Security and governance with aws control tower and aws organizations

1© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved | 1© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved |
Digital Transformation Day
Kuwait
Multi Account Structure and Governance
Securely build landing zone with AWS Control Tower
Ahmed Gouda
Solutions Architect, AWS
16 December 2019
/ahmedgouda
@AskGouda

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
An enterprise-ready landing zone framework
Action plan and checklist
AWS Control Tower overview

Old world IT
Bob – IT and security guy Developers

Old world IT: Scale
More Bobs More developers

The cloud makes this easier!
Same Bobs More developers!

One account: Isolation with AWS Identity and Access
Management (IAM) and Amazon Virtual Private Cloud
(Amazon VPC)
Gray boundaries
Complicated and messy over time
Difficult to track resources
People stepping on each other
Everything

Separate developer account
Still can’t track resources or spend
Still have isolation and blast radius concerns
Developers are still stepping on each other
Bob now has to manage IAM and VPCs here too
Development Production

The problem
On-premises posture for the cloud
Inheriting ideas from data center days
Management and Operations don’t trust developers with full access
Developers want to work—really!
DevOps is a great idea
Doesn’t work when Operations is in the way

A new solution: We need the following
• Access to AWS services without barriers
• Ability to fail fast without collateral damage
• Smaller blast radius
• Operations team  Cloud architects
• Everyone able to influence digital transformation
• Costs and resources tracked to individuals and teams
• Optimized code for AWS

Where do we start? With developer accounts
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer

Where do we start? With team accounts
Team or
group
Team or
group
Team or
group
Team or
group
Team or
group

Where do we start? With Operations accounts
Team or
group
Team or
group
Team or
group
Team or
group
Team or
group
Production Staging Development
and UAT

Where do we start? With shared services
Team or
group
Team or
group
Team or
group
Team or
group
Team or
group
and UATCore shared

What are core shared accounts?
Security
Shared services Log archive
Network
Core shared

Shared by tier
Team or
group
Team or
group
Team or
group
Team or
group
Team or
group
and UATCore shared
Team shared
Development
shared

Shared by tier
Team or
group
Team or
group
Team or
group
Team or
group
Team or
group
and UAT
Core shared
Team core
shared
Development
core shared

A different approach
Team Dev Team Dev Team Dev Team Dev Team Dev
Core shared
Team core
shared
Development
core shared
DeveloDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team Stg Team Stg Team Stg Team Stg Team Stg
Team Prod Team Prod Team Prod Team Prod Team Prod
Production
Development
and UAT
Staging
Production
core shared
Staging
core shared

Your own additions
Team Dev Team Dev Team Dev Team Dev Team Dev
Team Stg Team Stg Team Stg Team Stg Team Stg
Team Prod Team Prod Team Prod Team Prod Team Prod
Production
Development
and UAT
Staging
PersonalPersonal PersonalPersonal PersonalPersonalPersonal PersonalPersonal Personal
PersonalPersonal PersonalPersonal PersonalPersonalPersonal PersonalPersonal Personal
Personal
shared
Development
core shared
Staging
core shared
Production
core shared

AWS account
Security and
resource boundary
API limits and
throttling
Billing
separation

Why one account isn’t enough
Billing
Many teams
Security and
compliance controls
Business
process
Isolation

Goals
Guardrails NOT blockers Auditable Flexible
Automated Scalable Self-service

Account security considerations
Baseline requirements
Lock
Enable
Define
Federate
Establish
Identify

What accounts should you create?
Security Shared services Billing
Development ProductionSandbox OtherPre-production
AWS Organizations account
Log archive Network

AWS Organizations Master
• No connection to
data center
• Service control
policies (SCPs)
• Consolidated billing
• Volume discount
• Minimal resources
• Limited access
• Restricted
Organizations role!
Organizations master
Network path
Data
center

SCP: Stop CloudTrail from being disabled
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": ”cloudtrail:StopLogging",
"Resource": "*"
}
]
}

SCP: No Internet gateway for Amazon VPC
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:AttachInternetGateway”,
“ec2:CreateInternetGateway”,
“ec2:AttachEgressOnlyInternetGateway”,
“ec2:CreateVpcPeeringConnection”,
“ec2:AcceptVpcPeeringConnection"
],
"Resource": "*"
}
]

Core accounts
• Foundational
• Building blocks
• Once per
organization
• Their own
development
lifecycle
(development,
QA, production)
Core accounts
Network path
Data
center

Log archive account
• Versioned Amazon
Simple Storage
Service (Amazon S3)
bucket
• Restricted
• Multi-factor
authentication (MFA)
delete
• CloudTrail logs
• Security logs
• Single source of
truth
• Alarm on user login
• Limited access
Core accounts
Log archive
Network path
Data
center

Network path
Security account
• Optional
data center
connectivity
• Security tools
and auditing
• GuardDuty master
• Cross-account
read/write
(automated
tooling)
• Limited access
Core accounts
Log archiveSecurity
Data
center

Network path
Shared services account
• Connection to
data center
• DNS
• LDAP and Active
Directory
• Shared services VPC
• Deployment tools
• Golden Amazon Machine
Image (AMI)
• Pipeline
• Scanning infrastructure
• Inactive instances
• Improper tags
• Snapshot lifecycle
• Monitoring
• Limited access
Security
Core accounts
Log archive
Shared
services
Data
center

Network path
Network account
• Management by
network team
• Networking
services
• AWS Direct
Connect
• Limited access
Security
Core accounts
Shared
services
Log archive
Network
Data
center

Network path
Developer sandbox
• No connection to
data center
• Innovation space
• Fixed spending
limit
• Autonomy
• Experimentation
Security
Core accounts
Shared
services
Network
Log archive
Developer
sandbox
Developer accounts
Data
center

Network path
Team or group accounts
• Based on level of
needed isolation
• Match your
development
lifecycle
• Think small
Developer
sandbox
Security
Core accounts
Shared
services
Network
Log archive
Developer accounts
Data
center

Network path
Development
• Quick
development
and iteration
• Collaboration
space
• Stage of
software
development
lifecycle (SDLC)
Developer
sandbox
Security
Core accounts
Shared
services
Network
Log archive
Developer accounts
Development
Data
center

Network path
Pre-production
• Connection to
data center
• Similarity to
production
• Staging
• Testing
• Automated
deployment
Developer
sandbox
Development
Security
Core accounts
Shared
services
Network
Log archive
Developer accounts
Pre-production
Data
center

Network path
Production
• Connection to
data center
• Production
applications
• Promotion from
pre-production
• Limited access
• Automated
deployments
Developer
sandbox
Development Pre-production
Security
Core accounts
Shared
services
Network
Log archive
Developer accounts
Production
Data
center

Network path
Team shared services
• Organic growth
• Sharing to the
team
• Product-specific
common services
• Data lake
• Common tooling
• Common services
Developer
sandbox
Security
Core accounts
Shared
services
Network
Log archive Production
Developer accounts
Team shared
services
Data
center

Innovation pipeline
Developer
accounts
Developer accounts
PoC
Developer
accounts
Developer accounts
Development
Pre-production
Production
Shared
services
PoC
New initiatives
Experimentation
Innovation

Special exception
Flexibility
Regulation and compliance
Additional isolation and security controls (PCI)

Multi-account approach
Developer
sandbox
Security
Core accounts
Shared
services
Network
Team shared
services
Developer accounts
Organizations: Account management
Log archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: AWS Direct Connect
Developer sandbox: Experiments, learning
Development: Development
Pre-production: Staging
Production: Production
Team shared services: Team shared
services, data lake
Network path
Data
center

Team: Billing tools
• Reduced access
to Organizations
account
• Billing reports
• Usage metrics
and reporting
• Usage
optimizations
and Reserved
Instance (RI)
managementDeveloper
sandbox
Billing tools team accounts
Security
Core accounts
Shared
services
Network
Developer accounts
Network path
Data
center

Team: Internal audit
• Regulatory
compliance
• Read-only access
to needed logs
• Limited access
• re:Invent 2018
ENT315:
Automate &
Audit Cloud
Governance &
Compliance in
Your Landing
Zone
Developer
sandbox
Internal audit team accounts
Security
Core accounts
Shared
services
Network
Developer accounts
Network path
Data
center

Team: Amazing new product
• Match your
development
lifecycle
• Think small
Developer
sandbox
Amazing new product team accounts
Security
Core accounts
Shared
services
Network
Developer accounts
Network path
Data
center

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. 45© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved |
Kuwait
Summary

Multi-account approach
Developer
sandbox
Security
Core accounts
Organizations
Shared
services
Network
Team shared
services
Developer accounts
Organizations: Account management
Log archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: AWS Direct Connect
Developer sandbox: Experiments, learning
Development: Development
Pre-production: Staging
Production: Production
Team shared services: Team shared
services, data lake
Network path
Data
center

QA and staging for the landing zone
Developer
sandbox
Security
Core accounts
Shared
services
Network
Team shared
services
Developer accounts
Test landing zone
changes
Another landing zone
Network path
Data
center

Forensics
Developer
sandbox
Security
Core accounts
Shared
services
Network
Team shared
services
Developer accounts
Isolated forensics area
Nearly invisible
Landing zone with a twist
Network path
Data
center

Next steps
• Define tagging strategy
• Define automation strategy
• Create Organizations master account
• Create log archive account
• Create security account
• Create shared services account
• Create developer sandbox accounts

Action plan
Create Organizations master account
• Create temporary Amazon S3 bucket for
CloudTrail logs
• Enable CloudTrail locally
• Enable Organizations full feature
Create log archive account
• Create buckets for security logs (CloudTrail,
AWS Config)
• Enable MFA delete and versioning
• Define limited access bucket policy
• Add SCP to prevent s3:delete
• Backfill: Enable CloudTrail in Organizations
master account to send logs to log archive
account
• Backfill: Copy CloudTrail logs for actions that
happened between Organizations master
creation and log archive
Create security account
• Backfill: Cross-account roles with trust to security account
for Organizations master and log archive
• Read-only role
• Read/write role (fewer permissions for assumption)
• <CommonCheckList>
• Create security tooling and AWS Lambda functions for
security checks
Create shared services account
• Connect via AWS Direct Connect/VPN to data center
• Launch common services (directory services and limit
monitoring)
Create AWS network account
• Order your AWS Direct Connect

Common checklist
• Secure root credentials
• MFA
• One-time password (OTP)
• Universal 2nd Factor (U2F) could make this easier
for management
https://aws.amazon.com/blogs/security/how-to-
create-and-manage-users-within-aws-sso/
• Complex password
• Establish rotation policy
• Link to Organizations master account if not
already a member
• Use group email and phone as the contact info
• Enable CloudTrail in all Regions, send to log
archive account
• Enable GuardDuty in all Regions
• Operationalize the findings from security account
as GuardDuty master
• Enable AWS Config, send to log archive account
• Enable appropriate AWS Config rules
• Amazon S3 bucket encryptions
• Amazon S3 world read/write
• Amazon EBS encryption (and others)
• Create read-only cross-account security role
• Create read/write cross-account security role
• Create VPC (non-overlapping IP space)
• Enable federation in account
http://federationworkshopreinvent2016.s3-
website-us-east-1.amazonaws.com/
• Define roles and access policies
• Peer or AWS PrivateLink VPC with shared services
• Add a policy for prefix naming conditions to every
account—e.g., deny access to Lambda functions
that start with security*
• Review CIS AWS Foundations Benchmark, and
leverage as appropriate

The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup
of new AWS multi-account environments
Based on AWS best
practices and
recommendations
Initial security
and governance
controls
Baseline accounts
and account
vending machine
Automated
deployment

AWS Landing Zone structure: Basic
AWS Organizations
Shared services Log archive Security
Organizations account
Account provisioning
Account access (SSO)
Shared services account
Active Directory
Log analytics
Log archive
Security logs
Security account
Audit, break-glass
Parameter
store

Account vending machine
• Account vending machine (AWS
Service Catalog)
• Account creation factory
• User interface to create new accounts
• Account baseline versioning
• Launch constraints
• Creation and update of AWS account
• Application of account baseline
stack sets
• Creation of network baseline
• Application of account SCP
AWS
Service
Catalog
Account
vending
machine
Organizations
Security
AWS
Log archive
AWS
Shared services
AWS
AWS
New AWS

Action plan
Create Organizations master account
• Create temporary Amazon S3 bucket for
CloudTrail logs
• Enable CloudTrail locally
• Enable Organizations full feature
Create log archive account
• Create buckets for security logs (CloudTrail,
AWS Config)
• Enable MFA delete and versioning
• Define limited access bucket policy
• Add SCP to prevent s3:delete
• Backfill: Enable CloudTrail in Organizations
master account to send logs to log archive
account
• Backfill: Copy CloudTrail logs for actions that
happened between Organizations master
creation and log archive
Create security account
• Backfill: cross-account roles with trust to security account
for Organizations master and log archive
• Read-only role
• Read/write role (fewer permissions for assumption)
• Create security tooling and AWS Lambda functions for
security checks
Create shared services account
• Connect via AWS Direct Connect/VPN to data center
• Launch common services (directory services and limit
monitoring)
Create AWS network account
• Order your AWS Direct Connect

Common checklist
• Secure root credentials
• MFA
• OTP
• U2F could make this easier for management
https://aws.amazon.com/blogs/security/how-to-
create-and-manage-users-within-aws-sso/
• Complex password
• Establish rotation policy
• Link to Organizations master account if not
already a member
• Use group email and phone as the contact info
• Enable CloudTrail in all Regions, send to log
archive account
• Enable GuardDuty in all Regions
• Operationalize the findings from security account
as GuardDuty master
• Enable AWS Config, send to log archive account
• Enable appropriate AWS Config rules
• Amazon S3 bucket encryptions
• Amazon S3 world read/write
• Amazon EBS encryption (and others)
• Create read-only cross-account security role
• Create read/write cross-account security role
• Create VPC (non-overlapping IP space)
• Enable federation into account
http://federationworkshopreinvent2016.s3-
website-us-east-1.amazonaws.com/
• Define roles and access policies
• Peer or AWS PrivateLink VPC with shared services
• Add a policy for prefix naming conditions to every
account—e.g., deny access to Lambda functions
that start with security*
• Review CIS AWS Foundations Benchmark, and
leverage as appropriate

Policy
enforcement
AWS Landing
Zone
Policy
deployment
Notification Remediation
Account metadata: Owner, function,
policies, BU, SDLC, cost center, etc.
Production
• Encrypt Amazon EBS
• No internet gateway
(IGW)
• Guardrail “x”
QA
• Encrypt Amazon
EBS
• Guardrail “x”
• Guardrail “y”
Policy “p”
• Encrypt Amazon
EBS
• No IGW
• Guardrail “y”
Putting it all together

Kuwait
AWS Control Tower: Set up and govern a
secure, compliant multi-account AWS
environment

Introducing AWS Control Tower:
Consistent and simple multi-account management
Automated AWS setup
Launch an automated
landing zone with best-
practices blueprints
Policy enforcement
Pre-packaged guardrails
to enforce policies or
detect violations
Dashboard for oversight
Continuous visibility
into workload compliance
with controls

Key features and benefits
Account setup
Automated, secure, and scalable
landing zone
Multi-account management
using Organizations
Central logging and multi-account
configuration consistency
Built-in best practices
Multi-account preventive and
detective guardrails
Easy-to-use dashboard and
notifications
Curated rules in plain EnglishAccount provisioning wizard
Guardrails
Landing
zone

AWS Control Tower: Building blocks
AWS Control Tower
Account management Guardrail enforcement
AWS Security Hub
Landing
zone
AWS Landing Zone AWS Organizations

AWS Control Tower’s automated landing zone
AWS Control Tower master account
AWS Control Tower
 AWS Organizations with
master and pre-created
accounts for central log archive
and cross-account audit
 Pre-configured directory and
SSO using AWS SSO (with
Active Directory custom
option)
 Centralized monitoring and
alerts using AWS Config,
CloudTrail, and Amazon
CloudWatch

Account factory
• Account factory for
controls on account
provisioning
• Pre-approved account baselines
with VPC options
• Pre-approved configuration
options
• End-user configuration
and provisioning through
AWS Service Catalog
• Create and update AWS
accounts under
organizational units

Kuwait
Demo

Security and governance with aws control tower and aws organizations

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Security and governance with aws control tower and aws organizations

Ähnlich wie Security and governance with aws control tower and aws organizations (20)

Mehr von Reham Maher El-Safarini

Mehr von Reham Maher El-Safarini (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Security and governance with aws control tower and aws organizations