AWS Landing Zone Security Governance

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ArchitectingSecurity &Governance
across yourAWS LandingZone
Sam Elmalak
Solutions Architect
Amazon Web Services
S E C 3 0 3
David Ninnis
Senior Enterprise Architect, Cloud
BP

Agenda
An enterprise-ready landing zone framework
BP’s landing zone journey
Action plan & checklist

LastYear

Once upon atime…(Continued)
0
10
20
30
40
50
60
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Sales
Red Riding
Hood

OldWorld IT
Bob – IT/security guy Developers

OldWorld IT -Scale
More Bobs More developers

Thecloud willmakethiseasier!
Same Bobs More developers!

One account, IsolationwithIAMandVPC
“Gray” boundaries
Complicated and messy over time
Difficult to track resources
People stepping on each other
Everything

Separatedeveloper account
Still can’t track resources or spend
Still have isolation and blast radius concerns
Developers still stepping on each other
Bob now has to manage IAM and VPCs, here too
Dev Prod

Theproblem
On-premises posture for the cloud
Inheriting ideas from datacenter days
Management and Ops don’t trust dev with full access
Developers want to work – Really!
DevOps is a great idea
Doesn’t work when Ops is in the way

A NewSolution –Weneed
Access to AWS services without barriers
Ability to fail fast without collateral damage
Smaller blast-radius
Operations team  Cloud architects
Everyone able to influence digital transformation
Costs and resources tracked to individuals and teams
Optimize code for AWS

WhereDo IStart? Developer accounts
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer

WhereDo IStart?Teamaccounts
Team/Group Team/Group Team/Group Team/Group Team/Group

WhereDo IStart?Ops accounts
Production Staging Dev/UAT

WhereDo IStart?Shared services
Core/Shared

Whatare core sharedaccounts?
Security
Shared Services Log Archive
Network
Core/Shared

Sharedby tier
Core/Shared
Team Shared
Dev Shared

Sharedby tier
Core/Shared
Team
Core/Shared
Dev
Core/Shared

Adifferent approach
Team Dev Team Dev Team Dev Team Dev Team Dev
Core/Shared
Team
Core/Shared
Dev
Core/Shared
DeveloDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team Stg Team Stg Team Stg Team Stg Team Stg
Team Prod Team Prod Team Prod Team Prod Team ProdProduction
Dev/UAT
Staging
Prod
Core/Shared
Staging
Core/Shared

Your own additions
Team Dev Team Dev Team Dev Team Dev Team Dev
Team Stg Team Stg Team Stg Team Stg Team Stg
Team Prod Team Prod Team Prod Team Prod Team ProdProduction
Dev/UAT
Staging
PersonalPersonal PersonalPersonal PersonalPersonalPersonal PersonalPersonal Personal
PersonalPersonal PersonalPersonal PersonalPersonalPersonal PersonalPersonal Personal
Personal
Shared
Dev
Core/Shared
Staging
Core/Shared
Prod
Core/Shared

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security/Resource
Boundary API Limits/Throttling
Billing Separation
AWS Account

Why one account isn’t enough
Billing
Many Teams
Security / Compliance
Controls
Business Process
Isolation

Guardrails NOT
Blockers
Auditable Flexible
Automated Scalable Self-service
Goals

Account securityconsiderations
Baseline Requirements
Lock
Enable
Define
Federate
Establish
Identify

What accounts should I create?
Security Shared Services Billing
Dev ProdSandbox OtherPre-Prod
Organizations Account
Log Archive Network

AWSOrganizations Master
AWS Organizations Master
Network Path
Data Center
No connection to DC
Service control policies
Consolidated billing
Volume discount
Minimal resources
Limited access
Restrict Orgs role!

SCP:StopCloudTrailfrombeing disabled
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": ”cloudtrail:StopLogging",
"Resource": "*"
}
]
}

SCP:NointernetgatewayforAmazonVirtualPrivate
Cloud (AmazonVPC)"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:AttachInternetGateway”,
“ec2:CreateInternetGateway”,
“ec2:AttachEgressOnlyInternetGateway”,
“ec2:CreateVpcPeeringConnection”,
“ec2:AcceptVpcPeeringConnection"
],
"Resource": "*"
}
]

Coreaccounts
Core Accounts
Network Path
Data Center
Foundational
Building Blocks
Once per organization
Have their own development
life cycle (dev/qa/prod)

Log archiveaccount
Core Accounts
Log Archive
Network Path
Data Center
Versioned Amazon S3 bucket
Restricted
MFA delete
CloudTrail logs
Security logs
Single source of truth
Alarm on user login
Limited access

Securityaccount
Core Accounts
Log Archive
Network Path
Data Center
Optional data center
connectivity
Security tools and audit
GuardDuty Master
Cross-account read/write
Automated Tooling
Limited access
Security

Sharedservicesaccount
Security
Core Accounts
Log Archive
Network Path
Data Center
Connected to DC
DNS
LDAP/Active Directory
Shared Services VPC
Deployment tools
Golden AMI
Pipeline
Scanning infrastructure
Inactive instances
Improper tags
Snapshot lifecycle
Monitoring
Limited access
Shared
Services

Networkaccount
Security
Core Accounts
Shared
Services
Log Archive
Network Path
Data Center
Managed by network
team
Networking services
AWS Direct Connect
Limited access
Network

Developer sandbox
Security
Core Accounts
Shared
Services
Network
Log Archive
Network Path
No connection to DC
Innovation space
Fixed spending limit
Autonomous
ExperimentationDeveloper
Sandbox
Developer Accounts

Team/group accounts
Developer
Sandbox
Security
Core Accounts
Shared
Services
Network
Log Archive
Network Path
Developer Accounts Data Center
Based on level of needed
isolation
Match your development
lifecycle
Think Small
Team/Group Accounts

Dev
Developer
Sandbox
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log Archive
Network Path
Develop and iterate
quickly
Collaboration space
Stage of SDLC
Dev

Pre-production
Developer
Sandbox
Dev
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log Archive
Network Path
Connected to DC
Production-like
Staging
Testing
Automated Deployment
Pre-Prod

Production
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log Archive
Network Path
Connected to DC
Production applications
Promoted from Pre-Prod
Limited access
Automated Deployments
Prod

Teamsharedservices
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log Archive Prod
Network Path
Grows organically
Shared to the team
Product-specific common
services
Data lake
Common tooling
Common services
Team Shared
Services

Innovation pipeline
Developer
Accounts
Developer Accounts
PoC
Developer
Accounts
Developer Accounts
Dev
Pre-Prod
Team/Group Accounts
Prod
Shared
Services
PoC
New initiatives
Experimentation
Innovation

Special/exception
Be flexible
Regulatory/compliance
Additional isolation/security controls (PCI)

Multi-account approach
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log Archive Prod
Team Shared
Services
Network Path
Orgs: Account management
Log Archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: Direct Connect
Dev Sandbox: Experiments, Learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team Shared Services, Data
Lake

Team:Billingtools
Developer
Sandbox
Dev Pre-Prod
Billing Tools Team Accounts
Security
Core Accounts
Shared
Services
Network
Log Archive Prod
Network Path
Reduces access to
Organizations account
Billing reports
Usage metrics and
reporting
Usage optimizations and
RI management

Team:Internalaudit
Developer
Sandbox
Dev Pre-Prod
Internal Audit Team Accounts
Security
Core Accounts
Shared
Services
Network
Log Archive Prod
Network Path
Regulatory compliance
Read-only access to
needed logs
Limited access
ENT315: Automate and
Audit Cloud Governance
and Compliance in your
Landing Zone

Team:Amazing newproduct
Developer
Sandbox
Dev Pre-Prod
Amazing New Product Team Accounts
Security
Core Accounts
Shared
Services
Network
Log Archive Prod
Network Path
Match your development
lifecycle
Think Small

BP’s journey
David Ninnis
Senior Enterprise Architect, Cloud

We areBP
OIG301: A quantum leap transformation to make BP’s global network cloud first

OurAWS journey

Our 2016 LandingZone
Dev
Pre-Prod
Resource AccountsCore Accounts
Master Payer Account
Billing
Network
Internal Audit
Data Center
Logs
Prod
Master: Consolidated billing
Logs: Security logs
Enterprise Shared Services:
Directory, DNS, Patching, and more
Billing Tooling: Cost management
Dev: Development
Pre-Prod: Staging
Prod: Production
DB: Database as a Service
Shared
Services
Network Path
DB

Along cametheusers
More access
More services
“Special” accounts
In-line policy management
Self service
Tag-based/resource level
Does IaaS well

IteratingtheLZ

New/improvedservicessince2016
AWS Organizations
CreateAccount
{
"AccountName": "string",
"Email": "string",
"IamUserAccessToBilling": "string",
"RoleName": "string"
}
MoveAccount
{
"AccountId": "string",
"DestinationParentId": "string",
"SourceParentId": "string"
}

{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect": “Deny",
"Action": [
"ec2:AcceptVpcPeeringConnection",
"ec2:CreateVpcPeeringConnection",
"ec2:DeleteVpcPeeringConnection"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "eu-west-1"
}
}
}
]
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect": “Allow",
"Action": [
"ec2:*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "eu-west
}
}
}
]

TheAWS LandingZone solution
An easy-to-deploy solution that automates the setup
of new AWS multi-account environments
Based on AWS best
practices and
recommendations
Initial security
and governance
controls
Baseline accounts
and account
vending machine
Automated
deployment

Here’swhereweare now
Took the core of the Landing Zone Solution
Created a metadata store in Amazon DynamoDB
Extended Landing Zone to call existing capability for RBAC and networking
Re-used our core accounts

NewLandingZone
Developer
Sandbox
Dev Pre-Prod
Spoke Accounts
Security
Hub Accounts
AWS Organizations
Shared
Services
Network
Log Archive Prod
Team Shared
Services
Network Path
Sandbox Spoke Accounts Data Center
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team Shared Services, Data Lake
DB: Database as a Service
DB

End toend requestworkflow
1. New Account
SNOW Form
2. Form data used
to create initial
record on
DynamoDB Table
3. Service Catalog
Vending Machine
Account Product
Creation Invoked
4. Provisioning of
Security & Logging
Baseline with
Stacksets
201. Stackset
Creation Error
Notified to
Developers / Ops
5. Provisioning of
RBAC Roles and
SSO Providers
6. Provisioning of
Networking
(including Peering)
101. SNOW
Integration Error
with AWS APIs
notified to SNOW
Team
7. Account
Provisioning
Notifications
8. DS is notified of
new Spoke
account
9. DS provisions
additional controls
10. SNOW is
notified of new
Spoke account
being provisioned
11. SNOW rescan
DynamoDB table
and syncs back
metadata to
SNOW CMDB
12. SNOW
provisions AD
groups for the new
Account
102. SNOW
Incident Created
202. HS Dev
Team Incident
Created
13. Email to end
user informing of
account
provisioning
501. DS Complete
502. SNOW
Complete
301. DS Internal
Error notified to
DS
302. DS Internal
Incident Created
103. AWS Post
Provisioning Error
notified to SNOW
Team
102. SNOW
Incident Created
203. Post
Provisiong
Notification error
notified to
Developers / Ops
202. HS Dev
Team Incident
Created
503. AWS Account
Provisioning
Complete
Error
Error
SNS
Topic
Error
Error
SNS
Topic
Error
Error

End toend requestworkflow
Process
AWS Account Submission Email
AWS Account Creation
AWS Account Status
AWS Account AD
AWS Account AAD Sync
AWS Account Completion Email

Securityand governance outcomes
Amazon WorkSpaces

Eventgovernance

Eventgovernance
=

In closing
We’ve got this far
It’s not perfect
It helps us to get out of the way
We will keep listening to our users and evolving
AWS will keep evolving

Multi-account approach
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive Prod
Team Shared
Services
Network Path
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team Shared Services, Data Lake

QA/Staging for thelanding zone
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log Archive Prod
Team Shared
Services
Network Path
Test Landing Zone
changes
Another Landing Zone

Forensics
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log Archive Prod
Team Shared
Services
Network Path
Isolated Forensics area
Nearly Invisible
Landing Zone with a twist

Nextsteps
Define tagging strategy
Define automation strategy
Create Organizations Master account
Create Log Archive account
Create Security account
Create Shared Services account
Create Developer Sandbox account(s)

Action plan
• Create temporary s3 bucket for CloudTrail logs
• Enable CloudTrail locally
• Enable organizations full feature
• Create bucket(s) for security logs (CloudTrail, AWS
Config)
• Enable MFA delete
• Enable versioning
• Define limited access bucket policy
• Add SCP to prevent s3:delete
• Backfill: Enable CloudTrail in organizations master
account to send logs to Log Archive account
• Backfill: Copy CloudTrail logs for actions that happened
between Organizations Master creation and log archive
• Backfill: Cross-account roles with trust to security account
for organizations master and log archive
• Read-only role
• Read/Write role (fewer permissions for assumption)
• <CommonCheckList>
• Create security tooling/Lambda functions for security checks
• Connect via DX/VPN to DC
• Launch common services
• Directory services
• Limit monitoring
Create AWS Network account
• Order your Direct Connect

Common checklist
• Secure Root credentials
MFA
• OTP
• U2F could make this easier for managing them
• https://aws.amazon.com/blogs/security/how-to-
create-and-manage-users-within-aws-sso/
• Complex password
• Establish rotation policy
• Link to Organizations Master account if not already
a member
• Use group email/phone as the contact info
• Enable CloudTrail in all regions, send to Log
Archive account
• Enable GuardDuty in all regions.
• Security Account as GuardDuty master
• Operationalize the findings
• Enable AWS Config, send to Log Archive account
• Enable appropriate AWS Config rules
• s3 bucket encryptions
• s3 world read/write
• ebs encryption etc...
• Create read-only cross-account Security role
• Create read/write cross-account Security role
• Create VPC (non-overlapping IP space)
• Enable federation into account
• http://federationworkshopreinvent2016.s3-website-
us-east-1.amazonaws.com/
• Define roles and access policies
• Peer/Privatelink VPC with Shared Services
• Add a policy for prefix naming conditions to every
account—For example, deny access to Lambda
functions that start with “security*”
• Review CIS Foundations Benchmark and leverage as
appropriate

AWS LandingZone structure -Basic
AWS Organizations
Shared Services Log Archive Security
Organizations Account
• Account Provisioning
• Account Access (SSO)
Shared Services Account
• Active Directory
• Log Analytics
Log Archive
• Security Logs
Security Account
• Audit / Break-glass
Parameter
store

Account vending machine
AWS
Service Catalog
Account Vending Machine (AWS Service
Catalog)
• Account creation factory
• User Interface to create new accounts
• Account baseline versioning
• Launch constraints
Creates/updates AWS account
Apply account baseline stack sets
Create network baseline
Apply account security control policy
Account Vending
Machine
AWS
Organizations
Security
AW
S
Log Archive
AW
S
Shared Services
AW
S
AW
S
New AWS

Action Plan
• Create temporary s3 bucket for CloudTrail logs
• Enable CloudTrail locally
• Enable organizations full feature
• Create bucket(s) for security logs (CloudTrail, AWS
Config)
• Enable MFA delete
• Enable versioning
• Define limited access bucket policy
• Add SCP to prevent s3:delete
• Backfill: Enable CloudTrail in organizations master
account to send logs to Log Archive account
• Backfill: Copy CloudTrail logs for actions that happened
between Organizations Master creation and log archive
• Backfill: cross-account roles with trust to security account for
organizations master and log archive
• Read-only role
• Read/Write role (fewer permissions for assumption)
• Create security tooling/Lambda functions for security checks
• Connect via DX/VPN to DC
• Launch common services
• Directory services
• Limit monitoring
Create AWS Network account
• Order your Direct Connect

CommonChecklist
• Secure Root credentials
MFA
• OTP
• U2F could make this easier for managing them
• https://aws.amazon.com/blogs/security/how-to-
create-and-manage-users-within-aws-sso/
• Complex password
• Establish rotation policy
• Link to Organizations Master account if not already
a member
• Use group email/phone as the contact info
• Enable CloudTrail in all regions, send to Log
Archive account
• Enable GuardDuty in all regions.
• Security Account as GuardDuty master
• Operationalize the findings
• Enable AWS Config, send to Log Archive account
• Enable appropriate AWS Config rules
• s3 bucket encryptions
• s3 world read/write
• ebs encryption etc...
• Create read-only cross-account Security role
• Create read/write cross-account Security role
• Create VPC (non-overlapping IP space)
• Enable federation into account
• http://federationworkshopreinvent2016.s3-website-
us-east-1.amazonaws.com/
• Define roles and access policies
• Peer/Privatelink VPC with Shared Services
• Add a policy for prefix naming conditions to every
account—For example, deny access to Lambda
functions that start with “security*”
• Review CIS Foundations Benchmark and leverage as
appropriate

PuttingitAllTogether
Policy
Enforcement
AWS Landing
Zone
Policy
Deployment
Notification Remediation
Account Metadata: Owner, Function,
Policies, BU, SDLC, Cost Center etc…
Prod
• Encrypt EBS
• No IGW
• Guardrail “x”
QA
• Encrypt EBS
• Guardrail “x”
• Guardrail “y”
Policy “p”
• Encrypt EBS
• No IGW
• Guardrail “y”

AWS LandingZone track: search:awslandingzone
Architecture:
SEC303: Architecting Security & Governance across your AWS Landing Zone (Session)
ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session)
Implementation:
ENT350: AWS Landing Zone Deep Dive (Chalk Talk)
SEC349: Governance at Scale (Chalk Talk)
ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session)
Workshops (First three are same content):
ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop)
SEC315: Enterprise Governance and Security - Build Your AWS Landing Zone (Workshop)
GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners)
SEC334: Operational Excellence for Identity & Access Management (Workshop)
Summary/Feedback:
SEC360: AWS Landing Zone Strategies (Chalk Talk)

Thank you!
Sam Elmalak
@SamElmalak
David Ninnis

AWS Landing Zone Security Governance

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS Landing Zone Security Governance

Similar to AWS Landing Zone Security Governance (20)

More from Amazon Web Services

More from Amazon Web Services (20)

AWS Landing Zone Security Governance