AWS Control Tower

Transcript

1. © 2019, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. Amazon Confidential and Trademark Dennis Kieselhorst Sr. Solutions Architect AWS Control Tower

2. Agenda • Motivation - Why a multi-account strategy/ landing zone?

   • AWS Control Tower value proposition • A landing zone, the AWS Landing Zone solution and AWS Control Tower • AWS Control Tower – Enable, Provision, Operate • Demo • Q&A

3. Why one AWS account isn’t enough Billing Many teams Security

   / compliance controls Business process Isolation

4. Isolation with IAM and VPC in one account? “Gray” boundaries

   Complicated and messy over time Difficult to track resources People stepping on each other AWS Account

5. Customers are faced with… Many design decisions The need to

   configure multiple accounts & services Establishing a security baseline & governance

6. You need a “landing zone” • A configured, secure, scalable,

   multi-account (multiple resource containers) AWS environment based on AWS best practices • A starting point for net new development and experimentation • A starting point for migrating applications • An environment that allows for iteration and extension over time H

7. Balancing the needs of builders and central cloud IT Builders:

   Stay agile Innovate with the speed and agility of AWS Cloud IT: Establish governance Govern at scale with central controls

8. Business agility and governance control Governance — Agility — Self-service

   access Experiment fast Respond quickly to change

9. landing zone, AWS Landing Zone, AWS Control Tower landing zone:

   • Secure pre-configured environment for your AWS presence • Scalable and flexible • Enables agility and innovation AWS Landing Zone Solution: • Implementation of a landing zone based on multi-account strategy guidance AWS Control Tower: • AWS Service version of AWS Landing Zone

10. — Provision — Operate AWS Control Tower: Easiest way to

    set up and govern AWS at scale — Enable Business agility + governance control

11. — Provision — Operate AWS Control Tower: Enable for governance

    at scale — Enable Business agility + governance control

12. Enable governance Enable Set up an AWS landing zone Establish

    guardrails Automate compliant account provisioning Centralize identity and access Manage continuously

13. Set up an AWS landing zone Master account AWS Control

    Tower AWS Organizations AWS Single Sign-On Stack sets AWS Service Catalog Log archive account Aggregate AWS CloudTrail and AWS Config logs Account baseline Audit account Security cross- account roles Account baseline Provisioned accounts Network baseline Account baseline Security notifications Core OU Custom OU AWS SSO directory

14. Multi-account architecture • Baseline Organizations setup: • Core OU: AWS

    Control Tower baseline accounts (cannot change) • Custom OU: Your provisioned accounts Master account Organizations Log archive account Audit account Provisioned accounts Core OU Custom OU

15. Demo

16. Starter AWS multi-account framework AWS Cloud AWS Organizations Foundational Organizational

    Units (OUs) Security (Core OU) Infrastructure Δ Shared Services Δ Network Additional OUs

17. Starter AWS multi-account framework AWS Cloud AWS Organizations Foundational Organizational

    Units (OUs) Security (Core OU) Infrastructure Δ Log Archive Δ Security Tooling Δ Shared Services Δ Network Additional OUs Control Tower deploys these automatically

18. High-level OU structure AWS Cloud AWS Organizations Master Foundational Organizational

    Units (OU) Additional OU Infrastructure Δ Shared Services Δ Network Security (Core OU)

19. Recommended AWS multi-account framework AWS Cloud AWS Organizations Master Foundational

    Organizational Units (OU) Infrastructure Δ Shared Services Δ Network Additional OU Security (Core OU)

20. Centralize identity and access • AWS SSO provides default directory

    for identity • Preconfigured groups and permission sets • Option to integrate with your managed or on-premises Active Directory (AD) using AWS Managed Microsoft AD • How to integrate with Okta: https://tinyurl.com/y3226978

21. Service Control Policies (SCPs) • Enables you to control which

    AWS service APIs are accessible - Define the list of APIs that are allowed – whitelisting - Define the list of APIs that must be blocked – blacklisting • SCPs are: Invisible to all users in the child account, including root Applied to all users in the child account, including root • Permission: intersection between the SCP and IAM permissions IAM policy simulator is SCP aware

22. Disable Service APIs you Won’t be Using { "Version": "2012-10-17",

    "Statement": [ { "Effect": "Deny", "Action": ”<Insert unwanted service prefix here>:*", "Resource": "*" } ] } NotAction (Optional) List the AWS actions exempt from the SCP. Used in place of the Action element. Resource List the AWS resources the SCP applies to. Condition (Optional) Specify conditions for when the statement is in effect.

23. Organizational Units • Grouping of AWS Accounts • Service Control

    Polices (SCP) to the groups • Use permission grouping (NOT corporate structure) How likely is the group to need a set of similar policies?

24. Establish guardrails • Preventive: prevents policy violations using SCPs •

    Detective: detect policy violations using AWS Config rules • A guardrail can be: mandatory, strongly recommended, or elective • Guardrails apply to organizational units (OUs) and all child accounts (new and existing) Organizational units Accounts Enable Enable Output Output Output Organizational units Accounts Preventive guardrail Granular AWS policies SCP Detective/remediable guardrails Granular AWS policies AWS Config rules Always compliant Non- compliant Compliant

25. Guardrail examples Goal/Category Example IAM Require MFA for root user

    Data security Disallow public read access to Amazon S3 buckets Disallow public access to Amazon RDS database instances Network Disallow internet connection via Remote Desktop Protocol (RDP) Disallow internet connection through SSH Audit logs Enable AWS CloudTrail and AWS Config Monitoring Disallow policy changes to log archive AWS Control Tower setup Disallow changes to IAM roles set up by AWS Control Tower Operations Disallow EBS volumes that are unattached to an EC2 instance

26. — Provision — Operate AWS Service Catalog: Secure self-service provisioning

    — Enable Business agility + governance control

27. Automate compliant account provisioning • Standardized account provisioning • Automatic

    enforcement of guardrails • Configurable network settings Account factory Network baseline Network CIDR Network regions OU Account baseline AWS Service Catalog AWS Service Catalog product New AWS account Network baseline Account baseline Guardrails Provision

28. Enable secure self-service provisioning • Create best-practices templates with AWS

    CloudFormation or Terraform for commonly used products (Amazon EMR, Amazon EC2, etc.) • Create AWS Service Catalog products in the master AWS Control Tower account • Distribute products via Organizations to all of your AWS Control Tower managed accounts

29. — Provision — Operate AWS Control Tower: Easiest way to

    set up and govern at scale — Enable Business agility + governance control

30. Operate with agility + control Operate Dashboard Continuous visibility into

    your multi-account environment Act Take operational action on resources Audit Audit resource configurations, user access, and policy enforcement Monitor Monitor resources and workloads

31. Demo

32. We thought we did this…

33. But…

34. AWS services that enable agility + governance AWS Control Tower

    AWS Organizations AWS Service Catalog AWS Well-Architected Tool AWS Budgets AWS License Manager AWS Marketplace (Private Marketplace) AWS CloudTrail AWS Config AWS Security Hub Amazon CloudWatch

35. AWS Control Tower capabilities • Framework for creating and baselining

    a multi-account environment using AWS Organizations • Initial multi-account structure including security, audit, & shared service requirements • An account vending machine that enables automated deployment of additional accounts with a set of managed and monitored security baselines • A management console that shows compliance status of accounts • The ability to apply AWS best practice guardrails and Blueprints to accounts at account creation • The ability to detect and report on any drift / changes that have occurred that deviate from initial configuration options Account Management • User account access managed through AWS SSO federation • Integration options with other 3rd party SSO providers • Cross-account roles enable centralized management Identity & Access Management • Multiple accounts enable separation of duties • Initial account security and AWS Config rules baseline • Network baseline Security & Governance

36. © 2019, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Amazon Confidential and Trademark Thank you! Dennis Kieselhorst, Sr. Solutions Architect [email protected] Feedback form: https://amzn.to/35cfKWx