speeding up your migration with an automated landing zone · 2018-10-31 · learned lessons a 100%...

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Speeding up your migration with an automated Landing ZoneOctober 2018

Antonio Delgado – AWS Senior Solutions Architect

@awscloud_es@antoniodelgado

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

What do customers want to do on AWS?

focus on what

differentiates

ideation to

instantiation

secure and compliant

environment


Building a Landing Zone can be challenging

Many

design decisions

Need to configure

multiple accounts

& services

Must establish

security baseline

& governance


You need a Landing Zone that is …

meets the organization’s

security and auditing

requirements

ready to support highly

available and scalable

workloads

configurable to

support evolving business

requirements


What is a Landing Zone?

H

• A configured, secure, scalable, multi-account AWS environmentbased on AWS best practices

• A starting point for net new development and experimentation

• A starting point for customers’ application migration journey

• An environment that allows for iteration and extension over time


Account Security Considerations

Lock

AWS Account Credential

Management (“Root Account”)

Enable

AWS CloudTrail

Define

Map Enterprise Roles and

Permissions

Federate

Use Identity Solutions

Establish

InfoSec Cross Account Roles

Identify

Actions and Conditions to

Enforce Governance

Baseline Requirements


Network Architecture considerations

AWS Services in Your VPC

VPC Endpoints for Amazon S3

DNS in-VPC with Amazon Route 53

Logging VPC Traffic with VPC Flow Logs


AWS Organizations masterAWS Organizations Account

Data Center

No connection to DC

Service control policies

Consolidated billing

Volume discount

Minimal resources

Limited access

Limit Orgs role!


Logging Account

Core Accounts

AWS Organizations Account

Data Center

Logging

Versioned Amazon S3 bucket

RestrictedMFA delete

CloudTrail logs

Security logs

Single source of truth

Limited access


Security Account

Core Accounts


Data Center

Optional data center connectivity

Security tools and audit

Cross-account read/write

Limited access

AWSCloudTrail

AWSConfig

Logging

Security


Shared Services Account

Security

Core Accounts


Network

Data Center

Connected to DC

LDAP/Active Directory

Shared Services VPC

Deployment toolsGolden AMIPipeline

Scanning infrastructureInactive instancesImproper tagsSnapshot lifecycle

Monitoring

Limited access

Logging

SharedServices


Developer Sandbox Accounts

Security

Core Accounts


Billing Tooling

SharedServices

Network

Internal Audit

Data Center

Logging

No connection to DC

Innovation space

Fixed spending limit

Autonomous

Experimentation

Developer Accounts

DeveloperSandbox


BU/ Product/ Resource Accounts

DeveloperSandbox

Developer Accounts

Security

Core Accounts


Billing Tooling

SharedServices

Network

Internal Audit

Data Center

Logging

Based on level of needed isolation

Match your development lifecycle

BU/Product/Resource Accounts


Dev Accounts

DeveloperSandbox

Developer Accounts

Security

Core Accounts


Billing Tooling

SharedServices

Network

Internal Audit

Data Center

Logging

Develop and iterate quickly

Collaboration space

Stage of SDLC


Dev


Pre-Prod Accounts

DeveloperSandbox

Dev


Developer Accounts

Security

Core Accounts

AWS Organizations Master

Billing Tooling

SharedServices

Network

Internal Audit

Data Center

Logging

Connected to DC

Production-like

Staging

QA

Automated deployments

Pre-Prod


Production Accounts

DeveloperSandbox

Dev Pre-Prod


Developer Accounts

Security

Core Accounts


Billing Tooling

SharedServices

Network

Internal Audit

Data Center

Logging

Connected to DC

Production applications

Promoted from Pre-Prod

Limited access

Prod


Multi-Account Approach

DeveloperSandbox

Dev Pre-Prod


Developer Accounts

Security

Core Accounts


Billing Tooling

SharedServices

Sandbox

Networking

Internal Audit

Data Center

Logging

Prod

SharedServices

Orgs: Account management

Logging: Centralized logs

Security: AWS Config Rules, security tools

Shared services: Directory, DNS, limit monitoring

Billing Tooling: Cost monitoring

Sandbox: Experiments

Dev: Development

Pre-Prod: Staging

Prod: Production


Introducing the AWS Landing Zone solution

An automated, easy-to-deploy solution to help you set up new AWS environments

and get started with running secure and scalable workloads on AWS

Based on AWS best

practices and

recommendations

Initial security and

governance controls

Baseline accounts

and account

vending machine

Automated

deployment


What you get with the AWS Landing Zone

• Framework for creating and baselining a multi-account environment

• Example initial multi-account structure based on common security,

audit, and shared service requirements.

• An account vending machine which enables automated deployment

of additional accounts with a set of security baselines

Account Management

• User account access managed through AWS SSO federationIdentity & Access

Management

• Multiple accounts and defining cross account-roles allow implementation

of separation of duties across all accounts

• Initial account security and AWS Config rules baseline

• Network baseline

Security & Governance


AWS Landing Zone components

Initialization Template

• Easily deploy the AWS Landing Zone

Multi-Account implementation starting point

• Out-of-the-box Landing Zone implementation to get started quickly

Landing Zone update and configuration pipeline

• Easily modify and extend the Landing Zone to grow with your Organization


Multi-Account implementation

Organizations account:

Account Provisioning

Account Access (SSO)

Shared Services account:

Active Directory

Log Analytics

Logging account:

CloudTrail/Config logs

Security account:

Audit/Break-glass

AWSOrganizations

AWS SSMAWSService Catalog

Core OU

SharedServices account Logging account Security account

AWS Organizations account

Network Baseline

Account Baseline Account BaselineAccount Baseline Security Cross-

Account RolesAWS Microsoft

ADAggregate CloudTrail

and Config Logs

Log Reporting

Amazon S3 bucket (manifest file)

AW SCodePipeline

Stacksets

AWSSSO


AWS Service Catalog

Account VendingMachine

New AWS Account

Network Baseline

Account Baseline

AWSOrganizations

OUCore

Security Account

Security Roles

Logging Account

Audit Bucket

Shared Services Account

Shared

Network

Account Vending Machine implementation

• Account Vending Machine (AWS Service Catalog)

• Account creation UI

• Account Baseline Versioning

• Launch Constraints

• Creates/Updates AWS Account

• Apply Account Baseline stack sets

• Create Network Baseline

• Apply account Security Control Policy


AWS CloudTrail

• Central Amazon S3 bucket and local AWS CloudWatch Logs

AWS Config

• 7 Config Rules (EBS/RDS/S3 encryption, IAM password policy, root MFA, S3

public read/write permissions)

IAM Password Policy

• User password change, password complexity/reuse/age/minimum length

Amazon VPC

• Delete default VPC, (optional) create VPC

Account baseline


Centralized Logging

• Amazon Elasticsearch Service integration

• Kibana-based log reporting and analysis

• AWS CloudTrail

• Amazon VPC Flow Logs

• Amazon CloudWatch Logs (Apache web server, Common Log Format,

Space Delimited, JSON)

Optional product(s)


Benefits of the AWS Automated Landing Zone

Automated Scalable Self-Service

Guardrails

NOT Blockers

Auditable Flexible

DXC Proprietary and Confidential October 30, 2018

Why a DXC Iberia AWS Landing Zone?

Jorge Pestaña

DXC Iberia Landing Zone Initiative Sponsor

October 30, 2018 31DXC Proprietary and Confidential

Our Journey to the AWS Landing ZoneJuan Alvarez Ferrando

DXC Iberia AWS Landing Zone Architect


Roadmap

Conception

•Sponsor/Owner

•Delegation model

•Use Cases

•Relationship Model

•Cost Distribution

•Refine Requirements

•Efficient

•Automated

•Managed

•Scalable

•Secure

Organization

•Governance

•Architecture/Security

•Financial Management

•Operation

•Account owners

•Account architects

Construction

•Methodology

•Tools

•Skills

•Solutions

Operation

•Re-skill Support Team

•Adapt ITSM

•Segregate Duties

•Ops Procedures


Achieved Results

✓Service Governance, Account level cost management and automated budget control. Account provision agreement terms and relationship model.

✓Reusable Baseline Architecture and Solutions to provision accounts under operational and security management (network, events, access, permissions, configuration control, backup)

✓<24h Time to Provision “ready to use” environments with all foundation infrastructure in three possible service levels

✓Operation and support of all the LZ solutions as Software Defined Infrastructure under defined architecture, methodology and tools

✓Lightweight support


Bronze Silver Gold

Account Onboarding

VPN Access

Multi Account Networking

Managed AD

Event Monitoring – Collect & Analyze

Event Monitoring – Real Time Dashboard

Event Monitoring – GuardDuty Dashboard

Cost Control - Instance Scheduler

Cost Control - Orphan Storage Control

Backup Management

Managed Bastions

Billing Reports/Budget Control

Solution Catalog by Service Level


Learned Lessons

A 100% SDI and automated LZ pays back

It is a software project, use software project ways

Be open but consistent on tools and languages

Have an IAM fencing and delegation model

Design solutions that are fit for your T-Shirt sizes

Include operation requirements in the solution design

Leverage AWS Managed Services

DXC Proprietary and Confidential

Thank you.

speeding up your migration with an automated landing zone · 2018-10-31 · learned lessons a 100%...

Documents