Slide 1

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

ORG301: Effective AWS Account Strategy using AWS Organizations
Steve Teo, Director of Cloud Security Engineering, Horangi Cyber Security
www.linkedin.com/in/steveteo

Slide 2

A few words…

Slide 3

Steve “Potay” Teo
• Director of Cloud Security Engineering @ Horangi
• CloudDevSecOps Fanatic
• 4+ years working on AWS
• AWS areas of interest:
  • AWS Multi-Account Architectures
  • Cloud Security
• Totally uncertified and proud :P

Slide 4

Communities I serve
● www.meetup.com/AWS-SG/
● www.meetup.com/Atlassian-User-Group-Singapore/

Slide 5

AWS User Group Singapore - Monthly

Slide 8

Background
● Previous Work
  ○ Migrated Legacy Setup of 2 AWS Accounts to 40+ AWS Accounts
    ■ March 2017: https://speakerdeck.com/stevepotayteo/a-multi-aws-account-story
  ○ Worked on Enterprise AWS Account & VPC Architecture and Strategy
    ■ September 2018: https://speakerdeck.com/stevepotayteo/architecting-around-multiple-aws-accounts
● Hobby: continual research into scaling of AWS Multi-Accounts and VPCs

Slide 9

Agenda
● What are AWS Accounts
● Why should you adopt a Multi-Account Strategy
● Introduction to AWS Organizations
● Security, Management and Governance Features

Slide 10

Questions
● How many of you are Cloud Administrators and responsible for your company’s AWS Account(s)?
● How many accounts does your company have?
● How many of you are already using AWS Organizations?

Slide 11

What is an AWS Account?
● Resource Containment
  ○ Resource boundary
  ○ Limits
● Security Boundary
  ○ AWS user access security
  ○ Data
● Financial Responsibility
  ○ Billing and financial
  ○ Reserved Instances

Slide 12

AWS Account != VPC
● A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud.
● VPCs == network containment
  != AWS resource account security
  != AWS user account security

Slide 13

Single AWS Account vs Multiple AWS Accounts
[Diagram: one AWS account holding everything versus several separate AWS accounts.]

Slide 14

Why should you adopt a Multi-Account Strategy?
● Grouping of resources
● Limit blast radius in case of unauthorized access
● Improve your security posture with logical boundaries
● Easier to manage user access to different resources

Slide 15

Separate by Business / Dev Team
● “Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.” – Melvin Conway
● Need for isolation among workloads
● Financial isolation: showback / chargeback
● Easily broken when the organization changes

Slide 16

Separate by Platform / Service / System / Application
● Wide-grained: Platform / Service
● Fine-grained: System / Application
● Splitting too fine-grained might not make sense at all
● E.g. 1 AWS account just for 1 EC2 instance?
  ○ Container optimization?

Slide 17

Separate by Environment
● By default you get
  ○ network / data containment
  ○ user access security
● Orthogonal to other ways of separation
● E.g. Sandbox / Non-Prod / Prod / DR
● E.g. DEV / SIT / QA / STG / PROD / DR

Slide 19

Other Ways
● PCI / HIPAA (regulated vs non-regulated)
● AWS service limits / API rate limits
● Service tiering (e.g. Tier 1, Tier 2 services)

Slide 20

Special Accounts
● Organization Master / Billing Account
● Infrastructure Services (e.g. Tools, DNS, AD)
● Landing Zone (Bastion) account
● Direct Connect (for provisioning of DX)
● Security Logging Account
● Security Account
● Transit Account for hybrid connectivity
● Backup Vault (for DR)

Slide 21

What is AWS Organizations

Slide 22

Key Features
● Manage and define your organization and accounts
● Control access and permissions
● Audit, monitor, and secure your environment for compliance
● Share resources across accounts
● Centrally manage costs and billing

Slide 24

Migrating from consolidated billing
● You are already using AWS Organizations
● Migrate to use advanced governance and management capabilities
● Every invited account must approve enabling all features by accepting the request!
● Seamless transition, no outage
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html

Slide 25

Services that integrate with AWS Organizations
● IAM
● Artifact
● CloudTrail
● CloudWatch Events
● Config
● Control Tower
● Directory Service
● Firewall Manager
● License Manager
● Resource Access Manager
● Service Catalog
● Service Quotas
● Single Sign-On

Slide 26

Key Concepts and Terms
● Master AWS Account
  ○ Account used to create and manage the organization
  ○ Payer account
● Root
  ○ The parent container for all the accounts for your organization
● Organizational Unit (OU)
  ○ A container for accounts within a root
● Service Control Policy (SCP)
  ○ A policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects

Slide 27

Manage and define your organization and accounts

Slide 28

Manage and define your organization and accounts
● Create new AWS Accounts from the console or programmatically
● Group accounts into OUs for management
● Manage Service Quotas for new accounts
● Tag AWS Accounts

Slide 29

Group accounts into OU for management
[Diagram: an example OU tree under “My AWS Organization” Root, with the Master Account and OUs named Application Services, Infrastructure, Security, Developers, Non-Prod, Prod, Audit, Cowboys and Trusted; SCPs are attached to OUs and AWS accounts sit inside them.]

Slide 30

Service Quotas
● Central management and visibility of AWS service quotas, only for the current account
● Simplify quota requests for new accounts in AWS Organizations
https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-service-quotas-view-and-manage-quotas-for-aws-services-from-one-location/

Slide 31

Done in us-east-1

Slide 32

Control access and permissions

Slide 33

Service Control Policies
● Service Control Policies != IAM policies
● Specify the maximum permissions for an organization, organizational unit (OU), or account
● SCPs do not affect the master account
● SCPs affect all users and roles in attached accounts, including the root user. Test all policies before using them!

Slide 35

Service Control Policies Behaviors – SCP and IAM
[Diagram: the SCP allows EC2:* and RDS:*, the IAM policy allows EC2:* and SNS:*; the effective permissions are the intersection, EC2:* only.]

Slide 36

Service Control Policies Behaviors – Nested SCPs

Slide 37

Service Control Policies Behaviors – Nested SCPs and IAM
[Diagram: several nested SCPs (root, OU, account) combined with the IAM policy; only what every SCP and the IAM policy allow is effective.]

Slide 38

Determining Whether a Request Is Allowed or Denied Within an Account
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
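The intersection rule from slides 35 to 38 (every SCP in the chain must allow, the IAM policy must allow, and any explicit Deny wins) as a small evaluator. This is an added example, not code from the deck or from AWS; it models only Action/NotAction wildcards and the aws:RequestedRegion condition used in the deck, and the policies below are constructed samples modelled on slides 35 and 39.

```python
from fnmatch import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_applies(stmt, action, region):
    """Does this statement cover the action (Action / NotAction, '*' wildcards)
    and does its optional aws:RequestedRegion StringNotEquals condition hold?"""
    if "Action" in stmt:
        covered = any(fnmatch(action, p) for p in _as_list(stmt["Action"]))
    else:  # NotAction: everything except the listed patterns
        covered = not any(fnmatch(action, p) for p in _as_list(stmt["NotAction"]))
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    regions = cond.get("aws:RequestedRegion")
    return covered and (regions is None or region not in _as_list(regions))

def evaluate_policy(policy, action, region):
    """Return 'Deny', 'Allow' or 'Implicit' for a single policy document."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, region):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            decision = "Allow"
    return decision

def is_allowed(scp_chain, iam_policy, action, region="ap-southeast-1"):
    """Slides 35-38: every SCP from the root down to the account must allow the
    action AND the identity's IAM policy must allow it; any explicit Deny on
    the way blocks the call. (The master account itself is exempt from SCPs.)"""
    if any(evaluate_policy(scp, action, region) != "Allow" for scp in scp_chain):
        return False
    return evaluate_policy(iam_policy, action, region) == "Allow"
# Constructed sample policies, modelled on the deck's slides 35 and 39.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
SINGAPORE_ONLY_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny",
     "NotAction": ["iam:*", "organizations:*", "route53:*", "support:*"],
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-southeast-1"]}}},
]}
EC2_RDS_SCP = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "rds:*"]}]}
EC2_SNS_IAM = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "sns:*"]}]}

if __name__ == "__main__":
    chain = [FULL_ACCESS, SINGAPORE_ONLY_SCP, EC2_RDS_SCP]   # root -> OU -> account
    for action, region in [("ec2:RunInstances", "ap-southeast-1"), ("ec2:RunInstances", "us-east-1"),
                           ("sns:Publish", "ap-southeast-1"), ("rds:CreateDBInstance", "ap-southeast-1")]:
        print(f"{action} in {region}: {'allowed' if is_allowed(chain, EC2_SNS_IAM, action, region) else 'denied'}")
```

Running it shows why slide 35's diagram ends with EC2:* only: SNS is cut by the SCP and RDS by the IAM policy, and the region guardrail cuts everything non-global outside ap-southeast-1.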

Slide 39

SCP Examples: Approved AWS Regions

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllOutsideSingapore",
    "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "route53:*", "budgets:*", "waf:*",
                  "cloudfront:*", "globalaccelerator:*", "importexport:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-southeast-1"]}}
  }]
}

Slide 41

SCP Examples: Amazon EC2 Instance Types

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RequireApprovedInstanceType",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "ForAnyValue:StringNotLike": {
        "ec2:InstanceType": ["*.nano", "*.small", "*.micro", "*.medium", "*.large"]
      }
    }
  }]
}

Slide 42

SCP Examples: Prevent Accounts from Leaving the Organisation

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Blacklist certain actions",
    "Effect": "Deny",
    "Action": "organizations:LeaveOrganization",
    "Resource": "*"
  }]
}

Slide 43

Other SCP Use Cases
● Deny the use of service(s) for compliance reasons
● Prevent users from disabling AWS CloudTrail
● Prevent users from disabling AWS Config or deleting Config Rules
● Do not allow EC2 / RDS termination in the Production account
● Prevent changes to IAM Roles
● Prevent root user usage
● See more examples at https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example_scp_1

Slide 44

Applying SCPs to the Organization
[Diagram: the same OU tree as slide 29 (“My AWS Organization” Root with Master Account and the Application Services, Infrastructure, Security, Developers, Non-Prod, Prod, Audit, Cowboys and Trusted OUs), now showing SCPs attached at the OU level.]

Slide 45

Refining Permissions Using Service Last Accessed Data

Slide 48

Audit, monitor, and secure your environment for compliance

Slide 49

“Every AWS Account is a Blank Cheque” – Steve Teo

Slide 50

Organization-wide CloudTrail – Master Account

Slide 53

Organization-wide CloudTrail – Member Account

Slide 54

CloudTrail -> CloudWatch Events
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_cwe.html
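The tutorial linked above routes CloudTrail records for AWS Organizations API calls into CloudWatch Events so that membership and policy changes raise an alert. Below is an added example (not from the deck or AWS) of the same matching logic run offline over constructed CloudTrail records; the event-name list, account ids and policy id are assumptions, and it pairs naturally with the slide 42 SCP, since a LeaveOrganization attempt is something you want to see even when the SCP denies it.

```python
import json

# Organizations API calls that change membership or guardrails. The linked AWS
# tutorial builds its CloudWatch Events rule on a list of this kind; this set is
# an assumption for the example, not copied from it.
WATCHED_EVENTS = {
    "CreateAccount", "InviteAccountToOrganization", "LeaveOrganization",
    "RemoveAccountFromOrganization", "MoveAccount",
    "AttachPolicy", "DetachPolicy", "UpdatePolicy", "DeletePolicy",
}

def org_change_alert(record):
    """Mimic an event-pattern match on eventSource organizations.amazonaws.com
    with eventName in WATCHED_EVENTS; return an alert dict, or None if no match."""
    if record.get("eventSource") != "organizations.amazonaws.com":
        return None
    if record.get("eventName") not in WATCHED_EVENTS:
        return None
    return {
        "event": record["eventName"],
        "actor": record.get("userIdentity", {}).get("arn", "unknown"),
        "account": record.get("recipientAccountId"),
        "params": record.get("requestParameters") or {},
    }

def scan_trail(lines):
    """Run the matcher over newline-delimited CloudTrail records (one JSON object per line)."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = org_change_alert(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample records with placeholder account and policy ids; real
# CloudTrail records carry many more fields than shown here.
SAMPLE_TRAIL = [
    '{"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization", '
    '"recipientAccountId": "111111111111", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/cowboy"}}',
    '{"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization", '
    '"recipientAccountId": "111111111111", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/auditor"}}',
    '{"eventSource": "organizations.amazonaws.com", "eventName": "DetachPolicy", '
    '"recipientAccountId": "999999999999", "userIdentity": {"arn": "arn:aws:iam::999999999999:role/OrgAdmin"}, '
    '"requestParameters": {"policyId": "p-examplescp", "targetId": "111111111111"}}',
    '{"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "recipientAccountId": "111111111111"}',
]

if __name__ == "__main__":
    for alert in scan_trail(SAMPLE_TRAIL):
        print(json.dumps(alert))
```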

Slide 55

AWS Config
● Record and evaluate configurations of your AWS resources

Slide 56

AWS Config – Multi-Region, Multi-Account Aggregation

Slide 60

AWS Config
● Centrally create, update, and delete AWS Config rules across all accounts in your organization.
● Deploy a common set of AWS Config rules across all accounts and specify accounts where AWS Config rules should not be created.
● Use the APIs from the master account in AWS Organizations to enforce governance by ensuring that the underlying AWS Config rules are not modifiable by your organization’s member accounts.

Slide 61

Centrally manage costs and billing

Slide 62

Cost Explorer

Slide 63

Budgets

Slide 64

Summary
● Go for a reasonable multi-account strategy, but don’t go bananas!
● Any company (big or small) with more than 1 AWS account can benefit from AWS Organizations
● Use Service Control Policies to enforce strong guardrails around the operating model of your cloud environment
● More and more AWS services will be integrated with Organizations

Slide 65

Q & A

Slide 66

Thank You!

Slide 67

CHENNAI