Customizing and scaling your AWS Control Tower environment

Transcript

1. © 2022, Amazon Web Services, Inc. or its affiliates. ©

   2022, Amazon Web Services, Inc. or its affiliates. Customizing and scaling your AWS Control Tower environment Nicolas David (he/him) Senior Startup Solutions Architect MEA Amazon Web Services

2. © 2022, Amazon Web Services, Inc. or its affiliates. Agenda

   AWS Control Tower landing zone Common customizations The Customizations for AWS Control Tower (CfCT) solution CfCT best practices and considerations Multi-organization deployments End-to-end account vending example 2

3. © 2022, Amazon Web Services, Inc. or its affiliates. ©

   2022, Amazon Web Services, Inc. or its affiliates. Before we begin 3

4. © 2022, Amazon Web Services, Inc. or its affiliates. Data

   residency in AWS Control Tower adds to our toolbox of programmatically setting up guardrails and data controls. As data regulations evolve, this capability will assist compliance and help us enable innovation to serve patients around the world. William Taggart Executive Director, Cloud Computing and DevOps 4

5. © 2022, Amazon Web Services, Inc. or its affiliates. AWS

   Control Tower 5 The easiest self-service solution to automate the setup of new AWS multi-account environments Deployment of AWS best-practice blueprints and guardrails An AWS service, offering automated account creation based on AWS best practices Dashboard for monitoring compliance status AWS Managed Services (AMS) version of multi-account environment

6. © 2022, Amazon Web Services, Inc. or its affiliates. Landing

   zone provisioned by AWS Control Tower 6 Management account AWS Control Tower AWS Organizations AWS SSO AWS CloudFormation StackSets AWS Service Catalog (Account Factory) Security OU Sandbox OU AWS SSO directory Log archive account Audit account Provisioned accounts Account baseline Centralized AWS CloudTrail and AWS Config logs Account baseline Security notifications Security cross-account roles AWS Config aggregator Account baseline Network baseline

7. © 2022, Amazon Web Services, Inc. or its affiliates. ©

   2022, Amazon Web Services, Inc. or its affiliates. With your baseline environment set up, what’s next? 7

8. © 2022, Amazon Web Services, Inc. or its affiliates. Top

   5 customization categories 8 Identity Identity providers IAM role and policy Service control policy

9. © 2022, Amazon Web Services, Inc. or its affiliates. Top

   5 customization categories 9 Identity Security and compliance Identity providers IAM role and policy Service control policy Security tooling Encryption

10. © 2022, Amazon Web Services, Inc. or its affiliates. Top

    5 customization categories 10 Identity Security and compliance Networking Identity providers IAM role and policy Service control policy Security tooling Encryption AWS Transit Gateway IP allocation Routing Security groups

11. © 2022, Amazon Web Services, Inc. or its affiliates. Top

    5 customization categories 11 Identity Security and compliance Networking Logging Identity providers IAM role and policy Service control policy Security tooling Encryption AWS Transit Gateway IP allocation Routing Security groups AWS CloudTrail (data events) VPC Flow Logs Firewall logs Amazon CloudWatch logs

12. © 2022, Amazon Web Services, Inc. or its affiliates. Top

    5 customization categories 12 Identity Security and compliance Networking Logging Control Identity providers IAM role and policy Service control policy Security tooling Encryption AWS Transit Gateway IP allocation Routing Security groups AWS CloudTrail (data events) VPC Flow Logs Firewall logs Amazon CloudWatch logs AWS Config rules Resource policy (Amazon S3, Amazon SNS, AWS KMS) Preconfigured products

13. © 2022, Amazon Web Services, Inc. or its affiliates. Customization

    framework for AWS Control Tower 13

14. © 2022, Amazon Web Services, Inc. or its affiliates. AWS

    Control Tower customization – Example 14 --- region: us-east-1 version: 2021-03-15 resources: - name: IDP-Type1 resource_file: templates/saml-provider.template deployment_targets: organizational_units: - Infra-Prod accounts: - <account_id> deploy_method: (stack_set or scp) parameters: - parameter_key: Organization parameter_value: $[alfred_ssm_/corporate/organization] export_outputs: - name: /corporate/param_name value: $[output_<cf_output_name>] regions: - us-east-1

15. © 2022, Amazon Web Services, Inc. or its affiliates. ©

    2022, Amazon Web Services, Inc. or its affiliates. CfCT best practices and considerations 15

16. © 2022, Amazon Web Services, Inc. or its affiliates. CfCT

    considerations D E P L O Y M E N T 16 Any resource supported by CloudFormation should be deployed by CfCT

17. © 2022, Amazon Web Services, Inc. or its affiliates. CfCT

    considerations P A R A L L E L V S . S E Q U E N T I A L Region Region Region Region Region Region Region

18. © 2022, Amazon Web Services, Inc. or its affiliates. CfCT

    considerations F A U L T T O L E R A N C E performance vs. consistency

19. © 2022, Amazon Web Services, Inc. or its affiliates. CfCT

    considerations F A U L T T O L E R A N C E Proactively manage service quotas

20. © 2022, Amazon Web Services, Inc. or its affiliates. CfCT

    considerations F A U L T T O L E R A N C E Global resources

21. © 2022, Amazon Web Services, Inc. or its affiliates. CfCT

    considerations F A U L T T O L E R A N C E Using multiple organizations

22. © 2022, Amazon Web Services, Inc. or its affiliates. ©

    2022, Amazon Web Services, Inc. or its affiliates. AWS Security Reference Architecture 22

23. © 2022, Amazon Web Services, Inc. or its affiliates. Account

    Factory for Terraform (AFT) 23 • Terraform-based account provisioning pipeline • Feature support § AWS Enterprise Support enrollment § Amazon GuardDuty § AWS CloudTrail data events for Amazon S3 and AWS Lambda § Default VPC deletion • Bring your own TF customizations

24. © 2022, Amazon Web Services, Inc. or its affiliates. ©

    2022, Amazon Web Services, Inc. or its affiliates. Managing multiple organizations with CfCT 24

25. © 2022, Amazon Web Services, Inc. or its affiliates. Multi-organization

    management • Development vs. production organizations • Challenges • Environment properties • Automation • Single manifest pattern 25

26. © 2022, Amazon Web Services, Inc. or its affiliates. ©

    2022, Amazon Web Services, Inc. or its affiliates. Multi-organization manifest file overview 26

27. © 2022, Amazon Web Services, Inc. or its affiliates. End-to-end

    account vending solution S O L U T I O N E X A M P L E – P A R T O N E 27 1. User requests a new account using a ticketing system 2. Ticketing system calls account vending Lambda function 3. Lambda records request details in an Amazon DynamoDB table 4. Request validation (optional) 5. After validation, calls account vending function to proceed with account vending 6. Lambda calls AWS Service Catalog to create a new account 7. Monitor progress using AWS Step Functions 8. After account is successfully created, Lambda inventory functions registers a new account

28. © 2022, Amazon Web Services, Inc. or its affiliates. End-to-end

    account vending solution S O L U T I O N E X A M P L E – P A R T T W O 28 9. Creation of new account triggers lifecycle event Lambda function to • Add account to Active Directory and grant user(s) permission • Create alias for the new account • Grant new account permission to call network dispatcher • Grant new account permission for CloudWatch log destination • Update Amazon S3 account public access • Other as needed 10. Triggers AWS Control Tower customization to deploy necessary infrastructure and resources in the new account 11. When all resources are deployed, AWS Control Tower customization calls account vending function to update status 12. When all steps succeed, vending function calls ticketing system 13. Lambda resolves ticket and notifies user that requested account is ready for use

29. © 2022, Amazon Web Services, Inc. or its affiliates. Thank

    you! © 2022, Amazon Web Services, Inc. or its affiliates. Nicolas David [email protected] nuage_ninja