AWS Landing Zone: a framework for defining and creating the foundation for AWS accounts through automation, with a baked-in security baseline, controls and governance, so that the resulting environment is organized, auditable, scalable and self-serviceable.
A set of best practices applied to an AWS account before migration, giving reliable infrastructure. The tenets of a LZ are:
- Automation-driven, versioned infrastructure, such as CI/CD pipelines and CloudFormation templates
- Multi-account AWS environment based on AWS best practices, limiting the blast radius
- Adaptable foundation with guardrails that act as safeguards when something goes wrong
- Set of architecture patterns, e.g. proxy access patterns
Building/designing LZ components:
- Accounts: multi-account strategy, as discussed
- Network: domains, Direct Connect, core services
- Security: centralized logging, configuration, images (AMI)
- IAM: access, identity, federation
- Cloud users: let users deploy accounts and services themselves via Service Catalog and automation (avoid manual steps), etc.
- Then migrate, iterate over the above steps, and operate and optimise.
Further breakdown:
What we need to design/think about when creating the components:
- Account Structure
* Centralized Logging
* Environment Isolation
* Billing Visibility
* Shared Services
* Limited Blast Radius
- Network Design
* VPC design: how many VPCs are needed
* Subnet design: divide into private/public subnets depending on requirements and which services are exposed; bastion hosts
* ACLs and security groups: properly defined access control lists to check ingress/egress traffic
* Logging and monitoring: enable CloudWatch/CloudTrail to check who did what; threat intel
- Security
* Amazon GuardDuty enabled
* Amazon CloudWatch for metrics and alarms
* AWS CloudTrail logs for audit
* VPC Flow logs enabled
* AMI Factory for approved and tested images
* AWS Config rules to track changes
- IAM
* SSO
* Least-privilege accounts
* Segregation of accounts
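The security baseline above (GuardDuty enabled, CloudTrail for audit, VPC Flow Logs on every VPC, AWS Config recording changes) is only useful if drift from it is detected. The following is an added example, not part of the original notes or any AWS tool: it evaluates a snapshot of account state, constructed inline here in the shape the corresponding boto3 describe calls return, against those controls and reports each gap as a finding.

```python
"""Landing Zone security-baseline drift check (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class AccountSnapshot:
    """Account state in the shape boto3 returns (fields are assumptions, see lead-in)."""
    guardduty_detectors: dict   # region -> get_detector() result, e.g. {"Status": "ENABLED"}
    trails: list                # cloudtrail describe_trails()["trailList"]
    vpc_ids: list               # VPC IDs present in the account
    flow_logs: list             # ec2 describe_flow_logs()["FlowLogs"]
    config_status: dict         # config describe_configuration_recorder_status()
    regions: list = field(default_factory=lambda: ["us-east-1", "eu-west-1"])


def check_baseline(snap):
    """Return a list of (control, finding) tuples; an empty list means compliant."""
    findings = []
    # GuardDuty must be enabled in every in-scope region
    for region in snap.regions:
        det = snap.guardduty_detectors.get(region)
        if not det or det.get("Status") != "ENABLED":
            findings.append(("GuardDuty", f"not enabled in {region}"))
    # Audit trail: at least one multi-region trail with log file validation on
    if not any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
               for t in snap.trails):
        findings.append(("CloudTrail", "no multi-region trail with log file validation"))
    # Every VPC needs an ACTIVE flow log attached to it
    covered = {f["ResourceId"] for f in snap.flow_logs if f.get("FlowLogStatus") == "ACTIVE"}
    for vpc in snap.vpc_ids:
        if vpc not in covered:
            findings.append(("VPC Flow Logs", f"{vpc} has no active flow log"))
    # AWS Config must have a recorder that is actually recording
    recorders = snap.config_status.get("ConfigurationRecordersStatus", [])
    if not any(r.get("recording") for r in recorders):
        findings.append(("AWS Config", "no configuration recorder is recording"))
    return findings


# Constructed sample: GuardDuty missing in one region, one VPC without flow logs,
# Config recorder stopped. Trail is compliant.
SAMPLE = AccountSnapshot(
    guardduty_detectors={"us-east-1": {"Status": "ENABLED"}},
    trails=[{"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}],
    vpc_ids=["vpc-0aaa", "vpc-0bbb"],
    flow_logs=[{"ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE"}],
    config_status={"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]},
)

if __name__ == "__main__":
    for control, finding in check_baseline(SAMPLE):
        print(f"[DRIFT] {control}: {finding}")
```

Running it against the constructed snapshot prints three drift lines (GuardDuty in eu-west-1, flow logs on vpc-0bbb, Config recorder); the real inputs would come from the describe calls named in the dataclass comments.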