Are you considering a multi-account structure in AWS but worried about the security and operational overhead? Then the AWS Landing Zone solution comes to the rescue. In this article we take a deeper dive into Buzzcloud's experience with the AWS Landing Zone solution.
Landing Zone is a pre-configured, secure, multi-account AWS environment based on AWS best practices. The solution saves customers time by automating the set-up of their environments across multiple AWS accounts. This is highly relevant for larger enterprise customers who need to automate account provisioning and still comply with strict security requirements.
The AWS Landing Zone solution includes an initial security baseline that serves as a starting point for establishing and implementing a customized account security baseline for your organization. Deploying the AWS Landing Zone solution applies this security baseline to all managed accounts by default.
The solution is deployed into the AWS Organizations master account. The master account is used to financially manage accounts, create new accounts, and manage the configuration of and access to the AWS Landing Zone managed accounts. It also hosts the landing zone resources themselves, such as the pipeline, the Step Functions state machines and the Account Vending Machine.
The solution leverages a number of AWS services such as:
- GuardDuty – a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.
- CloudTrail – logs, continuously monitors, and retains account activity related to actions across your AWS infrastructure.
- Config – continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
- Organizations – an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
- Service Control Policies – act as a filter that restricts which services and actions the users and roles in the accounts you attach the policy to can use. An SCP only restricts; it never grants permissions, so each account's IAM policies still have to allow an action before it works.
- Service Catalog – allows IT administrators to distribute catalogs of approved products to end users, who can then access the products they need in a personalized portal. The Account Vending Machine is published as a Service Catalog product, which makes creating new accounts easier.
- Account Baseline – a set of CloudFormation templates that are applied to every account by default.
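To make the "filter" behaviour of Service Control Policies concrete, the following is an added example written for this article (it is not code from the page or from the AWS Landing Zone solution). It evaluates a small hierarchy of SCPs the way AWS Organizations does: an explicit Deny wins, otherwise some Allow must match, and the action has to pass at every level from the root down to the account. The `PROTECT_BASELINE` guardrail policy, the account layout and the `effective_allow` helper are assumptions for the example; `FULL_AWS_ACCESS` is the default policy Organizations attaches everywhere.

```python
import fnmatch

# The default policy AWS Organizations attaches to every root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Hypothetical guardrail SCP (an assumption for this example, not a policy
# shipped by the Landing Zone): member accounts must not be able to switch off
# the GuardDuty, CloudTrail and Config baseline or leave the organization.
PROTECT_BASELINE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingSecurityBaseline",
            "Effect": "Deny",
            "Action": [
                "guardduty:DeleteDetector",
                "guardduty:DisassociateFromMasterAccount",
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyLeavingOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def level_permits(policies, action):
    """Evaluate every SCP attached at one level (root, OU or account).

    An explicit Deny matching the action wins outright; otherwise at least one
    Allow must match, because an SCP only filters what IAM could grant.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_permits(hierarchy, action):
    """The action must pass the SCPs at every level between the root and the
    account; `hierarchy` is the list of per-level policy lists, root first."""
    return all(level_permits(policies, action) for policies in hierarchy)


def effective_allow(hierarchy, iam_allows, action):
    """SCPs never grant anything: the caller succeeds only if the account's own
    IAM policies allow the action AND the SCP filter lets it through."""
    return iam_allows and scp_permits(hierarchy, action)


# Constructed hierarchy: root -> Applications OU (with the guardrail) -> account.
APPLICATIONS_ACCOUNT = [
    [FULL_AWS_ACCESS],                    # root
    [FULL_AWS_ACCESS, PROTECT_BASELINE],  # Applications OU
    [FULL_AWS_ACCESS],                    # the member account itself
]

if __name__ == "__main__":
    for action in ("guardduty:DeleteDetector", "guardduty:ListDetectors", "s3:GetObject"):
        print(f"{action:30} permitted by SCPs: {scp_permits(APPLICATIONS_ACCOUNT, action)}")
```

Two properties of the real service are worth noticing in the evaluator: detaching `FULL_AWS_ACCESS` from a level without replacing it with another Allow blocks every action at that level, and a Deny placed on the Applications OU cannot be undone by an Allow in the account's own SCPs or IAM policies.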
An initial CloudFormation template creates an AWS Landing Zone configuration S3 bucket, an AWS CodePipeline pipeline and AWS Step Functions state machines for implementing AWS Landing Zone configuration changes. The configuration bucket contains a manifest file that describes the AWS account structures and dependencies required to implement a customer's account baseline for new and existing accounts. The pipeline is triggered automatically whenever the configuration is updated.
Landing Zone creates two organizational units, a Core OU and a custom (Applications) OU. The Core OU consists of three accounts by default: Security, Shared Services and Log Archive.
Security Account
The Security account is designated as the master Amazon GuardDuty account, with the other accounts associated as GuardDuty members, so findings from all member accounts can be viewed centrally. This account also aggregates Config compliance results. Automated responses to findings can be implemented in this account using Lambda functions. It is strongly recommended that access to this account be restricted to authorized security and compliance personnel.
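As an added example of the automated actions mentioned above (written for this article, not code from the page or from the Landing Zone solution), here is a Lambda handler for the Security account that triages a GuardDuty finding delivered through CloudWatch Events/EventBridge and, for high-severity findings against an EC2 instance, moves the instance into a quarantine security group. The sample event, the severity thresholds, the quarantine group and the cross-account EC2 client it expects (obtained by assuming a role in the member account, which is outside this snippet) are all assumptions; with no client supplied the handler only returns its plan, which is how it runs offline.

```python
# Constructed sample event in the shape EventBridge/CloudWatch Events delivers
# for a GuardDuty finding; every identifier in it is made up.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111111111111",        # the Security (GuardDuty master) account
    "region": "eu-west-1",
    "detail": {
        "accountId": "222222222222",  # the member account the finding is about
        "severity": 8.0,
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0abc123def4567890"},
        },
    },
}

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
MEDIUM = 4.0
HIGH = 7.0


def triage(finding):
    """Decide what to do with one finding. Returns a plain dict so the decision
    can be logged and tested independently of any AWS call."""
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    if severity >= HIGH and resource.get("resourceType") == "Instance":
        return {
            "action": "isolate",
            "instance_id": resource["instanceDetails"]["instanceId"],
        }
    if severity >= MEDIUM:
        return {"action": "notify"}
    return {"action": "log"}


def handler(event, context=None, ec2=None, quarantine_sg_id=None):
    """Lambda entry point in the Security account.

    `ec2` is an EC2 client for the *member* account named in the finding
    (assumed to come from an assumed role there). With ec2=None the handler
    only returns its plan and performs no AWS call.
    """
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    plan = triage(finding)
    plan["account_id"] = finding.get("accountId")
    plan["finding_type"] = finding.get("type")
    plan["severity"] = float(finding.get("severity", 0))
    if plan["action"] == "isolate" and ec2 is not None and quarantine_sg_id:
        # Swap the instance's security groups for a quarantine group with no
        # rules: the host is cut off but kept intact for forensics.
        ec2.modify_instance_attribute(
            InstanceId=plan["instance_id"], Groups=[quarantine_sg_id]
        )
        plan["executed"] = True
    return plan


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Keeping the decision in `triage` separate from the side effect in `handler` is what makes the rule testable without touching AWS, and the `account_id` in the plan is what tells the Security account which member account role to assume before it acts.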
Shared Services Account
This account can be used to host shared services such as AWS Managed Microsoft AD for AWS SSO integration, or a log analytics and reporting stack such as Elasticsearch and Kibana.
Log Archive Account
This account only holds the central S3 bucket that stores logs for long-term retention. CloudTrail and Config in all accounts are configured to deliver their log files to this bucket by default. The bucket should have versioning enabled with the MFA-delete feature turned on (MFA delete requires versioning), and should only be accessed for security audits or compliance investigations.
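The following is an added example for this article (not code from the page or from the Landing Zone solution) showing what the central log bucket's policy needs to contain so that CloudTrail and Config in every member account can deliver to it while nobody can delete what was delivered, together with a small static check that flags the usual loosenings. The bucket name, the account IDs and the `strip_acl_condition` helper are assumptions made up for the example.

```python
import copy
import json

# Names below are assumptions made for this example, not values from the page.
LOG_BUCKET = "example-landing-zone-log-archive"
MEMBER_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]
LOG_SERVICES = ["cloudtrail.amazonaws.com", "config.amazonaws.com"]


def log_archive_bucket_policy(bucket, account_ids):
    """Bucket policy for the central log bucket in the Log Archive account.

    CloudTrail writes to AWSLogs/<account-id>/... and Config to
    AWSLogs/<account-id>/Config/..., so one object pattern per member
    account covers both services.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    log_objects = [f"{bucket_arn}/AWSLogs/{acct}/*" for acct in account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LogDeliveryAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": LOG_SERVICES},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {
                "Sid": "LogDeliveryWrite",
                "Effect": "Allow",
                "Principal": {"Service": LOG_SERVICES},
                "Action": "s3:PutObject",
                "Resource": log_objects,
                # Both services must hand object ownership to the archive account.
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                # No principal deletes evidence through the API; retention is
                # left to a lifecycle rule, which bucket policies do not govern.
                "Sid": "DenyDeletes",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
        ],
    }


def _actions(stmt):
    value = stmt["Action"]
    return [a.lower() for a in (value if isinstance(value, list) else [value])]


def policy_problems(policy):
    """Static review of a log-archive bucket policy. Returns the list of
    findings; an empty list means the policy passes every check."""
    problems = []
    statements = policy["Statement"]
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        actions = _actions(stmt)
        if stmt["Effect"] != "Allow":
            continue
        if stmt.get("Principal") == "*":
            problems.append(f"{sid}: Allow to any principal")
        if "s3:putobject" in actions:
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                problems.append(f"{sid}: PutObject without bucket-owner-full-control")
        if any(a == "s3:*" or a.startswith("s3:delete") for a in actions):
            problems.append(f"{sid}: Allow statement grants delete")
    if not any(s["Effect"] == "Deny" and "s3:deleteobject" in _actions(s) for s in statements):
        problems.append("no Deny statement covering s3:DeleteObject")
    return problems


def strip_acl_condition(policy):
    """Copy of the policy with the ACL condition dropped from the write
    statement, the kind of loosening the check above is meant to catch."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        if stmt.get("Sid") == "LogDeliveryWrite":
            stmt.pop("Condition", None)
    return weak


if __name__ == "__main__":
    policy = log_archive_bucket_policy(LOG_BUCKET, MEMBER_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("problems:", policy_problems(policy))
    print("after loosening:", policy_problems(strip_acl_condition(policy)))
```

MFA delete is not expressed in the bucket policy at all: it is a versioning setting that only the account's root user can switch on with a hardware or virtual MFA device, for example `aws s3api put-bucket-versioning --bucket <bucket> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "<mfa-device-arn> <code>"`. The `DenyDeletes` statement covers API deletes by everyone else; the two controls complement each other rather than replace one another.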
Pros
- Easy to create new accounts with the default baseline.
- Out-of-the-box secure multi-account environment.
- Aligned with AWS best practices.
- Continuously improved and maintained by AWS.
Cons
- Very difficult to troubleshoot if things go wrong. The implementation of the solution is quite complicated: thousands of lines of CloudFormation and Step Functions code.
- Requires expert knowledge; AWS recommends that the solution is deployed by their professional services or partners.
- The AWS Organizations master account hosts too many resources. The pipeline, Step Functions and account vending logic all run in the most privileged account in the organization, which best practice says should carry as few workloads as possible.
- Hard to adapt and implement if you have a legacy enterprise multi-account structure.
Overall, we see a well-implemented Landing Zone deployment as a great way for your development teams to focus more on innovation and development and less on setting up and managing a secure infrastructure.
As an Advanced Consulting Partner of AWS, Buzzcloud can help you deploy a well-architected Landing Zone solution. We have in-depth experience of evolving and adapting Landing Zone solutions to your specific needs. We are driven by increasing our customers' ability to innovate and reducing their time to market.