Simplifying AWS environments with AWS Landing Zone and Control Tower
A lot has been spoken and written about the cloud and the advantages it offers. However, with all these benefits, there are some complexities that one needs to deal with; the major one is the separation of resources based on the use case.
In AWS, an account is the only logical boundary for permissions. An uncoupled account structure is necessary to achieve isolation of billing, resource limit, and authorization by limiting the blast radius. To tackle this situation of the accrescent number of workloads and clutter with increased complexity in managing and maintaining the environments, AWS came up with a solution known as Landing Zone (LZ). In Landing Zone, AWS combines the best practices to launch a multi-account architecture.
The initial version of multi-account deployment was not through a service but via an AWS version of IAC known as CloudFormation Templates (CF templates). As mentioned by AWS, this procedure required a certain level of expertise and was not to be taken up by a novice engineer. It required a certain level of understanding of AWS architecture and the organization’s needs.
Later, AWS also released another solution, Control Tower, which would take the hassle out of the equation and allow engineers to set up their LZ with relative ease. But the trade-off in this situation was less customizability. Although both the solutions aimed to resolve the same bottleneck, they had some differences in their approach. For the LZ, an organization can get in touch with an AWS engineer who can provide tailor-made CF templates at a certain cost or allow its own experienced engineers to work on them. On the other hand, the Control Tower will only provide you with the options present on the console, drastically dropping the complexity and customization level.
Let’s see what both have to offer in detail.
The idea behind the Control Tower is to reduce operational overhead and provide a dashboard for ease of configuring accounts. There are many prerequisites to be fulfilled for setting up an AVM. The Control Tower automates most of that but at the cost of customization. The number of accounts also changes as the Control Tower creates only three accounts in its initiating run. The three accounts are master, audit, and log archive, and the security baseline is configured on each account. Launching of new accounts is possible through the Control Tower dashboard itself. You can also onboard existing accounts to a Control Tower implementation. The Control Tower automatically configures the Security baseline and guardrails on the account and allows onboarding only when the account is compliant. Non-compliance of accounts is usually the result of the existing security practices, which might interfere with the new guardrails being implemented or inaccurate access provisioning.
AWS Landing Zone Architecture
It is crucial to launch the AWS-landing-zone-initiation CloudFormation template to deploy the LZ on your AWS account. The initiation template creates an AWS LZ configuration S3 bucket, configuration zip file (manifest file), code pipeline, and step functions. The default LZ implementation deploys an SSO with an AWS SSO directory and allows access management for users and groups to the AWS accounts. Deploying the AWS LZ will also deploy a security baseline to the core accounts and any new accounts created afterward.
AWS Landing Zone solution incorporates an initial security baseline that builds and implements a customized account security baseline for your organization. The initial security baseline includes the following settings:
- One CloudTrail trail is created in each account and configured to send logs to a centrally managed Amazon Simple Storage Service (Amazon S3) bucket in the log archive account.
- AWS config rules for monitoring MFA, root account login, security groups, EBS, RDS, S3, etc.
- Security notification architecture
- GaurdDuty findings…read more