
Using AWS Control Tower to govern multi-account AWS environments at scale - GRC313-R - AWS re:Inforce 2019


AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard.


  1. Using AWS Control Tower to govern multi-account AWS environments at scale (GRC313-R1). Chandar Venkataraman, Director, New Enterprise Initiative, AWS; Mahdi Sajjadpour, Principal BD Manager, AWS. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Balancing the needs of builders and central cloud IT
     • Builders: stay agile; innovate with the speed and agility of AWS
     • Cloud IT: establish governance; govern at scale with central controls
  3. Business agility and governance control: governance on one side, agility (self-service access, experiment fast, respond quickly to change) on the other
  4. AWS Control Tower: the easiest way to set up and govern AWS at scale. Three phases, Enable, Provision, and Operate, deliver business agility plus governance control
  5. Enable: governance at scale
  6. Enable governance
     • Set up an AWS landing zone
     • Establish guardrails for governance
     • Automate compliant account provisioning
     • Centralize identity and access
     • Manage continuously
  7. Set up an AWS landing zone
     • Landing zone: a preconfigured, secure, scalable, multi-account AWS environment based on best-practice blueprints
     • Multi-account management using AWS Organizations
     • Identity and federated access management using AWS SSO
     • Centralized log archive using AWS CloudTrail and AWS Config
     • Cross-account audit access using AWS SSO and AWS IAM
     • End-user account provisioning through AWS Service Catalog
     • Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS
     Architecture diagram: the master account runs AWS Control Tower, AWS Organizations, AWS Single Sign-On (with the AWS SSO directory), stack sets, and AWS Service Catalog. The Core OU holds the log archive account (aggregates AWS CloudTrail and AWS Config logs; account baseline) and the audit account (security cross-account roles; account baseline). The Custom OU holds the provisioned accounts, each with a network baseline and an account baseline. Also shown: an Amazon CloudWatch aggregator and security notifications.
  8. Multi-account architecture
     • Master account: your existing account, designated to create the new organization; it is also your master payer account
     • The organization consists of two OUs with preconfigured accounts:
     • Core OU: accounts created by AWS Control Tower, i.e., the audit account and the log archive account
     • Custom OU: your provisioned accounts
  9. Centralize identity and access
     • AWS SSO provides the default directory for identity
     • AWS SSO also enables federated access management across all accounts in your organization
     • Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users)
     • Preconfigured permission sets (e.g., admin, read-only, write)
     • Option to integrate with your managed or on-premises Active Directory (AD)
  10. Establish guardrails
     • Guardrails are preconfigured governance rules for security, compliance, and operations
     • Expressed in plain English to provide an abstraction over granular AWS policies
     • Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs
     • Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules
     • Mandatory and strongly recommended guardrails for prescriptive guidance
     • Easy selection and enablement on organizational units
     Diagram: a guardrail is enabled on organizational units and applies to the accounts in them. A preventive guardrail is output as granular AWS policies (an SCP), so the accounts are always compliant; a detective (or remediable) guardrail is output as AWS Config rules, and each account then reports as compliant or non-compliant.
  11. Guardrail examples
     Goal/category     Example
     IAM security      Require MFA for root user
     Data security     Disallow public read access to Amazon S3 buckets
     Network security  Disallow internet connection via Remote Desktop Protocol (RDP)
     Audit logs        Enable AWS CloudTrail and AWS Config
     Monitoring        Enable AWS CloudTrail integration with Amazon CloudWatch
     Encryption        Ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances
     Drift             Disallow changes to AWS Config rules set up by AWS Control Tower
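The two guardrail mechanisms on slides 10 and 11, as an added example that is not part of the original deck and is not Control Tower's own guardrail definition: a preventive guardrail expressed as an SCP Deny statement that is evaluated before a request proceeds, next to a detective guardrail in the shape of an AWS Config rule evaluation that classifies a bucket's recorded configuration after the fact. The SCP text, the bucket records, and the account IDs are constructed for illustration; the role name AWSControlTowerExecution, used here to exempt Control Tower itself from the Deny, is an assumption about the role the service deploys in member accounts.

```python
"""Preventive (SCP) vs detective (Config-rule style) guardrail, illustrated.
Added example, not Control Tower's own policy text."""
import fnmatch

# Assumption: Control Tower acts in member accounts through a role named
# AWSControlTowerExecution, so the SCP exempts that principal and Control Tower
# can still manage the Config rules it set up while everyone else is denied.
CT_EXEC_ROLE_PATTERN = "arn:aws:iam::*:role/AWSControlTowerExecution"

# Constructed SCP in the style of the "Disallow changes to AWS Config rules
# set up by AWS Control Tower" guardrail. SCPs can only restrict: an Allow
# still has to come from an identity policy inside the account.
PREVENTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyConfigRuleChangesExceptControlTower",
            "Effect": "Deny",
            "Action": [
                "config:DeleteConfigRule",
                "config:PutConfigRule",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {"aws:PrincipalARN": CT_EXEC_ROLE_PATTERN}
            },
        }
    ],
}


def _matches(pattern, value):
    # IAM-style wildcard match; '*' and '?' are the only special characters.
    return fnmatch.fnmatchcase(value, pattern)


def scp_allows(scp, action, principal_arn):
    """True if no Deny statement in the SCP matches the request.

    Simplified evaluator for this example: only Deny statements and the
    ArnNotLike/aws:PrincipalARN condition used above are implemented."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_matches(a, action) for a in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt and _matches(exempt, principal_arn):
            continue  # ArnNotLike is false for this principal: Deny does not apply
        return False  # an explicit Deny wins before the request reaches the service
    return True


# Detective guardrail in the style of "Disallow public read access to Amazon
# S3 buckets": evaluate the configuration AWS Config recorded, report only.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def evaluate_s3_public_read(bucket):
    """Return 'COMPLIANT' or 'NON_COMPLIANT' for a constructed bucket record
    ({'Name', 'Grants': ACL grants, optional 'PublicAccessBlock'})."""
    pab = bucket.get("PublicAccessBlock", {})
    if pab.get("BlockPublicAcls") and pab.get("IgnorePublicAcls"):
        return "COMPLIANT"  # public ACL grants are ignored by S3 in this state
    for grant in bucket.get("Grants", []):
        if grant.get("URI") in PUBLIC_GRANTEES and grant.get("Permission") in READ_PERMISSIONS:
            return "NON_COMPLIANT"
    return "COMPLIANT"


if __name__ == "__main__":
    # Constructed principals (account ID 111122223333 is a placeholder).
    dev = "arn:aws:iam::111122223333:role/Developer"
    ct = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
    print("Developer deletes Config rule:", scp_allows(PREVENTIVE_SCP, "config:DeleteConfigRule", dev))
    print("Control Tower deletes Config rule:", scp_allows(PREVENTIVE_SCP, "config:DeleteConfigRule", ct))
    public_bucket = {
        "Name": "example-public",
        "Grants": [{"URI": "http://acs.amazonaws.com/groups/global/AllUsers", "Permission": "READ"}],
    }
    print("Public-read bucket:", evaluate_s3_public_read(public_bucket))
```

The difference the deck's diagram draws is visible in the return types: `scp_allows` answers before the API call happens, so a member account under that OU cannot drift on that point, whereas `evaluate_s3_public_read` only classifies a change that has already been made, which is why detective guardrails surface as compliant/non-compliant in the dashboard rather than as denied calls. One caveat worth keeping in mind when mapping this onto the master account: SCPs never restrict the management (master) account of an organization, so a preventive guardrail enabled on an OU protects member accounts only.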
  12. Automate compliant account provisioning
     • Built-in account factory provides a template to standardize account provisioning
     • Configurable network settings (e.g., subnets, IP addresses)
     • Automatic enforcement of account baselines and guardrails
     • Published to AWS Service Catalog
     Diagram: the account factory takes a network baseline (network CIDR, network regions), the target OU, and the account baseline, and is published as an AWS Service Catalog product; launching that product creates a new AWS account with the network baseline, account baseline, and guardrails applied.
  13. Provision (AWS Control Tower: Enable, Provision, Operate; business agility + governance control)
  14. Self-service account provisioning in AWS Service Catalog: users can configure and provision AWS accounts and resources without needing full privileges to AWS services (e.g., Amazon EC2, Amazon RDS). (Screenshot with numbered callouts.)
  15. Operate (AWS Control Tower: Enable, Provision, Operate; business agility + governance control)
  16. Operate with agility + control
     • Dashboard: continuous visibility into your multi-account environment
     • Act: take operational action on resources
     • Audit: audit resource configurations, user access, and policy enforcement
     • Monitor: monitor resources and workloads
  17. Dashboard for oversight (screenshot)
  18. (Screenshot only)
  19. Customer example (challenge, solution, benefits): Slalom automates an AWS landing zone and bootstraps new accounts with AWS best practices using AWS Control Tower
  20. Pricing and availability: US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland)
  21. Why use AWS Control Tower? Set up a best-practices AWS environment in a few clicks
  22. Summary of key features
  23. Thank you! Chandar Venkataraman, Mahdi Sajjadpour
