Getting Started with AWS Landing Zones The key to manage and govern AWS accounts at scale Will Chalmers (he/him) Solutions Architect

• The path to multiple AWS accounts • Where does a landing zone fit in? • AWS Multi-Account Strategy • Control Tower & Organizations Agenda

The path to multiple accounts

No content

Security / Resource Boundary API Limits / throttling Billing Separation

Where does a Landing Zone fit in?

Multi Account Structure

You Need … Orchestration Framework

You need a ‘Landing Zone’ • A configured, secure, scalable, multi-account AWS environment based on AWS Frameworks and best practices. • A starting point for new clients/projects/migrations/development & experimentation • An environment that allows for iteration and expansion over time

A well-architected Landing Zone

Introducing AWS Control Tower A self-service solutions to automate the setup of AWS multi-account environments

Benefits

AWS Organizations Provides tools to centrally govern and manage AWS Accounts • Quickly scale by creating accounts and allocate resources • Customize environments by applying governance policies • Secure and audit environments • Manage costs and identify cost-saving measures

Benefits

Dashboard for oversight

Guardrail examples Guardrail Type Requirement Enable MFA for the Root User Detective Strongly Recommended Disallow public read access to S3 Detective Strongly Recommended Enable AWS Config in All Available Regions Preventive Mandatory Disallow Policy Changes to Log Archive Preventive Mandatory Integrate CloudTrail Events with CloudWatch Logs Preventive Mandatory Disallow Amazon S3 Buckets That Are Not Versioning Enabled Detective Elective Disallow Delete Actions on Amazon S3 Buckets Without MFA Detective Elective

Account Creation

Thank you! Q&A