
Launch Faster using AWS Landing Zones

Sam Elmalak, Solutions Architect
Steve Morad, Manager Solutions Builders

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What do customers want to do on AWS?

• Ideation to instantiation
• Secure and compliant environment
• Focus on what differentiates
Building a Landing Zone can be challenging

• Many design decisions
• Need to configure multiple accounts & services
• Must establish security baseline & governance
You need a Landing Zone that …

• meets the organization’s security and auditing requirements
• is ready to support highly available and scalable workloads
• is configurable to support evolving business requirements
What is a Landing Zone?

• A configured, secure, scalable, multi-account AWS environment based on AWS best practices
• A starting point for net new development and experimentation
• A starting point for customers’ application migration journey
• An environment that allows for iteration and extension over time
Account Security Considerations

Baseline Requirements

• Lock the AWS account credential (“Root Account”)
• Federate: use identity management solutions
• Enable AWS CloudTrail
• Establish InfoSec cross-account roles
• Define: map enterprise roles and permissions
• Identify actions and conditions to enforce governance
Network Architecture considerations

• AWS services in your VPC
• VPC endpoints for Amazon S3
• DNS in-VPC with Amazon Route 53
• Logging VPC traffic with VPC Flow Logs
AWS Organizations master

• No connection to DC
• Service control policies
• Consolidated billing
• Volume discount
• Minimal resources
• Limited access
• Limit Orgs role!

[Diagram: AWS Organizations Account, with no connection to the Data Center]
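The service control policies mentioned on this slide are the Organizations-level guardrail that keeps member accounts from undoing the baseline. The following is an added example, not code from the deck or from the AWS Landing Zone solution: a deny-list SCP that protects CloudTrail and AWS Config and prevents an account from leaving the organization, plus a simplified evaluator that shows how SCPs combine (explicit Deny wins, otherwise an Allow such as the default FullAWSAccess must match). The evaluator is a model for illustration, not the IAM policy engine.

```python
import fnmatch

# Default SCP that AWS attaches to every OU/account (Allow everything).
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Added guardrail SCP (example, not from the deck). Note that SCPs constrain
# IAM users and roles in member accounts; they never affect the master account.
BASELINE_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectCloudTrailAndConfig",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
            ],
            "Resource": "*",
        },
        {
            "Sid": "PreventLeavingOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_allows(policies, action):
    """Simplified SCP evaluation for one action across all attached SCPs.

    An explicit Deny in any policy wins; otherwise at least one Allow must
    match, so detaching FullAWSAccess leaves everything implicitly denied.
    Action matching is case-insensitive and supports IAM-style "*" wildcards.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = _as_list(stmt.get("Action", []))
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```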
Logging Account

• Versioned Amazon S3 bucket
• Restricted
• MFA delete
• CloudTrail logs
• Security logs
• Single source of truth
• Limited access

[Diagram: AWS Organizations Account; Core Accounts (Logging); Data Center]
Security Account

• Optional data center connectivity
• Security tools and audit
• Cross-account read/write
• Limited access
• AWS CloudTrail
• AWS Config

[Diagram: AWS Organizations Account; Core Accounts (Security, Logging); Data Center]
Shared Services Account

• Connected to DC
• LDAP/Active Directory
• Shared Services VPC
• Deployment tools
• Golden AMI pipeline
• Scanning infrastructure: inactive instances, improper tags, snapshot lifecycle
• Monitoring
• Limited access

[Diagram: AWS Organizations Account; Core Accounts (Security, Logging, Network, Shared Services); Data Center]
Developer Sandbox Accounts

• No connection to DC
• Innovation space
• Fixed spending limit
• Autonomous
• Experimentation

[Diagram: AWS Organizations Account; Core Accounts (Security, Billing Tooling, Internal Audit, Logging, Network, Shared Services); Developer Accounts (Developer Sandbox); Data Center]
BU/ Product/ Resource Accounts

• Based on level of needed isolation
• Match your development lifecycle

[Diagram: AWS Organizations Account; Core Accounts (Security, Billing Tooling, Internal Audit, Logging, Network, Shared Services); BU/Product/Resource Accounts; Developer Accounts (Developer Sandbox); Data Center]
Dev Accounts

• Develop and iterate quickly
• Collaboration space
• Stage of SDLC

[Diagram: AWS Organizations Account; Core Accounts (Security, Billing Tooling, Internal Audit, Logging, Network, Shared Services); BU/Product/Resource Accounts (Dev); Developer Accounts (Developer Sandbox); Data Center]
Pre-Prod Accounts

• Connected to DC
• Production-like
• Staging
• QA
• Automated deployments

[Diagram: AWS Organizations Master; Core Accounts (Security, Billing Tooling, Internal Audit, Logging, Network, Shared Services); BU/Product/Resource Accounts (Dev, Pre-Prod); Developer Accounts (Developer Sandbox); Data Center]
Production Accounts

• Connected to DC
• Production applications
• Promoted from Pre-Prod
• Limited access

[Diagram: AWS Organizations Account; Core Accounts (Security, Billing Tooling, Internal Audit, Logging, Network, Shared Services); BU/Product/Resource Accounts (Dev, Pre-Prod, Prod); Developer Accounts (Developer Sandbox); Data Center]
Multi-Account Approach

• Orgs: Account management
• Logging: Centralized logs
• Security: AWS Config Rules, security tools
• Shared services: Directory, DNS, limit monitoring
• Billing Tooling: Cost monitoring
• Sandbox: Experiments
• Dev: Development
• Pre-Prod: Staging
• Prod: Production

[Diagram: AWS Organizations Account; Core Accounts (Security, Billing Tooling, Internal Audit, Logging, Networking, Shared Services); BU/Product/Resource Accounts (Sandbox, Dev, Pre-Prod, Prod); Developer Accounts (Developer Sandbox); Data Center]
Introducing the AWS Landing Zone solution

An automated, easy-to-deploy solution to help you set up new AWS environments and get started with running secure and scalable workloads on AWS

• Based on AWS best practices and recommendations
• Initial security and governance controls
• Baseline accounts and account vending machine
• Automated deployment
What you get with the AWS Landing Zone

Account Management
• Framework for creating and baselining a multi-account environment
• Example initial multi-account structure based on common security, audit, and shared service requirements
• An account vending machine which enables automated deployment of additional accounts with a set of security baselines

Identity & Access Management
• User account access managed through AWS SSO federation

Security & Governance
• Multiple accounts and defining cross-account roles allow implementation of separation of duties across all accounts
• Initial account security and AWS Config rules baseline
• Network baseline
AWS Landing Zone components

Initialization Template

• Easily deploy the AWS Landing Zone

Multi-Account implementation starting point

• Out-of-the-box Landing Zone implementation to get started quickly

Landing Zone update and configuration pipeline

• Easily modify and extend the Landing Zone to grow with your Organization

Initialization Template

CloudFormation Template

• Creates Landing Zone deployment and configuration update pipeline
• Creates a customized AWS Landing Zone implementation package in your account
• Optionally deploys your customized AWS Landing Zone automatically
Multi-Account implementation

[Diagram of the AWS Landing Zone accounts and their components]

Organizations account:
• Amazon S3 bucket (manifest file) feeding AWS CodePipeline
• Account Provisioning (AWS Organizations)
• Account Access (AWS SSO)
• Core OU, StackSets, AWS Service Catalog
• Account Baseline and Network Baseline

Shared Services account:
• AWS SSM
• AWS Microsoft AD (Active Directory)
• Log Analytics
• Account Baseline

Logging account:
• Aggregate CloudTrail and Config Logs
• Account Baseline

Security account:
• Security Cross-Account Roles
• CloudTrail/Config logs
• Log Reporting
• Audit/Break-glass
• Account Baseline
Account Vending Machine implementation

Account Vending Machine (AWS Service Catalog)
• Account creation UI
• Account Baseline Versioning
• Launch Constraints

Provisioning flow for a new AWS account:
• Creates/Updates AWS Account (AWS Organizations)
• Apply Account Baseline stack sets
• Create Network Baseline
• Apply account Service Control Policy (SCP)

[Diagram: Core OU with Security Roles; Security Account; Audit Bucket in the Logging Account; Shared Network in the Shared Services Account; New AWS Account]
Account baseline

AWS CloudTrail
• Central Amazon S3 bucket and local AWS CloudWatch Logs

AWS Config
• 7 Config Rules (EBS/RDS/S3 encryption, IAM password policy, root MFA, S3 public read/write permissions)

IAM Password Policy
• User password change, password complexity/reuse/age/minimum length

Amazon VPC
• Delete default VPC, (optional) create VPC
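A practical way to understand the baseline is to check a member account against it. The following is an added example and not part of the AWS Landing Zone solution: it evaluates the CloudTrail, IAM password policy, root MFA and default-VPC items of the baseline over dicts shaped like the boto3 responses of cloudtrail.describe_trails, iam.get_account_password_policy, iam.get_account_summary and ec2.describe_vpcs. The sample data, the central bucket name and the numeric thresholds (14-character minimum, 90-day age, 24-password reuse) are constructed assumptions; the S3 public-access and encryption rules are not covered here.

```python
CENTRAL_LOG_BUCKET = "example-landing-zone-logs"   # assumed central bucket name

# Constructed sample data for one member account, shaped like the boto3
# responses named in the lead-in. Fix-ups needed: the account uses an
# 8-character minimum, has no root MFA and still has its default VPC.
SAMPLE_TRAILS = {"trailList": [{
    "Name": "lz-trail", "S3BucketName": CENTRAL_LOG_BUCKET,
    "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:lz-trail:*"}]}
SAMPLE_PASSWORD_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24}}
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0}}
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0example", "IsDefault": True}]}


def check_cloudtrail(trails, central_bucket):
    """A multi-region trail must deliver to the central bucket and to CloudWatch Logs."""
    for t in trails["trailList"]:
        if (t.get("IsMultiRegionTrail") and t.get("S3BucketName") == central_bucket
                and t.get("CloudWatchLogsLogGroupArn")):
            return []
    return ["cloudtrail: no multi-region trail to %s with CloudWatch Logs" % central_bucket]


def check_password_policy(policy, min_length=14, max_age=90, reuse=24):
    """Complexity, user password change, age, reuse and minimum length (assumed thresholds)."""
    p = policy.get("PasswordPolicy", {})
    required = ["AllowUsersToChangePassword", "RequireLowercaseCharacters", "RequireNumbers",
                "RequireSymbols", "RequireUppercaseCharacters"]
    findings = ["iam-password-policy: %s not set" % k for k in required if not p.get(k)]
    if p.get("MinimumPasswordLength", 0) < min_length:
        findings.append("iam-password-policy: minimum length below %d" % min_length)
    if not p.get("MaxPasswordAge") or p["MaxPasswordAge"] > max_age:
        findings.append("iam-password-policy: max age missing or above %d days" % max_age)
    if p.get("PasswordReusePrevention", 0) < reuse:
        findings.append("iam-password-policy: reuse prevention below %d" % reuse)
    return findings


def check_root_mfa(summary):
    return [] if summary["SummaryMap"].get("AccountMFAEnabled") == 1 else ["root-account-mfa: disabled"]


def check_default_vpc(vpcs):
    return ["vpc: default VPC %s still present" % v["VpcId"] for v in vpcs["Vpcs"] if v.get("IsDefault")]


def evaluate_baseline(trails, password_policy, summary, vpcs, central_bucket=CENTRAL_LOG_BUCKET):
    """Return every baseline finding; an empty list means the account is compliant."""
    return (check_cloudtrail(trails, central_bucket) + check_password_policy(password_policy)
            + check_root_mfa(summary) + check_default_vpc(vpcs))
```

In a real account the four input dicts come straight from the corresponding boto3 calls made with a read-only cross-account role; the checks themselves never change anything.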
Optional product(s)

Centralized Logging

• Amazon Elasticsearch Service integration
• Kibana-based log reporting and analysis
• AWS CloudTrail
• Amazon VPC Flow Logs
• Amazon CloudWatch Logs (Apache web server, Common Log Format, Space Delimited, JSON)
Deployment and configuration update pipeline

Benefits of the AWS Automated Landing Zone

• Automated
• Scalable
• Self-Service
• Guardrails, NOT Blockers
• Auditable
• Flexible
AWS Landing Zone pricing and availability

• No additional charge for the AWS Landing Zone solution
• Customer responsible for charges for services deployed (e.g., Amazon S3, AWS Config Service, AWS CloudTrail, etc.)
• Can be deployed in any region that has the underlying services available
Options for operating your Landing Zone

Well-Operated State
• Working backwards
• Operating like code
• Designing for failure
• Embracing enterprise DevOps
• Applying guardrails not barriers
• Running lean teams
• Automating everything

Paths to a Well-Operated State

Self Managed
• Service Catalog
• Modeling and Provisioning
• Automation and Operations
• Monitoring and Logging

AWS Managed via AMS
• Month to Month
• AWS Out of the Box
• Curated Services & Management Tools
• Infrastructure Ops, Security & Compliance

Partner/MSP Managed
• 100+ Partners
• Certification Program
• Third Party Audit
• End-to-End Services

AWS Managed + Partner/MSP Managed
Learn More

To learn more, please talk with your account team or visit:

aws.amazon.com/answers/aws-landing-zone

Thank you