AWS Landing Zone

Transcript

1. Getting Started with AWS Landing Zones The key to manage

   and govern AWS accounts at scale Will Chalmers (he/him) Solutions Architect

2. • The path to multiple AWS accounts • Where does

   a landing zone fit in? • AWS Multi-Account Strategy • Control Tower & Organizations Agenda

3. The path to multiple accounts

4. None

5. Security / Resource Boundary API Limits / throttling Billing Separation

6. Where does a Landing Zone fit in?

7. Multi Account Structure

8. You Need … Orchestration Framework

9. You need a ‘Landing Zone’ • A configured, secure, scalable,

   multi-account AWS environment based on AWS Frameworks and best practices. • A starting point for new clients/projects/migrations/development & experimentation • An environment that allows for iteration and expansion over time

10. A well-architected Landing Zone

11. Introducing AWS Control Tower A self-service solutions to automate the

    setup of AWS multi-account environments

12. Benefits

13. AWS Organizations Provides tools to centrally govern and manage AWS

    Accounts • Quickly scale by creating accounts and allocate resources • Customize environments by applying governance policies • Secure and audit environments • Manage costs and identify cost-saving measures

14. Benefits

15. Dashboard for oversight

16. Guardrail examples Guardrail Type Requirement Enable MFA for the Root

    User Detective Strongly Recommended Disallow public read access to S3 Detective Strongly Recommended Enable AWS Config in All Available Regions Preventive Mandatory Disallow Policy Changes to Log Archive Preventive Mandatory Integrate CloudTrail Events with CloudWatch Logs Preventive Mandatory Disallow Amazon S3 Buckets That Are Not Versioning Enabled Detective Elective Disallow Delete Actions on Amazon S3 Buckets Without MFA Detective Elective

17. Account Creation

18. Thank you! Q&A