AWS Landing Zone - improving the creation and management of resources in the AWS account while maintaining a high level of security
AWS Landing Zone is one of many services for managing resources in the cloud. It was created to make use of the cloud's potential and to simplify the configuration of accounts in an organization.
Its functionality allows the environment to be configured more efficiently while following AWS Best Practices, without the need for a deep analysis of individual services, and it helps when making complicated design decisions. In practice, the service provides ready-made AWS accounts with a minimum security baseline (IAM) and allows you to create new accounts with a given configuration. The service has found application in the design of services where the organizational structure is multi-level.
TIP! At the end of this post you will find a link to the infographic.
AWS Landing Zone is:
- a secure environment configured according to AWS Best Practices
- the starting point for migrating the client's data/applications
- an environment that can be developed over time and adapted to changing technological needs.
It is a solution that provides a complete basis for starting work with cloud architecture: creating multiple accounts, identity and access management, data security and network design.
The undoubted advantages of using the service are:
- simplicity in implementation
- automation of the entire deployment process
- easy configuration to the user's needs
- security
The above advantages make it worth taking a closer look at its components. In the next part of this post we will discuss security, AWS Organizations and notifications.
Security
The “Security baseline” offered by Landing Zone is an ideal base that can be quickly and easily configured and adapted to the customer’s needs. It includes such AWS services as:
- AWS CloudTrail,
- AWS Config,
- AWS Config Rules,
- AWS Identity and Access Management,
- Cross-Account Access (access for multiple accounts)
- Amazon Virtual Private Cloud (VPC).
Their settings have been chosen so that when the new template is deployed in the account, the service automatically configures the account with the security features mentioned above.
AWS Organizations
AWS Organizations is a service that enables clients to create multiple AWS accounts and manage them jointly in a uniform and automated manner. Additionally, it makes it possible to group them into organizational units (OU), which in turn allows you to administer them as individual systems. Each of these accounts is configured with a minimum security baseline consistent with AWS Best Practices. AWS Landing Zone automatically creates 3 separate AWS accounts: SharedServices, Logging and Security.
- The SharedServices account is intended for shared infrastructure elements, e.g. directory services.
- The Logging account contains the central S3 bucket to which all logs from AWS CloudTrail and AWS Config are delivered.
- In turn, from the Security account you can create administrator and auditor roles with access to all accounts managed by the AWS Landing Zone service.
The diagram below perfectly illustrates the relationship between individual accounts.
The diagram of creating accounts in the AWS Landing Zone service.
Source: AWS Landing Zone
Notifications
AWS Landing Zone configures AWS CloudWatch alarms and events that send notifications about failed console logins, API authentication errors and changes within the account. Such changes may concern security groups, peering connections or the state of EC2 instances. The solution configures topics in the AWS SNS service on each account in the Organization. A Lambda function, subscribed automatically, forwards all notifications to the shared Amazon SNS topic in the AWS Organizations account. The functionality is designed so that local administrators can subscribe to and receive selected notifications on their account.
The diagram of notification activity in the AWS Landing Zone service
Source: AWS Landing Zone
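To make the notification categories above concrete, here is an added example (not the Landing Zone solution's own code) that classifies CloudTrail records into those categories the way a subscribed Lambda could before forwarding them to SNS; the sample records are constructed, and the event-name tables are my own approximation of the post's categories, not the solution's CloudWatch filter definitions.

```python
"""Classify CloudTrail records into the alert categories described above.
Added example for this post, not the Landing Zone solution's own code; the sample
records are constructed and the event tables approximate the post's categories."""
import json
SECURITY_GROUP_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "CreateSecurityGroup",
    "DeleteSecurityGroup"}
PEERING_EVENTS = {"CreateVpcPeeringConnection", "AcceptVpcPeeringConnection",
    "RejectVpcPeeringConnection", "DeleteVpcPeeringConnection"}
INSTANCE_STATE_EVENTS = {"RunInstances", "StartInstances", "StopInstances",
    "RebootInstances", "TerminateInstances"}
AUTH_ERROR_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
CATEGORIES = [(SECURITY_GROUP_EVENTS, "security_group_change"),
              (PEERING_EVENTS, "vpc_peering_change"),
              (INSTANCE_STATE_EVENTS, "ec2_instance_state_change")]

def classify(record):
    """Return the alert category for one CloudTrail record, or None if benign."""
    name = record.get("eventName", "")
    if name == "ConsoleLogin":
        # A failed console sign-in is reported in responseElements, not in errorCode
        outcome = (record.get("responseElements") or {}).get("ConsoleLogin")
        return "console_login_failure" if outcome == "Failure" else None
    if record.get("errorCode") in AUTH_ERROR_CODES:
        return "api_auth_error"
    return next((cat for names, cat in CATEGORIES if name in names), None)

def alerts_from_log(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into SNS-ready alerts."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        category = classify(rec)
        if category:
            alerts.append({"category": category, "eventName": rec.get("eventName"),
                           "account": rec.get("recipientAccountId"),
                           "principal": (rec.get("userIdentity") or {}).get("arn"),
                           "time": rec.get("eventTime")})
    return alerts

# Constructed sample log: failed login, denied API call, SG change, benign read-only call
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2018-03-01T10:00:00Z", "eventName": "ConsoleLogin",
     "recipientAccountId": "111111111111", "responseElements": {"ConsoleLogin": "Failure"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2018-03-01T10:01:00Z", "eventName": "CreateUser", "errorCode": "AccessDenied",
     "recipientAccountId": "111111111111", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2018-03-01T10:02:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "recipientAccountId": "111111111111", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2018-03-01T10:03:00Z", "eventName": "DescribeInstances",
     "recipientAccountId": "111111111111", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}}]})
```

Running alerts_from_log(SAMPLE_LOG) yields three alerts and ignores the read-only DescribeInstances call, which is the behaviour a local administrator subscribing to the account's topic would expect.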
Additional components
Other, equally important elements of the AWS Landing Zone service include:
- Account Vending Machine (AVM), which is delivered as an AWS product that allows customers to create new accounts in organizational units (OU).
- User Access, ensuring the lowest level of permissions (least privilege) – individual access to the account is the basic element of AWS account management.
Building a Landing Zone
The first step should be to familiarize yourself with the AWS CloudFormation templates.
For this purpose AWS has prepared two templates: the first creates IAM user groups and roles, and the second deploys all related components of the Landing Zone solution.
The entire solution is shown in the diagram below:
The CloudFormation implementation diagram in the AWS Landing Zone service.
Source: AWS Landing Zone, AWS Implementation Guide, Lalit Grover, March 2018.
ATTENTION! This solution is intended for AWS customers who do not yet have configured and deployed accounts in AWS.
To start the Landing Zone creation process, you must create an AWS account with an email address that has not been used before. Then the limit on the number of accounts in the AWS Organizations service should be increased to 10.
Proper implementation is carried out in three steps:
- creation of IAM resources,
- creation and configuration of other resources,
- update of the parameters of centralized logging.
The entire procedure is based on the AWS CloudFormation stacks and is fully automated.
Here are the steps to implement/deploy:
Creation of IAM resources
- Log into the AWS console, select the AWS CloudFormation service, and then the aws-landing-zone-iam-assets template. You can also download it for your own implementation.
- The template is launched by default in US East (N. Virginia) – change your target region in the region bar.
- On the Detail page, enter the stack's name.
- Verify the parameters and make any changes required.
- Then click Next.
- In Options also click Next.
- On the summary page, it's a good idea to check your settings carefully. Remember to check the confirmation box, because the template creates Identity and Access Management (IAM) resources.
- Then click Create to deploy the stack.
The whole process should take no longer than 5 minutes, after which the CREATE_COMPLETE status should appear.
Creation and configuration of other resources
ATTENTION! Before taking any further steps, make sure that the IAM resources template has been deployed. In this step, the Landing Zone itself is created.
- Log into the AWS console, select the AWS CloudFormation service, and then the aws-landing-initiation template. You can also download it for your own implementation.
- The template is launched by default in US East (N. Virginia) – change your target region in the region bar.
ATTENTION! The aws-landing-initiation template is available only in specific regions; check its availability in your region. The template is also available in Europe.
- On the Detail page, enter the stack's name.
- Verify the parameters and make any changes required – the parameters have default settings.
- Then click Next.
- In Options also click Next.
- On the summary page, it's a good idea to check your settings carefully. Remember to check the box confirming consent to create IAM resources, because the template creates Identity and Access Management (IAM) resources.
- Then click Create to deploy the stack.
The whole process should take no longer than 5 minutes, after which the CREATE_COMPLETE status should appear. The status can be verified in the AWS CloudFormation console.
Update of the parameters of centralized logging
After deploying the AWS CloudFormation templates, you must manually update the Elasticsearch Endpoint and Master Account Role parameters.
- Configure access so that you can switch freely between the Primary account and the SharedServices account
- The SharedServices account identifier can be found on the Outputs tab of the initialized template
- Use AWSCloudFormationStackSetExecutionRole for the role
- In the AWS Management Console, go to the CloudFormation console and then Stack
- Select the main StackSet template from “(SO0009) – AWS Centralized Logging Solution” in the description
- Select the Output tab and copy the values for the DomainEndpoint and MasterRole keys
- Switch to the Main Account (i.e. the one with the username)
- Go to the CloudFormation console and then to StackSet
- Choose the spoke template
- Update the values of the Elasticsearch Endpoint and Master Account Role parameters with the values copied from the Output tab earlier
- To update, select Stack management and select Edit stack
- Choose Next and then the option of the current template
- Choose Next and update two parameters
- Choose Next
- On the summary page, it's a good idea to check your settings carefully. Be sure to check the confirmation box, because the template creates Identity and Access Management (IAM) resources.
- Then click Create to deploy the stack.
The whole process should take no longer than 5 minutes, after which the CREATE_COMPLETE status should appear. The status can be verified in the AWS CloudFormation console.
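The same three steps can be driven through the CloudFormation API instead of the console; the following is an added example (not AWS's own deployment script, and not code from this post) that shows the API equivalent of the IAM "confirmation box" and of copying the two hub outputs into the spoke stack. Assumed and labelled as such: the template URLs and the two spoke-stack parameter keys are placeholders to be taken from the real templates, and boto3 is imported only inside the AWS-calling code so the pure helpers run without credentials.

```python
"""The three deployment steps above driven through the CloudFormation API.
Added example, not AWS's own deployment script. Assumptions: the template URLs and
the two spoke-stack parameter keys are placeholders to be taken from the real
templates; boto3 is imported only inside the AWS-calling code so the pure
helpers below run without credentials."""

# The console's "confirmation box" for IAM resources is this capability in the API;
# without it create_stack/update_stack fail with InsufficientCapabilitiesException.
IAM_CAPABILITIES = ["CAPABILITY_NAMED_IAM"]
ENDPOINT_KEY = "ElasticsearchEndpoint"   # placeholder parameter key (assumption)
MASTER_ROLE_KEY = "MasterAccountRole"    # placeholder parameter key (assumption)

def outputs_to_dict(outputs):
    """Turn a stack's Outputs list ([{OutputKey, OutputValue}, ...]) into a dict."""
    return {o["OutputKey"]: o["OutputValue"] for o in outputs}

def build_update_parameters(existing_keys, endpoint, master_role):
    """Parameter list for update_stack that sets the two copied values and keeps
    every other parameter as-is. Leaving a key out would reset it to the template
    default, so each untouched key is passed with UsePreviousValue=True."""
    params = [{"ParameterKey": ENDPOINT_KEY, "ParameterValue": endpoint},
              {"ParameterKey": MASTER_ROLE_KEY, "ParameterValue": master_role}]
    params += [{"ParameterKey": k, "UsePreviousValue": True}
               for k in existing_keys if k not in (ENDPOINT_KEY, MASTER_ROLE_KEY)]
    return params

def create_and_wait(cfn, stack_name, template_url):
    """Steps 1 and 2: launch one template and block until CREATE_COMPLETE."""
    cfn.create_stack(StackName=stack_name, TemplateURL=template_url,
                     Capabilities=IAM_CAPABILITIES)
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)

def update_spoke_logging(hub_cfn, spoke_cfn, hub_stack, spoke_stack):
    """Step 3: read DomainEndpoint and MasterRole from the hub stack in the
    SharedServices account and write them into the spoke stack's parameters."""
    hub = hub_cfn.describe_stacks(StackName=hub_stack)["Stacks"][0]
    values = outputs_to_dict(hub.get("Outputs", []))
    spoke = spoke_cfn.describe_stacks(StackName=spoke_stack)["Stacks"][0]
    keys = [p["ParameterKey"] for p in spoke.get("Parameters", [])]
    spoke_cfn.update_stack(
        StackName=spoke_stack, UsePreviousTemplate=True, Capabilities=IAM_CAPABILITIES,
        Parameters=build_update_parameters(keys, values["DomainEndpoint"], values["MasterRole"]))
    spoke_cfn.get_waiter("stack_update_complete").wait(StackName=spoke_stack)

if __name__ == "__main__":
    import boto3  # imported here so the helpers above are usable offline
    cfn = boto3.client("cloudformation", region_name="us-east-1")
    create_and_wait(cfn, "landing-zone-iam", "https://example.invalid/aws-landing-zone-iam-assets.template")
    create_and_wait(cfn, "landing-zone-init", "https://example.invalid/aws-landing-initiation.template")
```

Step 3 needs two clients because the hub stack lives in the SharedServices account and the spoke stack in the main account, so update_spoke_logging takes separate hub and spoke clients rather than being called from the main block.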
To sum up, AWS Landing Zone is a service that allows you to quickly and easily create an organizational network of accounts in the AWS environment. Thanks to the default settings attached to the AWS CloudFormation templates, the user's data is properly secured from the very beginning of the process.
Here you can download the infographic about AWS Landing Zone.