
AWS Landing Zone

Pravin Menghani
Challenges
• Complex process in setting up multiple accounts
• Need to understand multiple services
• Applying the same security practices across multiple accounts
• Implementing the same RBAC structure across accounts
• Setting up multiple AWS accounts and user accounts, and their access
• Setting up multiple VPCs across multiple accounts
• Following AWS best practices
AWS Landing Zone
• AWS Landing Zone is a solution that helps
customers more quickly set up a secure, multi-
account AWS environment based on AWS best
practices.
Promises that AWS Landing Zone can fulfill
• Automated AWS multi-account setup
• Basic security guidelines
• Codified best practices (including updates directly from
AWS); for example, automated CloudTrail setup and
VPC/network design
• DevOps best practices: Infrastructure-as-Code with the use
of codified templates and continuous delivery, whereby
your own extensions can be rolled out globally.
• High adaptability owing to the use of templates
• Modularity
• Single Sign-On and central management of access rights
(optional)
Multi-Account structure
• AWS Organizations Account
• The AWS Landing Zone is deployed into an AWS Organizations account (the master account of the organization). This account is used to manage the configuration of, and access to, the AWS Landing Zone managed accounts. The AWS Organizations account provides the ability to create and financially manage member accounts. It contains the AWS Landing Zone configuration Amazon Simple Storage Service (Amazon S3) bucket and pipeline, the account configuration StackSets, the AWS Organizations Service Control Policies (SCPs), and the AWS Single Sign-On (SSO) configuration.
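SCPs are the control that makes security practices stick across member accounts: an SCP grants nothing by itself, it only caps what the IAM policies inside an account can allow, and an explicit Deny in an SCP cannot be overridden from inside the member account. The following is an added example, not code shipped by AWS Landing Zone: a constructed SCP that protects the audit trail and AWS Config and prevents an account from leaving the organization, plus a small evaluator that applies SCP semantics to a given API action.

```python
"""Evaluate whether a Service Control Policy (SCP) blocks an API action.

Added example (not AWS Landing Zone code). The SCP below is constructed in
the style of an Organizations guardrail; the evaluator mirrors the SCP
semantics a practitioner relies on: an SCP never grants anything, an explicit
Deny wins, and an action survives only if some Allow statement matches it and
no Deny statement does.
"""
import fnmatch
import json

# Constructed SCP: deny tampering with the audit trail and with AWS Config,
# deny leaving the organization, allow everything else through to IAM.
PROTECT_AUDIT_TRAIL_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverythingElse", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "DenyCloudTrailTampering", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
         "Resource": "*"},
        {"Sid": "DenyConfigTampering", "Effect": "Deny",
         "Action": ["config:DeleteConfigurationRecorder",
                    "config:StopConfigurationRecorder",
                    "config:DeleteDeliveryChannel"],
         "Resource": "*"},
        {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
})


def _as_list(value):
    """Policy JSON allows a string where a list is expected; normalise."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_matches(stmt, action):
    if "Action" in stmt:
        return _action_matches(_as_list(stmt["Action"]), action)
    if "NotAction" in stmt:
        return not _action_matches(_as_list(stmt["NotAction"]), action)
    return False


def scp_permits(policy_json, action):
    """Return True if the SCP leaves `action` available to the account.

    Models the SCP layer only: the caller's own IAM policy must still grant
    the action before the request succeeds.
    """
    statements = _as_list(json.loads(policy_json)["Statement"])
    allowed = False
    for stmt in statements:
        if not _statement_matches(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


def blocked_actions(policy_json, actions):
    """Filter a list of API actions down to those the SCP blocks."""
    return [a for a in actions if not scp_permits(policy_json, a)]


if __name__ == "__main__":
    for act in ["cloudtrail:StopLogging", "cloudtrail:LookupEvents",
                "organizations:LeaveOrganization", "ec2:RunInstances"]:
        state = "permitted" if scp_permits(PROTECT_AUDIT_TRAIL_SCP, act) else "BLOCKED"
        print(f"{act:40} {state}")
```

Two caveats a practitioner needs: SCPs do not apply to the master (management) account itself, so access to that account has to be restricted by other means, and the evaluator above models only the SCP layer, so an action it reports as permitted still has to be allowed by the caller's IAM policy.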
Shared Services Account
• The Shared Services account is a reference for
creating infrastructure shared services such as
directory services. By default, this account
hosts AWS Managed Active Directory for AWS
SSO integration in a shared Amazon Virtual
Private Cloud (Amazon VPC) that can be
automatically peered with new AWS accounts
created with the Account Vending Machine
(AVM).
Logging Account
• The Logging account contains a central Amazon S3 bucket that stores copies of all AWS CloudTrail and AWS Config log files from every managed account, so the audit logs are kept outside the accounts that produced them.
Security Account
• The Security account creates auditor (read-only) and administrator (full-access) cross-account roles in all AWS Landing Zone managed accounts, assumable from the Security account. These roles are intended for a company's security and compliance team, to audit the accounts or to perform emergency security operations in case of an incident.
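Whoever can assume the auditor or administrator role can read or change every managed account, so the trust policy on each of those roles is the control worth checking. The following validator is an added example, not the Landing Zone's own code: it takes a role trust policy and the Security account ID (both constructed here) and verifies that only principals from the Security account are trusted and that MFA is required on the assuming session. The MFA condition is a recommendation added here, not something the page states.

```python
"""Validate the trust policy of a Security-account cross-account role.

Added example, not AWS Landing Zone code. Checks that an AssumeRole trust
policy (1) trusts no principal outside the Security account and (2) requires
aws:MultiFactorAuthPresent. Account IDs below are constructed.
"""
import json
import re

SECURITY_ACCOUNT_ID = "999999999999"  # constructed example ID

# A trust policy that passes both checks.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TrustSecurityAccountWithMfa",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})

# A trust policy with the two mistakes the validator is meant to catch:
# an unrelated account is also trusted, and no MFA condition is set.
BAD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Principal": {"AWS": ["999999999999", "arn:aws:iam::123456789012:root"]},
        "Action": "sts:AssumeRole",
    }],
})

_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_account(principal):
    """Return the 12-digit account ID behind a principal string, or None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = _ARN_ACCOUNT.match(principal)
    return match.group(1) if match else None


def trust_policy_problems(policy_json, security_account_id):
    """Return a list of findings; an empty list means the policy passes."""
    problems = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue  # not an AssumeRole grant, nothing to check
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append(f"{sid}: trusts any principal")
        elif isinstance(principal, dict):
            for key in principal:
                if key != "AWS":  # Service/Federated principals do not belong here
                    problems.append(f"{sid}: unexpected principal type {key}")
            for p in _as_list(principal.get("AWS", [])):
                if _principal_account(p) != security_account_id:
                    problems.append(f"{sid}: trusts principal outside the Security account: {p}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            problems.append(f"{sid}: does not require MFA")
    return problems


if __name__ == "__main__":
    for name, doc in [("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)]:
        print(name, trust_policy_problems(doc, SECURITY_ACCOUNT_ID) or "OK")
```

Note that `aws:MultiFactorAuthPresent` is absent (and so evaluates false) for sessions obtained through role chaining, so a trust policy written this way blocks unattended automation in the Security account from assuming the role; that is the intended effect for emergency-access roles, but plan a separate, tightly scoped path for automation if it needs cross-account read access.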
AVM
• The Account Vending Machine (AVM) is an
AWS Landing Zone key component. The AVM
is provided as an AWS Service
Catalog product, which allows customers to
create new AWS accounts in Organizational
Units (OUs) preconfigured with an account
security baseline, and a predefined network.
• AWS Landing Zone leverages Service Catalog to grant administrators permissions to create and manage AWS Landing Zone products, and end users permissions to launch and manage AVM products.
• The AVM uses launch constraints so that end users can create new accounts without requiring account administrator permissions.
• Optional products can be deployed using the AVM, such as the Centralized Logging component.
Account baseline
• A ‘baseline’ is provisioned in all accounts. In the default
configuration, the baseline contains:
• CloudTrail setup (audit logs)
• AWS Config and a basic rule set (‘Governance’) used,
for example, to send an alert if CloudTrail has been
deactivated
• IAM password policy for IAM users
• Cross-account access from the Security account
• An optional VPC according to specifications
• Notifications and alarms, for example when root users
log in
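Two of the baseline alerts above, a root user login and CloudTrail being deactivated, are pattern matches over CloudTrail records. The following is an added example, not part of the Landing Zone solution: it runs that detection logic over a few constructed records in the CloudTrail log file format. Account IDs, trail names and actor names are made up.

```python
"""Detect baseline alarm conditions in CloudTrail records.

Added example (not AWS Landing Zone code). Flags two conditions from the
account baseline: a console login by the root user (successful or not) and
an API call that deactivates or alters a trail. Sample records are constructed
in the shape CloudTrail uses, not real log data.
"""
import json

# Constructed sample events (real CloudTrail records carry more fields).
SAMPLE_RECORDS = [
    {"eventTime": "2019-03-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-03-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-03-01T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/Admin/bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:222222222222:trail/lz-trail"}},
    {"eventTime": "2019-03-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    # A failed root login is still worth an alert: someone is trying the root credentials.
    {"eventTime": "2019-03-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": "333333333333",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::333333333333:root"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]

# CloudTrail delivers log files as a JSON object with a top-level "Records" list.
SAMPLE_LOG_FILE = json.dumps({"Records": SAMPLE_RECORDS})

# API calls that switch the trail off or change what it captures.
CLOUDTRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_cloudtrail_file(text):
    """Return the list of records from a CloudTrail log file body."""
    doc = json.loads(text)
    return doc["Records"] if isinstance(doc, dict) else doc


def classify(record):
    """Return an alert name for a CloudTrail record, or None if it is benign."""
    identity = record.get("userIdentity", {})
    if record.get("eventName") == "ConsoleLogin" and identity.get("type") == "Root":
        return "ROOT_CONSOLE_LOGIN"
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in CLOUDTRAIL_TAMPER_EVENTS):
        return "CLOUDTRAIL_TAMPERING"
    return None


def find_alerts(records):
    """Run classify over records; return (account, alert, eventName, actor) tuples."""
    alerts = []
    for rec in records:
        alert = classify(rec)
        if alert is None:
            continue
        identity = rec.get("userIdentity", {})
        actor = identity.get("arn") or identity.get("userName") or identity.get("type")
        alerts.append((rec.get("recipientAccountId"), alert, rec.get("eventName"), actor))
    return alerts


if __name__ == "__main__":
    for account, alert, event, actor in find_alerts(parse_cloudtrail_file(SAMPLE_LOG_FILE)):
        print(f"{account} {alert:22} {event:14} by {actor}")
```

In the Landing Zone design these records land in the Logging account's central bucket, which is where this kind of detection belongs: a member account administrator who stops the trail cannot also delete the copies already delivered there.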
Disadvantages of Landing Zone
• Landing Zone sets up a few resources by default that cost money. The most costly of them are:
• AWS Managed Active Directory (directory service)
• AD Connector in the master account
• AWS Config Rules in each AWS account
• EC2 instance as Remote Desktop Gateway/JumpHost to connect to Active Directory
Landing Zone CloudFormation Template
• https://s3.amazonaws.com/solutions-reference/aws-landing-zone/latest/aws-landing-zone-initiation.template
