Whether it is per business unit or per application, many AWS customers use multiple accounts to meet their infrastructure isolation, separation of duties, and billing requirements. In this session, learn about the considerations, limitations, and security patterns of building a multi-account strategy. Get insight into topics such as thought pattern, identity federation, cross-account roles, consolidated logging, and account governance. Finally, see an enterprise-ready landing zone framework and the background needed to implement an AWS Landing Zone using AWS Control Tower and AWS Organizations.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Security and governance with AWS
Control Tower and AWS Organizations
Ryan Malecky
Senior Solutions Architect
Amazon Web Services
S E C 2 0 4

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Agenda
An enterprise-ready landing zone framework
Action plan and checklist
AWS Control Tower overview

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Old world IT
Bob – IT and security guy Developers

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Old world IT: Scale
More Bobs More developers

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The cloud makes this easier!
Same Bobs More developers!

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
One account: Isolation with AWS Identity and Access
Management (IAM) and Amazon Virtual Private Cloud
(Amazon VPC)
Gray boundaries
Complicated and messy over time
Difficult to track resources
People stepping on each other
Everything

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Separate developer account
Still can’t track resources or spend
Still have isolation and blast radius concerns
Developers are still stepping on each other
Bob now has to manage IAM and VPCs here too
Development Production

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The problem
On-premises posture for the cloud
Inheriting ideas from data center days
Management and Operations don’t trust developers with full access
Developers want to work—really!
DevOps is a great idea
Doesn’t work when Operations is in the way

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
A new solution: We need the following
• Access to AWS services without barriers
• Ability to fail fast without collateral damage
• Smaller blast radius
• Operations team → Cloud architects
• Everyone able to influence digital transformation
• Costs and resources tracked to individuals and teams
• Optimized code for AWS

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Where do we start? With developer accounts
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Where do we start? With team accounts
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team or
group
Team or
group
Team or
group
Team or
group
Team or
group
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Where do we start? With Operations accounts
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team or
group
Team or
group
Team or
group
Team or
group
Team or
group
Production Staging Development
and UAT
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Where do we start? With shared services
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team or
group
Team or
group
Team or
group
Team or
group
Team or
group
Production Staging Development
and UATCore shared
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What are core shared accounts?
Security
Shared services Log archive
Network
Core shared

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Shared by tier
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team or
group
Team or
group
Team or
group
Team or
group
Team or
group
Production Staging Development
and UATCore shared
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team shared
Development
shared

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Shared by tier
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team or
group
Team or
group
Team or
group
Team or
group
Team or
group
Production Staging Development
and UAT
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DevelopDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Core shared
Team core
shared
Development
core shared

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
A different approach
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team Dev Team Dev Team Dev Team Dev Team Dev
Core shared
Team core
shared
Development
core shared
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team Stg Team Stg Team Stg Team Stg Team Stg
Team Prod Team Prod Team Prod Team Prod Team Prod
Production
Development
and UAT
Staging
Production core
shared
Staging
core shared

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Your own additions
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
DeveloperDeveloper DeveloperDeveloper DeveloperDeveloperDeveloper DeveloperDeveloper Developer
Team Dev Team Dev Team Dev Team Dev Team Dev
Team Stg Team Stg Team Stg Team Stg Team Stg
Team Prod Team Prod Team Prod Team Prod Team Prod
Production
Development
and UAT
Staging
PersonalPersonal PersonalPersonal PersonalPersonalPersonal PersonalPersonal Personal
PersonalPersonal PersonalPersonal PersonalPersonalPersonal PersonalPersonal Personal
Personal
shared
Development
core shared
Staging
core shared
Production core
shared

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS account
Security and resource
boundary
API limits and
throttling
Billing
separation

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why one account isn’t enough
Billing
Many teams
Security and
compliance controls
Business
process
Isolation

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Goals
Guardrails NOT blockers Auditable Flexible
Automated Scalable Self-service

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Account security considerations
Baseline requirements
Lock
Enable
Define
Federate
Establish
Identify

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What accounts should you create?
Security Shared services Billing
Development ProductionSandbox OtherPre-production
AWS Organizations account
Log archive Network

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Organizations Master
• No connection to
data center
• Service control
policies (SCPs)
• Consolidated billing
• Volume discount
• Minimal resources
• Limited access
• Restricted Organizations
role!
Organizations master
Network path
Data
center

25. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCP: Stop CloudTrail from being disabled
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": ”cloudtrail:StopLogging",
"Resource": "*"
}
]
}

26. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCP: No Internet gateway for Amazon VPC
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:AttachInternetGateway”,
“ec2:CreateInternetGateway”,
“ec2:AttachEgressOnlyInternetGateway”,
“ec2:CreateVpcPeeringConnection”,
“ec2:AcceptVpcPeeringConnection"
],
"Resource": "*"
}
]

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Core accounts
• Foundational
• Building blocks
• Once per
organization
• Their own
development
lifecycle
(development, QA,
production)
Core accounts
Organizations master
Network path
Data
center

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Log archive account
• Versioned Amazon
Simple Storage Service
(Amazon S3) bucket
• Restricted
• Multi-factor authentication
(MFA) delete
• CloudTrail logs
• Security logs
• Single source of truth
• Alarm on user login
• Limited access
Core accounts
Organizations master
Log archive
Network path
Data
center

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network path
Security account
• Optional
data center
connectivity
• Security tools
and auditing
• GuardDuty master
• Cross-account
read/write
(automated tooling)
• Limited access
Core accounts
Organizations master
Log archiveSecurity
Data
center

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network path
Shared services account
• Connection to
data center
• DNS
• LDAP and Active Directory
• Shared services VPC
• Deployment tools
• Golden Amazon Machine Image
(AMI)
• Pipeline
• Scanning infrastructure
• Inactive instances
• Improper tags
• Snapshot lifecycle
• Monitoring
• Limited access
Security
Core accounts
Organizations master
Log archive
Shared
services
Data
center

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network path
Network account
• Management by
network team
• Networking
services
• AWS Direct
Connect
• Limited access
Security
Core accounts
Organizations master
Shared
services
Log archive
Network
Data
center

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network path
Developer sandbox
• No connection to
data center
• Innovation space
• Fixed spending
limit
• Autonomy
• Experimentation
Security
Core accounts
Organizations master
Shared
services
Network
Log archive
Developer
sandbox
Developer accounts
Data
center

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network path
Team or group accounts
• Based on level of
needed isolation
• Match your
development
lifecycle
• Think small
Developer
sandbox
Security
Core accounts
Organizations master
Shared
services
Network
Log archive
Developer accounts
Team or group accounts
Data
center

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network path
Development
• Quick development
and iteration
• Collaboration
space
• Stage of software
development
lifecycle (SDLC)
Developer
sandbox
Team or group accounts
Security
Core accounts
Organizations master
Shared
services
Network
Log archive
Developer accounts
Development
Data
center

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network path
Pre-production
• Connection to data
center
• Similarity to
production
• Staging
• Testing
• Automated
deployment
Developer
sandbox
Development
Team or group accounts
Security
Core accounts
Organizations master
Shared
services
Network
Log archive
Developer accounts
Pre-production
Data
center

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network path
Production
• Connection to data
center
• Production
applications
• Promotion from
pre-production
• Limited access
• Automated
deployments
Developer
sandbox
Development Pre-production
Team or group accounts
Security
Core accounts
Organizations master
Shared
services
Network
Log archive
Developer accounts
Production
Data
center

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network path
Team shared services
• Organic growth
• Sharing to the team
• Product-specific
common services
• Data lake
• Common tooling
• Common services
Developer
sandbox
Development Pre-production
Team or group accounts
Security
Core accounts
Organizations master
Shared
services
Network
Log archive Production
Developer accounts
Team shared
services
Data
center

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Innovation pipeline
Developer
accounts
Developer accounts
PoC
Developer
accounts
Developer accounts
Development
Pre-production
Team or group accounts
Production
Shared
services
PoC
New initiatives
Experimentation
Innovation

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Special exception
Flexibility
Regulation and compliance
Additional isolation and security controls (PCI)

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi-account approach
Developer
sandbox
Development Pre-production
Team or group accounts
Security
Core accounts
Organizations master
Shared
services
Network
Log archive Production
Team shared
services
Developer accounts
Organizations: Account management
Log archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: AWS Direct Connect
Developer sandbox: Experiments, learning
Development: Development
Pre-production: Staging
Production: Production
Team shared services: Team shared services,
data lake
Network path
Data
center

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Team: Billing tools
• Reduced access to
Organizations
account
• Billing reports
• Usage metrics and
reporting
• Usage
optimizations and
Reserved Instance
(RI) management
Developer
sandbox
Development Pre-production
Billing tools team accounts
Security
Core accounts
Organizations master
Shared
services
Network
Log archive Production
Developer accounts
Network path
Data
center

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Team: Internal audit
• Regulatory
compliance
• Read-only access
to needed logs
• Limited access
• re:Invent 2018
ENT315: Automate
& Audit Cloud
Governance &
Compliance in Your
Landing ZoneDeveloper
sandbox
Development Pre-production
Internal audit team accounts
Security
Core accounts
Organizations master
Shared
services
Network
Log archive Production
Developer accounts
Network path
Data
center

43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Team: Amazing new product
• Match your
development
lifecycle
• Think small
Developer
sandbox
Development Pre-production
Amazing new product team accounts
Security
Core accounts
Organizations master
Shared
services
Network
Log archive Production
Developer accounts
Network path
Data
center

44. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi-account approach
Developer
sandbox
Development Pre-production
Team or group accounts
Security
Core accounts
Organizations
Shared
services
Network
Log archive Production
Team shared
services
Developer accounts
Organizations: Account management
Log archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: AWS Direct Connect
Developer sandbox: Experiments, learning
Development: Development
Pre-production: Staging
Production: Production
Team shared services: Team shared services,
data lake
Network path
Data
center

46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
QA and staging for the landing zone
Developer
sandbox
Development Pre-production
Team or group accounts
Security
Core accounts
Organizations master
Shared
services
Network
Log archive Production
Team shared
services
Developer accounts
Test landing zone changes
Another landing zone
Network path
Data
center

47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Forensics
Developer
sandbox
Development Pre-production
Team or group accounts
Security
Core accounts
Organizations master
Shared
services
Network
Log archive Production
Team shared
services
Developer accounts
Isolated forensics area
Nearly invisible
Landing zone with a twist
Network path
Data
center

48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Next steps
• Define tagging strategy
• Define automation strategy
• Create Organizations master account
• Create log archive account
• Create security account
• Create shared services account
• Create developer sandbox accounts

49. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Action plan
Create Organizations master account
• Create temporary Amazon S3 bucket for CloudTrail
logs
• Enable CloudTrail locally
• Enable Organizations full feature
Create log archive account
• Create buckets for security logs (CloudTrail, AWS
Config)
• Enable MFA delete and versioning
• Define limited access bucket policy
• Add SCP to prevent s3:delete
• Backfill: Enable CloudTrail in Organizations master
account to send logs to log archive account
• Backfill: Copy CloudTrail logs for actions that
happened between Organizations master creation
and log archive
Create security account
• Backfill: Cross-account roles with trust to security account for
Organizations master and log archive
• Read-only role
• Read/write role (fewer permissions for assumption)
• <CommonCheckList>
• Create security tooling and AWS Lambda functions for security
checks
Create shared services account
• <CommonCheckList>
• Connect via AWS Direct Connect/VPN to data center
• Launch common services (directory services and limit
monitoring)
Create AWS network account
• Order your AWS Direct Connect
• <CommonCheckList>

50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Common checklist
• Secure root credentials
• MFA
• One-time password (OTP)
• Universal 2nd Factor (U2F) could make this easier for
management
https://aws.amazon.com/blogs/security/how-to-create-
and-manage-users-within-aws-sso/
• Complex password
• Establish rotation policy
• Link to Organizations master account if not already a
member
• Use group email and phone as the contact info
• Enable CloudTrail in all Regions, send to log archive
account
• Enable GuardDuty in all Regions
• Operationalize the findings from security account as
GuardDuty master
• Enable AWS Config, send to log archive account
• Enable appropriate AWS Config rules
• Amazon S3 bucket encryptions
• Amazon S3 world read/write
• Amazon EBS encryption (and others)
• Create read-only cross-account security role
• Create read/write cross-account security role
• Create VPC (non-overlapping IP space)
• Enable federation in account
http://federationworkshopreinvent2016.s3-website-us-
east-1.amazonaws.com/
• Define roles and access policies
• Peer or AWS PrivateLink VPC with shared services
• Add a policy for prefix naming conditions to every
account—e.g., deny access to Lambda functions that
start with security*
• Review CIS AWS Foundations Benchmark, and leverage
as appropriate

51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup
of new AWS multi-account environments
Based on AWS best
practices and
recommendations
Initial security
and governance controls
Baseline accounts
and account
vending machine
Automated
deployment

52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Landing Zone structure: Basic
AWS Organizations
Shared services Log archive Security
Organizations account
Account provisioning
Account access (SSO)
Shared services account
Active Directory
Log analytics
Log archive
Security logs
Security account
Audit, break-glass
Parameter
store

53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Account vending machine
• Account vending machine (AWS Service
Catalog)
• Account creation factory
• User interface to create new accounts
• Account baseline versioning
• Launch constraints
• Creation and update of AWS account
• Application of account baseline stack
sets
• Creation of network baseline
• Application of account SCP
AWS
Service
Catalog
Account
vending
machine
Organizations
Security
AWS
Log archive
AWS
Shared services
AWS
AWS
New AWS

54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Next steps
• Define tagging strategy
• Define automation strategy
• Create Organizations master account
• Create log archive account
• Create security account
• Create shared services account
• Create developer sandbox accounts

55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Action plan
Create Organizations master account
• Create temporary Amazon S3 bucket for CloudTrail
logs
• Enable CloudTrail locally
• Enable Organizations full feature
Create log archive account
• Create buckets for security logs (CloudTrail, AWS
Config)
• Enable MFA delete and versioning
• Define limited access bucket policy
• Add SCP to prevent s3:delete
• Backfill: Enable CloudTrail in Organizations master
account to send logs to log archive account
• Backfill: Copy CloudTrail logs for actions that
happened between Organizations master creation
and log archive
Create security account
• Backfill: cross-account roles with trust to security account for
Organizations master and log archive
• Read-only role
• Read/write role (fewer permissions for assumption)
• <CommonCheckList>
• Create security tooling and AWS Lambda functions for security
checks
Create shared services account
• <CommonCheckList>
• Connect via AWS Direct Connect/VPN to data center
• Launch common services (directory services and limit
monitoring)
Create AWS network account
• Order your AWS Direct Connect
• <CommonCheckList>

56. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Common checklist
• Secure root credentials
• MFA
• OTP
• U2F could make this easier for management
https://aws.amazon.com/blogs/security/how-to-create-
and-manage-users-within-aws-sso/
• Complex password
• Establish rotation policy
• Link to Organizations master account if not already a
member
• Use group email and phone as the contact info
• Enable CloudTrail in all Regions, send to log archive
account
• Enable GuardDuty in all Regions
• Operationalize the findings from security account as
GuardDuty master
• Enable AWS Config, send to log archive account
• Enable appropriate AWS Config rules
• Amazon S3 bucket encryptions
• Amazon S3 world read/write
• Amazon EBS encryption (and others)
• Create read-only cross-account security role
• Create read/write cross-account security role
• Create VPC (non-overlapping IP space)
• Enable federation into account
http://federationworkshopreinvent2016.s3-website-us-
east-1.amazonaws.com/
• Define roles and access policies
• Peer or AWS PrivateLink VPC with shared services
• Add a policy for prefix naming conditions to every
account—e.g., deny access to Lambda functions that
start with security*
• Review CIS AWS Foundations Benchmark, and leverage
as appropriate

57. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Policy
enforcement
AWS Landing
Zone
Policy
deployment
Notification Remediation
Account metadata: Owner, function, policies,
BU, SDLC, cost center, etc.
Production
• Encrypt Amazon EBS
• No internet gateway (IGW)
• Guardrail “x”
QA
• Encrypt Amazon EBS
• Guardrail “x”
• Guardrail “y”
Policy “p”
• Encrypt Amazon EBS
• No IGW
• Guardrail “y”
Putting it all together

58. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Introducing AWS Control Tower:
Consistent and simple multi-account management
Automated AWS setup
Launch an automated
landing zone with best-
practices blueprints
Policy enforcement
Pre-packaged guardrails to
enforce policies or detect
violations
Dashboard for oversight
Continuous visibility
into workload compliance
with controls

60. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Key features and benefits
Account setup
Automated, secure, and scalable
landing zone
Multi-account management using
Organizations
Central logging and multi-account
configuration consistency
Built-in best practices
Multi-account preventive and
detective guardrails
Easy-to-use dashboard and
notifications
Curated rules in plain EnglishAccount provisioning wizard
Guardrails
Landing
zone

61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Control Tower: Building blocks
AWS Control Tower
Account management Guardrail enforcement
AWS Security Hub
Landing zone
AWS Landing Zone AWS Organizations

62. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Control Tower’s automated landing zone
AWS Control Tower master account
AWS Control Tower
✓ AWS Organizations with master
and pre-created accounts for
central log archive and cross-
account audit
✓ Pre-configured directory and SSO
using AWS SSO (with Active
Directory custom option)
✓ Centralized monitoring and alerts
using AWS Config, CloudTrail, and
Amazon CloudWatch

63. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Account factory
• Account factory for controls
on account provisioning
• Pre-approved account baselines
with VPC options
• Pre-approved configuration options
• End-user configuration and
provisioning through AWS
Service Catalog
• Create and update AWS
accounts under
organizational units

64. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

65. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Q&A
Which should I use: AWS Organizations, AWS Landing Zone, or
AWS Control Tower?

66. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Q&A
Can I migrate from AWS Landing Zone to AWS Control Tower?

67. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Q&A
I need feature X, but AWS Control Tower doesn’t support it. What
should I do?

68. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ryan Malecky
rmalecky@amazon.com