Deploy and Govern at Scale with AWS Control Tower

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     Deploy and Govern at Scale with AWS Control Tower
     Juan Manuel Gomez, Solutions Architect, Public Sector UK, AWS
     Dan Miller, Infrastructure Engineer, University of York
  2. Agenda
     • What’s a landing zone and an AWS Landing Zone?
     • Implementing a landing zone
     • AWS Landing Zone
     • AWS Control Tower
     • University of York’s landing zone journey
     • AWS Landing Zone or AWS Control Tower?
  3. What do customers want to do on AWS?
     • Focus on what differentiates
     • Ideation to instantiation
     • Secure and compliant environment
  4. What do customers need to achieve?
     • Meets the organization’s security and auditing requirements
     • Ready to support highly available and scalable workloads
     • Configurable to support evolving business requirements
  5. You need a “landing zone”
     • A configured, secure, scalable, multi-account AWS environment based on AWS best practices
     • A starting point for net new development and experimentation
     • A starting point for migrating applications
     • An environment that allows for iteration and extension over time
  6. AWS Landing Zone vs. landing zone
     landing zone:
     • Secure pre-configured environment for your AWS presence
     • Scalable and flexible
     • Enables agility and innovation
     AWS Landing Zone:
     • Implementation of a landing zone based on multi-account strategy guidance
     AWS Control Tower:
     • AWS service version of AWS Landing Zone
  7. AWS account: the best isolation boundary
     • Security/resource boundary
     • API limits/throttling
     • Billing separation
  8. Account models: a spectrum from one account to 1,000s of accounts
  9. Why one account isn’t enough
     • Billing
     • Many teams
     • Security / compliance controls
     • Business process
     • Isolation
  10. Goals
     • Guardrails, NOT blockers
     • Auditable
     • Flexible
     • Automated
     • Scalable
     • Self-service
  11. Account security considerations: baseline requirements (diagram keywords: Lock, Enable, Define, Federate, Establish, Identify)
  12. What accounts should I create?
     • Organizations account
     • Security
     • Log Archive
     • Shared Services
     • Network
     • Billing
     • Sandbox
     • Dev
     • Pre-Prod
     • Prod
     • Other
  13. Multi-account approach (diagram: AWS Organizations with core accounts (Security, Shared Services, Network, Log Archive) and team/group accounts (Developer Sandbox, Dev, Pre-Prod, Prod, Team Shared Services), with a network path from the developer accounts to the data center)
     • Orgs: account management
     • Log Archive: security logs
     • Security: security tools, AWS Config rules
     • Shared Services: directory, limit monitoring
     • Network: AWS Direct Connect
     • Dev sandbox: experiments, learning
     • Dev: development
     • Pre-prod: staging
     • Prod: production
     • Team SS: team shared services, data lake
  15. The AWS Landing Zone solution
     An easy-to-deploy solution that automates the setup of new AWS multi-account environments
     • Based on AWS best practices and recommendations
     • Initial security and governance controls
     • Baseline accounts and account vending machine
     • Automated deployment
  16. AWS Landing Zone structure - basic (AWS Organizations with Shared Services, Log Archive and Security accounts)
     • Organizations account: account provisioning; account access (SSO)
     • Shared Services account: Active Directory; log analytics
     • Log Archive: security logs
     • Security account: audit / break-glass
     • Parameter store (diagram label)
  17. Account Vending Machine (AWS Service Catalog)
     • Account creation factory
     • User interface to create new accounts
     • Account baseline versioning
     • Launch constraints
     Workflow: creates/updates AWS account → apply account baseline stack sets → create network baseline → apply account security control policy
     (diagram: the Account Vending Machine in the AWS Organizations account provisions a new AWS account alongside the Security, Log Archive and Shared Services accounts)
  19. Balancing the needs of builders and central cloud IT
     • Builders: stay agile; innovate with the speed and agility of AWS
     • Cloud IT: establish governance; govern at scale with central controls
  20. Business agility and governance control
     • Governance
     • Agility: self-service access, experiment fast, respond quickly to change
  21. AWS Control Tower: easiest way to set up and govern AWS at scale
     Business agility + governance control, in three stages: Enable, Provision, Operate
  22. Enable: enable for governance at scale
  23. Enable governance
     • Set up an AWS landing zone
     • Establish guardrails
     • Automate compliant account provisioning
     • Centralize identity and access
     • Manage continuously
  24. Set up an AWS landing zone
     • Landing zone - a preconfigured, secure, scalable, multi-account AWS environment based on best practice blueprints
     • Multi-account management using AWS Organizations
     • Identity and federated access management using AWS SSO
     • Centralized log archive using AWS CloudTrail and AWS Config
     • Cross-account audit access using AWS SSO and AWS IAM
     • End user account provisioning through AWS Service Catalog
     • Centralized monitoring and notifications using Amazon CloudWatch and Amazon SNS
     (diagram: master account running AWS Control Tower, AWS Organizations, AWS Single Sign-On with its directory, stack sets and AWS Service Catalog; Core OU with a log archive account that aggregates AWS CloudTrail and AWS Config logs and an audit account with security cross-account roles, an Amazon CloudWatch aggregator and security notifications; Custom OU with provisioned accounts carrying an account baseline and a network baseline)
  25. Multi-account architecture
     • Master account: designation of your existing account to create a new organization. Also your master payer account
     • Organization consists of 2 OUs with pre-configured accounts:
       o Core OU: AWS Control Tower-created accounts, i.e., Audit account and Log archive account
       o Custom OU: your provisioned accounts
  26. Centralize identity and access
     • AWS SSO provides default directory for identity
     • AWS SSO also enables federated access management across all accounts in your organization
     • Preconfigured groups (e.g., AWS Control Tower administrators, auditors, AWS Service Catalog end users)
     • Preconfigured permission sets (e.g., admin, read-only, write)
  27. Establish guardrails
     • Guardrails are preconfigured governance rules for security, compliance, and operations
     • Expressed in plain English to provide abstraction over granular AWS policies
     • Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs
     • Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules
     • Mandatory and strongly recommended guardrails for prescriptive guidance
     • Easy selection and enablement on organizational units
     (diagram: a guardrail is enabled on organizational units and applies to their accounts; a preventive guardrail expands to granular AWS policies (an SCP) and the accounts stay always compliant; a detective/remediable guardrail expands to AWS Config rules and each account reports as compliant or non-compliant)
  28. Guardrail examples (goal/category: example)
     • IAM security: require MFA for root user
     • Data security: disallow public read access to Amazon S3 buckets
     • Network security: disallow internet connection via Remote Desktop Protocol (RDP)
     • Audit logs: enable AWS CloudTrail and AWS Config
     • Monitoring: enable AWS CloudTrail integration with Amazon CloudWatch
     • Encryption: ensure encryption of Amazon EBS volumes attached to Amazon EC2 instances
     • Drift: disallow changes to AWS Config rules set up by AWS Control Tower
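As an added example (not from the deck and not AWS Control Tower's own code), the detective side of two guardrails listed above, written the way a custom AWS Config rule evaluates resources, run over constructed sample resources; the dataclasses, field names and sample ids are assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass
class SecurityGroup:
    group_id: str
    ingress: list  # rules: {"proto": "tcp"|"udp"|"-1", "from": int, "to": int, "cidr": str}

@dataclass
class EbsVolume:
    volume_id: str
    encrypted: bool
    attached_instance: Optional[str] = None  # None when the volume is detached

def rule_exposes_rdp(rule: dict) -> bool:
    """True if one ingress rule lets the whole internet (a /0 in v4 or v6) reach TCP/3389 or all traffic."""
    world_open = ip_network(rule["cidr"], strict=False).prefixlen == 0
    covers_rdp = rule["proto"] == "-1" or (rule["proto"] == "tcp" and rule["from"] <= 3389 <= rule["to"])
    return world_open and covers_rdp

def evaluate_security_group(sg: SecurityGroup) -> str:
    """Detective guardrail 'Disallow internet connection via RDP'."""
    return "NON_COMPLIANT" if any(rule_exposes_rdp(r) for r in sg.ingress) else "COMPLIANT"

def evaluate_ebs_volume(vol: EbsVolume) -> str:
    """Detective guardrail 'Ensure encryption of EBS volumes attached to EC2 instances'.
    A detached volume is outside the guardrail's scope, so it is reported NOT_APPLICABLE."""
    if vol.attached_instance is None:
        return "NOT_APPLICABLE"
    return "COMPLIANT" if vol.encrypted else "NON_COMPLIANT"

def evaluate_all(resources: list) -> dict:
    """Map resource id -> status, the shape of the evaluations a Config rule reports."""
    results = {}
    for r in resources:
        if isinstance(r, SecurityGroup):
            results[r.group_id] = evaluate_security_group(r)
        elif isinstance(r, EbsVolume):
            results[r.volume_id] = evaluate_ebs_volume(r)
    return results

SAMPLE_RESOURCES = [  # constructed sample inventory, not data from a real account
    SecurityGroup("sg-rdp-open", [{"proto": "tcp", "from": 3389, "to": 3389, "cidr": "0.0.0.0/0"}]),
    SecurityGroup("sg-all-open", [{"proto": "-1", "from": 0, "to": 65535, "cidr": "::/0"}]),
    SecurityGroup("sg-rdp-vpn", [{"proto": "tcp", "from": 3389, "to": 3389, "cidr": "10.0.0.0/8"}]),
    EbsVolume("vol-enc", encrypted=True, attached_instance="i-0example"),
    EbsVolume("vol-plain", encrypted=False, attached_instance="i-0example"),
    EbsVolume("vol-detached", encrypted=False),
]
```

Calling `evaluate_all(SAMPLE_RESOURCES)` flags the two world-open groups and the unencrypted attached volume, which is the per-resource result a Config rule would surface on the Control Tower dashboard.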
  29. Automate compliant account provisioning
     • Built-in account factory provides a template to standardize account provisioning
     • Configurable network settings (e.g., subnets, IP addresses)
     • Automatic enforcement of account baselines and guardrails
     • Published to AWS Service Catalog
     (diagram: the account factory takes a network baseline (network CIDR, network regions), an OU and an account baseline, and publishes an AWS Service Catalog product; launching it creates a new AWS account with the network baseline, account baseline and guardrails applied)
  30. Provision (AWS Control Tower: easiest way to set up and govern at scale; business agility + governance control)
  31. Self-service account provisioning in AWS Service Catalog
     Users can configure and provision AWS accounts and resources without needing full privileges to AWS services (e.g., Amazon EC2, Amazon RDS)
     (screenshot with numbered steps 1 to 3)
  32. Operate (AWS Control Tower: easiest way to set up and govern at scale; business agility + governance control)
  33. Operate with agility + control
     • Dashboard: continuous visibility into your multi-account environment
     • Act: take operational action on resources
     • Audit: audit resource configurations, user access, and policy enforcement
     • Monitor: monitor resources and workloads
  34. Dashboard for oversight (screenshot)
  35. Pricing and availability: US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland)
  36. Why use AWS Control Tower? Set up a best-practices AWS environment in a few clicks
  37. Summary of key features (slide image)
  38. Dan Miller, Systems & Infrastructure Engineer, University of York: Multi-account AWS environments at scale
  39. Who we are…
     • University of York
     • Campus in North Yorkshire, United Kingdom
     • Research intensive University
     • Over 30 academic departments
     • Over 18,000 students from 140+ countries
     • Over 3,000 staff members
  40. Key points to note
     • BitBucket and BitBucket Pipelines are used to store & deploy code
     • CloudFormation written in YAML for core infrastructure
     • SAM (& CloudFormation) / CDK for application infrastructure
     • Hybrid approach with some data still stored on campus servers* (* for now)
  41. Our old, monolithic structure (diagram)
  42. Why this didn’t work for us…
     • A single development account is a hindrance
     • A desire to centralise our AWS offering within IT Services
     • Creating new accounts didn’t scale well
     • Blast radius was too wide
  43. Landing Zone Benefits
     • Quick and easy way to create multiple accounts
     • Achieve a desired state for each account upon provision
     • Easy management of accounts through Organizational Units
     • Configuration flexibility for ops teams
     • Security and auditing baseline
  44. Organizational Units
     • Sandbox
     • IT Services
     • Departmental
     • Research
     • Quarantine
  45. Sandbox Infrastructure
     • Allows a user access to their own isolated environment
     • Promotes experimentation, adoption and upskill
     • Fully automated provisioning process (<5 minutes)
     • Prevents using other accounts for testing
     • Centralised billing & cost monitoring
  46. Authentication Infrastructure
     • Shibboleth Single Sign-On
     • Allows existing University credentials to be used
     • Duo Multi-Factor Authentication (2FA)
     • SAML based authentication
     • Configured via Identity Providers under IAM
     • Entirely automated provisioning as a baseline
  47. Authentication Infrastructure (login screen screenshot)
  48. Provisioning Infrastructure
     • Service Catalog to create accounts
     • Leverage extensive AWS APIs to streamline the process
     • Call back to internal authentication APIs to make the account known
     • Sends account welcome emails through Simple Email Service
  49. Provisioning Infrastructure
     • Account Type
     • Region
     • Username
     • Shibboleth Authentication Stack
     • VPC Type
     • Workorder (for internal billing)
  50. Campus Connectivity
     • Uses the AWS Transit Gateway service
     • Direct AWS VPN connectivity to a “shared services” account
     • Allows us to share a single VPN Gateway to multiple accounts
     • Reduces cost and allows easier traffic monitoring
  51. Compliance
     • GuardRails to monitor compliance in the environment
     • AWS Config
       o Old pricing model was too costly with multiple accounts
       o “Pay as you go” AWS Config pricing reduces costs
     • Cloud Custodian
       o Free, open source & uses AWS APIs
  52. Internal Tooling
     • Serverless Ruby application
     • Lambda, DynamoDB, ElastiCache, ACM, Cognito & ELB
     • Background lambdas for task processing
     • Not designed to replace AWS functionality, but assist
  53. Authentication Management Overview (screenshot, illustrative data)
  54. AWS Account Management Overview (screenshot, illustrative data)
  55. Billing & Cost Management Overview (screenshot, illustrative data)
  56. Compliance Management Overview (screenshot, illustrative data)
  57. Compliance Management: rule hits (screenshot, illustrative data)
  58. Compliance Management: non-compliant services (screenshot, illustrative data)
  59. Compliance Management: raw service view (screenshot, illustrative data)
  60. The future for York
     • Continue innovating with serverless architecture
     • Further expand our AWS offering within the University
     • Lessen the hybrid restrictions we currently have
     • Increase automation around accounts & deployments
  61. Thank you! dan.miller@york.ac.uk @danmilleruk
  63. AWS Landing Zone vs. AWS Control Tower
     AWS Landing Zone:
     • AWS CloudFormation deployment
     • Fully customizable/owned by customer
     • Most regions supported
     • Complete flexibility on account structure
     • Complex, requiring significant expertise
     AWS Control Tower:
     • Managed service by AWS
     • Fixed blueprints and guardrails
     • Four regions at launch
     • Two non-configurable core accounts, no Shared Services account, no Amazon VPC in core
     • Self-service guided deployment configurable through GUI
  64. AWS Landing Zone to AWS Control Tower?
     Is there a migration path from AWS Landing Zone to AWS Control Tower? Yes, in the near future you will be able to migrate your existing accounts created with the AWS Landing Zone solution to AWS Control Tower. The migration path will occur in several phases to ensure compatibility between Control Tower and your AWS Landing Zone solution, starting with the ability to deploy Control Tower into an existing organization, followed by enabling custom guardrails and custom blueprints for Control Tower.
  65. Which one should I choose?
     • Review AWS Control Tower and its capabilities. Does it meet what you need? → CT
     • Are you willing to start with a fresh new environment? → CT
     • Are you willing to grow with the service? → CT
     • Do you have a team that can take on the complexity of managing the AWS Landing Zone solution? If not → CT
     • Do you have an existing landing zone that meets your current needs and exceeds CT’s feature set? → Evaluate CT, but you may need to wait
     • Do you need full customization and full control over every aspect of the landing zone? → Use ALZ
  66. Thank you!
     Juan Manuel Gomez, Jgrcmz@amazon.co.uk
     Dan Miller, dan.miller@york.ac.uk