AWS Control Tower
Agenda
01 | Quick introduction
02 | Why do you need a Landing Zone
03 | AWS Control Tower
04 | Pricing & Features
05 | Lessons Learnt
06 | Questions
Introduction
Gerald Bachlmayr
● Technical Principal - Contino
● AWS Ambassador
● Cloud Native Advocate
Marwan Kansoh
● Technical Principal - Contino
● Advocate - All things AWS/DevOps/Security
● Proud father of 2
Intro Why LZ/AWS P&F Lessons Q&A
Why Do We Need a Landing Zone
● Governance, Compliance
● Security, Connectivity
● Account Management
● Costs
● Operational Efficiencies
Landing Zone in AWS → Control Tower
Control Tower (CT) gives you all those common Landing Zone capabilities out-of-the-box, and AWS manages upgrades for you.
Control Tower - Overview
These are the key features CT gives you:
Landing Zone
● Multi-account setup - with OUs (org. units)
● SSO enabled
● Centralised logging
Account Factory
● Standardised provisioning
● Pre-approved configurations
● Self-service
Guardrails
● Preventive
● Detective
● Mandatory & Optional
Dashboards
● Number of accounts and OUs
● Guardrails
● List of noncompliant resources
Setup steps
The setup process is simple and AWS gives you some guidance on what you shouldn’t do:
Steps:
● Master Account
○ First email address
● Logon & select region
● Two email addresses:
○ Log archive account
○ Audit account
● ~ 1 hour
AWS Guidance:
● Do not modify or delete:
○ Resources created by CT
○ IAM resources created by CT
● Manage with CT, not with AWS Organizations:
○ Create, invite, move accounts
○ Create, move OUs (org units)
○ Delete OU → you won’t be able to provision a new account to this OU with CT Account Factory (not managed by CT)
Setup Process - CloudFormation Resources
There is not much to see during the setup process - one CloudFormation stack.
Setup Process - CloudFormation Stack Sets
There is not much to see during the setup process - one CloudFormation stack.
Setup Complete
After the setup you can see the Control Tower Dashboard:
Pricing
Guidelines:
● No additional charge to use AWS Control Tower
● You are charged for the services CT sets up, e.g.:
○ Service Catalog
○ AWS Config Rules
● Included for free:
○ Mandatory preventive guardrails → global
○ 2 mandatory detective guardrails → regions where CT is available
Price Example:
● 10 accounts, 15 resources per account, in 4 regions
● 5 strongly recommended detective guardrails → invoking 5,000 rule evaluations/month
● Each resource → 20 config. state changes/month

Feature                               Price (USD)
1 Account Factory portfolio           $5/month
Mandatory preventive guardrails       $0 (free)
2 mandatory detective guardrails      $0 (free)
AWS Config - 12,000 config items      $36/month
AWS Config - 25,000 rule evaluations  $25/month
AWS Config - initial recording        $12 (one-off)
Total                                 $66/month
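To make the table reproducible, here is an added calculator (not from the deck) that derives the 12,000 config items and 25,000 rule evaluations from the slide's inputs. The per-unit rates are assumptions read off the table itself ($36/12,000 and $25/25,000), and the $12 initial-recording charge is taken as stated rather than derived.

```python
"""Reproduce the slide's Control Tower price example from its inputs.

Added example, not part of the original deck. Per-unit rates are derived
from the slide's own table and are therefore assumptions, not quoted AWS
list prices.
"""
from dataclasses import dataclass

CONFIG_ITEM_USD = 36 / 12_000          # assumed: $36 for 12,000 config items
RULE_EVALUATION_USD = 25 / 25_000      # assumed: $25 for 25,000 rule evaluations
ACCOUNT_FACTORY_PORTFOLIO_USD = 5.0    # from the slide: 1 portfolio, $5/month
INITIAL_RECORDING_USD = 12.0           # one-off, stated on the slide, not derived


@dataclass(frozen=True)
class LandingZoneEstimate:
    accounts: int
    resources_per_account: int
    regions: int
    state_changes_per_resource: int   # per month
    paid_detective_guardrails: int    # strongly recommended / elective ones
    evaluations_per_guardrail: int    # per month

    @property
    def recorded_resources(self) -> int:
        # AWS Config records per account and per region.
        return self.accounts * self.resources_per_account * self.regions

    @property
    def config_items(self) -> int:
        # Every state change of a recorded resource produces one config item.
        return self.recorded_resources * self.state_changes_per_resource

    @property
    def rule_evaluations(self) -> int:
        # The 2 mandatory detective guardrails are free, so only the paid
        # detective guardrails contribute evaluations here.
        return self.paid_detective_guardrails * self.evaluations_per_guardrail

    def monthly_breakdown(self) -> dict:
        return {
            "account_factory_portfolio": ACCOUNT_FACTORY_PORTFOLIO_USD,
            "mandatory_preventive_guardrails": 0.0,
            "mandatory_detective_guardrails": 0.0,
            "config_items": round(self.config_items * CONFIG_ITEM_USD, 2),
            "rule_evaluations": round(self.rule_evaluations * RULE_EVALUATION_USD, 2),
        }

    def monthly_total(self) -> float:
        return round(sum(self.monthly_breakdown().values()), 2)


# The inputs exactly as the slide gives them.
SLIDE_EXAMPLE = LandingZoneEstimate(
    accounts=10, resources_per_account=15, regions=4,
    state_changes_per_resource=20,
    paid_detective_guardrails=5, evaluations_per_guardrail=5_000,
)

if __name__ == "__main__":
    for line, usd in SLIDE_EXAMPLE.monthly_breakdown().items():
        print(f"{line:34s} ${usd:>7.2f}/month")
    print(f"{'total':34s} ${SLIDE_EXAMPLE.monthly_total():>7.2f}/month")
    print(f"{'initial recording (one-off)':34s} ${INITIAL_RECORDING_USD:>7.2f}")
```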
Features: Account Factory
Account Factory enables cloud administrators and AWS SSO end users to provision accounts in your landing zone.
Some features:
● Account life-cycle:
○ Open
○ Update → different OU
○ Close
● Modify CIDR ranges
● Provision CIDR range
● Internet access for new accounts
Compliance Introduction
AWS Control Tower is well-architected by default and helps establish compliant environments (SOC, PCI, FedRAMP, HIPAA) with ease. Compliance is established at the OU level.
Features: Guard Rails
There are 3 levels of guardrail guidance:
● Mandatory (enforced - cannot be turned off)
● Strongly recommended
● Optional (elective)
Guardrail behaviours either prevent or detect actions. Examples of mandatory guardrails are:
● Preventive guardrails apply an explicit deny/allow to certain actions, for example:
○ Disallow deletion of log archive
○ Enable encryption at rest for log archive
● Detective guardrails detect (rather than block) non-compliant actions, for example:
○ Disallow public read access to log archive
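As an added illustration (not Control Tower's own guardrail policies or code), the following simulates both behaviours on the log archive: an SCP-style explicit Deny stands in for the two preventive guardrails and is evaluated before an action runs, while a detective check runs afterwards over a constructed bucket snapshot for the public-read guardrail. Bucket names, account ids and statement Sids are placeholders.

```python
"""Preventive vs detective guardrails on the log archive, simulated locally.

Added example; not Control Tower's own guardrail policies or code. The SCP
document and the bucket records are constructed; bucket names, account ids
and statement Sids are placeholders.
"""
from fnmatch import fnmatchcase

LOG_ARCHIVE_ARN = "arn:aws:s3:::example-log-archive"  # placeholder bucket
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3 public grantee

# Constructed SCP-style document: one explicit Deny per preventive guardrail.
# Applied at the OU, a matching Deny means the API call never happens.
LOG_ARCHIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # "Disallow deletion of log archive"
            "Sid": "DenyLogArchiveDeletion",
            "Effect": "Deny",
            "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"],
            "Resource": [LOG_ARCHIVE_ARN, LOG_ARCHIVE_ARN + "/*"],
        },
        {   # "Enable encryption at rest for log archive": nobody may change the
            # bucket's encryption configuration once it has been set.
            "Sid": "DenyLogArchiveEncryptionChanges",
            "Effect": "Deny",
            "Action": "s3:PutEncryptionConfiguration",
            "Resource": LOG_ARCHIVE_ARN,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    # '*' and '?' are wildcards; IAM action names are case-insensitive,
    # resource ARNs are compared as given.
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def scp_decision(scp, action, resource):
    """Return (allowed, sid). An explicit Deny that matches both the action and
    the resource wins; anything else is left to the account's own IAM policies."""
    for statement in scp["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if (_matches(statement["Action"], action, case_insensitive=True)
                and _matches(statement["Resource"], resource)):
            return False, statement["Sid"]
    return True, None


def public_read_findings(buckets):
    """Detective check in the spirit of 'Disallow public read access to log
    archive': runs after the fact over recorded bucket state and reports
    violations instead of blocking them."""
    findings = []
    for bucket in buckets:
        public = [g for g in bucket.get("acl_grants", [])
                  if g["grantee"] == ALL_USERS and g["permission"] in ("READ", "FULL_CONTROL")]
        if public:
            findings.append({"bucket": bucket["name"], "account": bucket["account"],
                             "grants": [g["permission"] for g in public]})
    return findings


# Constructed snapshot of bucket state, as a Config-style recorder would see it.
SAMPLE_BUCKETS = [
    {"name": "example-log-archive", "account": "111111111111",
     "acl_grants": [{"grantee": ALL_USERS, "permission": "READ"}]},
    {"name": "example-app-assets", "account": "222222222222",
     "acl_grants": [{"grantee": "canonical-user:OWNER-PLACEHOLDER", "permission": "FULL_CONTROL"}]},
]

if __name__ == "__main__":
    for action in ("s3:DeleteBucket", "s3:GetObject", "s3:putencryptionconfiguration"):
        allowed, sid = scp_decision(LOG_ARCHIVE_SCP, action, LOG_ARCHIVE_ARN)
        print(f"{action:32s} -> {'allowed' if allowed else 'DENIED by ' + sid}")
    for finding in public_read_findings(SAMPLE_BUCKETS):
        print("NON_COMPLIANT:", finding)
```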
Features: Dashboards
CT’s Dashboard is a high-level single pane offering compliance and governance visibility:
● Current environment summary
● Enabled controls
● Non-compliant resources
● Enrolled accounts in the organisation
● Guardrails available
Features: SSO
SSO is enabled automatically and allows single-click login to accounts or applications:
● Configurable identity source (such as Active Directory)
● Enforceable MFA
● Automatic provisioning
● AWS SSO integrated applications
● Customisable URL
Features: Audit & Logging
By default, 2 accounts are created (separate from the Master account): the Audit and Logging accounts.
● Audit account
○ Used to audit all information made available by Control Tower in the environment. This information is also accessible programmatically.
● Log archive account
○ Used to access all the logging information for all the managed accounts within managed OUs in the landing zone.
We are looking at testing the ability to deploy Kinesis Firehose in the Logging account to push logs to a SIEM solution.
Lessons Learnt
● Consider ‘nuking’ the account before attempting to uninstall Control Tower
● Account Factory provides only /16 CIDRs
● Control Tower does NOT provision:
○ Transit Gateway
○ Egress Gateway
○ NAT gateway
○ Shared account (networking)
● Integration with Security Hub and Network Manager not yet tested
● Nested OUs
○ Not displayed in console
○ Only available as code
● Updating account emails is difficult (random errors)
● Root user and IAM administrators can bypass guard rails (by design)
Any Questions?
Thank You

AWS Control Tower Setup and Features

  • 9. Setup Process - CloudFormation Stack Sets
    There is not much to see during the setup process - one CloudFormation stack.
  • 10. Setup Complete
    After the setup you can see the Control Tower Dashboard.
  • 11. Pricing
    Guidelines:
    ● No additional charge to use AWS Control Tower
    ● You are charged for the services CT sets up, e.g.:
      ○ Service Catalog
      ○ AWS Config rules
    ● Included for free:
      ○ Mandatory preventive guardrails → global
      ○ 2 mandatory detective guardrails → regions where CT is available
    Price example:
    ● 10 accounts, 15 resources per account in 4 regions (10 × 15 × 4 = 600 resources)
    ● 5 strongly recommended detective guardrails, each invoking 5,000 rule evaluations/month → 25,000 rule evaluations/month
    ● Each resource → 20 configuration state changes/month (600 × 20 = 12,000 configuration items/month)

    Feature                                   Price (USD)
    1 Account Factory portfolio               $5/month
    Mandatory preventive guardrails           $0 (free)
    2 mandatory detective guardrails          $0 (free)
    AWS Config - 12,000 configuration items   $36/month
    AWS Config - 25,000 rule evaluations      $25/month
    AWS Config - initial recording            $12 (one-off)
    Total (recurring)                         $66/month
  • 12. Features: Account Factory
    Enables cloud administrators and AWS SSO end users to provision accounts in your landing zone. Some features:
    ● Account life-cycle:
      ○ Open
      ○ Update → move to a different OU
      ○ Close
    ● Modify CIDR ranges
    ● Provision CIDR range
    ● Internet access for new accounts
  • 13. Compliance Introduction
    AWS Control Tower is well-architected by default and helps establish environments compliant with SOC, PCI, FedRAMP and HIPAA. Guardrails are applied at the OU level, so compliance is established per OU.
  • 14. Features: Guard Rails
    There are 3 levels of guardrail guidance:
    ● Mandatory (enforced - cannot be turned off)
    ● Strongly recommended
    ● Elective (optional)
    Guardrail behaviours either prevent or detect actions. Examples of mandatory guardrails:
    ● Preventive guardrails apply an explicit deny to certain actions (implemented as SCPs on the OU), e.g.:
      ○ Disallow deletion of log archive
      ○ Enable encryption at rest for log archive
    ● Detective guardrails report noncompliant resources without blocking anything (implemented as AWS Config rules), e.g.:
      ○ Disallow public read access to log archive
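The two guardrail behaviours on this slide, as an added example (this is not code from the slides or from AWS): a small evaluator that applies an SCP-style explicit deny the way a preventive guardrail does, and a Config-rule-style check that only reports, the way a detective guardrail does. The SCP document, the bucket name `aws-controltower-logs-example`, the `AWSControlTowerExecution` carve-out and the bucket records are constructed for illustration and are not AWS's actual guardrail definitions.

```python
"""Added example, not code from the slides or from AWS: a small evaluator showing
how a preventive guardrail (an SCP with an explicit Deny) and a detective
guardrail (an AWS Config-style evaluation) behave. The SCP document, bucket name
and bucket records are constructed for illustration and are not AWS's actual
guardrail definitions."""
import fnmatch
import json

# Constructed SCP modelled on "Disallow deletion of log archive". Control Tower
# guardrail SCPs sit next to the default FullAWSAccess policy, so this evaluator
# only has to look for a matching Deny statement.
LOG_ARCHIVE_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyLogArchiveDeletion",
    "Effect": "Deny",
    "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:PutBucketPolicy",
               "s3:DeleteBucketPolicy", "s3:PutBucketAcl"],
    "Resource": ["arn:aws:s3:::aws-controltower-logs-example",
                 "arn:aws:s3:::aws-controltower-logs-example/*"],
    "Condition": {"ArnNotLike": {
      "aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"}}
  }]
}""")


def _matches(patterns, value):
    """IAM-style pattern match: '*' and '?' wildcards, case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def scp_allows(scp, action, resource, principal_arn):
    """Preventive guardrail: evaluate an SCP the way Organizations does for a
    member account. A matching explicit Deny wins; otherwise the SCP does not
    block the call (the account's own IAM policies still decide)."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and _matches(exempt, principal_arn):
            continue  # principal is carved out by the ArnNotLike condition
        return False
    return True


# Constructed bucket records, shaped like what a detective rule would read from
# GetBucketAcl / GetBucketPolicy. Only the fields the rule needs are present.
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
BUCKETS = {
    "aws-controltower-logs-example": {
        "acl_grants": [],
        "policy": {"Statement": [{"Effect": "Allow",
                                  "Principal": {"Service": "cloudtrail.amazonaws.com"},
                                  "Action": "s3:PutObject",
                                  "Resource": "arn:aws:s3:::aws-controltower-logs-example/*"}]}},
    "acl-public": {
        "acl_grants": [{"uri": "http://acs.amazonaws.com/groups/global/AllUsers",
                        "permission": "READ"}],
        "policy": {}},
    "policy-public": {
        "acl_grants": [],
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                  "Action": ["s3:Get*"],
                                  "Resource": "arn:aws:s3:::policy-public/*"}]}},
}


def evaluate_public_read(bucket):
    """Detective guardrail: report, but do not block, a bucket whose ACL or policy
    grants public read. Returns COMPLIANT / NON_COMPLIANT like a Config rule."""
    for grant in bucket.get("acl_grants", []):
        if grant.get("uri") in PUBLIC_GRANTEES and grant.get("permission") in ("READ", "FULL_CONTROL"):
            return "NON_COMPLIANT"
    for stmt in bucket.get("policy", {}).get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and _matches(stmt.get("Action", []), "s3:GetObject"):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def compliance_report(buckets=BUCKETS):
    """Map every bucket to its evaluation, the list the CT dashboard summarises."""
    return {name: evaluate_public_read(b) for name, b in buckets.items()}


if __name__ == "__main__":
    admin = "arn:aws:iam::111122223333:role/Admin"
    print("Admin DeleteBucket on log archive allowed by SCP?",
          scp_allows(LOG_ARCHIVE_SCP, "s3:DeleteBucket",
                     "arn:aws:s3:::aws-controltower-logs-example", admin))
    print(compliance_report())
```

The difference to notice: `scp_allows` returns False before the call ever happens, whereas `evaluate_public_read` only tells you afterwards that a bucket is already public, which is why the slide calls one preventive and the other detective.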
  • 15. Features: Dashboards
    CT's dashboard is a high-level single pane offering compliance and governance visibility:
    ● Current environment summary
    ● Enabled controls
    ● Non-compliant resources
    ● Enrolled accounts in the organisation
    ● Guardrails available
  • 16. Features: SSO
    SSO is automatically enabled. It allows single sign-on to accounts or applications:
    ● Configurable identity source (such as Active Directory)
    ● Enforceable MFA
    ● Automatic provisioning
    ● AWS SSO integrated applications
    ● Customisable URL
  • 17. Features: Audit & Logging
    By default, 2 accounts are created (separate from the Master account): Audit and Log archive.
    ● Audit account
      ○ This account is used to audit all information made available by Control Tower in the environment. This information is also accessible programmatically.
    ● Log archive account
      ○ This account is used to access all the logging information for all the managed accounts within managed OUs in the landing zone.
    We are looking at testing the ability to deploy Kinesis Firehose in the Logging account to push logs to a SIEM solution.
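What a consumer of the log archive would actually do with those logs, as an added example (not code from the slides, from Contino or from AWS): read a CloudTrail delivery file in the form the log archive bucket stores it (gzipped JSON with a "Records" list) and run a few detections over it, the kind of logic a Firehose-to-SIEM pipeline applies. The records, account IDs, principal ARNs, trail name and bucket names are constructed for illustration; the `aws-controltower-logs-` bucket prefix is an assumption about the naming convention, not something the slides state.

```python
"""Added example, not code from the slides or from AWS: parse a CloudTrail log
file as the log archive bucket stores it (gzipped JSON with a "Records" list)
and run a few detections over it. All records, IDs and names below are
constructed for illustration; the log archive bucket prefix is an assumption."""
import gzip
import io
import json

LOG_BUCKET_PREFIX = "aws-controltower-logs-"   # assumed naming of the log archive bucket
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
CONFIG_TAMPER = {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                 "DeleteDeliveryChannel"}
LOG_BUCKET_WRITES = {"DeleteBucket", "DeleteObject", "PutBucketPolicy",
                     "DeleteBucketPolicy", "PutBucketAcl", "PutBucketLifecycle"}

# Constructed CloudTrail delivery file: a denied attempt to delete the log
# archive bucket, a root console login, a trail being stopped, and a benign
# read-only call that should produce no finding.
SAMPLE_LOG_FILE = {"Records": [
    {"eventTime": "2020-06-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "ap-southeast-2",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                      "arn": "arn:aws:sts::222222222222:assumed-role/Admin/alice"},
     "requestParameters": {"bucketName": "aws-controltower-logs-222222222222-ap-southeast-2"},
     "errorCode": "AccessDenied", "recipientAccountId": "222222222222"},
    {"eventTime": "2020-06-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "accountId": "333333333333",
                      "arn": "arn:aws:iam::333333333333:root"},
     "requestParameters": None, "recipientAccountId": "333333333333"},
    {"eventTime": "2020-06-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "ap-southeast-2",
     "userIdentity": {"type": "IAMUser", "accountId": "333333333333",
                      "arn": "arn:aws:iam::333333333333:user/bob"},
     "requestParameters": {"name": "aws-controltower-BaselineCloudTrail"},
     "recipientAccountId": "333333333333"},
    {"eventTime": "2020-06-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                      "arn": "arn:aws:sts::222222222222:assumed-role/ReadOnly/carol"},
     "requestParameters": {}, "recipientAccountId": "222222222222"},
]}


def gzip_log_file(doc):
    """Bytes of a delivery file as CloudTrail writes it to the log archive."""
    return gzip.compress(json.dumps(doc).encode())


def load_records(blob):
    """Gunzip one delivery file and return its Records list."""
    with gzip.open(io.BytesIO(blob), "rt") as fh:
        return json.load(fh)["Records"]


def detect(rec):
    """Return the findings one record triggers. A denied call is still reported,
    flagged as blocked: the guardrail stopped it, but someone tried."""
    ident = rec.get("userIdentity") or {}
    params = rec.get("requestParameters") or {}   # CloudTrail emits null for some calls
    src, name = rec.get("eventSource"), rec.get("eventName")
    rules = []
    if ident.get("type") == "Root":
        rules.append("root-user-activity")
    if src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
        rules.append("cloudtrail-tampering")
    if src == "config.amazonaws.com" and name in CONFIG_TAMPER:
        rules.append("config-tampering")
    if (src == "s3.amazonaws.com" and name in LOG_BUCKET_WRITES
            and str(params.get("bucketName", "")).startswith(LOG_BUCKET_PREFIX)):
        rules.append("log-archive-write")
    return [{"rule": r, "account": rec.get("recipientAccountId"),
             "principal": ident.get("arn"), "event": f"{src}:{name}",
             "time": rec.get("eventTime"), "blocked": "errorCode" in rec}
            for r in rules]


def triage(blob):
    """Findings for a whole delivery file, in record order: the payload a
    Firehose consumer would forward to the SIEM."""
    return [f for rec in load_records(blob) for f in detect(rec)]


if __name__ == "__main__":
    for finding in triage(gzip_log_file(SAMPLE_LOG_FILE)):
        print(json.dumps(finding))
```

The blocked flag matters: the denied DeleteBucket never changed anything, but a preventive guardrail firing is exactly the event a security team wants forwarded, since it shows who is probing the log archive.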
  • 18. Lessons Learnt
    ● Consider 'nuking' the account before attempting to uninstall Control Tower
    ● Account Factory provides only /16 CIDRs
    ● Control Tower does NOT provision:
      ○ Transit Gateway
      ○ Egress Gateway
      ○ NAT gateway
      ○ Shared (networking) account
    ● Integration with Security Hub and Network Manager not yet tested
    ● Nested OUs:
      ○ Not displayed in the console
      ○ Only available as code
    ● Updating account emails is difficult (random errors)
    ● Root user and IAM administrators can bypass guardrails (by design): detective guardrails only report, and preventive guardrails are SCPs, which never apply to the management (master) account, although they do apply to member accounts, their root users included
  • 19. Any Questions?