© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Up and running with multi-account security guardrails
GRC327-R
Eric Rose, Senior Security Consultant, AWS
Andy Wickersham, Security Consultant, AWS
What do customers want to do on AWS?
• Focus on what differentiates
• Ideation to instantiation
• Secure and compliant environment
What do customers want to do on AWS?
• Meets the organization’s security and auditing requirements
• Ready to support highly available and scalable workloads
• Configurable to support evolving business requirements
Customers are faced with
• Many design decisions
• Need to configure multiple accounts & services
• Establishing security baseline & governance
Account security considerations
Baseline requirements
• Lock: AWS account credential management (root account)
• Enable: AWS CloudTrail, Amazon GuardDuty
• Define: map enterprise roles and permissions
• Federate: use identity solutions
• Establish: InfoSec cross-account roles
• Identify: actions and conditions to enforce governance
Network architecture considerations
• AWS services in your VPC
• VPC endpoints for Amazon S3
• DNS in VPC with Amazon Route 53
• Logging VPC traffic with VPC flow logs
Multi-account approach
[Diagram: AWS Organizations over the core accounts (Security, Shared services, Network, Log archive), the team/group accounts (Developer sandbox, Dev, Pre-prod, Prod, Team shared services), the developer accounts and the data center. Legend: network path, optional network path, log flow.]
• Orgs: Account management
• Log archive: Security logs
• Security: Security tools, AWS Config rules
• Shared services: Directory, limit monitoring
• Network: AWS Direct Connect
• Dev sandbox: Experiments, learning
• Dev: Development
• Pre-prod: Staging
• Prod: Production
• Team SS: Team shared services, data lake
You need a landing zone
• A configured, secure, scalable, multi-account AWS environment based on AWS best practices
• A starting point for new development and experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension over time
The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup of new AWS multi-account environments
• Based on AWS best practices and recommendations
• Initial security and governance controls
• Baseline accounts and account vending machine
• Automated deployment
What you get with the AWS Landing Zone
Account management
• Framework for creating and baselining a multi-account environment
• Initial multi-account structure including security, audit, & shared service requirements
• An account vending machine that enables automated deployment of additional accounts with a set of security baselines
Identity & access management
• User account access managed through AWS SSO federation
• Cross-account roles enable centralized management
Security & governance
• Multiple accounts enable separation of duties
• Initial account security and AWS Config rules baseline
• Network baseline
• Sets up monitoring and intelligent threat detection (through Amazon GuardDuty)
Solution extensibility
• Easily deploy optional add-ons to extend your AWS Landing Zone
AWS Landing Zone structure: Basic
[Diagram: an Amazon S3 bucket holding the manifest file feeds AWS CodePipeline, which sets up AWS Service Catalog, AWS SSO and AWS Organizations. A Core OU holds the AWS Organizations account, Shared services account, Log archive account and Security account. Labels on the accounts: account baseline, network baseline, aggregate AWS CloudTrail and AWS Config logs, security cross-account roles, security notifications, Amazon GuardDuty master, parameter store.]
Organizations account
• Account provisioning
• Account access (SSO)
Shared services account
• Active Directory
• Log analytics
Log archive
• Security logs
Security account
• Audit/break-glass
AWS Landing Zone structure: With add-ons
[Diagram: the same Core OU layout as the basic structure (S3 bucket with manifest file, AWS CodePipeline, AWS Service Catalog, AWS SSO, AWS Organizations; Organizations, Shared services, Log archive and Security accounts with account baseline, network baseline, aggregated AWS CloudTrail and AWS Config logs, security cross-account roles, security notifications, Amazon GuardDuty master, parameter store), with add-ons: directory connector, AWS Managed Microsoft AD, centralized logging solution.]
Organizations account
• Directory connector
Shared services account
• Microsoft AD
• Centralized logging solution
Account Vending Machine (AVM)
AVM (AWS Service Catalog)
• Account creation factory
• User interface to create new accounts
• Account baseline versioning
• Launch constraints
[Diagram: the AVM works through AWS Organizations and the Security, Log archive and Shared services accounts to set up the new AWS account. Flow: creates/updates AWS account → apply account baseline stack sets → create network baseline → apply account security control policy.]
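The "account security control policy" the AVM applies, and the "actions and conditions to enforce governance" from the baseline requirements, are normally expressed as an AWS Organizations service control policy (SCP). The following is an added example, not the deck's own material nor the AWS Landing Zone solution's policy: a guardrail SCP that protects the CloudTrail, AWS Config and GuardDuty baseline, keeps a vended account in the organization and denies root-user activity, together with a small evaluator for its Deny statements. The statement Sids, the action list, the root-user condition and the evaluator's simplifications are this example's choices.

```python
from fnmatch import fnmatchcase

# Added example, not the deck's or the AWS Landing Zone solution's own policy. Sids,
# the action list and the root-user condition are this example's choices.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Keep CloudTrail, AWS Config and GuardDuty from being switched off
            "Sid": "ProtectLogging",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
                "guardduty:DeleteDetector",
            ],
            "Resource": "*",
        },
        {   # A vended account must not be able to leave the organization
            "Sid": "DenyLeaveOrg",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
        {   # "Lock" the root user: deny every action when the caller is root
            "Sid": "DenyRootUser",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Only StringLike is modelled; a statement without a Condition always matches.
    for key, patterns in condition.get("StringLike", {}).items():
        if not any(fnmatchcase(context.get(key, ""), p) for p in _as_list(patterns)):
            return False
    return True


def scp_denies(policy, action, principal_arn):
    """Sid of the first Deny statement covering this call, else None.
    SCPs never grant: a matching Deny blocks the call whatever IAM allows.
    Only explicit-deny guardrails are modelled, not the implicit deny that
    applies when no Allow exists in the OU chain, nor Resource/NotAction.
    """
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # IAM action names match case-insensitively, with * as a wildcard
        hit = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        if hit and _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None
```

Attach such a policy to the OU that holds the vended accounts, never to the Organizations (management) account, which SCPs do not restrict.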
The AWS Landing Zone pipeline
[Diagram: pipeline stages Source → Validate/build/test → Deploy core account structure → Deploy core resources → Deploy Service Catalog portfolio/products → Deploy baseline resources → Launch AVM for core accounts. Components shown: AWS Landing Zone zip file and manifest file in the core Amazon S3 bucket, AWS CodeBuild, AWS CloudFormation templates, AWS Organizations, AWS account baseline stack sets, logging, security credentials, AWS Service Catalog, stack set, vended accounts.]
Benefits
• Automated
• Scalable
• Self-service
• Guardrails, not blockers
• Auditable
• Flexible
Get started
Check out the workshop site for next steps
https://lz-workshop.com
Thank you!
Up and running with multi-account security guardrails - GRC327-R - AWS re:Inforce 2019