Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare
What to Upload to SlideShare
Loading in …3
×
1 of 23

Using AWS Control Tower to govern multi-account AWS environments at scale - GRC313-R - AWS re:Inforce 2019

Jun. 28, 2019
8 likes 6,939 views

8

Share

Download to read offline

AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard.
AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard.

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
Believe IT: How to Go from Underestimated to Unstoppable Jamie Kern Lima
(4.5/5)
Free
How I Built This: The Unexpected Paths to Success from the World's Most Inspiring Entrepreneurs Guy Raz
(4.5/5)
Free
Ladies Get Paid: The Ultimate Guide to Breaking Barriers, Owning Your Worth, and Taking Command of Your Career Claire Wasserman
(5/5)
Free
Hot Seat: What I Learned Leading a Great American Company Jeff Immelt
(5/5)
Free
The Ministry of Common Sense: How to Eliminate Bureaucratic Red Tape, Bad Excuses, and Corporate BS Martin Lindstrom
(3.5/5)
Free
Inclusify: The Power of Uniqueness and Belonging to Build Innovative Teams Stefanie K. Johnson
(0/5)
Free
The Catalyst: How to Change Anyone's Mind Jonah Berger
(4.5/5)
Free
Blue-Collar Cash: Love Your Work, Secure Your Future, and Find Happiness for Life Ken Rusk
(0/5)
Free
The Fix: Overcome the Invisible Barriers That Are Holding Women Back at Work Michelle P. King
(5/5)
Free
Billion Dollar Brand Club: How Dollar Shave Club, Warby Parker, and Other Disruptors Are Remaking What We Buy Lawrence Ingrassia
(0/5)
Free
Ask for More: 10 Questions to Negotiate Anything Alexandra Carter
(4/5)
Free
How to Lead: Wisdom from the World's Greatest CEOs, Founders, and Game Changers David M. Rubenstein
(4.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4.5/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
You're Invited: The Art and Science of Cultivating Influence Jon Levy
(4.5/5)
Free
We Should All Be Millionaires: Change Your Thinking, Build Bank, and Claim Your Independence Rachel Rodgers
(5/5)
Free
The Perfect Day to Boss Up Rick Ross
(4.5/5)
Free
Business Networking for Introverts: How to Build Relationships the Authentic Way Karlo Krznarić
(4.5/5)
Free
Power, for All: How It Really Works and Why It's Everyone's Business Julie Battilana
(4.5/5)
Free
Larger Than Yourself: Reimagine Industries, Lead with Purpose & Grow Ideas into Movements Thibault Manekin
(4.5/5)
Free
Winning: The Unforgiving Race to Greatness Tim S. Grover
(5/5)
Free
Impact Players: How to Take the Lead, Play Bigger, and Multiply Your Impact Liz Wiseman
(5/5)
Free
The One Week Marketing Plan: The Set It & Forget It Approach for Quickly Growing Your Business Mark Satterfield
(4.5/5)
Free
Pressure Makes Diamonds: Becoming the Woman I Pretended to Be Valerie Graves
(4.5/5)
Free
Flex: Reinventing Work for a Smarter, Happier Life Annie Auerbach
(4.5/5)
Free
Nailing the Interview: A Comprehensive Guide to Job Interviewing Imran Afzal
(4.5/5)
Free
Everybody Has a Podcast (Except You): A How-To Guide from the First Family of Podcasting Justin McElroy
(5/5)
Free
Invent and Wander: The Collected Writings of Jeff Bezos, With an Introduction by Walter Isaacson Walter Isaacson
(4.5/5)
Free
Create: Tools from Seriously Talented People to Unleash Your Creative Life Marc Silber
(4.5/5)
Free
Subtract: The Untapped Science of Less Leidy Klotz
(4/5)
Free

Using AWS Control Tower to govern multi-account AWS environments at scale - GRC313-R - AWS re:Inforce 2019

  1. 1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Using AWS Control Tower to govern multi- account AWS environments at scale Chandar Venkataraman Director, New Enterprise Initiative AWS G R C 3 1 3 - R 1 Mahdi Sajjadpour Principal BD Manager AWS
  2. 2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Balancing the needs of builders and central cloud IT Builders: Stay agile Innovate with the speed and agility of AWS Cloud IT: Establish governance Govern at scale with central controls
  3. 3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Business agility and governance control Governance — Agility — Self-service access Experiment fast Respond quickly to change
  4. 4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. — Provision — Operate AWS Control Tower: Easiest way to set up and govern AWS at scale — Enable Business agility + governance control
  5. 5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Enable Enable for governance at scale
  6. 6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Enable governance Enable Set up an AWS landing zone Establish guardrails for governance Automate compliant account provisioning Centralize identity and access Manage continuously
  7. 7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Set up an AWS landing zone • Landing zone - a preconfigured, secure, scalable, multi-account AWS environment based on best practice blueprints • Multi-account management using AWS Organizations • Identity and federated access management using AWS SSO • Centralized log archive using AWS CloudTrail and AWS Config • Cross-account audit access using AWS SSO and AWS IAM • End user account provisioning through AWS Service Catalog • Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS Master account AWS Control Tower AWS Organizations AWS Single Sign-On Stack sets AWS Service Catalog Log archive account Aggregate AWS CloudTrail and AWS Config logs Account baseline Audit account Security cross- account roles Account baseline Provisioned accounts Network baseline Account baseline Amazon CloudWatch aggregator Security notifications Core OU Custom OU AWS SSO directory
  8. 8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Multi-account architecture • Master account: designation of your existing account to create a new organization. Also your master payer account • Organization consists of 2 OUs with pre-configured accounts - • Core OU: AWS Control Tower-created accounts, i.e., Audit account and Log archive account • Custom OU: Your provisioned accounts Master account AWS Organizations Log archive account Audit account Provisioned accounts Core OU Custom OU
  9. 9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Centralize identity and access • AWS SSO provides default directory for identity • AWS SSO also enables federated access management across all accounts in your organization • Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users) • Preconfigured permission sets (e.g., admin, read-only, write) • Option to integrate with your managed or on-premises Active Directory (AD)
  10. 10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Establish guardrails • Guardrails are preconfigured governance rules for security, compliance, and operations • Expressed in plain English to provide abstraction over granular AWS policies • Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs • Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules • Mandatory and strongly recommended guardrails for prescriptive guidance • Easy selection and enablement on organizational units Organizational units Accounts Enable Enable Output Output Output Organizational units Accounts Preventive guardrail Granular AWS policies SCP Detective/remediable guardrails Granular AWS policies AWS Config rules Always compliant Compliant Non- compliant
  11. 11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Guardrail examples Goal/category Example IAM security Require MFA for root user Data security Disallow public read access to Amazon S3 buckets Network security Disallow internet connection via Remote Desktop Protocol (RDP) Audit logs Enable AWS CloudTrail and AWS Config Monitoring Enable AWS CloudTrail integration with Amazon CloudWatch Encryption Ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances Drift Disallow changes to AWS Config rules set up by AWS Control Tower
  12. 12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate compliant account provisioning • Built-in account factory provides a template to standardize account provisioning • Configurable network settings (e.g., subnets, IP addresses) • Automatic enforcement of account baselines and guardrails • Published to AWS Service Catalog Account factory Network baseline Network CIDR Network regions OU Account baseline AWS Service Catalog AWS Service Catalog product New AWS account Network baseline Account baseline Guardrails
  13. 13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. — Provision — Operate AWS Control Tower: Easiest way to set up and govern at scale — Enable Business agility + governance control
  14. 14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Self-service account provisioning in AWS Service Catalog Users can configure and provision AWS accounts and resources without needing full privileges to AWS services (e.g., Amazon EC2, Amazon RDS) 3 2 1
  15. 15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. — Provision — Operate AWS Control Tower: Easiest way to set up and govern at scale — Enable Business agility + governance control
  16. 16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Operate with agility + control Operate Dashboard Continuous visibility into your multi-account environment Act Take operational action on resources Audit Audit resource configurations, user access, and policy enforcement Monitor Monitor resources and workloads
  17. 17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Dashboard for oversight
  18. 18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  19. 19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Challenge Solution Benefits Slalom automates an AWS landing zone and bootstraps new accounts with AWS best practices using AWS Control Tower
  20. 20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Pricing and availability US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland
  21. 21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Why use AWS Control Tower? Set up a best-practices AWS environment in a few clicks
  22. 22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Summary of key features
  23. 23. Thank you! © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Chandar Venkataraman Mahdi Sajjadpour

×