Wednesday, September 5, 2018

AWS - Amazon Landing Zones



Launch Faster using AWS Landing Zones.

  • Build
  • Move Fast
  • Stay Secure
  • Many design decisions to make.
  • Need to configure multiple accounts & services.
  • Must establish a security baseline & governance.
  • Secure & compliant  -  Meets the organization's security and auditing requirements.
  • Scalable & Resilient  -  Ready to support highly available and scalable workloads.
  • Adaptable & Flexible  -  Configurable to support evolving business requirements.


What is a Landing Zone ?


  • A configured, secure, scalable, multi-account AWS environment based on AWS best practices.
  • A starting point for net-new development and experimentation.
  • A starting point for a customer's application migration journey.
  • An environment that allows for iteration and extension  over time.

Baseline Requirements.

  • Lock  - AWS account credential management (lock down the root user credentials).
  • Enable  - AWS CloudTrail.
  • Define  - Map enterprise roles and permissions.
  • Federate  - Use existing identity solutions.
  • Establish  - Infosec cross-account roles.
  • Identify  - Actions and conditions to enforce governance.

Network Architecture Considerations

  • AWS Services in your VPC
  • VPC Endpoints for Amazon S3
  • DNS in-VPC with Amazon Route 53
  • Logging VPC Traffic with VPC Flow Logs.
AWS Organizations master account (now called the management account)

  • No connection to the data center (DC).
  • Service control policies (SCPs).
  • Consolidated billing.
  • Volume discounts.
  • Minimal resources.
  • Limited access.
  • Limit the Organizations cross-account role (OrganizationAccountAccessRole)!
Logging Account

  • Versioned Amazon S3 bucket (restricted, with MFA delete enabled).
  • CloudTrail logs.
  • Security Logs
  • Single source of truth
  • Limited access.
Security Account

  • Optional Data Center Connectivity.
  • Security Tools and audit.
  • Cross-account read/write
  • Limited access  -  AWS CloudTrail & AWS Config.
Shared Services Account
  • Connected to DC.
  • LDAP/Active Directory.
  • Shared Services VPC.
  • Deployment tools (Golden AMI pipeline).
  • Scanning infrastructure (inactive instances, improper tags, snapshot lifecycle).
  • Monitoring
  • Limited Access.
Developer Sandbox Accounts
  • No connection to DC
  • Innovation space
  • Fixed Spending limit
  • Autonomous
  • Experimentation
  • Develop and iterate quickly
  • Collaboration space
  • Stage of the SDLC.
Pre-Prod Accounts
  • Connected to DC
  • Production-like
  • Staging
  • QA
  • Automated Deployments.
Production Account
  • Connected to DC
  • Prod applications
  • Promoted from pre-prod
  • Limited Access
Multi-Account approach
  • Orgs :  Account management
  • Logging - Centralized logs
  • Security - AWS config Rules, security tools
  • Shared Services - Directory, DNS, service limit monitoring
  • Billing tooling :  Cost monitoring
  • Sandbox :  Experiments
  • Dev - Development
  • Pre-Prod :  Staging
  • Prod :  Production

Introducing the AWS Landing Zone solution
  • An automated, easy-to-deploy solution to help you set up new AWS environments and get started with running secure and scalable workloads on AWS.
  • Based on AWS best practices and recommendations.
  • Initial security and governance controls.
  • Baseline accounts and account vending machine.
  • Automated deployment.
  • Note: the AWS Landing Zone solution has since been succeeded by AWS Control Tower, which AWS recommends for new multi-account environments.
What you get with the AWS Landing Zone.
  • Account Management
  • Identity & Access Management
  • Security & Governance
AWS Landing Zone components.
  • Initialization Template  - Easily deploy the AWS Landing Zone
  • Multi-Account implementation starting point  -  Out-of-the-box Landing Zone implementation to get started quickly.
  • Landing Zone update and configuration pipeline  -  Easily modify and extend the Landing Zone so it grows with your organization.

CloudFormation Template
  • Creates the Landing Zone deployment and configuration update pipeline.
  • Creates a customized AWS Landing Zone implementation package in your account.
  • Optionally deploys your customized AWS Landing Zone automatically.
Multi Account implementation
  • Organizations account
  • Account Provisioning
  • Account Access(SSO)
  • Shared Services account
  • Active Directory
  • Log Analytics
  • Logging account :  CloudTrail/Config logs
  • Security Account :  Audit/Break-glass
Account Vending Machine implementation
  • Account Vending Machine(AWS Service Catalog)
    • Account creation UI
    • Account Baseline Versioning
    • Launch constraints
  • Creates/Updates AWS account
  • Apply account baseline stack sets.
  • Create Network Baseline
  • Apply the account service control policy (SCP).
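The "Identify - Actions and Conditions to Enforce Governance" baseline requirement, the service control policies listed under the Organizations master account, and the "apply account SCP" step of the account vending machine all come down to one JSON document attached to an OU or account. The following is an added example, not code from this post or from the AWS Landing Zone solution: a guardrail SCP that protects the logging baseline, plus a deliberately simplified evaluator so the policy can be exercised offline. The account ID and role names are made up, and the evaluator is an assumption about SCP semantics that only models explicit deny, allow, wildcard action matching and the condition operators this policy uses (no resource matching).

```python
"""Guardrail service control policy (SCP) and a simplified offline evaluator.
Added example; account ids and role names are assumptions."""
import fnmatch
import json

# Hypothetical infosec cross-account role that alone may change the logging baseline.
INFOSEC_ROLE = "arn:aws:iam::*:role/InfosecAuditRole"

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        # Same effect as the FullAWSAccess SCP that AWS attaches by default.
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "ProtectLoggingBaseline",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                       "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
                       "config:DeleteDeliveryChannel"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": INFOSEC_ROLE}},
        },
        {"Sid": "NoLeavingOrg", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True when every operator/key pair in a Condition block is satisfied by context."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual, patterns = context.get(key), _as_list(wanted)
            if operator in ("ArnLike", "StringLike"):
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, p) for p in patterns)
            elif operator in ("ArnNotLike", "StringNotLike"):  # an absent key satisfies a negated operator
                ok = actual is None or not any(fnmatch.fnmatchcase(actual, p) for p in patterns)
            elif operator == "StringEquals":
                ok = actual in patterns
            elif operator == "StringNotEquals":
                ok = actual not in patterns
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def scp_allows(policy, action, context):
    """Simplified SCP semantics: an explicit Deny wins, otherwise an Allow must match,
    otherwise the action is implicitly denied. Resource matching is not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_examples():
    """Exercise the guardrail with a developer role and the infosec role (constructed ARNs)."""
    dev = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/DeveloperRole"}
    infosec = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/InfosecAuditRole"}
    return {
        "dev_run_instances": scp_allows(GUARDRAIL_SCP, "ec2:RunInstances", dev),
        "dev_stop_logging": scp_allows(GUARDRAIL_SCP, "cloudtrail:StopLogging", dev),
        "infosec_stop_logging": scp_allows(GUARDRAIL_SCP, "cloudtrail:StopLogging", infosec),
        "infosec_leave_org": scp_allows(GUARDRAIL_SCP, "organizations:LeaveOrganization", infosec),
    }


if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_SCP, indent=2))  # the document you would attach in Organizations
    print(json.dumps(evaluate_examples(), indent=2))
```

Two things the toy evaluator hides that matter in production: an SCP never grants anything on its own (the principal still needs an IAM identity policy that allows the call), and an SCP does apply to the member account's root user, which is exactly why the "Lock" baseline requirement and the "ProtectLoggingBaseline" deny belong together.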
Account Baseline
  • AWS CloudTrail  -  Central Amazon S3 bucket and local Amazon CloudWatch Logs.
  • AWS Config  -  7 Config rules (EBS/RDS/S3 encryption, IAM password policy, root MFA, S3 public read/write permissions).
  • IAM password policy.
  • Amazon VPC  -  Delete the default VPC, (optionally) create a VPC.
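As an added example (not code from this post or from the solution), here is what those seven Config rules check, written as offline predicates over constructed resource descriptions shaped like the corresponding boto3 responses (describe_volumes, describe_db_instances, get_bucket_encryption / get_bucket_acl / get_bucket_policy, get_account_password_policy, get_account_summary). The bucket names, volume IDs and the account snapshot are made up; the password-policy thresholds are parameters of the check and are set to the managed rule's defaults.

```python
"""Offline evaluation of the seven account-baseline AWS Config rules.
Added example: predicates over constructed boto3-style resource descriptions."""

PUBLIC_GRANTEES = {  # S3 ACL grantee URIs that mean "everyone"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Thresholds for the password-policy check (the managed rule's default parameters).
MIN_PASSWORD_LENGTH, REUSE_PREVENTION, MAX_AGE_DAYS = 14, 24, 90


def ebs_volume_encrypted(volume):            # describe_volumes item
    return volume.get("Encrypted") is True


def rds_storage_encrypted(db_instance):      # describe_db_instances item
    return db_instance.get("StorageEncrypted") is True


def s3_default_encryption_enabled(bucket):   # get_bucket_encryption result
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)


def _public_acl_permissions(bucket):         # get_bucket_acl Grants
    return {g["Permission"] for g in bucket.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES}


def _public_policy_actions(bucket):          # get_bucket_policy, already JSON-decoded
    actions = set()
    for stmt in bucket.get("Policy", {}).get("Statement", []):
        anyone = stmt.get("Principal") in ("*", {"AWS": "*"})
        if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
            acts = stmt.get("Action", [])
            actions.update(acts if isinstance(acts, list) else [acts])
    return actions


def s3_not_public_read(bucket):
    return (not (_public_acl_permissions(bucket) & {"READ", "FULL_CONTROL"})
            and not (_public_policy_actions(bucket) & {"s3:GetObject", "s3:*", "*"}))


def s3_not_public_write(bucket):
    return (not (_public_acl_permissions(bucket) & {"WRITE", "FULL_CONTROL"})
            and not (_public_policy_actions(bucket) & {"s3:PutObject", "s3:*", "*"}))


def password_policy_compliant(policy):       # get_account_password_policy, None if unset
    if not policy:
        return False
    flags = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
             "RequireSymbols", "RequireNumbers")
    return (all(policy.get(f) is True for f in flags)
            and policy.get("MinimumPasswordLength", 0) >= MIN_PASSWORD_LENGTH
            and policy.get("PasswordReusePrevention", 0) >= REUSE_PREVENTION
            and 0 < policy.get("MaxPasswordAge", 0) <= MAX_AGE_DAYS)


def root_mfa_enabled(summary):               # get_account_summary SummaryMap
    return summary.get("AccountMFAEnabled") == 1


def evaluate_baseline(snapshot):
    """Map each rule to the ids of NON-compliant resources in the snapshot."""
    buckets, volumes, dbs = snapshot["buckets"], snapshot["volumes"], snapshot["rds"]
    return {
        "ebs-encrypted": [v["VolumeId"] for v in volumes if not ebs_volume_encrypted(v)],
        "rds-encrypted": [d["DBInstanceIdentifier"] for d in dbs if not rds_storage_encrypted(d)],
        "s3-default-encryption": [b["Name"] for b in buckets if not s3_default_encryption_enabled(b)],
        "s3-no-public-read": [b["Name"] for b in buckets if not s3_not_public_read(b)],
        "s3-no-public-write": [b["Name"] for b in buckets if not s3_not_public_write(b)],
        "iam-password-policy": [] if password_policy_compliant(snapshot["password_policy"]) else ["account"],
        "root-mfa": [] if root_mfa_enabled(snapshot["account_summary"]) else ["root"],
    }


SSE = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed snapshot of a member account (ids and names are made up).
SAMPLE_SNAPSHOT = {
    "volumes": [{"VolumeId": "vol-0a1b2c3d", "Encrypted": True},
                {"VolumeId": "vol-0e5f6a7b", "Encrypted": False}],
    "rds": [{"DBInstanceIdentifier": "app-db", "StorageEncrypted": True}],
    "buckets": [
        {"Name": "central-logs", **SSE, "Grants": []},
        {"Name": "public-site", "Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
        {"Name": "uploads", **SSE, "Policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::uploads/*"}]}},
    ],
    "password_policy": {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
                        "RequireLowercaseCharacters": True, "RequireSymbols": True,
                        "RequireNumbers": True, "PasswordReusePrevention": 24, "MaxPasswordAge": 90},
    "account_summary": {"AccountMFAEnabled": 1},
}

if __name__ == "__main__":
    for rule, bad in evaluate_baseline(SAMPLE_SNAPSHOT).items():
        print(f"{rule:24s} {'COMPLIANT' if not bad else 'NON_COMPLIANT: ' + ', '.join(bad)}")
```

The point of running the same logic locally is that you can feed it the resources a vending-machine baseline is about to create and reject the account before Config ever records a NON_COMPLIANT evaluation.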
Centralized Logging
  • Amazon Elasticsearch Service integration.
  • Kibana-based log reporting and analysis.
    • AWS CloudTrail.
    • Amazon VPC Flow Logs.
    • Amazon CloudWatch Logs (Apache web server, Common Log Format, space delimited).
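The logging account's single source of truth is the central CloudTrail bucket, and the Kibana dashboards above are queries over those records. As an added example, not code from this post or from the solution, the block below reads a CloudTrail log object in its delivered form (gzip-compressed JSON with a top-level Records list) and applies four detections a security account wants on day one: root activity, console sign-in without MFA, attempts to weaken the logging baseline, and a burst of AccessDenied errors from one principal. The records are constructed and trimmed to the fields the detections read; the account ID, role names and the denial threshold are assumptions.

```python
"""Detections over CloudTrail records delivered to the central logging bucket.
Added example; records, account id, role names and threshold are constructed."""
import gzip
import json
from collections import Counter

# API calls that weaken the logging baseline; flag them even when they were denied.
LOGGING_TAMPER = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("config.amazonaws.com", "DeleteConfigurationRecorder"),
}
ACCESS_DENIED_THRESHOLD = 3   # denials per principal in one batch (assumed value)


def load_log_object(blob):
    """CloudTrail delivers gzip-compressed JSON objects with a top-level 'Records' list."""
    return json.loads(gzip.decompress(blob))["Records"]


def _principal(record):
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("type", "unknown")


def detect(records):
    """Return sorted (rule, principal, detail) findings for one batch of records."""
    findings, denials = set(), Counter()
    for rec in records:
        who, name = _principal(rec), rec.get("eventName", "")
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.add(("root-activity", who, name))
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.add(("console-login-without-mfa", who, name))
        if (rec.get("eventSource"), name) in LOGGING_TAMPER:
            findings.add(("logging-tamper-attempt", who, name))
        if rec.get("errorCode") == "AccessDenied":
            denials[who] += 1
    for who, count in denials.items():
        if count >= ACCESS_DENIED_THRESHOLD:
            findings.add(("access-denied-burst", who, f"{count} denials"))
    return sorted(findings)


def _rec(identity_type, arn, source, name, **extra):
    """Build a CloudTrail record trimmed to the fields the detections read (constructed)."""
    rec = {"eventVersion": "1.05", "eventTime": "2018-09-05T10:00:00Z", "awsRegion": "us-east-1",
           "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": identity_type, "arn": arn},
           "eventSource": source, "eventName": name}
    rec.update(extra)
    return rec


ROOT = "arn:aws:iam::111122223333:root"
ALICE = "arn:aws:iam::111122223333:user/alice"
DEV = "arn:aws:sts::111122223333:assumed-role/DeveloperRole/ci"

SAMPLE_RECORDS = [
    _rec("Root", ROOT, "signin.amazonaws.com", "ConsoleLogin",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _rec("IAMUser", ALICE, "signin.amazonaws.com", "ConsoleLogin",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("AssumedRole", DEV, "cloudtrail.amazonaws.com", "StopLogging", errorCode="AccessDenied"),
    _rec("AssumedRole", DEV, "iam.amazonaws.com", "ListUsers", errorCode="AccessDenied"),
    _rec("AssumedRole", DEV, "s3.amazonaws.com", "ListBuckets", errorCode="AccessDenied"),
    _rec("AssumedRole", DEV, "ec2.amazonaws.com", "DescribeInstances"),
]
# What a delivered object looks like on disk or in S3.
SAMPLE_LOG_OBJECT = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())

if __name__ == "__main__":
    for rule, who, detail in detect(load_log_object(SAMPLE_LOG_OBJECT)):
        print(f"{rule:28s} {who:60s} {detail}")
```

Note that the StopLogging attempt is flagged even though it failed with AccessDenied: an SCP or IAM deny stops the damage, but the attempt is the signal the security account should see.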

Deployment & Configuration Update Pipeline




      Summary  - Benefits of AWS Automated Landing Zone

      • Automated
      • Scalable
      • Self-service
      • Guardrails NOT Blockers
      • No additional charges for the AWS Landing Zone solution itself; you pay only for the AWS resources it deploys.

      Options for Operating your Landing Zone



      To learn more


