
Managing AWS cloud environments simply and securely with AWS Control Tower (IT-Tage)


AWS Control Tower – Managing AWS cloud environments simply and securely

To stay competitive, companies must work faster and more efficiently than ever before while keeping control of costs, compliance and security. IT is under pressure to simplify things and to give developers the ability to be more agile. This cannot be achieved with conventional approaches and tools, so IT professionals constantly have to trade off business agility against governance control. This talk shows how both can be achieved with the help of AWS management and governance services.

By the end of the talk, attendees will have the tools they need to build a "Well-Architected" environment in which they can manage security, operations and compliance rules to govern their workloads on the Amazon Web Services (AWS) platform.

https://aws.amazon.com/de/controltower/

Dennis Kieselhorst

December 09, 2020


Transcript

  1. © 2020, Amazon Web Services, Inc. or its Affiliates.
    Dennis Kieselhorst
    Sr. Solutions Architect
    AWS Control Tower
    Managing AWS cloud environments simply and securely

  2.
    Agenda
    • Motivation: Why a multi-account strategy / landing zone?
    • AWS Control Tower value proposition
    • A landing zone, the AWS Landing Zone solution, and AWS Control Tower
    • AWS Control Tower: Enable, Provision, Operate
    • Demo
    • Q&A

  3.
    We thought we did this…

  4.
    But…

  5.
    Why one AWS account isn’t enough
    Billing
    Many teams
    Security / compliance controls
    Business process
    Isolation

  6.
    Isolation with IAM and VPC in one account?
    “Gray” boundaries
    Complicated and messy over time
    Difficult to track resources
    People stepping on each other
    (Diagram: everything inside a single AWS account)

  7.
    Customers are faced with…
    Many design decisions
    The need to configure multiple accounts & services
    Establishing a security baseline & governance

  8.
    Balancing the needs of builders and central cloud IT
    Builders: stay agile; innovate with the speed and agility of AWS
    Cloud IT: establish governance; govern at scale with central controls

  9.
    More innovation, greater agility, with control
    Agility: experiment; be productive; empower distributed teams; self-service access; respond quickly to change
    Enable, Provision, Operate
    Governance: secure & compliant; operations & spend management
    Don’t choose between agility or control: you need and want both

  10.
    AWS management and governance services: Enable, Provision, Operate
    Business agility + governance control
    AWS Control Tower, AWS Organizations, AWS Budgets, AWS License Manager, AWS Well-Architected Tool, AWS OpsWorks, AWS CloudFormation, AWS Service Catalog, AWS Marketplace, AWS Cost Explorer, Amazon CloudWatch, AWS Cost and Usage Report, AWS CloudTrail, AWS Systems Manager, AWS Config

  11.
    AWS Control Tower: Easiest way to set up and govern AWS at scale
    Enable, Provision, Operate: business agility + governance control

  12.
    Why use AWS Control Tower?
    Set up a best-practices AWS environment in a few clicks

  13.
    What is a “landing zone”?
    • A configured, secure, scalable, multi-account (multiple resource containers) AWS environment based on AWS best practices
    • A starting point for net new development and experimentation
    • A starting point for migrating applications
    • An environment that allows for iteration and extension over time

  14.
    landing zone, AWS Landing Zone, AWS Control Tower
    landing zone:
    • Secure pre-configured environment for your AWS presence
    • Scalable and flexible
    • Enables agility and innovation
    AWS Landing Zone Solution:
    • Implementation of a landing zone based on multi-account strategy guidance
    • Customers get code that they will need to manage & maintain
    • Solution will no longer receive updates by EOY 2020
    AWS Control Tower:
    • AWS Managed Service version of AWS Landing Zone

  15.
    Landing Zones – how we got here
    2006-2020+: Customer hand crafted (tried and true, not simple)
    2018: AWS Landing Zone V1
    Q4 2018: AWS Landing Zone V2.x and AWS Control Tower announced
    Q2 2019: AWS Control Tower launched
    2020+: ALZ reference architecture for AWS Control Tower

  16.
    Enable governance
    Set up an AWS landing zone; establish guardrails; automate compliant account provisioning; centralize identity and access; manage continuously

  17.
    Set up an AWS landing zone
    • Landing zone: a preconfigured, secure, scalable, multi-account AWS environment based on best practice blueprints
    • Multi-account management using AWS Organizations
    • Identity and federated access management using AWS SSO
    • Centralized log archive using AWS CloudTrail and AWS Config
    • Cross-account audit access using AWS SSO and AWS IAM
    • End user account provisioning through AWS Service Catalog
    • Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS
    (Diagram: the master account runs AWS Control Tower, AWS Organizations, AWS Single Sign-On, stack sets and AWS Service Catalog. The Core OU holds the log archive account (aggregate AWS CloudTrail and AWS Config logs, account baseline) and the audit account (security cross-account roles, account baseline, Amazon CloudWatch aggregator, security notifications). The Custom OU holds the provisioned accounts (network baseline, account baseline). Identities come from the AWS SSO directory.)

  18.
    Multi-account architecture
    • Master account: designation of your existing account to create a new organization. Also your master payer account
    • Organization consists of 2 OUs with pre-configured accounts:
      o Core OU: AWS Control Tower-created accounts, i.e., Audit account and Log archive account
      o Custom OU: Your provisioned accounts
    (Diagram: master account with AWS Organizations; Core OU with log archive account and audit account; Custom OU with provisioned accounts)

  19.
    Demo

  20.
    Centralize identity and access
    • AWS SSO provides default directory for identity
    • AWS SSO also enables federated access management across all accounts in your organization
    • Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users)
    • Preconfigured permission sets (e.g., admin, read-only, write)

  21.
    Establish guardrails
    • Guardrails are preconfigured governance rules for security, compliance, and operations
    • Expressed in plain English to provide abstraction over granular AWS policies
    • Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs
    • Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules
    • Mandatory and strongly recommended guardrails for prescriptive guidance
    • Easy selection and enablement on organizational units
    (Diagram: guardrails are enabled on organizational units and flow down to the accounts in them. A preventive guardrail outputs granular AWS policies as an SCP, so the accounts are always compliant. A detective/remediable guardrail outputs granular AWS policies as AWS Config rules, which report each account as compliant or non-compliant.)

  22.
    Service Control Policies (SCPs)
    • Enable you to control which AWS service APIs are accessible
      - Define the list of APIs that are allowed – whitelisting
      - Define the list of APIs that must be blocked – blacklisting
    • SCPs are:
      - Invisible to all users in the child account, including root
      - Applied to all users in the child account, including root
    • Permission: intersection between the SCP and IAM permissions
      - IAM policy simulator is SCP aware

  23.
    Disable Service APIs you Won’t be Using
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "<service-prefix>:*",
          "Resource": "*"
        }
      ]
    }
    (<service-prefix> is a placeholder: the service prefix in front of ":*" did not survive the transcript. It names the service whose API calls the SCP denies.)
    Element    Description
    NotAction  (Optional) List the AWS actions exempt from the SCP. Used in place of the Action element.
    Resource   List the AWS resources the SCP applies to.
    Condition  (Optional) Specify conditions for when the statement is in effect.
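Slides 22 and 23 state the evaluation rule (effective permission is the intersection of the SCPs and the IAM permissions, with NotAction as the allow-list form). The following added example, not part of the deck, models that rule offline: every level of the organization path must allow the action (an explicit Deny anywhere wins), and then the identity policy must allow it too. The policy documents and service names are constructed for illustration; FULL_AWS_ACCESS mirrors the default SCP AWS attaches, and Resource/Condition evaluation is deliberately left out.

```python
import re

# Constructed sample policies (not from the deck).
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Slide 23 pattern: deny the service APIs this OU will not use (blacklisting).
DENY_UNUSED_SERVICES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["sagemaker:*", "iot:*"], "Resource": "*"}]}
# NotAction form: deny everything except the listed services (whitelisting).
ONLY_CORE_SERVICES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotAction": ["ec2:*", "s3:*", "logs:*"], "Resource": "*"}]}
# IAM identity policy of a developer role inside the member account.
DEVELOPER_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "sagemaker:CreateNotebookInstance"],
     "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM-style action matching: '*' any run, '?' one char, case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def _statement_applies(stmt: dict, action: str) -> bool:
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:  # applies to every action NOT in the list
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def policy_decision(policy: dict, action: str) -> str:
    """'Deny' if a matching statement denies, else 'Allow' if one allows, else 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def _level_decision(policies, action: str) -> str:
    """All SCPs attached at one level (root, OU or account) combine: Deny wins, then Allow."""
    decisions = [policy_decision(p, action) for p in policies]
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if "Allow" in decisions else "ImplicitDeny"


def is_allowed(scp_levels, identity_policy: dict, action: str) -> bool:
    """Intersection rule from slide 22: every level on the org path must allow
    the action, and then the IAM identity policy must allow it as well."""
    if any(_level_decision(level, action) != "Allow" for level in scp_levels):
        return False
    return policy_decision(identity_policy, action) == "Allow"


# Root has only the default SCP; each OU adds its own restriction.
SANDBOX_OU_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_UNUSED_SERVICES]]
LOCKED_OU_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, ONLY_CORE_SERVICES]]
```

Running is_allowed over a few actions shows the three outcomes the slide implies: allowed by both, blocked by the SCP despite an IAM grant, and permitted by the SCP but never granted by IAM.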

  24.
    Organizational Units
    • Grouping of AWS Accounts
    • Service Control Policies (SCPs) are attached to the groups
    • Use permission grouping (NOT corporate structure)
    How likely is the group to need a set of similar policies?

  25.
    Guardrail examples
    Goal/category      Example
    IAM security       Require MFA for root user
    Data security      Disallow public read access to Amazon S3 buckets
    Network security   Disallow internet connection via Remote Desktop Protocol (RDP)
    Audit logs         Enable AWS CloudTrail and AWS Config
    Monitoring         Enable AWS CloudTrail integration with Amazon CloudWatch
    Encryption         Ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances
    Drift              Disallow changes to AWS Config rules set up by AWS Control Tower

  26.
    Automate compliant account provisioning
    • Built-in account factory provides a template to standardize account provisioning
    • Configurable network settings (e.g., subnets, IP addresses)
    • Automatic enforcement of account baselines and guardrails
    • Published to AWS Service Catalog
    (Diagram: the account factory takes a network baseline (network CIDR, network regions), the target OU and the account baseline, and publishes them as an AWS Service Catalog product; launching the product creates a new AWS account that receives the network baseline, the account baseline and the guardrails.)

  27.
    Automate secure self-service provisioning at scale
    Enable, Provision, Operate: business agility and governance control

  28.
    AWS CloudFormation concepts
    Template (JSON or YAML), Change set, Stack

  29.
    AWS CloudFormation StackSets
    (Diagram: one template, deployed through a stack set, becomes one stack per target account/region)

  30.
    Enable self-service with AWS Service Catalog
    (Diagram with numbered steps 1 and 2)

  31.
    Automate governance at scale
    (Diagram with numbered steps 1, 2 and 3)

  32.
    Benefits of governance at scale
    Organizations: curation, compliance, standardization
    End users: agility, self-service, time to market
    Speed, security
    Service catalogs enable organizations to deploy and manage infrastructure and applications that reflect the organization’s security and operational policies

  33.
    Enabling self-service via AWS & ITSM Tools
    Users browse and request AWS services
    Administrators procure, publish, and govern AWS services
    Operators monitor and manage AWS services
    (Diagram, steps 1 to 3: Jira Service Desk, AWS Marketplace and AWS Service Catalog in front of the AWS Cloud (Amazon EC2, Amazon Simple Storage Service, Amazon WorkSpaces, Amazon SageMaker, Amazon RDS, Amazon EMR, AWS IoT Core))

  34.
    Starter AWS multi-account framework
    AWS Cloud / AWS Organizations
    Foundational Organizational Units (OUs): Infrastructure (Δ Shared Services, Δ Network), Security
    Additional OUs

  35.
    Starter AWS multi-account framework
    AWS Cloud / AWS Organizations
    Foundational Organizational Units (OUs): Infrastructure (Δ Shared Services, Δ Network), Security (Δ Log Archive, Δ Security Tooling)
    Additional OUs
    Control Tower deploys these automatically

  36.
    AWS multi-account framework
    AWS Cloud / AWS Organizations
    Master
    Foundational Organizational Units (OUs): Infrastructure (Δ Shared Services, Δ Network), Security
    Additional OUs

  37.
    How to customize AWS CT today?
    https://aws.amazon.com/solutions/customizations-for-aws-control-tower/

  38.
    Lifecycle Events
    • CreateManagedAccount
    • UpdateManagedAccount
    • EnableGuardrail
    • DisableGuardrail
    • SetupLandingZone
    • UpdateLandingZone
    • RegisterOrganizationalUnit
    • DeregisterOrganizationalUnit
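Lifecycle events are what an operations team hooks into to react when Control Tower creates an account or changes a guardrail. The added example below (not from the deck) matches such an event against an EventBridge-style pattern built from the eight event names and extracts the fields a follow-up automation needs. The source/detail-type values and the serviceEventDetails layout are assumptions about how these events arrive via CloudTrail; the sample event and its ids are constructed.

```python
from typing import Optional

# The eight lifecycle events listed on the slide.
LIFECYCLE_EVENT_NAMES = [
    "CreateManagedAccount", "UpdateManagedAccount",
    "EnableGuardrail", "DisableGuardrail",
    "SetupLandingZone", "UpdateLandingZone",
    "RegisterOrganizationalUnit", "DeregisterOrganizationalUnit",
]
# EventBridge-style pattern; source and detail-type are assumed values
# for CloudTrail-delivered Control Tower events (verify before relying on them).
LIFECYCLE_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": LIFECYCLE_EVENT_NAMES},
}


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Minimal EventBridge matcher: each pattern key must be present in the
    event, a list means 'value is one of', a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def summarize_lifecycle_event(event: dict) -> Optional[dict]:
    """Return event name, outcome state and, for account events, the new
    account id and its OU. The '<eventName>Status' object with 'account'
    and 'organizationalUnit' children is an assumed payload shape."""
    if not matches_pattern(event, LIFECYCLE_PATTERN):
        return None
    detail = event["detail"]
    name = detail["eventName"]
    status_key = name[0].lower() + name[1:] + "Status"
    status = detail.get("serviceEventDetails", {}).get(status_key, {})
    summary = {"eventName": name, "state": status.get("state", "UNKNOWN")}
    if name.endswith("ManagedAccount"):
        summary["accountId"] = status.get("account", {}).get("accountId")
        summary["ouName"] = status.get("organizationalUnit", {}).get("organizationalUnitName")
    return summary


# Constructed sample event with placeholder ids (not real AWS values).
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "account": "111111111111",
    "detail": {
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {"createManagedAccountStatus": {
            "organizationalUnit": {"organizationalUnitName": "Custom", "organizationalUnitId": "ou-EXAMPLE"},
            "account": {"accountName": "workload-1", "accountId": "222222222222"},
            "state": "SUCCEEDED"}},
    },
}
```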

  39.
    AWS Control Tower: Easiest way to set up and govern at scale
    Enable, Provision, Operate: business agility + governance control

  40.
    Operate with agility + control
    Dashboard: continuous visibility into your multi-account environment
    Act: take operational action on resources
    Audit: audit resource configurations, user access, and policy enforcement
    Monitor: monitor resources and workloads

  41.
    Demo

  42.
    Upcoming Features
    Schedule a roadmap session (under NDA)

  43.
    AWS services that enable agility + governance
    AWS Control Tower, AWS Organizations, AWS Service Catalog, AWS Well-Architected Tool, AWS Budgets, AWS License Manager, AWS Marketplace (Private Marketplace), AWS CloudTrail, AWS Config, AWS Security Hub, Amazon CloudWatch

  44.
    AWS Control Tower capabilities
    • Framework for creating and baselining a multi-account environment using AWS Organizations
    • Initial multi-account structure including security, audit, & shared service requirements
    • An account vending machine that enables automated deployment of additional accounts with a set of managed and monitored security baselines
    • A management console that shows compliance status of accounts
    • The ability to apply AWS best practice guardrails and Blueprints to accounts at account creation
    • The ability to detect and report on any drift/changes that have occurred that deviate from initial configuration options
    • User account access managed through AWS SSO federation
    • Integration options with other 3rd party SSO providers (PING/OKTA, Azure AD – native support)
    • Cross-account roles enable centralized management
    • Multiple accounts enable separation of duties
    • Initial account security and AWS Config rules baseline
    • Network baseline
    (Grouped on the slide under Account Management, Identity & Access Management, and Security & Governance)

  45.
    Summary of key features

  46.
    Pricing and availability
    (Canada, N. Virginia & Ohio, Oregon), APAC (Sydney, Singapore) and EU (Ireland

  47.
    How do I get started?
    AWS Control Tower labs: https://controltower.aws-management.tools
    Attend an AWS Control Tower Activation Day (held regionally / time zone based; contact your account team)
    Getting started: https://tinyurl.com/y2gtzf9c
    How-to videos (Management & Governance): https://tinyurl.com/y3yeohkm

  48.
    Thank you!
    Dennis Kieselhorst, Sr. Solutions Architect
    [email protected]
    Feedback form: https://amzn.to/35cfKWx