LONDON
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Koen vd Biggelaar - Sr Mgr AWS Solutions Architecture
Mahmoud ElZayet - Solutions Builder
Tuesday 31st October 2017
Planning a Migration? Key Questions to Consider
- What are our key drivers?
- How do we configure our AWS environment?
- How do we develop a business case?
- What are best practices for Security and Compliance?
- What is our application portfolio?
- Which partners are we going to use?
- What types of migration will we use?
- How do we build a Cloud Operating Model?
What is an AWS Landing Zone?
- A baseline secure multi-account AWS environment configured based on best practices
- A starting point for your application migration journey
- An environment that allows for iteration & extension over time
What to Expect from the Session: Understand, Engage, Build, Operate
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Cloud Adoption Framework
Application Migration: Create Landing Zone -> Migrate Apps -> Operate & Optimise
Landing Zone Journey (diagram)
- Build the landing zone in steps: Start, Accounts, Network, Security, Identity & Access, Operational Automation, What's Next?
- Landing zone building blocks: Logging, Config, Imaging, Access, Identities, Federation
- Then Migrate, and Iterate
- Operate & Optimise domains: Direct Connect, Central Services, Service Catalog, Automation, End User Interaction
Current State: Typical Enterprise Situation
Lines of Business raise an Infrastructure Request to Central IT (Governance & Service Management), which handles Provisioning.
Characteristics:
- Lead times ~days to weeks
- Service catalogue of components
- Often process-heavy service management
Agility versus Control: How to choose?
- Central IT: "I need control, so I can protect our business"
- Business & Business IT: "We want agility, so we can innovate in our business"
Current State: Opportunity to Achieve Agility and Control
Lines of Business consume a Landing Zone; Central IT provides Landscape Management (Templates, Policy & Best Practices, Automation) and Monitors & Responds.
Opportunities:
- Lead times in minutes
- Service catalogue of landscapes
- Automated service management
Guiding Principles
Security
Landscapes & Automation
Cloud IT Consumers
Agenda: Start | Accounts | Network | Security | Identity & Access | Operational Automation | What's Next? (this section: Accounts)
Account Structure
- Don't overdo it on Day One
- Use separate accounts for:
  - Cost Allocation
  - Resource Management and Ownership
  - Security and Compliance Isolation (production / non-prod, logging)
Account Structure (diagram)
- Billing account
- Central Accounts: Security and Audit; Shared Services
- Application Accounts: Production Generic; Production Critical; Dev & Test; Business Apps, Analytics, IoT, Mobile, Digital Platforms (option: per AWS Region)
Initial Account Structure: Different Perspectives (diagram)
The same four account types (Billing Account, Security & Audit Account, Shared Services Account, Application Account(s)) seen from each account's point of view:
- Billing Account Structure: Consolidated Billing covers the Security & Audit, Shared Services and Application accounts
- Security & Audit Account Structure: Logs from the Billing, Shared Services and Application accounts are collected in the Security & Audit account
- Shared Services Account Structure: VPC Peering between the Shared Services account and the Application Account(s)
- Application Account Structure: Application Account(s) send Logs to the Security & Audit account and peer with the Shared Services account
Manage Multiple Accounts: CloudFormation StackSets (diagram)
A Stack Set in the Payer / Administrator Account holds one Template and deploys a Stack into each Target Account (A, B, C, D, E, ...) in each selected Region.
Manage Multiple Accounts: AWS Organizations (diagram)
The Stack Set looks up the accounts under the Organizations Root and its OUs and deploys to Account A, Account B and Account C.
Agenda: Start | Accounts | Network | Security | Identity & Access | Operational Automation | What's Next? (this section: Network)
Individual VPC Patterns
- Hybrid 2-tier (public and private)
- Internal-only
- Internet-only
- Hybrid 3-tier (Presentation/Application/Data)
References: AWS Quick Start: Scalable VPC; AWS Quick Start: PCI DSS
Multi-VPC: Multiple VPN/DX VIFs (diagram)
Connect applications running in multiple VPCs to your DC
- Leverage existing AWS Direct Connect to route traffic between VPCs
- Offers customers the ability to incorporate transitive routing
- Need to create more than 100 connections per VPC
Reference: AWS Answers: How do I connect multiple VPCs in a single AWS Region?
Multi-VPC: Partially Meshed VPC Peering (diagram)
- Can create multiple VPCs within the same or different region/account
- Do not require full connectivity between all of their VPCs
- Central shared services VPC
- Multiple VPCs that need access to shared resources but not to each other
- Require fewer than 100 peering connections per VPC
Reference: AWS Answers: How do I share a single VPN connection with multiple VPCs?
Transit VPC (diagram)
- Uses customer-managed EC2 VPN instances in a dedicated transit VPC with an IGW
- Implements a transit VPC
- Want more advanced connection types, such as inter-region connectivity, or multi-VPC connectivity to on-premises resources
Reference: AWS Answers: How do I build a global transit network on AWS?
Agenda: Start | Accounts | Network | Security | Identity & Access | Operational Automation | What's Next? (this section: Security)
Set Per-Account Security Baseline (diagram)
Configuration of the security baseline:
- Access Control: AWS Identity and Access Management (IAM); IAM password and other policies
- Auditing and Governance: AWS Config and AWS CloudTrail, centrally storing configuration changes
- Security Log Account: centrally store audit logs in an Amazon S3 bucket (security logs)
- Security Notifications: Amazon CloudWatch Alerts alert and send security notifications
Accounts in the diagram: Billing Account (AWS Organizations); Shared Services (Amazon VPC, AWS Directory Service, AWS Service Catalog); Application Accounts
References: AWS Labs Github: aws-config-rules; AWS Quick Start: quickstart-compliance-common (Github)
Build Compliance into your AWS accounts
- Implement the CIS Foundations Benchmark
- Use the UK-OFFICIAL compliance Quick Start
- Deploy the AWS Labs CIS Foundation Benchmark Checklist templates
References: AWS Labs Github: aws-security-benchmark; AWS Security Blog: Announcing Industry Best Practices for Securing AWS Resources; AWS Quick Start: UK-OFFICIAL
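An added Python example (not code from the deck or from AWS) of the per-account baseline and CIS Foundations checks described above: it evaluates a CloudTrail trail and the IAM account password policy. The input dicts are constructed to mimic the shapes returned by boto3's cloudtrail.describe_trails / get_trail_status and iam.get_account_password_policy, and the central bucket name is an assumed placeholder, so it runs without AWS access.

```python
"""Offline check of the per-account security baseline (CIS Foundations style).
Added example, not AWS code. Inputs are constructed dicts shaped like the
responses of cloudtrail.describe_trails / get_trail_status and
iam.get_account_password_policy, so nothing here needs AWS credentials."""

CENTRAL_LOG_BUCKET = "example-org-security-logs"  # assumed bucket in the security log account

def check_trail(trail, status):
    """Findings for one CloudTrail trail against the landing-zone baseline."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is disabled")
    if trail.get("S3BucketName") != CENTRAL_LOG_BUCKET:
        findings.append("trail does not deliver to the central security log bucket")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("trail is not integrated with CloudWatch Logs")
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    return findings

def check_password_policy(policy):
    """Findings for the IAM account password policy (CIS 1.5 - 1.11 style)."""
    findings = []
    for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireSymbols", "RequireNumbers"):
        if not policy.get(flag):
            findings.append(f"{flag} is off")
    if policy.get("MinimumPasswordLength", 0) < 14:
        findings.append("MinimumPasswordLength below 14")
    if policy.get("PasswordReusePrevention", 0) < 24:
        findings.append("PasswordReusePrevention below 24")
    if not 0 < policy.get("MaxPasswordAge", 0) <= 90:
        findings.append("MaxPasswordAge not set or above 90 days")
    return findings

# Constructed samples: a compliant trail and policy, and a trail that misses everything
GOOD_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
              "S3BucketName": CENTRAL_LOG_BUCKET,
              "CloudWatchLogsLogGroupArn": "arn:aws:logs:eu-west-1:111111111111:log-group:CloudTrail:*"}
BAD_TRAIL = {"Name": "local-trail", "IsMultiRegionTrail": False,
             "LogFileValidationEnabled": False, "S3BucketName": "some-app-bucket"}
GOOD_POLICY = {"MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
               "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
               "MaxPasswordAge": 90, "PasswordReusePrevention": 24}

if __name__ == "__main__":
    print("org-trail:", check_trail(GOOD_TRAIL, {"IsLogging": True}) or "baseline OK")
    print("local-trail:", check_trail(BAD_TRAIL, {"IsLogging": False}))
```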
Log everything centrally for analysis (diagram)
Sources: AWS CloudTrail, Amazon EC2 logs and VPC subnet Flow Logs. Logs land in Amazon S3 and Amazon CloudWatch, are transformed by AWS Lambda and searched in Amazon Elasticsearch Service.
Centralised logging makes it easy for security teams to consolidate AWS logs and analyze them to detect incidents.
You can do this by simply using:
- Amazon Elasticsearch Service
- CloudTrail logs
- VPC flow logs
- EC2 server logs
- AWS Config logs
References: AWS Answers: How can I implement a centralized logging solution on AWS?; What are the native AWS security-logging capabilities?
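The detection side of centralised logging, as an added Python example (not code from the deck or from AWS): a few CIS Foundations style alert rules, of the kind normally expressed as CloudWatch metric filters, applied to CloudTrail records. The sample records are constructed and abridged to the fields the rules read.

```python
"""CIS-style alert rules over centralised CloudTrail records. Added example,
not AWS code; the sample log below is constructed and abridged."""
import json

def alerts_for(event):
    """Names of the alert rules a single CloudTrail event matches."""
    alerts = []
    ident = event.get("userIdentity", {})
    # Root credentials used directly, not an AWS service acting on the account's behalf (CIS 3.3)
    if ident.get("type") == "Root" and "invokedBy" not in ident \
            and event.get("eventType") != "AwsServiceEvent":
        alerts.append("RootAccountUsage")
    # Successful console sign-in without MFA (CIS 3.2)
    if event.get("eventName") == "ConsoleLogin" \
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success" \
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alerts.append("ConsoleLoginWithoutMFA")
    # Unauthorized API calls (CIS 3.1)
    err = event.get("errorCode", "")
    if err == "AccessDenied" or err.endswith("UnauthorizedOperation"):
        alerts.append("UnauthorizedAPICall")
    # Changes to the audit trail itself (CIS 3.5)
    if event.get("eventSource") == "cloudtrail.amazonaws.com" \
            and event.get("eventName") in ("StopLogging", "DeleteTrail", "UpdateTrail"):
        alerts.append("CloudTrailConfigurationChange")
    return alerts

def scan(records):
    """Map eventID -> matched rules for every record that fires at least one rule."""
    hits = {}
    for record in records:
        matched = alerts_for(record)
        if matched:
            hits[record["eventID"]] = matched
    return hits

# Constructed, abridged CloudTrail log file
SAMPLE_LOG = json.loads("""{"Records": [
 {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventID": "e2", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
  "userIdentity": {"type": "Root"}, "eventType": "AwsApiCall"},
 {"eventID": "e3", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
  "userIdentity": {"type": "AssumedRole"}, "errorCode": "Client.UnauthorizedOperation"},
 {"eventID": "e4", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
]}""")["Records"]
```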
Choose how to start your compute: private images, or import your current ones
Configure your environment as you like: user administration; whitelisting and integrity; malware and IPS; vulnerability management; audit and logging; hardening and configuration
Options to create or import your own 'gold' images:
1. Import existing VMs to AWS
2. Procure partner AMI from AWS Marketplace
3. Create and save your own custom images
4. Bootstrapping a base AMI
Flow (diagram): Operating system -> AMI catalogue -> Launch instance (EC2) -> Configure instance -> Running instance -> Your instance
References: AWS Marketplace: CIS Hardened AMIs; AWS DevOps Blog: How to Create an AMI Builder with AWS CodeBuild and HashiCorp Packer
Agenda: Start | Accounts | Network | Security | Identity & Access | Operational Automation | What's Next? (this section: Identity & Access)
Identity and Access Management: Control access and segregate duties everywhere
- You get to control who can do what in your AWS environment, when and from where
- Fine-grained control of your AWS cloud with multi-factor authentication
- Integrate with your existing corporate directory and provide SSO to your customers. Support for SAML 2.0 (like your existing Active Directory) and OpenID-compatible Identity Providers (IdPs).
- You can use AWS managed policies, policies for typical job functions or customer-generated policies using the policy generator, and test them with the policy simulator
(diagram: AWS account owner)
Identity and Access Management: Identity Federation (diagram)
Identity and authentication take place against the Identity Store in the Corporate Data Center (AD Group, browser interface); the AD group is mapped to a specific IAM role with an access policy, which grants access to AWS.
Select an Identity Federation Option
- Cross-Account Roles with IAM
- Cross-Account Roles with AWS Directory Service
- SAML Federation
- Custom Identity Broker
Example: Cross-Account Roles with AWS Directory Service (diagram)
Users authenticate through AWS Directory Service in the Shared-services account and "switch role" into the Sub-accounts (Billing, Security, Application).
- Users and groups are managed in one account (Shared-services) using AWS Directory Service
- IAM roles in every account are used for fine-grained authorization
- Can be integrated with on-premises user directory for authentication
Reference: AWS Answers: How do I manage multiple AWS accounts for security purposes?
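An added Python example (not the deck's or AWS's code) of the policy documents the cross-account-role pattern above needs: the trust policy on the role in each sub-account, the permission that lets a Shared-services group assume those roles, and a review of an existing trust policy. The account IDs and role name are constructed placeholders.

```python
"""Policy documents for the cross-account-role pattern, plus a trust-policy
review. Added example, not AWS code; account IDs are constructed placeholders."""
import json

SHARED_SERVICES_ACCOUNT = "111111111111"  # placeholder: where users and groups live
SUB_ACCOUNTS = {"billing": "222222222222", "security": "333333333333", "app": "444444444444"}

def trust_policy(trusted_account, require_mfa=True):
    """Trust policy for a role in a sub-account: only principals of the trusted
    account may assume it, and by default only from an MFA-authenticated session."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole"}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def assume_role_policy(role_name, account_ids):
    """Permission policy for a group in the Shared-services account, listing
    exactly the sub-account roles its members may switch into."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": [f"arn:aws:iam::{acct}:role/{role_name}" for acct in account_ids]}]}

def trust_policy_findings(doc, allowed_accounts):
    """Flag wildcard principals, principals outside the allowed accounts, and
    AssumeRole statements that do not require MFA."""
    findings = []
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        for p in [principals] if isinstance(principals, str) else principals:
            # A principal may be an ARN or a bare account ID
            account = p.split(":")[4] if p.startswith("arn:") else p
            if p == "*":
                findings.append("wildcard principal may assume the role")
            elif account not in allowed_accounts:
                findings.append(f"principal from untrusted account: {p}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("MFA not required for role assumption")
    return findings

if __name__ == "__main__":
    print(json.dumps(trust_policy(SHARED_SERVICES_ACCOUNT), indent=2))
    print(json.dumps(assume_role_policy("OrgAdmin", SUB_ACCOUNTS.values()), indent=2))
```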
Agenda: Start | Accounts | Network | Security | Identity & Access | Operational Automation | What's Next? (this section: Operational Automation)
Agility and Control: AWS Service Catalog and Marketplace
Organizations want to Standardise, Control and Govern; Developers want Agility, Self-Service and Time to Market.
AWS Service Catalog allows organizations to create and manage catalogs of IT services and software on AWS.
Key Features:
- Tag Enforcement
- Share Portfolios
- Portfolio-level IAM access
- Version & re-use Products
- Denial of end-user access to underlying services
- API, CLI, Console
- Constraint CloudFormation Parameters
- AWS Marketplace to AWS Service Catalog copy
AWS Ops Automator
- Automation Framework
- Central Administration
- Multi-Account/Multi-Region
- Pre-built Actions
- Custom Actions (auto-retry, logging, concurrency, etc.)
Reference: AWS Answers: https://aws.amazon.com/answers/infrastructure-management/ops-automator/
EC2 Instance Scheduler (diagram)
A single CloudFormation scheduler stack deploys all solution components: a CloudWatch rule triggers the Scheduler Lambda function, which reads the scheduler configuration table and EC2 instance information, starts and stops tagged EC2 instances for one or more AWS accounts, records results in an instance state table, and writes CloudWatch Logs and Metrics. IAM cross-account roles control access to the AWS accounts.
Reference: AWS Answers: How do I automatically start and stop my Amazon EC2 instances?
What have we built so far? High-level Architecture (diagram)
Accounts: Stack Set Admin Account (Stack Sets), Billing Account, Security Account, Shared Services Account, CAM Sub-Account, Application Accounts
Components: CloudTrail, Config & IAM Baseline; Centralised Logging Analytics; Logging Buckets; VPC Flow & Instance Logs; Cost Optimization Monitor; Cross Account Manager; Stand-Alone Templates; Scalable VPC Quick Start; Ops Automator / Instance Scheduler
Agenda: Start | Accounts | Network | Security | Identity & Access | Operational Automation | What's Next? (this section: What's Next?)
Managing to the Portfolio Value (Provided Under NDA; *estimated numbers)

Portfolio Tier  | Requirements                                                                                            | Operations Model      | Approx. % Portfolio*
Differentiators | High rate of change & innovation; possibly business-critical, but not always                            | DevOps                | 15%
Table Stakes    | Business-critical, but low rate of change. Needs high availability, maximum reliability, and durable DR | Automated Efficiency  | 25%
Commodity       | COTS & commodity, minimal risk, low change, standard downtime & reliability requirements                | Automated Traditional | 60%

IT Spend Against Portfolio: 60% - 70% and 30% - 40%
Running Multi-Modal Migrations (diagram): Increasing Levels of Effort with Increasing Levels of Return
Three modes, increasing in maturity: Mass Migration; Re-platform / Refactor; Re-architect
Themes on the slide: Traditional Operations+; Automated Operations; Capex to Opex; Cloud Capable Applications; Cost Out; Value Automation; Nascent Services; Operational Transition; Facilities Closure; Consistent Operations; Cloud COE; Managed Services; Development and Operations; Serverless Compute; Continuous Integration; Disruptive Technology; Cloud Aware Applications; Maximum Efficiency; Advanced Architecture
Executing Multi-Modal Migrations (diagram): Sprints 1 to 7
- Program: Deploy Landing Zone; Extend, Integrate and Manage Landing Zone; Migration Business Case
- Brownfield: Discovery Prep, Discovery, Pipeline Generation, Migration Patterns Creation; then Re-Host, Re-Factor and Complex App (single sprint) migrations
- Greenfield: Discovery; Greenfield Migrations; Innovation
Key Take-Aways
- Configuring your AWS environment to match your operations and migration needs is a key step in your cloud journey
- Maximise automation, including cost optimization (e.g. resize instances, on-off schedules)
- Check aws.amazon.com/answers for guidance and packaged solutions that help you build your own Landing Zone
- Be agile for your migrations: not everything can be planned upfront
LONDON
Thank you!
Landing Zone Resources (1/3)
- Cost Optimization Monitor: https://aws.amazon.com/answers/account-management/cost-optimization-monitor/
- Scalable VPC Quick Start: https://docs.aws.amazon.com/quickstart/latest/vpc/
- PCI DSS Quick Start: https://aws.amazon.com/quickstart/architecture/accelerator-pci/
- How do I connect multiple VPCs in a single AWS Region?: https://aws.amazon.com/answers/networking/aws-single-region-multi-vpc-connectivity/
- How do I share a single VPN connection with multiple VPCs?: https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
- How do I build a global transit network on AWS?: https://aws.amazon.com/answers/networking/aws-global-transit-network/
- Microsoft Active Directory: https://aws.amazon.com/quickstart/architecture/active-directory-ds/
- How do I ensure I set up my AWS account securely?: https://aws.amazon.com/answers/security/aws-secure-account-setup/
- How do I set up AWS Identity and Access Management (IAM) for my organization?: https://aws.amazon.com/answers/security/aws-iam-in-practice/
Landing Zone Resources (2/3)
- Compliance Quick Start: https://github.com/aws-quickstart/quickstart-compliance-common
- CIS Security Benchmark: https://github.com/awslabs/aws-security-benchmark
- Security Blog: Announcing Industry Best Practices for Securing AWS Resources: https://aws.amazon.com/blogs/security/announcing-industry-best-practices-for-securing-aws-resources/
- UK-OFFICIAL Compliance Quick Start: https://aws.amazon.com/quickstart/architecture/accelerator-uk-official/
- How can I implement a centralized logging solution on AWS?: https://aws.amazon.com/answers/logging/centralized-logging/
- What are the native AWS security-logging capabilities?: https://aws.amazon.com/answers/logging/aws-native-security-logging-capabilities/
- CIS Hardened AMIs: https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed
- How to Create an AMI Builder with AWS CodeBuild and HashiCorp Packer: https://aws.amazon.com/blogs/devops/how-to-create-an-ami-builder-with-aws-codebuild-and-hashicorp-packer/
- How should I manage multiple AWS accounts for security purposes?: https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/
Landing Zone Resources (3/3)
- User Access Management Module: http://www.awslandingzone.com/modules/landing-zone-user-access.pptx
- How do I monitor the cross-region replication of my Amazon S3 objects?: https://aws.amazon.com/answers/infrastructure-management/crr-monitor/
- AWS Ops Automator: https://github.com/awslabs/aws-ops-automator
- DynamoDB Continuous Backup Utility: https://github.com/awslabs/dynamodb-continuous-backup
- How do I automatically start and stop my Amazon EC2 instances?: https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/
- How do I receive notifications as I approach AWS service limits?: https://aws.amazon.com/answers/account-management/limit-monitor/