© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Building a Landing Zone can be challenging
You need a Landing Zone that is …
What is a Landing Zone?
Account Security Considerations
Baseline Requirements
• Lock AWS Account Credential Management (the "Root Account")
• Federate: use identity solutions
• Enable AWS CloudTrail
• Establish InfoSec cross-account roles
• Define: map enterprise roles and actions to permissions
• Identify conditions to enforce governance
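The first three requirements on this slide (lock the root account, enable AWS CloudTrail, establish InfoSec cross-account roles) only pay off if someone reads the trail. The following is an added example, not code from the deck or from the AWS Landing Zone solution: a stdlib-only scan over a constructed CloudTrail log body that flags root-credential use, console logins without MFA, attempts to tamper with the trail, and cross-account AssumeRole calls. The account IDs, role name, trail name and IP addresses are made up.

```python
"""Detections over CloudTrail records: root-credential use, console logins
without MFA, trail tampering and cross-account AssumeRole.  Added example with
constructed records; account IDs, ARNs and addresses are made up."""
import json
from typing import Dict, List

# Events that blind or redirect the trail; an SCP should deny them, this catches attempts.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed CloudTrail log file body (the "Records" array), not a real trail.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2018-06-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2018-06-01T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accountId": "222222222222",
                      "userName": "bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/InfoSecAudit"}},
    {"eventTime": "2018-06-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:root"},
     "requestParameters": {"name": "org-trail"}},
]})


def account_from_arn(arn: str) -> str:
    """arn:partition:service:region:account-id:resource -> account-id."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def find_findings(trail_json: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for rec in json.loads(trail_json).get("Records", []):
        ident = rec.get("userIdentity", {})
        name = rec.get("eventName", "")
        base = {"time": rec.get("eventTime", ""), "event": name,
                "source_ip": rec.get("sourceIPAddress", "")}
        # Root credentials used by a person. Records carrying "invokedBy" are AWS
        # services acting on the account's behalf and would only add noise.
        if ident.get("type") == "Root" and "invokedBy" not in ident:
            findings.append({**base, "rule": "root-activity"})
        # Any console login (root or IAM user) that did not present MFA.
        if name == "ConsoleLogin":
            if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append({**base, "rule": "console-login-without-mfa"})
        # Attempts to stop, delete or reconfigure the trail itself.
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append({**base, "rule": "trail-tampering"})
        # Role assumed from another account: expected for InfoSec roles, but the
        # (from, to) pair should be one you deliberately set up.
        if name == "AssumeRole":
            caller = ident.get("accountId", "")
            target = account_from_arn(rec.get("requestParameters", {}).get("roleArn", ""))
            if caller and target and caller != target:
                findings.append({**base, "rule": "cross-account-assume-role",
                                 "from_account": caller, "to_account": target})
    return findings


def count_by_rule(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_findings(SAMPLE_TRAIL):
        print(f["time"], f["rule"], f["event"], f["source_ip"])
```

In a landing zone this logic would run in the Security account against the trail files the Logging account's bucket receives from every member account, which is exactly why that bucket needs to be versioned and MFA-delete protected: the detections are worthless if the account being watched can erase the evidence.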
Network Architecture considerations
• AWS services in your VPC
• VPC endpoints for Amazon S3
• DNS in-VPC with Amazon Route 53
• Logging VPC traffic with VPC Flow Logs
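As an added example (not part of the deck or the Landing Zone solution), this is the check a practitioner would run over VPC Flow Logs once they are enabled: parse the default version-2 record format, surface external traffic to SSH/RDP, and spot a single source being rejected on many ports. The VPC CIDR, ENI id, account ID and log lines are constructed.

```python
"""Detections over VPC Flow Logs (default version-2 record format).  Added
example with constructed log lines; the VPC CIDR, ENI id and addresses are
assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

VPC_CIDR = ip_network("10.0.0.0/16")   # assumed VPC address range
ADMIN_PORTS = {22, 3389}               # SSH and RDP
SCAN_THRESHOLD = 5                     # distinct rejected ports from one source

# Constructed records. Field order of the default format: version account-id
# interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end
# action log-status
SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 22 6 3 180 1527840000 1527840060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51235 23 6 1 60 1527840000 1527840060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51236 80 6 1 60 1527840000 1527840060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51237 443 6 1 60 1527840000 1527840060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51238 3389 6 1 60 1527840000 1527840060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51239 8080 6 1 60 1527840000 1527840060 REJECT OK
2 111111111111 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40000 443 6 20 4000 1527840000 1527840060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 10.0.2.7 10.0.1.20 40001 22 6 10 1200 1527840000 1527840060 ACCEPT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1527840000 1527840060 - NODATA
"""


@dataclass
class Flow:
    account: str
    eni: str
    src: str
    dst: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    action: str


def parse_flow_log(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        f = line.split()
        # NODATA / SKIPDATA rows carry "-" in the flow fields; only OK rows are flows.
        if len(f) < 14 or f[13] != "OK":
            continue
        flows.append(Flow(f[1], f[2], f[3], f[4], int(f[5]), int(f[6]),
                          int(f[7]), int(f[8]), int(f[9]), f[12]))
    return flows


def is_external(addr: str) -> bool:
    return ip_address(addr) not in VPC_CIDR


def admin_port_events(flows: List[Flow]) -> List[Flow]:
    """Traffic from outside the VPC to SSH/RDP. REJECTs show the security
    groups holding; an ACCEPT here means an admin port is open to the Internet."""
    return [f for f in flows if is_external(f.src) and f.dstport in ADMIN_PORTS]


def port_scanners(flows: List[Flow], threshold: int = SCAN_THRESHOLD) -> List[str]:
    """External sources rejected on at least `threshold` distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.action == "REJECT" and is_external(f.src):
            ports[f.src].add(f.dstport)
    return sorted(src for src, seen in ports.items() if len(seen) >= threshold)


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    for f in admin_port_events(flows):
        print("admin port", f.action, f.src, "->", f.dst, f.dstport)
    print("scanners:", port_scanners(flows))
```

Flow logs record what the security groups and NACLs decided, not packet contents, so the REJECT rows are the cheap signal here; the ACCEPT branch of admin_port_events is the one worth paging on.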
AWS Organizations master
(AWS Organizations account; no connection to the data center)
• Consolidated billing
• Volume discount
• Minimal resources
• Limited access
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Logging Account
(Core account in the AWS Organization)
• Versioned Amazon S3 bucket
• Restricted
• MFA delete
• Security logs
• Limited access
Security Account
(Core account in the AWS Organization; optional data center connectivity)
• Cross-account read/write
• AWS CloudTrail
• AWS Config
• Limited access
Shared Services Account
(Core account in the AWS Organization; connected to the data center)
• Shared Services VPC
• Deployment tools
• Golden AMI pipeline
• Scanning infrastructure: inactive instances, improper tags, snapshot lifecycle
• Monitoring
• Limited access
Developer Sandbox Accounts
(No connection to the data center)
• Innovation space
BU/Product/Resource Accounts
• Based on the level of isolation needed
• Match your development lifecycle
Dev Accounts
• Develop and iterate quickly
• Collaboration space
Pre-Prod Accounts
(Connected to the data center)
• Production-like
• Staging
• Automated deployments
Production Accounts
(Connected to the data center)
• Production applications
• Promoted from Pre-Prod
• Limited access
Multi-Account Approach
Core accounts:
• Orgs: account management
• Logging: centralized logs
• Security: AWS Config Rules, security tools
• Shared services: directory, DNS, limit monitoring
• Billing tooling: cost monitoring
BU/Product/Resource accounts:
• Dev: development
• Pre-Prod: staging
• Prod: production
Developer accounts:
• Sandbox
Introducing the AWS Landing Zone solution
What you get with the AWS Landing Zone
Account Management
• Framework for creating and baselining a multi-account environment
• Example initial multi-account structure based on common security, audit, and shared service requirements
• An account vending machine which enables automated deployment of additional accounts with a set of security baselines
Identity & Access Management
• User account access managed through AWS SSO federation
AWS Landing Zone components
Initialization Template
• Easily modify and extend the Landing Zone to grow with your Organization
Initialization Template
CloudFormation Template
Multi-Account implementation
• Organizations account (Core OU): account provisioning through an Amazon S3 bucket (manifest file), AWS CodePipeline, AWS Organizations, CloudFormation StackSets and AWS Service Catalog; account access through AWS SSO
• Shared Services account: account baseline, AWS Microsoft AD (Active Directory), AWS SSM, log analytics
• Logging account: account baseline, aggregated CloudTrail and Config logs
• Security account: account baseline, security cross-account roles, CloudTrail/Config logs, network baseline, log reporting

Account Vending Machine (AWS Service Catalog)
• Account creation UI
• Account Baseline versioning
• Launch constraints
• Creates/updates the AWS account through AWS Organizations
• Applies the Account Baseline stack sets (Security Roles, Audit Bucket) to the new account, connecting it to the Security Account and the Logging Account
• Creates the Network Baseline (Shared Network in the Shared Services Account)
• Applies the account Service Control Policy (SCP)
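The last step, the Service Control Policy, is where the vending machine's guardrails stop a member account from undoing its own baseline. The following added example is mine, not the solution's code and not AWS's policy evaluator: it models the part of SCP evaluation that matters for guardrail design, namely that an explicit Deny wins, that an Allow must be present at every level of the OU path from the root down to the account, and that an allow-list SCP which replaces FullAWSAccess implicitly denies everything it omits. Only the Action element is matched (Resource and Condition are ignored), and the three policy documents are constructed.

```python
"""Simplified SCP evaluation for guardrail design.  Added example: only the
Action element is modelled, Resource and Condition are ignored, and the
policies are constructed, not the Landing Zone's own."""
import re
from typing import List

FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed baseline guardrails: a member account may not blind the Logging
# account or leave the organization, whatever its own IAM policies say.
BASELINE_GUARDRAILS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["config:DeleteConfigurationRecorder", "config:StopConfigurationRecorder",
                "config:DeleteDeliveryChannel"]},
    {"Effect": "Deny", "Resource": "*", "Action": "organizations:LeaveOrganization"},
]}

# Constructed allow-list for a sandbox OU. It replaces FullAWSAccess there, so
# anything not listed (for example iam:CreateUser) is implicitly denied.
SANDBOX_ALLOWLIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:*", "s3:*", "lambda:*", "cloudwatch:*", "logs:*", "sts:*"]}]}


def action_matches(pattern: str, action: str) -> bool:
    """IAM action globbing: '*' matches any run, '?' one character, case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def _actions(stmt: dict) -> List[str]:
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def policy_decision(policy: dict, action: str) -> str:
    """'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if any(action_matches(p, action) for p in _actions(stmt)):
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit deny overrides any allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def scp_allows(levels: List[List[dict]], action: str) -> bool:
    """levels = the SCPs attached at each node on the path root -> OU -> ... -> account.
    The action survives only if every level has an Allow and no level has a Deny."""
    for policies in levels:
        decisions = [policy_decision(p, action) for p in policies]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


# Constructed organization layout.
ROOT = [FULL_AWS_ACCESS, BASELINE_GUARDRAILS]
CORE_OU = [FULL_AWS_ACCESS]
SANDBOX_OU = [SANDBOX_ALLOWLIST]

if __name__ == "__main__":
    for path, name, act in [([ROOT, CORE_OU], "core", "cloudtrail:StopLogging"),
                            ([ROOT, CORE_OU], "core", "ec2:RunInstances"),
                            ([ROOT, SANDBOX_OU], "sandbox", "iam:CreateUser"),
                            ([ROOT, SANDBOX_OU], "sandbox", "s3:PutObject")]:
        print(name, act, "allowed" if scp_allows(path, act) else "blocked")
```

Two properties of SCPs that the simulation does not show and that matter when you rely on them as guardrails: they never apply to the Organizations master account itself, which is one more reason to keep that account minimal and rarely used, and they never grant anything; an action still needs an IAM policy in the member account that allows it.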
Account baseline
AWS CloudTrail
• Central Amazon S3 bucket and local Amazon CloudWatch Logs
AWS Config
• 7 Config Rules (EBS/RDS/S3 encryption, IAM password policy, root MFA, S3 public read/write permissions)
Amazon VPC
• Delete default VPC, (optional) create VPC
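To make the seven rules concrete, here is an added example (not the solution's own code) of the compliance logic behind each, written the way a custom AWS Config rule evaluator is: one check per resource type over configuration items. The item shapes are simplified: bucket items carry the GetBucketAcl and GetBucketEncryption API shapes, the account item carries GetAccountPasswordPolicy and GetAccountSummary fields, and the password-policy thresholds (14 characters, 24 remembered passwords, 90-day maximum age) are assumed values. The resource IDs and configurations are constructed.

```python
"""Compliance logic for the seven baseline checks, in the style of a custom
AWS Config rule evaluator.  Added example with constructed, simplified items;
it is not the Landing Zone's own code."""
from typing import Callable, Dict, List, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}
READ_PERMS = {"READ", "FULL_CONTROL"}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _public_permissions(cfg: dict) -> set:
    """ACL permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return {g.get("Permission") for g in cfg.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES}


def ebs_encrypted(cfg: dict) -> bool:
    return bool(cfg.get("encrypted"))


def rds_encrypted(cfg: dict) -> bool:
    return bool(cfg.get("storageEncrypted"))


def s3_sse_enabled(cfg: dict) -> bool:
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in r for r in rules)


def s3_no_public_read(cfg: dict) -> bool:
    return not (_public_permissions(cfg) & READ_PERMS)


def s3_no_public_write(cfg: dict) -> bool:
    return not (_public_permissions(cfg) & WRITE_PERMS)


def iam_password_policy(cfg: dict) -> bool:
    # Thresholds are assumed values, not something the deck specifies.
    p = cfg.get("PasswordPolicy", {})
    return (p.get("MinimumPasswordLength", 0) >= 14
            and all(p.get(k) for k in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                                       "RequireSymbols", "RequireNumbers"))
            and p.get("PasswordReusePrevention", 0) >= 24
            and 0 < p.get("MaxPasswordAge", 0) <= 90)


def root_mfa_enabled(cfg: dict) -> bool:
    return cfg.get("AccountMFAEnabled") == 1   # GetAccountSummary reports 1/0


# Which checks apply to which Config resource type.
RULES: Dict[str, List[Tuple[str, Callable[[dict], bool]]]] = {
    "AWS::EC2::Volume": [("ebs-encrypted", ebs_encrypted)],
    "AWS::RDS::DBInstance": [("rds-storage-encrypted", rds_encrypted)],
    "AWS::S3::Bucket": [("s3-sse-enabled", s3_sse_enabled),
                        ("s3-public-read-prohibited", s3_no_public_read),
                        ("s3-public-write-prohibited", s3_no_public_write)],
    "AWS::::Account": [("iam-password-policy", iam_password_policy),
                       ("root-account-mfa-enabled", root_mfa_enabled)],
}


def evaluate(item: dict) -> List[Tuple[str, str, str]]:
    """(resourceId, rule, COMPLIANT|NON_COMPLIANT) for every rule that applies."""
    cfg = item.get("configuration", {})
    return [(item["resourceId"], name, "COMPLIANT" if check(cfg) else "NON_COMPLIANT")
            for name, check in RULES.get(item["resourceType"], [])]


def evaluate_all(items: List[dict]) -> List[Tuple[str, str, str]]:
    return [r for item in items for r in evaluate(item)]


def noncompliant(items: List[dict]) -> List[Tuple[str, str]]:
    return [(rid, rule) for rid, rule, c in evaluate_all(items) if c == "NON_COMPLIANT"]


# Constructed configuration items.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa", "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb", "configuration": {"encrypted": False}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-1", "configuration": {"storageEncrypted": False}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "public-logs", "configuration": {
        "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "org-trail-logs", "configuration": {
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    {"resourceType": "AWS::::Account", "resourceId": "111111111111", "configuration": {
        "PasswordPolicy": {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
                           "RequireLowercaseCharacters": True, "RequireSymbols": False,
                           "RequireNumbers": True, "PasswordReusePrevention": 5, "MaxPasswordAge": 0},
        "AccountMFAEnabled": 0}},
]

if __name__ == "__main__":
    for rid, rule in noncompliant(SAMPLE_ITEMS):
        print(rid, rule)
```

Deleting the default VPC, the third item on the slide, is not a Config check but a one-time action the baseline performs; it matters because the default VPC ships with an Internet gateway and a security group that allows all traffic inside the group, so an instance launched without thinking lands somewhere Internet-reachable.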
Optional product(s)
Centralized Logging
• AWS CloudTrail
Deployment and configuration update pipeline
Benefits of the AWS Automated Landing Zone
AWS Landing Zone pricing and availability
Options for operating your Landing Zone
Well-Operated State:
• Working backwards
• Running lean teams
Paths to a Well-Operated State:
• Self Managed (+ Partner)
• AWS Managed via AMS
• Certification Program
• Third Party Audit
Learn More
Thank you