Inconsistency starts to rear its head: different groups are doing things differently, resulting in a big ball of spaghetti. What you are lacking is the feeling of control. We don't want to be in the way of making progress, but we have to be in control of what is being deployed. The concept of a Landing Zone does just that.
Landing Zones are a culmination of AWS Best practices that have been identified over the years in our work with customers.
Identify and define the patterns and standards that you want to build to. This drives consistency and helps you define the preventative controls, and the corresponding detective and responsive controls, that you have in place for your organization's security and compliance directives.
Defining and building your governance posture into your infrastructure lets you strike the balance between speed, agility and autonomy on one side and the must-have guardrails on the other. When you provision a new account, VPC or application, what are your must-haves? This will change over time, so incorporate those lessons learned into your evolving baseline.
Treating your infrastructure and its associated baseline as versioned code allows you to consistently maintain your quality and governance standards. Adopting automation into your change and configuration management methods is critical. AWS provides some powerful capabilities in this area, but your existing tooling may work just fine as well.
Core Accounts
Organizations Master account: AWS Organizations enabled with governance over three additional Core Accounts - Security, Shared Services, Logging.
Security account: The Security account creates auditor (read-only) and administrator (full-access) cross-account roles from a Security account to all AWS Landing Zone managed accounts. The intent of these roles is to be used by security and compliance team operational tooling to audit (such as hosting custom AWS Config Rule lambda functions) or perform automated security operations (such as perform automated remediation actions). As a result, we strongly recommend that this account be restricted to authorized security and compliance personnel, and their related security or audit tools.
Shared services account: a core shared services account is created for hosting landing zone infrastructure dependencies.
Log archive account: a dedicated account for securely storing logs for archiving and forensic activities.
Service Catalog is enabled as the 'Account Vending Machine', with a Minimally Secured Account product already configured and ready to deploy.
Account Security
AWS CloudTrail with remote trail logging to an S3 bucket in the central logging account
AWS Config enabled, with configuration logging delivered to an S3 bucket in the central logging account
Provision security account audit and administrative access (Admin and Read Only roles in the Security account and execution roles in all other accounts)
Configure account security SNS notifications
Amazon GuardDuty Master to view and manage Amazon GuardDuty findings from the Security account and its member accounts
Network Security
Deletes the default VPC in all regions
Logging
Centralized location for log storage
Data Security
Enables Config Rules for monitoring EBS volume encryption
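The Security account notes above mention hosting custom AWS Config Rule Lambda functions, and the data security baseline enables a rule that monitors EBS volume encryption. The following is an added example, not code from the page or from the AWS Landing Zone solution, of what such a custom rule's Lambda looks like: it reads the configuration item Config delivers, decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE from the recorded `encrypted` flag, and reports the verdict back with `PutEvaluations`. The invocation event, the volume id and the result token are constructed sample values; the `put_evaluations` injection point is my own addition so the logic can be run without AWS credentials.

```python
import json

# Constructed sample invocation event (not from the page): what AWS Config
# hands a custom rule's Lambda when an EBS volume's configuration changes.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",  # constructed id
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"volumeId": "vol-0123456789abcdef0",
                              "encrypted": False, "size": 8},
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-result-token",
    "eventLeftScope": False,
}


def evaluate_ebs_encryption(item):
    """Compliance verdict for one configuration item.

    Only EBS volumes are in scope; a deleted volume cannot be evaluated.
    """
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") in ("ResourceDeleted",
                                                "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"
    configuration = item.get("configuration") or {}
    # The recorded "encrypted" flag is the property the rule enforces;
    # anything other than an explicit True is treated as non-compliant.
    return "COMPLIANT" if configuration.get("encrypted") is True else "NON_COMPLIANT"


def build_evaluation(event):
    """Turn the invoking event into the Evaluation dict Config expects back."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if event.get("eventLeftScope"):
        # The resource no longer matches the rule's scope (e.g. it was deleted).
        compliance = "NOT_APPLICABLE"
    else:
        compliance = evaluate_ebs_encryption(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, put_evaluations=None):
    """Lambda entry point. put_evaluations is injectable (my addition) so the
    logic runs offline; inside Lambda it defaults to the Config API call."""
    evaluation = build_evaluation(event)
    if put_evaluations is None:
        import boto3  # only needed when running inside AWS Lambda
        put_evaluations = boto3.client("config").put_evaluations
    put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def run_sample():
    """Run the handler against the constructed event with a recording stub."""
    calls = []
    evaluation = lambda_handler(SAMPLE_EVENT, None,
                                put_evaluations=lambda **kw: calls.append(kw))
    return evaluation, calls


if __name__ == "__main__":
    print(json.dumps(run_sample()[0], indent=2))
```

Run as a script it prints the NON_COMPLIANT evaluation for the unencrypted sample volume. The same structure serves any other baseline check (for example a rule that inspects a security group's ingress): only `evaluate_ebs_encryption` changes, while scope handling and the report back to Config stay the same.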
Organizations Account:
Option for Directory Connector Add-On
Amazon Elasticsearch Service integration
Kibana-based log reporting and analysis
AWS CloudTrail
Amazon VPC Flow Logs
Amazon CloudWatch Logs (Apache web server, Common Log Format, Space Delimited, JSON)
Account Security
Option for Microsoft AD Add-On
Option for Centralized Logging Add-On
AWS CloudFormation enables you to create and provision AWS infrastructure deployments in a predictable, repeatable, and automated fashion. You can create templates for the service or application architectures you want and then have AWS CloudFormation use those templates for quick and reliable provisioning of the services or applications (called “stacks”). When you use AWS CloudFormation, you work with templates and stacks.
An AWS CloudFormation template is a JSON text file used to describe the AWS resources and their properties in your infrastructure. For example, in a template, you can describe an Amazon EC2 instance, such as the instance type, the AMI ID, block device mappings, and its Amazon EC2 key pair name. You use these templates to create a stack. A stack is a collection of AWS resources that has been created from a template. You may provision (create) a stack numerous times.
When a stack is provisioned, the AWS resources specified by its template are created. Any AWS usage changes incurred from using these services will start accruing as they are created as part of the AWS CloudFormation stack. When a stack is deleted, the resources associated with the stack are deleted. The order of deletion is determined by AWS CloudFormation; you do not have direct control over what gets deleted when.
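The paragraphs above describe a template as a set of resources with properties, and note that CloudFormation decides the order in which a stack's resources are created and deleted. That order comes from the references between resources (`Ref`, `Fn::GetAtt` and explicit `DependsOn`). The following is an added example, not code from the page or from CloudFormation itself: a constructed sample template for a central CloudTrail log bucket, its bucket policy and a trail (held as the dict that `json.load` of the template file would give you), plus a small walker that extracts the dependency graph and topologically sorts it to show the creation order and its reverse for deletion. The resource names and the alphabetical tie-break are my own choices; real CloudFormation additionally creates independent resources in parallel.

```python
from typing import Dict, List, Set

# Constructed sample template (not from the page): a central CloudTrail log
# bucket, the policy that lets CloudTrail write into it, and a trail using both.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Central CloudTrail log bucket and trail (constructed)",
    "Resources": {
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        },
        "LogBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "LogBucket"},
                "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Sid": "AclCheck", "Effect": "Allow",
                     "Principal": {"Service": "cloudtrail.amazonaws.com"},
                     "Action": "s3:GetBucketAcl",
                     "Resource": {"Fn::GetAtt": ["LogBucket", "Arn"]}},
                    {"Sid": "Write", "Effect": "Allow",
                     "Principal": {"Service": "cloudtrail.amazonaws.com"},
                     "Action": "s3:PutObject",
                     "Resource": {"Fn::Join": ["", [
                         {"Fn::GetAtt": ["LogBucket", "Arn"]}, "/AWSLogs/*"]]},
                     "Condition": {"StringEquals": {
                         "s3:x-amz-acl": "bucket-owner-full-control"}}}]},
            },
        },
        "OrgTrail": {
            "Type": "AWS::CloudTrail::Trail",
            # The policy must be in place before CloudTrail validates the bucket.
            "DependsOn": "LogBucketPolicy",
            "Properties": {"S3BucketName": {"Ref": "LogBucket"}, "IsLogging": True,
                           "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
                           "EnableLogFileValidation": True},
        },
    },
}


def _collect_refs(node, names: Set[str], out: Set[str]) -> None:
    """Walk a property tree and record every Ref / Fn::GetAtt to a resource."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str) and value in names:
                out.add(value)
            elif key == "Fn::GetAtt":  # ["Name", "Attr"] or "Name.Attr"
                target = value[0] if isinstance(value, list) else str(value).split(".")[0]
                if target in names:
                    out.add(target)
            else:
                _collect_refs(value, names, out)
    elif isinstance(node, list):
        for item in node:
            _collect_refs(item, names, out)


def dependencies(template: dict) -> Dict[str, Set[str]]:
    """Map each logical resource to the resources it must be created after."""
    resources = template["Resources"]
    names = set(resources)
    deps: Dict[str, Set[str]] = {}
    for name, body in resources.items():
        found: Set[str] = set()
        _collect_refs(body.get("Properties", {}), names, found)
        explicit = body.get("DependsOn", [])
        for dep in ([explicit] if isinstance(explicit, str) else explicit):
            if dep not in names:
                raise ValueError(f"{name}: DependsOn unknown resource {dep}")
            found.add(dep)
        deps[name] = found
    return deps


def creation_order(template: dict) -> List[str]:
    """Topological order (Kahn's algorithm); ties broken alphabetically."""
    remaining = dependencies(template)
    order: List[str] = []
    while remaining:
        ready = sorted(n for n, d in remaining.items() if not d)
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        for name in ready:
            order.append(name)
            del remaining[name]
        for pending in remaining.values():
            pending.difference_update(ready)
    return order


def deletion_order(template: dict) -> List[str]:
    """Deletion walks the same graph in reverse: dependents are removed first."""
    return list(reversed(creation_order(template)))


if __name__ == "__main__":
    print("create:", creation_order(SAMPLE_TEMPLATE))
    print("delete:", deletion_order(SAMPLE_TEMPLATE))
```

The point for a landing zone baseline is that the log bucket and its policy are created before the trail and, on stack deletion, removed after it; a missing `DependsOn` on the trail is a classic cause of a stack that fails with an "insufficient policy" error on the first create, which the walker makes visible as a missing edge in the graph.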
Private Image Build enables customers to build and run private custom Amazon Machine Images (AMIs) that combine their "gold images" with installable packages provided by AWS Marketplace software vendors. This helps customers comply with their own specific IT policies and server hardening requirements while still taking advantage of all the conveniences of AWS Marketplace, including consolidated AWS billing, AWS Marketplace pricing and licensing models, and rapid, automated deployment.