Using Control Tower to efficiently manage organizations
Steve Seaney
SVP SaaS Operations and Engineering
Rego Consulting, Inc
Sushanth Mangalore
Sr. Solutions Architect
Amazon Web Services
Agenda
• Rego Introduction
• AWS Control Tower
• Control Tower @ Rego
• Lessons Learned
• Best practices
Rego Introduction
Who is Rego?
We are PPM strategic advisors, using our deep expertise in PPM software as the entryway to build long-term relationships with our clients. We are experienced practitioners who use our previous PPM job expertise to guide our clients to maximize the value of their PPM software. We bring industry best-practices to assist our clients in developing a strategy for deploying PPM capabilities as well as helping them realize that value.
AWS Control Tower
The easiest self-service solution to automate the setup of new AWS multi-account environments
• Deployment of AWS best practice Blueprints and Guardrails
• An AWS service, offering automated account creation based on AWS best practices
• Dashboard for monitoring compliance status
• AWS Managed Service version of a multi-account environment
Enable governance:
• Set up an AWS landing zone
• Establish controls (guardrails)
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
Out of the Box in < 1 Hr…ZERO lines of code written
• Dashboard for visibility
• Automated landing zone
• Controls (Guardrails)
• Account factory
• Built-in identity and access
• Preconfigured log archive and audit access to accounts
• Built-in monitoring and notifications
• Automatic updates
Landing Zone provisioned by AWS Control Tower (architecture diagram)
• Management Account: AWS Control Tower, AWS Organizations, AWS IAM Identity Center, AWS CloudFormation StackSets, AWS Service Catalog (Account Factory)
• Security OU: Log Archive Account (account baseline; centralized AWS CloudTrail and AWS Config logs) and Audit Account (account baseline; security notifications; security cross-account roles; Amazon Config Aggregator)
• Custom OU: provisioned accounts (account baseline; network baseline)
• SSO directory
Control Tower @ Rego
Unique challenges in the Rego AWS environment:
• Newly migrated to AWS
• Lean operations team
• Hard project end date
• 150+ AWS accounts
• Early adopters of CfCT (Customizations for AWS Control Tower)
• Hosting a closed-source product
Lessons Learned
• Centralize security tooling
• Keep current with the landing zone and CfCT updates
• Implement all Controls, unless you have a reason not to
• Automate account and resource provisioning
• Utilize IAM Identity Center for SSO
• Utilize Lifecycle events and Organization events
• Monitor and maintain security standard compliance
• Automate, maintain, and monitor patching
Control Tower Best Practices
New customer journey (architecture diagram): a new payer account becomes the management account running AWS Control Tower, AWS Organizations, AWS Single Sign-On, AWS Service Catalog and stack sets; a Core OU holds the log archive account (aggregated AWS CloudTrail and AWS Config logs) and the audit account (security cross-account roles, security notifications, Amazon CloudWatch aggregator); a Custom OU holds the provisioned accounts (account baseline, network baseline); an AWS SSO directory provides identity.
Additional OUs:
• Sandbox: fixed spending limit; disconnected from network
• Workloads: for software development (Dev, Pre-Prod, Prod)
• Policy Staging: verify and test SCP changes
• Suspended: account closures; tag account prior to moving
• Individual Users: for individual business users
• Exceptions: customized security stance; SCPs at account level; under greater scrutiny
• Deployments: for deployment infrastructure (SDLC: Dev 1, Dev 2, Dev 3, Prod)
Organizations Summary
Benefits:
• Centrally provision resources in a multi-account environment
• Share resources and control access to accounts, regions, and services
• Optimize costs and identify cost-saving measures
• Seamless integration with AWS security services
Use cases:
• Many teams: rapid innovation with resources provisioned quickly and exclusively for each team
• Business process: organize AWS accounts to reflect business processes with different operational, regulatory, and budgetary requirements
• Billing: simplify billing where resources used within an AWS account can be allocated to the business unit that is responsible for that account
• Isolation & security: tight security boundaries enforced by built-in isolation between accounts, and consolidation for workloads with similar risk profiles
Existing customer journey
Review and test requirements:
- Single Sign-On
- Secure Token Service - STS
- Service Control Policies (SCP)
- AWS Config
- CloudTrail
- CloudFormation Stack Sets
Jump start your Organization with AWS Control Tower: SCPs, AWS Config, Service Catalog, AWS IAM Identity Center
Extend central governance with AWS Organizations
Organizations policies: Backup Policies (with AWS Backup), Tag Policies, AI/ML Policies
Services that operate across the organization: AWS Systems Manager, AWS Service Catalog, AWS CloudFormation, AWS Audit Manager, AWS Backup, Amazon Cloud Directory, AWS IAM Access Analyzer, AWS Firewall Manager, AWS Security Hub, Amazon GuardDuty, AWS Resource Access Manager, Amazon Macie, AWS Personal Health Dashboard, AWS Cost Explorer, S3 Storage Lens, AWS Trusted Advisor, AWS License Manager, AWS Compute Optimizer
• Centrally provision resources in a multi-account environment
• Share resources and control access to accounts, regions, and services
• Optimize costs and identify cost-saving measures
• Seamless integration with AWS security services
Thank you
steve@regoconsulting.com
mangalos@amazon.com


Editor's Notes

  1. We recommend customers deploying a new environment to start with AWS Control Tower. We also recommend that existing customers use the power of Control Tower to extend governance into their legacy accounts and implement Control Tower Guardrails. Control Tower takes care of all the best practices for you, from fundamental accounts to Blueprints/Guardrails for security and monitoring. Account Factory makes account creation and provisioning easy. The AWS Landing Zone is a solution that helps customers quickly set up a new AWS environment for multiple accounts. It can save customers time by automating the set-up of their environment in line with AWS best practice recommendations. With the AWS Landing Zone, customers receive a baseline environment that gets them started with a multi-account architecture, identity and access management, governance, data security, network design, and logging. This solution was built to help customers set up net new AWS environments, but can scale to support production implementations for large-scale migrations.
  2. Control Tower enables you to set up an AWS landing zone, centralize identity and access, establish guardrails for security, compliance, and operations, automate compliant account provisioning, and manage continuously over time.
  3. With AWS Control Tower the landing zone is built in about 1 hour, so customers get an automated landing zone. Guardrails are pre-defined rules to help with compliance; there are two types of guardrails: preventive and detective. Account Factory can create new accounts or enroll existing accounts into CT. A centralized dashboard provides visibility into the accounts across each region. With the built-in integration with AWS SSO, customers get a centralized location for identity and access management; they can also integrate partner solutions such as OneLogin and Okta into the SSO dashboard. The pre-configured log archive and audit accounts give CT a strong governance start, along with built-in monitoring and notifications and automatic updates. If customers were to customize the deployment of a landing zone on their own, they would be stitching together over 10 services, which would take a long time and very high technical skills, and customers would own the code and have to maintain it.
  4. This base architecture or foundation is what AWS Control Tower provides to our customers as they are starting to build their multi-account environment. AWS Control Tower provides a framework to set up and extend a well-architected, multi-account AWS environment based on security and compliance best practices. With AWS Control Tower, you can easily provision new AWS accounts using the Account Factory. Account Factory creates new AWS accounts with a baseline security posture enabled by preventive and detective guardrails. As part of this framework, AWS Control Tower automatically:
  • Enables AWS CloudTrail and AWS Config and centralizes logging to an Amazon S3 bucket located in a Log Archive account
  • Pre-configures Amazon Simple Notification Service (Amazon SNS) topics that other services can subscribe to
  • Provides federated access to accounts using AWS Single Sign-On (AWS SSO)
  • Enables guardrails to protect the resources deployed by AWS Control Tower and detects non-compliance across multiple accounts
  • Supports lifecycle events, which allow you to configure additional custom automations as part of new account creation.
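The lifecycle-event automation mentioned in this note and in the "Lessons Learned" slide, as an added Python example that is not part of the slide deck: a Lambda-style handler consumes the CreateManagedAccount / UpdateManagedAccount event Control Tower emits through EventBridge and turns it into the baseline actions the new account should receive, per OU. The event shape follows the Control Tower lifecycle event documentation; the OU-to-baseline table, the action names and all ids are assumptions made for this example.

```python
"""Route AWS Control Tower lifecycle events to per-OU account baselines.

Added example, not from the slide deck. A Lambda-style handler consumes the
CreateManagedAccount / UpdateManagedAccount event that Control Tower emits via
EventBridge when Account Factory finishes, and returns the baseline actions the
account should get. It is pure (no AWS calls) so it can be tested offline; the
OU-to-baseline table BASELINES and the action names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# EventBridge rule pattern that routes both lifecycle events to the handler.
EVENT_PATTERN = {"source": ["aws.controltower"],
                 "detail": {"eventName": ["CreateManagedAccount", "UpdateManagedAccount"]}}

# Hypothetical extra baseline per OU, modelled on the "Additional OUs" slide.
BASELINES: dict[str, list[str]] = {
    "Sandbox": ["attach-budget-limit", "detach-from-network"],
    "Workloads": ["deploy-network-baseline", "enable-patching"],
    "Exceptions": ["flag-for-security-review"],
}


@dataclass
class AccountEvent:
    event_name: str
    state: str
    account_id: str
    account_name: str
    ou_name: str
    ou_id: str
    actions: list[str] = field(default_factory=list)


def parse_lifecycle_event(event: dict) -> AccountEvent | None:
    """Pull account and OU out of a lifecycle event; None if it is not one."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    name = detail.get("eventName") or ""
    # The status block is keyed by the lowerCamel event name plus "Status",
    # e.g. createManagedAccountStatus.
    status = detail.get("serviceEventDetails", {}).get(name[:1].lower() + name[1:] + "Status")
    if not status:
        return None
    return AccountEvent(
        event_name=name, state=status.get("state", ""),
        account_id=status["account"]["accountId"],
        account_name=status["account"]["accountName"],
        ou_name=status["organizationalUnit"]["organizationalUnitName"],
        ou_id=status["organizationalUnit"]["organizationalUnitId"])


def plan_baseline(event: dict) -> AccountEvent | None:
    """Decide which baseline actions the account needs, if any."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return None
    if parsed.state != "SUCCEEDED":
        parsed.actions = ["notify-operations"]  # failed/in-progress: apply nothing
    else:
        parsed.actions = ["tag-account", *BASELINES.get(parsed.ou_name, [])]
    return parsed


def lambda_handler(event: dict, context=None) -> dict:
    """Lambda entry point; returns the plan as a JSON-friendly dict."""
    plan = plan_baseline(event)
    if plan is None:
        return {"handled": False}
    return {"handled": True, "accountId": plan.account_id, "ou": plan.ou_name,
            "state": plan.state, "actions": plan.actions}


def sample_event(state: str = "SUCCEEDED", ou_name: str = "Sandbox") -> dict:
    """Constructed CreateManagedAccount event with placeholder ids."""
    return {
        "version": "0", "source": "aws.controltower", "region": "us-east-1",
        "detail-type": "AWS Service Event via CloudTrail",
        "detail": {
            "eventSource": "controltower.amazonaws.com",
            "eventName": "CreateManagedAccount",
            "serviceEventDetails": {"createManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": ou_name,
                                       "organizationalUnitId": "ou-xxxx-placeholder"},
                "account": {"accountName": "sandbox-1", "accountId": "111111111111"},
                "state": state, "message": "constructed sample"}}}}


if __name__ == "__main__":
    print(lambda_handler(sample_event()))
```

In a real deployment the returned action list would drive the account-baseline automation (StackSet targeting, tagging, notifications); keeping that decision pure makes the routing testable without touching any account.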
  7. When we first went live in June of 2019 you could only deploy CT into a brand new account. That meant that a new management account would be created and customers would then create all new accounts. That was OK for customers with few accounts to migrate or companies just starting out on their cloud journey. But this was difficult for customers who already had existing organizations and a billing structure in place, because that meant they had two houses to maintain.
  8. Whether you are building out your landing zone for the first time with Control Tower, or deploying Control Tower to an existing Organization, you gain access to all of the automation and simplicity benefits that Control Tower offers. But what customers often come to realize after the fact is that, because Control Tower is built on top of AWS Organizations, you also have the ability to use all of the multi-account features of Organizations with your Control Tower environment. AWS Organizations provides native capabilities, along with features for a number of AWS services to operate across accounts. There are four main categories of features that AWS unlocks for customers:
  • Centrally provisioning accounts and resources
  • Share resources and control access to accounts, regions, and services
  • Secure and audit your environment for compliance
  • Optimize costs and identify cost-saving measures
  This helps you to drive rapid innovation for your teams, allowing them to quickly provision resources for their use. Using AWS Organizations you can reflect your business processes and the different requirements of different business units, such as operations, governance, and budgets. We understand that handling billing across multiple accounts can be complicated; however, Organizations consolidates a view of what resources are being used on each account and offers a detailed view per account, allowing you to establish budgets for the business units responsible for the accounts and to identify where there are different opportunities. Last, but most important, Organizations helps establish isolation using the boundaries given by an account, allowing you to consolidate workloads that have similar risk profiles.
  AWS Control Tower can help you to set up this initial environment, providing an orchestration framework to create accounts, establish different guardrails across your organization and offering an overview of the status of the accounts managed by Control Tower in the organization.
  9. Since you are already using Organizations, you can use Control Tower to automate the management of some of its features and of your multi-account strategy. However, there are some prerequisites you need to take into consideration for a smooth transition. AWS Control Tower deploys certain resources to the accounts under its governance to enforce the security measures and to collect logs from these accounts, which are stored in the Log Archive account. Before deploying Control Tower on your current Organization, review the management account's service quotas for the following services:
     - AWS Config
     - Service Control Policies
     - Single Sign-On
     - STS
     - CloudTrail
     If you have already deployed Single Sign-On, Control Tower needs to be launched in the same region of the management account so that Control Tower can adopt it. Additionally, Control Tower allows you to select which regions you would like the service to govern. It is important that STS is enabled in the regions that Control Tower supports, so it can assume a role in that region to deploy the resources and perform the checks it needs to succeed. AWS Control Tower creates a set of 3 SCPs that are attached to the OUs managed by the service. When extending governance to already existing OUs, make sure there is room on these OUs for Control Tower to attach these SCPs. Additionally, make sure there are no current SCPs blocking Control Tower from performing actions on the Organization or on any particular OUs, which would prevent Control Tower from executing actions on those accounts. There can only be a single Config recorder and a single delivery channel per region in each account; for any account to which governance will be extended, the current Config recorder and delivery channel will need to be removed before governance is extended, so Control Tower can record and monitor those regions in the enrolled accounts.
     For new accounts, Control Tower creates all of this for you automatically, without any extra work. Control Tower deploys a CloudTrail trail that logs the activity in that account and delivers it to the Log Archive account; for any existing accounts, make sure there is space for this CloudTrail trail to be created before enrolling the account or the OU. Last, but not least, Control Tower uses CloudFormation StackSets to deploy resources across the accounts in the organization from the management account, so make sure there is room in the management account for creating about 10-15 new StackSets so Control Tower can manage the resources being deployed in your Organization efficiently! Once you have checked these, you are ready to start enrolling your already existing OUs and accounts in Control Tower.
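The prerequisites above amount to a pre-flight checklist that is easy to get wrong by hand across many accounts and regions. Below is an added example (not code from the talk, Rego, or AWS) that encodes those checks as a readiness script over an inventory you would first collect with the AWS APIs: the Inventory, AccountState, RegionState and Finding types, the helper names, and the sample data are constructed for this example. The quota constants are assumptions to confirm in Service Quotas: 5 SCPs per target and 5 trails per region are the documented AWS limits as I know them, the StackSets quota is assumed, and the 3 SCPs and 10-15 StackSets of headroom come from the talk itself.

```python
"""Pre-flight readiness check before extending Control Tower governance to
existing OUs and accounts. Added example: the Inventory shape, the helper
names and the sample data are constructed, not from the talk or from AWS."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Quotas the checks compare against. Verify them in Service Quotas for your account.
SCP_PER_TARGET_MAX = 5     # AWS Organizations: max SCPs attached to one root, OU or account
CT_SCP_COUNT = 3           # SCPs Control Tower attaches to each OU it governs (from the talk)
TRAILS_PER_REGION_MAX = 5  # CloudTrail: max trails per region in one account
STACKSETS_MAX = 100        # assumed stack-set quota per administrator account (check yours)
CT_STACKSETS_NEEDED = 15   # headroom the talk recommends for Control Tower's StackSets


@dataclass
class RegionState:
    """What already exists in one account/region. Fill it from
    describe_configuration_recorders / describe_delivery_channels (AWS Config),
    describe_trails (CloudTrail) and the STS regional endpoint setting in IAM."""
    config_recorders: int = 0
    delivery_channels: int = 0
    trails: int = 0
    sts_enabled: bool = True


@dataclass
class AccountState:
    account_id: str
    ou_id: str
    regions: Dict[str, RegionState] = field(default_factory=dict)


@dataclass
class Inventory:
    home_region: str                        # region Control Tower will be launched in
    governed_regions: List[str]
    sso_region: Optional[str]               # None if Single Sign-On is not deployed yet
    ou_scp_count: Dict[str, int]            # OU id -> SCPs already attached
    ou_blocking_scps: Dict[str, List[str]]  # OU id -> SCPs reviewed as denying CT actions
    stacksets_in_use: int                   # StackSets already in the management account
    accounts: List[AccountState]


@dataclass(frozen=True)
class Finding:
    scope: str    # "management", an OU id, or "<account>/<region>"
    message: str


def preflight(inv: Inventory) -> List[Finding]:
    """Return one Finding per blocker that must be cleared before enrollment."""
    out: List[Finding] = []
    # Single Sign-On can only be adopted if Control Tower launches in its region.
    if inv.sso_region and inv.sso_region != inv.home_region:
        out.append(Finding("management", f"Single Sign-On lives in {inv.sso_region}; "
                           f"launch Control Tower there, not in {inv.home_region}"))
    # Headroom for the StackSets Control Tower creates from the management account.
    free = STACKSETS_MAX - inv.stacksets_in_use
    if free < CT_STACKSETS_NEEDED:
        out.append(Finding("management", f"only {free} StackSets free, need {CT_STACKSETS_NEEDED}"))
    # Each OU needs room for the 3 Control Tower SCPs and must not carry SCPs that deny them.
    for ou, count in inv.ou_scp_count.items():
        if count + CT_SCP_COUNT > SCP_PER_TARGET_MAX:
            out.append(Finding(ou, f"{count} SCPs attached; no room for Control Tower's {CT_SCP_COUNT}"))
        for scp in inv.ou_blocking_scps.get(ou, []):
            out.append(Finding(ou, f"SCP {scp!r} blocks actions Control Tower must perform"))
    # Per account and governed region: recorder and channel gone, STS on, trail slot free.
    for acct in inv.accounts:
        for region in inv.governed_regions:
            st = acct.regions.get(region, RegionState())  # nothing recorded means nothing deployed
            scope = f"{acct.account_id}/{region}"
            if st.config_recorders:
                out.append(Finding(scope, "remove the existing AWS Config recorder before enrolling"))
            if st.delivery_channels:
                out.append(Finding(scope, "remove the existing AWS Config delivery channel before enrolling"))
            if not st.sts_enabled:
                out.append(Finding(scope, "activate the STS endpoint so Control Tower can assume roles here"))
            if st.trails >= TRAILS_PER_REGION_MAX:
                out.append(Finding(scope, "no free CloudTrail trail slot for the Control Tower trail"))
    return out


def sample_inventory() -> Inventory:
    """Constructed inventory with deliberate blockers, for demonstration only."""
    return Inventory(
        home_region="us-east-1",
        governed_regions=["us-east-1", "us-west-2"],
        sso_region="us-west-2",
        ou_scp_count={"ou-workloads": 3, "ou-sandbox": 1},
        ou_blocking_scps={"ou-sandbox": ["DenyConfigChanges"]},
        stacksets_in_use=90,
        accounts=[
            AccountState("111111111111", "ou-workloads", {
                "us-east-1": RegionState(config_recorders=1, delivery_channels=1, trails=5),
                "us-west-2": RegionState(trails=2, sts_enabled=False),
            }),
            AccountState("222222222222", "ou-sandbox"),  # clean account: no findings expected
        ],
    )


if __name__ == "__main__":
    for f in preflight(sample_inventory()):
        print(f"{f.scope:28} {f.message}")
```

Run it against the constructed inventory and it reports eight blockers: the Single Sign-On region mismatch, StackSets headroom, an OU with too many SCPs, an SCP reviewed as blocking Control Tower, and the per-region Config, CloudTrail and STS problems on the first account, while the clean account produces nothing. A region absent from an account's inventory is treated as empty, so the collection step must enumerate every governed region rather than only those where something was found.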
  10. This means you get a rich set of capabilities to extend governance across your multi-account environments using services that integrate with Organizations. By using Control Tower, you take advantage of its automation and simple management while leveraging the additional Organizations capabilities that are available to you. You can extend your governance across your multi-account environment using consistent provisioning with AWS CloudFormation StackSets, manage your backups with granular policies, monitor your environments for security threats using Amazon Macie, share resources with your accounts using AWS Resource Access Manager, have visibility into your AWS budgets and spend using AWS Cost Explorer, and more! You get the best of both worlds by combining Control Tower with the extensibility of Organizations. Would you like us to dive into any of these multi-account capabilities in a later discussion?