Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Building your own Landing Zone
ENT351-R
Brandon Bouier, Solutions Architect, Amazon Web Services
Wallace Printz, Solutions Architect, Amazon Web Services
Lon Miller, Solutions Architect, Amazon Web Services
Workshop registration: http://lz-workshop.us-west-2.elasticbeanstalk.com/
Register for Workshop
http://lz-workshop.us-west-2.elasticbeanstalk.com
Workshop materials and the login password will be sent via email.
Agenda
Why do you need a Landing Zone?
Understand the AWS Landing Zone Design
Demo 1: Tour of AWS Landing Zone deployment and functions
Demo 2: Creating a new AWS Account via the Account Vending Machine
Demo 3: Extending the AWS Landing Zone via the Landing Zone Add-On feature
Customers are faced with:
• Many design decisions
• The need to configure multiple accounts and services
• Establishing a security baseline and governance
Why one account isn’t enough
• Billing
• Many teams
• Security / compliance controls
• Business process
• Isolation
Multi-account approach
[Diagram: AWS Organizations on top; Core Accounts (Security, Shared Services, Network, Log Archive); Team/Group Accounts (Developer Sandbox, Dev, Pre-Prod, Prod, Team Shared Services); Developer Accounts; and a connection to the Data Center]
• Orgs: Account management
• Log Archive: Security logs
• Security: security tools, AWS Config rules
• Shared services: Directory, limit monitoring
• Network: Direct Connect
• Dev Sandbox: Experiments, Learning
• Dev: Development
• Pre-Prod: Staging
• Prod: Production
• Team SS: Team Shared Services, Data Lake
The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup of new AWS multi-account environments:
• Based on AWS best practices and recommendations
• Initial security and governance controls
• Baseline accounts and account vending machine
• Automated deployment
What you get with the AWS Landing Zone
Account Management
• Framework for creating and baselining a multi-account environment
• Initial multi-account structure that includes security, audit, and shared service requirements
• An account vending machine that enables automated deployment of additional accounts with a set of security baselines
Identity & Access Management
• User account access managed through AWS SSO federation
• Cross-account roles enable centralized management
Security & Governance
• Initial account security and AWS Config rules baseline
• Network baseline
Solution Extensibility
• Add on to your AWS Landing Zone deployment
AWS Landing Zone structure – default deployment
[Diagram: AWS Organizations account at the top, with the Shared Services, Log Archive and Security accounts beneath it, and a Parameter store]
Organizations Account
• Account Provisioning
• Account Access (SSO)
Shared Services Account
• Active Directory
• Log Analytics
Log Archive
• Security Logs
Security Account
• Audit / Break-glass
AWS Landing Zone structure – with optional Add-Ons
[Diagram: the default structure (Organizations account with Account Provisioning and Account Access (SSO); Shared Services account with Active Directory and Log Analytics; Log Archive with Security Logs; Security account with Audit / Break-glass; Parameter store) extended with optional Add-Ons]
Account Baseline
• AWS CloudTrail – CloudTrail to local and log archive S3 bucket
• AWS Config – Configuration data forwarded to log archive S3 bucket
• AWS Config rules – Resource security rules (Amazon EBS encryption, etc.)
• GuardDuty – Associate member to GuardDuty Master
• IAM roles and policies – Security Admin and Read-only roles
• IAM password policy – Password complexity required
• Notifications – CloudTrail API activity alarm
• VPC infrastructure – Options for Multi-AZ, multi-subnet
[Diagram: the baseline is applied to each account with AWS CloudFormation]
The AWS Landing Zone Pipeline
Stages: Source → Validate/Build/Test → Deploy Core Account Structure → Deploy Core Resources → Deploy Service Catalog Portfolio/Products → Deploy Baseline Resources → Launch AVM for Core accounts
[Diagram: the Landing Zone Zip File (manifest file plus AWS CloudFormation templates) in an Amazon S3 bucket is processed by AWS CodeBuild; the stages set up AWS Organizations, logging and security credentials, AWS Account Baseline StackSets, the AWS Service Catalog portfolio, the Core StackSet and the vended accounts]
Key Solution Components
Configure AWS Landing Zone infrastructure as code
• Configuration templates define: Core account structure, Service Control Policies, network and security baselines, AWS Service Catalog portfolios/products
• Enable developers to change or extend the AWS Landing Zone implementation
Implementation with AWS CloudFormation templates & StackSets
• Out-of-the-box example AWS Landing Zone implementation to get started quickly. Includes core accounts for security, log audit, and shared services.
Deployment orchestration with AWS CodePipeline and AWS Step Functions
• Enable CI/CD; control event sequencing and synchronization
Key Solution Components (cont.)
Account baseline
• Provide guardrails for preventive control, detective control, and remediation
• Applied to specified Organizational Units and accounts
The Account Vending Machine
• Allow user to create new accounts through Service Catalog
• New accounts baselined automatically
Add-On to your AWS Landing Zone deployment
• Extend with optional add-on capabilities through Service Catalog
AWS Landing Zone – Control Types (Guardrails)
Preventive Controls
• Prohibit or restrict users from disabling or deleting the baseline controls, e.g. an SCP to prevent deleting or disabling CloudTrail/AWS Config
Detective Controls
• Monitor resources for compliance and alert when a resource goes out of compliance, e.g. AWS Config rules to monitor Amazon S3 server-side encryption for all S3 buckets created in an account
Remediation
• Take corrective action to remediate out-of-compliance resources and bring them back to a compliant state, e.g. an SSM document triggered from an AWS Config rule to enable Amazon S3 server-side encryption on a non-compliant S3 bucket
Introduction to the Landing Zone’s Add-On products for Single Sign On (SSO)
• AWS Managed Microsoft Active Directory in the Shared Services account
• AD Connector in the Master account
• AWS SSO configured with Permission Sets
• AD users login from SSO URL to access the Landing Zone accounts
[Diagram: users reach the AWS SSO endpoint in the AWS Organizations account (us-east-1); an AWS Directory Connector there connects over VPC peering to AWS Managed AD in the Shared Services account (eu-west-1), giving federated access to AWS accounts in all regions]
Attendee LZ access via SSO
The AWS Landing Zone deployment
Demo 1 (by presenter)
• Stacksets that implement Account Baseline
• Effect of enabled ConfigRules
• Multi-account structure under Organizations
• Logging and aggregation in Log Archive account
Lab 1 (by attendees with Lab 1 Guide)
• Review of GuardDuty Setup and run-time status
What is the Account Vending Machine (AVM)?
An AWS Service Catalog Product which creates new AWS accounts in Organizational Units (OUs), preconfigured with an account security baseline and a predefined network.
Account Vending Machine (AVM) Architecture
Account Vending Machine (AWS Service Catalog)
• Account creation UI
• Account baseline versioning
• Launch constraints
What the AVM does:
• Creates/updates AWS account
• Apply account baseline stack sets
• Create network baseline
• Apply account security control policy
[Diagram: AWS Service Catalog launches the Account Vending Machine, which works through AWS Organizations and the Security, Log Archive and Shared Services accounts to produce the new AWS account]
Demo 2 (by presenter)
Access the new AWS account via SSO
Review account baseline in CloudFormation console
Examine Config Rule status
Lab 2 (by attendees with Lab 2 Guide)
Launch AVM from Service Catalog Console in the master account
Verify Service Control Policy baseline
View StackSet that created the new AWS account
Configure SSO to access the new AWS account
Add on to your AWS Landing Zone
Easily add new optional services into your existing AWS Landing Zone deployment.
These Add-On products enable:
• Partners and ISVs to build and share their solutions with customers
• Customers to create new solutions to extend their own deployment
Two AWS Landing Zone add-ons available today
• AWS Active Directory with Remote-Desktop Gateway,
and Active Directory Connector for SSO
• Centralized logging solution
Add-On Deployment Workflow
[Diagram: the Master AWS Landing Zone Configuration Zip File in the Customer Bucket, alongside a Partner Add-On Configuration Zip File (Partner Bucket) and an ISV Add-On Configuration Zip File (ISV Bucket), each delivered into the Customer Bucket]
Launch Add-On Product
In combination with AWS managed services and Amazon Elasticsearch, this solution offers customers a highly available, turnkey environment to begin logging and analyzing their AWS environment and applications.
The AWS Landing Zone Pipeline
Stages: Source → Validate/Build/Test (AWS CodeBuild) → Deploy Core Account Structure and Policies (Organizations / SCP State Machine) → Deploy Core Resources (StackSet State Machine) → Deploy Service Catalog Portfolio/Products (Service Catalog State Machine) → Deploy Baseline Resources (StackSet State Machine) → Launch AVM for Core accounts (Launch AVM State Machine)
[Diagram: the AWS Landing Zone Master Configuration (Landing Zone Zip File) is the source; AWS CodeBuild validates it; each deploy stage invokes its AWS Step Functions state machine through a State Machine Trigger Lambda, producing AWS Organizations, the AWS Account Baseline StackSets, the AWS Service Catalog portfolio and the Core StackSet]
Centralized Logging Add-On Deployment Flow
[Diagram: the AWS Landing Zone Master Configuration (Landing Zone Zip File) in the AWS Organizations master account feeds AWS CodePipeline; the “CoreResource” stage and the “LaunchAVM” stage each run AWS Step Functions, numbered steps 1–3 in the diagram, deploying to the Shared Services Account and then to all other accounts]
Back to demo (AWS CodePipeline, AWS CloudFormation, AWS Step Functions)
Benefits of the AWS Landing Zone
• Automated
• Scalable
• Self-Service
• Guardrails, not blockers
• Auditable
• Flexible
AWS Landing Zone Track: search: “awslandingzone”
Architecture:
SEC303: Architecting Security & Governance across your AWS Landing Zone (Session)
ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session)
Implementation:
ENT350: AWS Landing Zone Deep Dive (Chalk Talk)
SEC349: Governance at Scale (Chalk Talk)
ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session)
Workshops (First three are same content):
ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop)
SEC315: Enterprise Governance and Security - Build Your AWS Landing Zone (Workshop)
GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners)
SEC334: Operational Excellence for Identity & Access Management (Workshop)
Summary/Feedback:
SEC360: AWS Landing Zone Strategies (Chalk Talk)
Thank you!
AWS Landing Zone Workshop Team
alzws@amazon.com
Key things you should know
• The solution sets up new environments; it does not modify existing environments
• Both new and mature customers can use the solution
• This is an AWS Partner/Professional Services deployable solution, not a service
• It is available now and designed to be used for production deployments
• The solution was designed to scale
AWS Accounts
• New Master account:
  • The solution requires a new Organizations Master
• Existing accounts:
  • The solution does not currently support the importing of existing accounts
• Use cases for mature customers:
  • Set up a new environment for a new team/business unit
  • Learn if there are things they want to build into their existing environments
  • Create a scalable environment if they are running into limits with their current AWS environment set up
• Customization / Integration:
  • If customers want modifications or integration of AWS Landing Zone into existing environments, engage AWS Professional Services / Partners
AWS Landing Zone pricing
No additional charge for the AWS Landing Zone solution.
Customers are responsible for the charges of the underlying services (e.g., AWS Config Service, AWS CloudTrail, etc.).
Cost for the basic solution: ~$200 / month
Monthly cost for optional add-ons:
• Centralized logging solution: <$400
• Directory Connector: <$50
• AWS Managed AD plus Remote Desktop Gateway: ~$300