[JAWS PANKRATION] Will AWS Control Tower take away my jobs as multi-account administrator? (Japanese title: Will Control Tower take the multi-account administrator's job off my hands?)

Yuta Kimi
November 20, 2021

Presentation material for JAWS PANKRATION 2021 (2021/11/20).
Under the title "Will AWS Control Tower take away my job as a multi-account administrator?", this deck compares the main functions of Control Tower with the main duties of a multi-account administrator. It is based on my experience driving the construction and operation of multi-account environments for my own company and for customers. Multi-account administration is heavy lifting that does not differentiate the business, so I would be happy to have it taken off my hands. Is Control Tower that kind of dream service...!?

Transcript

  1. Will AWS Control Tower take away my jobs as multi-account administrator?
    @JAWS PANKRATION 2021

  2. Yuta Kimi, Nomura Research Institute, Ltd.
    Well-Architected Review & improvements
    Multi-account strategy & administration
    Serverless Design
    Copyright© Nomura Research Institute, Ltd. All rights reserved.

  3. My Answer
    Will AWS Control Tower take away my jobs as multi-account administrator?
    No.
    But Control Tower moves the starting line of the multi-account administrator forward.

  4. Today’s Goal
    Jobs of the multi-account administrator vs. functions of AWS Control Tower
    - What are the jobs of a multi-account administrator?
    - Which of them will Control Tower do for us?
    - Sharing tips for the jobs that Control Tower doesn’t cover

  5. Why do we separate AWS accounts?
    To give developers freedom
    * The most important thing, I think

  6. Case 1: Workloads in a single account
    [Diagram] Developers of System A, System B and System C all work in one account, with the Administrators in the middle.
    Developers: “You changed our resources!!” / “After your change, my system became strange!!”
    Administrators: “That’s enough!! We operate everything! Make requests with an Excel sheet!”
    Out of control…
    In a single account, the boundary is ambiguous no matter how you try.

  7. Case 2: Workloads are separated by accounts
    Separated accounts can give developers freedom.
    [Diagram] Developers of System A, System B and System C each work in their own account; accounts are a hard boundary. Peaceful!
    Administrators: “We can delegate permissions. In your account, you are free to develop!”
    Multiple accounts in your organization → multi-account administrator

  8. Please take away my administrator jobs…
    The main jobs of a multi-account administrator are… undifferentiated heavy lifting.

  9. What’s a multi-account administrator?
    Responsible for accelerating AWS Well-Architected design.
    AWS Well-Architected Framework (W-A)*: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization
    Providing and maintaining accounts, including a Well-Architected baseline.
    * W-A: architectural and operational best practices in AWS

  10. What’s a multi-account administrator?
    “Most” multi-account administrators are responsible for… (jobs grouped by W-A pillar)
    Operational Excellence:
    - Providing accounts
    - Listing who is the owner of the account
    - Incident and knowledge management
    - Preparing deployment pipeline
    - Providing blueprints
    - Multi-account strategy and organizing accounts
    Security:
    - User ID management
    - Maintaining and monitoring security guardrail
    - Central logging for audit logs
    - Providing audit environment
    - Configuring security services
    - Security event response
    Reliability:
    - Service quota management
    - Providing redundant network
    - Aggregating AWS health events
    - Providing monitoring template / central monitoring
    - Data backup management
    - Maintaining network
    Performance Efficiency:
    - Providing monitoring template
    - Analyzing what services / resources are used
    - Recommending what services / resources are used
    - Informing service updates
    Cost Optimization:
    - Allocating cost to project
    - Monitoring and analyzing cost
    - Analyzing resource utilization
    - Checking unused resources/accounts
    - Buying Savings Plans in bulk and sharing them in the organization
    - Informing service updates
    Which jobs will Control Tower take away?

  11. Which jobs will Control Tower take away?
    (Same table as the previous slide; items covered by Control Tower are highlighted on the slide.)
    Operational Excellence:
    - Providing accounts
    - Listing who is the owner of the account
    - Incident and knowledge management
    - Preparing deployment pipeline
    - Providing blueprints
    - Multi-account strategy and organizing accounts
    Security:
    - User ID management
    - Maintaining and monitoring security guardrail
    - Central logging for audit logs
    - Providing audit environment
    - Configuring security services
    - Security event response
    Reliability:
    - Service quota management
    - Providing redundant network
    - Aggregating AWS health events
    - Providing monitoring template / central monitoring
    - Data backup management
    - Maintaining network
    Performance Efficiency:
    - Providing monitoring template
    - Analyzing what services / resources are used
    - Recommending what services / resources are used
    - Informing service updates
    Cost Optimization:
    - Allocating cost to project
    - Monitoring and analyzing cost
    - Analyzing resource utilization
    - Checking unused resources/accounts
    - Buying Savings Plans in bulk and sharing them in the organization
    - Informing service updates
    The target of Control Tower is the Security pillar.
    Security is Job Zero.
    → Control Tower moves the starting line of the administrators forward.

  12. Functions of Control Tower
    Control Tower integrates several managed services:
    1. Organizing multiple accounts (Organizations)
    2. Single sign-on to multi-account (Single Sign-On)
    3. Central logging for audit logs (CloudTrail, Config)
    4. Providing basic security guardrail (Config Rules, Org. SCP)
    5. Dashboard for compliance status (Config aggregator)
    6. Providing audit account (Config aggregator, Role)
    7. Creating accounts with baseline setting (Service Catalog)

  13. Functions of Control Tower
    Control Tower integrates several managed services:
    1. Organizing multiple accounts (Organizations)
    2. Single sign-on to multi-account (Single Sign-On)
    3. Central logging for audit logs (CloudTrail, Config)
    4. Providing basic security guardrail (Config Rules, Org. SCP)
    5. Dashboard for compliance status (Config aggregator)
    6. Providing audit account (Config aggregator, Role)
    7. Creating accounts with baseline setting (Service Catalog)
       [Related session] 22:20~22:40 Takao Hojo: “No more Excel Forms! Easily create an AWS account with Account Factory”
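Function 4 above is the one most worth understanding as an administrator: a preventive guardrail is an Organizations SCP attached above the member accounts, and it bounds what any identity policy in those accounts can grant. The following is an added example, not code from the deck or from AWS: a constructed SCP written in the style of the Control Tower guardrail that protects the organization-wide CloudTrail (the policy text is illustrative, not Control Tower's actual policy) together with a small evaluator that answers "would this Deny statement apply to this principal and action?". The role name AWSControlTowerExecution is the role Control Tower uses in member accounts; the account IDs and the Developer role are placeholders.

```python
import re

# Constructed example of a preventive guardrail SCP, in the style of the
# Control Tower guardrail that protects the organization-wide CloudTrail.
# The statement text is illustrative, not Control Tower's actual policy.
# "AWSControlTowerExecution" is the role Control Tower uses in member accounts.
CLOUDTRAIL_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectAuditTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
                }
            },
        }
    ],
}


def _iam_glob(pattern, ignore_case):
    """Compile an IAM-style pattern (* and ? wildcards) into a regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE if ignore_case else 0)


def _any_match(patterns, value, ignore_case):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_iam_glob(p, ignore_case).match(value) for p in patterns)


def scp_denies(policy, action, principal_arn):
    """Return True if an explicit Deny statement in the SCP applies to this
    action for this principal.

    Only the Deny side of SCP evaluation is modelled: an SCP never grants
    anything, it only bounds what identity policies in the member account can
    grant, and it does not apply to the management account at all.
    """
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        # Action names are case-insensitive in IAM.
        if not _any_match(statement.get("Action", []), action, ignore_case=True):
            continue
        condition = statement.get("Condition", {})
        exempt = condition.get("ArnNotLike", {}).get("aws:PrincipalARN")
        # ArnNotLike is satisfied (so the Deny applies) unless the principal
        # matches one of the listed ARN patterns; ARN matching is case-sensitive.
        if exempt is not None and _any_match(exempt, principal_arn, ignore_case=False):
            continue
        return True
    return False


if __name__ == "__main__":
    # Placeholder account ID and role names, constructed for this example.
    developer = "arn:aws:iam::111122223333:role/Developer"
    control_tower = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
    for arn in (developer, control_tower):
        for action in ("cloudtrail:StopLogging", "cloudtrail:LookupEvents"):
            verdict = "denied" if scp_denies(CLOUDTRAIL_GUARDRAIL, action, arn) else "not denied"
            print(f"{arn.rsplit('/', 1)[1]:26} {action:28} {verdict}")
```

A developer role in a member account is denied StopLogging even if its identity policy allows it, while the Control Tower execution role is exempt so Control Tower can still manage the trail; read-only LookupEvents is untouched. Two checks worth keeping in mind when you write your own guardrails: SCPs never apply to the management account, and a principal whose ARN differs only in case from the exemption pattern is still denied, because ARN conditions are case-sensitive.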

  14. Focusing on the jobs that Control Tower doesn’t cover
    (Same table as slide 10; items covered by Control Tower are highlighted on the slide.)
    Operational Excellence:
    - Providing accounts
    - Listing who is the owner of the account
    - Incident and knowledge management
    - Preparing deployment pipeline
    - Providing blueprints
    - Multi-account strategy and organizing accounts
    Security:
    - User ID management
    - Maintaining and monitoring security guardrail
    - Central logging for audit logs
    - Providing audit environment
    - Configuring security services
    - Security event response
    Reliability:
    - Service quota management
    - Providing redundant network
    - Aggregating AWS health events
    - Providing monitoring template / central monitoring
    - Data backup management
    - Maintaining network
    Performance Efficiency:
    - Providing monitoring template
    - Analyzing what services / resources are used
    - Recommending what services / resources are used
    - Informing service updates
    Cost Optimization:
    - Allocating cost to project
    - Monitoring and analyzing cost
    - Analyzing resource utilization
    - Checking unused resources/accounts
    - Buying Savings Plans in bulk and sharing them in the organization
    - Informing service updates
    Legend on the slide: “Covered by Control Tower”; “Best 3 additional implementations I recommend”
    I selected the ones that are easy to implement.

  15. Aggregating AWS health events
    Let’s click “Enable organizational view” now.
    * No additional cost
    + You should implement notification.
    You can confirm all affected resources in your organization.
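The slide leaves the "you should implement notification" part to the reader. The following is an added example, not code from the deck: the organizational view is enabled with the Health API (which is only served from us-east-1), and an EventBridge rule on the management account's event bus forwards Health events to an SNS topic. The notification path, the rule name, the topic ARN, the account IDs and the sample events are all assumptions constructed for this example; the pattern matcher is a deliberately minimal model of EventBridge matching so that the rule can be checked offline before it is deployed.

```python
import json

# Event pattern for an EventBridge rule in the management account (constructed
# for this example). It keeps issues and scheduled changes and drops account
# notifications such as billing notices.
ORG_HEALTH_PATTERN = {
    "source": ["aws.health"],
    "detail-type": ["AWS Health Event"],
    "detail": {"eventTypeCategory": ["issue", "scheduledChange"]},
}


def pattern_matches(pattern, event):
    """Minimal EventBridge matcher: every key in the pattern must exist in the
    event, nested dicts recurse, and leaf lists are exact-match alternatives.
    Content filters such as "prefix" or "anything-but" are not modelled."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not pattern_matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


def summarize_for_notification(event):
    """Pull the fields an on-call notification needs out of a Health event."""
    detail = event["detail"]
    return {
        "account": event.get("account"),
        "service": detail.get("service"),
        "type": detail.get("eventTypeCode"),
        "region": event.get("region"),
        "resources": list(event.get("resources", [])),
    }


def notifications(events, pattern=ORG_HEALTH_PATTERN):
    """Apply the rule's pattern and summarize what would be sent to SNS."""
    return [summarize_for_notification(e) for e in events if pattern_matches(pattern, e)]


def deploy_rule(rule_name, topic_arn):
    """Enable organizational view and wire the rule to an SNS topic. Needs boto3
    and management-account credentials; not exercised offline."""
    import boto3
    boto3.client("health", region_name="us-east-1").enable_health_service_access_for_organization()
    events = boto3.client("events")
    events.put_rule(Name=rule_name, EventPattern=json.dumps(ORG_HEALTH_PATTERN), State="ENABLED")
    events.put_targets(Rule=rule_name, Targets=[{"Id": "sns", "Arn": topic_arn}])


# Constructed sample events in the shape EventBridge delivers (placeholder IDs).
SAMPLE_EVENTS = [
    {
        "source": "aws.health", "detail-type": "AWS Health Event",
        "account": "111122223333", "region": "ap-northeast-1",
        "resources": ["i-0123456789abcdef0"],
        "detail": {"service": "EC2", "eventTypeCategory": "issue",
                   "eventTypeCode": "AWS_EC2_EXAMPLE_DEGRADED_EVENT"},
    },
    {
        "source": "aws.health", "detail-type": "AWS Health Event",
        "account": "444455556666", "region": "us-east-1", "resources": [],
        "detail": {"service": "BILLING", "eventTypeCategory": "accountNotification",
                   "eventTypeCode": "AWS_BILLING_EXAMPLE_NOTIFICATION"},
    },
    {
        "source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
        "account": "111122223333", "region": "ap-northeast-1", "resources": [],
        "detail": {"state": "stopped"},
    },
]

if __name__ == "__main__":
    for item in notifications(SAMPLE_EVENTS):
        print(item)
```

Running the sample through the pattern forwards only the EC2 issue: the billing notice is filtered by eventTypeCategory and the EC2 state-change event is not a Health event at all. Because the summary carries the member account ID and the affected resource IDs, the on-call engineer can see which account owner to contact without opening the console.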

  16. Analyzing resource utilization
    Enable the following 2 services with AWS Organizations.
    * No additional cost (in the case of S3 Storage Lens with free metrics)
    - Compute Optimizer: analyzes historical compute utilization and recommends optimal resources
    - S3 Storage Lens: visualizes S3 usage and activity trends, and recommends how to improve cost-efficiency

  17. Compute Optimizer with AWS Organizations
    Click “Opt in” with “All member accounts…”.
    * No additional cost
    You can confirm over- and under-provisioned compute resources in your organization.

  18. S3 Storage Lens with AWS Organizations
    Create a dashboard that includes all accounts in your organization.
    * No additional cost (in the case of free metrics)
    You can confirm the utilization metrics of the buckets in your organization.
    [Point] Identify buckets holding large amounts of data in the Standard storage class.
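Slides 16 to 18 are one procedure: opt the whole organization into Compute Optimizer, create an organization-wide Storage Lens dashboard on free metrics, and then look for buckets with a large STANDARD footprint. The following is an added example, not code from the deck: the two API calls are isolated in one function that needs boto3 and management-account credentials (Storage Lens also needs trusted access enabled for it in Organizations), while the analysis step runs offline over constructed sample rows. The config ID, organization ARN, account IDs, bucket names and sizes are all placeholders, and the row layout is an assumption rather than the exact Storage Lens export format.

```python
STANDARD = "STANDARD"
TB = 1_000_000_000_000


def storage_lens_org_config(config_id, org_arn):
    """Payload for s3control.put_storage_lens_configuration that covers every
    account in the organization with free (bucket-level) metrics only."""
    return {
        "Id": config_id,
        "IsEnabled": True,
        "AwsOrg": {"Arn": org_arn},
        # An empty BucketLevel keeps the free tier: no advanced metrics.
        "AccountLevel": {"BucketLevel": {}},
    }


def large_standard_buckets(rows, threshold_bytes):
    """rows: (account_id, bucket, storage_class, bytes) tuples. Returns the
    buckets whose STANDARD footprint is at or above the threshold, largest
    first; other storage classes are ignored because they are already tiered."""
    totals = {}
    for account_id, bucket, storage_class, size in rows:
        if storage_class == STANDARD:
            key = (account_id, bucket)
            totals[key] = totals.get(key, 0) + size
    hits = [(acct, bucket, size) for (acct, bucket), size in totals.items()
            if size >= threshold_bytes]
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


def enable_org_utilization_services(config_id, management_account_id, org_arn):
    """Opt in Compute Optimizer for all member accounts and create the
    organization-wide Storage Lens dashboard. Needs boto3 and management-account
    credentials; not exercised offline."""
    import boto3
    boto3.client("compute-optimizer").update_enrollment_status(
        status="Active", includeMemberAccounts=True)
    boto3.client("s3control").put_storage_lens_configuration(
        ConfigId=config_id,
        AccountId=management_account_id,
        StorageLensConfiguration=storage_lens_org_config(config_id, org_arn),
    )


# Constructed sample metrics (placeholder accounts, buckets and sizes).
SAMPLE_ROWS = [
    ("111122223333", "app-logs", "STANDARD", 8 * TB),
    ("111122223333", "app-logs", "GLACIER", 20 * TB),
    ("444455556666", "data-lake", "STANDARD", 3 * TB),
    ("444455556666", "data-lake", "STANDARD", 2_500_000_000_000),
    ("444455556666", "static-site", "STANDARD", 40_000_000),
    ("777788889999", "archive", "DEEP_ARCHIVE", 50 * TB),
]

if __name__ == "__main__":
    for acct, bucket, size in large_standard_buckets(SAMPLE_ROWS, 1 * TB):
        print(f"{acct} s3://{bucket}: {size / TB:.1f} TB in STANDARD")
```

The archive bucket is the largest in the sample but never appears in the output, because its data is already in a cold storage class; the two hits are the buckets where a lifecycle rule or Intelligent-Tiering would actually change the bill, which is the point the slide makes.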

  19. Configuring security services
    Automatically configure security services for all new accounts.
    At least, I highly recommend the following 3 services.
    * Requires additional cost
    - Security Hub: security checks for AWS resources and aggregation of security alerts
    - GuardDuty: threat detection for the account and some resources
    - IAM Access Analyzer: identifying resources that are shared with an external entity

  20. Configuring security services
    [Diagram] The Management account delegates the Security Hub, GuardDuty and Access Analyzer (Organization) administrator to the Security account. In the Security account, Security Hub and GuardDuty have Auto-enable set to ON, so account_1 and account_2 are auto-enabled when created and their security findings are aggregated in the Security account; Access Analyzer checks all accounts.
    In the security account (delegated as the services administrator):
    - Security Hub & GuardDuty: set Auto-enable to “ON”
    - Access Analyzer: create an analyzer with the organization as the zone
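The two halves of the diagram map onto two sets of API calls run with different credentials, and the check an administrator should add afterwards is whether every active member account really ended up enabled. The following is an added example, not code from the deck: delegation from the management account, auto-enable and analyzer creation in the security account, and an offline coverage check run over constructed sample data shaped like the responses of organizations.list_accounts and a service's list_members call. The region, analyzer name, account IDs and member statuses are placeholders.

```python
# Placeholder IDs constructed for this example (not from the deck).
SECURITY_ACCOUNT = "222233334444"


def delegate_from_management_account(security_account_id):
    """Run with management-account credentials. Needs boto3; not run offline."""
    import boto3
    boto3.client("securityhub").enable_organization_admin_account(
        AdminAccountId=security_account_id)
    boto3.client("guardduty").enable_organization_admin_account(
        AdminAccountId=security_account_id)
    # Access Analyzer is delegated through Organizations rather than its own API.
    boto3.client("organizations").register_delegated_administrator(
        AccountId=security_account_id, ServicePrincipal="access-analyzer.amazonaws.com")


def configure_in_security_account(region):
    """Run with security-account credentials. Needs boto3; not run offline."""
    import boto3
    boto3.client("securityhub", region_name=region).update_organization_configuration(
        AutoEnable=True)
    guardduty = boto3.client("guardduty", region_name=region)
    detector_id = guardduty.list_detectors()["DetectorIds"][0]
    guardduty.update_organization_configuration(DetectorId=detector_id, AutoEnable=True)
    # The organization is the zone of trust, as the slide describes.
    boto3.client("accessanalyzer", region_name=region).create_analyzer(
        analyzerName="org-analyzer", type="ORGANIZATION")


def uncovered_accounts(org_accounts, member_status, admin_account_id):
    """org_accounts: entries shaped like organizations.list_accounts()['Accounts'].
    member_status: {account_id: status} as reported by the service's list_members
    call, where 'Enabled' means the service is on in that account.
    Returns the active accounts (other than the delegated admin) that are not
    enabled, sorted for stable reporting."""
    missing = []
    for account in org_accounts:
        account_id = account["Id"]
        if account["Status"] != "ACTIVE" or account_id == admin_account_id:
            continue
        if member_status.get(account_id) != "Enabled":
            missing.append(account_id)
    return sorted(missing)


# Constructed sample data (placeholder account IDs).
SAMPLE_ORG_ACCOUNTS = [
    {"Id": "111122223333", "Name": "management", "Status": "ACTIVE"},
    {"Id": "222233334444", "Name": "security", "Status": "ACTIVE"},
    {"Id": "555566667777", "Name": "account_1", "Status": "ACTIVE"},
    {"Id": "888899990000", "Name": "account_2", "Status": "ACTIVE"},
    {"Id": "123412341234", "Name": "closed-project", "Status": "SUSPENDED"},
]
SAMPLE_GUARDDUTY_MEMBERS = {
    "111122223333": "Enabled",
    "555566667777": "Enabled",
    "888899990000": "Created",  # member record exists, detector not enabled yet
}

if __name__ == "__main__":
    gaps = uncovered_accounts(SAMPLE_ORG_ACCOUNTS, SAMPLE_GUARDDUTY_MEMBERS, SECURITY_ACCOUNT)
    print("accounts without GuardDuty enabled:", gaps or "none")
```

Auto-enable only applies to accounts that join after it is switched on, so accounts that already existed when you delegated administration show up in this check and have to be added as members explicitly; running the check on a schedule also catches an account where someone later disabled the service.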

  21. Thank you!
    1. A multi-account administrator is responsible for accelerating AWS Well-Architected design.
    2. Control Tower moves the starting line of the multi-account administrator forward.
    3. I shared the Best 3 additional implementations I recommend.