[JAWS PANKRATION]Will AWS Control Tower take away my jobs as multi account administrator? （Control Towerはマルチアカウント管理者の仕事を奪ってくれるのか？）

Transcript

1. Will AWS Control Tower take away my jobs as multi-account

   administrator ? @JAWS PANKRATION 2021

2. Copyright© Nomura Research Institute, Ltd. All rights reserved. Yuta Kimi

   Nomura Research Institute, Ltd. Well-Architected Review & improvements Multi-account strategy & administration Serverless Design

3. My Answer 2 Will AWS Control Tower take away my

   jobs as multi-account administrator ? No But… Control Tower moves forward the starting line of multi-account administrator

4. Today’s Goal 3 Jobs of Multi-account administrator vs. Functions of

   AWS Control Tower  What are the jobs of multi-account administrator ?  Among them, what will Control Tower work ?  Sharing tips for jobs that Control Tower doesn’t cover

5. Why do we separate AWS accounts ? 4 To give

   developers freedom * The most important thing I think

6. Case 1: Workloads in a single account 5 Developers (System

   A) System A Developers (System B) System B Developers (System C) System C ＼You changed our resources !!／ ＼After your change, my system became strange !!／ Administrators That’s enough!! We operate everything! Make requests with Excel sheet ! Out of Control… In an account, boundary is ambiguous no matter how you try

7. Case 2: Workloads are separated by accounts 6 Separated accounts

   can give developers freedom Developers (System A) System A Developers (System B) System B Developers (System C) System C Accounts are hard boundary Peaceful ! Administrators We can delegate permissions. “In your account”, free to develop ! Multiple accounts in your organization →Multi-account administrator

8. Please take away my administrator jobs… 7 Main jobs of

   multi-account administrator are… Undifferentiated Heavy Lifting

9. What’s multi-account administrator ? 8 Responsible for accelerating AWS Well-Architected

   Design AWS Well-Architected Framework (W-A) * Operational Excellence Security Reliability Performance Efficiency Cost Optimization Providing and Maintaining accounts including Well-Architected baseline * W-A: Architectural and operational best practices in AWS

10. What’s multi-account administrator ? 9 “Most” multi-account administrators are responsible

    for… Operational Excellence Security Reliability Performance Efficiency Cost Optimization Providing accounts Listing who is owner of the account Incident and knowledge management Preparing deployment pipeline Providing blueprints Multi-account strategy and organizing accounts User ID management Maintaining and monitoring security guardrail security guardrail Central logging for audit logs Providing audit environment Configuring security services Security event response Service quota management Providing redundant network Aggregating AWS health events Providing monitoring template / central monitoring Data Backup management Maintaining network Providing monitoring template Analyzing what services / resources are used Recommending what services / resources are used Informing service updates Allocating cost to project Monitoring and analyzing cost Analyzing resources utilization Checking unused resources/accounts Buying Savings Plans in bulk and share in the organization Informing service updates Which jobs will Control Tower take away ?

11. Which jobs will Control Tower take away ? 10 Operational

    Excellence Security Reliability Performance Efficiency Cost Optimization Providing accounts Listing who is owner of the account Incident and knowledge management Preparing deployment pipeline Providing blueprints Multi-account strategy and organizing accounts User ID management Maintaining and monitoring security guardrail security guardrail Central logging for audit logs Providing audit environment Configuring security services Security event response Service quota management Providing redundant network Aggregating AWS health events Providing monitoring template / central monitoring Data Backup management Maintaining network Providing monitoring template Analyzing what services / resources are used Recommending what services / resources are used Informing service updates Allocating cost to project Monitoring and analyzing cost Analyzing resources utilization Checking unused resources/accounts Buying Savings Plans in bulk and share in the organization Informing service updates Target of Control Tower is security pillar Covered by Control Tower Security is Job Zero. →Control Tower moves forward the starting line of the administrators

12. Functions of Control Tower 11 Control Tower integrates several managed

    services Organizations 1 Organizing multiple accounts 2 Single sign-on to multi-account 3 Central logging for audit logs Single Sign-On CloudTrail Config 5 Dashboard for compliance status 6 Providing audit account 7 Creating accounts with baseline setting Config Rules Org. SCP Config aggregator 4 Providing basic security guardrail Config aggregator Role Service Catalog

13. Functions of Control Tower 12 Control Tower integrates several managed

    services Organizations 1 Organizing multiple accounts 2 Single sign-on to multi-account 3 Central logging for audit logs Single Sign-On CloudTrail Config 5 Dashboard for compliance status 6 Providing audit account Config Rules Org. SCP Config aggregator 4 Providing basic security guardrail Config aggregator Role [Related session] 22:20~22:40 Takao Hojo No more Excel Forms! Easily create an AWS account with Account Factory 7 Creating accounts with baseline setting Service Catalog

14. Focusing on the jobs that Control Tower doesn’t cover 13

    Operational Excellence Security Reliability Performance Efficiency Cost Optimization Providing accounts Listing who is owner of the account Incident and knowledge management Preparing deployment pipeline Providing blueprints Multi-account strategy and organizing accounts User ID management Maintaining and monitoring security guardrail security guardrail Central logging for audit logs Providing audit environment Configuring security services Security event response Service quota management Providing redundant network Aggregating AWS health events Providing monitoring template / central monitoring Data Backup management Maintaining network Providing monitoring template Analyzing what services / resources are used Recommending what services / resources are used Informing service updates Allocating cost to project Monitoring and analyzing cost Analyzing resources utilization Checking unused resources/accounts Buying Savings Plans in bulk and share in the organization Informing service updates Best 3 additional implementations I recommend Covered by Control Tower I selected the ones that are easy to implement

15. Aggregating AWS health events 14 Let’s click “Enable organizational view”

    now * No additional cost * + You should implement notification You can confirm all affected resources in your organization

16. Analyzing resource utilization 15 Enable following 2 services with AWS

    Organizations * No additional cost (In case of S3 Storage Lens with free metric) Compute Optimizer Analyzing historical compute utilization and recommending optimal resources S3 Storage Lens Visualizing S3 usage and activity trends, and recommending to improve cost-efficiency

17. Compute Optimizer with AWS Organizations 16 Click “Opt in” with

    “All member accounts…” * No additional cost You can confirm over/under provisioned compute resources in your organization

18. S3 Storage Lens with AWS Organizations 17 Create dashboard including

    all accounts in your organization * No additional cost (In case of free metric) You can confirm utilization metric of the buckets in your organization. [Point] Identify buckets holding large amounts of data in standard storage class

19. Configuring security services 18 Auto configuring security services to all

    new accounts. At least, I highly recommend following 3 services * Require additional cost Security Hub Security checks for AWS recourses and aggregating security alerts GuardDuty Threat Detection for account and some resources IAM Access Analyzer Identifying resources that are shared with an external entity

20. Configuring security services 19 Management account Security account account_1 Security

    Hub GuardDuty Access Analyzer (Organization) Auto-enable ON Auto-enable ON Delegate the services administrator account_2 Auto enabled when account created Aggregating Security Findings Auto enabled when account created In the security account (delegated the services administrator),  Security Hub & GuardDuty : Set Auto-enable to “ON”  Access Analyzer : Create analyzer with the organization as the zone Checking all accounts

21. Thank you ! 20 Multi-account administrator is responsible for accelerating

    AWS Well-Architected Design 1 Control Tower moves forward the starting line of multi-account administrator 2 Sharing the Best 3 additional implementations I recommend 3