AWS Landing zone Pravin Menghani
Challenges
• Complex process in setting up multiple accounts
• Need to understand multiple services
• Applying the same security practices across multiple accounts
• Implementing the same RBAC structure across accounts
• Setting up multiple AWS accounts and users, and their access
• Setting up multiple VPCs across multiple accounts
• Following AWS best practices
AWS Landing Zone
• AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices.
Promises that AWS Landing Zone can fulfill
• Automated AWS multi-account setup
• Basic security guidelines
• Codified best practices (including updates directly from AWS); for example, automated CloudTrail setup and VPC/network design
• DevOps best practices: Infrastructure-as-Code with codified templates and continuous delivery, so that your own extensions can be rolled out globally
• High adaptability owing to the use of templates
• Modularity
• Single Sign-On and central management of access rights (optional)
Multi-account structure
AWS Organizations account
• The AWS Landing Zone is deployed into an AWS Organizations account. This account is used to manage configuration and access to AWS Landing Zone managed accounts. The AWS Organizations account provides the ability to create and financially manage member accounts. It contains the AWS Landing Zone configuration Amazon Simple Storage Service (Amazon S3) bucket and pipeline, account configuration StackSets, AWS Organizations Service Control Policies (SCPs), and AWS Single Sign-On (SSO) configuration.
Shared Services account
• The Shared Services account is a reference for creating infrastructure shared services such as directory services. By default, this account hosts AWS Managed Active Directory for AWS SSO integration in a shared Amazon Virtual Private Cloud (Amazon VPC) that can be automatically peered with new AWS accounts created with the Account Vending Machine (AVM).
Logging account
• The Logging account contains a central Amazon S3 bucket for storing copies of all AWS CloudTrail and AWS Config log files in an audit log account.
Security account
• The Security account creates auditor (read-only) and administrator (full-access) cross-account roles from the Security account into all AWS Landing Zone managed accounts. These roles are intended for use by a company's security and compliance team to audit accounts or to perform emergency security operations in case of an incident.
AVM
• The Account Vending Machine (AVM) is a key component of AWS Landing Zone. The AVM is provided as an AWS Service Catalog product, which allows customers to create new AWS accounts in Organizational Units (OUs), preconfigured with an account security baseline and a predefined network.
AVM
• AWS Landing Zone leverages AWS Service Catalog to grant administrators permissions to create and manage AWS Landing Zone products, and end users permissions to launch and manage AVM products.
• The AVM uses launch constraints to allow end users to create new accounts without requiring administrator permissions themselves.
• Optional products can be deployed using the AVM, such as the Centralized Logging component.
Account baseline
• A 'baseline' is provisioned in all accounts. In the default configuration, the baseline contains:
• CloudTrail setup (audit logs)
• AWS Config and a basic rule set ('Governance') used, for example, to send an alert if CloudTrail has been deactivated
• IAM policy for IAM users
• Cross-account access from the Security account
• An optional VPC according to specifications
• Notifications and alarms, for example when the root user logs in
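An added example (my own constructed code, not part of this deck or of the AWS Landing Zone solution) of why the SCPs held in the Organizations account matter alongside the baseline's "CloudTrail deactivated" alert: a toy evaluator for a guardrail SCP shows that a Deny statement blocks cloudtrail:StopLogging even for an identity whose own IAM policy allows it. The policy document and function names are assumptions for illustration; real SCP evaluation is done by AWS.

```python
"""Toy SCP evaluator (constructed example): models only the explicit-deny
rule of an Organizations Service Control Policy; AWS does the real evaluation."""
import fnmatch
import json

# Constructed guardrail SCP of the kind a landing zone attaches to member
# accounts: even an account administrator cannot switch off audit logging.
PROTECT_AUDIT_LOGS_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyCloudTrailTampering", "Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]},
    {"Sid": "DenyConfigTampering", "Effect": "Deny", "Resource": "*",
     "Action": ["config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel"]}
  ]
}
""")

def scp_denies(scp, action):
    """Return the Sid of the Deny statement that blocks `action`, or None."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):          # "Action" may be a bare string
            actions = [actions]
        # IAM action matching is case-insensitive and supports '*' wildcards.
        for pattern in actions:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return stmt.get("Sid", "<no Sid>")
    return None

def is_allowed(scp, action, identity_allows):
    """SCPs never grant: the call succeeds only if the identity policy
    allows it AND no SCP Deny matches it (an explicit deny always wins)."""
    return identity_allows and scp_denies(scp, action) is None

if __name__ == "__main__":
    for act in ("cloudtrail:StopLogging", "cloudtrail:DescribeTrails"):
        print(act, "->", scp_denies(PROTECT_AUDIT_LOGS_SCP, act) or "not blocked")
```

The Config rule in the baseline detects a trail that was switched off after the fact; the SCP prevents the StopLogging call from succeeding in the first place, so the two controls complement each other.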
Disadvantages of Landing Zone
• Landing Zone sets up a few resources by default that cost money. The most costly of them are:
• Active Directory Service
• AD Connector in the master account
• AWS Config Rules for each AWS account
• EC2 instance as Remote Desktop Gateway/jump host to connect to Active Directory
Landing Zone CloudFormation template
• https://s3.amazonaws.com/solutionsreference/aws-landing-zone/latest/awslanding-zone-initiation.template