
AWS Control Tower (AWS Usergroup Hannover)

AWS Control Tower – Managing AWS cloud environments simply and securely
AWS Control Tower is the easiest way to set up and govern a new, secure AWS environment. The talk covers the purpose of a multi-account strategy and shows how the new AWS Control Tower service relates to the existing Landing Zone solution and AWS Organizations. By the end of the talk, attendees have the tools they need to build a Well-Architected environment in which they can manage the security, operations and compliance rules that govern their AWS workloads.
https://aws.amazon.com/de/controltower/

Dennis Kieselhorst

May 12, 2020


Transcript

  1. © 2020, Amazon Web Services, Inc. or its Affiliates. Dennis Kieselhorst, Sr. Solutions Architect. AWS Control Tower – Managing AWS cloud environments simply and securely
  2. Agenda
    • Motivation: why a multi-account strategy / landing zone?
    • AWS Control Tower value proposition
    • A landing zone, the AWS Landing Zone solution and AWS Control Tower
    • AWS Control Tower: Enable, Provision, Operate
    • Demo
    • Recently released features
    • Q&A
  3. We thought we did this…
  4. Why one AWS account isn't enough: billing, many teams, security / compliance controls, business process, isolation.
  5. Isolation with IAM and VPC in one account? "Gray" boundaries; complicated and messy over time; difficult to track resources; people stepping on each other. (Diagram: everything inside a single AWS account.)
  6. Customers are faced with… many design decisions, the need to configure multiple accounts & services, and establishing a security baseline & governance.
  7. Balancing the needs of builders and central cloud IT. Builders: stay agile, innovate with the speed and agility of AWS. Cloud IT: establish governance, govern at scale with central controls.
  8. More innovation, greater agility, with control. Agility: experiment, be productive, empower distributed teams, self-service access, respond quickly to change. Governance: secure & compliant operations & spend management. Lifecycle: Enable, Provision, Operate. Don't choose between agility or control: you need and want both.
  9. AWS management and governance services (business agility + governance control across Enable, Provision and Operate): AWS Control Tower, AWS Organizations, AWS Budgets, AWS License Manager, AWS Well-Architected Tool, AWS OpsWorks, AWS CloudFormation, AWS Service Catalog, AWS Marketplace, AWS Cost Explorer, Amazon CloudWatch, AWS Cost and Usage Report, AWS CloudTrail, AWS Systems Manager, AWS Config.
  10. Enable (then Provision, Operate). AWS Control Tower: easiest way to set up and govern AWS at scale. Business agility + governance control.
  11. Why use AWS Control Tower? Set up a best-practices AWS environment in a few clicks.
  12. What is a "landing zone"?
    • A configured, secure, scalable, multi-account (multiple resource containers) AWS environment based on AWS best practices
    • A starting point for net new development and experimentation
    • A starting point for migrating applications
    • An environment that allows for iteration and extension over time
  13. Landing zone, AWS Landing Zone, AWS Control Tower
    Landing zone:
    • Secure pre-configured environment for your AWS presence
    • Scalable and flexible
    • Enables agility and innovation
    AWS Landing Zone solution:
    • Implementation of a landing zone based on multi-account strategy guidance
    • Customers get code that they will need to manage & maintain
    • Solution will no longer receive updates by EOY 2020
    AWS Control Tower:
    • AWS managed service version of AWS Landing Zone
  14. Landing zones: how we got here. 2006-2020+: customer hand-crafted, tried and true but not simple. 2018: AWS Landing Zone V1. Q4 2018: AWS Landing Zone V2.x and AWS Control Tower announced. Q2 2019: AWS Control Tower launched. 2020+: ALZ reference architecture for AWS Control Tower.
  15. Enable governance: set up an AWS landing zone, establish guardrails, automate compliant account provisioning, centralize identity and access, manage continuously.
  16. Set up an AWS landing zone
    • Landing zone: a preconfigured, secure, scalable, multi-account AWS environment based on best practice blueprints
    • Multi-account management using AWS Organizations
    • Identity and federated access management using AWS SSO
    • Centralized log archive using AWS CloudTrail and AWS Config
    • Cross-account audit access using AWS SSO and AWS IAM
    • End user account provisioning through AWS Service Catalog
    • Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS
    (Diagram: Master account with AWS Control Tower, AWS Organizations, AWS Single Sign-On and its directory, stack sets and AWS Service Catalog. Core OU with the Log archive account, which aggregates AWS CloudTrail and AWS Config logs and carries the account baseline, and the Audit account with security cross-account roles, the account baseline, an Amazon CloudWatch aggregator and security notifications. Custom OU with provisioned accounts carrying the network baseline and account baseline.)
  17. Multi-account architecture
    • Master account: designation of your existing account to create a new organization; also your master payer account
    • Organization consists of 2 OUs with pre-configured accounts:
      o Core OU: AWS Control Tower-created accounts, i.e., Audit account and Log archive account
      o Custom OU: your provisioned accounts
    (Diagram: Master account, AWS Organizations, Core OU with Log archive account and Audit account, Custom OU with provisioned accounts.)
  18. Centralize identity and access
    • AWS SSO provides default directory for identity
    • AWS SSO also enables federated access management across all accounts in your organization
    • Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users)
    • Preconfigured permission sets (e.g., admin, read-only, write)
  19. Establish guardrails
    • Guardrails are preconfigured governance rules for security, compliance, and operations
    • Expressed in plain English to provide abstraction over granular AWS policies
    • Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs
    • Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules
    • Mandatory and strongly recommended guardrails for prescriptive guidance
    • Easy selection and enablement on organizational units
    (Diagram: guardrails are enabled on organizational units and their output applies to the accounts. A preventive guardrail becomes granular AWS policies (SCP), so accounts are always compliant. Detective/remediable guardrails become granular AWS policies (AWS Config rules), which report accounts as compliant or non-compliant.)
  20. Service Control Policies (SCPs)
    • Enables you to control which AWS service APIs are accessible: define the list of APIs that are allowed (whitelisting), or define the list of APIs that must be blocked (blacklisting)
    • SCPs are invisible to all users in the child account, including root, and applied to all users in the child account, including root
    • Permission: intersection between the SCP and IAM permissions
    • IAM policy simulator is SCP aware
  21. Disable service APIs you won't be using

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "<Insert unwanted service prefix here>:*",
          "Resource": "*"
        }
      ]
    }

    Elements: NotAction (optional): list the AWS actions exempt from the SCP; used in place of the Action element. Resource: list the AWS resources the SCP applies to. Condition (optional): specify conditions for when the statement is in effect.
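Slides 20 and 21 state the rule that matters most when debugging access in a Control Tower account: the effective permission is the intersection of what the SCP allows and what the IAM policy allows, and an explicit Deny in either wins. The toy evaluator below is an added example, not AWS or deck code: it models that intersection on the Action element only (Resource and Condition are ignored), using constructed policies shaped like the deck's "Deny service:*" SCP layered on the default FullAWSAccess statement, plus a NotAction allow-list variant to illustrate the slide's whitelisting option.

```python
"""How an SCP and an IAM identity policy combine (added example, not AWS code).

Models the deck's rule that the effective permission is the intersection of the
SCP and the IAM policy, with an explicit Deny in either winning. Matches the
Action element only; Resource and Condition are ignored. All policies are
constructed for the demo.
"""
import fnmatch
from typing import Any, List

# Constructed SCP: the default FullAWSAccess "allow everything" statement plus
# the deck's "Deny <service>:*" statement for one unwanted service.
SCP_DENY_SERVICE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "kinesis:*", "Resource": "*"},
    ],
}

# Constructed allow-list SCP: NotAction denies every action outside the listed
# services (the slide's "whitelisting" variant).
SCP_ALLOW_LIST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "NotAction": ["s3:*", "ec2:*"], "Resource": "*"},
    ],
}

# Constructed IAM identity policy attached to a user in a child account.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "kinesis:PutRecord"], "Resource": "*"},
    ],
}


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively; '*' is the wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy: dict, action: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if actions:
            hit = any(_matches(p, action) for p in actions)
        else:
            # NotAction: the statement applies to every action NOT in the list.
            hit = not any(_matches(p, action) for p in _as_list(stmt.get("NotAction", [])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny ends the evaluation
        decision = "Allow"
    return decision


def is_permitted(scp: dict, iam_policy: dict, action: str) -> bool:
    """Effective permission: the SCP must allow AND the IAM policy must allow."""
    return evaluate_policy(scp, action) == "Allow" and evaluate_policy(iam_policy, action) == "Allow"


if __name__ == "__main__":
    for action in ("s3:GetObject", "kinesis:PutRecord", "ec2:RunInstances"):
        verdict = "permitted" if is_permitted(SCP_DENY_SERVICE, IAM_POLICY, action) else "not permitted"
        print(f"{action:20s} SCP={evaluate_policy(SCP_DENY_SERVICE, action):12s} "
              f"IAM={evaluate_policy(IAM_POLICY, action):12s} effective={verdict}")
```

Running it shows the two ways a call fails in a child account: `kinesis:PutRecord` is granted by IAM but blocked by the SCP (the user cannot see why, because SCPs are invisible in the child account), and `ec2:RunInstances` passes the SCP but has no IAM grant. For real troubleshooting use the IAM policy simulator, which the slide notes is SCP aware.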
  22. Organizational units
    • Grouping of AWS accounts
    • Service Control Policies (SCP) applied to the groups
    • Use permission grouping (NOT corporate structure): how likely is the group to need a set of similar policies?
  23. Guardrail examples (goal/category: example)
    IAM security: Require MFA for root user
    Data security: Disallow public read access to Amazon S3 buckets
    Network security: Disallow internet connection via Remote Desktop Protocol (RDP)
    Audit logs: Enable AWS CloudTrail and AWS Config
    Monitoring: Enable AWS CloudTrail integration with Amazon CloudWatch
    Encryption: Ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances
    Drift: Disallow changes to AWS Config rules set up by AWS Control Tower
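Slide 19 says detective guardrails are implemented as AWS Config rules, and slide 23 names one: disallow public read access to Amazon S3 buckets. The following is an added example, not Control Tower's rule or code from the deck, showing the check such a rule performs and the evaluation record a custom rule would hand to Config's PutEvaluations. The bucket descriptions are constructed; their keys follow the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock response shapes, and the decision to treat conditioned policy statements as not-public is a simplifying assumption.

```python
"""Detective guardrail logic in the shape of a custom AWS Config rule (added example).

Not Control Tower's rule: a self-contained illustration of the "no public read
on S3 buckets" check. Sample buckets are constructed; keys follow the
GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock response shapes.
"""
from datetime import datetime, timezone
from typing import Any, Dict, List

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_read_via_acl(bucket: Dict[str, Any]) -> bool:
    """True if an ACL grant gives AllUsers/AuthenticatedUsers read and public ACLs are not ignored."""
    if bucket.get("PublicAccessBlock", {}).get("IgnorePublicAcls", False):
        return False
    for grant in bucket.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEE_URIS
                and grant.get("Permission") in READ_PERMISSIONS):
            return True
    return False


def public_read_via_policy(bucket: Dict[str, Any]) -> bool:
    """True if an unconditional bucket-policy statement lets Principal "*" read objects."""
    if bucket.get("PublicAccessBlock", {}).get("RestrictPublicBuckets", False):
        return False
    for stmt in bucket.get("Policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            continue  # assumption: conditioned grants need a deeper look and are not flagged here
        if any(a in READ_ACTIONS for a in _as_list(stmt.get("Action", []))):
            return True
    return False


def evaluate_bucket(bucket: Dict[str, Any]) -> str:
    """Config compliance type for one bucket."""
    return "NON_COMPLIANT" if public_read_via_acl(bucket) or public_read_via_policy(bucket) else "COMPLIANT"


def config_evaluation(bucket_name: str, bucket: Dict[str, Any]) -> Dict[str, Any]:
    """One entry of the Evaluations list a custom rule passes to PutEvaluations."""
    return {
        "ComplianceResourceType": "AWS::S3::Bucket",
        "ComplianceResourceId": bucket_name,
        "ComplianceType": evaluate_bucket(bucket),
        "OrderingTimestamp": datetime.now(timezone.utc).isoformat(),
    }


# Constructed grants and policy used by the sample buckets.
ALL_USERS_READ = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}
OWNER_FULL = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-policy/*"}]}

# Constructed sample buckets: ACL exposure, policy exposure, both blocked by
# the public access block, and a private bucket.
SAMPLE_BUCKETS = {
    "public-acl": {"Grants": [OWNER_FULL, ALL_USERS_READ], "PublicAccessBlock": {}},
    "public-policy": {"Grants": [OWNER_FULL], "Policy": PUBLIC_POLICY, "PublicAccessBlock": {}},
    "blocked": {"Grants": [OWNER_FULL, ALL_USERS_READ], "Policy": PUBLIC_POLICY,
                "PublicAccessBlock": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
    "private": {"Grants": [OWNER_FULL], "PublicAccessBlock": {}},
}

if __name__ == "__main__":
    for name, bucket in SAMPLE_BUCKETS.items():
        print(f"{name:15s} {evaluate_bucket(bucket)}")
```

The "blocked" bucket is the instructive case: its ACL and policy are both public on paper, but the account-level public access block settings neutralise them, so a rule that only parses ACLs and policies without reading the public access block would report a false positive.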
  24. Automate compliant account provisioning
    • Built-in account factory provides a template to standardize account provisioning
    • Configurable network settings (e.g., subnets, IP addresses)
    • Automatic enforcement of account baselines and guardrails
    • Published to AWS Service Catalog
    (Diagram: the account factory takes a network baseline (network CIDR, network regions), an OU and an account baseline, is published as an AWS Service Catalog product, and produces a new AWS account with the network baseline, account baseline and guardrails applied.)
  25. Provision (Enable, Operate): automate secure self-service provisioning at scale. Business agility and governance control.
  26. AWS CloudFormation concepts: template (JSON or YAML), change set, stack.
  27. AWS CloudFormation StackSets: one template, one StackSet, many stacks.
  28. Enable self-service with AWS Service Catalog (diagram with steps 1 and 2; the picture is not included in the transcript).
  29. Automate governance at scale (diagram with steps 1, 2 and 3; the picture is not included in the transcript).
  30. Benefits of governance at scale, for end users and organizations: curation, compliance, standardization, agility, self-service, time to market, speed, security. Service catalogs enable organizations to deploy and manage infrastructure and applications that reflect the organization's security and operational policies.
  31. Enabling self-service via AWS & ITSM tools. 1: Users browse and request AWS services. 2: Administrators procure, publish, and govern AWS services. 3: Operators monitor and manage AWS services. (Diagram: AWS Marketplace and AWS Service Catalog in front of AWS Cloud services such as Amazon EC2, Amazon Simple Storage Service, Amazon WorkSpaces, Amazon SageMaker, Amazon RDS, Amazon EMR and AWS IoT Core; Jira Service Desk as the ITSM tool.)
  32. Starter AWS multi-account framework. AWS Cloud, AWS Organizations. Foundational organizational units (OUs): Infrastructure (Shared Services, Network), Security. Additional OUs.
  33. Starter AWS multi-account framework. AWS Cloud, AWS Organizations. Foundational OUs: Infrastructure (Shared Services, Network), Security (Log Archive, Security Tooling). Additional OUs. Control Tower deploys these automatically.
  34. AWS multi-account framework. AWS Cloud, AWS Organizations, Master. Foundational OUs: Infrastructure (Shared Services, Network), Security. Additional OUs.
  35. How to customize AWS CT today? https://aws.amazon.com/solutions/customizations-for-aws-control-tower/
  36. Lifecycle events
    • CreateManagedAccount
    • UpdateManagedAccount
    • EnableGuardrail
    • DisableGuardrail
    • SetupLandingZone
    • UpdateLandingZone
    • RegisterOrganizationalUnit
    • DeregisterOrganizationalUnit
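The lifecycle events on slide 36 are what an automation hooks into to extend a Control Tower landing zone (the customizations solution on slide 35 works this way). The following is an added example, not Control Tower's or the deck's code: it builds the EventBridge pattern that selects these events (Control Tower delivers them via CloudTrail with source aws.controltower) and a Lambda-style handler that extracts the new account and OU and acts only on a SUCCEEDED state. The sample event is constructed following the documented event shape; treat the field names as assumptions if your console shows something different, and the "baseline" follow-up is a hypothetical placeholder for your own pipeline.

```python
"""Consuming AWS Control Tower lifecycle events (added example, not AWS code).

Shows the EventBridge pattern for Control Tower lifecycle events and a
Lambda-style handler that only reacts to SUCCEEDED states. SAMPLE_EVENT is
constructed after the documented shape; field names are assumptions.
"""
from typing import Any, Dict, Iterable

LIFECYCLE_EVENTS = {
    "CreateManagedAccount", "UpdateManagedAccount",
    "EnableGuardrail", "DisableGuardrail",
    "SetupLandingZone", "UpdateLandingZone",
    "RegisterOrganizationalUnit", "DeregisterOrganizationalUnit",
}


def event_pattern(event_names: Iterable[str] = LIFECYCLE_EVENTS) -> Dict[str, Any]:
    """EventBridge rule pattern matching the given Control Tower lifecycle events."""
    return {
        "source": ["aws.controltower"],
        "detail-type": ["AWS Service Event via CloudTrail"],
        "detail": {"eventName": sorted(event_names)},
    }


def parse_lifecycle_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Extract what an automation needs from a lifecycle event; reject anything else."""
    if event.get("source") != "aws.controltower":
        raise ValueError(f"not a Control Tower event: {event.get('source')!r}")
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if name not in LIFECYCLE_EVENTS:
        raise ValueError(f"not a lifecycle event: {name!r}")
    # The status block is keyed per event type (createManagedAccountStatus, ...).
    details = detail.get("serviceEventDetails", {})
    status = next((v for k, v in details.items() if k.endswith("Status")), {})
    return {
        "event_name": name,
        "state": status.get("state"),
        "message": status.get("message"),
        "account_id": status.get("account", {}).get("accountId"),
        "account_name": status.get("account", {}).get("accountName"),
        "ou_name": status.get("organizationalUnit", {}).get("organizationalUnitName"),
    }


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda-style entry point: only a SUCCEEDED event should trigger follow-up work."""
    info = parse_lifecycle_event(event)
    if info["state"] != "SUCCEEDED":
        return {"action": "skip", **info}
    # Hypothetical follow-up: hand the new account to your own baseline pipeline.
    return {"action": "baseline", **info}


# Constructed sample: a successful CreateManagedAccount lifecycle event.
SAMPLE_EVENT = {
    "version": "0",
    "id": "constructed-event-id",
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "111122223333",  # constructed master account id
    "time": "2020-05-12T10:00:00Z",
    "region": "eu-west-1",
    "resources": [],
    "detail": {
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": "Custom",
                                       "organizationalUnitId": "ou-constructed"},
                "account": {"accountName": "workload-dev", "accountId": "444455556666"},
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully created a managed account.",
            }
        },
    },
}

# The same constructed event with a failed state, to show the handler skipping it.
SAMPLE_EVENT_FAILED = {
    **SAMPLE_EVENT,
    "detail": {**SAMPLE_EVENT["detail"], "serviceEventDetails": {"createManagedAccountStatus": {
        **SAMPLE_EVENT["detail"]["serviceEventDetails"]["createManagedAccountStatus"],
        "state": "FAILED", "message": "constructed failure"}}},
}

if __name__ == "__main__":
    print(event_pattern({"CreateManagedAccount"}))
    print(handler(SAMPLE_EVENT))
    print(handler(SAMPLE_EVENT_FAILED))
```

Keying on the state field matters: the account factory also emits events for failed provisioning, and a baseline pipeline that fires on every CreateManagedAccount event will try to customize an account that does not exist.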
  37. Operate (Enable, Provision). AWS Control Tower: easiest way to set up and govern at scale. Business agility + governance control.
  38. Operate with agility + control. Dashboard: continuous visibility into your multi-account environment. Act: take operational action on resources. Audit: audit resource configurations, user access, and policy enforcement. Monitor: monitor resources and workloads.
  39. Upcoming features: schedule a roadmap session (under NDA).
  40. AWS services that enable agility + governance: AWS Control Tower, AWS Organizations, AWS Service Catalog, AWS Well-Architected Tool, AWS Budgets, AWS License Manager, AWS Marketplace (Private Marketplace), AWS CloudTrail, AWS Config, AWS Security Hub, Amazon CloudWatch.
  41. AWS Control Tower capabilities
    Account management:
    • Framework for creating and baselining a multi-account environment using AWS Organizations
    • Initial multi-account structure including security, audit, & shared service requirements
    • An account vending machine that enables automated deployment of additional accounts with a set of managed and monitored security baselines
    • A management console that shows compliance status of accounts
    • The ability to apply AWS best practice guardrails and Blueprints to accounts at account creation
    • The ability to detect and report on any drift/changes that have occurred that deviate from initial configuration options
    Identity & access management:
    • User account access managed through AWS SSO federation
    • Integration options with other 3rd party SSO providers (PING/OKTA, Azure AD: native support)
    Security & governance:
    • Cross-account roles enable centralized management
    • Multiple accounts enable separation of duties
    • Initial account security and AWS Config rules baseline
    • Network baseline
  42. Summary of key features
  43. Pricing and availability: US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).
  44. How do I get started?
    AWS Control Tower labs: https://controltower.aws-management.tools
    AWS Control Tower blogs:
    • Guardrail Mitigation: https://tinyurl.com/y56dsalz
    • Self-Service Provisioning: https://tinyurl.com/y3fk3fpk
    • Migrating workloads with AWS Control Tower and CloudEndure: https://tinyurl.com/CTMigrate
    Getting started (re:Inforce 2019): https://tinyurl.com/y2gtzf9c
    How-to videos (Management & Governance): https://tinyurl.com/y3yeohkm
  45. Thank you! Dennis Kieselhorst, Sr. Solutions Architect, [email protected]. Feedback form: https://amzn.to/35cfKWx