
Common services
Shared
Services

BU/Team Sandbox
Developer
Sandbox
Dev Pre-Prod
Developer Accounts
Security
Enterprise Accounts
Billing
Tooling
Shared
Services
Direct
Connect
Internal
Audit
Data Center
Logging
Prod
Shared
Services
No connection to data
center
New initiatives
Disconnected from
data center
Experimentation
Innovation
Sandbox

Sandbox/Innovation Pipeline
Developer
Accounts
Developer Accounts
PoC
Developer
Accounts
Developer Accounts
Dev
Pre-Prod
Sandbox Prod
Shared
Services
PoC

Special/Exception
• Be flexible
• Regulatory/compliance
• Additional isolation/security controls (PII)
• Complex platform/product

Summary

Multi-account Approach
Developer
Sandbox
Dev Pre-Prod
Developer Accounts
Security
Enterprise Accounts
Billing
Tooling
Shared
Services
Sandbox
Direct
Connect
Internal
Audit
Data Center
Logging
Prod
Shared
Services
Orgs: Account management
Logging: Centralized logs
Security: AWS Config Rules,
security tools
Shared services: Directory, DNS,
limit monitoring
Billing Tooling: Cost monitoring
Sandbox: Experiments
Dev: Development
Pre-Prod: Staging/dev
Prod: Production

Next Steps
• Define tagging strategy
• Define automation strategy
• Create Organizations account
• Create Logging account
• Create Security account
• Create Shared Services account
• Create Billing Tooling account
• Create Developer Sandbox account(s)

Define automation strategy
Define tagging strategy
http://amzn.to/2du6zJb
Define IP address space strategy
Non-overlapping from data center
Non-overlapping to other accounts/VPCs
Create Organizations Master account
Create Logging account
Create bucket(s) for CloudTrail and AWS Config
Enable MFA delete
Enable versioning
Define limited access bucket policy
Backfill: Enable CloudTrail in root account to
send logs to logging account
Backfill: Copy CloudTrail logs for actions that
happened between Organizations Master
creation and logging
Action Plan

Create Security account
Backfill: cross-account roles with trust to
security account for root and logging
Read-only role
Read/Write role (fewer permissions)
Enable CloudTrail and send to logging account
Create security tooling/Lambda functions for
security checks
Create AWS Direct Connect account
<CommonCheckList>
Create Billing Tooling account
<CommonCheckList>
Create Shared Services account
• <CommonCheckList>
• Connect via DX/VPN to DC
• Launch common services
• Directory services
• DNS
Action Plan

Create BU accounts (per stage/dev cycle)
Create BU/Team Sandbox account (maybe)
<CommonCheckList>
Create BU/Team Dev account
<CommonCheckList>
Connect via DX/VPN to DC dev network
Peer VPC with Shared Services
Create BU/Team Non-Prod/Pre-Prod Account
<CommonCheckList>
Connect via DX/VPN to DC non-prod
network
Create BU/Team Prod account
<CommonCheckList>
Connect via DX/VPN to DC prod network
Create individual Developer Sandbox accounts
Ensure cross-account security roles are present
Keep isolated and disconnected
Secure MFA/root
Create Internal Audit account
• <CommonCheckList>
Action Plan

Secure Root credentials
• MFA
• Complex password
• Establish rotation policy
Link to Organizations Master account if not already
a member
Enable CloudTrail in all regions, send to logging
account
Enable AWS Config, send to logging account
Create read-only cross-account Security role
Create read/write cross-account Security role
Create VPC (non-overlapping IP space)
Enable federation into account
• http://federationworkshopreinvent2016.s3
-website-us-east-1.amazonaws.com/
Define roles and access policies
Use group email/phone as the contact info
Add a policy around prefix naming conditions to
every account—e.g., deny access to Lambda
functions that start with “security*”
Review CIS Foundations Benchmark and leverage as
appropriate
<CommonCheckList>

Multi-Account Track
• SID331: Architecting Security and Governance Across a Multi-Account
Strategy (Session)
• SID335: Implementing Security and Governance Across a Multi-Account
Strategy (Chalk Talk)
• ENT324: Automating and Auditing Cloud Governance and Compliance in
Multi-Account Environments (Session)
• SID311: Designing Security and Governance Across a Multi-Account
Strategy (Workshop)
• ARC325: Managing Multiple AWS Accounts at Scale (Workshop)
• SID308: Multi-Account Strategies (Chalk Talk)
• SID321: How Capital One Applies AWS Organizations Best Practices to
Manage Multiple AWS Accounts (Session)

Thank you!
Pl ease compl ete surveys

SID331_Architecting Security and Governance Across a Multi-Account Strategy

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SID331_Architecting Security and Governance Across a Multi-Account Strategy

Similar to SID331_Architecting Security and Governance Across a Multi-Account Strategy (20)

More from Amazon Web Services

More from Amazon Web Services (20)

SID331_Architecting Security and Governance Across a Multi-Account Strategy