Slide 1

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark

AWS Control Tower
Dennis Kieselhorst, Sr. Solutions Architect

Slide 2

Agenda
• Motivation: why a multi-account strategy / landing zone?
• AWS Control Tower value proposition
• A landing zone, the AWS Landing Zone solution and AWS Control Tower
• AWS Control Tower: Enable, Provision, Operate
• Demo
• Q&A

Slide 3

Why one AWS account isn’t enough
• Billing
• Many teams
• Security / compliance controls
• Business process
• Isolation

Slide 4

Isolation with IAM and VPC in one account?
• “Gray” boundaries
• Complicated and messy over time
• Difficult to track resources
• People stepping on each other
(Diagram: everything inside a single AWS Account)

Slide 5

Customers are faced with…
• Many design decisions
• The need to configure multiple accounts & services
• Establishing a security baseline & governance

Slide 6

You need a “landing zone”
• A configured, secure, scalable, multi-account (multiple resource containers) AWS environment based on AWS best practices
• A starting point for net new development and experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension over time

Slide 7

Balancing the needs of builders and central cloud IT
Builders: Stay agile. Innovate with the speed and agility of AWS.
Cloud IT: Establish governance. Govern at scale with central controls.

Slide 8

Business agility and governance control
Governance vs. Agility
• Self-service access
• Experiment fast
• Respond quickly to change

Slide 9

landing zone, AWS Landing Zone, AWS Control Tower
landing zone:
• Secure pre-configured environment for your AWS presence
• Scalable and flexible
• Enables agility and innovation
AWS Landing Zone Solution:
• Implementation of a landing zone based on multi-account strategy guidance
AWS Control Tower:
• AWS Service version of AWS Landing Zone

Slide 10

AWS Control Tower: Easiest way to set up and govern AWS at scale
Enable — Provision — Operate
Business agility + governance control

Slide 11

AWS Control Tower: Enable for governance at scale
Enable — Provision — Operate
Business agility + governance control

Slide 12

Enable governance (Enable)
• Set up an AWS landing zone
• Establish guardrails
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously

Slide 13

Set up an AWS landing zone (architecture diagram)
Master account: AWS Control Tower, AWS Organizations, AWS Single Sign-On (AWS SSO directory), Stack sets, AWS Service Catalog
Core OU:
• Log archive account: aggregate AWS CloudTrail and AWS Config logs; account baseline
• Audit account: security cross-account roles; security notifications; account baseline
Custom OU:
• Provisioned accounts: network baseline; account baseline

Slide 14

Multi-account architecture
• Baseline Organizations setup:
  • Core OU: AWS Control Tower baseline accounts (cannot change)
  • Custom OU: Your provisioned accounts
(Diagram: Master account in Organizations; Log archive account and Audit account in the Core OU; Provisioned accounts in the Custom OU)

Slide 15

Demo

Slide 16

Starter AWS multi-account framework (AWS Cloud, AWS Organizations)
Foundational Organizational Units (OUs):
• Security (Core OU)
• Infrastructure: Shared Services, Network
Additional OUs

Slide 17

Starter AWS multi-account framework (AWS Cloud, AWS Organizations)
Foundational Organizational Units (OUs):
• Security (Core OU): Log Archive, Security Tooling
• Infrastructure: Shared Services, Network
Additional OUs
Control Tower deploys these automatically

Slide 18

High-level OU structure (AWS Cloud, AWS Organizations)
Master
Foundational Organizational Units (OU):
• Security (Core OU)
• Infrastructure: Shared Services, Network
Additional OU

Slide 19

Recommended AWS multi-account framework (AWS Cloud, AWS Organizations)
Master
Foundational Organizational Units (OU):
• Security (Core OU)
• Infrastructure: Shared Services, Network
Additional OU

Slide 20

Centralize identity and access
• AWS SSO provides default directory for identity
• Preconfigured groups and permission sets
• Option to integrate with your managed or on-premises Active Directory (AD) using AWS Managed Microsoft AD
• How to integrate with Okta: https://tinyurl.com/y3226978

Slide 21

Service Control Policies (SCPs)
• Enable you to control which AWS service APIs are accessible
  - Define the list of APIs that are allowed – whitelisting
  - Define the list of APIs that must be blocked – blacklisting
• SCPs are:
  - Invisible to all users in the child account, including root
  - Applied to all users in the child account, including root
• Permission: intersection between the SCP and IAM permissions
• IAM policy simulator is SCP aware

Slide 22

Disable Service APIs you Won’t be Using

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ":*",
      "Resource": "*"
    }
  ]
}

Elements:
• NotAction (Optional): list the AWS actions exempt from the SCP. Used in place of the Action element.
• Resource: list the AWS resources the SCP applies to.
• Condition (Optional): specify conditions for when the statement is in effect.
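The two slides above state the rule that matters for SCP design: the effective permission is the intersection of what the SCPs allow and what the identity's IAM policy allows, an explicit SCP Deny wins, and SCPs bind the root user even though IAM identity policies do not. The following is an added example, not code from the deck or from AWS: a deliberately reduced evaluator for that rule (action-name matching only, no Resource or Condition matching, no permission boundaries). The policy documents it evaluates are constructed samples; the service denied in the blacklisting SCP is a hypothetical choice, not a recommendation from the slides.

```python
"""Added example: effective permission = SCP decision AND IAM decision.

Simplified model of the AWS evaluation logic (assumption: action matching
only; Resource/Condition are ignored). Real SCP evaluation happens per OU
level on the path from the organization root to the account: at every
level the SCPs attached there must, taken together, allow the action.
"""
from fnmatch import fnmatchcase


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive; '*' is the only wildcard (e.g. "s3:*").
    return fnmatchcase(action.lower(), pattern.lower())


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value)


def _policy_decision(policy: dict, action: str) -> str:
    """Return 'deny', 'allow' or 'implicit_deny' for a single policy document."""
    decision = "implicit_deny"
    for stmt in policy.get("Statement", []):
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        else:
            # NotAction: the statement applies to every action NOT listed.
            hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "deny"          # an explicit deny always wins
        decision = "allow"
    return decision


def is_allowed(scp_levels: list, iam_policy: dict, action: str,
               principal_is_root: bool = False) -> bool:
    """scp_levels: one list of SCP documents per OU level (root OU first).

    Every level must allow the action (explicit deny or no allow -> blocked).
    SCPs apply to root too; IAM identity policies do not attach to root, so
    for root only the SCP side of the intersection is consulted.
    """
    for level in scp_levels:
        decisions = [_policy_decision(scp, action) for scp in level]
        if "deny" in decisions or "allow" not in decisions:
            return False
    if principal_is_root:
        return True
    return _policy_decision(iam_policy, action) == "allow"


# ---- constructed sample documents (not from the deck) ----------------------
FULL_AWS_ACCESS_SCP = {   # same shape as the default FullAWSAccess SCP
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
# Blacklisting: a service this (hypothetical) organization has decided not to use.
DENY_UNUSED_SERVICE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "sagemaker:*", "Resource": "*"}],
}
# Whitelisting: only these services are reachable from accounts under this OU.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}
# NotAction form: deny everything except read-only EC2/S3 calls.
DENY_ALL_BUT_READ_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "NotAction": ["ec2:Describe*", "s3:Get*"], "Resource": "*"}],
}
# Identity-based policy of a developer role in the member account.
DEVELOPER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    levels = [[FULL_AWS_ACCESS_SCP], [FULL_AWS_ACCESS_SCP, DENY_UNUSED_SERVICE_SCP]]
    for act in ("s3:GetObject", "sagemaker:CreateNotebookInstance", "iam:DeleteUser"):
        print(act, "developer:", is_allowed(levels, DEVELOPER_IAM_POLICY, act),
              "root:", is_allowed(levels, DEVELOPER_IAM_POLICY, act, principal_is_root=True))
```

The point the evaluator makes concrete: the developer's IAM policy grants `sagemaker:*`, yet the call is blocked because the OU-level SCP denies it, and switching to the root user changes nothing. Conversely `iam:DeleteUser` is reachable for root (no SCP blocks it) but not for the developer, whose IAM policy never granted it. That is the intersection the slide describes, and it is why a whitelisting SCP on a child OU is a tighter control than any IAM policy inside the account.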

Slide 23

Organizational Units
• Grouping of AWS Accounts
• Attach Service Control Policies (SCPs) to the groups
• Use permission grouping (NOT corporate structure): how likely is the group to need a set of similar policies?

Slide 24

Establish guardrails
• Preventive: prevents policy violations using SCPs
• Detective: detects policy violations using AWS Config rules
• A guardrail can be: mandatory, strongly recommended, or elective
• Guardrails apply to organizational units (OUs) and all child accounts (new and existing)
(Diagram: a preventive guardrail enabled on an OU and its accounts becomes granular AWS policies (SCPs); output: always compliant. A detective/remediable guardrail enabled on an OU and its accounts becomes granular AWS policies (AWS Config rules); output: compliant or non-compliant.)

Slide 25

Guardrail examples

Goal/Category            Example
IAM                      Require MFA for root user
Data security            Disallow public read access to Amazon S3 buckets
                         Disallow public access to Amazon RDS database instances
Network                  Disallow internet connection via Remote Desktop Protocol (RDP)
                         Disallow internet connection through SSH
Audit logs               Enable AWS CloudTrail and AWS Config
Monitoring               Disallow policy changes to log archive
AWS Control Tower setup  Disallow changes to IAM roles set up by AWS Control Tower
Operations               Disallow EBS volumes that are unattached to an EC2 instance
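Slide 24 distinguishes preventive guardrails (an SCP that blocks the call) from detective ones (an AWS Config rule that reports resources already in violation), and slide 25 lists examples of both kinds. The block below is an added example, not code from the deck or from Control Tower: two of the detective guardrails from the table, "Disallow public read access to Amazon S3 buckets" and "Disallow EBS volumes that are unattached to an EC2 instance", written as the kind of per-resource evaluation a Config rule performs, run over a constructed inventory. The record shapes (`acl_grants`, `policy`, `attachments`) are simplified stand-ins for Config configuration items, assumed for this example.

```python
"""Added example: detective guardrails as Config-rule-style evaluations.

Assumptions: resource records are simplified dicts, not real AWS Config
configuration items; the S3 check looks at ACL grants and bucket-policy
principals/actions only (no Condition handling, no account-level Block
Public Access state), which is enough to show the detect-and-report shape.
"""

# Canned ACL grantee URIs that mean "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value)


def s3_bucket_public_read(bucket: dict) -> str:
    """NON_COMPLIANT if any ACL grant or bucket-policy statement grants public read."""
    for grant in bucket.get("acl_grants", []):
        if grant["grantee"] in PUBLIC_GRANTEES and grant["permission"] in ("READ", "FULL_CONTROL"):
            return "NON_COMPLIANT"
    policy = bucket.get("policy") or {}
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        is_public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        grants_read = any(a in READ_ACTIONS for a in _as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Allow" and is_public and grants_read:
            return "NON_COMPLIANT"
    return "COMPLIANT"


def ebs_volume_attached(volume: dict) -> str:
    """NON_COMPLIANT for a volume with no attachment to an EC2 instance."""
    return "COMPLIANT" if volume.get("attachments") else "NON_COMPLIANT"


# One rule per resource type; resource types without a rule are skipped.
RULES = {
    "AWS::S3::Bucket": s3_bucket_public_read,
    "AWS::EC2::Volume": ebs_volume_attached,
}


def evaluate(inventory: list) -> dict:
    """Map resource id -> compliance result, the way a Config rule evaluation reports."""
    return {item["id"]: RULES[item["type"]](item) for item in inventory if item["type"] in RULES}


def non_compliant_ids(inventory: list) -> list:
    """Sorted ids of resources a detective guardrail would flag."""
    return sorted(rid for rid, result in evaluate(inventory).items() if result == "NON_COMPLIANT")


# ---- constructed sample inventory (not real resources) ---------------------
OWNER_ONLY = [{"grantee": "owner-canonical-id-example", "permission": "FULL_CONTROL"}]
SAMPLE_INVENTORY = [
    {"type": "AWS::S3::Bucket", "id": "example-log-archive", "acl_grants": OWNER_ONLY, "policy": None},
    {"type": "AWS::S3::Bucket", "id": "example-website-assets",
     "acl_grants": [{"grantee": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "READ"}],
     "policy": None},
    {"type": "AWS::S3::Bucket", "id": "example-data-share", "acl_grants": OWNER_ONLY,
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::example-data-share/*"}]}},
    {"type": "AWS::EC2::Volume", "id": "vol-example-attached", "attachments": [{"instance_id": "i-example"}]},
    {"type": "AWS::EC2::Volume", "id": "vol-example-orphan", "attachments": []},
    {"type": "AWS::RDS::DBInstance", "id": "db-example"},   # no rule defined: skipped
]

if __name__ == "__main__":
    for rid, result in evaluate(SAMPLE_INVENTORY).items():
        print(f"{rid:26} {result}")
```

Note the two ways a bucket becomes public in the sample: an ACL grant to the AllUsers group and a bucket policy with `Principal: "*"`; a detective check that looks at only one of them reports a clean result for the other, which is the kind of blind spot a real Config rule (and the account-level Block Public Access setting) is there to close. Because this is detective, the bucket already exists when it is flagged; the preventive counterpart is the SCP side of slides 21 and 22.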

Slide 26

AWS Service Catalog: Secure self-service provisioning
Enable — Provision — Operate
Business agility + governance control

Slide 27

Automate compliant account provisioning
• Standardized account provisioning
• Automatic enforcement of guardrails
• Configurable network settings
(Diagram: the Account factory, an AWS Service Catalog product, takes a network baseline (network CIDR, network regions), an OU and an account baseline, and provisions a new AWS account with the network baseline, account baseline and guardrails applied)

Slide 28

Enable secure self-service provisioning
• Create best-practices templates with AWS CloudFormation or Terraform for commonly used products (Amazon EMR, Amazon EC2, etc.)
• Create AWS Service Catalog products in the master AWS Control Tower account
• Distribute products via Organizations to all of your AWS Control Tower managed accounts

Slide 29

AWS Control Tower: Easiest way to set up and govern at scale
Enable — Provision — Operate
Business agility + governance control

Slide 30

Operate with agility + control (Operate)
• Dashboard: continuous visibility into your multi-account environment
• Act: take operational action on resources
• Audit: audit resource configurations, user access, and policy enforcement
• Monitor: monitor resources and workloads

Slide 31

Demo

Slide 32

We thought we did this…

Slide 33

But…

Slide 34

AWS services that enable agility + governance
• AWS Control Tower
• AWS Organizations
• AWS Service Catalog
• AWS Well-Architected Tool
• AWS Budgets
• AWS License Manager
• AWS Marketplace (Private Marketplace)
• AWS CloudTrail
• AWS Config
• AWS Security Hub
• Amazon CloudWatch

Slide 35

AWS Control Tower capabilities

Account Management
• Framework for creating and baselining a multi-account environment using AWS Organizations
• Initial multi-account structure including security, audit, & shared service requirements
• An account vending machine that enables automated deployment of additional accounts with a set of managed and monitored security baselines
• A management console that shows compliance status of accounts
• The ability to apply AWS best practice guardrails and Blueprints to accounts at account creation
• The ability to detect and report on any drift / changes that have occurred that deviate from initial configuration options

Identity & Access Management
• User account access managed through AWS SSO federation
• Integration options with other 3rd party SSO providers
• Cross-account roles enable centralized management

Security & Governance
• Multiple accounts enable separation of duties
• Initial account security and AWS Config rules baseline
• Network baseline

Slide 36

Thank you!
Dennis Kieselhorst, Sr. Solutions Architect
[email protected]
Feedback form: https://amzn.to/35cfKWx