AWS Accounts@Scale Using AWS Landing Zone_AWSPSSummit_Singapore
- 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Steve Sofian
Solutions Architect, Amazon Web Services
AWS Accounts@Scale Using AWS Landing Zone
- 2. Session Agenda
Defining the Problem
Landing Zone Overview
Components of a Landing Zone
Wrap Up, Next Steps
- 3. AWS Account
Security/Resource Boundary
API Limits/Throttling
Billing Separation
- 4. Account Models
One Account
1,000s of Accounts
- 5. Why One Isn’t Enough
Many Teams
Isolation
Security Controls
Business Process
Billing
- 6. Multiple Accounts
Pros
• Complete security and resource isolation
• Smaller blast radius
• Simplified billing per account
Cons
• Aggregation/Distribution
• Setup and operation overhead
• More complex security policies across accounts
- 7. What Problem Are We Solving?
- 10. Control
What is it that we need?
- 11. Goals
Guardrails NOT Blockers
Auditable
Flexible
Automated
Scalable
Self-service
- 12. What is a Landing Zone?
• AWS best practices
• AWS account structure
• Patterns based
• Standards defined
• Adaptable foundation
• Governance guardrails
• Automation driven
• Versioned infrastructure
- 13. Components of Landing Zone
- 14. Components of Landing Zone
Account Structure
Network Design
Identity / Access
Security / Visibility
Shared Services
Automation / Change
- 15. Components of Landing Zone
- 16. AWS Account
Security/Resource Boundary
Limits
Billing Separation
- 17. Why One Isn’t Enough
Many Teams
Isolation
Security Controls
Business Process
Billing
- 18. AWS Organizations
Organizational Hierarchy
Security Policy
Billing Visibility
Automation Driven
- 19. Sample Account Structure
DEV
PROD
INFOSEC
LOG
Shared SVC
Network
- 20. Components of Landing Zone
- 21. Identity & Access Foundation
IAM Roles: Job/Function Based, Cross Account
Federation: Leverage existing Directory, Map Roles
IAM Users: Limit Use, Rotate Keys, Securely Stored, MFA
Managed Policies: AWS Managed to start, Limit Inline policies
KMS Keys: CMK Per Service
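The IAM user guidance on this slide (limit use, rotate keys, MFA) can be checked mechanically against an account's IAM credential report. The Python below is an added example, not part of the deck or of the AWS Landing Zone solution; it parses a constructed report excerpt (a subset of the real report's columns, with made-up account id and user names) and assumes a 90-day key rotation threshold.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report
# (only a subset of the real report's columns). Account id and users are fictional.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,true,true,true,2018-09-01T10:00:00+00:00,false,N/A
build-bot,arn:aws:iam::111111111111:user/build-bot,false,false,true,2018-01-15T08:30:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,true,false,false,N/A,false,N/A
"""

MAX_KEY_AGE_DAYS = 90  # rotation threshold assumed for this example
NOW = datetime(2018, 10, 15, tzinfo=timezone.utc)  # fixed "today" so results are reproducible


def parse_ts(value):
    """Return an aware datetime, or None for the report's N/A / no_information markers."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return {user: [findings]} for users that violate the slide's IAM user guidance."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        problems = []
        # A console password without MFA: a human login protected by a single factor.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            problems.append("console password without MFA")
        # Active access keys that were never rotated or are older than the threshold.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or (now - rotated).days > max_key_age_days:
                    problems.append(f"access key {n} not rotated in {max_key_age_days} days")
        if problems:
            findings[row["user"]] = problems
    return findings


def run_sample():
    return audit_credential_report(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for user, problems in run_sample().items():
        print(f"{user}: {'; '.join(problems)}")
```

In a landing zone the same check would run per member account from the security/audit account, using a cross-account role rather than long-lived user keys.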
- 22. Components of Landing Zone
- 23. VPC Design
Multi-AZ
Public vs. Private
Ingress/Egress points
- 24. Network Paths
- 25. Components of Landing Zone
- 26. Continuous Compliance
Data Gathering: CloudTrail, AWS Config, Amazon VPC Flow Logs, Access Logs
Analysis / Enforcement: Log Analysis, CloudWatch Events, AWS Config Rules, Amazon GuardDuty
- 27. Components of Landing Zone
- 28. Common Shared Services
Directory
Code Repo
Monitoring
AMI / EC2 Management
- 29. Components of Landing Zone
- 30. Automation & Change Management
CloudFormation StackSets
Service Catalog
Pipeline
- 31. Next Steps
• Engage with your AWS Account Team
• Leverage the APN
• Check out the new AWS Landing Zone solution
• https://aws.amazon.com/answers/aws-landing-zone/
- 32. Thank You