cloud security for everyone · development: only allow t3 instances all accounts: prevent disable...

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Cloud security for everyone: Multi-account strategy

S E C 1 1

Byron Pogson

Solutions Architect

Amazon Web Services

Gavin Orlicki

CTO

tic:toc

Alan McLeod

CTO

FYI Docs

Pepper as a Service (the other PaaS)

Our architecture today

AWS Cloud

Development

Test

Production

Security Logs

Security Tools

Build Tools

Improvements

Desired outcomes

Development: only allow T3 instances

All accounts: Prevent disable on logging

First stepsMaster

AWS OrganizationsAWS Identity and Access

Management

Service Control

Policy

Legacy

Development

Test

Production

Security logs

Security tools

Build tools

AWS Single Sign-On

Desired outcomes

Security account

Security

Security Logs

Security

AWS CloudTrail

Amazon GuardDutyAWS Security Hub

Legacy

Development

Test

Production

Build Tools

Master


ManagementAWS Single Sign-On

Desired outcomes

Shared accounts

Developer

Security

Build tools

ToolsSecurity

Legacy

Development

Test

Production

Operations

Master



Security Logs AWS CloudTrail


Desired outcomes

Workload accounts

Development

Operations

Security

Build tools

Development

ToolsSecurity

Test

Test

Production

Production

Developer

Master





Desired outcomes

Baselines

New account

Security

Baseline

Security roles AWS Security Hub

New account


Master



New account





Starting from scratch

Gavin Orlicki

S E C 1 1

CTO

tic:toc

A Fintech that delivers financial SaaS products to help lending organisations better service their customers with smarter and faster financial validation.

Project team consisting of 12 members across 2 squads:

• 8 developers

• 4 testers

• Enterprise architect

Existing architecture:

Application architecture:

AWS Lambda

Amazon API Gateway AWS WAF

Amazon Simple Storage

Service

Amazon DynamoDB Amazon RDS

Amazon CognitoAmazon CloudFront

Master


Management

Security Logs

Build tools

Shared services

AWS CloudTrail Amazon GuardDuty AWS Security Hub

XAI - Stage

Dev/Test

Analytics

Bunker

Prod

Analytics

XAI - Dev XAI - UAT

XAI - Prod


Starting from scratch

Gavin Orlicki

S E C 1 1

CTO

tic:toc


Migrating from a single account

Alan Mcleod

S E C 1 1

CTO

FYI Docs

@alanmcleod

The world’s most automated document

management platform

Document

AutomationEmail management CRM

Document Workflow

Search and retrieval

Task management

Job management

Client collaboration

Process automation

FYI Docs – previous architectureAWS

Development

Security Logs

Build tools

AWS Identity and Access

Management

AWS CloudTrail Amazon GuardDuty

Pre-Prod

ProductionAmazon Simple Email

Service

FYI Docs – multi-account strategyMaster

Development

Security Logs

Build tools

Development

Shared services


Management

AWS CloudTrail Amazon GuardDuty

Pre-Prod

Pre-prod

Production

Production

Development

original (legacy)

Amazon Simple Email

Service


Migrating from a single account

Alan Mcleod

S E C 1 1

CTO

FYI Docs

@alanmcleod

Possible future accounts

Approaches

AWS Control Tower

VS

AWS

CloudFormation

AWS

Organizations

AWS Identity and

Access Management

AWS

Security Hub

Build your own

Quick steps to security success

https://bit.ly/3gDSGWA

https://bit.ly/3gDSGWA

Thank you!


Byron Pogson

[email protected]@BrainwaveFactor

Gavin Orlicki

[email protected]

Alan McLeod

[email protected]@alanmcleod

cloud security for everyone · development: only allow t3 instances all accounts: prevent disable...

Documents