Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
1. Using Control Tower to efficiently manage organizations
Steve Seaney
SVP SaaS Operations and Engineering
Rego Consulting, Inc
Sushanth Mangalore
Sr. Solutions Architect
Amazon Web Services
4. Who is Rego?
We are PPM strategic advisors, using our deep expertise in PPM software as the entryway to build long-term relationships with our clients.
We are experienced practitioners who use our previous PPM job expertise to guide our clients to maximize the value of their PPM software.
We bring industry best practices to assist our clients in developing a strategy for deploying PPM capabilities as well as helping them realize that value.
6. AWS Control Tower
The easiest self-service solution to automate the setup of new AWS multi-account environments
- Deployment of AWS best-practice blueprints and guardrails
- An AWS service offering automated account creation based on AWS best practices
- Dashboard for monitoring compliance status
- AWS managed-service version of a multi-account environment
7. Enable governance
- Set up an AWS landing zone
- Establish controls (guardrails)
- Automate compliant account provisioning
- Centralize identity and access
- Manage continuously
8. Out of the Box in < 1 Hr…ZERO lines of code written
- Dashboard for visibility
- Automated landing zone
- Controls (guardrails)
- Account factory
- Built-in identity and access
- Preconfigured log archive and audit access to accounts
- Built-in monitoring and notifications
- Automatic updates
9. Landing Zone provisioned by AWS Control Tower
Management account: AWS Control Tower, AWS Organizations, AWS IAM Identity Center (SSO directory), AWS CloudFormation StackSets, AWS Service Catalog (Account Factory)
Security OU:
- Log Archive account: account baseline; centralized AWS CloudTrail and AWS Config logs
- Audit account: account baseline; security notifications; security cross-account roles; AWS Config aggregator
Custom OU:
- Provisioned accounts: account baseline; network baseline
11. Unique challenges in the Rego AWS environment
- Newly migrated to AWS
- Lean operations team
- Hard project end date
- 150+ AWS accounts
- Early adopters of CfCT (Customizations for AWS Control Tower)
- Hosting a closed-source product
12. Lessons Learnt
- Centralize security tooling
- Keep current with the landing zone and CfCT updates
- Implement all controls, unless you have a reason not to
- Automate account and resource provisioning
- Use IAM Identity Center for SSO
- Use lifecycle events and Organizations events
- Monitor and maintain security standard compliance
- Automate, maintain, and monitor patching
14. New customer journey
AWS Cloud, new payer account
Management account: AWS Control Tower, AWS Organizations, AWS Single Sign-On (now AWS IAM Identity Center, with the SSO directory), AWS Service Catalog, CloudFormation stack sets
Core OU:
- Log archive account: account baseline; aggregated AWS CloudTrail and AWS Config logs
- Audit account: account baseline; security cross-account roles; security notifications; AWS Config aggregator
Custom OU:
- Provisioned accounts: account baseline; network baseline
Additional OUs:
- Sandbox: fixed spending limit; disconnected from the network
- Workloads: for software development (Dev, Pre-Prod, Prod)
- Policy Staging: verify and test SCP changes before they reach production OUs
- Suspended: account closures; tag the account prior to moving it
- Individual Users: for individual business users
- Exceptions: customized security stance; SCPs at account level; under greater scrutiny
- Deployments: for deployment infrastructure (Dev 1, Dev 2, Dev 3, Prod, following the SDLC)
15. Organizations Summary
Benefits:
- Centrally provision resources in a multi-account environment
- Share resources and control access to accounts, regions, and services
- Optimize costs and identify cost-saving measures
- Seamless integration with AWS security services
Use cases:
- Many teams: rapid innovation, with resources provisioned quickly and exclusively for each team
- Business process: organize AWS accounts to reflect business processes with different operational, regulatory, and budgetary requirements
- Billing: simplify billing, since resources used within an AWS account can be allocated to the business unit responsible for that account
- Isolation & security: tight security boundaries enforced by built-in isolation between accounts, and consolidation of workloads with similar risk profiles
16. Existing customer journey
Review and test requirements:
- Single Sign-On
- Security Token Service (STS)
- Service Control Policies (SCPs)
- AWS Config
- CloudTrail
- CloudFormation StackSets
Jump start your Organization with AWS Control Tower, SCPs, AWS Config, Service Catalog, and AWS IAM Identity Center
17. Extend central governance with AWS Organizations
Services that integrate with Organizations: AWS Systems Manager, AWS Service Catalog, AWS CloudFormation, AWS Audit Manager, AWS Backup & Backup Policies, Amazon Cloud Directory, AWS IAM Access Analyzer, AWS Firewall Manager, AWS Security Hub, Amazon GuardDuty, AWS Resource Access Manager, Amazon Macie, AWS Personal Health Dashboard, AWS Cost Explorer, S3 Storage Lens, AWS Trusted Advisor, AWS License Manager, AWS Compute Optimizer, Tag Policies, AI/ML Policies
Capabilities:
- Centrally provision resources in a multi-account environment
- Share resources and control access to accounts, regions, and services
- Optimize costs and identify cost-saving measures
- Seamless integration with AWS security services
We recommend customers deploying a new environment to start with AWS Control Tower
We also recommend that existing customers use the power of Control Tower to extend governance into their legacy accounts and implement Control Tower Guardrails
2. Control Tower takes care of all the best practices for you – from fundamental accounts to Blueprint/Guardrails for security and monitoring
3. Account factory makes account creation and provisioning easy
The AWS Landing Zone is a solution that helps customers quickly set up a new AWS environment for multiple accounts. The AWS Landing Zone solution can save customers time by automating the set-up of their environment in line with AWS best practice recommendations.
With the AWS Landing Zone, customers receive a baseline environment that gets them started with a multi-account architecture, identity and access management, governance, data security, network design, and logging. This solution was built to help customers set up net new AWS environments, but can scale to support production implementations for large-scale migrations.
Control Tower enables you to:
- set up an AWS landing zone
- centralize identity and access
- establish guardrails for security, compliance, and operations
- automate compliant account provisioning
- and manage continuously over time.
With AWS Control Tower the landing zone is built in about 1 hour:
- Customers get an automated landing zone
- Guardrails: predefined rules to help with compliance. There are 2 types of guardrails: preventive (enforced through SCPs) and detective (evaluated by AWS Config rules)
- Account Factory, which you can use to create new accounts or enroll existing accounts into Control Tower
- A centralized dashboard for visibility into the accounts across each region
With the built-in integration with AWS SSO (now AWS IAM Identity Center), customers get a centralized location for identity and access management.
They can also integrate partner identity providers such as OneLogin and Okta into the SSO dashboard.
The pre-configured log archive and audit accounts give Control Tower a strong governance start.
Built-in monitoring and notifications, and automatic updates.
If customers were to build and customize a landing zone on their own they would be stitching together over 10 services, which would take a long time and very high technical skill, and they would own the code and have to maintain it.
This base architecture, or foundation, is what AWS Control Tower provides to our customers as they start to build their multi-account environment.
AWS Control Tower provides a framework to set up and extend a well-architected, multi-account AWS environment based on security and compliance best practices. With AWS Control Tower, you can easily provision new AWS accounts using the Account Factory. Account Factory creates new AWS accounts with a baseline security posture enabled by preventive and detective guardrails. As part of this framework, AWS Control Tower automatically:
- Enables AWS CloudTrail and AWS Config and centralizes their logs in an Amazon S3 bucket located in the Log Archive account
- Pre-configures Amazon Simple Notification Service (Amazon SNS) topics that other services can subscribe to
- Provides federated access to accounts using AWS Single Sign-On (AWS SSO, now AWS IAM Identity Center)
- Enables guardrails to protect the resources deployed by AWS Control Tower and detects non-compliance across multiple accounts
- Supports lifecycle events, delivered through Amazon EventBridge, which let you trigger additional custom automation when an account is created or enrolled.
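The lifecycle-event hook mentioned above is where account-level customization (the per-OU baselines on slide 14) usually gets attached. The following is an added example, not code from the deck or from AWS: an EventBridge rule pattern for the `CreateManagedAccount` lifecycle event, a local matcher so the pattern can be unit-tested offline, and a Lambda handler that turns a successful event into a baseline plan. The event shape follows the documented Control Tower lifecycle event; the sample event, account IDs, OU IDs and the `OU_ACTIONS` step names are constructed for illustration.

```python
"""Consume an AWS Control Tower lifecycle event (CreateManagedAccount)
delivered by Amazon EventBridge, and turn it into a per-OU baseline plan.
Added example; not code from the deck or from AWS. The event fields
follow the documented lifecycle-event shape; the sample event, account
IDs and the OU_ACTIONS step names are constructed for illustration.
"""
import json
from typing import Any, Dict, List, Optional

# EventBridge rule pattern for a rule in the management account's home
# region: fire only when Control Tower reports a successful account creation.
RULE_PATTERN: Dict[str, Any] = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {
        "eventName": ["CreateManagedAccount"],
        "serviceEventDetails": {"createManagedAccountStatus": {"state": ["SUCCEEDED"]}},
    },
}

# Hypothetical baseline steps, keyed by the OU design on slide 14.
OU_ACTIONS: Dict[str, List[str]] = {
    "Sandbox": ["set-fixed-budget", "skip-network-attachment"],
    "Workloads": ["deploy-network-baseline", "enable-patch-automation"],
    "Exceptions": ["attach-account-level-scp", "flag-for-review"],
}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Local approximation of EventBridge exact-value matching: every pattern
    key must be present; a list means 'value is one of these'; a nested dict
    recurses. Lets you unit-test the rule pattern offline before deploying."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif got not in want:
            return False
    return True


def parse_lifecycle_event(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Return the new account and its OU, or None for events the rule ignores."""
    if not matches(RULE_PATTERN, event):
        return None
    status = event["detail"]["serviceEventDetails"]["createManagedAccountStatus"]
    return {
        "account_id": status["account"]["accountId"],
        "account_name": status["account"]["accountName"],
        "ou_id": status["organizationalUnit"]["organizationalUnitId"],
        "ou_name": status["organizationalUnit"]["organizationalUnitName"],
    }


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point: returns the plan rather than executing it, so the
    steps can run under a separate least-privilege role (for example from a
    Step Functions state machine that receives this output)."""
    info = parse_lifecycle_event(event)
    if info is None:
        return {"handled": False}
    return {"handled": True, **info, "actions": OU_ACTIONS.get(info["ou_name"], [])}


# Constructed sample event in the documented lifecycle-event shape.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "111111111111",
    "time": "2023-06-01T12:00:00Z",
    "region": "us-east-1",
    "detail": {
        "eventVersion": "1.08",
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "awsRegion": "us-east-1",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": "Sandbox",
                                       "organizationalUnitId": "ou-xxxx-exampleid"},
                "account": {"accountName": "sandbox-alice", "accountId": "222222222222"},
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully created a managed account.",
            }
        },
    },
}


def with_state(event: Dict[str, Any], state: str) -> Dict[str, Any]:
    """Deep copy of an event with a different createManagedAccountStatus.state
    (used to confirm the rule drops FAILED provisioning attempts)."""
    copy = json.loads(json.dumps(event))
    copy["detail"]["serviceEventDetails"]["createManagedAccountStatus"]["state"] = state
    return copy


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
    print(lambda_handler(with_state(SAMPLE_EVENT, "FAILED")))
```

The handler deliberately filters on `state: SUCCEEDED` in both the rule pattern and the code: a `FAILED` CreateManagedAccount event still carries an account block, and an automation that baselines on it would act on an account that Control Tower has not finished enrolling.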
When we first went live in June of 2019 you could only deploy Control Tower into a brand-new account.
That meant that a new management account would be created and customers would then create all new accounts.
That was OK for customers with few accounts to migrate or companies just starting out on their cloud journey.
But it was difficult for customers who already had existing organizations and a billing structure in place, because it meant they had two houses to maintain.
Whether you are building out your landing zone for the first time with Control Tower, or deploying Control Tower into an existing organization, you gain access to all of the automation and simplicity benefits that Control Tower offers.
But what customers often realize after the fact is that, because Control Tower is built on top of AWS Organizations, you can also use all of the multi-account features of Organizations with your Control Tower environment. AWS Organizations provides native capabilities and lets a number of AWS services operate across accounts. There are four main categories of features it unlocks for customers:
- Centrally provision accounts and resources
- Share resources and control access to accounts, regions, and services
- Secure and audit your environment for compliance
- Optimize costs and identify cost-saving measures
This helps you drive rapid innovation for your teams, allowing them to quickly provision resources for their use.
Using AWS Organizations you can reflect your business processes and the different requirements of different business units, such as operations, governance, and budgets.
We understand that handling billing across multiple accounts can be complicated; Organizations consolidates a view of which resources are used in each account and offers a detailed per-account view, allowing you to establish budgets for the business units responsible for the accounts and to identify opportunities.
Last, but most important, Organizations helps establish isolation using the boundary an account provides, allowing you to consolidate workloads that have similar risk profiles.
AWS Control Tower can help you set up this initial environment, providing an orchestration framework to create accounts, establish guardrails across your organization, and give an overview of the status of the accounts it manages.
Since you are already using Organizations, you can use Control Tower to automate the management of some of these features and of your multi-account strategy. However, there are some prerequisites you need to take into consideration for a smooth transition.
AWS Control Tower deploys resources into the accounts under its governance to enforce the security controls and to collect logs from those accounts into the Log Archive account.
For a smooth transition, before deploying Control Tower on your current organization, review the management account's service quotas for these services:
- AWS Config
- Service Control Policies
- Single Sign-On (IAM Identity Center)
- STS
- CloudTrail
If you have already deployed Single Sign-On, Control Tower must be launched in the same region of the management account for Control Tower to be able to adopt it. Control Tower also lets you select which regions the service governs; STS must be enabled in every region Control Tower will govern so that it can assume a role there to deploy resources and run the checks it needs.
AWS Control Tower creates a set of 3 SCPs that it attaches to the OUs it manages. AWS Organizations allows at most 5 policies of each type on a single OU or account, so when extending governance to existing OUs make sure no more than 2 SCPs are already attached to each (the default FullAWSAccess policy counts as one), leaving room for Control Tower's three. Also make sure no existing SCP blocks the actions Control Tower needs to perform on the organization or on any particular OU, which would prevent it from acting on those accounts.
There can be only one AWS Config recorder and one delivery channel per region in each account. For any account to which governance will be extended, the existing recorder and delivery channel in each governed region must be removed before enrollment, so that Control Tower can record and monitor those regions. For new accounts, Control Tower creates these automatically.
Control Tower deploys a CloudTrail trail that logs activity in the account and delivers it to the Log Archive account. CloudTrail allows 5 trails per region, so for any existing account make sure there is room for this trail before enrolling the account or its OU. (Newer landing-zone versions use a single organization trail instead of a per-account trail; check the release notes for the version you deploy.)
Last but not least, Control Tower uses CloudFormation StackSets, run from the management account, to deploy resources across the accounts in the organization. Make sure the management account has room for about 10-15 new StackSets so Control Tower can manage the resources it deploys efficiently.
Once you have checked these, you are ready to start enrolling your existing OUs and accounts into Control Tower.
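The prerequisites above are easy to miss one account at a time, so here is an added example of scripting them (my code, not the deck's or AWS's): a set of pre-flight checks, one per blocker the notes describe, each consuming the response shape of the AWS CLI or API call named in its docstring so it can be run offline against recorded output. The quota values are assumptions stated in the code: 5 SCPs per OU or account and 5 trails per region are the documented defaults, and 100 stack sets per administrator account is the assumed CloudFormation default. The inventory at the bottom is constructed, not captured from a real organization.

```python
"""Offline pre-flight checks before extending Control Tower governance
to an existing organization (added example; not the deck's or AWS's code).
Each check consumes the response shape of the AWS API call named in its
docstring, so you can feed it recorded CLI output. Quota constants are
assumptions; verify them in Service Quotas for your own accounts.
"""
from typing import Any, Dict, Iterable, List

MAX_SCPS_PER_TARGET = 5     # AWS Organizations: policies of one type per OU or account
CT_SCPS_NEEDED = 3          # the deck: Control Tower attaches 3 SCPs to each governed OU
MAX_TRAILS_PER_REGION = 5   # CloudTrail quota
CT_TRAILS_NEEDED = 1        # one Control Tower trail per enrolled account, as the deck describes
STACKSET_QUOTA = 100        # assumed CloudFormation default; check Service Quotas
CT_STACKSETS_NEEDED = 15    # upper end of the deck's "10-15 StackSets"


def check_config(account: str, region: str, recorders: Dict, channels: Dict) -> List[str]:
    """`aws configservice describe-configuration-recorders` and
    `describe-delivery-channels`: only one of each may exist per region,
    and Control Tower needs to create its own."""
    out = [f"{account}/{region}: remove Config recorder '{r['name']}' before enrolling"
           for r in recorders.get("ConfigurationRecorders", [])]
    out += [f"{account}/{region}: remove Config delivery channel '{c['name']}' before enrolling"
            for c in channels.get("DeliveryChannels", [])]
    return out


def check_scp_room(ou_id: str, policies: Dict) -> List[str]:
    """`aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY`"""
    names = [p["Name"] for p in policies.get("Policies", [])]
    free = MAX_SCPS_PER_TARGET - len(names)
    if free < CT_SCPS_NEEDED:
        return [f"{ou_id}: {len(names)} SCPs attached {names}; "
                f"Control Tower needs {CT_SCPS_NEEDED} free slots, {free} available"]
    return []


def check_regions_enabled(account: str, regions: Dict, governed: Iterable[str]) -> List[str]:
    """`aws account list-regions`: a governed region must be enabled so STS
    can issue credentials there for Control Tower's role assumption."""
    status = {r["RegionName"]: r["RegionOptStatus"] for r in regions.get("Regions", [])}
    return [f"{account}: region {g} is {status.get(g, 'UNKNOWN')}, STS unavailable"
            for g in governed if status.get(g) not in ("ENABLED", "ENABLED_BY_DEFAULT")]


def check_trail_room(account: str, region: str, trails: Dict) -> List[str]:
    """`aws cloudtrail describe-trails`: count trails homed in this region."""
    n = sum(1 for t in trails.get("trailList", []) if t.get("HomeRegion") == region)
    if n + CT_TRAILS_NEEDED > MAX_TRAILS_PER_REGION:
        return [f"{account}/{region}: {n} trails exist; no room for the Control Tower trail"]
    return []


def check_stackset_room(stacksets: Dict) -> List[str]:
    """`aws cloudformation list-stack-sets --status ACTIVE` in the management account."""
    n = len(stacksets.get("Summaries", []))
    if n + CT_STACKSETS_NEEDED > STACKSET_QUOTA:
        return [f"management account: {n} stack sets active; fewer than {CT_STACKSETS_NEEDED} slots remain"]
    return []


def run_preflight(inv: Dict[str, Any]) -> List[str]:
    """Aggregate every blocker across the management account, OUs and member accounts."""
    findings = check_stackset_room(inv["stacksets"])
    for ou_id, pol in inv["ou_policies"].items():
        findings += check_scp_room(ou_id, pol)
    for acct in inv["accounts"]:
        findings += check_regions_enabled(acct["id"], acct["regions"], inv["governed_regions"])
        for region in inv["governed_regions"]:
            per = acct["per_region"].get(region, {})
            findings += check_config(acct["id"], region, per.get("recorders", {}), per.get("channels", {}))
            findings += check_trail_room(acct["id"], region, acct["trails"])
    return findings


# Constructed inventory (not real output): one OU already carries 4 SCPs, and one
# account has a legacy Config recorder in us-east-1 and the opt-in region
# ap-east-1 disabled, so four blockers are expected.
SAMPLE_INVENTORY: Dict[str, Any] = {
    "governed_regions": ["us-east-1", "ap-east-1"],
    "stacksets": {"Summaries": [{"StackSetName": f"legacy-{i}"} for i in range(20)]},
    "ou_policies": {
        "ou-example-workloads": {"Policies": [{"Name": n} for n in
                                              ("FullAWSAccess", "DenyRoot", "DenyLeaveOrg", "RegionLock")]},
        "ou-example-sandbox": {"Policies": [{"Name": "FullAWSAccess"}]},
    },
    "accounts": [{
        "id": "111111111111",
        "regions": {"Regions": [{"RegionName": "us-east-1", "RegionOptStatus": "ENABLED_BY_DEFAULT"},
                                {"RegionName": "ap-east-1", "RegionOptStatus": "DISABLED"}]},
        "trails": {"trailList": [{"Name": "legacy-trail", "HomeRegion": "us-east-1"}]},
        "per_region": {"us-east-1": {
            "recorders": {"ConfigurationRecorders": [{"name": "default"}]},
            "channels": {"DeliveryChannels": [{"name": "default"}]}}},
    }],
}

if __name__ == "__main__":
    for finding in run_preflight(SAMPLE_INVENTORY):
        print("BLOCKER:", finding)
```

Run it against a real organization by replacing the constructed dictionaries with the JSON the named CLI commands return (one `describe-configuration-recorders` and `describe-delivery-channels` call per account and governed region). The SCP check counts the default FullAWSAccess policy, since it occupies one of the five slots like any other SCP.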
This means you get a rich set of capabilities to extend governance across your multi-account environment using services that integrate with Organizations.
By using Control Tower, you are taking advantage of its automation and simple management while leveraging the additional Organizations capabilities available to you. You can extend governance across your multi-account environment using consistent provisioning with AWS CloudFormation StackSets, manage your backups with granular backup policies, discover sensitive data across your accounts using Amazon Macie, share resources with your accounts using AWS Resource Access Manager, get visibility into your AWS budgets and spend using AWS Cost Explorer, and more!
You get the best of both worlds by combining Control Tower with the extensibility of Organizations.
Would you like us to dive into any of these multi-account capabilities in a later discussion?