With customers migrating workloads to AWS, we are starting to see a need for a prescribed landing zone that uses native AWS capabilities and meets or exceeds customers' security and compliance objectives. In this session, we will describe an AWS landing zone and will cover solutions for account structure, user configuration, provisioning, networking and operations automation. This solution is based on native AWS capabilities such as AWS Service Catalog, AWS Identity and Access Management, AWS Config Rules, AWS CloudTrail and AWS Lambda. We will provide an overview of AWS Service Catalog and how it can be used to provide self-service infrastructure to application users, including various options for automation. After this session you will be able to configure an AWS landing zone for successful large-scale application migrations. Additionally, Philips will explain their cloud journey and how they have applied their guiding principles when building their landing zone.
2. What is a Landing Zone and do I need one?
- A configured, secure, enterprise multi-account AWS environment based on best practices
- A starting point for your application migration journey
- An environment that allows for iteration and extension over time
3. What to Expect from the Session
At the end of this session, we hope you
- have an understanding of what an initial AWS Landing Zone is and why you would need one
- can build an initial AWS Landing Zone, or update your current one
- can use the initial Landing Zone to accelerate your application migration journey
4. Our Journey Today
[Diagram: the session's journey from Start through Accounts (Identity & Access, Network Security, Direct Connect, Domains, Logging, Config, Access, Identities, Federation), End User Interaction (Service Catalog, Automation, Central Services, Cloud Users), Migrate, Iterate, Operate & Optimize, to What's Next?]
5. Current State – Typical Enterprise Situation
[Diagram: Lines of Business raise an infrastructure request to Central IT, which owns governance & service management and provisioning]
Characteristics
• Lead times ~days to weeks
• Service catalogue of components
• Often process-heavy service management
6. Current State – Opportunity to achieve agility and control
[Diagram: Lines of Business consume a Landing Zone (templates, policy & best practices, landscape management, monitor & respond, automation) operated by Central IT]
Opportunities
• Lead times in minutes
• Service catalogue of landscapes
• Automated service management
9. Account Structure
• Don’t overdo on Day One
• Use separate accounts for:
  - Security and compliance isolation (production, non-prod, logging)
  - Cost allocation
  - Resource management and ownership
11. AWS Organizations
• New management capability for centrally managing multiple AWS accounts
- Simplified billing
- Programmatic creation of new AWS accounts
- Logically group AWS accounts for management convenience
- Apply organization control policies (OCP)
• A Consolidated Billing (CB) family automatically migrated to an organization
• All organization management activity is logged in AWS CloudTrail
• An AWS account can be a member of only one organization
• V1 OCP – Control which AWS service APIs are accessible in AWS account(s)
• Console, SDK, and CLI support for all management tasks
Available in limited public preview: http://aws.amazon.com/organizations/preview
14. Network
Direct Connect for connecting on-prem and AWS environment
[Diagram: the customer gateway reaches AWS through a partner network to a Direct Connect location carrying Virtual Interface #1 and Virtual Interface #2, with a secondary Direct Connect location and a VPN as backup]
15. Network
Central services in a central VPC
Central common/core services
• Authentication/directory
• Monitoring
• Logging
• Bastion host
• Remote administration
• Scanning
• Internet proxy
[Diagram: a Central Services VPC peered with the Production Generic, Production Business-critical and Non-production VPCs]
17. Our Landing Zone needs to be safe and secure
Insight is the first step
• Who is accessing our Amazon accounts and what are they doing?
• How will we know if anyone breaks our security policy?
• What does the traffic on our infrastructure look like and are all of our resources isolated?
• How can we easily analyze our logs?
18. AWS CloudTrail records who is accessing APIs
[Diagram: AWS accounts make API calls against a growing set of AWS services around the world (Amazon EBS shown as an example); CloudTrail continuously records the API calls and delivers them to a central logging account, where they are stored/archived, used to troubleshoot, and monitored and alarmed on]
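The slide shows where CloudTrail records go; the questions on slide 17 ("who is accessing our accounts", "how will we know if anyone breaks policy") are answered by evaluating those records. The following is an added example, not code from the deck or from AWS: it scans a constructed CloudTrail log file for three conditions a landing zone typically alarms on (root account API use, console logins without MFA, and changes to the trail itself). The record shapes follow the CloudTrail JSON format; every account id, user name and trail name is made up, and the rule names are this example's own.

```python
import json

# Constructed CloudTrail records (made-up account, users and trail name) in the
# CloudTrail file format: {"Records": [ {...event...}, ... ]}.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-11-30T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-11-30T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-11-30T10:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventTime": "2016-11-30T10:15:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"},
     "requestParameters": {"name": "landing-zone-trail"}},
    {"eventTime": "2016-11-30T10:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Audit/carol"}},
]})

# CloudTrail API calls that reduce or disable the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def who(record):
    """Best available principal name for a record."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def evaluate_record(record):
    """Return a list of (rule, detail) findings for one CloudTrail record."""
    findings = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    if ident.get("type") == "Root":
        findings.append(("root-account-activity", f"{name} in {record.get('awsRegion')}"))
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        findings.append(("console-login-without-mfa", who(record)))
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        trail = record.get("requestParameters", {}).get("name", "?")
        findings.append(("cloudtrail-tampering", f"{name} on trail {trail} by {who(record)}"))
    return findings


def scan_trail_file(raw_json):
    """Evaluate every record in one CloudTrail log file; returns a flat list of findings."""
    findings = []
    for record in json.loads(raw_json).get("Records", []):
        for rule, detail in evaluate_record(record):
            findings.append({"time": record.get("eventTime"), "rule": rule, "detail": detail})
    return findings


def summarize(findings):
    """Count findings per rule, the shape you would push to a CloudWatch metric or alarm."""
    counts = {}
    for finding in findings:
        counts[finding["rule"]] = counts.get(finding["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_trail_file(SAMPLE_TRAIL):
        print(f"{f['time']} {f['rule']}: {f['detail']}")
```

In the architecture on the slide this logic would run in the central logging account (for example as a Lambda function reading each delivered log file from S3), which is what keeps the evaluation out of reach of the account whose activity it is judging.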
19. AWS Config informs you of policy violations
Compliance guideline → Non-compliance action
• All storage volumes should be encrypted → Automatically encrypt storage volumes
• Instances must not have unrestricted Internet access on port 22 → Remove port 22 access from any Internet host
• Instances must be tagged with environment type → Notify developer (email, page, SNS)
Pre-configured rules:
https://github.com/awslabs/aws-config-rules
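The three guidelines above map naturally onto custom AWS Config rules, whose Lambda functions receive a configuration item and report COMPLIANT or NON_COMPLIANT back to Config. The code below is an added example written for this page, not one of the rules from the aws-config-rules repository: it evaluates the three guidelines over constructed configuration items. Assumptions are labelled in the code: the configuration items are simplified (IP ranges are flattened to CIDR strings), the environment tag key is taken to be `Environment`, and "unrestricted" is taken to mean an ingress rule from 0.0.0.0/0 or ::/0. The remediation column of the slide (encrypt, remove the rule, notify) is a separate step that this evaluator only triggers.

```python
# Constructed configuration items in the shape a custom AWS Config rule receives
# (resourceType, resourceId, configuration, tags). Ids and values are made up and
# the security-group shape is simplified: ipRanges holds plain CIDR strings.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa",
     "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0001",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0002",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
    # "all protocols, all ports" from anywhere also exposes port 22 (edge case)
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0003",
     "configuration": {"ipPermissions": [{"ipProtocol": "-1", "ipRanges": ["::/0"]}]}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0111",
     "tags": {"Environment": "production"}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0222",
     "tags": {"Name": "untagged-box"}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "some-bucket"},
]

ENV_TAG_KEY = "Environment"          # assumed tag key; use your tagging standard's key
SSH_PORT = 22
UNRESTRICTED = {"0.0.0.0/0", "::/0"}  # assumed meaning of "unrestricted Internet access"


def _permission_covers_port(perm, port):
    """True if a security-group ingress rule admits TCP traffic on `port`."""
    if perm.get("ipProtocol") == "-1":      # all protocols and all ports
        return True
    if perm.get("ipProtocol") != "tcp":
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def check_volume_encrypted(item):
    if item["configuration"].get("encrypted"):
        return "COMPLIANT", "volume is encrypted"
    return "NON_COMPLIANT", "volume is not encrypted"


def check_no_unrestricted_ssh(item):
    for perm in item["configuration"].get("ipPermissions", []):
        if not _permission_covers_port(perm, SSH_PORT):
            continue
        open_ranges = [r for r in perm.get("ipRanges", []) if r in UNRESTRICTED]
        if open_ranges:
            return "NON_COMPLIANT", f"port {SSH_PORT} open to {', '.join(open_ranges)}"
    return "COMPLIANT", f"no unrestricted ingress on port {SSH_PORT}"


def check_environment_tag(item):
    value = item.get("tags", {}).get(ENV_TAG_KEY, "").strip()
    if value:
        return "COMPLIANT", f"{ENV_TAG_KEY}={value}"
    return "NON_COMPLIANT", f"missing {ENV_TAG_KEY} tag"


# One check per resource type; other types fall through to NOT_APPLICABLE.
CHECKS = {
    "AWS::EC2::Volume": check_volume_encrypted,
    "AWS::EC2::SecurityGroup": check_no_unrestricted_ssh,
    "AWS::EC2::Instance": check_environment_tag,
}


def evaluate(item):
    """Evaluate one configuration item -> (complianceType, annotation)."""
    check = CHECKS.get(item["resourceType"])
    if check is None:
        return "NOT_APPLICABLE", "no rule for this resource type"
    return check(item)


def evaluate_all(items):
    """Map resourceId -> (complianceType, annotation), the pair a rule reports to Config."""
    return {item["resourceId"]: evaluate(item) for item in items}


if __name__ == "__main__":
    for rid, (result, note) in evaluate_all(SAMPLE_ITEMS).items():
        print(f"{rid:12} {result:15} {note}")
```

A deployed rule would wrap `evaluate` in the Lambda handler, read the configuration item from the invoking event, and hand the `(complianceType, annotation)` pair to Config's `put_evaluations` API; the evaluation logic itself stays testable offline as shown.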
20. VPC flow logs give you network insights
• Agentless – AWS collects the logs on your behalf
• Enable per network interface, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
[Diagram: a flow log record for an AWS account carries the source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, and whether the traffic was accepted or rejected]
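The fields in the diagram are exactly the columns of a version-2 flow log record, so the "what does our traffic look like and are our resources isolated" question from slide 17 can be answered by parsing those records. The following is an added example (not code from the deck or from AWS) that parses constructed flow log lines, including a NODATA line whose fields are all `-`, and then derives the kinds of signals you would turn into CloudWatch metrics: accepted SSH connections from outside RFC 1918 space, rejects per source, and bytes per source. The interface id, account id and addresses are made up; the RFC 1918 definition of "internal" is this example's assumption and should be widened to your own on-prem and partner ranges.

```python
import ipaddress

# Constructed version-2 VPC flow log lines (made-up account, ENI and addresses):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0a1b2c3d 10.0.1.5 10.0.2.9 49152 443 6 10 8400 1480000000 1480000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 198.51.100.7 10.0.2.9 51000 22 6 5 420 1480000000 1480000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 198.51.100.8 10.0.2.9 51001 22 6 1 60 1480000000 1480000060 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.1.5 10.0.2.9 49153 22 6 20 3000 1480000000 1480000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1480000000 1480000060 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
# Assumption: "internal" means RFC 1918; extend with your own on-prem/partner ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP = 6


def parse_flow_log(text):
    """Parse version-2 records; '-' fields (NODATA/SKIPDATA lines) become None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue            # malformed line: skip it rather than fail the whole batch
        rec = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)


def external_accepts_to_port(records, port):
    """Records where TCP traffic from outside the internal ranges was ACCEPTed on `port`."""
    return [r for r in records
            if r["log_status"] == "OK" and r["action"] == "ACCEPT"
            and r["protocol"] == TCP and r["dstport"] == port
            and not is_internal(r["srcaddr"])]


def rejects_by_source(records):
    """Count of REJECTed flows per source address (a cheap scan/probe indicator)."""
    counts = {}
    for r in records:
        if r["action"] == "REJECT":
            counts[r["srcaddr"]] = counts.get(r["srcaddr"], 0) + 1
    return counts


def bytes_by_source(records):
    """Total bytes per source address, ignoring records that carry no data."""
    totals = {}
    for r in records:
        if r["bytes"] is not None:
            totals[r["srcaddr"]] = totals.get(r["srcaddr"], 0) + r["bytes"]
    return totals


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for hit in external_accepts_to_port(recs, 22):
        print(f"accepted SSH from outside: {hit['srcaddr']} -> {hit['dstaddr']} ({hit['bytes']} bytes)")
    print("rejects by source:", rejects_by_source(recs))
```

With CloudWatch Logs you would express `external_accepts_to_port` as a metric filter on the same columns and alarm on its count; the Python form is useful for the central analysis pipeline on slide 22 and for validating the filter against known samples.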
22. Log everything centrally for analysis
The AWS centralized logging solution makes it easy for security teams to consolidate AWS logs and analyze them to detect incidents.
[Diagram: Amazon EC2 logs and VPC subnet flow logs, together with AWS CloudTrail, land in Amazon S3 and Amazon CloudWatch; AWS Lambda transforms them into Amazon Elasticsearch Service for search (Log → Transform → Search)]
You can do this by simply using:
• Amazon Elasticsearch Service
• CloudTrail logs
• VPC flow logs
• EC2 server logs
https://aws.amazon.com/answers/logging/centralized-logging
23. Configure your environment as you like
You get to apply your existing security policy
[Diagram: launch an instance from the EC2 AMI catalogue, then configure the running instance. Your instance is built up from the operating system through user administration, whitelisting and integrity, malware and IPS, vulnerability management, audit and logging, and hardening and configuration]
Three options to create or import your own ‘gold’ images
1. Import existing VMs to AWS
2. Procure partner AMI from AWS Marketplace
3. Create and save your own custom images
On 3: choose how to build your standard host security environment
Choose how to start your compute: private images or import your current ones
CIS AMI: https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed
25. You get to control who can do what in your AWS environment, when and from where
Fine-grained control of your AWS cloud with multi-factor authentication
Integrate with your existing corporate directory and provide SSO to your customers. Support for SAML 2.0 (like your existing Active Directory) and OpenID compatible Identity Providers (IdPs).
You can use AWS managed policies, policies for typical job functions or customer-generated policies using the policy generator, and test them with the policy simulator.
[Diagram: the AWS account owner uses Identity and Access Management to control access and segregate duties everywhere]
26. Identities and Access Control
Example user types with corresponding access policies
Access Managers
• IAM Master – create policies
• IAM Manager – assign policies
• Audit – read-only
Design
• Architect – create landscapes
• Storage – design and build
• Network – design and build
Application Owners
• DevOps – API access
• App Owner – landscape owner
Other
• Billing, Support User, Network Admin, Administrator, Service Catalog Administrators, Database Admin
Managed policies for job functions:
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
27. Identity and Access Management
Federation with on-prem directory
[Diagram: a user in the corporate data center authenticates through a browser interface against the on-prem identity store; the user's AD group is mapped to a specific IAM role with an access policy, which grants access to AWS]
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/manage_apps_services.html
28. Identity and Access Management
Federation: Cross-account manager solution
Using AWS CloudFormation templates to create and manage roles for a master account and sub accounts
- Account onboarding
- Role onboarding
https://aws.amazon.com/answers/account-management/cross-account-manager
SEC304 session with deep-dive and demo
30. Creating a Landing Zone in AWS
An Enterprise way of working
Henk van Rossum
Director - Platform and Program Manager Hosting and Storage
November 2016
31. Moving from Legacy to Future proof
[Diagram: 100+ sites and 3500+ servers; extremely high fixed costs; old end-of-term infrastructure; no incentives to decommission and modernize; governance. Workload split chart across 1st tier datacenter, local compute (darkroom operated) and decommission infra (30%), with the remaining segments shown as 42%, 25% and 3%]
32. From Legacy to Cloud First
Legacy
• “Break-Fix”
• SLA based managed services
• Unplanned business interruptions
• Complex supply chain for new demand
• Wide variety of versions
• Not scalable
• Pay for capacity reserved
• Reporting “after the fact”
Cloud First
• Design for “Always On”
• SLA based managed services
• Self provisioning, consumer driven
• Standard market available services
• Scalable resources
• Pay only for what you use
• “Real time” usage & performance
(Picture does not represent a Philips location)
33. Creating a Landing Zone
[Diagram: the same stack (network, application, data, runtime, middleware, OS, virtual machine, server, storage) shown for three stages: Legacy, run by a DC partner, management partner and AMS partner; Technology Refresh; and End State, run on AWS with an AMS partner. Path: On Premise DC → Technology Refresh → Cloud → Close On Premise DC, leverage Cloud]
34. Creating a Landing Zone – Account Architecture
[Diagram: under the enterprise contract, a payer account (root account, core global services) sits above functional accounts (Shared Central Logging Account, Shared Central Audit Account, Shared Central Intellectual Property Account, Shared Users Federation Account, Backup Accounts), linked accounts per Market 1 … Market X and BU X that hold the resources, and partner accounts (Partner 1, Partner 2, Other)]
35. Creating a Landing Zone - Internet Centric Networking
[Diagram: sites on the provider's private network (MPLS) reach the Internet through the Internet edge and ISP; Cloud Gateway 1 … Cloud Gateway N connect the private network to the cloud, partners and SaaS cloud, and the Tier1 DC site connects over MPLS and Direct Connect]
38. Organizations
Organizational Structure Needs
• Control and visibility
• Standardization
• Access control
• Ease of administration
• Automation
Access to standardization
• Standardization
• Self-service
• Agility
• Quick implementation
[Diagram: org chart with the CIO over the VP of Analytics (BI Dev Team), the VP of Application Development (Web Dev Team) and the VP of Infrastructure (Resource Team: Security, Networking, Storage…)]
39. Agility and Control
What do customers tell us about asset management deployment?
Customers want to:
• Define the resources and landscapes where software and applications are deployed
• ‘Approve once and deploy many’
• Enable self-service, deploy with confidence
• Automate deployments
40. Agility and Control
AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner.
[Diagram: administrators get control, standardization and governance; users get agility, self-service and time to market]
41. Administrator Interaction
CloudFormation to create products
Product = CloudFormation template
[Diagram: a CloudFormation template (JSON formatted file: parameter definition, resource creation, configuration actions) becomes a running stack of configured AWS services. The framework offers comprehensive service support, is service event-aware and customizable, and handles stack creation, stack updates, and error detection and rollback]
42. Administrator Interaction
AWS Service Catalog: Managing products
[Diagram: 1 the administrator creates a portfolio and assigns the product to it; 2 creates the product; 3 the landscape architect authors the template; 4 the administrator adds constraints, grants access and adds tags. Product X has versions and belongs to Portfolio A and Portfolio B, each carrying users and roles, constraints, and tags]
44. Service Catalog APIs
11 User API methods – launched July 2016
37 Admin API methods – launched November 2016
Embed, orchestrate, automate
45. Agility and Control
Opportunities to strengthen the handshake
• User-generated products to foster innovation
• Back-end microservices acting on the stacks
• Administrator products
46. What is the EC2 instance scheduler?
A single template deploys all solution components
[Diagram: a CloudFormation scheduler stack deploys a CloudWatch rule that triggers the Scheduler Lambda function; the function uses the Scheduler role, reads the scheduler configuration table and the instance state table, and acts on tagged EC2 instances in one or more AWS accounts, with IAM cross-account roles controlling access to those accounts; EC2 instance information is written to CloudWatch Logs and CloudWatch Metrics]
https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/
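The decision the Scheduler Lambda function has to make on every CloudWatch-triggered run is: for each tagged instance, is it inside its schedule window right now, and does its current state match? The code below is an added example of that core decision and is not the EC2 scheduler solution's own code: the tag key `Schedule`, the shape of the configuration table entries, and the instance list (a stand-in for what `describe_instances` would return after filtering on the tag) are all assumptions of this example. It handles the two edge cases that usually bite: a window that crosses midnight, and an instance tagged with a schedule that does not exist in the table.

```python
from datetime import datetime, time

# Constructed scheduler configuration table (stands in for the DynamoDB table in the
# diagram): schedule name -> active window. weekday() numbers: Monday = 0 ... Sunday = 6.
SCHEDULES = {
    "office-hours":  {"days": set(range(5)), "start": time(8, 0),  "stop": time(18, 0)},
    "nightly-batch": {"days": set(range(5)), "start": time(22, 0), "stop": time(2, 0)},  # crosses midnight
}

SCHEDULE_TAG = "Schedule"   # assumed tag key for this example

# Constructed instance inventory (made-up ids) after filtering on the schedule tag.
INSTANCES = [
    {"InstanceId": "i-web1",  "State": "stopped", "Tags": {"Schedule": "office-hours", "Environment": "dev"}},
    {"InstanceId": "i-web2",  "State": "running", "Tags": {"Schedule": "office-hours"}},
    {"InstanceId": "i-batch", "State": "stopped", "Tags": {"Schedule": "nightly-batch"}},
    {"InstanceId": "i-prod",  "State": "running", "Tags": {"Environment": "prod"}},        # not managed
    {"InstanceId": "i-bad",   "State": "running", "Tags": {"Schedule": "does-not-exist"}},  # typo in tag
]


def in_window(schedule, now):
    """True if `now` falls inside the schedule's active window."""
    t, weekday = now.time(), now.weekday()
    start, stop, days = schedule["start"], schedule["stop"], schedule["days"]
    if start <= stop:                       # same-day window, e.g. 08:00-18:00
        return weekday in days and start <= t < stop
    # Overnight window, e.g. 22:00-02:00: the evening part belongs to today's weekday,
    # the early-morning part belongs to the previous day's schedule.
    return (weekday in days and t >= start) or ((weekday - 1) % 7 in days and t < stop)


def decide_actions(instances, schedules, now, tag_key=SCHEDULE_TAG):
    """Map InstanceId -> 'start' | 'stop' | 'none' | 'skip:unknown-schedule'.

    Instances without the schedule tag are left out entirely: the scheduler must
    never touch something it was not explicitly told to manage.
    """
    actions = {}
    for inst in instances:
        name = inst["Tags"].get(tag_key)
        if name is None:
            continue
        schedule = schedules.get(name)
        if schedule is None:
            actions[inst["InstanceId"]] = "skip:unknown-schedule"
            continue
        should_run = in_window(schedule, now)
        state = inst["State"]
        if should_run and state == "stopped":
            actions[inst["InstanceId"]] = "start"
        elif not should_run and state == "running":
            actions[inst["InstanceId"]] = "stop"
        else:
            actions[inst["InstanceId"]] = "none"
    return actions


if __name__ == "__main__":
    # Wednesday morning and Wednesday night, 30 November 2016.
    for when in (datetime(2016, 11, 30, 9, 0), datetime(2016, 11, 30, 23, 0)):
        print(when, decide_actions(INSTANCES, SCHEDULES, when))
```

In the deployed solution the result of `decide_actions` is what the Lambda function would turn into `start_instances` / `stop_instances` calls, per account, under the cross-account role the diagram shows; the `skip` outcome is worth emitting as a CloudWatch metric, since a misspelled schedule tag silently leaves an instance running.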
53. Managing to the Portfolio Value
Portfolio tier – requirements – operations model – approx. % of portfolio* – IT spend against portfolio
• Differentiators – high rate of change & innovation; possibly business-critical, but not always – DevOps – 15% – 60% - 70%
• Table Stakes – business-critical, but low rate of change; needs high availability, maximum reliability, and durable DR – Automated Efficiency – 25%
• Commodity – COTS & commodity, minimal risk, low change, standard downtime & reliability requirements – Traditional Operations – 60% – 30% - 40%
*estimated numbers
Provided Under NDA
54. The Migration Journey
[Diagram: Brown Field and Green Field tracks leading to a Future State. Steps shown: identify and categorize bulk candidates; analysts identify high-value candidates; pipeline team prepares candidates; applications are migrated based on patterns; patterns are created; Greenfield Landing Zone created; existing operations team manages; portfolios are prioritized; project initiated; innovation teams re-architect the application; new operating levers are created; application is implemented on cloud; cloud-native components are patterned; Core Landing Zone created. Future State: future Landing Zone, library of patterns, future operating model]
55. Executing Multi-Modal Migrations
[Diagram: timeline over Sprint 1 to Sprint 7. Program track: migration business case, discovery prep, discovery, pipeline generation, migration patterns creation, deploy Landing Zone, then extend, integrate and manage Landing Zone. Brown track: re-host, re-factor, complex app (single sprint). Green track: discovery, greenfield migrations, innovation]
56. Increasing Levels of Effort with Increasing Levels of Return
Running Multi-Modal Migrations
[Diagram: maturity grows from mass migration through re-platform / refactor to re-architect. Mass migration: minimized staffing change, capex to opex, cost out, facilities closure, consistent operations, traditional operations, operational transition. Re-platform / refactor: cloud capable applications, capex to opex, nascent services, cloud COE, managed services, hybrid operations, cloud aware applications. Re-architect: serverless compute, continuous integration, disruptive technology, maximum efficiency, advanced architecture, development and operations]
57. Multi-Modal Operations
Shift in Accountability
• Many adoptions are tightly coupled with agile delivery adoption.
• Not all workloads require a DevOps investment.
• Achieving business goals doesn’t always require automation.
• Using traditional support models in the wrong places can dilute value.
Mass migration – Traditional
• Data Center-Cloud Connectivity
• Server/Storage Provisioning
• Patching/Anti-virus
• Monitoring
• Server Maintenance/Incident Response
• Audit/Risk
• Event Management
• Web Server
• DB Mgmt
• Application Software
• Development and Deployment
Re-platform/Refactor – Automated Efficiency
• Data Center-Cloud Connectivity
• Patching/Anti-virus
• Monitoring
• Audit/Risk
• Standards/Policy
• Stack Templates
• Server Maintenance/Incident Response
• Stack Provisioning and Decom
• Event Mgmt
• Web Server
• DB Mgmt
• Application Software
• Development and Deployment
Re-architect – DevOps
• Data Center-Cloud Connectivity
• Patching/Anti-virus
• Monitoring Lvl 1
• Monitoring Lvl 2
• Server Maintenance/Incident Response
• Stack Templates and Provisioning
• Audit/Risk
• Event Management
• Web Server
• DB Mgmt
• Application Software
• Development and Deployment
[Diagram: responsibility shifts from Traditional Operations toward Distributed Responsibility as the model moves from mass migration to re-architect]
59. Available Resources for Landing Zone (1/2)
Domain – Link – What
• Account Mgt – https://aws.amazon.com/answers/account-management/limit-monitor/ – Limit Monitor: receive notifications when you approach AWS service limits
• Networking – http://docs.aws.amazon.com/quickstart/latest/linux-bastion/ & http://docs.aws.amazon.com/quickstart/latest/rd-gateway – Bastion Host
• Networking – https://aws.amazon.com/quickstart/architecture/accelerator-pci/ – PCI Landing Zone, including configuration of VPCs, Security Groups, Access Policies & Bastion Host
• Networking – https://aws.amazon.com/answers/networking/vpn-monitor/ – VPN Monitoring
• Networking – https://aws.amazon.com/answers/networking/transit-vpc/ – Transit VPC
• Security – https://aws.amazon.com/answers/logging/centralized-logging – Centralized Logging
• Security – https://github.com/awslabs/aws-config-rules – Config Rules Repository
60. Available Resources for Landing Zone (2/2)
Domain – Link – What
• Security – https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed – CIS Security AMI
• Security – https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/ – CIS AWS Foundations Benchmark
• Cross Account Management – https://aws.amazon.com/answers/account-management/cross-account-manager – Manage roles in accounts centrally
• Identity and Access Mgt – http://docs.aws.amazon.com/quickstart/latest/active-directory-ds/welcome.html – Active Directory Quick Start
• Identity and Access Mgt – http://docs.aws.amazon.com/directoryservice/latest/admin-guide/manage_apps_services.html – Managing Console Access for AWS Directory Service
• Identity and Access Mgt – http://docs.aws.amazon.com/quickstart/latest/wap-adfs/welcome.html – Web Application Proxy with ADFS Quick Start
• Automation – https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/ – EC2 Scheduler
61. Related Sessions
ENT203 – Enterprise Fundamentals: Design Your Account and VPC Architecture for Enterprise Operating Models
SAC319 – Architecting Security and Governance Across a Multi-Account Strategy
SAC320 – Deep Dive: Implementing Security and Governance Across a Multi-Account Strategy
SAC323 – Centrally Manage Multiple AWS Accounts with AWS Organizations
SEC304 – Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service