With customers migrating workloads to AWS, we are starting to see a need for a prescribed landing zone that uses native AWS capabilities and meets or exceeds customers' security and compliance objectives. In this session, we describe an AWS landing zone and explain features for account structuring, user configuration, provisioning, networking and operational automation. The Migration Landing Zone solution is based on AWS native capabilities such as AWS Service Catalog, AWS Identity and Access Management, AWS Config Rules, AWS CloudTrail and AWS Lambda. We provide an overview of AWS Service Catalog and how it can be used to offer self-service infrastructure to application users, including various options for automation. After this session you will be able to configure an AWS landing zone for successful large-scale application migrations.
Speaker: Koen Biggelaar, Senior Manager, Solutions Architecture, Amazon Web Services and Mahmoud ElZayet
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
1. Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Koen vd Biggelaar - Sr Mgr AWS Solutions Architecture
Mahmoud ElZayet – Solutions Builder
Tuesday 31st October 2017, London
2. Planning a Migration? Key Questions to consider
• How do we configure our AWS environment?
• What are best practices for security and compliance?
• How do we build a cloud operating model?
• How do we develop a business case?
• What types of migration will we use?
• What is our application portfolio?
• What are our key drivers?
• Which partners are we going to use?
3. What is an AWS Landing Zone?
- A baseline, secure, multi-account AWS environment configured according to best practices
- A starting point for your application migration journey
- An environment that allows for iteration and extension over time
7. Landing Zone Journey
[Diagram: phases Start, Migrate, Iterate, Operate & Optimise. Domains: Accounts; Network (Direct Connect); Security (Logging, Config); Identity & Access (Identities, Federation); Operational Automation (Service Catalog, End User Interaction, Imaging); Central Services; What's Next?]
8. Infrastructure Request: Current State
Typical Enterprise Situation: Lines of Business raise infrastructure requests to Central IT, which provisions them through a Governance & Service Management process.
Characteristics
• Lead times ~days to weeks
• Service catalogue of components
• Often process-heavy service management
9. Agility versus Control: How to choose?
Business & Business IT: "We want agility, so we can innovate in our business."
Central IT: "I need control, so I can protect our business."
10. Current State: Opportunity to achieve Agility and Control
Landing Zone Templates, Policy & Best Practices, Landscape Management, Automation and Monitor & Respond sit between the Lines of Business and Central IT.
Opportunities
• Lead times in minutes
• Service catalogue of landscapes
• Automated service management
13. Account Structure
• Don't overdo it on Day One
• Use separate accounts for:
  - Security and compliance isolation (production vs non-prod, logging)
  - Cost allocation
  - Resource management and ownership
16. Manage Multiple Accounts: CloudFormation StackSets
A stack set in the payer/administrator account holds one template; for each selected region it deploys a stack into every target account (Account A, Account B, Account C, D, E, ...).
17. Manage Multiple Accounts: AWS Organizations
Accounts (A, B, C, ...) sit in organizational units (OUs) under the organization Root; the accounts in an OU are looked up via Organizations and the stack set is deployed to them.
19. Individual VPC Patterns
• Hybrid 2-tier (public and private)
• Internal-only
• Internet-only
• Hybrid 3-tier (Presentation/Application/Data)
AWS Quick Starts: Scalable VPC, PCI DSS
21. Multi-VPC Partially Meshed VPC Peering
• Can create multiple VPCs within the same or different region/account
• Do not require full connectivity between all of their VPCs
• Central shared services VPC
• Multiple VPCs that need access to shared resources but not to each other
• Require fewer than 100 peering connections per VPC
AWS Answers: How do I share a single VPN connection with multiple VPCs?
26. Log everything centrally for analysis
Centralised logging makes it easy for security teams to consolidate AWS logs and analyse them to detect incidents.
Pipeline: Log (VPC Flow Logs from the VPC subnet, Amazon EC2 instance logs, AWS CloudTrail) → Transform (Amazon S3, Amazon CloudWatch, AWS Lambda) → Search (Amazon Elasticsearch Service).
You can do this by simply using:
• Amazon Elasticsearch Service
• CloudTrail logs
• VPC flow logs
• EC2 server logs
• AWS Config logs
AWS Answers: How can I implement a centralized logging solution on AWS?
AWS Answers: What are the native AWS security-logging capabilities?
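The "Transform" stage of the pipeline above is where detection logic belongs. The following is an added example (not code from the deck or from the AWS Answers solution) of the rules a Lambda function in that stage could run over CloudTrail records and VPC Flow Log lines: root or non-MFA console logins, API calls that disable logging, and a port-scan heuristic built from REJECTed flows. All events, account IDs, ENI IDs and addresses are constructed samples.

```python
"""Detection rules run over centrally collected CloudTrail and VPC Flow Log data.

Added example: the rules below are what a transform-stage Lambda could apply
before indexing. All records are constructed samples; account IDs, ENI IDs
and IP addresses are placeholders, not real data.
"""
from collections import defaultdict

# CloudTrail API calls that weaken or disable logging: a classic attacker move.
LOGGING_TAMPERING_CALLS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "PutEventSelectors", "DeleteFlowLogs",
}

# Constructed CloudTrail records (only the fields the rules below look at).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2017-10-31T09:12:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-10-31T09:15:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2017-10-31T09:16:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "accountId": "111111111111"},
     "sourceIPAddress": "10.0.5.4"},
]

# Constructed VPC Flow Log lines in the version-2 default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 41002 22 6 1 40 1509440000 1509440060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 41003 23 6 1 40 1509440000 1509440060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 41004 80 6 1 40 1509440000 1509440060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 41005 443 6 1 40 1509440000 1509440060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 41006 3389 6 1 40 1509440000 1509440060 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.2.9 10.0.1.20 50123 443 6 12 3400 1509440000 1509440060 ACCEPT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1509440000 1509440060 - NODATA
"""

FLOW_LOG_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log_line(line):
    """Parse one v2 flow log line; None for headers and NODATA/SKIPDATA rows."""
    fields = line.split()
    if len(fields) != len(FLOW_LOG_FIELDS) or fields[0] != "2":
        return None
    record = dict(zip(FLOW_LOG_FIELDS, fields))
    if record["log_status"] != "OK":
        return None  # traffic fields are '-' placeholders, nothing to parse
    for key in INT_FIELDS:
        record[key] = int(record[key])
    return record


def cloudtrail_findings(records):
    """Flag root usage, console logins without MFA and logging tampering."""
    findings = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        name = rec.get("eventName")
        base = {"time": rec.get("eventTime"), "source_ip": rec.get("sourceIPAddress")}
        if name == "ConsoleLogin":
            if identity.get("type") == "Root":
                findings.append({"rule": "root_console_login", **base})
            if rec.get("additionalEventData", {}).get("MFAUsed") == "No":
                findings.append({"rule": "console_login_without_mfa", **base})
        if name in LOGGING_TAMPERING_CALLS:
            findings.append({"rule": "logging_tampering", "api_call": name,
                             "user": identity.get("userName", identity.get("type")),
                             **base})
    return findings


def port_scan_findings(flow_log_text, min_ports=5):
    """Flag a source REJECTed on min_ports or more distinct ports of one host."""
    rejected_ports = defaultdict(set)  # (srcaddr, dstaddr) -> {dstport, ...}
    for line in flow_log_text.splitlines():
        record = parse_flow_log_line(line)
        if record and record["action"] == "REJECT":
            rejected_ports[(record["srcaddr"], record["dstaddr"])].add(record["dstport"])
    return [
        {"rule": "port_scan", "source_ip": src, "target_ip": dst, "ports": sorted(ports)}
        for (src, dst), ports in sorted(rejected_ports.items())
        if len(ports) >= min_ports
    ]


if __name__ == "__main__":
    for finding in cloudtrail_findings(SAMPLE_CLOUDTRAIL) + port_scan_findings(SAMPLE_FLOW_LOGS):
        print(finding)
```

The port-scan rule keys on (source, destination) pairs so that one noisy client talking to many hosts on one port is not confused with one host being swept; tune `min_ports` to the environment, and note that NODATA/SKIPDATA rows are skipped rather than counted, because they carry no port information.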
27. Choose how to start your compute: private images or import your current ones
Launch an instance from the EC2 AMI catalogue, configure the running instance, and it becomes your instance. Configure your environment as you like: hardening and configuration, audit and logging, vulnerability management, malware and IPS, whitelisting and integrity, user administration, operating system.
Options to create or import your own 'gold' images:
1. Import existing VMs to AWS
2. Procure a partner AMI from AWS Marketplace
3. Create and save your own custom images
4. Bootstrap a base AMI
AWS Marketplace: CIS Hardened AMIs
AWS DevOps Blog: How to Create an AMI Builder with AWS CodeBuild and HashiCorp Packer
29. Identity and Access Management: control access and segregate duties everywhere
You get to control who can do what in your AWS environment, when and from where, with fine-grained control of your AWS cloud and multi-factor authentication.
Integrate with your existing corporate directory and provide SSO to your users: IAM supports SAML 2.0 identity providers (for example AD FS in front of your existing Active Directory) and OpenID Connect compatible IdPs.
You can use AWS managed policies, policies for typical job functions, or customer-generated policies built with the policy generator and tested with the policy simulator.
30. Identity Federation
The identity store in the corporate data center (an AD group) handles identity and authentication; through the browser interface the user is federated to AWS, where the AD group is mapped to a specific IAM role with an access policy that grants access to AWS.
31. Select an Identity Federation Option
• Cross-Account Roles with IAM
• Cross-Account Roles with AWS Directory Service
• SAML Federation
• Custom Identity Broker
32. Example: Cross-Account Roles with AWS Directory Service
AWS Answers: How do I manage multiple AWS accounts for security purposes?
AWS Directory Service users in the Shared-services account switch role into the sub-accounts (Billing, Security, Application).
• Users and groups are managed in one account (Shared-services) using AWS Directory Service
• IAM roles in every account are used for fine-grained authorization
• Can be integrated with the on-premises user directory for authentication
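The switch-role pattern above needs two IAM policy documents: a trust policy on the role in each sub-account saying who may assume it, and a permission policy in the Shared-services account granting sts:AssumeRole on exactly that role. The following added example (not code from the deck or the AWS Answers solution) generates both, requiring MFA on the trust side, and lints a trust policy for the mistakes that quietly turn a cross-account role into a public door. The account IDs and role name are placeholders.

```python
"""Cross-account role wiring for the shared-services pattern, plus a trust-policy check.

Added example. Account IDs and the role name are placeholders; the policy
grammar (Version, Statement, Principal, Condition) is standard IAM JSON.
"""
import json

SHARED_SERVICES_ACCOUNT = "111111111111"   # placeholder: where users and groups live
APPLICATION_ACCOUNT = "222222222222"       # placeholder: a sub-account users switch into


def cross_account_role_policies(shared_services_account, target_account,
                                role_name, require_mfa=True):
    """Return (trust_policy, assume_policy).

    trust_policy  : attached to the role in target_account; says who may assume it.
    assume_policy : attached to a group in shared_services_account; grants
                    sts:AssumeRole on exactly that role, nothing broader.
    """
    trust_statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{shared_services_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # Switch-role only succeeds for sessions that authenticated with MFA.
        trust_statement["Condition"] = {
            "Bool": {"aws:MultiFactorAuthPresent": "true"}}
    trust_policy = {"Version": "2012-10-17", "Statement": [trust_statement]}
    assume_policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{target_account}:role/{role_name}",
    }]}
    return trust_policy, assume_policy


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy):
    """Return human-readable weaknesses found in a role trust policy."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (["*"] if principal == "*"
                          else _as_list(principal.get("AWS", [])))
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account can assume this role")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("no aws:MultiFactorAuthPresent condition")
        if any(a in ("sts:*", "*") for a in actions):
            findings.append("action broader than sts:AssumeRole")
    return findings


if __name__ == "__main__":
    trust, assume = cross_account_role_policies(
        SHARED_SERVICES_ACCOUNT, APPLICATION_ACCOUNT, "AppAdmin")
    print(json.dumps(trust, indent=2))
    print(json.dumps(assume, indent=2))
    print("trust policy findings:", trust_policy_findings(trust))
```

Trusting the shared-services account's `:root` principal delegates the "which users" decision to that account's IAM, which is the point of the pattern; the per-user or per-group scoping then lives in the assume policy, where it can be managed alongside the directory groups.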
34. Agility and Control: AWS Service Catalog and Marketplace
Organizations get Standardise, Control, Govern; Developers get Agility, Self-Service, Time to Market.
AWS Service Catalog allows organizations to create and manage catalogs of IT services and software on AWS.
35. Key Features
• Tag enforcement
• Portfolio-level IAM access
• Denial of end-user access to underlying services
• Constrain CloudFormation parameters
• Share portfolios
• Version and re-use products
• API, CLI, Console
• AWS Marketplace to AWS Service Catalog copy
37. EC2 instance scheduler
A single CloudFormation scheduler stack deploys all solution components: a CloudWatch rule triggers the scheduler Lambda function, which reads the scheduler configuration table and the instance state table, fetches EC2 instance information, writes CloudWatch Logs and CloudWatch Metrics, and starts or stops tagged EC2 instances in one or more AWS accounts. IAM cross-account roles (the scheduler role) control access to those accounts.
AWS Answers: How do I automatically start and stop my Amazon EC2 instances?
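The decision the scheduler Lambda makes on every CloudWatch trigger is simple to state but has edge cases worth getting right: untagged instances must never be touched, a tag naming an unknown schedule must not stop anything, and a period that crosses midnight belongs to the weekday it started on. The following is an added example of that core logic (not the code of the AWS EC2 Scheduler solution); the schedule table and instance list are constructed stand-ins for the DynamoDB configuration table and the EC2 API response, and times are treated as UTC to keep it self-contained.

```python
"""Start/stop decisions for tagged EC2 instances against named schedules.

Added example of the scheduler's decision logic. SCHEDULES stands in for the
scheduler configuration table and INSTANCES for describe_instances output;
both are constructed. All times are UTC (a simplification of this example).
"""
from datetime import datetime, time

# Constructed schedule configuration (stand-in for the configuration table).
SCHEDULES = {
    # Mon-Fri 08:00-18:00
    "office-hours": {"begintime": time(8, 0), "endtime": time(18, 0),
                     "weekdays": {0, 1, 2, 3, 4}},
    # nightly batch window that crosses midnight, every day
    "batch": {"begintime": time(22, 0), "endtime": time(4, 0),
              "weekdays": set(range(7))},
}

# Constructed instance inventory (stand-in for the EC2 API response).
INSTANCES = [
    {"InstanceId": "i-0001", "State": "stopped", "Tags": {"Schedule": "office-hours"}},
    {"InstanceId": "i-0002", "State": "running", "Tags": {"Schedule": "office-hours"}},
    {"InstanceId": "i-0003", "State": "running", "Tags": {}},                       # untagged
    {"InstanceId": "i-0004", "State": "running", "Tags": {"Schedule": "no-such"}},  # bad tag
    {"InstanceId": "i-0005", "State": "stopped", "Tags": {"Schedule": "batch"}},
]


def schedule_is_active(schedule, now):
    """True if 'now' falls inside the schedule's running period."""
    begin, end = schedule["begintime"], schedule["endtime"]
    if begin <= end:
        # same-day period: the weekday of 'now' must be allowed
        return now.weekday() in schedule["weekdays"] and begin <= now.time() < end
    # period crosses midnight: the part before midnight belongs to today's
    # weekday, the part after midnight to the previous day's weekday
    if now.time() >= begin:
        return now.weekday() in schedule["weekdays"]
    if now.time() < end:
        return (now.weekday() - 1) % 7 in schedule["weekdays"]
    return False


def desired_actions(instances, schedules, now, tag_key="Schedule"):
    """Return [(instance_id, 'start' | 'stop'), ...] for instances whose state
    disagrees with their schedule. Untagged instances and instances whose tag
    names an unknown schedule are left alone (fail safe: never stop by accident)."""
    actions = []
    for inst in instances:
        name = inst["Tags"].get(tag_key)
        if name is None or name not in schedules:
            continue
        should_run = schedule_is_active(schedules[name], now)
        if should_run and inst["State"] == "stopped":
            actions.append((inst["InstanceId"], "start"))
        elif not should_run and inst["State"] == "running":
            actions.append((inst["InstanceId"], "stop"))
    return actions


if __name__ == "__main__":
    for when in (datetime(2017, 10, 30, 9, 0), datetime(2017, 10, 30, 20, 0),
                 datetime(2017, 11, 4, 10, 0), datetime(2017, 10, 31, 2, 0)):
        print(when.isoformat(), desired_actions(INSTANCES, SCHEDULES, when))
```

In the real solution the action list would be handed to the EC2 API through the cross-account scheduler role; keeping the decision pure, as here, is what makes it testable without an account.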
38. What have we built so far? High-level Architecture
[Diagram: Security Account, Shared Services Account, Billing Account, Stack Set Admin Account and Application Accounts. Components: Logging Buckets, Centralised Logging, Analytics, Cost Optimization Monitor; Stack Sets and Stand Alone Templates (Scalable VPC Quick Start, Cross Account Manager, VPC Flow & Instance Logs, CloudTrail, Config & IAM Baseline); CAM Sub-Account; Ops Automator / Instance Scheduler]
40. Managing to the Portfolio Value

Portfolio Tier | Requirements | Operations Model | Approx. % Portfolio* | IT Spend Against Portfolio
Differentiators | High rate of change & innovation; possibly business-critical, but not always | DevOps | 15% | 60% - 70%
Table Stakes | Business-critical, but low rate of change. Needs high availability, maximum reliability, and durable DR | Automated Efficiency | 25% |
Commodity | COTS & commodity, minimal risk, low change, standard downtime & reliability requirements | Automated-Traditional | 60% | 30% - 40%

*estimated numbers
Provided Under NDA
41. Increasing Levels of Effort with Increasing Levels of Return: Running Multi-Modal Migrations
[Diagram: Value against Maturity, rising through Mass migration, Re-platform / Refactor and Re-architect. Labels along the curve, in order: Automation, Mass Migration, Capex to Opex, Cost Out, Facilities Closure, Consistent Operations, Traditional Operations+, Operational Transition, Cloud Capable Applications, Capex to Opex, Nascent Services, Cloud COE, Managed Services, Automated Operations, Cloud Aware Applications, Serverless Compute, Continuous Integration, Disruptive Technology, Maximum Efficiency, Advanced Architecture, Development and Operations]
42. Executing Multi-Modal Migrations
[Diagram: programme plan across Sprint 1 to Sprint 7 with Brown(field) and Green(field) tracks. Activities: Deploy Landing Zone, then Extend, Integrate and Manage Landing Zone; Migration Business Case; Discovery Prep, Discovery, Pipeline Generation, Migration Patterns Creation; Greenfield Migrations, Innovation, Re-Factor, Re-Host, Complex App (single sprint)]
43. Key Take-Aways
• Configuring your AWS environment to match your operations and migration needs is a key step in your cloud journey
• Maximise automation, including cost optimization (e.g. resizing instances, on/off schedules)
• Check aws.amazon.com/answers for guidance and packaged solutions that help you build your own Landing Zone
• Be agile in your migrations; not everything can be planned upfront
45. Landing Zone Resources (1/3)
• Cost Optimization Monitor: https://aws.amazon.com/answers/account-management/cost-optimization-monitor/
• Scalable VPC Quick Start: https://docs.aws.amazon.com/quickstart/latest/vpc/
• PCI DSS Quick Start: https://aws.amazon.com/quickstart/architecture/accelerator-pci/
• How do I connect multiple VPCs in a single AWS Region? https://aws.amazon.com/answers/networking/aws-single-region-multi-vpc-connectivity/
• How do I share a single VPN connection with multiple VPCs? https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
• How do I build a global transit network on AWS? https://aws.amazon.com/answers/networking/aws-global-transit-network/
• Microsoft Active Directory: https://aws.amazon.com/quickstart/architecture/active-directory-ds/
• How do I ensure I set up my AWS account securely? https://aws.amazon.com/answers/security/aws-secure-account-setup/
• How do I set up AWS Identity and Access Management (IAM) for my organization? https://aws.amazon.com/answers/security/aws-iam-in-practice/
46. Landing Zone Resources (2/3)
• Compliance Quick Start: https://github.com/aws-quickstart/quickstart-compliance-common
• CIS Security Benchmark: https://github.com/awslabs/aws-security-benchmark
• Security Blog: Announcing Industry Best Practices for Securing AWS Resources: https://aws.amazon.com/blogs/security/announcing-industry-best-practices-for-securing-aws-resources/
• UK-OFFICIAL Compliance Quick Start: https://aws.amazon.com/quickstart/architecture/accelerator-uk-official/
• How can I implement a centralized logging solution on AWS? https://aws.amazon.com/answers/logging/centralized-logging/
• What are the native AWS security-logging capabilities? https://aws.amazon.com/answers/logging/aws-native-security-logging-capabilities/
• CIS Hardened AMIs: https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed
• How to Create an AMI Builder with AWS CodeBuild and HashiCorp Packer: https://aws.amazon.com/blogs/devops/how-to-create-an-ami-builder-with-aws-codebuild-and-hashicorp-packer/
• How should I manage multiple AWS accounts for security purposes? https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/
47. Landing Zone Resources (3/3)
• User Access Management Module: http://www.awslandingzone.com/modules/landing-zone-user-access.pptx
• How do I monitor the cross-region replication of my Amazon S3 objects? https://aws.amazon.com/answers/infrastructure-management/crr-monitor/
• AWS Ops Automator: https://github.com/awslabs/aws-ops-automator
• DynamoDB Continuous Backup Utility: https://github.com/awslabs/dynamodb-continuous-backup
• How do I automatically start and stop my Amazon EC2 instances? https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/
• How do I receive notifications as I approach AWS service limits? https://aws.amazon.com/answers/account-management/limit-monitor/