Slide 1

Slide 1 text

AWS CONTROL TOWER FOR COMPLIANCE, GOVERNANCE AND TAMING YOUR CLOUD ESTATE_

Slide 2

Slide 2 text

PART 1 WHAT IS CONTROL TOWER?_

Slide 3

Slide 3 text

Photo by Natalie Rhea on Unsplash

Slide 4

Slide 4 text

WHY GO MULTI-ACCOUNT?_
Security
SaaS tenant isolation
Blast radius reduction
Developer productivity
Avoiding service limits
Ease of cost attribution

Slide 5

Slide 5 text

“Desired outcome: An account structure that isolates cloud operations, unrelated workloads, and environments into separate accounts, increasing security across the cloud infrastructure.”
AWS Well-Architected Framework, SEC01-BP01

Slide 6

Slide 6 text

MULTI ACCOUNTS_
Netflix: > 3,000
Lyft: “hundreds”
McDonald’s: > 2,500

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

2006 AMAZON SQS GA: The first AWS service goes live
2009 AWS MANAGEMENT CONSOLE GA: Web GUI for managing the AWS platform
2017 AWS ORGANIZATIONS GA: Policy based management
2019 AWS CONTROL TOWER GA: Manage multiple accounts at scale
2023 TODAY

Slide 9

Slide 9 text

MULTI-ACCOUNT GOVERNANCE CONCERNS_

Slide 10

Slide 10 text

MULTI-ACCOUNT GOVERNANCE CONCERNS_
SaaS: Multi-tenancy
SMB/Enterprise: Corporate governance

Slide 11

Slide 11 text

SECURITY CONCERNS_
Who can access which resources?
Is public access locked down?
What activity is logged?
Who can read/write log data?
Is encryption at rest enforced?
Is encryption in transit enforced?
Where are we storing confidential information?

Slide 12

Slide 12 text

LEGAL CONCERNS_
In which legal jurisdiction is data stored and processed?
Are we following all relevant local legislation?
Are we meeting our contractual commitments to customers?

Slide 13

Slide 13 text

COST CONCERNS_
Are we paying too much for our cloud resources?
Are we generating waste, paying for unused resources?
Can we avoid accidentally generating a large bill?
Which department is responsible for which part of the bill?
How do costs divide out across SaaS tenants?

Slide 14

Slide 14 text

STAFFING CONCERNS_
Who’s responsible for operating which account?
How do I contact the right team when something goes wrong?
Do we have enough people to run this platform?

Slide 15

Slide 15 text

PRODUCTIVITY CONCERNS_
How can we manage all this complexity without slowing down?
How can product teams maintain autonomy over their platform whilst conforming to local policy?

Slide 16

Slide 16 text

Photo by Jacopo Maia on Unsplash

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

Photo by Pascal Meier on Unsplash

Slide 20

Slide 20 text

LANDING ZONE_
A well-architected, self-service multi-account AWS environment providing:
Account & network structure
Identity & access services
Security baseline and guardrails
Cost guardrails
Centralised management
Logging and monitoring
Account/application blueprints

Slide 21

Slide 21 text

“The purpose of a platform team is to enable stream-aligned teams to deliver work with substantial autonomy. The stream-aligned team maintains full ownership of building, running, and fixing their application in production. The platform team provides internal services to reduce the cognitive load that would be required from stream-aligned teams to develop these underlying services.”
Matthew Skelton and Manuel Pais, Team Topologies

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

JUST IMAGINE_

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

AWS CONTROL TOWER MAKES IT EASIER TO BUILD A LANDING ZONE_

Slide 26

Slide 26 text

AWS Control Tower
AWS Organizations
AWS Config
Amazon GuardDuty
AWS Identity and Access Management
AWS Security Hub
AWS IAM Identity Center
AWS Service Catalog
AWS Budgets
AWS CloudTrail
Amazon Inspector

Slide 27

Slide 27 text

Diagram: a Control Tower landing zone. Management account: AWS Control Tower, AWS Organizations, AWS Config, AWS IAM Identity Center, AWS Service Catalog (Account Factory), AWS CloudFormation StackSets. Security OU: Log Archive account, Audit account. Sandbox OU: Example account with a VPC. A baseline is deployed to each account and logs flow to the Log Archive account.

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

WHAT’S A SERVICE CONTROL POLICY?_
Similar to an IAM policy
Applies to OUs
Sets limits on actions
Also affects the root account!

Slide 31

Slide 31 text

SCP USE CASES_
Deny access to whole regions
Prevent disabling of CloudTrail logs or GuardDuty
Deny provision of expensive resources
Prevent unencrypted object uploads to S3
Enforce a resource tagging policy

Slide 32

Slide 32 text

DESIGN DECISIONS_
What OUs do I need?
What additional service accounts do I need?
Do I want to delegate some services to other accounts?
What security controls should I deploy?
Should I hook up my IAM accounts with my external IdP?
How will I determine what budgets to set in my accounts?
What’s a good resource tagging strategy to enforce?
Do I have existing accounts to migrate under the new Organization?

Slide 33

Slide 33 text

BE AWARE_
Not available in every region.
IAM Identity Center and Control Tower must be deployed in the same region.
Installation can’t be fully automated*
Best practice is to start with a fresh root account.
There are costs to consider.

Slide 34

Slide 34 text

WHAT DOES IT COST?_
AWS Control Tower itself is a free AWS service
The tools it provisions can incur cost:
  AWS Config rules can be surprisingly expensive
  S3 costs for log archive storage

Slide 35

Slide 35 text

HOW LONG DOES IT TAKE?_
Enabling Control Tower can be done pretty quickly.
Choosing and defining security controls can be time consuming.
Conforming existing accounts needs to be done carefully.

Slide 36

Slide 36 text

PART 2 INTEGRATING CONTROL TOWER_

Slide 37

Slide 37 text

INTEGRATION TYPES_
Integrate other AWS services
Extend your landing zone
Integrate with external services

Slide 38

Slide 38 text

ACCOUNT CUSTOMISATION_
Uses AWS Service Catalog
LZ provides a baseline
You can add your own blueprints

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

WHEN TO USE THIS?_
Diagram: an account baseline plus a Fargate blueprint and a Lambda blueprint, applied across the accounts Service A test, Service A prod, Service B test and Service B prod.

Slide 41

Slide 41 text

WHEN TO USE THIS?_
Diagram: an account baseline plus a Fargate blueprint, applied across the accounts SaaS tenant 1, 2, 3 and 4.

Slide 42

Slide 42 text

CUSTOMIZATIONS FOR CONTROL TOWER (CfCT)_
Run customisations when new accounts are created.
Orchestrated by AWS CodePipeline
Executed using CloudFormation StackSets
Low cost
Serverless components

Slide 43

Slide 43 text

LIFECYCLE EVENTS_
CreateManagedAccount
UpdateManagedAccount
EnableGuardrail
DisableGuardrail
SetupLandingZone
UpdateLandingZone
RegisterOrganizationalUnit
DeregisterOrganizationalUnit
PrecheckOrganizationalUnit
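How the CfCT-style hook on slides 42 and 43 consumes these lifecycle events, as an added example that is not part of the talk or of the CfCT project: it selects the two account events, checks that the event reached the SUCCEEDED state, and maps the account's OU to the customisations to run. The event shape is the CloudTrail-delivered form AWS documents; the OU-to-blueprint map, sample account id and OU id are constructed assumptions.

```python
import json

# Assumption (constructed): which CfCT customisations to run for each OU.
OU_BLUEPRINTS = {
    "Sandbox": ["account-baseline", "budget-alarm"],
    "Workload": ["account-baseline", "fargate-blueprint", "guardduty-config"],
}
# EventBridge pattern selecting the two account lifecycle events (the event
# shape used below is the CloudTrail-delivered form AWS documents).
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount", "UpdateManagedAccount"]},
}
# Each lifecycle event reports its outcome under an event-specific status key.
STATUS_KEYS = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}


def plan_customisation(event):
    """Return {account_id, ou, blueprints} for a SUCCEEDED account event, else None."""
    # Failed events and other lifecycle events (EnableGuardrail, UpdateLandingZone,
    # ...) are ignored so that a half-created account is never customised.
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    status_key = STATUS_KEYS.get(detail.get("eventName"))
    if status_key is None:
        return None
    status = detail.get("serviceEventDetails", {}).get(status_key, {})
    if status.get("state") != "SUCCEEDED":
        return None
    ou_name = status["organizationalUnit"]["organizationalUnitName"]
    return {"account_id": status["account"]["accountId"], "ou": ou_name,
            "blueprints": OU_BLUEPRINTS.get(ou_name, ["account-baseline"])}


# Constructed sample event; account id and OU id are placeholders.
SAMPLE_EVENT = {
    "detail-type": "AWS Service Event via CloudTrail", "source": "aws.controltower",
    "detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {
        "createManagedAccountStatus": {
            "organizationalUnit": {"organizationalUnitName": "Workload",
                                   "organizationalUnitId": "ou-xxxx-00000000"},
            "account": {"accountName": "service-a-test", "accountId": "111111111111"},
            "state": "SUCCEEDED"}}}}

if __name__ == "__main__":
    print(json.dumps(plan_customisation(SAMPLE_EVENT), indent=2))
```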

Slide 44

Slide 44 text

No content

Slide 45

Slide 45 text

USE CfCT TO DEPLOY_
Monitoring and alerts
AWS GuardDuty config
Additional SCPs
CloudWatch cross-account console
Budgets

Slide 46

Slide 46 text

INTEGRATE WITH SLACK OR TEAMS_

Slide 47

Slide 47 text

No content

Slide 48

Slide 48 text

CLOUDFORMATION VS TERRAFORM (PULUMI, CDK, ETC)_

Slide 49

Slide 49 text

BASELINE
Deployed to all accounts
Limited variation between accounts
Managed by privileged users
Administered by a platform team
Slow rate of change

WORKLOAD
Deployed to a subset of accounts
Managed by application team
High rate of change/deployment
More complex

Slide 50

Slide 50 text

BASELINE USING CLOUDFORMATION_
StackSets are region and multi-account aware
Native support: no bootstrapping, no additional infrastructure

Slide 51

Slide 51 text

USE ANYTHING FOR WORKLOADS_
Teams can choose their own IaC tooling to suit them
Platform should make it easy for them to use their choice of tool.

Slide 52

Slide 52 text

INTEGRATE WITH TERRAFORM CLOUD_

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

WHAT ABOUT ACCOUNT FACTORY FOR TERRAFORM?_

Slide 55

Slide 55 text

No content

Slide 56

Slide 56 text

AFT DOWNSIDES_
Requires costly “serverful” infrastructure
Makes Terraform feel like CloudFormation 😱
Slow feedback loops
Not very ergonomic

Slide 57

Slide 57 text

INTEGRATE WITH YOUR IdP_

Slide 58

Slide 58 text

WHY INTEGRATE YOUR IdP?_
Central user management
Increased security
Comply with regulations
Integrate with device management (e.g. Kolide)

Slide 59

Slide 59 text

SUPPORTED IdPs_
Azure AD
CyberArk
Google Workspace
JumpCloud
Okta
OneLogin
PingIdentity

Slide 60

Slide 60 text

PART 3 CONTROL TOWER FOR COMPLIANCE_

Slide 61

Slide 61 text

ISO/IEC 27001
Defines requirements for an ISMS
Non-prescriptive
Risk-based approach

Slide 62

Slide 62 text

WHY DO WE NEED ISO 27001?_

Slide 63

Slide 63 text

SUPPLIER QUESTIONNAIRES_

Slide 64

Slide 64 text

WITH COMPLIANCE_
Questionnaires are easier to answer… or avoided altogether
Sales cycle is shorter
Close bigger deals
Reduce operational risks

Slide 65

Slide 65 text

TWO PARTS_
ISO 27001: Mandatory ISMS requirements
ISO 27002: Optional Annex A controls

Slide 66

Slide 66 text

No content

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

SECURITY CONTROLS_
Preventive (Service Control Policies)
Detective (AWS Config Rules)
Proactive (AWS CloudFormation Hooks)

Slide 69

Slide 69 text

No content

Slide 70

Slide 70 text

No content

Slide 71

Slide 71 text

IMPLEMENTING ANNEX A CONTROLS ON AWS_

Slide 72

Slide 72 text

8.15 LOGGING_
“To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations.”

Slide 73

Slide 73 text

8.15 LOGGING DEPENDENCIES_
5.25 Assessment and decision on information security events
5.28 Collection of evidence
5.37 Privacy & protection of PII
8.10 Information deletion
8.11 Data masking
8.16 Monitoring activities
8.17 Synchronised time sources
8.25 Use of cryptography

Slide 74

Slide 74 text

8.15 LOGGING GUIDELINES_
Log structure & types of events to log
Protected from de-activation (inc. by privileged users)
Protected from deletion & modification
Protected from failure of storage media
Stored in line with the data retention requirements
Sensitive data in logs is protected
Log analytics & anomalous behaviour detection

Slide 75

Slide 75 text

No content

Slide 76

Slide 76 text

8.15 LOGGING GUIDELINES_
Log structure & types of events to log
Protected from de-activation (inc. by privileged users)
Protected from deletion & modification
Protected from failure of storage media
Stored in line with the data retention policy
Sensitive data protection
Log analytics & anomalous behaviour detection

Slide 77

Slide 77 text

No content

Slide 78

Slide 78 text

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail"
      ],
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}
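The CloudTrail-protection SCP above and the "deny access to whole regions" use case from slide 31, exercised by a small policy evaluator so that SCPs can be unit-tested before they are attached to an OU. This is an added example, not from the talk: it implements a deliberately simplified subset of SCP semantics (Deny statements only, Action wildcards, Resource "*", StringEquals/StringNotEquals conditions) and assumes the default FullAWSAccess policy is attached; REGION_DENY and its approved regions are constructed.

```python
import fnmatch

# Simplified SCP semantics (assumption, not AWS's full evaluator): only Deny
# statements, Action wildcards, Resource "*" and StringEquals / StringNotEquals
# conditions are modelled; FullAWSAccess is assumed attached, so allow by default.
CLOUDTRAIL_PROTECT = {  # the SCP shown on the slide
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Resource": "*",
                   "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}],
}
REGION_DENY = {  # constructed: block every action outside two approved regions
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                   "Condition": {"StringNotEquals": {
                       "aws:RequestedRegion": ["eu-west-1", "eu-west-2"]}}}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    """All operator/key pairs must hold. As in IAM, a negated operator
    (StringNotEquals) matches when the key is absent from the request."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringNotEquals":
                ok = actual not in _as_list(expected)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True

def is_allowed(policies, action, context):
    """True unless some attached SCP explicitly denies `action` in `context`."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] != "Deny":
                continue  # allow-list SCPs are not modelled here
            # IAM action matching is case-insensitive with * and ? wildcards.
            if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                       for pat in _as_list(stmt["Action"])):
                continue
            if _condition_holds(stmt.get("Condition", {}), context):
                return False
    return True
```

Because SCPs also bind the root user of member accounts, the same checks describe what a compromised or careless root user could still do in that account.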

Slide 79

Slide 79 text


Slide 80

Slide 80 text

No content

Slide 81

Slide 81 text


Slide 82

Slide 82 text

Diagram repeated from slide 27: the Control Tower landing zone (management account with AWS Control Tower, AWS Organizations, AWS Config, AWS IAM Identity Center, AWS Service Catalog (Account Factory) and AWS CloudFormation StackSets; Security OU with Log Archive and Audit accounts; Sandbox OU with an example account; baselines deployed to each account and logs flowing to the Log Archive account).

Slide 83

Slide 83 text

Diagram: an extended landing zone. Management account: AWS Control Tower, AWS Organizations, AWS Config, AWS IAM Identity Center. Security OU: Log Archive account, Audit account. Infrastructure OU: Shared Services account, Backups account, Security Tooling account. Workload OU: Non-prod OU (Test account, Staging account) and Prod OU (Production account). Developer Sandbox OU: Bob's sandbox account, Alice's sandbox account. Further OUs: Transitional OU, Policy Staging OU, Suspended OU. Every account receives a baseline and the workload and sandbox accounts have a VPC; logs flow to the Log Archive account, with network paths drawn between accounts. Also shown: Amazon Athena, AWS Backup with a backup vault and backup snapshots, AWS Chatbot, Amazon GuardDuty admin, AWS Budgets.

Slide 84

Slide 84 text

MANAGEMENT ACCOUNT

Slide 85

Slide 85 text

SECURITY OU

Slide 86

Slide 86 text

INFRASTRUCTURE OU

Slide 87

Slide 87 text

WORKLOAD OU

Slide 88

Slide 88 text

DEVELOPER SANDBOX OU

Slide 89

Slide 89 text

OTHER OUs

Slide 90

Slide 90 text

COMPLIANCE APPROACH_
Perform a security risk assessment
Score and prioritise those risks
Identify controls from the standard that you wish to adopt
Map these controls to those available in AWS Control Tower
Roll these out

Slide 91

Slide 91 text

WRAPPING UP_

Slide 92

Slide 92 text

SOME TAKEAWAYS_
Control Tower: complex but powerful
Get the most out of it by integrating with other things
Great for governance across all types of business
A key part of any compliance story

Slide 93

Slide 93 text

No content