Landing Zone Accelerator on AWS

[First Name] [Last Name]


[Title]

November 2022

© 2022, Amazon Web Services, Inc. or its Affiliates.


Agenda

• Security and Compliance Solutions
• Landing Zone Accelerator on AWS Overview
• Solution Highlights and Benefits
• Features and Design
• How to Get Started

Compliance requirements

• Personnel
• Incident response
• Boundary protection
• Identity and access control
• Disaster recovery
• Configuration management
• Highly available architecture
• System management & monitoring
• Log management & monitoring
• Compute and storage
• Networking
• Virtualization
• Data center

Customers need better visibility and security to optimize their next-gen cloud applications

• Increase operational efficiency for your cloud-based workloads and applications
• Improve visibility
• Enhance security posture
AWS security, identity, and compliance solutions

Identity & access management: AWS Identity & Access Management (IAM), AWS Single Sign-On, AWS Organizations, AWS Directory Service, Amazon Cognito, AWS Resource Access Manager

Detection: AWS Security Hub, Amazon GuardDuty, Amazon Inspector, Amazon CloudWatch, AWS Config, AWS CloudTrail, VPC Flow Logs, AWS IoT Device Defender

Infrastructure protection: AWS Firewall Manager, AWS Network Firewall, AWS Shield, AWS WAF – Web application firewall, Amazon Virtual Private Cloud (VPC), AWS PrivateLink, AWS Systems Manager

Data protection: Amazon Macie, AWS Key Management Service (KMS), AWS CloudHSM, AWS Certificate Manager, AWS Secrets Manager, AWS VPN, Server-Side Encryption

Incident response: Amazon Detective, CloudEndure DR, AWS Lambda

Compliance: AWS Artifact, AWS Audit Manager, AWS Config Rules
Shared Responsibility Model

Security IN the Cloud (Customer): customer responsibility will be determined by the AWS Cloud services that a customer selects.

Security OF the Cloud (AWS): AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.
The Landing Zone Accelerator on AWS is an open-source software solution that accelerates the implementation of a customer’s technical security controls and infrastructure foundation on AWS.

Solution Highlights

• Build secure and compliant AWS environments in days, instead of months or years.
• Focus time and critical budgets on migration, transformation, and innovation.
• Documentation helps demonstrate compliance requirements are met and shortens time to prepare for accreditation of their AWS environment.
• Customers can install the Solution directly from GitHub or have it delivered by AWS Professional Services or Partners.
• Customers can get technical assistance from AWS Support.

Landing Zone Accelerator Benefits

• Customer resources focus on learning to ‘operate’ in the cloud
• Accelerate environment setups in days, not weeks
• Leverages AWS expertise
• Innovate through open source model
• Flexibility to integrate with other management tools
• Enables customers on day 1, day 10, and day N, supporting them throughout their AWS journey
• Establish a compliant and improved security posture

Architecture

(Diagram) Customers write Configuration Files (yaml); the Landing Zone Accelerator (CDK) deploys them into a multi-account environment across the AWS Cloud. Feature requests and issues go to the public GitHub project.

Landing Zone Accelerator on AWS

(Diagram, step 1) Deployment components: Installation Template (AWS CloudFormation), Configuration Files (yaml), AWS CodePipeline, AWS Cloud Development Kit, Landing Zone Accelerator.

Landing Zone Accelerator on AWS

(Diagram, steps 1-3) Pipeline: (1) Installation Template (AWS CloudFormation), (2) Configuration Files (yaml), (3) AWS CodePipeline, AWS Cloud Development Kit, Landing Zone Accelerator.

Root OU - Management (Root) Account: AWS Control Tower, AWS Organizations, AWS Single Sign-On, Amazon CloudWatch, AWS CloudTrail, AWS Config.
Security OU - Log Archive Account: Centralized Logs Bucket. Audit / Security Tooling Account.

Landing Zone Accelerator on AWS

Configuration Files (yaml), shown beside the pipeline diagram (steps 1-4: Installation Template (AWS CloudFormation), Configuration Files (yaml), AWS CodePipeline, AWS Cloud Development Kit / Landing Zone Accelerator). Organization configuration excerpt:

enable: true
organizationalUnits:
  - name: Security
  - name: Infrastructure
  - name: Dev
  - name: Test
  - name: Prod
serviceControlPolicies:
  - name: AcceleratorGuardrails1
    description: Accelerator GuardRails 1
    policy: service-control-policies/guardrails-1.json
    type: customerManaged
    deploymentTargets:
      organizationalUnits:
        - Infrastructure
taggingPolicies:
  - name: TagPolicy
    description: Organization Tagging Policy
    policy: tagging-policies/org-tag-policy.json
    deploymentTargets:
      organizationalUnits:
        - Root
backupPolicies:
  - name: BackupPolicy
    description: Organization Backup Policy
    policy: backup-policies/org-backup-policies.json
    deploymentTargets:
      organizationalUnits:
        - Root

Account configuration excerpt:

mandatoryAccounts:
  - name: Management
    email: example-management-root-account@amazon.com
    organizationalUnit: Root
    isGovCloud: true
  - name: LogArchive
    email: example-log-archive-account@amazon.com
    organizationalUnit: Security
  - name: Audit
    email: example-audit-account@amazon.com
    organizationalUnit: Security
workloadAccounts:
  - name: SharedServices
    email: example-shared-service-accounts@amazon.com
    organizationalUnit: Infrastructure
  - name: Network
    email: example-network-account@amazon.com
    organizationalUnit: Infrastructure

Landing Zone Accelerator on AWS

(Diagram, steps 1-4) Pipeline: (1) Installation Template (AWS CloudFormation), (2) Configuration Files (yaml), (3) AWS CodePipeline, (4) AWS Cloud Development Kit, Landing Zone Accelerator.

Root OU - Management (Root) Account: AWS Control Tower, AWS Organizations, AWS Single Sign-On, Amazon CloudWatch, AWS CloudTrail, AWS Config.
Security OU - Log Archive Account: Centralized Logs Bucket. Audit / Security Tooling Account.
Infrastructure OU - Network Account, Shared Services Account.
Dev / Test / Prod OU (Workload OUs) - Workload Account 1 … N.

Landing Zone Accelerator on AWS

Configuration Files (yaml), shown beside the pipeline diagram (steps 1-4: Installation Template (AWS CloudFormation), Configuration Files (yaml), AWS CodePipeline, AWS Cloud Development Kit / Landing Zone Accelerator). Security configuration excerpt:

homeRegion: &HOME_REGION us-east-1
centralSecurityServices:
  delegatedAdminAccount: Audit
  ebsDefaultVolumeEncryption:
    enable: true
    excludeRegions: []
  s3PublicAccessBlock:
    enable: true
    excludeAccounts: []
  macie:
    enable: true
    ...
  guardduty:
    enable: true
    ...
  securityHub:
    enable: true
    regionAggregation: true
    excludeRegions: []
    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        enable: true
        controlsToDisable:
          - IAM.1
          - EC2.10
          - Lambda.4
  ssmAutomation:
    ...
accessAnalyzer:
  enable: true
  ...
iamPasswordPolicy:
  allowUsersToChangePassword: true
  hardExpiry: false
  requireSymbols: true
  requireNumbers: true
  minimumPasswordLength: 14
  passwordReusePrevention: 24
  maxPasswordAge: 90
awsConfig:
  enableConfigurationRecorder: true
  enableDeliveryChannel: true
  ruleSets:
    - deploymentTargets:
        organizationalUnits:
          - Root
      rules:
        - name: accelerator-iam-user-group-membership-check
          complianceResourceTypes:
            - AWS::IAM::User
          identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
        - name: accelerator-securityhub-enabled
          identifier: SECURITYHUB_ENABLED
cloudWatch:
  metricSets:
    - regions:
        - *HOME_REGION
      deploymentTargets:
        organizationalUnits:
          - Root
      metrics:
        # CIS 1.1 – Avoid the use of the "root" account
        - filterName: RootAccountMetricFilter
          logGroupName: aws-controltower/CloudTrailLogs
          filterPattern: '{$.userIdentity.type="Root"}'
          metricNamespace: LogMetrics
          metricName: RootAccount
          metricValue: "1"
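As an added example (not part of this deck or of the Landing Zone Accelerator project), the Python below evaluates the RootAccountMetricFilter pattern from the security configuration against CloudTrail-style log lines, the way the CloudWatch Logs metric filter does when it emits metricValue "1" per matching event. It implements only the JSON-pattern subset the LZA filters use (`$.path = "value"` and `!=` clauses joined with `&&`); the sample events are constructed, and treating an absent field as a non-match for `!=` is an assumption.

```python
import json
import re

# One `$.path OP "value"` clause; OP is = or !=.  Only the JSON-pattern subset
# used by the LZA metric filters is supported (clauses joined with &&).
_CLAUSE = re.compile(r'\$\.([A-Za-z0-9_.]+)\s*(!=|=)\s*"([^"]*)"')


def parse_filter_pattern(pattern: str):
    """'{$.a.b="x" && $.c!="y"}' -> [(["a", "b"], "=", "x"), (["c"], "!=", "y")]."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("only JSON-style {...} patterns are supported")
    clauses = []
    for raw in body[1:-1].split("&&"):
        m = _CLAUSE.fullmatch(raw.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append((m.group(1).split("."), m.group(2), m.group(3)))
    return clauses


def event_matches(event: dict, clauses) -> bool:
    """Every clause must hold; a field absent from the event never matches (assumption)."""
    for path, op, value in clauses:
        cur = event
        for key in path:
            cur = cur.get(key) if isinstance(cur, dict) else None
        if cur is None or (op == "=") != (str(cur) == value):
            return False
    return True


def count_metric(log_lines, pattern: str, metric_value: str = "1") -> int:
    """Sum metricValue over matching lines, as the CloudWatch metric filter does."""
    clauses = parse_filter_pattern(pattern)
    total = 0
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON log lines never match a JSON pattern
        if isinstance(event, dict) and event_matches(event, clauses):
            total += int(metric_value)
    return total


# Constructed CloudTrail-style events (sample data, not real logs).
SAMPLE_LINES = [
    '{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "accountId": "111111111111"}}',
    '{"eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "userName": "alice"}}',
    '{"eventName": "GetCallerIdentity", "userIdentity": {"type": "Root"}}',
    "plain text line that is not JSON",
]

ROOT_PATTERN = '{$.userIdentity.type="Root"}'  # the CIS 1.1 filter from the config above
```

Running `count_metric(SAMPLE_LINES, ROOT_PATTERN)` yields 2, one data point per root-credential event, which is what the RootAccount metric in the LogMetrics namespace would receive for these lines.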


Landing Zone Accelerator on AWS

(Diagram, steps 1-4) Pipeline: (1) Installation Template (AWS CloudFormation), (2) Configuration Files (yaml), (3) AWS CodePipeline, (4) AWS Cloud Development Kit, Landing Zone Accelerator.

Root OU - Management (Root) Account: AWS Control Tower, AWS Organizations, AWS Single Sign-On, Amazon CloudWatch, AWS CloudTrail, AWS Config.
Security OU - Log Archive Account: Centralized Logs Bucket. Audit / Security Tooling Account: AWS Security Hub, AWS KMS, Amazon GuardDuty, Amazon Macie.
Infrastructure OU - Network Account, Shared Services Account.
Dev / Test / Prod OU (Workload OUs) - Workload Account 1 … N.

Landing Zone Accelerator on AWS

Configuration Files (yaml), shown beside the pipeline diagram (steps 1-4: Installation Template (AWS CloudFormation), Configuration Files (yaml), AWS CodePipeline, AWS Cloud Development Kit / Landing Zone Accelerator). Network configuration excerpt:

homeRegion: &HOME_REGION us-east-1
defaultVpc:
  delete: true
  excludeAccounts: []
transitGateways:
  - name: Network-Main
    account: Network
    region: *HOME_REGION
    shareTargets:
      organizationalUnits:
        - Infrastructure
    asn: 65521
    dnsSupport: enable
    vpnEcmpSupport: enable
    defaultRouteTableAssociation: disable
    defaultRouteTablePropagation: disable
    autoAcceptSharingAttachments: enable
    routeTables:
      - name: Network-Main-Core
        routes: []
      - name: Network-Main-Segregated
        routes: []
      - name: Network-Main-Shared
        routes: []
      - name: Network-Main-Standalone
        routes: []
vpcs:
  - name: Network-Endpoints
    account: Network
    region: *HOME_REGION
    cidrs:
      - 10.1.0.0/22
    internetGateway: false
    enableDnsHostnames: true
    enableDnsSupport: true
    instanceTenancy: default
    routeTables:
      - name: Network-Endpoints-Tgw-A
        routes: []
      ...
    subnets:
      - name: Network-Endpoints-A
        availabilityZone: a
        routeTable: Network-Endpoints-A
        ipv4CidrBlock: 10.1.0.0/24
      ...
    transitGateway:
      name: Network-Main
      account: Network
    gatewayEndpoints:
      defaultPolicy: Default
      endpoints:
        - service: s3
        - service: dynamodb
    interfaceEndpoints:
      central: true
      defaultPolicy: Default
      endpoints:
        - service: ec2
        - service: ec2messages
Landing Zone Accelerator on AWS

(Diagram, steps 1-4) Pipeline: (1) Installation Template (AWS CloudFormation), (2) Configuration Files (yaml), (3) AWS CodePipeline, (4) AWS Cloud Development Kit, Landing Zone Accelerator.

Root OU - Management (Root) Account: AWS Control Tower, AWS Organizations, AWS Single Sign-On, Amazon CloudWatch, AWS CloudTrail, AWS Config.
Security OU - Log Archive Account: Centralized Logs Bucket. Audit / Security Tooling Account: AWS Security Hub, AWS KMS, Amazon GuardDuty, Amazon Macie.
Infrastructure OU - Network Account: Inspection VPC (NGFW*, IDS/IPS*), Endpoints VPC (Centralized VPC Endpoints), AWS Transit Gateway. Shared Services Account: Shared Services VPC (Active Directory*, WSUS* / yum*, ACAS* / HBSS*), External Access VPC (Bastions*).
Dev / Test / Prod OU (Workload OUs) - Workload Account 1 … N: Workload VPC 1 … N.

*For illustration only to demonstrate where these additional capabilities and resources can be deployed
Features - Security

AWS Control Tower, AWS Organizations, Amazon CloudWatch, AWS Config, AWS CloudTrail, AWS Service Catalog, AWS Systems Manager, AWS Security Hub, Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS Resource Access Manager, AWS Key Management Service (AWS KMS), AWS Identity and Access Management (IAM), AWS Network Firewall
Features - Networking

Amazon Virtual Private Cloud (Amazon VPC), Amazon Route 53, AWS Transit Gateway, AWS Direct Connect

Features - Operations

AWS Budgets, AWS Cost & Usage Report, AWS Cost Explorer, AWS Tools and SDKs, AWS Cloud Development Kit (AWS CDK), AWS CodePipeline, AWS CodeCommit, AWS CodeBuild, AWS Managed Services, AWS Professional Services, AWS Support

How to Get Started

GitHub Repository: https://github.com/awslabs/landing-zone-accelerator-on-aws
AWS Solutions Implementation and Deployment Guide: https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Thank you!
