Aws landing zone
1 like1,110 views
The document outlines best practices for implementing an AWS Landing Zone in a multi-account environment, emphasizing the need for scalability, flexibility, security, and compliance. It discusses various account types such as security, development, and production accounts, as well as essential configurations like multi-factor authentication and centralized logging. Additionally, it details recommended account models, security considerations, and automated provisioning through AWS Organizations.
Aws landing zone
- 1. AWS Landing Zone – Best practices for Multi- account environment Igor Ivanovic
- 2. 47° 40′ Why the AWS Landing Zone ? Custumers are faced with many design decisions, multiple accounts & services, security baseline & governance and they need environment that is: Scalable & Resilient ready to support highly available and scalable workloads Adaptable & Flexible configurable to support envolving business requirements Secure & Compliant meets the organisation security and auditing requirements
- 3. 47° 40′ Account Models 1000s of AccountsOne Account 100s of Accounts Typically organisation start with one account and as your organisation / teams are growing you end up with multi-account environment.
- 4. 47° 40′ Why one account is not enough ? Many Teams Billing Identification Business ProcessIsolation Security & Compliance Controls
- 5. 47° 40′ Goals Automated FlexibleScalable Self-service Auditable
- 6. 47° 40′ Account security considerations ? Federation Use Identity Solutions AWS Directory Service Enable AWS CloudTrail MFA Lock On Root Account Establish Cross Account Roles Define Map Enterprise Roles and Permissions Identify Actions and Conditions to Enforce Governance
- 7. 47° 40′ What Accounts Should I Create ? Organizations Account Logging Security Network Shared Services Billing OUs Sandbox Dev Pre-Prod Prod Other
- 8. 47° 40′ AWS Organizations Master • No connection to Data Center • Service control policies • Consolidated billing • Volume discount • Minimal resources • Limited access • Restrict Organization Role • MFA Enabled • CloudTrail Enabled • Service control policies: • No Internet Gateway for VPC • Stop CloudTrail from being disabled
- 9. 47° 40′ Log Archive • Versioned S3 Bucket • Define limited access bucket policy • MFA Delete • Add SCP to prevent s3:delete • CloudTrail Logs • Send logs from master all regions • AWS Config Logs • Security Logs • Alarm On User Login
- 10. 47° 40′ Network account • Networking services • AWS Direct Connect • Managed by network team • Forward flow logs • Limited access
- 11. 47° 40′ Shared Services • Connected to DC • Active Directory / LDAP • DNS • Shared Services VPC • Deployment Tools • Pipelines • Golden AMI • Monitoring • ECE or ECK • Grafana • Influxdb • Scanning Infrastructure • Inactive instances • Tags
- 12. 47° 40′ Security Account • GuardDuty Master • AWS Config Rules • Security Tools • Cross Account Automated Tooling • Limited Access • Optional data center connectivity
- 13. 47° 40′ Developer Sandbox • Experimenting & Testing Account • Fixed Spending Limit • Forward All Logs To Log Archive • No connection to DC
- 14. 47° 40′ Development Accounts • Develop and iterate quickly • Based on level of needed isolation • Match your development lifecycle • Collaboration space • Stage of development life cycle • Automated deployments • Forward all logs
- 15. 47° 40′ Pre-production Accounts • Based on level of needed isolation • Production like accounts • Staging • Testing • Automated deployment • Connected to DC • Forward all logs
- 16. 47° 40′ Production Accounts • Based on level of needed isolation • Production applications • Promoted from pre-prod • Automated deployments • Limited Access • Forward all logs
- 17. 47° 40′ Team Shared Accounts • Based on level of needed isolation • Shared to team • Product specific common services • Data lake • Forward all logs
- 18. 47° 40′ Multi Account Approach Orgs: Account management Log Archive: Audit, Security Logs Security: Tools, AWS Config Rules Shared Services: Directory, Monitoring Network: Direct Connect Sandbox: Experiments, Learning Dev: Development Pre-Prod: Staging Prod: Productions Team Shared: Data Lake, Services
- 19. 47° 40′ Common account check list • MFA enabled on root user • Create read only cross-account role • Create read/write cross-account role • Integrate SSO with accounts with MFA • Define common roles and access policies (network, operational, billing, read- only) • Enable federation • Enable CloudTrail in all regions – send logs to Log Archive account • Enable GuardDuty in all regions • Security Account is GuardDuty master • Enable AWS Config – send logs to Log Archive account • VPC Peering with Shared Services
- 20. AWS Landing Zone – Design Considerations & Example Implementations
- 21. 47° 40′ Core Accounts AWS Organizations - Automated Provisioning Network Account - Interconnect Shared Services Account Security Account Log Archive Account
- 22. 47° 40′ AWS Organizations – Automated Provisioning
- 23. 47° 40′ AWS Organizations Account is used to host all of assets as part of AWS Landing Zone. • Account Baselines and Baseline Modules are specified uploaded/deployed to s3 bucket of provisioning master account and from there you can deploy modules to newly created account with specific configuration • All accounts should be under Core OU and each team, department should have own OU • All accounts should be integrated with SSO and roles mapped to OU / Department / Business Domain / Team • If your Organization uses Active Directory you can use Directory connector Add-On
- 24. 47° 40′ Networking Account - Interconnect
- 25. 47° 40′ Networking Account - Interconnect • Connection to DC only via Interconnect account to control network and forward flow logs to Log Archive • Isolate networks Production, Pre-Production, Development • While network partitioning keep in mind to use VPC Sharing in same region instead of Transit gateway to save costs - virtually it’s same network • Use VPC Peering only when needed to avoid Complexity and limitation
- 26. 47° 40′ Shared Services Account
- 27. 47° 40′ Shared Services Account shared services baseline is applied to this account which contains • Centralized Logging solution • Centralized Monitoring solution • Centralized Build / Pipeline solution • Centralized Developer tools – Jira, Bitbucket, Jenkins, Artifactory etc. • DNS • Addon Active Directory connector
- 28. 47° 40′ Security Account security baseline is applied to this account which contains • Security notifications via SNS Topic – configures AWS CloudfWatch alarms and events to send a notification on root account, login, console sign- in/authentication failures, root account access, log archive access • GuardDuty Master – manage findings from all accounts • Cross Acount roles – configure audit and emergency security administrative access to AWS accounts from security account.
- 29. 47° 40′ Log Archive Account logging baseline is applied which contains: • S3 Bucket for central logging • Aggregate CloudTrail and Config Logs – account configuration log files are stored centrally in S3 bucket on logging account
- 30. 47° 40′ Network Baseline (Master/Client) Components • Master: • Delete default VPC in all regions • One VPC per network environment (Prod, Dev, Pre-Prod) 3 private/public subnets one per AZ • Enable Resource Share • Client: • Delete default VPC in all regions • Send Invite request to master (Prod, Dev or Pre-Prod) network depends on client environment
- 31. 47° 40′ Security Baseline Components • CloudTrail should do remote logging, all trail logs should be stored in same s3 bucket on logging account • Enable log file bucket encryption and integrity checking • Enable AWS Config and configuration logging to logging account • Enable complex password requirements for IAM • Enable Config rules - encryption required for RDS, S3, EBS, root MFA, insecure Security Group configurations, S3 public read / write permissions, IAM password policy • Configure account security notifications via SNS • Setup GaurdDuty Member • Make sure all logs / log groups are forwarded to central logging system