© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deploy and Govern at Scale with AWS Control Tower
Juan Manuel Gomez, Solutions Architect – Public Sector UK, AWS
Dan Miller, Infrastructure Engineer, University of York
Agenda
• What’s a landing zone and an AWS Landing Zone?
• Implementing a landing zone
• AWS Landing Zone
• AWS Control Tower
• University of York’s landing zone journey
• AWS Landing Zone or AWS Control Tower?
What do customers want to do on AWS?
• Focus on what differentiates
• Ideation to instantiation
• Secure and compliant environment
What do customers need to achieve?
• Meets the organization’s security and auditing requirements
• Ready to support highly available and scalable workloads
• Configurable to support evolving business requirements
You need a “landing zone”
• A configured, secure, scalable, multi-account AWS environment based on AWS best practices
• A starting point for net new development and experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension over time
AWS Landing Zone vs. landing zone
landing zone:
• Secure pre-configured environment for your AWS presence
• Scalable and flexible
• Enables agility and innovation
AWS Landing Zone:
• Implementation of a landing zone based on multi-account strategy guidance
AWS Control Tower:
• AWS Service version of AWS Landing Zone
AWS account // best isolation boundary
• Security/resource boundary
• API limits/throttling
• Billing separation
Account models
From one account to 1,000s of accounts
Why one account isn’t enough
• Billing
• Many teams
• Security / compliance controls
• Business process
• Isolation
Goals
• Guardrails NOT blockers
• Auditable
• Flexible
• Automated
• Scalable
• Self-service
Account security considerations
Baseline requirements:
• Lock
• Enable
• Define
• Federate
• Establish
• Identify
What accounts should I create?
Organizations Account, Security, Log Archive, Shared Services, Network, Billing, Sandbox, Dev, Pre-Prod, Prod, Other
Multi-account approach
AWS Organizations
• Core Accounts: Orgs, Security, Shared Services, Network, Log Archive
• Team/Group Accounts: Developer Sandbox, Dev, Pre-Prod, Prod, Team Shared Services
• Network Path: Developer Accounts to Data Center
Orgs: Account management
Log Archive: Security logs
Security: Security tools, AWS Config rules
Shared Services: Directory, limit monitoring
Network: AWS Direct Connect
Dev sandbox: Experiments, learning
Dev: Development
Pre-prod: Staging
Prod: Production
Team SS: Team Shared Services, Data lake
The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup of new AWS multi-account environments
• Based on AWS best practices and recommendations
• Initial security and governance controls
• Baseline accounts and account vending machine
• Automated deployment
AWS Landing Zone structure - basic
AWS Organizations: Organizations Account, Shared Services, Log Archive, Security
Organizations Account
• Account Provisioning
• Account Access (SSO)
• Parameter store
Shared Services Account
• Active Directory
• Log Analytics
Log Archive
• Security Logs
Security Account
• Audit / Break-glass
Account Vending Machine
Account Vending Machine (AWS Service Catalog)
• Account creation factory
• User Interface to create new accounts
• Account baseline versioning
• Launch constraints
Diagram: Account Vending Machine, AWS Organizations, Security, Log Archive, Shared Services, New AWS account
• Creates/updates AWS account
• Apply account baseline stack sets
• Create network baseline
• Apply account security control policy
Balancing the needs of builders and central cloud IT
Builders: stay agile. Innovate with the speed and agility of AWS.
Cloud IT: establish governance. Govern at scale with central controls.
Business agility and governance control
Governance
Agility
• Self-service access
• Experiment fast
• Respond quickly to change
AWS Control Tower: Easiest way to set up and govern AWS at scale
Business agility + governance control: Enable, Provision, Operate
Enable for governance at scale
Enable governance
• Set up an AWS landing zone
• Establish guardrails
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
Set up an AWS landing zone
• Landing zone - a preconfigured, secure, scalable, multi-account AWS environment based on best practice blueprints
• Multi-account management using AWS Organizations
• Identity and federated access management using AWS SSO
• Centralized log archive using AWS CloudTrail and AWS Config
• Cross-account audit access using AWS SSO and AWS IAM
• End user account provisioning through AWS Service Catalog
• Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS
Architecture diagram:
• Master account: AWS Control Tower, AWS Organizations, AWS Single Sign-On (AWS SSO directory), stack sets, AWS Service Catalog
• Core OU: Log archive account (aggregates AWS CloudTrail and AWS Config logs; account baseline) and Audit account (security cross-account roles; account baseline; Amazon CloudWatch aggregator; security notifications)
• Custom OU: Provisioned accounts (network baseline; account baseline)
Multi-account architecture
• Master account: designation of your existing account to create a new organization. Also your master payer account
• Organization consists of 2 OUs with pre-configured accounts:
  o Core OU: AWS Control Tower-created accounts, i.e., Audit account and Log archive account
  o Custom OU: Your provisioned accounts
Centralize identity and access
• AWS SSO provides default directory for identity
• AWS SSO also enables federated access management across all accounts in your organization
• Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users)
• Preconfigured permission sets (e.g., admin, read-only, write)
Establish guardrails
• Guardrails are preconfigured governance rules for security, compliance, and operations
• Expressed in plain English to provide abstraction over granular AWS policies
• Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs
• Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules
• Mandatory and strongly recommended guardrails for prescriptive guidance
• Easy selection and enablement on organizational units
Diagram: a guardrail is enabled on organizational units and applies to their accounts. A preventive guardrail outputs granular AWS policies (an SCP), so the accounts are always compliant. A detective/remediable guardrail outputs granular AWS policies (AWS Config rules) and reports each account as compliant or non-compliant.
Guardrail examples (goal/category: example)
• IAM security: Require MFA for root user
• Data security: Disallow public read access to Amazon S3 buckets
• Network security: Disallow internet connection via Remote Desktop Protocol (RDP)
• Audit logs: Enable AWS CloudTrail and AWS Config
• Monitoring: Enable AWS CloudTrail integration with Amazon CloudWatch
• Encryption: Ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances
• Drift: Disallow changes to AWS Config rules set up by AWS Control Tower
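As an added example (not part of the deck, and not AWS or Control Tower code), the Python below models the two guardrail types from the "Establish guardrails" slide and the examples table: the drift guardrail as an SCP that denies Config-rule changes to every principal except an exempted administration role (the role name is a placeholder), and three detective guardrails as the evaluation logic of an AWS Config custom rule run over constructed configuration items whose field layout is an assumed, simplified subset of what AWS Config records.

```python
"""Added example: preventive vs. detective guardrails. A preventive guardrail is an
SCP evaluated when an API call is authorised; a detective guardrail is an AWS Config
rule evaluated against a recorded configuration item. All data below is constructed."""
import fnmatch
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

# Preventive guardrail "Disallow changes to AWS Config rules set up by AWS Control Tower",
# modelled as an SCP. The exempted admin role name is a placeholder assumed for the example.
DRIFT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["config:DeleteConfigRule", "config:PutConfigRule",
                   "config:DeleteConfigurationRecorder", "config:StopConfigurationRecorder"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {
            "aws:PrincipalARN": "arn:aws:iam::*:role/PLACEHOLDER-ControlTowerAdminRole"}},
    }],
}

def _matches(patterns, value):
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def scp_denies(scp, action, principal_arn):
    """True if a Deny statement applies; only Action and ArnLike/ArnNotLike on aws:PrincipalARN are modelled."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or not _matches(stmt["Action"], action):
            continue
        cond = stmt.get("Condition", {})
        if "ArnNotLike" in cond and _matches(cond["ArnNotLike"]["aws:PrincipalARN"], principal_arn):
            continue  # exempted principal: this Deny does not apply
        if "ArnLike" in cond and not _matches(cond["ArnLike"]["aws:PrincipalARN"], principal_arn):
            continue
        return True
    return False

# Detective guardrails, written as the evaluation half of an AWS Config custom rule.
def evaluate_s3_public_read(item):
    """Disallow public read access to Amazon S3 buckets (ACL grant to AllUsers)."""
    if item["resourceType"] != "AWS::S3::Bucket":
        return NOT_APPLICABLE
    grants = item["supplementaryConfiguration"]["AccessControlList"].get("grantList", [])
    public = any(g["grantee"] == "AllUsers" and g["permission"] in ("Read", "FullControl")
                 for g in grants)
    return NON_COMPLIANT if public else COMPLIANT

def evaluate_ebs_encrypted(item):
    """Ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return NOT_APPLICABLE
    cfg = item["configuration"]
    if not cfg.get("attachments"):
        return NOT_APPLICABLE  # the guardrail is scoped to attached volumes
    return COMPLIANT if cfg.get("encrypted") else NON_COMPLIANT

def evaluate_no_internet_rdp(item):
    """Disallow internet connection via RDP: no ingress to TCP 3389 from 0.0.0.0/0."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE
    for perm in item["configuration"].get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm["fromPort"], perm["toPort"])
        if lo <= 3389 <= hi and any(r["cidrIp"] == "0.0.0.0/0" for r in perm.get("ipRanges", [])):
            return NON_COMPLIANT
    return COMPLIANT

RULES = {"disallow-public-read-s3": evaluate_s3_public_read,
         "require-attached-ebs-encryption": evaluate_ebs_encrypted,
         "disallow-internet-rdp": evaluate_no_internet_rdp}

def evaluate_event(event):
    """Handler-shaped entry point: the item arrives inside the invokingEvent JSON string; the
    returned dict is what a real handler would pass to config.put_evaluations()."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": RULES[event["configRuleName"]](item),
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

# Constructed configuration items and a constructed rule invocation (not recorded data).
PUBLIC_BUCKET = {"resourceType": "AWS::S3::Bucket", "resourceId": "example-public-bucket",
                 "configurationItemCaptureTime": "2019-06-01T00:00:00.000Z", "configuration": {},
                 "supplementaryConfiguration": {"AccessControlList": {
                     "grantList": [{"grantee": "AllUsers", "permission": "Read"}]}}}
OPEN_RDP_SG = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-example",
               "configurationItemCaptureTime": "2019-06-01T00:00:00.000Z",
               "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 3389,
                                 "toPort": 3389, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}
PLAIN_VOLUME = {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-example",
                "configurationItemCaptureTime": "2019-06-01T00:00:00.000Z",
                "configuration": {"encrypted": False, "attachments": [{"instanceId": "i-example"}]}}
SAMPLE_EVENT = {"configRuleName": "disallow-public-read-s3",
                "invokingEvent": json.dumps({"configurationItem": PUBLIC_BUCKET})}
```

The SCP check answers "would this call be refused" before anything changes, whereas the rule evaluations only classify what is already recorded, which is why the deck calls one type preventive and the other detective.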
Automate compliant account provisioning
• Built-in account factory provides a template to standardize account provisioning
• Configurable network settings (e.g., subnets, IP addresses)
• Automatic enforcement of account baselines and guardrails
• Published to AWS Service Catalog
Diagram: the account factory (network baseline: network CIDR, network regions; OU; account baseline) is published as an AWS Service Catalog product; launching the product creates a new AWS account with the network baseline, account baseline and guardrails applied.
AWS Control Tower: Easiest way to set up and govern at scale
Provision: business agility + governance control
Self-service account provisioning in AWS Service Catalog
Users can configure and provision AWS accounts and resources without needing full privileges to AWS services (e.g., Amazon EC2, Amazon RDS)
AWS Control Tower: Easiest way to set up and govern at scale
Operate: business agility + governance control
Operate with agility + control
• Dashboard: continuous visibility into your multi-account environment
• Act: take operational action on resources
• Audit: audit resource configurations, user access, and policy enforcement
• Monitor: monitor resources and workloads
Dashboard for oversight
Pricing and availability
US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland)
Why use AWS Control Tower?
Set up a best-practices AWS environment in a few clicks
Summary of key features
Multi-account AWS environments at scale
Dan Miller, Systems & Infrastructure Engineer, University of York
Who we are…
• University of York
• Campus in North Yorkshire, United Kingdom
• Research intensive University
• Over 30 academic departments
• Over 18,000 students from 140+ countries
• Over 3,000 staff members
Key points to note
• BitBucket and BitBucket Pipelines are used to store & deploy code
• CloudFormation written in YAML for core infrastructure
• SAM (& CloudFormation) / CDK for application infrastructure
• Hybrid approach with some data still stored on campus servers*
* for now
Our old, monolithic structure
Why this didn’t work for us…
• A single development account is a hindrance
• A desire to centralise our AWS offering within IT Services
• Creating new accounts didn’t scale well
• Blast radius was too wide
Landing Zone Benefits
• Quick and easy way to create multiple accounts
• Achieve a desired state for each account upon provision
• Easy management of accounts through Organizational Units
• Configuration flexibility for ops teams
• Security and auditing baseline
Organizational Units
• Sandbox
• IT Services
• Departmental
• Research
• Quarantine
Sandbox Infrastructure
• Allows a user access to their own isolated environment
• Promotes experimentation, adoption and upskill
• Fully automated provisioning process (<5 minutes)
• Prevents using other accounts for testing
• Centralised billing & cost monitoring
Authentication Infrastructure
• Shibboleth Single Sign-On
• Allows existing University credentials to be used
• Duo Multi-Factor Authentication (2FA)
• SAML based authentication
• Configured via Identity Providers under IAM
• Entirely automated provisioning as a baseline
Authentication Infrastructure (Login Screen)
Provisioning Infrastructure
• Service Catalog to create accounts
• Leverage extensive AWS APIs to streamline the process
• Call back to internal authentication APIs to make the account known
• Sends account welcome emails through Simple Email Service
• Account Type
• Region
• Username
• Shibboleth Authentication Stack
• VPC Type
• Workorder (for internal billing)
Provisioning Infrastructure
Campus Connectivity
• Uses the AWS Transit Gateway service
• Direct AWS VPN connectivity to a “shared services” account
• Allows us to share a single VPN Gateway to multiple accounts
• Reduces cost and allows easier traffic monitoring
Compliance
• Guardrails to monitor compliance in the environment
• AWS Config
  • Old pricing model was too costly with multiple accounts
  • “Pay as you go” AWS Config pricing reduces costs
• Cloud Custodian
  • Free, open source & uses AWS APIs
Internal Tooling
• Serverless Ruby application
• Lambda, DynamoDB, ElastiCache, ACM, Cognito & ELB
• Background lambdas for task processing
• Not designed to replace AWS functionality, but assist
Authentication Management: Overview (illustrative data)
AWS Account Management: Overview (illustrative data)
Billing & Cost Management: Overview (illustrative data)
Compliance Management: Overview (illustrative data)
Compliance Management: Rule Hits (illustrative data)
Compliance Management: non-compliant services (illustrative data)
Compliance Management: raw service view
The future for York
• Continue innovating with serverless architecture
• Further expand our AWS offering within the University
• Lessen the hybrid restrictions we currently have
• Increase automation around accounts & deployments
Thank you!
dan.miller@york.ac.uk
@danmilleruk
AWS Landing Zone vs. AWS Control Tower
AWS Landing Zone:
• AWS CloudFormation deployment
• Fully customizable/owned by customer
• Most regions supported
• Complete flexibility on account structure
• Complex, requiring significant expertise
AWS Control Tower:
• Managed service by AWS
• Fixed blueprints and guardrails
• Four regions at launch
• Two non-configurable core accounts, no Shared Services account, no Amazon VPC in core
• Self service guided deployment configurable through GUI
AWS Landing Zone to AWS Control Tower?
Is there a migration path from AWS Landing Zone to AWS Control Tower?
Yes, in the near future, you will be able to migrate your existing accounts created with the AWS Landing Zone solution to AWS Control Tower. The migration path will occur in several phases to ensure compatibility between Control Tower and your AWS Landing Zone solution, starting with the ability to deploy Control Tower into an existing AWS Organizations organization, followed by enabling custom guardrails and custom blueprints for Control Tower.
Which one should I choose?
• Review AWS Control Tower and its capabilities. Does it meet what you need? CT
• Are you willing to start with a fresh new environment? CT
• Are you willing to grow with the service? CT
• Do you have a team that can take on the complexity of managing the AWS Landing Zone Solution? If not, CT
• Do you have an existing landing zone that meets your current needs and exceeds CT’s feature set? Evaluate CT, but you may need to wait
• Do you need full customization and full control over every aspect of the landing zone? Use ALZ
Thank you!
Juan Manuel Gomez
Jgrcmz@amazon.co.uk
Dan Miller
dan.miller@york.ac.uk

Contenu connexe

Tendances

Tendances (20)

Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019 Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019
 
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
 
Security and governance with AWS Control Tower and AWS Organizations - SEC204...
Security and governance with AWS Control Tower and AWS Organizations - SEC204...Security and governance with AWS Control Tower and AWS Organizations - SEC204...
Security and governance with AWS Control Tower and AWS Organizations - SEC204...
 
Aws landing zone
Aws landing zoneAws landing zone
Aws landing zone
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
 
Cloud Migration Workshop
Cloud Migration WorkshopCloud Migration Workshop
Cloud Migration Workshop
 
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Aws VPC
Aws VPCAws VPC
Aws VPC
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security Hub
 
VPC Design and New Capabilities for Amazon VPC
VPC Design and New Capabilities for Amazon VPCVPC Design and New Capabilities for Amazon VPC
VPC Design and New Capabilities for Amazon VPC
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Deep Dive on Amazon S3
Deep Dive on Amazon S3Deep Dive on Amazon S3
Deep Dive on Amazon S3
 
AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics Webinar
 
Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS Migrations
 
Introduction to Cloud Computing with Amazon Web Services
Introduction to Cloud Computing with Amazon Web Services Introduction to Cloud Computing with Amazon Web Services
Introduction to Cloud Computing with Amazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 

Similaire à Deploy and Govern at Scale with AWS Control Tower

Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxTrack 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Amazon Web Services
 

Similaire à Deploy and Govern at Scale with AWS Control Tower (20)

Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech TalksLaunch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
 
Control your cloud environment with AWS management tools
Control your cloud environment with AWS management toolsControl your cloud environment with AWS management tools
Control your cloud environment with AWS management tools
 
Building a well-engaged and secure AWS account access management - FND207-R ...
 Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...
 
Cloud Governance and Provisioning Management using AWS Management Tools and S...
Cloud Governance and Provisioning Management using AWS Management Tools and S...Cloud Governance and Provisioning Management using AWS Management Tools and S...
Cloud Governance and Provisioning Management using AWS Management Tools and S...
 
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxTrack 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
 
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
 
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
 
Landing Zone: Como ter certeza que sua Fundação está preparada
Landing Zone: Como ter certeza que sua Fundação está preparadaLanding Zone: Como ter certeza que sua Fundação está preparada
Landing Zone: Como ter certeza que sua Fundação está preparada
 
AWS Initiate - Landing Zone: Como saber se sua base está preparada
AWS Initiate - Landing Zone: Como saber se sua base está preparadaAWS Initiate - Landing Zone: Como saber se sua base está preparada
AWS Initiate - Landing Zone: Como saber se sua base está preparada
 
Architecting security and governance across your AWS environment
Architecting security and governance across your AWS environmentArchitecting security and governance across your AWS environment
Architecting security and governance across your AWS environment
 
Proteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSProteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWS
 
Pitt Immersion Day Module 5 - security overview
Pitt Immersion Day Module 5 - security overviewPitt Immersion Day Module 5 - security overview
Pitt Immersion Day Module 5 - security overview
 
AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...
AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...
AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...
 
Immersion Day - Well Architected Workshop - June 2019
Immersion Day - Well Architected Workshop - June 2019Immersion Day - Well Architected Workshop - June 2019
Immersion Day - Well Architected Workshop - June 2019
 
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
 
Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...
 
AWS Security By Design
AWS Security By DesignAWS Security By Design
AWS Security By Design
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management Tools
 
AWS identity services - Enabling & securing your cloud journey - SEC202 - San...
AWS identity services - Enabling & securing your cloud journey - SEC202 - San...AWS identity services - Enabling & securing your cloud journey - SEC202 - San...
AWS identity services - Enabling & securing your cloud journey - SEC202 - San...
 

Plus de Amazon Web Services

Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Deploy and Govern at Scale with AWS Control Tower

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Deploy and Govern at Scale with AWS Control Tower Juan Manuel Gomez Solutions Architect – Public Sector UK AWS Dan Miller Infrastructure Engineer University of York
  • 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda What’s a landing zone and an AWS Landing Zone? Implementing a landing zone AWS Landing Zone AWS Control Tower University of York’s landing zone journey AWS Landing Zone or AWS Control Tower?
  • 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. What do customers want to do on AWS? Focus on what differentiates Ideation to instantiation Secure and compliant environment
  • 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. What do customers need to achieve? Meets the organization’s security and auditing requirements Ready to support highly available and scalable workloads Configurable to support evolving business requirements
  • 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. You need a “landing zone” • A configured, secure, scalable, multi-account AWS environment based on AWS best practices • A starting point for net new development and experimentation • A starting point for migrating applications • An environment that allows for iteration and extension over time
  • 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Landing Zone vs. landing zone landing zone: • Secure pre-configured environment for your AWS presence • Scalable and flexible • Enables agility and innovation AWS Landing Zone: • Implementation of a landing zone based on multi-account strategy guidance AWS Control Tower: • AWS Service version of AWS Landing Zone
  • 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS account // best isolation boundary • Security/resource boundary • API limits/throttling • Billing separation
  • 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Account models One account 1,000s of accounts
  • 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Why one account isn’t enough • Billing • Many teams • Security / compliance controls • Business process • Isolation
  • 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Goals: Guardrails NOT blockers • Auditable • Flexible • Automated • Scalable • Self-service
  • 11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Account security considerations (diagram: baseline requirements: Lock, Enable, Define, Federate, Establish, Identify)
  • 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. What accounts should I create? • Organizations Account • Security • Log Archive • Shared Services • Network • Billing • Sandbox • Dev • Pre-Prod • Prod • Other
  • 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Multi-account approach (diagram: core accounts under AWS Organizations, team/group accounts and developer accounts, with a network path from the Network account to the data center) • Orgs: Account management • Log Archive: Security logs • Security: Security tools, AWS Config rules • Shared Services: Directory, limit monitoring • Network: AWS Direct Connect • Dev sandbox: Experiments, learning • Dev: Development • Pre-prod: Staging • Prod: Production • Team SS: Team Shared Services, Data lake
  • 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. The AWS Landing Zone solution An easy-to-deploy solution that automates the setup of new AWS multi-account environments Based on AWS best practices and recommendations Initial security and governance controls Baseline accounts and account vending machine Automated deployment
  • 16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Landing Zone structure - basic AWS Organizations Shared Services Log Archive Security Organizations Account • Account Provisioning • Account Access (SSO) Shared Services Account • Active Directory • Log Analytics Log Archive • Security Logs Security Account • Audit / Break-glass Parameter store
  • 17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Account Vending Machine (AWS Service Catalog) • Account creation factory • User interface to create new accounts • Account baseline versioning • Launch constraints (diagram: the vending machine creates/updates the AWS account, applies account baseline stack sets, creates the network baseline and applies the account security control policy, spanning the Organizations, Security, Log Archive and Shared Services accounts and the new AWS account)
  • 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Balancing the needs of builders and central cloud IT Builders: Stay agile Innovate with the speed and agility of AWS Cloud IT: Establish governance Govern at scale with central controls
  • 20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Business agility and governance control • Governance • Agility: self-service access, experiment fast, respond quickly to change
  • 21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Control Tower: Easiest way to set up and govern AWS at scale • Enable • Provision • Operate • Business agility + governance control
  • 22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Enable Enable for governance at scale
  • 23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Enable governance Enable Set up an AWS landing zone Establish guardrails Automate compliant account provisioning Centralize identity and access Manage continuously
  • 24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Set up an AWS landing zone • Landing zone - a preconfigured, secure, scalable, multi-account AWS environment based on best practice blueprints • Multi-account management using AWS Organizations • Identity and federated access management using AWS SSO • Centralized log archive using AWS CloudTrail and AWS Config • Cross-account audit access using AWS SSO and AWS IAM • End user account provisioning through AWS Service Catalog • Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS (diagram: master account running AWS Control Tower with AWS Organizations, AWS Single Sign-On and its directory, stack sets and AWS Service Catalog; Core OU with a log archive account aggregating AWS CloudTrail and AWS Config logs and an audit account holding security cross-account roles, an Amazon CloudWatch aggregator and security notifications; Custom OU with provisioned accounts carrying the network baseline and account baseline)
  • 25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Multi-account architecture • Master account: designation of your existing account to create a new organization. Also your master payer account • Organization consists of 2 OUs with pre-configured accounts: o Core OU: AWS Control Tower-created accounts, i.e., Audit account and Log archive account o Custom OU: Your provisioned accounts (diagram: master account with AWS Organizations; Core OU containing the log archive and audit accounts; Custom OU containing provisioned accounts)
  • 26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Centralize identity and access • AWS SSO provides default directory for identity • AWS SSO also enables federated access management across all accounts in your organization • Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users) • Preconfigured permission sets (e.g., admin, read-only, write)
  • 27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Establish guardrails • Guardrails are preconfigured governance rules for security, compliance, and operations • Expressed in plain English to provide abstraction over granular AWS policies • Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs • Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules • Mandatory and strongly recommended guardrails for prescriptive guidance • Easy selection and enablement on organizational units (diagram: guardrails are enabled on organizational units and applied to their accounts; a preventive guardrail maps to granular AWS policies implemented as SCPs, so accounts are always compliant; detective/remediable guardrails map to AWS Config rules, which report each account as compliant or non-compliant)
  • 28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Guardrail examples (goal/category: example) • IAM security: Require MFA for root user • Data security: Disallow public read access to Amazon S3 buckets • Network security: Disallow internet connection via Remote Desktop Protocol (RDP) • Audit logs: Enable AWS CloudTrail and AWS Config • Monitoring: Enable AWS CloudTrail integration with Amazon CloudWatch • Encryption: Ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances • Drift: Disallow changes to AWS Config rules set up by AWS Control Tower
  • 29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate compliant account provisioning • Built-in account factory provides a template to standardize account provisioning • Configurable network settings (e.g., subnets, IP addresses) • Automatic enforcement of account baselines and guardrails • Published to AWS Service Catalog (diagram: the account factory takes a network baseline (network CIDR, network regions), an OU and an account baseline, is published as an AWS Service Catalog product, and produces a new AWS account with the network baseline, account baseline and guardrails applied)
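The preventive/detective split on slides 27 and 28, shown as working policy checks. This is an added example, not AWS's or Control Tower's own code: the SCP text, the exempt role ARN pattern and the sample bucket policy are constructed placeholders, and the evaluator understands only the one condition key it needs.

```python
"""Added example, not AWS's or Control Tower's own code: one preventive and one
detective guardrail from the slide as policy data plus offline checks. The SCP,
the exempt role ARN and the sample bucket policy are constructed placeholders."""
import fnmatch
import json

# Preventive guardrail in the spirit of "Disallow changes to AWS Config rules":
# an explicit Deny SCP with an exception for the platform's own execution role.
GUARDRAIL_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyConfigRuleChanges",
    "Effect": "Deny",
    "Action": ["config:PutConfigRule", "config:DeleteConfigRule",
               "config:StopConfigurationRecorder"],
    "Resource": "*",
    "Condition": {"ArnNotLike": {"aws:PrincipalArn":
                  "arn:aws:iam::*:role/PLACEHOLDER-ControlTowerExecution"}}
  }]
}""")

def _matches(patterns, value):
    """IAM-style wildcard match (* and ?) of value against a pattern or list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def scp_denies(policy, action, principal_arn):
    """True if a Deny statement applies to this action and caller. ArnNotLike on
    aws:PrincipalArn is the only condition key this toy evaluator understands."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or not _matches(st["Action"], action):
            continue
        exempt = st.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if exempt and _matches(exempt, principal_arn):
            continue  # caller matches the exception, so this Deny does not apply
        return True
    return False

# Detective guardrail in the spirit of "Disallow public read access to S3 buckets":
# report a bucket policy that lets anonymous ("*") principals read objects.
def bucket_policy_compliance(bucket_policy):
    """Return 'COMPLIANT' or 'NON_COMPLIANT', the result vocabulary of AWS Config rules."""
    for st in bucket_policy.get("Statement", []):
        p = st.get("Principal")
        public = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if st.get("Effect") == "Allow" and public and _matches(st.get("Action", []), "s3:GetObject"):
            return "NON_COMPLIANT"
    return "COMPLIANT"

# Constructed sample: a bucket policy granting public object reads (NON_COMPLIANT).
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::constructed-example-bucket/*"}]}
```

The SCP blocks a developer role from deleting a Config rule before the API call is made, while the bucket check only reports drift after the fact; that is the difference between "always compliant" and "compliant / non-compliant" on the slide.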
  • 30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Control Tower: Easiest way to set up and govern at scale • Enable • Provision • Operate • Business agility + governance control
  • 31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Self-service account provisioning in AWS Service Catalog • Users can configure and provision AWS accounts and resources without needing full privileges to AWS services (e.g., Amazon EC2, Amazon RDS)
  • 32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Control Tower: Easiest way to set up and govern at scale • Enable • Provision • Operate • Business agility + governance control
  • 33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Operate with agility + control • Dashboard: Continuous visibility into your multi-account environment • Act: Take operational action on resources • Audit: Audit resource configurations, user access, and policy enforcement • Monitor: Monitor resources and workloads
  • 34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Dashboard for oversight
  • 35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Pricing and availability: US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland)
  • 36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Why use AWS Control Tower? Set up a best-practices AWS environment in a few clicks
  • 37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Summary of key features
  • 38. Dan Miller Multi-account AWS environments at scale Systems & Infrastructure Engineer University of York
  • 39. Who we are… • University of York • Campus in North Yorkshire, United Kingdom • Research intensive University • Over 30 academic departments • Over 18,000 students from 140+ countries • Over 3,000 staff members
  • 40. Key points to note • BitBucket and BitBucket Pipelines are used to store & deploy code • CloudFormation written in YAML for core infrastructure • SAM (& CloudFormation) / CDK for application infrastructure • Hybrid approach with some data still stored on campus servers* * for now
  • 41. Our old, monolithic structure
  • 42. Why this didn’t work for us… • A single development account is a hindrance • A desire to centralise our AWS offering within IT Services • Creating new accounts didn’t scale well • Blast radius was too wide
  • 43. Landing Zone Benefits • Quick and easy way to create multiple accounts • Achieve a desired state for each account upon provision • Easy management of accounts through Organizational Units • Configuration flexibility for ops teams • Security and auditing baseline
  • 44. Organizational Units • Sandbox • IT Services • Departmental • Research • Quarantine
  • 45. Sandbox Infrastructure • Allows a user access to their own isolated environment • Promotes experimentation, adoption and upskill • Fully automated provisioning process (<5 minutes) • Prevents using other accounts for testing • Centralised billing & cost monitoring
  • 46. Authentication Infrastructure • Shibboleth Single Sign-On • Allows existing University credentials to be used • Duo Multi-Factor Authentication (2FA) • SAML based authentication • Configured via Identity Providers under IAM • Entirely automated provisioning as a baseline
  • 48. Provisioning Infrastructure • Service Catalog to create accounts • Leverage extensive AWS APIs to streamline the process • Call back to internal authentication APIs to make the account known • Sends account welcome emails through Simple Email Service
  • 49. Provisioning Infrastructure • Account Type • Region • Username • Shibboleth Authentication Stack • VPC Type • Workorder (for internal billing)
  • 50. Campus Connectivity • Uses the AWS Transit Gateway service • Direct AWS VPN connectivity to a “shared services” account • Allows us to share a single VPN Gateway to multiple accounts • Reduces cost and allows easier traffic monitoring
  • 51. Compliance • GuardRails to monitor compliance in the environment • AWS Config • Old pricing model was too costly with multiple accounts • “Pay as you go” AWS Config pricing reduces costs • Cloud Custodian • Free, open source & uses AWS APIs
  • 52. Internal Tooling • Serverless Ruby application • Lambda, DynamoDB, ElastiCache, ACM, Cognito & ELB • Background lambdas for task processing • Not designed to replace AWS functionality, but assist
  • 54. AWS Account Management Overview (screenshot, illustrative data)
  • 55. Billing & Cost Management Overview (screenshot, illustrative data)
  • 56. Compliance Management Overview (screenshot, illustrative data)
  • 57. Compliance Management Rule Hits (screenshot, illustrative data)
  • 58. Compliance Management non-compliant services (screenshot, illustrative data)
  • 59. Compliance Management raw service view (screenshot, illustrative data)
  • 60. The future for York • Continue innovating with serverless architecture • Further expand our AWS offering within the University • Lessen the hybrid restrictions we currently have • Increase automation around accounts & deployments
  • 63. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Landing Zone vs. AWS Control Tower. AWS Landing Zone: • AWS CloudFormation deployment • Fully customizable/owned by customer • Most regions supported • Complete flexibility on account structure • Complex, requiring significant expertise. AWS Control Tower: • Managed service by AWS • Fixed blueprints and guardrails • Four regions at launch • Two non-configurable core accounts, no Shared Services account, no Amazon VPC in core • Self-service guided deployment configurable through GUI
  • 64. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Landing Zone to AWS Control Tower? Is there a migration path from AWS Landing Zone to AWS Control Tower? Yes, in the near future you will be able to migrate your existing accounts created with the AWS Landing Zone solution to AWS Control Tower. The migration path will occur in several phases to ensure compatibility between Control Tower and your AWS Landing Zone solution, starting with the ability to deploy Control Tower into an existing AWS Organizations organization, followed by enabling custom guardrails and custom blueprints for Control Tower.
  • 65. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Which one should I choose? • Review AWS Control Tower and its capabilities. Does it meet what you need? CT • Are you willing to start with a fresh new environment? CT • Are you willing to grow with the service? CT • Do you have a team that can take on the complexity of managing the AWS Landing Zone solution? If not, CT • Do you have an existing landing zone that meets your current needs and exceeds CT’s feature set? Evaluate CT, but you may need to wait • Do you need full customization and full control over every aspect of the landing zone? Use ALZ
  • 66. Thank you! © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Juan Manuel Gomez Jgrcmz@amazon.co.uk Dan Miller dan.miller@york.ac.uk