Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Automated Solution for Deploying AWS Landing Zone
GPSWS407

Jim Huang, Partner Solutions Architect, AWS
Lalit Grover, Solutions Builder, AWS
Hitendra Nishar, Solutions Builder, AWS

Register for workshop
http://lz-workshop.us-west-2.elasticbeanstalk.com
Workshop materials and the login password will be sent via email.

Agenda
• Why do you need a landing zone
• Understand the AWS Landing Zone design and automation
• Demo & Lab 1: Tour of AWS Landing Zone deployment and functions
• Demo & Lab 2: Creating a new AWS account via the AWS Account Vending Machine (AVM)
• Demo & Lab 3: Extending the Landing Zone via the Landing Zone add-on feature

Customers are faced with
• Many design decisions
• Need to configure multiple accounts & services
• Establish security baseline & governance

Why one account isn’t enough
• Billing
• Many teams
• Security/compliance controls
• Business process
• Isolation

Multi-account approach
[Diagram: AWS Organizations managing core accounts (Security, Shared services, Network, Log archive), team/group accounts (Dev, Pre-Prod, Prod, Team shared services) and developer accounts (Developer sandbox), with the Network account connected to the data center]
Orgs: Account management
Log Archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: AWS Direct Connect
Dev sandbox: Experiments, learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team shared services, data lake

The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup of new AWS multi-account environments
• Based on AWS best practices and recommendations
• Initial security and governance controls
• Baseline accounts and AWS Account Vending Machine
• Automated deployment

What you get with the AWS Landing Zone
Account management
• Framework for creating and baselining a multi-account environment
• Initial multi-account structure that includes security, audit, and shared service requirements
• An AWS Account Vending Machine that enables automated deployment of additional accounts with a set of security baselines
Identity & access management
• User account access managed through AWS Single Sign-On federation
• Cross-account roles enable centralized management
Security & governance
• Initial account security and AWS Config rules baseline
• Amazon GuardDuty enabled in all regions
• Network baseline
Solution extensibility
• Add on to your AWS Landing Zone deployment

AWS Landing Zone structure – Basic
[Diagram: AWS Organizations account with Shared services, Log archive and Security accounts; configuration held in Parameter Store]
AWS Organizations account
• Account provisioning
• Account access (AWS SSO)
Shared services account
• Active Directory
• Log analytics
Log archive account
• Security logs
Security account
• Audit/break-glass

AWS Landing Zone structure – With optional add-ons
[Diagram: AWS Organizations account with Shared services, Log archive and Security accounts and the optional add-ons; configuration held in Parameter Store]
Organizations account
• Account provisioning
• Account access (AWS SSO)
Shared services account
• Active Directory
• Log analytics
Log archive account
• Security logs
Security account
• Audit/break-glass

Account baseline
[Diagram: the baseline is deployed into each account with AWS CloudFormation]
• AWS CloudTrail – CloudTrail to local and log archive Amazon Simple Storage Service (Amazon S3) buckets
• AWS Config – Configuration data forwarded to the log archive Amazon S3 bucket
• AWS Config rules – Resource security rules (EBS encryption, and more)
• Amazon GuardDuty – Associate member to the GuardDuty master
• AWS Identity and Access Management (IAM) roles and policies – Security admin and read-only roles
• IAM password policy – Password complexity required
• Notifications – CloudTrail API activity alarm
• Amazon Virtual Private Cloud (Amazon VPC) infrastructure – Options for multi-AZ, multi-subnet

The Landing Zone pipeline
[Diagram: AWS CodePipeline stages – Source (Landing Zone zip file containing the manifest file and AWS CloudFormation templates, held in a core Amazon S3 bucket), Validate/Build/Test (AWS CodeBuild), Deploy core account structure (AWS Organizations), Deploy core resources (AWS CloudFormation StackSets for logging and security credentials), Deploy AWS Service Catalog portfolio/products (AWS Service Catalog), Deploy baseline resources (AWS account baseline StackSets), Launch AVM for core accounts (AWS Service Catalog, producing the vended accounts)]

Key solution components
AWS Landing Zone infrastructure as code
• Configuration templates define: core account structure, service control policies, service baseline resources, AWS Service Catalog portfolios/products.
• Enable developers to change or extend the Landing Zone implementation.
Implementation with AWS CloudFormation templates & StackSets
• Out-of-the-box example Landing Zone implementation to get started quickly. Includes core accounts for security, log audit, and shared services.
Deployment orchestration with AWS CodePipeline and AWS Step Functions
• Enable CI/CD; control event sequencing and synchronization

Key solution components (cont.)
Account baseline
• Provides guardrails for preventive controls, detective controls, and remediation
• Applied to different organizational units and accounts
The AWS Account Vending Machine
• Allows users to create new accounts through AWS Service Catalog
• New accounts are baselined automatically
Add-on to your AWS Landing Zone deployment
• Extend with optional add-on capabilities through AWS Service Catalog

Landing Zone – Control types (guardrail types)
Preventive controls
• Prohibit or restrict users from disabling or deleting the baseline controls; for example, an SCP that prevents deleting or disabling CloudTrail/AWS Config
Detective controls
• Monitor resources for compliance and alert when a resource goes out of compliance; for example, AWS Config rules that monitor Amazon S3 server-side encryption for all S3 buckets created in an account
Remediation
• Take corrective action to remediate out-of-compliance resources and bring them back to a compliant state; for example, an SSM document triggered from an AWS Config rule to enable Amazon S3 server-side encryption on an out-of-compliance S3 bucket
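As an added illustration of the preventive and detective guardrails above (example code written for this page, not the AWS Landing Zone solution's own templates): a service control policy that denies the CloudTrail and AWS Config actions needed to switch the baseline off, with a small matcher showing which calls it blocks, and the verdict logic a custom AWS Config rule would apply to an S3 bucket's default-encryption setting. The policy Sid and the configuration-item layout are assumptions; the IAM action names are real.

```python
import fnmatch
import json

# Preventive control: an SCP denying the actions that disable or delete the
# CloudTrail / AWS Config baseline. Action names are real IAM actions; the
# Sid is constructed for this example.
PROTECT_BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingBaselineLogging",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
            "cloudtrail:UpdateTrail", "config:DeleteConfigurationRecorder",
            "config:DeleteDeliveryChannel", "config:StopConfigurationRecorder",
        ],
        "Resource": "*",
    }],
}


def scp_denies(policy, action):
    """True if a Deny statement matches the IAM action (wildcards supported;
    IAM's case-insensitive matching is omitted for brevity)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] == "Deny" and any(
                fnmatch.fnmatchcase(action, pat) for pat in actions):
            return True
    return False


def evaluate_s3_encryption(configuration_item):
    """Detective control: the verdict a custom AWS Config rule returns for an
    AWS::S3::Bucket configuration item. Assumes default encryption is recorded
    under supplementaryConfiguration.ServerSideEncryptionConfiguration, which
    Config may deliver as a JSON string."""
    if configuration_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE"
    sse = configuration_item.get("supplementaryConfiguration", {}).get(
        "ServerSideEncryptionConfiguration")
    if isinstance(sse, str):
        sse = json.loads(sse)
    for rule in (sse or {}).get("rules", []):
        default = rule.get("applyServerSideEncryptionByDefault") or {}
        if default.get("sseAlgorithm") in ("AES256", "aws:kms"):
            return "COMPLIANT"
    return "NON_COMPLIANT"  # a remediation (e.g. SSM document) starts here
```

Attaching the policy to an OU makes the Deny apply to every principal in the member accounts, including their root users; the rule function is the part that would run inside a custom Config rule's Lambda before calling put_evaluations.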

Introduction to the AWS Landing Zone’s add-on products for AWS SSO
Access via AWS SSO
• AWS managed Microsoft Active Directory in the shared services account
• AD Connector in the master account
• AWS SSO configured with permission sets
• AD users log in from the AWS SSO URL to access the Landing Zone accounts
[Diagram: users sign in at the AWS SSO endpoint in the AWS Organizations account (us-east-1); an AWS Directory Connector reaches the AWS Managed AD in the shared services account (eu-west-1) over Amazon VPC peering, giving federated access to AWS accounts in all regions]

The AWS Landing Zone deployment
Demo 1 (by presenter)
• StackSets that implement the account baseline
• Effect of enabled Config rules
• Multi-account structure under Organizations
• Logging and aggregation in the Log Archive account
Lab 1 (by attendees with Lab 1 Guide)
• Review of GuardDuty setup and run-time status

What is the Account Vending Machine (AVM)?
An AWS Service Catalog product that allows customers to create new AWS accounts in Organizational Units (OUs) preconfigured with an account security baseline and a predefined network.

Account Vending Machine architecture
Account Vending Machine (AWS Service Catalog)
• Account creation UI
• Account baseline versioning
• Launch constraints
Launching the product:
• Creates/updates the AWS account
• Applies the account baseline stack sets
• Creates the network baseline
• Applies the account security control policy
[Diagram: AWS Service Catalog launches the Account Vending Machine, which creates the new AWS account through AWS Organizations and connects it to the Security, Log archive and Shared services accounts]

Demo 2 (by presenter)
• Access the new AWS account via AWS SSO
• Review the account baseline in the AWS CloudFormation console
• Examine Config rule status
Lab 2 (by attendees with Lab 2 Guide)
• Launch the AVM from the Service Catalog console in the master account
• Verify the service control policy baseline
• View the StackSets that created the new AWS account
• Configure AWS SSO to access the new AWS account

Easily add on to your implementation
Easily add new optional services into your existing AWS Landing Zone deployment. These add-on services enable:
• Partners and ISVs to build and share new solutions with customers
• Customers to create new solutions to add onto their own deployment

Two AWS Landing Zone add-ons available today
• AWS Active Directory, remote desktop gateway, and Active Directory Connector for AWS SSO
• Centralized logging solution

Add-on deployment workflow
[Diagram: the master AWS Landing Zone configuration zip file in the customer bucket is combined with a partner add-on configuration zip file from the partner bucket and an ISV add-on configuration zip file from the ISV bucket, each landing in the customer bucket]

Launch add-on product
In combination with AWS managed services and Amazon Elasticsearch Service, this solution offers customers a highly available, turnkey environment to begin logging and analyzing their AWS environment and applications.

The AWS Landing Zone pipeline
[Diagram: AWS CodePipeline stages fed from the Landing Zone zip file (AWS Landing Zone master configuration) – Source, Validate/Build/Test (AWS CodeBuild), Deploy core account structure and policies (AWS Organizations; Organizations/SCP state machine), Deploy core resources (core StackSets; stack set state machine), Deploy Service Catalog portfolio/products (AWS Service Catalog; Service Catalog state machine), Deploy baseline resources (AWS account baseline stack sets; stack set state machine), Launch AVM for core accounts (AWS Service Catalog; launch AVM state machine). A state machine trigger Lambda function starts each state machine.]

Centralized logging add-on deployment flow
[Diagram: the Landing Zone zip file feeds AWS CodePipeline in the AWS Organizations account, which holds the AWS Landing Zone master configuration; the “CoreResource” stage (AWS Step Functions) deploys into the Shared Services account and the “LaunchAVM” stage (AWS Step Functions) deploys into all other accounts, in numbered steps 1 to 3]

Back to demo

Benefits of the AWS Landing Zone
• Automated
• Scalable
• Self-service
• Guardrails, not blockers
• Auditable
• Flexible

AWS Landing Zone track (search: awslandingzone)
Architecture:
• SEC303: Architecting Security & Governance Across Your AWS Landing Zone (Session)
• ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session)
Implementation:
• ENT350: AWS Landing Zone Deep Dive (Chalk Talk)
• SEC349: Governance at Scale (Chalk Talk)
• ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session)
Workshops (the first three share the same content):
• ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop)
• SEC315: Enterprise Governance and Security—Build Your AWS Landing Zone (Workshop)
• GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners)
• SEC334: Operational Excellence for Identity & Access Management (Workshop)
Summary/feedback:
• SEC360: AWS Landing Zone Strategies (Chalk Talk)

Thank you!
Jim Huang, Partner Solutions Architect, AWS
jimhuan@amazon.com