© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using AWS Control Tower to govern multi-account AWS environments at scale
GRC313-R1
Chandar Venkataraman, Director, New Enterprise Initiative, AWS
Mahdi Sajjadpour, Principal BD Manager, AWS
Balancing the needs of builders and central cloud IT
• Builders: Stay agile. Innovate with the speed and agility of AWS.
• Cloud IT: Establish governance. Govern at scale with central controls.
Business agility and governance control
Governance
Agility
• Self-service access
• Experiment fast
• Respond quickly to change
AWS Control Tower: Easiest way to set up and govern AWS at scale
Enable, Provision, Operate
Business agility + governance control

Enable for governance at scale
Enable governance
• Set up an AWS landing zone
• Establish guardrails for governance
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
Set up an AWS landing zone
• Landing zone: a preconfigured, secure, scalable, multi-account AWS environment based on best-practice blueprints
• Multi-account management using AWS Organizations
• Identity and federated access management using AWS SSO
• Centralized log archive using AWS CloudTrail and AWS Config
• Cross-account audit access using AWS SSO and AWS IAM
• End user account provisioning through AWS Service Catalog
• Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS
Diagram: Master account (AWS Control Tower, AWS Organizations, AWS Single Sign-On, stack sets, AWS Service Catalog) with an AWS SSO directory. Core OU: Log archive account (aggregates AWS CloudTrail and AWS Config logs; account baseline) and Audit account (security cross-account roles; account baseline; Amazon CloudWatch aggregator; security notifications). Custom OU: provisioned accounts (network baseline; account baseline).
Multi-account architecture
• Master account: designation of your existing account to create a new organization. Also your master payer account
• Organization consists of 2 OUs with pre-configured accounts:
  • Core OU: AWS Control Tower-created accounts, i.e., Audit account and Log archive account
  • Custom OU: Your provisioned accounts
Diagram: Master account (AWS Organizations); Core OU with Log archive account and Audit account; Custom OU with provisioned accounts.
Centralize identity and access
• AWS SSO provides a default directory for identity
• AWS SSO also enables federated access management across all accounts in your organization
• Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users)
• Preconfigured permission sets (e.g., admin, read-only, write)
• Option to integrate with your managed or on-premises Active Directory (AD)
Establish guardrails
• Guardrails are preconfigured governance rules for security, compliance, and operations
• Expressed in plain English to provide abstraction over granular AWS policies
• Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs
• Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules
• Mandatory and strongly recommended guardrails for prescriptive guidance
• Easy selection and enablement on organizational units
Diagram: a guardrail is enabled on organizational units and applied to their accounts. A preventive guardrail maps to granular AWS policies (an SCP) and its output is "always compliant"; detective/remediable guardrails map to granular AWS policies (AWS Config rules) and their output is "compliant" or "non-compliant".
Guardrail examples (goal/category: example)
• IAM security: Require MFA for root user
• Data security: Disallow public read access to Amazon S3 buckets
• Network security: Disallow internet connection via Remote Desktop Protocol (RDP)
• Audit logs: Enable AWS CloudTrail and AWS Config
• Monitoring: Enable AWS CloudTrail integration with Amazon CloudWatch
• Encryption: Ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances
• Drift: Disallow changes to AWS Config rules set up by AWS Control Tower
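As an added illustration of the two guardrail mechanisms just described (this is not code from the slides or from AWS Control Tower itself), the block below evaluates a constructed SCP modelled on the "Drift" guardrail against sample API calls, then evaluates a simplified Config-style version of the "Data security" guardrail over constructed bucket records. The AWSControlTowerExecution role name in the condition, the account ids and the bucket records are assumptions made for the example.

```python
"""Preventive vs. detective guardrails as a small offline model.
Added example, not AWS's or Control Tower's own code.  The SCP is modelled
on the slide's "Drift" guardrail (disallow changes to the AWS Config rules
Control Tower set up); the detective rule is a simplified model of the
"Data security" guardrail (disallow public read access to S3 buckets).
Role name, account ids and bucket records are constructed."""
import fnmatch

# Preventive guardrail: one SCP Deny statement.  Assumption: Control Tower's
# own automation acts through a role named AWSControlTowerExecution, which
# the ArnNotLike condition exempts from the Deny.
DRIFT_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "config:PutConfigRule",
            "config:DeleteConfigRule",
            "config:DeleteEvaluationResults",
            "config:PutConfigurationAggregator",
            "config:DeleteConfigurationAggregator",
        ],
        "Resource": "*",
        "Condition": {"ArnNotLike": {
            "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}},
    }],
}


def _action_matches(pattern, action):
    """IAM action names match case-insensitively with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(scp, action, principal_arn):
    """True if a Deny statement in `scp` applies to this call.
    Covers the subset of SCP grammar used above: Action (string or list,
    with wildcards), Resource "*", and ArnNotLike on aws:PrincipalARN.
    SCPs only remove permissions: a call no Deny matches is not blocked by
    this guardrail, and the account's own IAM policies still decide it."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        # ArnNotLike: the statement applies only when the caller does NOT match.
        if exempt is not None and fnmatch.fnmatchcase(principal_arn, exempt):
            continue
        return True
    return False


# Detective guardrail: a Config-style rule over constructed bucket records
# (ACL grantees plus the bucket's Block Public Access settings).
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}
SAMPLE_BUCKETS = [
    {"name": "example-log-archive", "acl_grantees": ["owner"],
     "block_public_access": {"BlockPublicAcls": True, "IgnorePublicAcls": True}},
    {"name": "example-marketing-site", "acl_grantees": ["owner", "AllUsers"],
     "block_public_access": {}},
    {"name": "example-legacy-share", "acl_grantees": ["AuthenticatedUsers"],
     "block_public_access": {"BlockPublicAcls": True, "IgnorePublicAcls": True}},
]


def evaluate_public_read(buckets):
    """Return {bucket_name: "COMPLIANT" | "NON_COMPLIANT"}, the per-resource
    verdict a Config rule reports to the dashboard.  Simplified: non-compliant
    when the ACL grants a public group and Block Public Access is not ignoring
    public ACLs; bucket policies, which a real rule also checks, are omitted."""
    results = {}
    for bucket in buckets:
        bpa = bucket.get("block_public_access", {})
        acls_ignored = bool(bpa.get("IgnorePublicAcls"))
        public_acl = any(g in PUBLIC_GRANTEES for g in bucket.get("acl_grantees", []))
        compliant = acls_ignored or not public_acl
        results[bucket["name"]] = "COMPLIANT" if compliant else "NON_COMPLIANT"
    return results


if __name__ == "__main__":
    dev = "arn:aws:iam::111111111111:role/Developer"  # constructed account id
    ct = "arn:aws:iam::111111111111:role/AWSControlTowerExecution"
    for who in (dev, ct):
        denied = scp_denies(DRIFT_GUARDRAIL_SCP, "config:DeleteConfigRule", who)
        print(f"{who}: config:DeleteConfigRule denied = {denied}")
    for name, status in evaluate_public_read(SAMPLE_BUCKETS).items():
        print(f"{name}: {status}")
```

The preventive path returns a single yes/no before the call happens, which is why the diagram labels it "always compliant"; the detective path can only report a verdict after the resource already exists.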
Automate compliant account provisioning
• Built-in account factory provides a template to standardize account provisioning
• Configurable network settings (e.g., subnets, IP addresses)
• Automatic enforcement of account baselines and guardrails
• Published to AWS Service Catalog
Diagram: Account factory inputs (network baseline, network CIDR, network regions, OU, account baseline) are published as an AWS Service Catalog product; launching it creates a new AWS account with the network baseline, account baseline, and guardrails applied.
AWS Control Tower: Easiest way to set up and govern at scale
Enable, Provision, Operate
Business agility + governance control
Self-service account provisioning in AWS Service Catalog
Users can configure and provision AWS accounts and resources without needing full privileges to AWS services (e.g., Amazon EC2, Amazon RDS)
AWS Control Tower: Easiest way to set up and govern at scale
Enable, Provision, Operate
Business agility + governance control
Operate with agility + control
• Dashboard: continuous visibility into your multi-account environment
• Act: take operational action on resources
• Audit: audit resource configurations, user access, and policy enforcement
• Monitor: monitor resources and workloads
Dashboard for oversight
Challenge, solution, benefits: Slalom automates an AWS landing zone and bootstraps new accounts with AWS best practices using AWS Control Tower
Pricing and availability
Available in US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland)
Why use AWS Control Tower?
Set up a best-practices AWS environment in a few clicks
Summary of key features
Thank you!
Chandar Venkataraman
Mahdi Sajjadpour

Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Using AWS Control Tower to govern multi-account AWS environments at scale - GRC313-R - AWS re:Inforce 2019

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Using AWS Control Tower to govern multi-account AWS environments at scale. GRC313-R1. Chandar Venkataraman, Director, New Enterprise Initiative, AWS. Mahdi Sajjadpour, Principal BD Manager, AWS.
  • 2. Balancing the needs of builders and central cloud IT
    • Builders: Stay agile. Innovate with the speed and agility of AWS
    • Cloud IT: Establish governance. Govern at scale with central controls
  • 3. Business agility and governance control: Governance and Agility. Self-service access; experiment fast; respond quickly to change
  • 4. AWS Control Tower: Easiest way to set up and govern AWS at scale. Enable, Provision, Operate. Business agility + governance control
  • 5. Enable: Enable for governance at scale
  • 6. Enable governance: Set up an AWS landing zone; establish guardrails for governance; automate compliant account provisioning; centralize identity and access; manage continuously
  • 7. Set up an AWS landing zone
    • Landing zone: a preconfigured, secure, scalable, multi-account AWS environment based on best practice blueprints
    • Multi-account management using AWS Organizations
    • Identity and federated access management using AWS SSO
    • Centralized log archive using AWS CloudTrail and AWS Config
    • Cross-account audit access using AWS SSO and AWS IAM
    • End user account provisioning through AWS Service Catalog
    • Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS
    (Architecture diagram: the master account runs AWS Control Tower, AWS Organizations, AWS Single Sign-On with its AWS SSO directory, stack sets and AWS Service Catalog; the Core OU holds the Log archive account (aggregate AWS CloudTrail and AWS Config logs, account baseline) and the Audit account (security cross-account roles, Amazon CloudWatch aggregator, security notifications, account baseline); the Custom OU holds the provisioned accounts with a network baseline and an account baseline.)
  • 8. Multi-account architecture
    • Master account: designation of your existing account to create a new organization. Also your master payer account
    • Organization consists of 2 OUs with pre-configured accounts:
      • Core OU: AWS Control Tower-created accounts, i.e., Audit account and Log archive account
      • Custom OU: Your provisioned accounts
    (Diagram: master account with AWS Organizations; Core OU containing the Log archive account and Audit account; Custom OU containing the provisioned accounts.)
  • 9. Centralize identity and access
    • AWS SSO provides default directory for identity
    • AWS SSO also enables federated access management across all accounts in your organization
    • Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users)
    • Preconfigured permission sets (e.g., admin, read-only, write)
    • Option to integrate with your managed or on-premises Active Directory (AD)
  • 10. Establish guardrails
    • Guardrails are preconfigured governance rules for security, compliance, and operations
    • Expressed in plain English to provide abstraction over granular AWS policies
    • Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs
    • Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules
    • Mandatory and strongly recommended guardrails for prescriptive guidance
    • Easy selection and enablement on organizational units
    (Diagram: a guardrail is enabled on organizational units and applies to their accounts; a preventive guardrail expands into granular AWS policies (SCPs) whose output is "Always compliant"; a detective/remediable guardrail expands into granular AWS policies (AWS Config rules) whose output is "Compliant" or "Non-compliant".)
  • 11. Guardrail examples (goal/category: example)
    • IAM security: Require MFA for root user
    • Data security: Disallow public read access to Amazon S3 buckets
    • Network security: Disallow internet connection via Remote Desktop Protocol (RDP)
    • Audit logs: Enable AWS CloudTrail and AWS Config
    • Monitoring: Enable AWS CloudTrail integration with Amazon CloudWatch
    • Encryption: Ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances
    • Drift: Disallow changes to AWS Config rules set up by AWS Control Tower
  • 12. Automate compliant account provisioning
    • Built-in account factory provides a template to standardize account provisioning
    • Configurable network settings (e.g., subnets, IP addresses)
    • Automatic enforcement of account baselines and guardrails
    • Published to AWS Service Catalog
    (Diagram: the account factory takes a network baseline (network CIDR, network regions), an OU and an account baseline, publishes an AWS Service Catalog product, and provisioning that product yields a new AWS account with the network baseline, account baseline and guardrails applied.)
  • 13. AWS Control Tower: Easiest way to set up and govern at scale. Enable, Provision, Operate. Business agility + governance control
  • 14. Self-service account provisioning in AWS Service Catalog. Users can configure and provision AWS accounts and resources without needing full privileges to AWS services (e.g., Amazon EC2, Amazon RDS)
  • 15. AWS Control Tower: Easiest way to set up and govern at scale. Enable, Provision, Operate. Business agility + governance control
  • 16. Operate with agility + control
    • Dashboard: Continuous visibility into your multi-account environment
    • Act: Take operational action on resources
    • Audit: Audit resource configurations, user access, and policy enforcement
    • Monitor: Monitor resources and workloads
  • 17. Dashboard for oversight
  • 18. (no slide text)
  • 19. Challenge / Solution / Benefits: Slalom automates an AWS landing zone and bootstraps new accounts with AWS best practices using AWS Control Tower
  • 20. Pricing and availability: US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland)
  • 21. Why use AWS Control Tower? Set up a best-practices AWS environment in a few clicks
  • 22. Summary of key features
  • 23. Thank you! Chandar Venkataraman, Mahdi Sajjadpour
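Slide 10 says preventive guardrails are enforced with SCPs, and slide 11 lists "Disallow changes to AWS Config rules set up by AWS Control Tower" as the drift example. The following is an added example, not code from the deck or from the AWS Control Tower service: a hypothetical reconstruction of such an SCP (the statement the service actually deploys may differ; the exempted role name AWSControlTowerExecution and the `config:` actions are assumptions) together with a small evaluator that implements just enough of the IAM policy grammar to show why an explicit Deny with an ArnNotLike condition blocks everyone except the exempted role.

```python
"""Preventive guardrail modelled as an SCP explicit deny.

Added example; not the deck's content nor the SCP AWS Control Tower deploys.
The evaluator supports only the policy grammar the statement needs: the Deny
effect, '*'/'?' action wildcards, and the ArnLike/ArnNotLike and
StringEquals/StringNotEquals/StringLike/StringNotLike condition operators.
"""
import fnmatch

# Hypothetical guardrail SCP (assumption; the shipped statement may differ).
CONFIG_PROTECTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyConfigChangesExceptControlTower",
        "Effect": "Deny",
        "Action": [
            "config:DeleteConfigRule",
            "config:DeleteConfigurationRecorder",
            "config:DeleteDeliveryChannel",
            "config:StopConfigurationRecorder",
            "config:PutConfigRule",
        ],
        "Resource": "*",
        # Only the Control Tower execution role in each account is exempt.
        "Condition": {"ArnNotLike": {
            "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, exact=False):
    """IAM wildcard match: '*' and '?' are the only metacharacters."""
    return pattern == value if exact else fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Every operator/key pair must hold. Unsupported operators raise rather
    than silently letting a call through."""
    supported = ("ArnLike", "ArnNotLike", "StringLike", "StringNotLike",
                 "StringEquals", "StringNotEquals")
    for operator, pairs in condition.items():
        if operator not in supported:
            raise ValueError(f"unsupported condition operator: {operator}")
        exact = operator.endswith("Equals")
        negated = "Not" in operator
        for key, patterns in pairs.items():
            value = context.get(key)
            matched = value is not None and any(
                _matches(p, value, exact) for p in _as_list(patterns))
            # Positive operators need a match; negated ones need no match
            # (so a missing context key satisfies a negated operator, as in IAM).
            if matched == negated:
                return False
    return True


def scp_denies(policy, action, principal_arn):
    """True when an explicit Deny in `policy` covers `action` for this principal.

    A call also needs an Allow path through every SCP in the hierarchy to
    succeed; this function answers only whether the guardrail's Deny blocks it.
    """
    context = {"aws:PrincipalARN": principal_arn} if principal_arn else {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:role/Developer"  # constructed ARN
    ct = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
    for who, act in [(dev, "config:DeleteConfigRule"),
                     (ct, "config:DeleteConfigRule"),
                     (dev, "config:DescribeConfigRules")]:
        print(f"{who.split('/')[-1]:26} {act:30} "
              f"denied={scp_denies(CONFIG_PROTECTION_SCP, act, who)}")
```

The evaluator deliberately fails closed on condition operators it does not model: a guardrail checker that quietly treats an unknown operator as "condition not met" would report a Deny as absent, which is the wrong direction for a control whose whole purpose is drift prevention.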
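Slide 10 says detective guardrails are implemented as AWS Config rules, and slide 11 gives three examples that Config can check per resource: public read access on S3 buckets, encryption of attached EBS volumes, and MFA on the root user. The block below is an added example, not the deck's content and not the managed rules AWS Control Tower deploys. It writes each check as the kind of evaluation function a Config rule runs over a configuration item; the item dict shape is an assumption loosely modelled on Config's configurationItem, and the sample inventory is constructed.

```python
"""Detective guardrails modelled as AWS Config-style rule evaluations.

Added example; not the deck's content nor Control Tower's managed rules.
Each evaluator takes a constructed, simplified configuration item (the dict
shape is an assumption) and returns the compliance type a Config rule reports:
COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE.
"""
import fnmatch
import json

# S3 group grantee URIs that make an ACL grant world-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def _grants_read(actions):
    """True if any action pattern (e.g. 's3:*', 's3:Get*') covers a read action."""
    actions = actions if isinstance(actions, list) else [actions]
    return any(fnmatch.fnmatchcase(r, a) for a in actions for r in READ_ACTIONS)


def evaluate_s3_public_read(item):
    """Slide 11, data security: disallow public read access to S3 buckets."""
    cfg = item["configuration"]
    pab = cfg.get("publicAccessBlock", {})
    # IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    # neutralises an existing public bucket policy, so each path is checked
    # only when its block setting is off.
    if not pab.get("IgnorePublicAcls"):
        for grant in cfg.get("acl", []):
            if (grant["grantee"] in PUBLIC_GRANTEES
                    and grant["permission"] in ("READ", "FULL_CONTROL")):
                return "NON_COMPLIANT"
    if not pab.get("RestrictPublicBuckets") and cfg.get("policy"):
        for stmt in json.loads(cfg["policy"]).get("Statement", []):
            if (stmt.get("Effect") == "Allow"
                    and _principal_is_public(stmt.get("Principal"))
                    and _grants_read(stmt.get("Action", []))):
                return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_ebs_encryption(item):
    """Slide 11, encryption: EBS volumes attached to EC2 instances are encrypted."""
    cfg = item["configuration"]
    if not cfg.get("attachments"):
        return "NOT_APPLICABLE"  # unattached volumes are outside this guardrail
    return "COMPLIANT" if cfg.get("encrypted") else "NON_COMPLIANT"


def evaluate_root_mfa(item):
    """Slide 11, IAM security: require MFA for the root user."""
    enabled = item["configuration"].get("accountMfaEnabled")
    return "COMPLIANT" if enabled else "NON_COMPLIANT"


EVALUATORS = {
    "AWS::S3::Bucket": evaluate_s3_public_read,
    "AWS::EC2::Volume": evaluate_ebs_encryption,
    "AWS::::Account": evaluate_root_mfa,
}


def evaluate(item):
    """Dispatch on resourceType, as a rule handler would."""
    evaluator = EVALUATORS.get(item["resourceType"])
    return evaluator(item) if evaluator else "NOT_APPLICABLE"


# Constructed sample inventory; none of these are real resources or accounts.
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ITEMS = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "website-bucket",
     "configuration": {"policy": PUBLIC_READ_POLICY, "acl": []}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "restricted-bucket",
     "configuration": {"policy": PUBLIC_READ_POLICY, "acl": [],
                       "publicAccessBlock": {"RestrictPublicBuckets": True}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "acl-bucket",
     "configuration": {"acl": [{"grantee": PUBLIC_GRANTEES and
                                "http://acs.amazonaws.com/groups/global/AllUsers",
                                "permission": "READ"}]}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa",
     "configuration": {"encrypted": False, "attachments": ["i-0bbb"]}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0ccc",
     "configuration": {"encrypted": False, "attachments": []}},
    {"resourceType": "AWS::::Account", "resourceId": "111122223333",
     "configuration": {"accountMfaEnabled": False}},
]


def run(items=SAMPLE_ITEMS):
    """Return {resourceId: complianceType}, the shape a dashboard aggregates."""
    return {item["resourceId"]: evaluate(item) for item in items}


if __name__ == "__main__":
    for resource, status in run().items():
        print(f"{status:15} {resource}")
```

Two of the sample buckets carry the same public-read policy; only the one with RestrictPublicBuckets set is reported compliant, which is the distinction the slide's "Non-compliant" dashboard output surfaces and the reason a detective guardrail has to read the block-public-access settings rather than just the policy text.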