AWS service goes live (timeline):
- AWS Management Console (GA): web GUI for managing the AWS platform
- AWS Organizations (GA): policy-based management
- AWS Control Tower (GA): manage multiple accounts at scale
- Today
… locked down?
What activity is logged?
Who can read/write log data?
Is encryption at rest enforced?
Is encryption in transit enforced?
Where are we storing confidential information?
… resources?
Are we generating waste, paying for unused resources?
Can we avoid accidentally generating a large bill?
Which department is responsible for which part of the bill?
How do costs divide out across SaaS tenants?
“… teams to deliver work with substantial autonomy. The stream-aligned team maintains full ownership of building, running, and fixing their application in production. The platform team provides internal services to reduce the cognitive load that would be required from stream-aligned teams to develop these underlying services.”
Matthew Skelton and Manuel Pais, Team Topologies
… accounts do I need?
Do I want to delegate some services to other accounts?
What security controls should I deploy?
Should I federate access to my accounts with my external IdP?
How will I determine what budgets to set in my accounts?
What is a good resource tagging strategy to enforce?
Do I have existing accounts to migrate under the new Organization?
… and Control Tower must be deployed in the same region.
Installation can't be fully automated.*
Best practice is to start with a fresh management (root) account.
There are costs to consider.
… by privileged users
Administered by a platform team
Slow rate of change

WORKLOAD
Deployed to a subset of accounts
Managed by the application team
High rate of change/deployment
More complex
“… of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations.”
… events
5.28 Collection of evidence
5.34 Privacy & protection of PII
8.10 Information deletion
8.11 Data masking
8.16 Monitoring activities
8.17 Clock synchronisation (synchronised time sources)
8.24 Use of cryptography
… log
Protected from de-activation (including by privileged users)
Protected from deletion and modification
Protected from failure of storage media
Stored in line with the data retention requirements
Sensitive data in logs is protected
Log analytics and anomalous behaviour detection
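The first two requirements in the checklist above (no de-activation, even by privileged users; no deletion or modification) are what an Organizations service control policy (SCP) is for: a deny that account administrators cannot override from inside their own account. The Terraform below is an added example written for this page, not the deck's or AWS's own policy text; Control Tower ships a mandatory preventive control of this kind for its Log Archive account, and this is what such a control looks like written out by hand. The bucket name org-cloudtrail-archive-example, the break-glass role name OrgLogAdmin and the OU id are assumptions.

```hcl
# Added example (not the deck's or AWS's own code). Denies the CloudTrail and
# S3 calls that would stop, alter or delete the organization trail and its
# archive bucket, for every principal except one break-glass role.
# Assumptions (placeholders): bucket "org-cloudtrail-archive-example",
# role "OrgLogAdmin", OU id "ou-xxxx-examplexx".
locals {
  log_archive_bucket = "org-cloudtrail-archive-example"
  break_glass_role   = "arn:aws:iam::*:role/OrgLogAdmin"
}

resource "aws_organizations_policy" "protect_logging" {
  name        = "protect-logging"
  description = "Deny disabling, altering or deleting CloudTrail and the log archive"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # De-activation or reconfiguration of the trail itself.
        Sid    = "DenyCloudTrailTampering"
        Effect = "Deny"
        Action = [
          "cloudtrail:StopLogging",
          "cloudtrail:DeleteTrail",
          "cloudtrail:UpdateTrail",
          "cloudtrail:PutEventSelectors"
        ]
        Resource = "*"
        Condition = {
          ArnNotLike = { "aws:PrincipalArn" = local.break_glass_role }
        }
      },
      {
        # Deletion of archived log objects, and changes to the bucket settings
        # (policy, versioning, lifecycle, encryption, Object Lock) that protect them.
        Sid    = "DenyLogArchiveTampering"
        Effect = "Deny"
        Action = [
          "s3:DeleteBucket",
          "s3:DeleteObject",
          "s3:DeleteObjectVersion",
          "s3:PutBucketPolicy",
          "s3:DeleteBucketPolicy",
          "s3:PutBucketVersioning",
          "s3:PutLifecycleConfiguration",
          "s3:PutEncryptionConfiguration",
          "s3:PutBucketObjectLockConfiguration"
        ]
        Resource = [
          "arn:aws:s3:::${local.log_archive_bucket}",
          "arn:aws:s3:::${local.log_archive_bucket}/*"
        ]
        Condition = {
          ArnNotLike = { "aws:PrincipalArn" = local.break_glass_role }
        }
      }
    ]
  })
}

# Attach to the OU holding the Log Archive and workload accounts (placeholder id).
resource "aws_organizations_policy_attachment" "protect_logging" {
  policy_id = aws_organizations_policy.protect_logging.id
  target_id = "ou-xxxx-examplexx"
}
```

Two caveats a platform team should check before relying on this. SCPs never apply to principals in the management account, so the trail and the archive bucket must live in accounts the SCP does reach (a dedicated Log Archive account, as Control Tower does), and the management account should have no day-to-day users. The SCP stops API-level tampering but does not by itself cover the other checklist items: versioning with S3 Object Lock handles modification of stored objects, CloudTrail log file validation detects altered log files, and cross-region replication of the archive addresses failure of storage media.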