Slide 1

Slide 1 text

© 2020, Amazon Web Services, Inc. or its Affiliates.
Dennis Kieselhorst, Sr. Solutions Architect
AWS Control Tower: managing AWS cloud environments simply and securely

Slide 2

Slide 2 text

Agenda
• Motivation: why a multi-account strategy / landing zone?
• AWS Control Tower value proposition
• A landing zone, the AWS Landing Zone solution, and AWS Control Tower
• AWS Control Tower: Enable, Provision, Operate
• Demo
• Recently released features
• Q&A

Slide 3

Slide 3 text

We thought we did this…

Slide 4

Slide 4 text

But…

Slide 5

Slide 5 text

Why one AWS account isn't enough
• Billing
• Many teams
• Security / compliance controls
• Business process
• Isolation

Slide 6

Slide 6 text

Isolation with IAM and VPC in one account?
• "Gray" boundaries
• Complicated and messy over time
• Difficult to track resources
• People stepping on each other
(Diagram: everything inside a single AWS account)

Slide 7

Slide 7 text

Customers are faced with…
• Many design decisions
• The need to configure multiple accounts & services
• Establishing a security baseline & governance

Slide 8

Slide 8 text

Balancing the needs of builders and central cloud IT
• Builders: stay agile; innovate with the speed and agility of AWS
• Cloud IT: establish governance; govern at scale with central controls

Slide 9

Slide 9 text

More innovation, greater agility, with control
• Agility: experiment, be productive, empower distributed teams, self-service access, respond quickly to change
• Governance: secure & compliant, operations & spend management
• Enable, Provision, Operate
Don't choose between agility or control: you need and want both

Slide 10

Slide 10 text

AWS management and governance services: business agility + governance control
• Enable: AWS Control Tower, AWS Organizations, AWS Budgets, AWS License Manager, AWS Well-Architected Tool
• Provision: AWS OpsWorks, AWS CloudFormation, AWS Service Catalog, AWS Marketplace
• Operate: AWS Cost Explorer, Amazon CloudWatch, AWS Cost and Usage Report, AWS CloudTrail, AWS Systems Manager, AWS Config

Slide 11

Slide 11 text

AWS Control Tower: easiest way to set up and govern AWS at scale
Enable, Provision, Operate: business agility + governance control

Slide 12

Slide 12 text

Why use AWS Control Tower? Set up a best-practices AWS environment in a few clicks

Slide 13

Slide 13 text

What is a "landing zone"?
• A configured, secure, scalable, multi-account (multiple resource containers) AWS environment based on AWS best practices
• A starting point for net new development and experimentation
• A starting point for migrating applications
• An environment that allows for iteration and extension over time

Slide 14

Slide 14 text

landing zone, AWS Landing Zone, AWS Control Tower
landing zone:
• Secure pre-configured environment for your AWS presence
• Scalable and flexible
• Enables agility and innovation
AWS Landing Zone solution:
• Implementation of a landing zone based on multi-account strategy guidance
• Customers get code that they will need to manage & maintain
• The solution will no longer receive updates by EOY 2020
AWS Control Tower:
• AWS managed-service version of AWS Landing Zone

Slide 15

Slide 15 text

Landing Zones – how we got here
• 2006–2020+: customer hand-crafted landing zones (tried and true, not simple)
• 2018: AWS Landing Zone v1
• Q4 2018: AWS Landing Zone v2.x and AWS Control Tower announced
• Q2 2019: AWS Control Tower launched
• 2020+: ALZ reference architecture for AWS Control Tower

Slide 16

Slide 16 text

Enable governance
• Set up an AWS landing zone
• Establish guardrails
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously

Slide 17

Slide 17 text

Set up an AWS landing zone
• Landing zone: a preconfigured, secure, scalable, multi-account AWS environment based on best-practice blueprints
• Multi-account management using AWS Organizations
• Identity and federated access management using AWS SSO
• Centralized log archive using AWS CloudTrail and AWS Config
• Cross-account audit access using AWS SSO and AWS IAM
• End-user account provisioning through AWS Service Catalog
• Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS
(Diagram: the master account runs AWS Control Tower, AWS Organizations, AWS Single Sign-On with its AWS SSO directory, stack sets and AWS Service Catalog. The Core OU holds the log archive account (aggregated AWS CloudTrail and AWS Config logs, account baseline) and the audit account (security cross-account roles, Amazon CloudWatch aggregator, security notifications, account baseline). The Custom OU holds the provisioned accounts, each with a network baseline and an account baseline.)

Slide 18

Slide 18 text

Multi-account architecture
• Master account (AWS has since renamed this the management account): designation of your existing account to create a new organization; it is also your master payer account
• The organization consists of 2 OUs with pre-configured accounts:
  o Core OU: AWS Control Tower-created accounts, i.e., the Audit account and the Log archive account
  o Custom OU: your provisioned accounts
(Diagram: master account with AWS Organizations; Core OU containing the log archive and audit accounts; Custom OU containing the provisioned accounts)

Slide 19

Slide 19 text

Demo

Slide 20

Slide 20 text

Centralize identity and access
• AWS SSO provides the default directory for identity
• AWS SSO also enables federated access management across all accounts in your organization
• Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users)
• Preconfigured permission sets (e.g., admin, read-only, write)

Slide 21

Slide 21 text

Establish guardrails
• Guardrails are preconfigured governance rules for security, compliance, and operations
• Expressed in plain English to provide abstraction over granular AWS policies
• Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs. Because the enforcement is an SCP, the offending API call is refused outright, which is why a preventive guardrail reports as "always compliant"
• Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules, so a violating resource is reported as non-compliant after it already exists
• Mandatory and strongly recommended guardrails for prescriptive guidance
• Easy selection and enablement on organizational units; a guardrail enabled on an OU applies to every account in that OU
(Diagram: a guardrail is enabled on organizational units and their accounts. A preventive guardrail outputs granular AWS policies as an SCP (always compliant); a detective/remediable guardrail outputs granular AWS policies as AWS Config rules (compliant / non-compliant).)

Slide 22

Slide 22 text

Service Control Policies (SCPs)
• Enable you to control which AWS service APIs are accessible:
  - Define the list of APIs that are allowed (allow list / whitelisting)
  - Define the list of APIs that must be blocked (deny list / blacklisting)
• SCPs are:
  - Invisible to all users in the child account, including root
  - Applied to all users in the child account, including root
• Effective permission: the intersection of the SCP and the IAM permissions. An SCP never grants access on its own; the identity still needs an IAM policy that allows the action, and an SCP Deny cannot be overridden by any IAM policy inside the child account
• SCPs do not apply to the master (management) account itself, which is one more reason to keep workloads out of it
• The IAM policy simulator is SCP aware

Slide 23

Slide 23 text

Disable service APIs you won't be using
Example SCP (the service prefix on the slide did not survive extraction; <service> stands for the service being disabled):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "<service>:*",
      "Resource": "*"
    }
  ]
}
Elements of an SCP statement:
• Action: the AWS actions the statement applies to (service:API, wildcards allowed)
• NotAction (optional): list the AWS actions exempt from the SCP; used in place of the Action element
• Resource: list the AWS resources the SCP applies to
• Condition (optional): specify conditions for when the statement is in effect
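The two preceding slides state three rules that are easy to get wrong in practice: an SCP only restricts and never grants, the effective permission is the intersection of SCP and IAM, and the SCP binds the child account's root user while IAM identity policies do not. The following is an added example, written for this page and not taken from the deck or from AWS; it is a deliberately small policy evaluator that models exactly those rules (plus the NotAction / Condition shape of the "deny everything except" SCP above) on constructed policies. The service names, the region list and the data-engineer IAM policy are assumptions chosen for illustration; real IAM evaluation also considers resource policies, permissions boundaries and session policies, which this model omits.

```python
"""Toy model of SCP + IAM evaluation (added example, not from the deck).

Rules modelled, as stated on the slides:
  * an SCP never grants; it only bounds what IAM may grant,
  * effective permission = SCP allows AND IAM allows,
  * an explicit Deny anywhere wins,
  * the SCP applies to every principal in the child account, root included.
Only the condition operator used below (StringNotEquals on aws:RequestedRegion)
is implemented. Not a substitute for the IAM policy simulator.
"""
from fnmatch import fnmatch

# Constructed "deny all except" SCP: NotAction lists the exempt (global) APIs,
# Condition limits the statement to requests outside the approved regions.
# The region list and exempt services are illustrative assumptions.
SCP_REGION_LOCK = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "cloudtrail:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "us-east-1"]}
            },
        },
        {
            # Service the organisation does not use at all (illustrative choice).
            "Sid": "DenyUnusedService",
            "Effect": "Deny",
            "Action": "redshift:*",
            "Resource": "*",
        },
    ],
}

# Organizations attaches this FullAWSAccess policy by default; without some
# attached SCP that allows an action, nothing is allowed in the child account.
SCP_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed IAM identity policy of a user in the child account.
IAM_DATA_ENGINEER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "redshift:*"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, region):
    """True if this statement covers `action` for a request in `region`."""
    if "Action" in stmt:
        if not any(fnmatch(action, pat) for pat in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        # NotAction: statement covers everything EXCEPT the listed actions.
        if any(fnmatch(action, pat) for pat in _as_list(stmt["NotAction"])):
            return False
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    if "aws:RequestedRegion" in cond and region in _as_list(cond["aws:RequestedRegion"]):
        return False  # region IS in the list, so StringNotEquals is false
    return True


def _evaluate(policies, action, region):
    """'deny' if any applicable statement denies, else 'allow' / 'implicit_deny'."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, region):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def is_allowed(action, region, scps, iam_policies, is_root=False):
    """Intersection semantics: the SCPs must allow AND the IAM policies must allow.

    is_root=True models the child account's root user, which is not subject to
    IAM identity policies but is still bounded by the SCPs.
    """
    if _evaluate(scps, action, region) != "allow":
        return False
    if is_root:
        return True
    return _evaluate(iam_policies, action, region) == "allow"
```

Walking the cases: with FullAWSAccess plus the region lock attached, the data engineer can call S3 in eu-west-1 but not in ap-southeast-1, cannot call Redshift anywhere even though IAM allows it, and cannot create IAM users because nothing in IAM grants it. Root is blocked from Redshift by the SCP too. Detach FullAWSAccess and the same S3 call fails, which is the "an SCP never grants" point made concrete.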

Slide 24

Slide 24 text

Organizational Units
• A grouping of AWS accounts
• Apply Service Control Policies (SCPs) to the groups
• Group by permission needs, NOT by corporate structure: how likely is the group to need a set of similar policies?

Slide 25

Slide 25 text

Guardrail examples
Goal/category      Example
IAM security       Require MFA for root user
Data security      Disallow public read access to Amazon S3 buckets
Network security   Disallow internet connection via Remote Desktop Protocol (RDP)
Audit logs         Enable AWS CloudTrail and AWS Config
Monitoring         Enable AWS CloudTrail integration with Amazon CloudWatch
Encryption         Ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances
Drift              Disallow changes to AWS Config rules set up by AWS Control Tower

Slide 26

Slide 26 text

Automate compliant account provisioning
• Built-in account factory provides a template to standardize account provisioning
• Configurable network settings (e.g., subnets, IP addresses)
• Automatic enforcement of account baselines and guardrails
• Published to AWS Service Catalog
(Diagram: the account factory combines a network baseline (network CIDR, network regions), the target OU and an account baseline into an AWS Service Catalog product; launching the product creates a new AWS account with the network baseline, account baseline and guardrails applied)

Slide 27

Slide 27 text

Automate secure self-service provisioning at scale
Enable, Provision, Operate: business agility and governance control

Slide 28

Slide 28 text

AWS CloudFormation concepts
• Template (JSON or YAML)
• Change set
• Stack

Slide 29

Slide 29 text

AWS CloudFormation StackSets
(Diagram: one template feeds a StackSet, which creates one stack per target account and region)

Slide 30

Slide 30 text

Enable self-service with AWS Service Catalog

Slide 31

Slide 31 text

Automate governance at scale

Slide 32

Slide 32 text

Benefits of governance at scale
• End users: agility, self-service, time to market, speed
• Organizations: curation, compliance, standardization, security
Service catalogs enable organizations to deploy and manage infrastructure and applications that reflect the organization's security and operational policies

Slide 33

Slide 33 text

Enabling self-service via AWS & ITSM tools
1. Users browse and request AWS services (ITSM front end: Jira Service Desk)
2. Administrators procure, publish, and govern AWS services (AWS Marketplace, AWS Service Catalog)
3. Operators monitor and manage AWS services
AWS Cloud services offered this way: Amazon EC2, Amazon Simple Storage Service, Amazon WorkSpaces, Amazon SageMaker, Amazon RDS, Amazon EMR, AWS IoT Core

Slide 34

Slide 34 text

Starter AWS multi-account framework
AWS Cloud, AWS Organizations
Foundational organizational units (OUs):
• Infrastructure: Shared Services account, Network account
• Security
Additional OUs

Slide 35

Slide 35 text

Starter AWS multi-account framework
AWS Cloud, AWS Organizations
Foundational organizational units (OUs):
• Infrastructure: Shared Services account, Network account
• Security: Log Archive account, Security Tooling account (Control Tower deploys these automatically)
Additional OUs

Slide 36

Slide 36 text

AWS multi-account framework
AWS Cloud, AWS Organizations, Master account
Foundational organizational units (OUs):
• Infrastructure: Shared Services account, Network account
• Security
Additional OUs

Slide 37

Slide 37 text

How to customize AWS CT today? https://aws.amazon.com/solutions/customizations-for-aws-control-tower/

Slide 38

Slide 38 text

Lifecycle Events
• CreateManagedAccount
• UpdateManagedAccount
• EnableGuardrail
• DisableGuardrail
• SetupLandingZone
• UpdateLandingZone
• RegisterOrganizationalUnit
• DeregisterOrganizationalUnit
Each event is emitted when the corresponding AWS Control Tower action has finished and is recorded in AWS CloudTrail, so it can be matched by an Amazon EventBridge rule and used to trigger your own customizations (for example, extra baselining of a newly vended account).
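What a consumer of these lifecycle events looks like, as an added example written for this page (it is not code from the deck, from AWS, or from the Customizations for AWS Control Tower solution): an EventBridge rule pattern that selects the two account events, and a Lambda-style handler that parses the event, refuses anything not emitted by the expected management account, and only acts when the vending state is SUCCEEDED. The sample event is constructed to the documented shape of a CreateManagedAccount event; the account IDs, OU and account names are made up, and MANAGEMENT_ACCOUNT_ID is an assumed constant. The handler returns a decision rather than calling AWS so that it runs offline.

```python
"""Consume AWS Control Tower lifecycle events (added example, not from the deck).

Control Tower emits lifecycle events as CloudTrail service events, so they
reach EventBridge with source "aws.controltower" and detail-type
"AWS Service Event via CloudTrail"; the result of the action sits under
detail.serviceEventDetails.<eventName>Status.
"""
import copy

# Assumed ID of the organization's management (master) account; the rule and
# the handler live there because that is where the events are emitted.
MANAGEMENT_ACCOUNT_ID = "111111111111"

# EventBridge rule pattern: only the two account-vending events.
RULE_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount", "UpdateManagedAccount"]},
}

# Constructed sample event; shape follows the documented lifecycle event,
# all identifiers are made up.
SAMPLE_EVENT = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": MANAGEMENT_ACCOUNT_ID,
    "time": "2020-06-01T10:00:00Z",
    "region": "eu-west-1",
    "detail": {
        "eventVersion": "1.05",
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "awsRegion": "eu-west-1",
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {
                    "organizationalUnitName": "Sandbox",
                    "organizationalUnitId": "ou-xxxx-11111111",
                },
                "account": {"accountName": "team-a-sandbox", "accountId": "222222222222"},
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully created a managed account.",
                "requestedTimestamp": "2020-06-01T09:30:00+0000",
                "completedTimestamp": "2020-06-01T10:00:00+0000",
            }
        },
    },
}

# eventName -> key of its status block inside serviceEventDetails.
_STATUS_KEY = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}


def rule_matches(event, pattern=RULE_PATTERN):
    """Minimal EventBridge-style match: each pattern field's value must be listed."""
    return (
        event.get("source") in pattern["source"]
        and event.get("detail-type") in pattern["detail-type"]
        and event.get("detail", {}).get("eventName") in pattern["detail"]["eventName"]
    )


def parse_lifecycle_event(event):
    """Flatten a Create/UpdateManagedAccount event; ValueError for anything else."""
    detail = event["detail"]
    key = _STATUS_KEY.get(detail.get("eventName"))
    if key is None:
        raise ValueError("unsupported lifecycle event: %r" % detail.get("eventName"))
    status = detail["serviceEventDetails"][key]
    return {
        "event_name": detail["eventName"],
        "state": status["state"],
        "message": status.get("message", ""),
        "account_id": status["account"]["accountId"],
        "account_name": status["account"]["accountName"],
        "ou_id": status["organizationalUnit"]["organizationalUnitId"],
        "ou_name": status["organizationalUnit"]["organizationalUnitName"],
    }


def handler(event, context=None, expected_account=MANAGEMENT_ACCOUNT_ID):
    """Lambda entry point: decide whether the vended account should be baselined."""
    # Defensive: lifecycle events originate in the management account only;
    # drop anything forwarded from elsewhere before trusting its contents.
    if event.get("account") != expected_account or not rule_matches(event):
        return {"action": "ignore", "reason": "unexpected source account or event"}
    record = parse_lifecycle_event(event)
    if record["state"] != "SUCCEEDED":
        # A FAILED event still names the account and OU; surface it, do nothing.
        return dict(record, action="ignore", reason=record["message"])
    # A real customization would now assume the AWSControlTowerExecution role
    # that Control Tower creates in record["account_id"] and apply its extras.
    return dict(record, action="baseline")


def with_state(event, state):
    """Return a deep copy of a CreateManagedAccount event with another state."""
    clone = copy.deepcopy(event)
    clone["detail"]["serviceEventDetails"]["createManagedAccountStatus"]["state"] = state
    return clone
```

The source-account check matters once the rule is reused across event buses: a forwarded or replayed event with a plausible body would otherwise trigger baselining of an account ID the attacker chose.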

Slide 39

Slide 39 text

AWS Control Tower: easiest way to set up and govern at scale
Enable, Provision, Operate: business agility + governance control

Slide 40

Slide 40 text

Operate with agility + control
• Dashboard: continuous visibility into your multi-account environment
• Act: take operational action on resources
• Audit: audit resource configurations, user access, and policy enforcement
• Monitor: monitor resources and workloads

Slide 41

Slide 41 text

Demo

Slide 42

Slide 42 text

Upcoming features: schedule a roadmap session (under NDA)

Slide 43

Slide 43 text

AWS services that enable agility + governance
• AWS Control Tower
• AWS Organizations
• AWS Service Catalog
• AWS Well-Architected Tool
• AWS Budgets
• AWS License Manager
• AWS Marketplace (Private Marketplace)
• AWS CloudTrail
• AWS Config
• AWS Security Hub
• Amazon CloudWatch

Slide 44

Slide 44 text

AWS Control Tower capabilities
Account management:
• Framework for creating and baselining a multi-account environment using AWS Organizations
• Initial multi-account structure including security, audit, & shared service requirements
• An account vending machine that enables automated deployment of additional accounts with a set of managed and monitored security baselines
• A management console that shows the compliance status of accounts
• The ability to apply AWS best-practice guardrails and blueprints to accounts at account creation
• The ability to detect and report on any drift/changes that deviate from the initial configuration options
Identity & access management:
• User account access managed through AWS SSO federation
• Integration options with other 3rd-party SSO providers (PING/OKTA, Azure AD: native support)
Security & governance:
• Cross-account roles enable centralized management
• Multiple accounts enable separation of duties
• Initial account security and AWS Config rules baseline
• Network baseline

Slide 45

Slide 45 text

Summary of key features

Slide 46

Slide 46 text

Pricing and availability: US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland)

Slide 47

Slide 47 text

How do I get started?
AWS Control Tower labs: https://controltower.aws-management.tools
AWS Control Tower blogs:
• Guardrail mitigation: https://tinyurl.com/y56dsalz
• Self-service provisioning: https://tinyurl.com/y3fk3fpk
• Migrating workloads with AWS Control Tower and CloudEndure: https://tinyurl.com/CTMigrate
Getting started (re:Inforce 2019): https://tinyurl.com/y2gtzf9c
How-to videos (Management & Governance): https://tinyurl.com/y3yeohkm

Slide 48

Slide 48 text

Thank you! Dennis Kieselhorst, Sr. Solutions Architect [email protected] Feedback form: https://amzn.to/35cfKWx