Scribd Logo
Upload

Welcome to Scribd!

  • 110 views

    LandingZoneAccelerator FirstCallDeck

    Uploaded by

    Sheloq
    The Landing Zone Accelerator on AWS is an open-source software solution that accelerates the implementation of a customer's technical security controls and infrastructure foundation on AWS. It allows customers to build secure and compliant AWS environments in days instead of months or years so they can focus on innovation. The solution is installed directly from GitHub or delivered by AWS Professional Services and installs a multi-account environment with templates, configuration files, and tooling to establish security best practices.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    LandingZoneAccelerator FirstCallDeck

    Uploaded by

    Sheloq
    110 views23 pages
    The Landing Zone Accelerator on AWS is an open-source software solution that accelerates the implementation of a customer's technical security controls and infrastructure foundation on AWS. It allows customers to build secure and compliant AWS environments in days instead of months or years so they can focus on innovation. The solution is installed directly from GitHub or delivered by AWS Professional Services and installs a multi-account environment with templates, configuration files, and tooling to establish security best practices.

    Original Title

    LandingZoneAccelerator+FirstCallDeck

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The Landing Zone Accelerator on AWS is an open-source software solution that accelerates the implementation of a customer's technical security controls and infrastructure foundation on AWS. It allows customers to build secure and compliant AWS environments in days instead of months or years so they can focus on innovation. The solution is installed directly from GitHub or delivered by AWS Professional Services and installs a multi-account environment with templates, configuration files, and tooling to establish security best practices.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    110 views23 pages

    LandingZoneAccelerator FirstCallDeck

    Uploaded by

    Sheloq
    The Landing Zone Accelerator on AWS is an open-source software solution that accelerates the implementation of a customer's technical security controls and infrastructure foundation on AWS. It allows customers to build secure and compliant AWS environments in days instead of months or years so they can focus on innovation. The solution is installed directly from GitHub or delivered by AWS Professional Services and installs a multi-account environment with templates, configuration files, and tooling to establish security best practices.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 23

    Landing Zone Accelerator on AWS

    [First Name] [Last Name]


    [Title]

    November 2022

    © 2022, Amazon Web Services, Inc. or its Affiliates.


    Agenda

    • Security and Compliance Solutions


    • Landing Zone Accelerator on AWS Overview
    • Solution Highlights and Benefits
    • Features and Design
    • How to Get Started

    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Compliance requirements

    ü Personnel ü System management & monitoring


    ü Incident response ü Log management & monitoring
    ü Boundary protection ü Compute and storage
    ü Identity and access control ü Networking
    ü Disaster recovery ü Virtualization
    ü Configuration management ü Data center
    ü Highly available architecture

    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Customers need better visibility and security to
    optimize their next-gen cloud applications

    Increase operational efficiency for


    your cloud-based workloads and
    applications

    Improve visibility Enhance security


    posture
    professional
    services 4
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    AWS security, identity, and compliance solutions

    Identity & access Infrastructure Data Incident


    Detection Compliance
    management protection protection response

    AWS Identity & AWS Security Hub AWS Firewall Amazon Macie Amazon Detective AWS Artifact
    Access Management Manager
    (IAM) Amazon GuardDuty AWS Key Management CloudEndure DR AWS Audit Manager
    AWS Network Service (KMS)
    AWS Single Sign-On Amazon Inspector Firewall AWS Config Rules
    AWS CloudHSM
    AWS Organizations Amazon CloudWatch AWS Shield AWS Lambda
    AWS Certificate Manager
    AWS Directory AWS Config AWS WAF – Web
    Service application firewall AWS Secrets Manager
    AWS CloudTrail
    Amazon Cognito Amazon Virtual AWS VPN
    VPC Flow Logs
    Private Cloud (VPC) Server-Side Encryption
    AWS Resource Access
    AWS IoT Device
    Manager AWS PrivateLink
    Defender
    AWS Systems
    professional Manager 5
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Shared Responsibility Model

    Customer responsibility will be


    Security IN
    determined by the AWS Cloud
    the Cloud
    services that a customer selects

    AWS is responsible for


    Security OF protecting the infrastructure
    the Cloud that runs all of the services
    Customer
    offered in the AWS Cloud
    AWS

    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    The Landing Zone Accelerator on AWS
    is an open-source software solution
    that accelerates the implementation of
    a customer’s technical security controls
    and infrastructure foundation on AWS

    professional
    services 7
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Solution Highlights
    • Build secure and compliant AWS environments in days, instead of months or
    years.
    • Focus time and critical budgets on migration, transformation, and innovation.

    • Documentation helps demonstrate compliance requirements are met and


    shortens time to prepare for accreditation of their AWS environment.
    • Customers can install the Solution directly from GitHub or have it delivered by
    AWS Professional Services or Partners.
    • Customers can get technical assistance from AWS Support.

    professional
    services 8
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Landing Zone Accelerator Benefits

    Customer resources focus Accelerate environment


    on learning to ‘operate’ in setups in days, not weeks
    the cloud

    Leverages AWS expertise Innovate through open


    source model

    Enables customers on Establish a


    Flexibility to
    integrate with other day 1, day 10, and day N, compliant and
    management tools supporting them throughout improved security
    their AWS journey posture

    professional
    services 9
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Architecture

    Public
    Feature Requests / GitHub
    Issues project

    AWS Cloud

    AWS Cloud

    AWS Cloud

    Customers Configuration Files Landing Zone Accelerator


    (yaml) (CDK)
    Multi-account environment

    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Landing Zone Accelerator on AWS
    1
    Installation Template
    (AWS CloudFormation)

    Configuration Files
    (yaml)

    AWS CodePipeline

    AWS Cloud
    Development Kit

    Landing Zone
    Accelerator

    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Landing Zone Accelerator on AWS
    Root OU Security OU
    1 Management (Root) Account Log Archive Account

    Installation Template
    (AWS CloudFormation)

    AWS Control Tower AWS Organizations AWS Single Sign-On


    2 Amazon CloudWatch AWS CloudTrail AWS Config

    Centralized Logs
    Configuration Files Bucket
    (yaml)

    3 Audit / Security Tooling Account

    AWS CodePipeline

    AWS Cloud
    Development Kit

    Landing Zone
    Accelerator

    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Landing Zone Accelerator on AWS
    enable: true mandatoryAccounts:
    1 organizationalUnits: - name: Management
    - name: Security email: [email protected]
    - name: Infrastructure organizationalUnit: Root
    Installation Template - name: Dev isGovCloud: true
    (AWS CloudFormation) - name: Test - name: LogArchive
    - name: Prod email: [email protected]

    2 serviceControlPolicies: organizationalUnit: Security


    - name: Audit
    - name: AcceleratorGuardrails1
    email: [email protected]
    description: Accelerator GuardRails 1
    organizationalUnit: Security
    Configuration Files policy: service-control-policies/guardrails-1.json
    workloadAccounts:
    (yaml) type: customerManaged - name: SharedServices
    deploymentTargets: email: [email protected]
    organizationalUnits:
    3 - Infrastructure
    organizationalUnit: Infrastructure
    - name: Network
    taggingPolicies: email: [email protected]
    - name: TagPolicy organizationalUnit: Infrastructure
    AWS CodePipeline description: Organization Tagging Policy
    policy: tagging-policies/org-tag-policy.json
    deploymentTargets:
    4 organizationalUnits:
    - Root
    backupPolicies:
    - name: BackupPolicy
    AWS Cloud description: Organization Backup Policy
    Development Kit
    policy: backup-policies/org-backup-policies.json
    deploymentTargets:
    Landing Zone organizationalUnits:
    - Root
    Accelerator

    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Landing Zone Accelerator on AWS
    Root OU Security OU
    1 Management (Root) Account Log Archive Account

    Installation Template
    (AWS CloudFormation)

    AWS Control Tower AWS Organizations AWS Single Sign-On


    2 Amazon CloudWatch AWS CloudTrail AWS Config

    Infrastructure OU Centralized Logs


    Configuration Files Bucket
    (yaml) Network Account

    3 Audit / Security Tooling Account

    AWS CodePipeline

    4
    Shared Services Account
    AWS Cloud
    Development Kit Dev / Test / Prod OU (Workload Ous)

    Landing Zone Workload Account 1 … N

    Accelerator

    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Landing Zone Accelerator on AWS
    homeRegion: &HOME_REGION us-east-1 iamPasswordPolicy:
    allowUsersToChangePassword: true
    1 centralSecurityServices:
    delegatedAdminAccount: Audit hardExpiry: falserequireSymbols: true
    ebsDefaultVolumeEncryption: requireNumbers: true
    enable: true minimumPasswordLength: 14
    Installation Template passwordReusePrevention: 24
    excludeRegions: []
    (AWS CloudFormation) maxPasswordAge: 90
    s3PublicAccessBlock:
    enable: true awsConfig:
    2 excludeAccounts: []
    macie:
    enableConfigurationRecorder: true
    enableDeliveryChannel: true
    enable: true ruleSets:
    ... - deploymentTargets:
    Configuration Files organizationalUnits:
    (yaml) guardduty:
    enable: true - Root
    ... rules:
    3 securityHub: - name: accelerator-iam-user-group-membership-check
    complianceResourceTypes:
    enable: true
    regionAggregation: true - AWS::IAM::User
    excludeRegions: [] identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
    AWS CodePipeline
    standards: - name: accelerator-securityhub-enabled
    - name: AWS Foundational Security Best Practices v1.0.0 identifier: SECURITYHUB_ENABLED
    enable: true cloudWatch:
    4 controlsToDisable: metricSets:
    - regions:
    - IAM.1
    - EC2.10 - *HOME_REGION
    - Lambda.4 deploymentTargets:
    AWS Cloud organizationalUnits:
    Development Kit ssmAutomation:
    ... - Root
    accessAnalyzer: metrics:
    Landing Zone enable: true # CIS 1.1 – Avoid the use of the "root" account
    - filterName: RootAccountMetricFilter
    ...
    Accelerator logGroupName: aws-controltower/CloudTrailLogs
    filterPattern: '{$.userIdentity.type="Root”’
    metricNamespace: LogMetrics
    metricName: RootAccount
    professional
    services
    metricValue: "1"

    © 2022, Amazon Web Services, Inc. or its Affiliates.


    Landing Zone Accelerator on AWS
    Root OU Security OU
    1 Management (Root) Account Log Archive Account

    Installation Template
    (AWS CloudFormation)

    AWS Control Tower AWS Organizations AWS Single Sign-On


    2 Amazon CloudWatch AWS CloudTrail AWS Config

    Infrastructure OU Centralized Logs


    Configuration Files Bucket
    (yaml) Network Account

    3 Audit / Security Tooling Account

    AWS CodePipeline

    AWS Security AWS KMS


    4 Hub
    Amazon GuardDuty Amazon Macie
    Shared Services Account
    AWS Cloud
    Development Kit Dev / Test / Prod OU (Workload Ous)

    Landing Zone Workload Account 1 … N

    Accelerator

    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Landing Zone Accelerator on AWS
    homeRegion: &HOME_REGION us-east-1 vpcs:
    1 defaultVpc: - name: Network-Endpoints
    delete: true account: Network
    excludeAccounts: [] region: *HOME_REGION
    Installation Template transitGateways: cidrs:
    (AWS CloudFormation) - name: Network-Main - 10.1.0.0/22
    account: Network internetGateway: false
    2 region: *HOME_REGION
    shareTargets:
    enableDnsHostnames: true
    enableDnsSupport: true
    organizationalUnits: instanceTenancy: default
    - Infrastructure routeTables:
    Configuration Files
    asn: 65521 - name: Network-Endpoints-Tgw-A
    (yaml)
    dnsSupport: enable routes: []
    vpnEcmpSupport: enable ...
    3 defaultRouteTableAssociation: disable subnets:
    defaultRouteTablePropagation: disable - name: Network-Endpoints-A
    autoAcceptSharingAttachments: enable availabilityZone: a
    AWS CodePipeline routeTables: routeTable: Network-Endpoints-A
    - name: Network-Main-Core ipv4CidrBlock: 10.1.0.0/24
    routes: [] ...
    - name: Network-Main-Segregated transitGateway:
    4 routes: [] name: Network-Main
    - name: Network-Main-Shared account: Network
    routes: [] gatewayEndpoints:
    - name: Network-Main-Standalone defaultPolicy: Default
    AWS Cloud
    routes: [] endpoints:
    Development Kit
    - service: s3
    - service: dynamodb
    Landing Zone interfaceEndpoints:
    central: true
    Accelerator defaultPolicy: Default
    endpoints:
    - service: ec2
    - service: ec2messages
    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Landing Zone Accelerator on AWS
    Root OU Security OU
    1 Management (Root) Account Log Archive Account

    Installation Template
    (AWS CloudFormation)

    AWS Control Tower AWS Organizations AWS Single Sign-On


    2 Amazon CloudWatch AWS CloudTrail AWS Config

    Infrastructure OU Centralized Logs


    Configuration Files Bucket
    (yaml) Network Account

    3 Inspection VPC Endpoints VPC Audit / Security Tooling Account

    NGFW* Centralized
    AWS CodePipeline VPC Endpoints
    IDS/IPS*

    AWS Security AWS KMS


    4 AWS Transit Gateway
    Hub
    Amazon GuardDuty Amazon Macie
    Shared Services Account
    AWS Cloud
    Development Kit Dev / Test / Prod OU (Workload Ous)
    Shared Services VPC
    External Access VPC
    Landing Zone Bastions*
    Active Directory* Workload Account 1 … N

    Accelerator WSUS* / yum* Workload VPC 1 … N

    *For illustration only to demonstrate where these additional ACAS* / HBSS*


    capabilities and resources can be deployed
    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Features - Security

    AWS Control Tower AWS Organizations Amazon CloudWatch AWS Config AWS CloudTrail

    AWS Service Catalog AWS Systems Manager

    AWS Security Hub Amazon GuardDuty Amazon Inspector Amazon Macie AWS Firewall
    Manager

    AWS Resource AWS Key Management AWS Identity and Access AWS Network Firewall
    Access Manager Service (AWS KMS) Management (IAM)
    professional
    services 19
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Features - Networking

    Amazon Virtual Private Cloud Amazon Route 53


    (Amazon VPC)

    AWS Transit Gateway AWS Direct Connect

    professional
    services 20
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Features - Operations

    AWS Budgets AWS Cost & AWS Cost Explorer


    Usage Report

    AWS Tools AWS Cloud Development AWS CodePipeline AWS CodeCommit AWS CodeBuild
    and SDKs Kit (AWS CDK)

    AWS Managed AWS Professional AWS Support


    Services Services

    professional
    services 21
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    How to Get Started

    https://github.com/awslabs/landing-zone-accelerator-on-aws https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
    GitHub Repository AWS Solutions
    Implementation and Deployment Guide
    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.
    Thank you!

    professional
    services
    © 2022, Amazon Web Services, Inc. or its Affiliates.

    You might also like