
SID331_Architecting Security and Governance Across a Multi-Account Strategy


Whether it is per business unit or per application, many AWS customers use multiple accounts to meet their infrastructure isolation, separation of duties, and billing requirements. In this session, we discuss considerations, limitations, and security patterns when building out a multi-account strategy. We explore topics such as identity federation, cross-account roles, consolidated logging, and account governance. Thomson Reuters shared their journey and their approach to a multi-account strategy. At the end of the session, we present an enterprise-ready, multi-account architecture that you can start leveraging today.

We encourage you to attend the full multi-account track:
SID331: Architecting Security and Governance Across a Multi-Account Strategy (Session)
SID335: Implementing Security and Governance Across a Multi-Account Strategy (Chalk Talk)
ENT324: Automating and Auditing Cloud Governance and Compliance in Multi-Account Environments (Session)
SID311: Designing Security and Governance Across a Multi-Account Strategy (Workshop)
SID308: Multi-Account Strategies (Chalk Talk)


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:Invent: Architecting Security and Governance Across a Multi-Account Strategy (SID331), November 27, 2017. Sam Elmalak, Solutions Architect, AWS; Ben Woodward, Architect, Thomson Reuters
  2. Once Upon a Time… [chart: Sales by period]
  3. Once Upon a Time… (cont'd.) [chart: Sales by period]
  4. Once Upon a Time… (cont'd.) [chart: Sales by period, labelled Red Riding Hood, The Seven Dwarves, AWS CloudTrail]
  5. Once Upon a Time… (cont'd.) [chart: Sales by period, labelled Red Riding Hood]
  6. What to Expect from the Session • An enterprise-ready multi-account framework • Action plan to implement this approach
  7. AWS Account: Security/Resource Boundary • API Limits/Throttling • Billing Separation
  8. Account Models: One Account … 1,000s of Accounts
  9. Why One Isn't Enough: Many Teams • Isolation • Security Controls • Business Process • Billing
  10. Case Study: Thomson Reuters' Multi-Account Strategy. Ben Woodward, Architect, Thomson Reuters
  11. Thomson Reuters • Global organization • 100+ countries • Provide information and products to tax, legal, and financial professionals • Five business units (BUs) • 12,000 technologists. See also STG315 - Case Study: Learn How Thomson Reuters Uses Amazon EFS to Deliver Billions of Pieces of Content to Hundreds of Millions of Visitors Every Year
  12. Connectivity to Data Centers. AWS accounts • Project isolation • AWS API limits • Billing separation. AWS regions • Data residency • New growth opportunities • Latency requirements
  13. Network Topology [diagram: Region 1 with Availability Zones, public and private subnets and VPC peering; AWS Direct Connect private VIF plus VPN back to the corporate data center (10.0.0.0/16)]
  14. Account Creation (Organizations creates the new account, which exposes the OrganizationAccountAccessRole): 1. Create new account 2. Assume cross-account role 3. Inflate account 4. Move new account into OU 5. Delete Organizations role • Self-service account creation • Enables use of service control policies (SCPs)
  15. Account Inflation: Vault root credentials • Creation of service management records • Federated with corporate identity provider • Create initial operations roles • VPC and network setup (AWS Direct Connect/VPC peering) • Security controls and logging setup (enable logging, create Security and Custodian IAM roles). Approach: • Use a workflow tool • Build up AWS CloudFormation dynamically • Config-driven
  16. Logging Account [diagram: Logging, Shared Services and Security AWS accounts] • Single source of truth • One place to secure • Very limited access • Multiple Amazon S3 buckets • Add read-only access when needed
  17. Custodian Account • Trust but verify • Need a single pane of glass into all our accounts [diagram: the Custodian account uses AssumeRole into ReadOnly and ReadWrite roles in each TR account; AWS Config, AWS Trusted Advisor] • Notify as opposed to enforce • Custodian account • Selecting tooling
  18. Security Account (alongside the Logging accounts): Security account for SecOps • Process logs • Host security tooling • Perform incident management • Conduct security audit
  19. Shared Services Accounts (Direct Connect, DNS, Shared Services) • Separate business-critical services • AWS Direct Connect • DNS servers • Bastion hosts • Network monitors • Building AMIs • More limited access • Reduce blast radius
  20. Sandbox Accounts. Sandbox Account Per Business Unit • Team innovation • No DC connectivity • Multi-tenant • Restrictive permissions • Full account inflation. Sandbox Account Per Developer • Learn and experiment • No DC connectivity • Single tenant • Full permissions • Minimal account inflation
  21. SDLC Accounts (Dev, Staging, Prod, Disaster Recovery; Non-Prod) • Started small, keep talking to our BUs • Types of resource isolation. Each account gets: Root Vaulted • Base Networking • Security Controls • IAM Federation • Base IAM Roles
  22. Multi-tenant Resource Isolation Using IAM Conditions. Tag condition: Action: ec2:TerminateInstances, Condition: StringEquals: "ec2:ResourceTag/app-id": "123". Resource name: Action: iam:PassRole, Resource: arn:aws:iam::*:Role/123* • IAM can give you resource isolation • Setting tag conditions and resource names in IAM policies • It comes with an overhead • Not 100% coverage • Policy templates and automation
  23. CI/CD Accounts [diagram: CICD Account with build pipeline, artifact store and AWS CodeDeploy; a deployment IAM role and AWS CloudFormation in each of BU Dev, BU Staging and BU Prod] • Host CI/CD pipelines • Perform chaos engineering. Steps: 1. Build artifact 2. For each account: 1. AssumeRole 2. Deploy AWS CloudFormation 3. Deploy application
  24. Where We Started—Where We Are Now [diagram: Enterprise Accounts (AWS Organizations Master, Shared Services, Direct Connect, DNS, Logging, Security, CI/CD, Custodian), Business Unit Accounts (Sandbox, Dev, Staging, Prod, DR) and Developer Accounts (Sandbox)]
  25. Multiple Accounts. Pros • Complete security and resource isolation • Smaller blast radius • Simplified billing per account. Cons • Aggregation/distribution • Setup and operation overhead • More complex security policies across accounts
  26. Goals: Guardrails NOT Blockers • Auditable • Flexible • Automated • Scalable • Self-service
  27. Account Security—Day 1: AWS Account • Credential Management ("Root Account") • Federation • InfoSec's Cross-Account Roles • Baseline Requirements • Actions & Conditions • Map Enterprise Roles • AWS CloudTrail
  28. What Accounts Should I Create? Organizations Master Account • Security • Logging • Shared Services • Direct Connect • Billing • Dev • Pre-Prod • Prod • Sandbox • Other
  29. AWS Organizations Master [diagram: no connection to the data center] • Service control policies • Consolidated billing • Volume discount • Minimal resources • Limited access • Delete Orgs role!
  30. SCP: Stop CloudTrail Being Disabled
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": "cloudtrail:StopLogging",
            "Resource": "*"
          }
        ]
      }
  31. SCP: No Internet Gateway for Amazon VPC
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": [
              "ec2:AttachInternetGateway",
              "ec2:CreateInternetGateway",
              "ec2:AttachEgressOnlyInternetGateway",
              "ec2:CreateVpcPeeringConnection",
              "ec2:AcceptVpcPeeringConnection"
            ],
            "Resource": "*"
          }
        ]
      }
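As an added illustration (not code from this deck or from AWS), the Python below models how the deny-only SCPs on slides 30-31 and the tag and resource-name conditions on slide 22 combine: the SCP deny is checked first and cannot be overridden from inside the account, then the tenant's own policy decides. The policies, account IDs and ARNs are constructed, and the role prefix uses the real `role/` ARN segment rather than the slide's `Role/`.

```python
"""Toy model of how the deck's two policy layers stack: an organization-level
SCP deny (slides 30-31) is checked first and cannot be overridden from inside
the account, then the tenant's IAM policy with its tag condition (slide 22)
decides. Constructed for illustration; it is not the AWS policy engine and
models only StringEquals conditions and deny-list style SCPs."""
from fnmatch import fnmatchcase

SCP_PROTECT_CLOUDTRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"}]}

# Hypothetical tenant policy for the application tagged app-id=123.
APP_123_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/app-id": "123"}}},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::*:role/123*"}]}

# Broad in-account admin policy, used to show what the SCP does and does not stop.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _applies(stmt, action, resource, ctx):
    """True when the statement's Action, Resource and Condition all match."""
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        # A missing context key (e.g. an untagged instance) fails StringEquals.
        if ctx.get(key) not in _as_list(wanted):
            return False
    return True


def evaluate(scps, identity_policy, action, resource, ctx=None):
    """Return 'DENY_SCP', 'DENY_EXPLICIT', 'DENY_IMPLICIT' or 'ALLOW'."""
    ctx = ctx or {}
    for scp in scps:  # 1. an SCP deny wins over anything granted in the account
        for s in scp["Statement"]:
            if s["Effect"] == "Deny" and _applies(s, action, resource, ctx):
                return "DENY_SCP"
    decision = "DENY_IMPLICIT"  # 2. nothing is allowed until a statement says so
    for s in identity_policy["Statement"]:
        if _applies(s, action, resource, ctx):
            if s["Effect"] == "Deny":
                return "DENY_EXPLICIT"
            decision = "ALLOW"
    return decision
```

With the deck's SCP, `evaluate([SCP_PROTECT_CLOUDTRAIL], ADMIN_POLICY, "cloudtrail:StopLogging", trail_arn)` returns DENY_SCP even for an account admin, while `cloudtrail:DeleteTrail` still returns ALLOW, which is why a production SCP would normally deny cloudtrail:DeleteTrail and cloudtrail:UpdateTrail as well.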
  32. Logging [diagram: Enterprise Accounts: AWS Organizations Master, Logging; Data Center] • Versioned Amazon S3 bucket • Restricted • MFA delete • CloudTrail logs • Security logs • Single source of truth • Limited access
  33. Security Account [diagram adds Security] • Optional data center connectivity • Security tools and audit (AWS CloudTrail, AWS Config) • Cross-account read/write • Limited access
  34. Direct Connect/Network [diagram adds Direct Connect] • Managed by network team • AWS Direct Connect/networking services • Limited access
  35. Shared Services [diagram adds Shared Services, connected to the Data Center] • Connected to DC • DNS • LDAP/Active Directory • Shared Services VPC • Deployment tools • Golden AMI pipeline • Scanning infrastructure (inactive instances, improper tags, snapshot lifecycle) • Monitoring • Limited access
  36. Billing Tooling [diagram adds Billing Tooling] • Reduces access to Master Organizations account • Billing reports • Usage metrics and reporting • Usage optimizations and RI management • Limited access
  37. Internal Audit [diagram adds Internal Audit] • Regulatory compliance • Read-only access to needed logs • Limited access. See ENT324: Automating and Auditing Cloud Governance and Compliance in Multi-Account Environments
  38. Developer Sandbox [diagram adds Developer Accounts: Developer Sandbox] • No connection to DC • Innovation space • Fixed spending limit • Autonomous • Experimentation
  39. BU/Product/Resource Accounts [diagram adds BU/Product/Resource Accounts] • Based on level of needed isolation • Match your development lifecycle
  40. Dev • Develop and iterate quickly • Collaboration space • Stage of SDLC
  41. Pre-Prod • Connected to DC • Production-like • Staging • QA • Automated deployments
  42. Production • Connected to DC • Production applications • Promoted from Pre-Prod • Limited access
  43. BU/Team Shared Services • Grows organically • Shared to the BU/team • Product-specific common services • Data lake • Common tooling • Common services
  44. BU/Team Sandbox • No connection to data center • New initiatives • Experimentation • Innovation
  45. Sandbox/Innovation Pipeline [diagram: PoC work in Developer Accounts and the BU Sandbox is promoted through the Dev, Pre-Prod and Prod BU/Product/Resource Accounts, backed by Shared Services]
  46. Special/Exception • Be flexible • Regulatory/compliance • Additional isolation/security controls (PII) • Complex platform/product
  47. Summary
  48. Multi-account Approach [diagram: full account layout from slides 32-44] • Orgs: Account management • Logging: Centralized logs • Security: AWS Config Rules, security tools • Shared services: Directory, DNS, limit monitoring • Billing Tooling: Cost monitoring • Sandbox: Experiments • Dev: Development • Pre-Prod: Staging/dev • Prod: Production
  49. Next Steps • Define tagging strategy • Define automation strategy • Create Organizations account • Create Logging account • Create Security account • Create Shared Services account • Create Billing Tooling account • Create Developer Sandbox account(s)
  50. Action Plan
      • Define automation strategy
      • Define tagging strategy (http://amzn.to/2du6zJb)
      • Define IP address space strategy: non-overlapping with the data center; non-overlapping with other accounts/VPCs
      • Create Organizations Master account
      • Create Logging account: create bucket(s) for CloudTrail and AWS Config; enable MFA delete; enable versioning; define limited-access bucket policy; backfill: enable CloudTrail in the root account to send logs to the logging account; backfill: copy CloudTrail logs for actions that happened between Organizations Master creation and logging
  51. Action Plan (cont'd.)
      • Create Security account: backfill cross-account roles with trust to the security account for root and logging; read-only role; read/write role (fewer permissions); enable CloudTrail and send to logging account; create security tooling/Lambda functions for security checks
      • Create AWS Direct Connect account: <CommonCheckList>
      • Create Billing Tooling account: <CommonCheckList>
      • Create Shared Services account: <CommonCheckList>; connect via DX/VPN to DC; launch common services (directory services, DNS)
  52. Action Plan (cont'd.)
      • Create BU accounts (per stage/dev cycle): BU/Team Sandbox account (maybe): <CommonCheckList>. BU/Team Dev account: <CommonCheckList>; connect via DX/VPN to DC dev network; peer VPC with Shared Services. BU/Team Non-Prod/Pre-Prod account: <CommonCheckList>; connect via DX/VPN to DC non-prod network; peer VPC with Shared Services. BU/Team Prod account: <CommonCheckList>; connect via DX/VPN to DC prod network; peer VPC with Shared Services
      • Create individual Developer Sandbox accounts: ensure cross-account security roles are present; keep isolated and disconnected; secure MFA/root
      • Create Internal Audit account: <CommonCheckList>
  53. <CommonCheckList>
      • Secure root credentials: MFA; complex password; establish rotation policy
      • Link to Organizations Master account if not already a member
      • Enable CloudTrail in all regions, send to logging account
      • Enable AWS Config, send to logging account
      • Create read-only cross-account Security role
      • Create read/write cross-account Security role
      • Create VPC (non-overlapping IP space)
      • Enable federation into account (http://federationworkshopreinvent2016.s3-website-us-east-1.amazonaws.com/)
      • Define roles and access policies
      • Use group email/phone as the contact info
      • Peer VPC with Shared Services
      • Add a policy around prefix naming conditions to every account, e.g. deny access to Lambda functions that start with "security*"
      • Review CIS Foundations Benchmark and leverage as appropriate
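An added example (not from the deck or from Thomson Reuters) that turns the Logging-account items of the action plan (versioned bucket, MFA delete, limited-access bucket policy, CloudTrail and AWS Config delivery from every member account) into a check a security account could run over a bucket's versioning state and policy document. The bucket name, member account IDs and reader role ARN are placeholders.

```python
"""Check a central logging bucket against the action-plan checklist: versioning
on, MFA delete on, and a bucket policy that lets only the log services write,
only a named security role read, and nobody use plain HTTP. Constructed example,
not AWS or Thomson Reuters code; follows the standard CloudTrail bucket policy."""
LOG_SERVICES = {"cloudtrail.amazonaws.com", "config.amazonaws.com"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principals(stmt):
    """Flatten Principal into a list of strings; a bare "*" stays "*"."""
    p = stmt.get("Principal", "*")
    return ["*"] if p == "*" else [x for v in p.values() for x in _as_list(v)]

def audit_logging_bucket(versioning, policy, reader_role_arn):
    """Return findings; an empty list means the bucket matches the checklist."""
    findings = []
    for key, label in (("Status", "versioning"), ("MFADelete", "MFA delete")):
        if versioning.get(key) != "Enabled":
            findings.append(f"{label} is not enabled")
    tls_deny = False
    for s in policy["Statement"]:
        actions, princs, cond = _as_list(s["Action"]), _principals(s), s.get("Condition", {})
        if s["Effect"] == "Deny":  # denies only tighten access; just note the TLS one
            tls_deny |= cond.get("Bool", {}).get("aws:SecureTransport") == "false"
            continue
        if "*" in princs:
            findings.append(f"wildcard principal may {actions}")
        for a in actions:
            if a == "s3:PutObject":  # writers: log services only, bucket owner keeps control
                acl = cond.get("StringEquals", {}).get("s3:x-amz-acl")
                if not set(princs) <= LOG_SERVICES or acl != "bucket-owner-full-control":
                    findings.append("PutObject not limited to log services with bucket-owner-full-control")
            elif a.startswith("s3:Delete") or a == "s3:*":  # nobody gets delete rights
                findings.append(f"{a} granted to {princs}")
            else:  # reads: the named role, plus service metadata reads (GetBucketAcl/ListBucket)
                ok = {reader_role_arn} | (set() if a == "s3:GetObject" else LOG_SERVICES)
                bad = [p for p in princs if p not in ok]
                if bad: findings.append(f"{a} granted to {bad}")
    if not tls_deny:
        findings.append("no Deny for aws:SecureTransport=false")
    return findings

# Constructed sample (placeholder bucket name, member account IDs and role ARN).
BUCKET = "arn:aws:s3:::example-org-logging"
READER = "arn:aws:iam::333333333333:role/SecurityReadOnly"
VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": BUCKET},
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": [f"{BUCKET}/AWSLogs/{a}/*" for a in ("111111111111", "222222222222")],
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Effect": "Allow", "Principal": {"AWS": READER},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, f"{BUCKET}/*"]},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
```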
  54. Multi-Account Track • SID331: Architecting Security and Governance Across a Multi-Account Strategy (Session) • SID335: Implementing Security and Governance Across a Multi-Account Strategy (Chalk Talk) • ENT324: Automating and Auditing Cloud Governance and Compliance in Multi-Account Environments (Session) • SID311: Designing Security and Governance Across a Multi-Account Strategy (Workshop) • ARC325: Managing Multiple AWS Accounts at Scale (Workshop) • SID308: Multi-Account Strategies (Chalk Talk) • SID321: How Capital One Applies AWS Organizations Best Practices to Manage Multiple AWS Accounts (Session)
  55. Thank you! Please complete surveys.
