AWS Landing Zone - Architecting Security and Governance.pptx

AkeshPatil 706 views 36 slides Jul 01, 2024

About This Presentation

This slide deck provides an overview of the AWS Landing Zone, which is a well-architected, multi-account AWS environment designed to be scalable and secure. It serves as a starting point for organizations to quickly launch and deploy workloads and applications on AWS.

The deck explains the key comp...


Slide Content

AWS Landing Zone Accelerate Growth on Cloud

Speaker: Akesh Patil, Sr. Cloud Architect, AWS APN Ambassador & AWS Community Builder

Table of Contents
1. Single Account vs Multi-Account
2. Need of AWS Landing Zone?
3. What is Landing Zone
4. AWS Control Tower
5. Landing Zone Objectives
6. How Landing Zone works with Well-Architected Framework
7. Benefits of Landing Zone
8. AWS Landing Zone Walkthrough

What do customers want to do on AWS? Build. Move fast. Stay secure.

Customers need an environment that is:
- Secure & compliant: meets the organization's security and auditing requirements
- Scalable & resilient: ready to support highly available and scalable workloads
- Adaptable & flexible: configurable to support evolving business requirements

Why multiple accounts? Many teams, billing, security and compliance control, business process, isolation.

Customer need: a resource container. The AWS account is that container: it holds VMs, databases, caches, queues, users and roles, and its edge is the security/resource boundary.

Isolation with IAM and VPC in one account? Gray boundaries; complicated and messy over time; difficult to track resources; people stepping on each other.

Need of multiple AWS accounts? Governance considerations for multi-account environments.

Need of multiple AWS accounts? Technical considerations for multi-account environments.

Orchestration framework: account management, notification, policy deployment, policy enforcement and remediation, applying a set of guardrails (Guardrail A, B, X, Z) across the accounts.

Capabilities of the orchestration framework: billing management, resource isolation, identity & access management, immutable security logs, shared infrastructure, support for the dev lifecycle, central network connectivity, security tooling.

AWS Landing Zone (LZ) - Overview
An AWS landing zone is a well-architected, multi-account AWS environment that is scalable and secure. It is a starting point from which your organization can quickly launch and deploy workloads and applications with confidence in your security and infrastructure environment.
AWS Control Tower is the AWS service that offers the simplest way to set up and govern a multi-account landing zone environment with AWS best practices.
An AWS Landing Zone helps you follow the AWS Well-Architected principles to achieve high performance, secured systems, resilient architecture and cost optimization.
Considerations: multi-account architecture, identity & access management, governance, data security, network design, logging.

AWS Landing Zone Objectives
The AWS Landing Zone helps you achieve the following technical goals and objectives, in alignment with the business objectives of the organization, at the end of this engagement:
1. Account structure: AWS account structure addressing the needs of multiple business units and geographies.
2. Tech & infra maturity: varying levels of capabilities and infrastructure maturity across business units.
3. Cost attribution & control: better cost control along with higher and improved efficiency through attribution of costs at the business-unit and region level.
4. Develop governance framework & policies: preventive and detective guardrails and preconfigured governance rules for security, compliance and operations.
5. Streamlining through standardization: streamlining the AWS environment in terms of standardization, security and operational efficiency.
6. Centralized compliance: centralized view of compliance across the AWS infrastructure with AWS SCPs.
7. Identity & access management: best-practice adoption in security through centralized identity and access management with AWS Single Sign-On (SSO).
8. Best practices adoption: establish the adoption of best practices in security and compliance through a strategic, risk-based security and compliance management framework.
The objectives are arranged around a theme of continuous improvement.

AWS Control Tower
Set up and operate your multi-account AWS environment with prescriptive controls designed to accelerate your cloud journey. Control Tower orchestrates multiple AWS services on your behalf while maintaining the security and compliance needs of your new or existing organization.
Benefits:
- Set up a well-architected, multi-account environment in under 30 minutes.
- Automate the creation of AWS accounts with built-in governance.
- Enforce best practices, standards and regulatory requirements with preconfigured controls.

Organizational Units (OUs)
- Grouping of AWS accounts
- Service control policies (SCPs) are attached to the groups
- Use permission grouping
Example hierarchy: Root OU > Core OU, Infrastructure OU, Workload OU (Non-Prod OU, Prod OU)

Guardrails
Guardrails are preconfigured governance rules for security, compliance and operations.
- Preventive guardrails: prevent policy violations through enforcement; implemented using AWS CloudFormation and SCPs.
- Detective guardrails: detect policy violations and alert in the dashboard; implemented using AWS Config rules.
- Mandatory and strongly recommended guardrails are prescriptive.
- Easy selection and enablement on organizational units.
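To make the OU slide and the preventive-guardrail bullet concrete, here is an added example (not code from the deck or from AWS) that models an OU tree with SCPs attached at each level and evaluates whether an action is permitted for an account. It follows the documented SCP semantics: an action is allowed only if every level from the root down to the account allows it and no level denies it. The OU names, account names and policy documents are constructed; the CloudTrail-protecting policy is modelled on the kind of mandatory guardrail the deck refers to, and the evaluator is a teaching model, not an IAM policy engine (it ignores conditions, resources and NotAction).

```python
"""Simplified model of SCP inheritance across an OU hierarchy (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# ---- Policy documents (constructed) -------------------------------------
# AWS Organizations attaches an allow-everything SCP to every OU/account by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Preventive guardrail: nobody in the OU can switch the audit trail off.
# (Statement list constructed for illustration.)
PROTECT_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
        "Resource": "*",
    }],
}

# Sandbox OU: instead of FullAWSAccess, only a short allowlist of services.
SANDBOX_ALLOWLIST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:*", "cloudwatch:*", "logs:*"],
        "Resource": "*",
    }],
}


@dataclass
class Node:
    """An OU or an account; accounts are leaves, OUs hold children."""
    name: str
    scps: list = field(default_factory=list)
    children: dict = field(default_factory=dict)
    parent: Node | None = None

    def add(self, child: Node) -> Node:
        child.parent = self
        self.children[child.name] = child
        return child

    def path_from_root(self) -> list[Node]:
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return list(reversed(chain))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def level_allows(scps: list[dict], action: str) -> bool:
    """One OU/account level: an explicit Deny wins; otherwise a matching Allow is required."""
    allowed = False
    for policy in scps:
        for stmt in policy["Statement"]:
            if any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def effective_allow(account: Node, action: str) -> bool:
    """SCPs apply at every level on the path; the action must pass all of them."""
    return all(level_allows(node.scps, action) for node in account.path_from_root())


def build_org() -> dict[str, Node]:
    """Constructed organization mirroring the deck's OU layout (names are made up)."""
    root = Node("Root", [FULL_AWS_ACCESS, PROTECT_CLOUDTRAIL])
    core = root.add(Node("Core", [FULL_AWS_ACCESS]))
    workloads = root.add(Node("Workloads", [FULL_AWS_ACCESS]))
    prod = workloads.add(Node("Prod", [FULL_AWS_ACCESS]))
    sandbox = root.add(Node("Sandbox", [SANDBOX_ALLOWLIST]))  # deliberately no FullAWSAccess
    return {
        "log-archive": core.add(Node("log-archive", [FULL_AWS_ACCESS])),
        "prod-app": prod.add(Node("prod-app", [FULL_AWS_ACCESS])),
        "sandbox-dev": sandbox.add(Node("sandbox-dev", [FULL_AWS_ACCESS])),
    }


if __name__ == "__main__":
    accounts = build_org()
    for name, action in [("prod-app", "cloudtrail:StopLogging"),
                         ("prod-app", "ec2:RunInstances"),
                         ("sandbox-dev", "iam:CreateUser"),
                         ("sandbox-dev", "s3:PutObject")]:
        print(f"{name:12} {action:24} allowed={effective_allow(accounts[name], action)}")
```

The point the model makes visible: the Deny attached at the Root OU reaches every account underneath it regardless of what the account's own administrators allow, while the Sandbox OU shows the other direction, where simply omitting FullAWSAccess at one level shrinks what every account below it can do.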

AWS Security Foundational Services
- Identity & access management: AWS Identity & Access Management (IAM), AWS IAM Identity Center, AWS Organizations, AWS Directory Service, Amazon Cognito
- Detection: AWS Security Hub, Amazon GuardDuty, Amazon Inspector, Amazon CloudWatch, AWS Config, AWS CloudTrail, VPC Flow Logs
- Infrastructure protection: AWS Firewall Manager, AWS Shield, AWS WAF, Amazon VPC, AWS PrivateLink, AWS Systems Manager
- Data protection: Amazon Macie, AWS Key Management Service (KMS), AWS CloudHSM, AWS Certificate Manager, AWS Secrets Manager, AWS VPN, server-side encryption

AWS IAM Identity Center
- Successor to AWS Single Sign-On
- Provides a default directory for identities
- Portal to access multiple accounts and user applications with single sign-on
- Integrated with the AWS Console and the AWS Command Line Interface (AWS CLI)
- Free service
- Preconfigured groups (e.g. AWS Control Tower administrators, auditors, AWS Service Catalog end users)
- Preconfigured permission sets (e.g. admin, read-only, write)
- You choose your identity provider: on-premises AD; Okta, OneLogin, Azure AD, PingIdentity; internal repository

AWS CloudTrail - Auditing Service
AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account.
What CloudTrail can do:
- Logs and retains account activity related to actions across your AWS account: actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
- 90-day retention by default; logs to be kept longer than 90 days are pushed to S3 buckets.
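Once trails deliver into the log-archive bucket, the records are only useful if something reads them. The following is an added example, not code from the deck or from AWS, that parses a CloudTrail log file body and flags the records a landing-zone audit team cares about: root usage, console logins without MFA, and attempts to tamper with the trail itself (whether or not an SCP denied them). The records are constructed; the field names used (eventName, eventSource, userIdentity.type, additionalEventData.MFAUsed, errorCode) are CloudTrail's real ones, while the account IDs, IP addresses and timestamps are made up. A production version would read the gzipped log objects the trail delivers to S3 instead of the inline string.

```python
"""Triage of CloudTrail records from the log-archive bucket (added example)."""
import json

# Constructed sample: one CloudTrail log file body, i.e. a {"Records": [...]} document.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-07-01T09:12:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-07-01T09:15:44Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                      "accountId": "111111111111"},
     "errorCode": "AccessDenied",
     "errorMessage": "explicit deny in a service control policy (constructed text)"},
    {"eventTime": "2024-07-01T10:02:17Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "10.0.4.21",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ReadOnly/ci"}},
    {"eventTime": "2024-07-01T11:40:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "contractor",
                      "accountId": "222222222222"}},
]})

# API calls that weaken the audit trail itself. A preventive SCP should block
# them, and even a denied attempt deserves a ticket.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def triage_record(rec: dict) -> list[str]:
    """Return the finding labels that apply to one CloudTrail record."""
    findings = []
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "Root":
        findings.append("root-activity")
    if rec.get("eventName") == "ConsoleLogin" and \
            rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append("console-login-without-mfa")
    if rec.get("eventName") in TRAIL_TAMPERING:
        # errorCode is only present when the call failed (e.g. AccessDenied from an SCP).
        outcome = "denied" if rec.get("errorCode") else "succeeded"
        findings.append(f"cloudtrail-tampering-{outcome}")
    return findings


def triage_log_file(body: str) -> list[dict]:
    """Parse a CloudTrail log file body; return one summary per flagged record, in order."""
    flagged = []
    for rec in json.loads(body)["Records"]:
        labels = triage_record(rec)
        if not labels:
            continue
        ident = rec.get("userIdentity", {})
        flagged.append({
            "time": rec["eventTime"],
            "account": ident.get("accountId"),
            "actor": ident.get("userName") or ident.get("arn") or ident.get("type"),
            "event": rec["eventName"],
            "source_ip": rec.get("sourceIPAddress"),
            "findings": labels,
        })
    return flagged


if __name__ == "__main__":
    for item in triage_log_file(SAMPLE_LOG_FILE):
        print(item)
```

Two of the three flagged records come from the same account and source address within minutes of each other, which is the sort of correlation a single log-archive account makes possible and per-account log inspection does not; the denied StopLogging call also shows why the detective side still matters even when the preventive SCP held.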

AWS Config
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
What Config can do:
- Continuously monitors and records AWS resource configurations.
- Helps check compliance against desired Config rules.
- Assesses how a change to a resource configuration would affect other resources, which minimizes the impact of change-related incidents.
- Alerts can be set up when unwanted configuration changes are made.
- Config logs are sent to an S3 bucket.
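The detective guardrails mentioned earlier are Config rules, and a custom rule is just a function that receives a resource's configuration item and reports a verdict. The example below is added here and is not code from the deck or from AWS: it evaluates S3 buckets against a rule ("public access is blocked and default encryption is on") and wraps it in the entry-point shape a Config custom rule's Lambda uses. The configuration items are constructed and their shape is simplified (an assumption, not the exact Config schema); the verdict strings COMPLIANT, NON_COMPLIANT and NOT_APPLICABLE and the overall flow match how a custom rule works.

```python
"""Detective guardrail as an AWS Config custom-rule evaluator (added example)."""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

PUBLIC_ACCESS_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
                       "blockPublicPolicy", "restrictPublicBuckets")


def evaluate_s3_bucket(item: dict) -> tuple[str, str]:
    """Rule: every S3 bucket blocks public access and encrypts at rest by default.

    Returns (compliance_type, annotation); the annotation is the text shown
    next to the resource in the Config console, so it should say what to fix.
    """
    if item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "rule only evaluates S3 buckets"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "bucket no longer exists"

    supp = item.get("supplementaryConfiguration", {})  # simplified shape (assumption)
    problems = []

    pab = supp.get("PublicAccessBlockConfiguration") or {}
    missing = [f for f in PUBLIC_ACCESS_FLAGS if not pab.get(f)]
    if missing:
        problems.append("public access block incomplete: " + ", ".join(missing))

    sse = supp.get("ServerSideEncryptionConfiguration") or {}
    rules = sse.get("rules") or []
    if not any(r.get("applyServerSideEncryptionByDefault") for r in rules):
        problems.append("no default server-side encryption")

    if problems:
        return NON_COMPLIANT, "; ".join(problems)
    return COMPLIANT, "public access blocked and default encryption configured"


def lambda_handler(event: dict, context=None) -> dict:
    """Entry-point shape of a Config custom rule: the configuration item arrives
    JSON-encoded in event['invokingEvent']. A deployed handler would pass the
    returned dict to config.put_evaluations(Evaluations=[...], ResultToken=event['resultToken'])
    through boto3; here it is returned so the example runs offline."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_s3_bucket(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed configuration items (simplified shape) for a quick run.
GOOD_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "lz-log-archive-111111111111",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-07-01T08:00:00Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {f: True for f in PUBLIC_ACCESS_FLAGS},
        "ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]},
    },
}
BAD_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "team-scratch-data",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-07-01T08:05:00Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {"blockPublicAcls": True, "ignorePublicAcls": True,
                                           "blockPublicPolicy": False,
                                           "restrictPublicBuckets": False},
    },
}


def run_sample() -> list[dict]:
    """Feed both items through the handler the way Config would, one event each."""
    return [lambda_handler({"invokingEvent": json.dumps({"configurationItem": ci}),
                            "resultToken": "constructed-token"})
            for ci in (GOOD_BUCKET, BAD_BUCKET)]


if __name__ == "__main__":
    for ev in run_sample():
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

Note the contrast with the SCP in the guardrails example: an SCP stops the API call from ever succeeding, while this rule only observes the resulting state and reports it, so the second bucket above is already misconfigured by the time the rule marks it NON_COMPLIANT. That is why the deck pairs detective guardrails with alerting and remediation rather than treating them as a substitute for preventive ones.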

Amazon GuardDuty - Threat Detection
An intelligent threat detection service that continuously monitors the environment to detect potential security threats.
What GuardDuty can do:
- Identifies unusual activity within AWS accounts, analyzes the security relevance of the activity, and gives the context in which it was invoked.
- Mitigate threats early by initiating automated responses.
- Quickly and easily scale threat detection across your environment.
- Analyzes AWS account and workload event data found in AWS CloudTrail, VPC Flow Logs, and DNS logs.

Amazon Inspector - Vulnerability Management
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
What Inspector can do:
- Automatically assesses applications for vulnerabilities and compliance issues.
- Inspects EC2 instances, Lambda functions and containers for vulnerabilities.
- Provides detailed findings and prioritized recommendations, allowing you to take action to address any security concerns.

AWS Security Hub - Cloud Security Posture Management
AWS Security Hub is a cloud security posture management (CSPM) service that performs security best-practice checks, aggregates alerts, and enables automated remediation.
What Security Hub can do:
- Automates security best-practice checks against security controls, aggregates security alerts into a single place and format, and helps you understand your overall security posture across all of your AWS accounts.
- Provides a detailed view of your security state and helps check your environment against security standards and best practices.
- Cross-Region aggregation can be used to aggregate findings and insights.
- Collects findings from security services, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, and sensitive data identification findings from Amazon Macie.

OU Structure

Audit Account

Log Archive Account

Networking Account

AWS Landing Zone – Reference Architecture
The Landing Zone helps you achieve the following technical goals and objectives, in alignment with the business objectives of the organization, at the end of this engagement:

How landing zones work for a Well-Architected Framework
1. Effectively manage your AWS accounts by creating, grouping and organizing accounts. Standardize account baselines to meet the different controls, networking and other configurations based on the account's intended use. Centralize billing across multiple accounts using consolidated billing.
2. For sharing services and connecting accounts, an established networking configuration can be created using a dedicated account for networking. Configure routing between multiple accounts within a landing zone, on-premises networks and the internet.
3. Centrally manage users and permissions across accounts in the landing zone. Provide access for users across multiple accounts with different permission policies based on role, account and more.
4. Establish a security baseline for accounts within the landing zone. Create controls to enforce security and audit account configurations. Use AWS security services to meet organizational requirements for security.
5. Send logs to a centralized logging account to monitor account actions and the security of the environment as a single source of truth.

Benefits – AWS Landing Zone
The AWS Landing Zone with the AWS Control Tower service helps you achieve the following benefits, aligned with the overall business goals and objectives of the organization, at the end of this engagement:
1. Consistent & scalable infrastructure: enables you to define and enforce best practices, policies and configurations consistently across your cloud infrastructure.
2. Cost optimization: implement cost optimization strategies and practices to effectively monitor and control costs across multiple accounts, with visibility into spending patterns.
3. Account isolation and resource sharing: different AWS accounts can be created to separate workloads, environments or business units, ensuring secure and controlled access while enabling resource sharing.
4. Security and compliance: security controls such as identity and access management, network segmentation, encryption and logging across accounts, ensuring compliance.
5. Operational excellence: provides a centralized view of the cloud infrastructure, account usage and resource dependencies, allowing organizations to monitor and manage their cloud environment effectively.
6. Automation and provisioning: accelerates the deployment of new projects, applications or environments while maintaining control and governance.