AWS Control Tower for Compliance, Governance, and taming your cloud estate

Learn how AWS Control Tower makes governance easier, gives confidence that your teams are using the cloud safely, and keeps costs in check.

This content was delivered at an in-person event by The Scale Factory.

The Scale Factory

November 02, 2023
Transcript

  1. WHY GO MULTI-ACCOUNT?_
     - Security
     - SaaS tenant isolation
     - Blast radius reduction
     - Developer productivity
     - Avoiding service limits
     - Ease of cost attribution

  2. “Desired outcome: An account structure that isolates cloud operations, unrelated workloads, and environments into separate accounts, increasing security across the cloud infrastructure.” AWS Well-Architected Framework, SEC01-BP01

  3. Timeline:
     - 2006: Amazon SQS GA. The first AWS service goes live.
     - 2009: AWS Management Console GA. Web GUI for managing the AWS platform.
     - 2017: AWS Organizations GA. Policy-based management.
     - 2019: AWS Control Tower GA. Manage multiple accounts at scale.
     - 2023: Today.

  4. SECURITY CONCERNS_
     - Who can access which resources?
     - Is public access locked down?
     - What activity is logged?
     - Who can read/write log data?
     - Is encryption at rest enforced?
     - Is encryption in transit enforced?
     - Where are we storing confidential information?

  5. LEGAL CONCERNS_
     - In which legal jurisdiction is data stored and processed?
     - Are we following all relevant local legislation?
     - Are we meeting our contractual commitments to customers?

  6. COST CONCERNS_
     - Are we paying too much for our cloud resources?
     - Are we generating waste, paying for unused resources?
     - Can we avoid accidentally generating a large bill?
     - Which department is responsible for which part of the bill?
     - How do costs divide out across SaaS tenants?

  7. STAFFING CONCERNS_
     - Who’s responsible for operating which account?
     - How do I contact the right team when something goes wrong?
     - Do we have enough people to run this platform?

  8. PRODUCTIVITY CONCERNS_
     - How can we manage all this complexity without slowing down?
     - How can product teams maintain autonomy over their platform whilst conforming to local policy?

  9. LANDING ZONE_ A well-architected, self-service multi-account AWS environment providing:
     - Account & network structure
     - Identity & access services
     - Security baseline and guardrails
     - Cost guardrails
     - Centralised management
     - Logging and monitoring
     - Account/application blueprints

  10. “The purpose of a platform team is to enable stream-aligned teams to deliver work with substantial autonomy. The stream-aligned team maintains full ownership of building, running, and fixing their application in production. The platform team provides internal services to reduce the cognitive load that would be required from stream-aligned teams to develop these underlying services.” Matthew Skelton, Manuel Pais, Team Topologies

  11. AWS Control Tower, AWS Organizations, AWS Config, Amazon GuardDuty, AWS Identity and Access Management, AWS Security Hub, AWS IAM Identity Center, AWS Service Catalog, AWS Budgets, AWS CloudTrail, Amazon Inspector

  12. [Diagram: a Control Tower landing zone. The Management account runs AWS Control Tower, AWS Organizations, AWS Config, AWS IAM Identity Center, AWS Service Catalog (Account Factory) and AWS CloudFormation StackSets. The Security OU holds the Log Archive account and the Audit account; the Sandbox OU holds an Example account with a VPC. A Baseline is deployed to each account and logs flow to the Log Archive account.]

  13. WHAT’S A SERVICE CONTROL POLICY?_
     - Similar to an IAM policy
     - Applies to OUs
     - Sets limits on actions
     - Also affects the root account!

  14. SCP USE CASES_
     - Deny access to whole regions
     - Prevent disabling of CloudTrail logs or GuardDuty
     - Deny provision of expensive resources
     - Prevent unencrypted object uploads to S3
     - Enforce a resource tagging policy

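An SCP covering the first four use cases above, as an added example that is not from the deck: it denies actions in regions outside a constructed two-region allow-list (exempting a subset of global services and the AWSControlTowerExecution role that Control Tower uses to manage enrolled accounts), blocks turning off CloudTrail or GuardDuty, refuses RunInstances for a constructed set of expensive instance-type families, and rejects S3 uploads that omit an encryption header. The region list, the exempted global services and the instance families are illustrative choices to adapt.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRegionsOutsideAllowList",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*", "support:*", "budgets:*",
        "cloudfront:*", "route53:*", "health:*", "account:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-west-2"]},
        "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}
      }
    },
    {
      "Sid": "ProtectCloudTrailAndGuardDuty",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "guardduty:DeleteDetector", "guardduty:UpdateDetector",
        "guardduty:DisassociateFromMasterAccount", "guardduty:StopMonitoringMembers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyExpensiveInstanceFamilies",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringLike": {"ec2:InstanceType": ["p*", "x*", "u-*", "inf*"]}}
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
    }
  ]
}
```

Because S3 has applied SSE-S3 to new objects by default since January 2023, the last statement now forces clients to send the header explicitly, so drop it where teams rely on bucket default encryption. Attach the policy to the OUs it should govern, remembering that it constrains the root user of every member account in those OUs but never the management account.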
  15. DESIGN DECISIONS_
     - What OUs do I need?
     - What additional service accounts do I need?
     - Do I want to delegate some services to other accounts?
     - What security controls should I deploy?
     - Should I hook up my IAM accounts with my external IdP?
     - How will I determine what budgets to set in my accounts?
     - What’s a good resource tagging strategy to enforce?
     - Do I have existing accounts to migrate under the new Organization?

  16. BE AWARE_
     - Not available in every region.
     - IAM Identity Center and Control Tower must be deployed in the same region.
     - Installation can’t be fully automated*
     - Best practice is to start with a fresh root account.
     - There are costs to consider.

  17. WHAT DOES IT COST?_
     - AWS Control Tower itself is a free AWS service.
     - The tools it provisions can incur cost:
       - AWS Config rules can be surprisingly expensive
       - S3 costs for log archive storage

  18. HOW LONG DOES IT TAKE?_
     - Enabling Control Tower can be done pretty quickly.
     - Choosing and defining security controls can be time consuming.
     - Conforming existing accounts needs to be done carefully.

  19. WHEN TO USE THIS?_
     [Diagram labels: ACCOUNT BASELINE; FARGATE BLUEPRINT; LAMBDA BLUEPRINT; accounts SERVICE A TEST, SERVICE A PROD, SERVICE B TEST, SERVICE B PROD.]

  20. WHEN TO USE THIS?_
     [Diagram labels: ACCOUNT BASELINE; FARGATE BLUEPRINT; accounts SAAS TENANT 1, SAAS TENANT 2, SAAS TENANT 3, SAAS TENANT 4.]

  21. CUSTOMIZATIONS FOR CONTROL TOWER (CfCT)_
     - Run customisations when new accounts are created.
     - Orchestrated by AWS CodePipeline
     - Executed using CloudFormation StackSets
     - Low cost
     - Serverless components

  22. USE CfCT TO DEPLOY_
     - Monitoring and alerts
     - AWS GuardDuty config
     - Additional SCPs
     - CloudWatch cross-account console
     - Budgets

  23. BASELINE vs WORKLOAD
     BASELINE:
     - Deployed to all accounts
     - Limited variation between accounts
     - Managed by privileged users
     - Administered by a platform team
     - Slow rate of change
     WORKLOAD:
     - Deployed to a subset of accounts
     - Managed by the application team
     - High rate of change/deployment
     - More complex

  24. BASELINE USING CLOUDFORMATION_
     - StackSets are region- and multi-account aware
     - Native support: no bootstrapping, no additional infrastructure

  25. USE ANYTHING FOR WORKLOADS_
     - Teams can choose their own IaC tooling to suit them.
     - The platform should make it easy for them to use their choice of tool.

  26. AFT DOWNSIDES_
     - Requires costly “serverful” infrastructure
     - Makes Terraform feel like CloudFormation 😱
     - Slow feedback loops
     - Not very ergonomic

  27. WHY INTEGRATE YOUR IdP?_
     - Central user management
     - Increased security
     - Comply with regulations
     - Integrate with device management (e.g. Kolide)

  28. WITH COMPLIANCE_
     - Questionnaires are easier to answer …or avoided altogether
     - Sales cycle is shorter
     - Close bigger deals
     - Reduce operational risks

  29. 8.15 LOGGING_ “To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations.”

  30. 8.15 LOGGING DEPENDENCIES_
     - 5.25 Assessment and decision on info sec events
     - 5.28 Collection of evidence
     - 5.37 Privacy & protection of PII
     - 8.10 Information deletion
     - 8.11 Data masking
     - 8.16 Monitoring activities
     - 8.17 Synchronised time sources
     - 8.25 Use of cryptography

  31. 8.15 LOGGING GUIDELINES_
     - Log structure & types of events to log
     - Protected from de-activation (inc. by privileged users)
     - Protected from deletion & modification
     - Protected from failure of storage media
     - Stored in line with the data retention requirements
     - Sensitive data in logs is protected
     - Log analytics & anomalous behaviour detection

  32. 8.15 LOGGING GUIDELINES_
     - Log structure & types of events to log
     - Protected from de-activation (inc. by privileged users)
     - Protected from deletion & modification
     - Protected from failure of storage media
     - Stored in line with the data retention policy
     - Sensitive data protection
     - Log analytics & anomalous behaviour detection

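A bucket policy for the Log Archive bucket that implements three of the 8.15 guidelines above (protection from deletion and modification, including by privileged users; encryption in transit; read access limited to the Audit account), as an added example that is not from the deck or from Control Tower's own baseline. The bucket name, the account IDs and the LogArchiveBreakGlass and AuditReadOnly role names are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-log-archive", "arn:aws:s3:::example-log-archive/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "DenyDeletionAndRetentionChanges",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutBucketVersioning",
        "s3:PutLifecycleConfiguration", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"
      ],
      "Resource": ["arn:aws:s3:::example-log-archive", "arn:aws:s3:::example-log-archive/*"],
      "Condition": {
        "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::111122223333:role/LogArchiveBreakGlass"}
      }
    },
    {
      "Sid": "AllowCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-log-archive"
    },
    {
      "Sid": "AllowCloudTrailDelivery",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-log-archive/AWSLogs/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    },
    {
      "Sid": "AllowAuditAccountReadOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::444455556666:role/AuditReadOnly"},
      "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-log-archive", "arn:aws:s3:::example-log-archive/*"]
    }
  ]
}
```

The two Deny statements use Principal "*", so they bind the account's root user as well and only the named break-glass role can delete log objects or change retention. Pair this with S3 Versioning and, for a hard retention floor, Object Lock in compliance mode, whose retention period cannot be shortened by any principal.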
  36. [Diagram: an expanded landing zone. OUs: Security OU, Infrastructure OU, Workload OU (with Non-prod OU and Prod OU), Developer Sandbox OU, Transitional OU, Policy Staging OU, Suspended OU. Accounts: Management account (AWS Control Tower, AWS Organizations, AWS Config, AWS IAM Identity Center), Log Archive account (Amazon Athena), Audit account (AWS Chatbot, Amazon GuardDuty Admin), Shared Services account (VPC), Backups account (AWS Backup with backup vault and backup snapshots), Security Tooling account, Bob's sandbox account and Alice's sandbox account (AWS Budgets), Test account, Staging account and Production account (each with a VPC). A Baseline is deployed to every account; arrows show the logs flow to the Log Archive account and the network path between VPCs.]

  37. COMPLIANCE APPROACH_
     - Perform a security risk assessment
     - Score and prioritise those risks
     - Identify controls from the standard that you wish to adopt
     - Map these controls to those available in AWS Control Tower
     - Roll these out

  38. SOME TAKEAWAYS_
     - Control Tower: complex but powerful
     - Get the most out of it by integrating with other things
     - Great for governance across all types of business
     - A key part of any compliance story