SlideShare a Scribd company logo
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bryan Miller
Solutions Builder, Amazon Web Services
November 29, 2016
Reduce Your Blast Radius by
Using Multiple AWS Accounts
Per Region and Service
SEC304
What to expect from the session
• How AWS manages multiple accounts and how
customers can leverage multiple AWS accounts to
manage security and reduce the blast radius by
deploying a single application into one account per
region
• Some insight into AWS account and security practices
• How to deploy the cross-account manager solution to
assist in managing role-based access to these accounts
Production application deployment diagram
Application accounts
Corporate data center
AWS backbone
AWS Direct Connect Security account
Master (billing) account
Production application deployment on AWS
• Two accounts: One for the application and one for
security isolation
• The main account is owned by the application team and is
deployed in a single VPC
• The second account is owned by the security team and is
used to audit and control access to the first account and
control network connectivity between the first account and the
on-premises data center
• The accounts are connected using VPC peering and access
is managed by a federated role-based service
How did we arrive at this conclusion?
• Only applies to production, business critical applications,
or logical application groups
• A trade off between one large account and many small
accounts – what is the proper balance?
• Managing multiple accounts simplified with role-based
user federation solution – cross-account manager
solution
Cross-account manager solution
Using AWS
CloudFormation
templates to
create and
manage roles for
a master
account and sub
accounts
How AWS thinks about AWS
• Apply the right levels of control and change
management at the right time
• Automating the creation and management of resources
provides better traceability
• Verification and audit of configuration and access is
critical for production business-critical applications
How AWS thinks about security
• Simple, easily understood security invariants vs. subtle
and complex reasoning
• Historically have been overindexing on prevention
• Bias towards simpler policies and few objects to manage
• Shift to detection and response
• Turn on all logging and visibility features as possible in
the production application account Prevention Detection
ResponseAnalysis
How AWS manages identity and access
• AWS uses an internal tool to manage employee access
to accounts
• Users authenticate to corporate directory
• Uses IAM roles to control access to resources in each
account using AWS STS AssumeRole
• Accounts are flagged as production/nonproduction or
contain customer data – three tiers with progressively
higher levels of control and auditing
How AWS manages usage
• Review application use case and in some cases,
disallow the use of a specific service for sensitive data
• The use of our internal tool does allow us to allow some
sensitive data to be delivered to logs since we are
comfortable that access to the account is controlled
• Use of programmatic tools to quickly determine policy
changes and remediate quickly using those tools
How AWS thinks about VPCs and accounts
• Use separate VPCs or accounts for things that are
clearly separate
• For this case, we chose to use two separate accounts,
one for the business owner and one for a security
gateway
• This doesn’t mean that we would hold hard and fast to
only one account per application but would make that
decision based on similarity of policies, groups, and
routing tables required to protect a group of applications
How AWS thinks about decision making
• Two-way doors vs. one-way doors – policies can be
changed, security groups can be modified, and instance
sizes and counts can be adjusted
• Often it’s better to deploy quickly and adjust rather than
get stuck trying to analyze for the ideal case for too long
How AWS thinks about system design
• “Modality is evil” – a system that works one way when
things are normal and switches to another mode when
there’s a problem
• Example: A system that provisions administrator access
on failure – when it’s more likely that the failure might
keep this from occurring – rather one should provision
admin access all of the time and use other mechanisms
to make sure it’s being used correctly
Flashback to re:Invent 2015
• SEC315 – AWS Directory Service Deep Dive
Fast forward – Cross-account manager solution
• Look familiar?
• Using AWS
CloudFormation
templates to create
and manage roles
for a master
account and sub
accounts.
CloudFormation components
Account onboarding
Role onboarding
Simple HTML access links
Demo
Live demo of solution here
Get started today!
Visit our website -
https://aws.amazon.com/answers/
Launch the solution -
https://aws.amazon.com/answers/account-
management/cross-account-manager
AWS Organizations
• New management capability for centrally managing multiple AWS accounts
- Simplified billing
- Programmatic creation of new AWS accounts
- Logically group AWS accounts for management convenience
- Apply organization control policies (OCP)
• A Consolidated Billing (CB) family automatically migrated to an organization
• All organization management activity is logged in AWS CloudTrail
• An AWS account can be a member of only one organization
• V1 OCP – Control which AWS service APIs accessible in AWS account(s)
• Console, SDK, and CLI support for all management tasks
Available in limited public preview: http://aws.amazon.com/organizations/preview
Related sessions
ARC314 – Enabling Enterprise Migrations: Creating an AWS Landing Zone
ENT203 – Enterprise Fundamentals: Design Your Account and VPC
Architecture for Enterprise Operating Models
SAC319 – Architecting Security and Governance Across a Multi-Account
Strategy
SAC320 – Deep Dive: Implementing Security and Governance Across a
Multi-Account Strategy
SAC323 - Centrally Manage Multiple AWS Accounts with AWS
Organizations
SEC304 – Reduce Your Blast Radius by Using Multiple AWS Accounts Per
Region and Service
Thank you!
Remember to complete
your evaluations!

More Related Content

What's hot

Microsoft Azure Cloud Services
Microsoft Azure Cloud ServicesMicrosoft Azure Cloud Services
Microsoft Azure Cloud Services
David J Rosenthal
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Ping Identity
 
Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900
thisiswali
 
Introduction to AWS Services and Cloud Computing
Introduction to AWS Services and Cloud ComputingIntroduction to AWS Services and Cloud Computing
Introduction to AWS Services and Cloud Computing
Amazon Web Services
 
Cost Optimization on AWS
Cost Optimization on AWSCost Optimization on AWS
Cost Optimization on AWS
Amazon Web Services
 
Data quality and data profiling
Data quality and data profilingData quality and data profiling
Data quality and data profiling
Shailja Khurana
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Amazon Web Services
 
Solutions Architect's Handbook 2nd Edition - Book Review
Solutions Architect's Handbook 2nd Edition - Book ReviewSolutions Architect's Handbook 2nd Edition - Book Review
Solutions Architect's Handbook 2nd Edition - Book Review
Ashraf Fouad
 
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksDeep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Amazon Web Services
 
cloud computing architecture.pptx
cloud computing architecture.pptxcloud computing architecture.pptx
cloud computing architecture.pptx
SourodeepChakraborty3
 
Azure Cloud PPT
Azure Cloud PPTAzure Cloud PPT
Azure Cloud PPT
Aniket Kanitkar
 
AWS 환경에서의 위협 탐지 및 사냥 - 신은수, AWS 솔루션즈 아키텍트:: AWS Summit Online Korea 2020
AWS 환경에서의 위협 탐지 및 사냥 - 신은수, AWS  솔루션즈 아키텍트::  AWS Summit Online Korea 2020AWS 환경에서의 위협 탐지 및 사냥 - 신은수, AWS  솔루션즈 아키텍트::  AWS Summit Online Korea 2020
AWS 환경에서의 위협 탐지 및 사냥 - 신은수, AWS 솔루션즈 아키텍트:: AWS Summit Online Korea 2020
Amazon Web Services Korea
 
Architecting Security & Governance across Your AWS Landing Zone - SEC301 - An...
Architecting Security & Governance across Your AWS Landing Zone - SEC301 - An...Architecting Security & Governance across Your AWS Landing Zone - SEC301 - An...
Architecting Security & Governance across Your AWS Landing Zone - SEC301 - An...
Amazon Web Services
 
Optimizing Total Cost of Ownership for the AWS Cloud
Optimizing Total Cost of Ownership for the AWS CloudOptimizing Total Cost of Ownership for the AWS Cloud
Optimizing Total Cost of Ownership for the AWS Cloud
Amazon Web Services
 
Azure Training + Certification Guide.pdf
Azure Training + Certification Guide.pdfAzure Training + Certification Guide.pdf
Azure Training + Certification Guide.pdf
AnonymousN22tyB6UN
 
Kubernetes on AWS with Amazon EKS
Kubernetes on AWS with Amazon EKSKubernetes on AWS with Amazon EKS
Kubernetes on AWS with Amazon EKS
Amazon Web Services
 
IaaS, SaaS, PasS : Cloud Computing
IaaS, SaaS, PasS : Cloud ComputingIaaS, SaaS, PasS : Cloud Computing
IaaS, SaaS, PasS : Cloud Computing
Software Park Thailand
 
What is AWS | AWS Certified Solutions Architect | AWS Tutorial | AWS Training...
What is AWS | AWS Certified Solutions Architect | AWS Tutorial | AWS Training...What is AWS | AWS Certified Solutions Architect | AWS Tutorial | AWS Training...
What is AWS | AWS Certified Solutions Architect | AWS Tutorial | AWS Training...
Edureka!
 
AWS Cloud Adoption Framework and Workshops
AWS Cloud Adoption Framework and WorkshopsAWS Cloud Adoption Framework and Workshops
AWS Cloud Adoption Framework and Workshops
Tom Laszewski
 

What's hot (20)

Microsoft Azure Cloud Services
Microsoft Azure Cloud ServicesMicrosoft Azure Cloud Services
Microsoft Azure Cloud Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
 
Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900
 
Introduction to AWS Services and Cloud Computing
Introduction to AWS Services and Cloud ComputingIntroduction to AWS Services and Cloud Computing
Introduction to AWS Services and Cloud Computing
 
Cost Optimization on AWS
Cost Optimization on AWSCost Optimization on AWS
Cost Optimization on AWS
 
Data quality and data profiling
Data quality and data profilingData quality and data profiling
Data quality and data profiling
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
 
Solutions Architect's Handbook 2nd Edition - Book Review
Solutions Architect's Handbook 2nd Edition - Book ReviewSolutions Architect's Handbook 2nd Edition - Book Review
Solutions Architect's Handbook 2nd Edition - Book Review
 
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksDeep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
 
cloud computing architecture.pptx
cloud computing architecture.pptxcloud computing architecture.pptx
cloud computing architecture.pptx
 
Azure Cloud PPT
Azure Cloud PPTAzure Cloud PPT
Azure Cloud PPT
 
AWS 환경에서의 위협 탐지 및 사냥 - 신은수, AWS 솔루션즈 아키텍트:: AWS Summit Online Korea 2020
AWS 환경에서의 위협 탐지 및 사냥 - 신은수, AWS  솔루션즈 아키텍트::  AWS Summit Online Korea 2020AWS 환경에서의 위협 탐지 및 사냥 - 신은수, AWS  솔루션즈 아키텍트::  AWS Summit Online Korea 2020
AWS 환경에서의 위협 탐지 및 사냥 - 신은수, AWS 솔루션즈 아키텍트:: AWS Summit Online Korea 2020
 
Architecting Security & Governance across Your AWS Landing Zone - SEC301 - An...
Architecting Security & Governance across Your AWS Landing Zone - SEC301 - An...Architecting Security & Governance across Your AWS Landing Zone - SEC301 - An...
Architecting Security & Governance across Your AWS Landing Zone - SEC301 - An...
 
Optimizing Total Cost of Ownership for the AWS Cloud
Optimizing Total Cost of Ownership for the AWS CloudOptimizing Total Cost of Ownership for the AWS Cloud
Optimizing Total Cost of Ownership for the AWS Cloud
 
Azure Training + Certification Guide.pdf
Azure Training + Certification Guide.pdfAzure Training + Certification Guide.pdf
Azure Training + Certification Guide.pdf
 
Kubernetes on AWS with Amazon EKS
Kubernetes on AWS with Amazon EKSKubernetes on AWS with Amazon EKS
Kubernetes on AWS with Amazon EKS
 
IaaS, SaaS, PasS : Cloud Computing
IaaS, SaaS, PasS : Cloud ComputingIaaS, SaaS, PasS : Cloud Computing
IaaS, SaaS, PasS : Cloud Computing
 
What is AWS | AWS Certified Solutions Architect | AWS Tutorial | AWS Training...
What is AWS | AWS Certified Solutions Architect | AWS Tutorial | AWS Training...What is AWS | AWS Certified Solutions Architect | AWS Tutorial | AWS Training...
What is AWS | AWS Certified Solutions Architect | AWS Tutorial | AWS Training...
 
AWS Cloud Adoption Framework and Workshops
AWS Cloud Adoption Framework and WorkshopsAWS Cloud Adoption Framework and Workshops
AWS Cloud Adoption Framework and Workshops
 

Viewers also liked

AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...
AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...
AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...
Amazon Web Services
 
AWS re:Invent 2016: Enterprise Fundamentals: Design Your Account and VPC Arch...
AWS re:Invent 2016: Enterprise Fundamentals: Design Your Account and VPC Arch...AWS re:Invent 2016: Enterprise Fundamentals: Design Your Account and VPC Arch...
AWS re:Invent 2016: Enterprise Fundamentals: Design Your Account and VPC Arch...
Amazon Web Services
 
AWS Account Best Practices
AWS Account Best PracticesAWS Account Best Practices
AWS Account Best Practices
Amazon Web Services
 
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
Amazon Web Services
 
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
Amazon Web Services
 
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
Amazon Web Services
 
(ARC403) From One To Many: Evolving VPC Design
(ARC403) From One To Many: Evolving VPC Design(ARC403) From One To Many: Evolving VPC Design
(ARC403) From One To Many: Evolving VPC Design
Amazon Web Services
 
From One to Many: Evolving VPC Design
From One to Many: Evolving VPC DesignFrom One to Many: Evolving VPC Design
From One to Many: Evolving VPC Design
Amazon Web Services
 
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
Amazon Web Services
 
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
Amazon Web Services
 
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
Amazon Web Services
 
Introduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best PracticesIntroduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best Practices
Gary Silverman
 
AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...
AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...
AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...
Amazon Web Services
 
AWS re:Invent 2016: Introduction to Managed Database Services on AWS (DAT307)
AWS re:Invent 2016: Introduction to Managed Database Services on AWS (DAT307)AWS re:Invent 2016: Introduction to Managed Database Services on AWS (DAT307)
AWS re:Invent 2016: Introduction to Managed Database Services on AWS (DAT307)
Amazon Web Services
 
AWS re:Invent 2016: Moving Mission Critical Apps from One Region to Multi-Reg...
AWS re:Invent 2016: Moving Mission Critical Apps from One Region to Multi-Reg...AWS re:Invent 2016: Moving Mission Critical Apps from One Region to Multi-Reg...
AWS re:Invent 2016: Moving Mission Critical Apps from One Region to Multi-Reg...
Amazon Web Services
 
AWS re:Invent 2016: Automated Governance of Your AWS Resources (DEV302)
AWS re:Invent 2016: Automated Governance of Your AWS Resources (DEV302)AWS re:Invent 2016: Automated Governance of Your AWS Resources (DEV302)
AWS re:Invent 2016: Automated Governance of Your AWS Resources (DEV302)
Amazon Web Services
 
AWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan NaydenovAWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan Naydenov
Bogdan Naydenov
 
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
Amazon Web Services
 
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
Amazon Web Services
 
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
Amazon Web Services
 

Viewers also liked (20)

AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...
AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...
AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...
 
AWS re:Invent 2016: Enterprise Fundamentals: Design Your Account and VPC Arch...
AWS re:Invent 2016: Enterprise Fundamentals: Design Your Account and VPC Arch...AWS re:Invent 2016: Enterprise Fundamentals: Design Your Account and VPC Arch...
AWS re:Invent 2016: Enterprise Fundamentals: Design Your Account and VPC Arch...
 
AWS Account Best Practices
AWS Account Best PracticesAWS Account Best Practices
AWS Account Best Practices
 
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
 
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
AWS re:Invent 2016: Creating Your Virtual Data Center: VPC Fundamentals and C...
 
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
AWS re:Invent 2016: From One to Many: Evolving VPC Design (ARC302)
 
(ARC403) From One To Many: Evolving VPC Design
(ARC403) From One To Many: Evolving VPC Design(ARC403) From One To Many: Evolving VPC Design
(ARC403) From One To Many: Evolving VPC Design
 
From One to Many: Evolving VPC Design
From One to Many: Evolving VPC DesignFrom One to Many: Evolving VPC Design
From One to Many: Evolving VPC Design
 
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
 
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
Selecting the Best VPC Network Architecture (CPN208) | AWS re:Invent 2013
 
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
 
Introduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best PracticesIntroduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best Practices
 
AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...
AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...
AWS re:Invent 2016: Extending Datacenters to the Cloud: Connectivity Options ...
 
AWS re:Invent 2016: Introduction to Managed Database Services on AWS (DAT307)
AWS re:Invent 2016: Introduction to Managed Database Services on AWS (DAT307)AWS re:Invent 2016: Introduction to Managed Database Services on AWS (DAT307)
AWS re:Invent 2016: Introduction to Managed Database Services on AWS (DAT307)
 
AWS re:Invent 2016: Moving Mission Critical Apps from One Region to Multi-Reg...
AWS re:Invent 2016: Moving Mission Critical Apps from One Region to Multi-Reg...AWS re:Invent 2016: Moving Mission Critical Apps from One Region to Multi-Reg...
AWS re:Invent 2016: Moving Mission Critical Apps from One Region to Multi-Reg...
 
AWS re:Invent 2016: Automated Governance of Your AWS Resources (DEV302)
AWS re:Invent 2016: Automated Governance of Your AWS Resources (DEV302)AWS re:Invent 2016: Automated Governance of Your AWS Resources (DEV302)
AWS re:Invent 2016: Automated Governance of Your AWS Resources (DEV302)
 
AWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan NaydenovAWS VPC best practices 2016 by Bogdan Naydenov
AWS VPC best practices 2016 by Bogdan Naydenov
 
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
 
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
High Availability Application Architectures in Amazon VPC (ARC202) | AWS re:I...
 
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
 

Similar to AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service (SEC304)

Governance at Scale
Governance at Scale Governance at Scale
Governance at Scale
Amazon Web Services
 
Governance @ Scale: Compliance Automation in AWS | AWS Public Sector Summit 2017
Governance @ Scale: Compliance Automation in AWS | AWS Public Sector Summit 2017Governance @ Scale: Compliance Automation in AWS | AWS Public Sector Summit 2017
Governance @ Scale: Compliance Automation in AWS | AWS Public Sector Summit 2017
Amazon Web Services
 
Using AWS Organizations to Ensure Compliance in Your Cloud
Using AWS Organizations to Ensure Compliance in Your CloudUsing AWS Organizations to Ensure Compliance in Your Cloud
Using AWS Organizations to Ensure Compliance in Your Cloud
Amazon Web Services
 
AWS Landing Zone - Architecting Security and Governance.pptx
AWS Landing Zone - Architecting Security and Governance.pptxAWS Landing Zone - Architecting Security and Governance.pptx
AWS Landing Zone - Architecting Security and Governance.pptx
Akesh Patil
 
AWS Cloud organizations presentation
AWS Cloud organizations presentationAWS Cloud organizations presentation
AWS Cloud organizations presentation
TATA LILIAN SHULIKA
 
Benefits of Cloud Computing
Benefits of Cloud ComputingBenefits of Cloud Computing
Benefits of Cloud Computing
Amazon Web Services
 
ENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New LaunchesENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New Launches
Amazon Web Services
 
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxTrack 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Amazon Web Services
 
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptxSteve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
AWS Chicago
 
ENT302 Deep Dive on AWS Management Tools
ENT302 Deep Dive on AWS Management Tools ENT302 Deep Dive on AWS Management Tools
ENT302 Deep Dive on AWS Management Tools
Amazon Web Services
 
Managing your AWS Organization using org-formation
Managing your AWS Organization using org-formationManaging your AWS Organization using org-formation
Managing your AWS Organization using org-formation
Olaf Conijn
 
Windsor AWS UG Deep Dive - AWS Organizations
Windsor AWS UG  Deep Dive - AWS OrganizationsWindsor AWS UG  Deep Dive - AWS Organizations
Windsor AWS UG Deep Dive - AWS Organizations
Goran Karmisevic
 
Mastering AWS Organizations with Infrastructure as code
Mastering AWS Organizations with Infrastructure as codeMastering AWS Organizations with Infrastructure as code
Mastering AWS Organizations with Infrastructure as code
Yan Cui
 
Aws organizations
Aws organizationsAws organizations
Aws organizations
Olaf Conijn
 
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Amazon Web Services
 
AWS Organizations & Service Control Policy
AWS Organizations & Service Control PolicyAWS Organizations & Service Control Policy
AWS Organizations & Service Control Policy
Bhuvaneswari Subramani
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Amazon Web Services
 
Controlling Access to your Resources
Controlling Access to your ResourcesControlling Access to your Resources
Controlling Access to your Resources
Amazon Web Services
 
Raleigh DevDay 2017: Deep Dive on AWS Management Tools
Raleigh DevDay 2017: Deep Dive on AWS Management ToolsRaleigh DevDay 2017: Deep Dive on AWS Management Tools
Raleigh DevDay 2017: Deep Dive on AWS Management Tools
Amazon Web Services
 
Raleigh DevDay 2017: Are you well architected learn best practices to build r...
Raleigh DevDay 2017: Are you well architected learn best practices to build r...Raleigh DevDay 2017: Are you well architected learn best practices to build r...
Raleigh DevDay 2017: Are you well architected learn best practices to build r...
Amazon Web Services
 

Similar to AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service (SEC304) (20)

Governance at Scale
Governance at Scale Governance at Scale
Governance at Scale
 
Governance @ Scale: Compliance Automation in AWS | AWS Public Sector Summit 2017
Governance @ Scale: Compliance Automation in AWS | AWS Public Sector Summit 2017Governance @ Scale: Compliance Automation in AWS | AWS Public Sector Summit 2017
Governance @ Scale: Compliance Automation in AWS | AWS Public Sector Summit 2017
 
Using AWS Organizations to Ensure Compliance in Your Cloud
Using AWS Organizations to Ensure Compliance in Your CloudUsing AWS Organizations to Ensure Compliance in Your Cloud
Using AWS Organizations to Ensure Compliance in Your Cloud
 
AWS Landing Zone - Architecting Security and Governance.pptx
AWS Landing Zone - Architecting Security and Governance.pptxAWS Landing Zone - Architecting Security and Governance.pptx
AWS Landing Zone - Architecting Security and Governance.pptx
 
AWS Cloud organizations presentation
AWS Cloud organizations presentationAWS Cloud organizations presentation
AWS Cloud organizations presentation
 
Benefits of Cloud Computing
Benefits of Cloud ComputingBenefits of Cloud Computing
Benefits of Cloud Computing
 
ENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New LaunchesENT302 Deep Dive on AWS Management Tools and New Launches
ENT302 Deep Dive on AWS Management Tools and New Launches
 
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxTrack 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
 
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptxSteve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
 
ENT302 Deep Dive on AWS Management Tools
ENT302 Deep Dive on AWS Management Tools ENT302 Deep Dive on AWS Management Tools
ENT302 Deep Dive on AWS Management Tools
 
Managing your AWS Organization using org-formation
Managing your AWS Organization using org-formationManaging your AWS Organization using org-formation
Managing your AWS Organization using org-formation
 
Windsor AWS UG Deep Dive - AWS Organizations
Windsor AWS UG  Deep Dive - AWS OrganizationsWindsor AWS UG  Deep Dive - AWS Organizations
Windsor AWS UG Deep Dive - AWS Organizations
 
Mastering AWS Organizations with Infrastructure as code
Mastering AWS Organizations with Infrastructure as codeMastering AWS Organizations with Infrastructure as code
Mastering AWS Organizations with Infrastructure as code
 
Aws organizations
Aws organizationsAws organizations
Aws organizations
 
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
 
AWS Organizations & Service Control Policy
AWS Organizations & Service Control PolicyAWS Organizations & Service Control Policy
AWS Organizations & Service Control Policy
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 
Controlling Access to your Resources
Controlling Access to your ResourcesControlling Access to your Resources
Controlling Access to your Resources
 
Raleigh DevDay 2017: Deep Dive on AWS Management Tools
Raleigh DevDay 2017: Deep Dive on AWS Management ToolsRaleigh DevDay 2017: Deep Dive on AWS Management Tools
Raleigh DevDay 2017: Deep Dive on AWS Management Tools
 
Raleigh DevDay 2017: Are you well architected learn best practices to build r...
Raleigh DevDay 2017: Are you well architected learn best practices to build r...Raleigh DevDay 2017: Are you well architected learn best practices to build r...
Raleigh DevDay 2017: Are you well architected learn best practices to build r...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
Shiv Technolabs
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
Ivanti
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
Axel Rennoch
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 

Recently uploaded (20)

The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 

AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service (SEC304)

  • 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Bryan Miller Solutions Builder, Amazon Web Services November 29, 2016 Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service SEC304
  • 2. What to expect from the session • How AWS manages multiple accounts and how customers can leverage multiple AWS accounts to manage security and reduce the blast radius by deploying a single application into one account per region • Some insight into AWS account and security practices • How to deploy the cross-account manager solution to assist in managing role-based access to these accounts
  • 3. Production application deployment diagram Application accounts Corporate data center AWS backbone AWS Direct Connect Security account Master (billing) account
  • 4. Production application deployment on AWS • Two accounts: One for the application and one for security isolation • The main account is owned by the application team and is deployed in a single VPC • The second account is owned by the security team and is used to audit and control access to the first account and control network connectivity between the first account and the on-premises data center • The accounts are connected using VPC peering and access is managed by a federated role-based service
  • 5. How did we arrive at this conclusion? • Only applies to production, business critical applications, or logical application groups • A trade off between one large account and many small accounts – what is the proper balance? • Managing multiple accounts simplified with role-based user federation solution – cross-account manager solution
  • 6. Cross-account manager solution Using AWS CloudFormation templates to create and manage roles for a master account and sub accounts
  • 7. How AWS thinks about AWS • Apply the right levels of control and change management at the right time • Automating the creation and management of resources provides better traceability • Verification and audit of configuration and access is critical for production business-critical applications
  • 8. How AWS thinks about security • Simple, easily understood security invariants vs. subtle and complex reasoning • Historically have been overindexing on prevention • Bias towards simpler policies and few objects to manage • Shift to detection and response • Turn on all logging and visibility features as possible in the production application account Prevention Detection ResponseAnalysis
  • 9. How AWS manages identity and access • AWS uses an internal tool to manage employee access to accounts • Users authenticate to corporate directory • Uses IAM roles to control access to resources in each account using AWS STS AssumeRole • Accounts are flagged as production/nonproduction or contain customer data – three tiers with progressively higher levels of control and auditing
  • 10. How AWS manages usage • Review application use case and in some cases, disallow the use of a specific service for sensitive data • The use of our internal tool does allow us to allow some sensitive data to be delivered to logs since we are comfortable that access to the account is controlled • Use of programmatic tools to quickly determine policy changes and remediate quickly using those tools
  • 11. How AWS thinks about VPCs and accounts • Use separate VPCs or accounts for things that are clearly separate • For this case, we chose to use two separate accounts, one for the business owner and one for a security gateway • This doesn’t mean that we would hold hard and fast to only one account per application but would make that decision based on similarity of policies, groups, and routing tables required to protect a group of applications
  • 12. How AWS thinks about decision making • Two-way doors vs. one-way doors – policies can be changed, security groups can be modified, and instance sizes and counts can be adjusted • Often it’s better to deploy quickly and adjust rather than get stuck trying to analyze for the ideal case for too long
  • 13. How AWS thinks about system design • “Modality is evil” – a system that works one way when things are normal and switches to another mode when there’s a problem • Example: A system that provisions administrator access on failure – when it’s more likely that the failure might keep this from occurring – rather one should provision admin access all of the time and use other mechanisms to make sure it’s being used correctly
  • 14. Flashback to re:Invent 2015 • SEC315 – AWS Directory Service Deep Dive
  • 15. Fast forward – Cross-account manager solution • Look familiar? • Using AWS CloudFormation templates to create and manage roles for a master account and sub accounts.
  • 20. Demo Live demo of solution here
  • 21. Get started today! Visit our website - https://aws.amazon.com/answers/ Launch the solution - https://aws.amazon.com/answers/account- management/cross-account-manager
  • 22. AWS Organizations • New management capability for centrally managing multiple AWS accounts - Simplified billing - Programmatic creation of new AWS accounts - Logically group AWS accounts for management convenience - Apply organization control policies (OCP) • A Consolidated Billing (CB) family automatically migrated to an organization • All organization management activity is logged in AWS CloudTrail • An AWS account can be a member of only one organization • V1 OCP – Control which AWS service APIs accessible in AWS account(s) • Console, SDK, and CLI support for all management tasks Available in limited public preview: http://aws.amazon.com/organizations/preview
  • 23. Related sessions ARC314 – Enabling Enterprise Migrations: Creating an AWS Landing Zone ENT203 – Enterprise Fundamentals: Design Your Account and VPC Architecture for Enterprise Operating Models SAC319 – Architecting Security and Governance Across a Multi-Account Strategy SAC320 – Deep Dive: Implementing Security and Governance Across a Multi-Account Strategy SAC323 - Centrally Manage Multiple AWS Accounts with AWS Organizations SEC304 – Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service