Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[JAWS PANKRATION]Will AWS Control Tower take aw...

Yuta Kimi
November 20, 2021

[JAWS PANKRATION]Will AWS Control Tower take away my jobs as multi account administrator? (Control Towerはマルチアカウント管理者の仕事を奪ってくれるのか?)

JAWS PANKRATION 2021 (2021/11/20) 登壇資料。
「AWS Control Tower は私のマルチアカウント管理者の仕事を奪ってくれるのか?」と題して、Control Towerの主要機能とマルチアカウント管理者の主要業務を比較しています。自社やお客さまのマルチアカウント環境構築・運用を推進してきた実績を元にまとめています。マルチアカウント管理はビジネス上の差別化につながらない重労働であり、奪ってもらえるとハッピーだと思います。Control Towerはそのような夢のサービスなのか...!?

Yuta Kimi

November 20, 2021
Tweet

More Decks by Yuta Kimi

Other Decks in Technology

Transcript

  1. Will AWS Control Tower take away my jobs as multi-account

    administrator ? @JAWS PANKRATION 2021
  2. Copyright© Nomura Research Institute, Ltd. All rights reserved. Yuta Kimi

    Nomura Research Institute, Ltd. Well-Architected Review & improvements Multi-account strategy & administration Serverless Design
  3. My Answer 2 Will AWS Control Tower take away my

    jobs as multi-account administrator ? No But… Control Tower moves forward the starting line of multi-account administrator
  4. Today’s Goal 3 Jobs of Multi-account administrator vs. Functions of

    AWS Control Tower  What are the jobs of multi-account administrator ?  Among them, what will Control Tower work ?  Sharing tips for jobs that Control Tower doesn’t cover
  5. Why do we separate AWS accounts ? 4 To give

    developers freedom * The most important thing I think
  6. Case 1: Workloads in a single account 5 Developers (System

    A) System A Developers (System B) System B Developers (System C) System C \You changed our resources !!/ \After your change, my system became strange !!/ Administrators That’s enough!! We operate everything! Make requests with Excel sheet ! Out of Control… In an account, boundary is ambiguous no matter how you try
  7. Case 2: Workloads are separated by accounts 6 Separated accounts

    can give developers freedom Developers (System A) System A Developers (System B) System B Developers (System C) System C Accounts are hard boundary Peaceful ! Administrators We can delegate permissions. “In your account”, free to develop ! Multiple accounts in your organization →Multi-account administrator
  8. Please take away my administrator jobs… 7 Main jobs of

    multi-account administrator are… Undifferentiated Heavy Lifting
  9. What’s multi-account administrator ? 8 Responsible for accelerating AWS Well-Architected

    Design AWS Well-Architected Framework (W-A) * Operational Excellence Security Reliability Performance Efficiency Cost Optimization Providing and Maintaining accounts including Well-Architected baseline * W-A: Architectural and operational best practices in AWS
  10. What’s multi-account administrator ? 9 “Most” multi-account administrators are responsible

    for… Operational Excellence Security Reliability Performance Efficiency Cost Optimization Providing accounts Listing who is owner of the account Incident and knowledge management Preparing deployment pipeline Providing blueprints Multi-account strategy and organizing accounts User ID management Maintaining and monitoring security guardrail security guardrail Central logging for audit logs Providing audit environment Configuring security services Security event response Service quota management Providing redundant network Aggregating AWS health events Providing monitoring template / central monitoring Data Backup management Maintaining network Providing monitoring template Analyzing what services / resources are used Recommending what services / resources are used Informing service updates Allocating cost to project Monitoring and analyzing cost Analyzing resources utilization Checking unused resources/accounts Buying Savings Plans in bulk and share in the organization Informing service updates Which jobs will Control Tower take away ?
  11. Which jobs will Control Tower take away ? 10 Operational

    Excellence Security Reliability Performance Efficiency Cost Optimization Providing accounts Listing who is owner of the account Incident and knowledge management Preparing deployment pipeline Providing blueprints Multi-account strategy and organizing accounts User ID management Maintaining and monitoring security guardrail security guardrail Central logging for audit logs Providing audit environment Configuring security services Security event response Service quota management Providing redundant network Aggregating AWS health events Providing monitoring template / central monitoring Data Backup management Maintaining network Providing monitoring template Analyzing what services / resources are used Recommending what services / resources are used Informing service updates Allocating cost to project Monitoring and analyzing cost Analyzing resources utilization Checking unused resources/accounts Buying Savings Plans in bulk and share in the organization Informing service updates Target of Control Tower is security pillar Covered by Control Tower Security is Job Zero. →Control Tower moves forward the starting line of the administrators
  12. Functions of Control Tower 11 Control Tower integrates several managed

    services Organizations 1 Organizing multiple accounts 2 Single sign-on to multi-account 3 Central logging for audit logs Single Sign-On CloudTrail Config 5 Dashboard for compliance status 6 Providing audit account 7 Creating accounts with baseline setting Config Rules Org. SCP Config aggregator 4 Providing basic security guardrail Config aggregator Role Service Catalog
  13. Functions of Control Tower 12 Control Tower integrates several managed

    services Organizations 1 Organizing multiple accounts 2 Single sign-on to multi-account 3 Central logging for audit logs Single Sign-On CloudTrail Config 5 Dashboard for compliance status 6 Providing audit account Config Rules Org. SCP Config aggregator 4 Providing basic security guardrail Config aggregator Role [Related session] 22:20~22:40 Takao Hojo No more Excel Forms! Easily create an AWS account with Account Factory 7 Creating accounts with baseline setting Service Catalog
  14. Focusing on the jobs that Control Tower doesn’t cover 13

    Operational Excellence Security Reliability Performance Efficiency Cost Optimization Providing accounts Listing who is owner of the account Incident and knowledge management Preparing deployment pipeline Providing blueprints Multi-account strategy and organizing accounts User ID management Maintaining and monitoring security guardrail security guardrail Central logging for audit logs Providing audit environment Configuring security services Security event response Service quota management Providing redundant network Aggregating AWS health events Providing monitoring template / central monitoring Data Backup management Maintaining network Providing monitoring template Analyzing what services / resources are used Recommending what services / resources are used Informing service updates Allocating cost to project Monitoring and analyzing cost Analyzing resources utilization Checking unused resources/accounts Buying Savings Plans in bulk and share in the organization Informing service updates Best 3 additional implementations I recommend Covered by Control Tower I selected the ones that are easy to implement
  15. Aggregating AWS health events 14 Let’s click “Enable organizational view”

    now * No additional cost * + You should implement notification You can confirm all affected resources in your organization
  16. Analyzing resource utilization 15 Enable following 2 services with AWS

    Organizations * No additional cost (In case of S3 Storage Lens with free metric) Compute Optimizer Analyzing historical compute utilization and recommending optimal resources S3 Storage Lens Visualizing S3 usage and activity trends, and recommending to improve cost-efficiency
  17. Compute Optimizer with AWS Organizations 16 Click “Opt in” with

    “All member accounts…” * No additional cost You can confirm over/under provisioned compute resources in your organization
  18. S3 Storage Lens with AWS Organizations 17 Create dashboard including

    all accounts in your organization * No additional cost (In case of free metric) You can confirm utilization metric of the buckets in your organization. [Point] Identify buckets holding large amounts of data in standard storage class
  19. Configuring security services 18 Auto configuring security services to all

    new accounts. At least, I highly recommend following 3 services * Require additional cost Security Hub Security checks for AWS recourses and aggregating security alerts GuardDuty Threat Detection for account and some resources IAM Access Analyzer Identifying resources that are shared with an external entity
  20. Configuring security services 19 Management account Security account account_1 Security

    Hub GuardDuty Access Analyzer (Organization) Auto-enable ON Auto-enable ON Delegate the services administrator account_2 Auto enabled when account created Aggregating Security Findings Auto enabled when account created In the security account (delegated the services administrator),  Security Hub & GuardDuty : Set Auto-enable to “ON”  Access Analyzer : Create analyzer with the organization as the zone Checking all accounts
  21. Thank you ! 20 Multi-account administrator is responsible for accelerating

    AWS Well-Architected Design 1 Control Tower moves forward the starting line of multi-account administrator 2 Sharing the Best 3 additional implementations I recommend 3