Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS Control Tower for Compliance, Governance, a...

AWS Control Tower for Compliance, Governance, and taming your cloud estate

Learn how AWS Control Tower makes governance easier, gives confidence that your teams are using the cloud safely, and keeps costs in check.

This content was delivered at an in-person event by The Scale Factory.

The Scale Factory

November 02, 2023
Tweet

More Decks by The Scale Factory

Other Decks in Technology

Transcript

  1. WHY GO MULTI-ACCOUNT?_ Security SaaS tenant isolation Blast radius reduction

    Developer productivity Avoiding service limits Ease of cost attribution
  2. Desired outcome: An account structure that isolates cloud operations, unrelated

    workloads, and environments into separate accounts, increasing security across the cloud infrastructure. AWS Well-Architected framework, SEC01-BP01 “
  3. 2006 2009 2017 2019 2023 AMAZON SQS GA The first

    AWS service goes live AWS MANAGEMENT CONSOLE GA Web GUI for managing the AWS platform AWS ORGANIZATIONS GA Policy based management AWS CONTROL TOWER GA Manage multiple accounts at scale TODAY
  4. SECURITY CONCERNS_ Who can access which resources? Is public access

    locked down? What activity is logged? Who can read/write log data? Is encryption at rest enforced? Is encryption in transit enforced? Where are we storing confidential information?
  5. LEGAL CONCERNS_ In which legal jurisdiction is data stored and

    processed? Are we following all relevant local legislation? Are we meeting our contractual commitments to customers?
  6. COST CONCERNS_ Are we paying too much for our cloud

    resources? Are we generating waste, paying for unused resources? Can we avoid accidentally generating a large bill? Which department is responsible for which part of the bill? How do costs divide out across SaaS tenants?
  7. STAFFING CONCERNS_ Who’s responsible for operating which account? How do

    I contact the right team when something goes wrong? Do we have enough people to run this platform?
  8. PRODUCTIVITY CONCERNS_ How can we manage all this complexity, without

    slowing down? How can product teams maintain autonomy over their platform whilst conforming to local policy?
  9. LANDING ZONE_ A well-architected, self-service multi-account AWS environment providing: Account

    & network structure Identity & access services Security baseline and guardrails Cost guardrails Centralised management Logging and monitoring Account/application blueprints
  10. The purpose of a platform team is to enable stream-aligned

    teams to deliver work with substantial autonomy. The stream-aligned team maintains full ownership of building, running, and fixing their application in production. The platform team provides internal services to reduce the cognitive load that would be required from stream-aligned teams to develop these underlying services. Matthew Skelton, Manuel Pais Team Topologies “
  11. AWS Control Tower AWS Organizations AWS Config Amazon GuardDuty AWS

    Identity and Access Management AWS Security Hub AWS IAM Identity Center AWS Service Catalog AWS Budgets AWS CloudTrail Amazon Inspector
  12. Sandbox OU Security OU logs flow Management account AWS Control

    Tower AWS IAM Identity Center AWS Service Catalog (Account Factory) Log Archive account Audit account Example account AWS CloudFormation StackSets AWS Organizations AWS Config Logs Baseline Baseline Baseline VPC
  13. WHAT’S A SERVICE CONTROL POLICY?_ Similar to an IAM policy

    Applies to OUs Sets limits on actions Also affects the root account!
  14. SCP USE CASES_ Deny access to whole regions Prevent disabling

    of CloudTrail logs or GuardDuty Deny provision of expensive resources Prevent unencrypted object uploads to S3 Enforce a resource tagging policy
  15. DESIGN DECISIONS_ What OUs do I need? What additional service

    accounts do I need? Do I want to delegate some services to other accounts? What security controls should I deploy? Should I hook up my IAM accounts with my external IdP? How will I determine what budgets to set in my accounts? What’s a good resource tagging strategy to enforce? Do I have existing accounts to migrate under the new Organization?
  16. BE AWARE_ Not available in every region. IAM Identity Center

    and Control Tower must be deployed in the same region Installation can’t be fully automated* Best practice is to start with a fresh root account. There are costs to consider.
  17. WHAT DOES IT COST?_ AWS Control Tower itself is a

    free AWS service The tools it provisions can incur cost: AWS Config rules can be surprisingly expensive S3 costs for log archive storage
  18. HOW LONG DOES IT TAKE?_ Enabling Control Tower can be

    done pretty quickly. Choosing and defining security controls can be time consuming. Conforming existing accounts needs to be done carefully.
  19. WHEN TO USE THIS?_ ACCOUNT BASELINE FARGATE BLUEPRINT LAMBDA BLUEPRINT

    SERVICE A TEST SERVICE A PROD SERVICE B TEST SERVICE B PROD
  20. WHEN TO USE THIS?_ ACCOUNT BASELINE FARGATE BLUEPRINT SAAS TENANT

    1 SAAS TENANT 2 SAAS TENANT 3 SAAS TENANT 4
  21. CUSTOMIZATIONS FOR CONTROL TOWER (CfCT)_ Run customisations when new accounts

    are created. Orchestrated by AWS CodePipeline Executed using CloudFormation StackSets Low cost Serverless components
  22. USE CfCT TO DEPLOY_ Monitoring and alerts AWS GuardDuty config

    Additional SCPs CloudWatch cross account console Budgets
  23. BASELINE Deployed to all accounts Limited variation between accounts Managed

    by privileged users Administered by a platform team Slow rate of change WORKLOAD Deployed to subset of accounts Managed by application team High rate of change/deployment More complex
  24. BASELINE USING CLOUDFORMATION_ StackSets are region and multi- account aware

    Native support: no bootstrapping no additional infrastructure
  25. USE ANYTHING FOR WORKLOADS_ Teams can choose their own IAC

    tooling to suit them Platform should make it easy for them to use their choice of tool.
  26. AFT DOWNSIDES_ Requires costly “serverful” infrastructure Makes Terraform feed like

    CloudFormation 😱 Slow feedback loops Not very ergonomic
  27. WHY INTEGRATE YOUR IdP?_ Central user management Increased security Comply

    with regulations Integrate with device management (e.g. Kolide)
  28. WITH COMPLIANCE_ Questionnaires are easier to answer …or avoided altogether

    Sales cycle is shorter Close bigger deals Reduce operational risks
  29. 8.15 LOGGING_ To record events, generate evidence, ensure the integrity

    of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. “
  30. 8.15 LOGGING DEPENDENCIES_ 5.25 Assessment and decision on info sec

    events 5.28 Collection of evidence 5.37 Privacy & protection of PII 8.10 Information deletion 8.11 Data masking 8.16 Monitoring activities 8.17 Synchronised time sources 8.25 Use of cryptography
  31. 8.15 LOGGING GUIDELINES_ Log structure & types of events to

    log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention requirements Sensitive data in logs is protected Log analytics & anomalous behaviour detection
  32. 8.15 LOGGING GUIDELINES_ Log structure & types of events to

    log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention policy Sensitive data protection Log analytics & anomalous behaviour detection
  33. 8.15 LOGGING GUIDELINES_ Log structure & types of events to

    log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention policy Sensitive data protection Log analytics & anomalous behaviour detection
  34. 8.15 LOGGING GUIDELINES_ Log structure & types of events to

    log Protected from de-activation (inc. by privileged users), Protected from deletion & modification Protected from failure of storage media Stored in-line with the data retention policy Sensitive data protection Log analytics & anomalous behaviour detection
  35. Sandbox OU Security OU logs flow Management account AWS Control

    Tower AWS IAM Identity Center AWS Service Catalog (Account Factory) Log Archive account Audit account Example account AWS CloudFormation StackSets AWS Organizations AWS Config Logs Baseline Baseline Baseline VPC
  36. Workload OU Security OU Infrastructure OU Non-prod OU Prod OU

    Developer Sandbox OU logs flow network path Transitional OU Policy Staging OU Suspended OU Amazon Athena Backup vault Backup snapshots Management account Log Archive account Audit account Shared Services account Backups account Security Tooling account Bob's sandbox account Alice's sandbox account Test account Staging account Production account AWS Control Tower AWS Organizations AWS Config AWS IAM Identity Center Logs Baseline Baseline Baseline Baseline Baseline Baseline Baseline Baseline AWS Chatbot AWS Backup Amazon GuardDuty Admin AWS Budgets AWS Budgets VPC VPC Baseline VPC Baseline VPC
  37. COMPLIANCE APPROACH_ Perform a security risk assessment Score and prioritise

    those risks Identify controls from the standard that you wish to adopt. Map these controls to those available in AWS Control Tower Roll these out
  38. SOME TAKEAWAYS_ Control Tower: complex but powerful Get the most

    out of it by integrating with other things Great for governance across all types of business A key part of any compliance story