Customizing and scaling your AWS Control Tower environment

Nicolas DAVID

October 18, 2022
Transcript

  1. © 2022, Amazon Web Services, Inc. or its affiliates. Customizing and scaling your AWS Control Tower environment. Nicolas David (he/him), Senior Startup Solutions Architect MEA, Amazon Web Services
  2. Agenda
     - AWS Control Tower landing zone
     - Common customizations
     - The Customizations for AWS Control Tower (CfCT) solution
     - CfCT best practices and considerations
     - Multi-organization deployments
     - End-to-end account vending example
  3. Before we begin
  4. "Data residency in AWS Control Tower adds to our toolbox of programmatically setting up guardrails and data controls. As data regulations evolve, this capability will assist compliance and help us enable innovation to serve patients around the world." William Taggart, Executive Director, Cloud Computing and DevOps
  5. AWS Control Tower: the easiest self-service solution to automate the setup of new AWS multi-account environments
     - Deployment of AWS best-practice blueprints and guardrails
     - An AWS service, offering automated account creation based on AWS best practices
     - Dashboard for monitoring compliance status
     - AWS Managed Services (AMS) version of multi-account environment
  6. Landing zone provisioned by AWS Control Tower (architecture diagram; labels recovered from the slide)
     - Management account: AWS Control Tower, AWS Organizations, AWS SSO (AWS SSO directory), AWS CloudFormation StackSets, AWS Service Catalog (Account Factory)
     - Security OU: Log archive account (account baseline; centralized AWS CloudTrail and AWS Config logs); Audit account (account baseline; security notifications; security cross-account roles; AWS Config aggregator)
     - Sandbox OU: provisioned accounts (account baseline; network baseline)
  7. With your baseline environment set up, what's next?
  8.–12. Top 5 customization categories (built up one column per slide; the complete table is shown once)

     | Category                | Typical customizations                                                                   |
     |-------------------------|------------------------------------------------------------------------------------------|
     | Identity                | Identity providers; IAM role and policy; Service control policy                          |
     | Security and compliance | Security tooling; Encryption                                                             |
     | Networking              | AWS Transit Gateway; IP allocation; Routing; Security groups                             |
     | Logging                 | AWS CloudTrail (data events); VPC Flow Logs; Firewall logs; Amazon CloudWatch logs       |
     | Control                 | AWS Config rules; Resource policy (Amazon S3, Amazon SNS, AWS KMS); Preconfigured products |
  13. AWS Control Tower customization – Example (CfCT manifest)

```yaml
---
region: us-east-1
version: 2021-03-15
resources:
  - name: IDP-Type1
    resource_file: templates/saml-provider.template
    deployment_targets:
      organizational_units:
        - Infra-Prod
      accounts:
        - <account_id>
    deploy_method: (stack_set or scp)
    parameters:
      - parameter_key: Organization
        parameter_value: $[alfred_ssm_/corporate/organization]
    export_outputs:
      - name: /corporate/param_name
        value: $[output_<cf_output_name>]
    regions:
      - us-east-1
```
  14. CfCT best practices and considerations
  15. CfCT considerations – Deployment: any resource supported by CloudFormation should be deployed by CfCT
  16. CfCT considerations – Parallel vs. sequential (diagram: the same stack set rolled out to several regions at once versus one region after another)
  17. CfCT considerations – Fault tolerance: performance vs. consistency
  18. CfCT considerations – Fault tolerance: proactively manage service quotas
  19. CfCT considerations – Fault tolerance: global resources
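The manifest example earlier in the deck and the "global resources" consideration both come down to checks a pipeline can run before CfCT ever touches CloudFormation. The script below is an added example, not part of the CfCT solution or the speaker's material: it walks a manifest (embedded as a Python dict so it runs without PyYAML or AWS credentials), rejects unsupported `deploy_method` values, requires regions for stack sets, flags templates that create only global resources (such as IAM SAML providers) when they are targeted at more than one region, and resolves every `$[alfred_ssm_...]` parameter reference against a stand-in for SSM Parameter Store. The `GLOBAL_TEMPLATES` set, the second SCP resource and the SSM contents are constructed for the example.

```python
"""Pre-flight validation of a CfCT manifest (version 2021-03-15).

Added example; it is not code from the CfCT project. The manifest below
mirrors the deck's example with a second resource added to exercise the
checks. It is a plain dict so the script runs offline.
"""

# Constructed manifest. The first resource is deliberately targeted at two
# regions so the global-resource check has something to report.
MANIFEST = {
    "region": "us-east-1",
    "version": "2021-03-15",
    "resources": [
        {
            "name": "IDP-Type1",
            "resource_file": "templates/saml-provider.template",
            "deployment_targets": {"organizational_units": ["Infra-Prod"]},
            "deploy_method": "stack_set",
            "parameters": [
                {"parameter_key": "Organization",
                 "parameter_value": "$[alfred_ssm_/corporate/organization]"},
            ],
            "export_outputs": [
                {"name": "/corporate/param_name", "value": "$[output_ProviderArn]"},
            ],
            "regions": ["us-east-1", "eu-west-1"],  # IAM is global: one region is enough
        },
        {
            "name": "Deny-Leaving-Org",
            "resource_file": "policies/deny-leave-org.json",
            "deployment_targets": {"organizational_units": ["Infra-Prod"]},
            "deploy_method": "scp",
        },
    ],
}

# Hypothetical allow-list of templates that create only global (non-regional)
# resources; rolling them out to several regions produces duplicate-name failures.
GLOBAL_TEMPLATES = {"templates/saml-provider.template"}

# Constructed stand-in for the SSM Parameter Store contents of the management account.
SSM_PARAMETERS = {"/corporate/organization": "o-exampleorgid"}

SSM_PREFIX = "$[alfred_ssm_"
VALID_METHODS = {"stack_set", "scp"}


def ssm_references(resource):
    """Return the SSM parameter names a resource's parameters reference."""
    names = []
    for param in resource.get("parameters", []):
        value = param.get("parameter_value", "")
        if value.startswith(SSM_PREFIX) and value.endswith("]"):
            names.append(value[len(SSM_PREFIX):-1])
    return names


def validate_manifest(manifest, ssm=SSM_PARAMETERS, global_templates=GLOBAL_TEMPLATES):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    for res in manifest.get("resources", []):
        name = res.get("name", "<unnamed>")
        method = res.get("deploy_method")
        regions = res.get("regions", [])
        if method not in VALID_METHODS:
            findings.append(f"{name}: deploy_method must be one of {sorted(VALID_METHODS)}")
            continue
        targets = res.get("deployment_targets", {})
        if not (targets.get("organizational_units") or targets.get("accounts")):
            findings.append(f"{name}: no deployment targets")
        if method == "stack_set" and not regions:
            findings.append(f"{name}: stack_set resources need at least one region")
        if res.get("resource_file") in global_templates and len(regions) > 1:
            findings.append(
                f"{name}: global-resource template deployed to {len(regions)} regions; use exactly one")
        for param_name in ssm_references(res):
            if param_name not in ssm:
                findings.append(f"{name}: SSM parameter {param_name} does not exist")
    return findings


if __name__ == "__main__":
    for line in validate_manifest(MANIFEST) or ["manifest OK"]:
        print(line)
```

Run as a pipeline stage before the CfCT CodePipeline picks up the manifest, so a missing SSM parameter or a multi-region global resource fails fast instead of partway through a stack-set rollout that then has to be rolled back across regions.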
  20. CfCT considerations – Fault tolerance: using multiple organizations
  21. AWS Security Reference Architecture
  22. Account Factory for Terraform (AFT)
     - Terraform-based account provisioning pipeline
     - Feature support
       - AWS Enterprise Support enrollment
       - Amazon GuardDuty
       - AWS CloudTrail data events for Amazon S3 and AWS Lambda
       - Default VPC deletion
     - Bring your own TF customizations
  23. Managing multiple organizations with CfCT
  24. Multi-organization management
     - Development vs. production organizations
     - Challenges
     - Environment properties
     - Automation
     - Single manifest pattern
  25. Multi-organization manifest file overview
  26. End-to-end account vending solution – Solution example, part one
     1. User requests a new account using a ticketing system
     2. Ticketing system calls account vending Lambda function
     3. Lambda records request details in an Amazon DynamoDB table
     4. Request validation (optional)
     5. After validation, calls account vending function to proceed with account vending
     6. Lambda calls AWS Service Catalog to create a new account
     7. Monitor progress using AWS Step Functions
     8. After account is successfully created, Lambda inventory function registers a new account
  27. End-to-end account vending solution – Solution example, part two
     9. Creation of new account triggers lifecycle event Lambda function to
        - Add account to Active Directory and grant user(s) permission
        - Create alias for the new account
        - Grant new account permission to call network dispatcher
        - Grant new account permission for CloudWatch log destination
        - Update Amazon S3 account public access
        - Other as needed
     10. Triggers AWS Control Tower customization to deploy necessary infrastructure and resources in the new account
     11. When all resources are deployed, AWS Control Tower customization calls account vending function to update status
     12. When all steps succeed, vending function calls ticketing system
     13. Lambda resolves ticket and notifies user that requested account is ready for use
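Steps 2 through 6 of the vending flow above (record the request in DynamoDB, validate it, call AWS Service Catalog) are the part a reader most often has to write themselves. The handler below is an added example, not the speaker's or AWS's code. The DynamoDB and Service Catalog clients are passed in as arguments so the logic can be exercised offline; in Lambda the entry point passes real boto3 clients. The product and provisioning-artifact IDs, the table name, the `ALLOWED_OUS` list and the request field names are placeholders or assumptions for the example; the provisioning parameter keys are those of the Control Tower Account Factory product.

```python
"""Account vending request handler (deck steps 2-6), an added example.

Not the speaker's code. Clients are injected so the module runs without
AWS access; lambda_handler wires in boto3 when deployed. PRODUCT_ID,
PROVISIONING_ARTIFACT_ID and REQUESTS_TABLE are placeholders.
"""
import re
import uuid
from datetime import datetime, timezone

PRODUCT_ID = "prod-PLACEHOLDER"              # Account Factory product in Service Catalog
PROVISIONING_ARTIFACT_ID = "pa-PLACEHOLDER"  # its current provisioning artifact
REQUESTS_TABLE = "account-vending-requests"  # DynamoDB table, partition key request_id

# Hypothetical allow-list of OUs a requester may ask for. Enforcement still
# belongs to the approval step and to SCPs; this only rejects obvious mistakes early.
ALLOWED_OUS = {"Sandbox", "Workloads-Dev"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_request(request):
    """Step 4: return the list of problems found; an empty list means valid."""
    problems = []
    if not EMAIL_RE.match(request.get("account_email", "")):
        problems.append("account_email is not a valid address")
    if not re.fullmatch(r"[A-Za-z0-9-]{3,50}", request.get("account_name", "")):
        problems.append("account_name must be 3-50 characters of letters, digits or '-'")
    if request.get("ou") not in ALLOWED_OUS:
        problems.append(f"ou must be one of {sorted(ALLOWED_OUS)}")
    if not EMAIL_RE.match(request.get("sso_user_email", "")):
        problems.append("sso_user_email is not a valid address")
    if not (request.get("sso_first_name") and request.get("sso_last_name")):
        problems.append("sso_first_name and sso_last_name are required")
    if not request.get("ticket_id"):
        problems.append("ticket_id is required")
    return problems


def account_factory_parameters(request):
    """Map a validated request onto the Account Factory provisioning parameters."""
    return [
        {"Key": "AccountEmail", "Value": request["account_email"]},
        {"Key": "AccountName", "Value": request["account_name"]},
        {"Key": "ManagedOrganizationalUnit", "Value": request["ou"]},
        {"Key": "SSOUserEmail", "Value": request["sso_user_email"]},
        {"Key": "SSOUserFirstName", "Value": request["sso_first_name"]},
        {"Key": "SSOUserLastName", "Value": request["sso_last_name"]},
    ]


def _set_status(dynamodb, request_id, status):
    dynamodb.update_item(
        TableName=REQUESTS_TABLE,
        Key={"request_id": {"S": request_id}},
        UpdateExpression="SET #s = :s",
        ExpressionAttributeNames={"#s": "status"},
        ExpressionAttributeValues={":s": {"S": status}},
    )


def vend_account(request, dynamodb, servicecatalog):
    """Steps 3-6: record the request, validate it, then ask Service Catalog to create the account."""
    request_id = str(uuid.uuid4())
    dynamodb.put_item(TableName=REQUESTS_TABLE, Item={
        "request_id": {"S": request_id},
        "ticket_id": {"S": str(request.get("ticket_id", ""))},
        "requested_at": {"S": datetime.now(timezone.utc).isoformat()},
        "status": {"S": "RECEIVED"},
    })
    problems = validate_request(request)
    if problems:
        _set_status(dynamodb, request_id, "REJECTED")
        return {"request_id": request_id, "status": "REJECTED", "problems": problems}

    response = servicecatalog.provision_product(
        ProductId=PRODUCT_ID,
        ProvisioningArtifactId=PROVISIONING_ARTIFACT_ID,
        ProvisionedProductName=f"account-{request['account_name']}",
        ProvisioningParameters=account_factory_parameters(request),
    )
    record_id = response["RecordDetail"]["RecordId"]
    _set_status(dynamodb, request_id, "PROVISIONING")
    # Step 7 (not shown): a Step Functions workflow polls describe_record with
    # record_id until the provisioned product reaches a terminal state.
    return {"request_id": request_id, "status": "PROVISIONING", "record_id": record_id}


def lambda_handler(event, context):
    """Step 2: the ticketing system invokes this with the request as the event."""
    import boto3  # imported here so the module also loads where boto3 is absent
    return vend_account(event, boto3.client("dynamodb"), boto3.client("servicecatalog"))
```

The record is written before validation so that every request, including rejected ones, leaves an audit trail in the table; the Service Catalog record ID returned is what the Step Functions monitor in step 7 needs, and the `ManagedOrganizationalUnit` value is the only place the requester influences where the account lands, which is why it is checked against an allow-list rather than passed through.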
  28. Thank you! Nicolas David, [email protected], nuage_ninja