In this session, we discuss how to deploy a scalable environment that considers the AWS account structure, security services, network architecture, and user access. We present an overview of the AWS Landing Zone solution, an automated solution for setting up a robust and flexible AWS environment designed from the collective experience of AWS and our customers. The AWS Landing Zone helps automate the setup of a flexible account structure, security baseline, network structure, and user access based on best practices. Future growth is facilitated by an account vending machine component that simplifies the creation of additional accounts. Learn how the AWS Landing Zone can ensure that you start your AWS journey with the right foundation. We encourage you to attend the full AWS Landing Zone track, including SEC303. Search for #awslandingzone in the session catalog.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Landing Zone Deep Dive
Hitendra Nishar
Solutions Builder
AWS
E N T 3 5 0
Lalit Grover
Solutions Builder
AWS
Brandon Bouier
Solutions Architect
AWS
Sherry Fairbank
Business Development
AWS

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to expect in this session
Chalk Talks are intended to be highly interactive.
There will be a ~15 minute presentation, followed by a ~45 minute
Q&A session.
The goal is to foster a technical discussion around real-world
architecture challenges.

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
So that we can tailor our discussion…
Please raise your hand if you:
Are familiar with the AWS multi-account strategy
Are familiar with the AWS Landing Zone solution
Have the following number of AWS accounts:
1 to 5 6 to 10 10 to 100 100+

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What do customers want to do on AWS?
focus on what
differentiates
ideation to
instantiation
secure and compliant
environment

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What do customers want to do on AWS?
meets the organization’s
security and auditing
requirements
ready to support
highly available and
scalable workloads
configurable to
support evolving
business requirements

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customers are faced with …
many
design decisions
the need to configure
multiple accounts &
services
establishing
a security baseline &
governance

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Account security considerations
Baseline Requirements
Lock
Enable
Define
Federate
Establish
Identify

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network architecture considerations
AWS Services in
Your VPC
VPC Endpoints for
Amazon S3
DNS in-VPC with
Amazon Route 53
Logging VPC Traffic
with VPC Flow Logs
VPC VPC VPC VPC

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-account approach
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
AWS Organizations
Shared
Services
Network
Log Archive Prod
Team Shared
Services
Developer Accounts Data Center
Orgs: Account management
Logging: Centralized logs
Security: AWS config rules, security tools
Shared services: Directory, DNS, limit
monitoring
Billing Tooling: Cost monitoring
Sandbox: Experiments
Dev: Development
Pre-Prod: Staging
Prod: Production

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
You need a “Landing Zone”
• A configured, secure, scalable, multi-account AWS environment
based on AWS best practices
• A starting point for net new development and experimentation
• A starting point for customers’ application migration journey
• An environment that allows for iteration and extension over time
H

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup
of new AWS multi-account environments
Based on AWS best
practices and
recommendations
Initial security
and governance
controls
Baseline accounts
and account
vending machine
Automated
deployment

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What you get with the AWS Landing Zone
• Framework for creating and baselining a multi-account environment
• Initial multi-account structure including security, audit, & shared service requirements
• An account vending machine that enables automated deployment of additional
accounts with a set of security baselines
Account Management
• User account access managed through AWS SSO federation
• Cross-account roles enable centralized management
Identity &
Access Management
• Multiple accounts enable separation of duties
• Initial account security and AWS Config rules baseline
• Network baseline
Security & Governance

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Landing Zone structure - basic
AWS Organizations
Shared Services Log Archive Security
Organizations Account
• Account Provisioning
• Account Access (SSO)
Shared Services Account
• Active Directory
• Log Analytics
Log Archive
• Security Logs
Security Account
• Audit / Break-glass
Parameter
store

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Landing Zone structure – with optional Add-Ons
AWS Organizations
Shared Services Log Archive Security
Organizations Account
• Account Provisioning
• Account Access (SSO)
Shared Services Account
• Active Directory
• Log Analytics
Log Archive
• Security Logs
Security Account
• Audit / Break-glass
Parameter
store

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Account Vending Machine
AWS
Service Catalog
Account Vending Machine (AWS Service Catalog)
• Account creation UI
• Account baseline versioning
• Launch constraints
Creates/updates AWS account
Apply account baseline stack sets
Create network baseline
Apply account security control policy
Account Vending
Machine
AWS
Organizations
Security
AWS
Log Archive
AWS
Shared Services
AWS
AWS
New AWS

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Easily add on to your implementation
These Add-On services enable:
• Partners, ISVs to build and share new solutions with customers
• Customers to create new solutions to add onto their own deployment
Add-Ons available today:
• AWS Active Directory
• Active Directory Connector for SSO
• Centralized Logging Solution

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Frequently Asked Questions
• How do I get access to the AWS Landing Zone?
• How much does the solution cost?
• How long does it take to deploy the solution?
• Can we customize the solution (i.e., with logging, AD, etc.)
• In which regions is the solution available?
• Where can we learn more?
• I have an existing AWS account, can I bring that into the solution?

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Request AWS follow up
https://bit.ly/2Cv6Qsq

21. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sherry Fairbank
shefai@amazon.com

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Landing Zone Track: search: awslandingzone
Architecture:
SEC303: Architecting Security & Governance across your AWS Landing Zone (Session)
ENT315: Automate & Audit Cloud Governance & Compliance in Your Landing Zone (Session)
Implementation:
ENT350: AWS Landing Zone Deep Dive (Chalk Talk)
SEC349: Governance at Scale (Chalk Talk)
ENT318: Landing Zone Design: What to Do When Your Company Splits in Half (Session)
Workshops (First three are same content):
ENT351: Enterprise Governance: Build Your AWS Landing Zone (Workshop)
SEC315: Enterprise Governance and Security - Build Your AWS Landing Zone (Workshop)
GPSWS407A: Automated Solution for Deploying AWS Landing Zone (Workshop/Partners)
SEC334: Operational Excellence for Identity & Access Management (Workshop)
Summary/Feedback:
SEC360: AWS Landing Zone Strategies (Chalk Talk)

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Learn More
Web page explains solution
benefits and structure
30-minute webcast overview
Link to form to have AWS follow
up to help you with solution
www.aws.amazon.com/answers/aws-landing-zone

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Landing Zone pricing
No additional charge for the AWS Landing Zone solution.
Customers are responsible for the charges of the underlying
services (e.g., AWS Config, AWS CloudTrail, etc.).
Cost for the basic solution: ~$200 / month
Monthly cost for optional add-ons:
• Centralized logging solution: <$400
• Directory Connector: <$50
• AWS Managed AD plus Remote Desktop Gateway: ~$300