Whether it is per business unit or per application, many AWS customers use multiple accounts to meet their infrastructure isolation, separation of duties, and billing requirements to establish their AWS Landing Zone. In this session, we cover considerations, limitations, and security patterns when building a multi-account strategy. We explore topics such as thought pattern, identity federation, cross-account roles, consolidated logging, and account governance. We conclude by presenting an enterprise-ready landing zone framework and providing the background needed to implement an AWS Landing Zone.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Architecting security and governance
across your AWS Landing Zone
Leo Zhadanovsky
Principal Solutions Architect
AWS
S E C 3 0 1

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Agenda
An enterprise-ready Landing Zone framework
BP’s Landing Zone journey
Action plan and checklist

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Last year

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Once upon a time… (continued)
0
10
20
30
40
50
60
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Sales
Red Riding
Hood

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Old-world IT
Bob – IT/security guy Developers

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Old-world IT: Scale
More Bobs More developers

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The cloud will make this easier!
Same Bobs More developers!

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
One account, isolation with AWS Identity and Access
Management (IAM) and Amazon Virtual Private Cloud
(Amazon VPC)
“Gray” boundaries
Complicated and messy over time
Difficult to track resources
People stepping on one another
Everything

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Separate developer account
Still can’t track resources or spend
Still have isolation and blast-radius concerns
Developers still stepping on one another
Bob now has to manage IAM and VPCs, here, too
Dev Production

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The problem
On-premises posture for the cloud
Inheriting ideas from datacenter days
Management and Ops don’t trust Dev with full access
Developers want to work—Really!
DevOps is a great idea
Doesn’t work when Ops is in the way

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
A new solution—we need:
Access to AWS services without barriers
Ability to fail fast without collateral damage
Smaller blast radius
Operations team → Cloud architects
Everyone able to influence digital transformation
Costs and resources tracked to individuals and teams
Optimize code for AWS

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Where do I start? Developer accounts
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Where Do I Start? Team accounts
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team/Group Team/Group Team/Group Team/Group Team/Group
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Where Do I Start? Ops accounts
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team/Group Team/Group Team/Group Team/Group Team/Group
Production Staging Dev/UAT
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Where do I start? Shared services
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team/Group Team/Group Team/Group Team/Group Team/Group
Production Staging Dev/UAT
Core/Shared
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What are core shared accounts?
Security
Shared services Log archive
Network
Core/Shared

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Shared by tier
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team/Group Team/Group Team/Group Team/Group Team/Group
Production Staging Dev/UAT
Core/Shared
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team Shared
Dev Shared

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Shared by tier
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team/Group Team/Group Team/Group Team/Group Team/Group
Production Staging Dev/UAT
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Core/Shared
Team
Core/Shared
Dev
Core/Shared

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
A different approach
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team Dev Team Dev Team Dev Team Dev Team Dev
Core/Shared
Team
Core/Shared
Dev
Core/Shared
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team Stg Team Stg Team Stg Team Stg Team Stg
Team Prod Team Prod Team Prod Team Prod Team ProdProduction
Dev/UAT
Staging
Production
Core/Shared
Staging
Core/Shared

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Your own additions
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team Dev Team Dev Team Dev Team Dev Team Dev
Team Stg Team Stg Team Stg Team Stg Team Stg
Team Prod Team Prod Team Prod Team Prod Team ProdProduction
Dev/UAT
Staging
PersonalPersonal PersonalPersonal PersonalPersonalPersonal PersonalPersonal Personal
PersonalPersonal PersonalPersonal PersonalPersonalPersonal PersonalPersonal Personal
Personal
Shared
Dev
Core/Shared
Staging
Core/Shared
Production
Core/Shared

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS account
Security/Resource
Boundary
API
Limits/Throttling
Billing Separation

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why one account isn’t enough
Billing
Many teams
Security/compliance
controls
Business process
Isolation

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Goals
Guardrails NOT Blockers Auditable Flexible
Automated Scalable Self-service

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Account security considerations
Baseline requirements
Lock
Enable
Define
Federate
Establish
Identify

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What accounts should I create?
Security Shared services Billing
Dev ProductionSandbox OtherPreproduction
Organizations account
Log archive Network

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Organizations Master
AWS Organizations Master
Network path
Datacenter
No connection to datacenter
Service control policies
Consolidated billing
Volume discount
Minimal resources
Limited access
Restrict Orgs role!

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
SCP: Stop CloudTrail from being disabled
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": ”cloudtrail:StopLogging",
"Resource": "*"
}
]
}

28. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCP: No internet gateway for Amazon VPC
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:AttachInternetGateway”,
“ec2:CreateInternetGateway”,
“ec2:AttachEgressOnlyInternetGateway”,
“ec2:CreateVpcPeeringConnection”,
“ec2:AcceptVpcPeeringConnection"
],
"Resource": "*"
}
]

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Core accounts
Core accounts
AWS Organizations Master
Network path
Datacenter
Foundational
Building blocks
Once per organization
Have their own development
life cycle (Dev/QA/Prod)

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Log archive account
Core accounts
AWS Organizations Master
Log archive
Network path
Datacenter
Versioned Amazon S3 bucket
Restricted
MFA delete
CloudTrail logs
Security logs
Single source of truth
Alarm on user login
Limited access

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Security account
Core accounts
AWS Organizations Master
Log archive
Network path
Datacenter
Optional datacenter
connectivity
Security tools and audit
GuardDuty Master
Cross-account read/write
Automated Tooling
Limited access
Security

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Shared services account
Security
Core accounts
AWS Organizations Master
Log archive
Network path
Datacenter
Connected to datacenter
DNS
LDAP/Active Directory
Shared Services VPC
Deployment tools
Golden AMI
Pipeline
Scanning infrastructure
Inactive instances
Improper tags
Snapshot life cycle
Monitoring
Limited access
Shared
services

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network account
Security
Core accounts
AWS Organizations Master
Shared
services
Log archive
Network path
Datacenter
Managed by network
team
Networking services
AWS Direct Connect
Limited access
Network

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Developer sandbox
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive
Network path
No connection to
datacenter
Innovation space
Fixed spending limit
Autonomous
Experimentation
Developer
sandbox
Developer accounts

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Team/group accounts
Developer
sandbox
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive
Network path
Developer accounts Datacenter
Based on level of needed
isolation
Match your development
life cycle
Think small
Team/Group accounts

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Dev
Developer
sandbox
Team/Group accounts
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive
Network path
Developer accounts Datacenter
Develop and iterate
quickly
Collaboration space
Stage of SDLCDev

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Preproduction
Developer
sandbox
Dev
Team/Group accounts
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive
Network path
Developer accounts Datacenter
Connected to datacenter
Production-like
Staging
Testing
Automated deployment
Preproduction

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Production
Developer
sandbox
Dev Preproduction
Team/Group accounts
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive
Network path
Developer accounts Datacenter
Connected to datacenter
Production applications
Promoted from
preproduction
Limited access
Automated deployments
Production

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Team shared services
Developer
sandbox
Dev Preproduction
Team/Group accounts
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive Production
Network path
Developer accounts Datacenter
Grows organically
Shared to the team
Product-specific common
services
Data lake
Common tooling
Common services
Team shared
services

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Innovation pipeline
Developer
accounts
Developer accounts
PoC
Developer
accounts
Developer accounts
Dev
Preproduction
Team/Group accounts
Production
Shared
services
PoC
New initiatives
Experimentation
Innovation

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Special/exception
Be flexible
Regulatory/compliance
Additional isolation/security controls (PCI)

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi-account approach
Developer
sandbox
Dev Preproduction
Team/Group accounts
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive Production
Team shared
services
Network path
Developer accounts Datacenter
Orgs: Account management
Log Archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: Direct Connect
Dev Sandbox: Experiments, learning
Dev: Development
Preproduction: Staging
Production: Production
Team SS: Team shared services, data lake

43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Team: Billing tools
Developer
sandbox
Dev Preproduction
Billing Tools Team accounts
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive Production
Network path
Developer accounts Datacenter
Reduces access to
Organizations account
Billing reports
Usage metrics and reporting
Usage optimizations and RI
management

44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Team: Internal audit
Developer
sandbox
Dev Preproduction
Internal Audit Team accounts
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive Production
Network path
Developer accounts Datacenter
Regulatory compliance
Read-only access to needed
logs
Limited access
ENT315: Automate and Audit
Cloud Governance and
Compliance in your Landing
Zone

45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Team: Amazing new product
Developer
sandbox
Dev Preproduction
Amazing New Product Team accounts
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive Production
Network path
Developer accounts Datacenter
Match your development
life cycle
Think small

46. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi-account approach
Developer
sandbox
Dev Preproduction
Team/Group accounts
Security
Core accounts
AWS Organizations
Shared
services
Network
Log archive Production
Team shared
services
Network path
Developer accounts Datacenter
Orgs: Account management
Log archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: Direct connect
Dev sandbox: Experiments, learning
Dev: Development
Preproduction: Staging
Production: Production
Team SS: Team shared services, data lake

48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
QA/Staging for the Landing Zone
Developer
sandbox
Dev Preproduction
Team/Group accounts
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive Production
Team shared
services
Network path
Developer accounts Datacenter
Test Landing Zone changes
Another Landing Zone

49. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Forensics
Developer
sandbox
Dev Preproduction
Team/Group accounts
Security
Core accounts
AWS Organizations Master
Shared
services
Network
Log archive Production
Team shared
services
Network path
Developer accounts Datacenter
Isolated forensics area
Nearly invisible
Landing Zone with a twist

50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Next steps
Define tagging strategy
Define automation strategy
Create Organizations Master account
Create log archive account
Create security account
Create shared services account
Create developer sandbox account(s)

51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Action plan
Create Organizations Master account
• Create temporary Amazon S3 bucket for CloudTrail logs
• Enable CloudTrail locally
• Enable organizations full feature
Create log archive account
• Create bucket(s) for security logs (CloudTrail, AWS Config)
• Enable MFA delete
• Enable versioning
• Define limited access bucket policy
• Add SCP to prevent Amazon S3:delete
• Backfill: Enable CloudTrail in organizations master account
to send logs to log archive account
• Backfill: Copy CloudTrail logs for actions that happened
between Organizations Master creation and log archive
Create security account
• Backfill: Cross-account roles with trust to security account for
organizations master and log archive
• Read-only role
• Read/write role (fewer permissions for assumption)
• <CommonCheckList>
• Create security tooling/Lambda functions for security checks
Create shared services account
• <CommonCheckList>
• Connect via DX/VPN to datacenter
• Launch common services
• Directory services
• Limit monitoring
Create AWS Network account
• Order your Direct Connect
• <CommonCheckList>

52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Common checklist
• Secure Root credentials
MFA
• OTP
• U2F could make this easier for managing them
• https://aws.amazon.com/blogs/security/how-to-
create-and-manage-users-within-aws-sso/
• Complex password
• Establish rotation policy
• Link to Organizations Master account if not already a
member
• Use group email/phone as the contact info
• Enable CloudTrail in all regions, send to log archive
account
• Enable GuardDuty in all regions.
• Security account as GuardDuty master
• Operationalize the findings
• Enable AWS Config, send to log archive account
• Enable appropriate AWS Config rules
• Amazon S3 bucket encryptions
• Amazon S3 world read/write
• Amazon EBS encryption, etc...
• Create read-only cross-account security role
• Create read/write cross-account security role
• Create VPC (non-overlapping IP space)
• Enable federation into account
• http://federationworkshopreinvent2016.s3-website-us-
east-1.amazonaws.com/
• Define roles and access policies
• Peer/Privatelink VPC with Shared Services
• Add a policy for prefix naming conditions to every
account—For example, deny access to Lambda functions
that start with “security*”
• Review CIS Foundations Benchmark and leverage as
appropriate

53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup
of new AWS multi-account environments
Based on AWS best
practices and
recommendations
Initial security
and governance controls
Baseline accounts
and account
vending machine
Automated
deployment

54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Landing Zone structure: Basic
AWS Organizations
Shared Services Log Archive Security
Organizations Account
• Account provisioning
• Account access (SSO)
Shared services account
• Active Directory
• Log analytics
Log archive
• Security logs
Security account
• Audit/Break-glass
Parameter
store

55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Account vending machine
AWS
service catalog
Account vending machine (AWS service catalog)
• Account creation factory
• User Interface to create new accounts
• Account baseline versioning
• Launch constraints
Creates/updates AWS account
Apply account baseline stack sets
Create network baseline
Apply account security control policy
Account vending
machine
AWS
Organizations
Security
AWS
Log archive
AWS
Shared services
AWS
AWS
New AWS

56. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Next steps
Define tagging strategy
Define automation strategy
Create Organizations Master account
Create Log Archive account
Create Security account
Create Shared Services account
Create developer sandbox account(s)

57. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Action Plan
Create Organizations Master account
• Create temporary Amazon S3 bucket for CloudTrail logs
• Enable CloudTrail locally
• Enable organizations full feature
Create Log Archive account
• Create bucket(s) for security logs (CloudTrail, AWS Config)
• Enable MFA delete
• Enable versioning
• Define limited access bucket policy
• Add SCP to prevent Amazon S3:delete
• Backfill: Enable CloudTrail in organizations master account
to send logs to log archive account
• Backfill: Copy CloudTrail logs for actions that happened
between Organizations Master creation and log archive
Create Security account
• Backfill: cross-account roles with trust to security account for
organizations master and log archive
• Read-only role
• Read/Write role (fewer permissions for assumption)
• <CommonCheckList>
• Create security tooling/Lambda functions for security checks
Create Shared Services account
• <CommonCheckList>
• Connect via DX/VPN to datacenter
• Launch common services
• Directory services
• Limit monitoring
Create AWS Network account
• Order your Direct Connect
• <CommonCheckList>

58. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Common Checklist
• Secure root credentials
MFA
• OTP
• U2F could make this easier for managing them
• https://aws.amazon.com/blogs/security/how-to-
create-and-manage-users-within-aws-sso/
• Complex password
• Establish rotation policy
• Link to Organizations Master account if not already a
member
• Use group email/phone as the contact info
• Enable CloudTrail in all regions, send to Log Archive
account
• Enable GuardDuty in all regions.
• Security Account as GuardDuty master
• Operationalize the findings
• Enable AWS Config, send to log archive account
• Enable appropriate AWS Config rules
• Amazon S3 bucket encryptions
• Amazon S3 world read/write
• Amazon EBS encryption etc...
• Create read-only cross-account Security role
• Create read/write cross-account Security role
• Create VPC (non-overlapping IP space)
• Enable federation into account
• http://federationworkshopreinvent2016.s3-website-us-
east-1.amazonaws.com/
• Define roles and access policies
• Peer/Privatelink VPC with shared services
• Add a policy for prefix naming conditions to every
account—For example, deny access to Lambda functions
that start with “security*”
• Review CIS Foundations Benchmark and leverage as
appropriate

59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Putting it all together
Policy
enforcement
AWS Landing
Zone
Policy
deployment
Notification Remediation
Account metadata: Owner, Function,
Policies, BU, SDLC, Cost Center, etc.
Prod
• Encrypt EBS
• No IGW
• Guardrail “x”
QA
• Encrypt EBS
• Guardrail “x”
• Guardrail “y”
Policy “p”
• Encrypt EBS
• No IGW
• Guardrail “y”

60. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Control Tower
Set up and govern a secured, compliant, multi-account AWS environment

61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Introducing AWS Control Tower (preview)
Consistentandsimplemulti-account management
Automated AWS setup
Launch an automated
Landing Zone with best-
practices blueprints
Policy enforcement
Prepackaged guardrails to
enforce policies or detect
violations
Dashboard for oversight
Continuous visibility into
workload compliance with
controls

62. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Key Features and Benefits
Account Setup
Automated, secure, and scalable
Landing Zone
Multi-account management using
AWS Organizations
Central logging and multi-account
configuration consistency
Built-in best practices
Multi-account preventive and
detective guardrails
Easy to use dashboard and
notifications
Curated rules in plain EnglishAccount provisioning wizard
Guardrails
Landing
Zone

63. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Leo Zhadanovsky
@leozh