aws control tower v2/jp_security · 2019-02-25


© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Mark Ryland, Director, Office of the CISO, AWS Security

AWS Control Tower


Lock AWS account credentials (“Root Account”)

Enable AWS CloudTrail, Amazon GuardDuty

Define …

Federate …

Establish Infosec …

Identify …
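The first two items above are checkable rather than aspirational. The following is an added example (not part of the original deck) that reads an IAM credential report, the CSV that `aws iam get-credential-report` returns after base64 decoding, and reports whether the root account still has MFA disabled, active access keys, or recent password use. The sample report embedded below is constructed for the demonstration; the column layout is the real one.

```python
"""Check the root-account row of an IAM credential report for the controls
behind "Lock AWS Account Credential (Root Account)".

Added example, not from the original deck. The CSV layout is the one the
IAM credential report uses; the report content below is constructed.
"""
import csv
import io
from typing import List

# Constructed sample in the real credential-report column layout.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2018-01-10T09:00:00+00:00,not_supported,2019-02-20T11:15:00+00:00,not_supported,not_supported,false,true,2018-01-10T09:05:00+00:00,2019-02-19T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2018-03-01T10:00:00+00:00,true,2019-02-24T17:30:00+00:00,2019-01-15T10:00:00+00:00,2019-04-15T10:00:00+00:00,true,true,2019-01-15T10:00:00+00:00,2019-02-24T17:30:00+00:00,ap-northeast-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def root_findings(report_csv: str) -> List[str]:
    """Return root-account findings; an empty list means root is locked down."""
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        return ["root account row missing from credential report"]

    findings = []
    if root["mfa_active"] != "true":
        findings.append("root MFA is not enabled")
    for key in ("access_key_1_active", "access_key_2_active"):
        if root[key] == "true":
            findings.append(f"root {key.replace('_active', '')} exists and is active")
    # Any recorded root sign-in deserves a look: day-to-day work should use
    # federated or IAM identities, so root use is an exception event.
    if root["password_last_used"] not in ("N/A", "no_information", "not_supported"):
        findings.append(f"root password last used {root['password_last_used']}")
    return findings


if __name__ == "__main__":
    for finding in root_findings(SAMPLE_REPORT):
        print("FINDING:", finding)
```

Run it against a real report by piping the decoded CSV into `root_findings`; the same check belongs in the account baseline so every vended account is verified, not just the one you happen to be looking at.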

AWS Services in Your VPC

VPC Endpoints for Amazon S3

DNS in-VPC with Amazon Route 53

Logging VPC Traffic with VPC Flow Logs
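Flow Logs are only useful if something reads them. As an added example (not from the original deck), the script below parses default-format (version 2) VPC Flow Log records and applies two detections a central security account would run: accepted SSH/RDP connections from outside RFC 1918 space, and sources whose rejected flows touch many distinct destination/port pairs (scanning). The log records, the private-range definition and the scan threshold are constructed assumptions for the demonstration.

```python
"""Parse default-format VPC Flow Log records and flag external admin access
and probable port scans.

Added example, not from the original deck. Records are constructed; the
private ranges and SCAN_THRESHOLD are assumptions for the demonstration.
"""
import ipaddress
from typing import Dict, List

# Default (version 2) record layout.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

ADMIN_PORTS = {22, 3389}
PRIVATE_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_THRESHOLD = 3  # assumed: distinct (dst, port) rejects per source before we call it a scan

# Constructed sample records as delivered to CloudWatch Logs or S3.
SAMPLE_LOG = """\
2 111111111111 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.40 49152 443 6 12 3400 1551085200 1551085260 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.2.40 51234 22 6 8 920 1551085200 1551085260 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.2.40 40001 23 6 1 60 1551085200 1551085260 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.2.40 40002 445 6 1 60 1551085200 1551085260 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.2.41 40003 3389 6 1 60 1551085200 1551085260 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f60718 - - - - - - - 1551085260 1551085320 - NODATA
2 111111111111 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.40 49153 3389 6 5 700 1551085260 1551085320 ACCEPT OK
"""


def parse(log_text: str) -> List[Dict[str, str]]:
    """Split each line into the 14 default fields; drop NODATA/SKIPDATA records."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue  # NODATA / SKIPDATA carry no addresses
        records.append(rec)
    return records


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def external_admin_access(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """ACCEPTed flows to SSH/RDP whose source is outside RFC 1918 space."""
    return [r for r in records
            if r["action"] == "ACCEPT"
            and int(r["dstport"]) in ADMIN_PORTS
            and not is_private(r["srcaddr"])]


def scanning_sources(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Sources whose REJECTs hit at least SCAN_THRESHOLD distinct (dst, port) pairs."""
    targets: Dict[str, set] = {}
    for r in records:
        if r["action"] == "REJECT":
            targets.setdefault(r["srcaddr"], set()).add((r["dstaddr"], r["dstport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= SCAN_THRESHOLD}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for r in external_admin_access(recs):
        print(f"external admin access: {r['srcaddr']} -> {r['dstaddr']}:{r['dstport']}")
    for src, n in scanning_sources(recs).items():
        print(f"possible scan: {src} rejected on {n} distinct targets")
```

If you use a custom flow log format, the field list must match the `log-format` you configured; the parser above deliberately skips lines that do not have exactly 14 fields rather than guessing.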

[Diagram: multi-account structure under AWS Organizations, with network paths (solid and optional) and log flows between accounts and the data center]

Core Accounts
• Orgs: Account management
• Log Archive: Security logs
• Security: Security tools, AWS Config rules
• Shared services: Directory, limit monitoring
• Network: Direct Connect

Team/Group Accounts
• Dev: Development
• Pre-Prod: Staging
• Prod: Production
• Team SS: Team Shared Services, Data Lake

Developer Accounts
• Dev Sandbox: Experiments, Learning

[Slide text not recoverable; mentions AWS Organizations, AWS Service Catalog and AWS Config]

“Landing Zone”

[Bullet text not recoverable]

The AWS Landing Zone

[Slide text not recoverable]

AWS Landing Zone

• An account vending machine
• AWS Single Sign-On
• Amazon GuardDuty
• Landing Zone

[Remaining bullet text not recoverable]

AWS Landing Zone architecture

Deployment: Amazon S3 bucket (manifest file) → AWS CodePipeline → AWS Service Catalog; AWS SSO and AWS Organizations provide access and account structure.

Core OU, each account with the Account Baseline applied:

• Organizations Account: Account Provisioning, Account Access (SSO), Parameter Store
• Shared Services Account: Active Directory, Log Analytics, Network Baseline
• Log Archive Account: Security Logs (aggregate CloudTrail and Config logs)
• Security Account: Audit / Break-glass, Security Cross-Account Roles, Security Notifications, Amazon GuardDuty Master

AWS Landing Zone architecture (add-ons)

Same pipeline and Core OU layout, with the add-on components:

• Organizations Account: Directory Connector, Parameter Store
• Shared Services Account: AWS Microsoft AD, Centralized Logging Solution
• Security Account: Amazon GuardDuty Master
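The Log Archive account only earns its name if someone reads the aggregated CloudTrail. The following added example (not part of the deck or the Landing Zone solution) runs two detections a Security account would want over a CloudTrail log file delivered to the central bucket: any use of root credentials, and any call that stops or alters a trail, including denied attempts, since a blocked `DeleteTrail` is itself a signal. The log file, account IDs and trail names are constructed; the record layout follows CloudTrail's `{"Records": [...]}` format.

```python
"""Detections over CloudTrail records aggregated into the Log Archive
account: root-credential use and trail tampering.

Added example, not from the original deck. Records are constructed in the
CloudTrail log-file format; accounts, IPs and names are made up.
"""
import json
from typing import Dict, List

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample log file as CloudTrail would deliver it to the central bucket.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2019-02-25T01:12:09Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "Root", "principalId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:root", "accountId": "222222222222"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"},
     "recipientAccountId": "222222222222"},
    {"eventVersion": "1.05", "eventTime": "2019-02-25T01:15:44Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "Root", "principalId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:root", "accountId": "222222222222"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:222222222222:trail/landing-zone-trail"},
     "recipientAccountId": "222222222222"},
    {"eventVersion": "1.05", "eventTime": "2019-02-25T02:03:10Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "ap-northeast-1", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice",
                      "arn": "arn:aws:sts::333333333333:assumed-role/Developer/alice",
                      "accountId": "333333333333"},
     "recipientAccountId": "333333333333"},
    {"eventVersion": "1.05", "eventTime": "2019-02-25T02:10:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "awsRegion": "ap-northeast-1", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice",
                      "arn": "arn:aws:sts::333333333333:assumed-role/Developer/alice",
                      "accountId": "333333333333"},
     "requestParameters": {"name": "landing-zone-trail"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: cloudtrail:DeleteTrail",
     "recipientAccountId": "333333333333"},
]})


def load_records(log_file: str) -> List[Dict]:
    return json.loads(log_file)["Records"]


def root_activity(records: List[Dict]) -> List[Dict]:
    """Every API call or console login made with root credentials."""
    return [r for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def trail_tampering(records: List[Dict]) -> List[Dict]:
    """Calls that stop or alter a trail, successful or denied (denied attempts matter too)."""
    return [r for r in records
            if r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in TRAIL_TAMPERING]


def summarize(r: Dict) -> str:
    who = r["userIdentity"].get("arn", r["userIdentity"].get("type"))
    outcome = r.get("errorCode", "Success")
    return f"{r['eventTime']} {r['recipientAccountId']} {r['eventName']} by {who} [{outcome}]"


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    for r in root_activity(recs):
        print("ROOT:", summarize(r))
    for r in trail_tampering(recs):
        print("TRAIL:", summarize(r))
```

Because the member account's own trail can be stopped by anyone with `cloudtrail:StopLogging` there, the organization-level trail and the Log Archive bucket must be owned by accounts the member cannot touch; the SCP example further down shows the matching preventive guardrail.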

Account Vending Machine

Account Vending Machine (AWS Service Catalog)

• Account creation factory
• User interface to create new accounts
• Account baseline versioning
• Launch constraints

Steps when vending a new AWS account:

• Creates/updates the AWS account (via AWS Organizations)
• Apply account baseline stack sets
• Create network baseline
• Apply account security control policy

[Diagram participants: Account Vending Machine, AWS Organizations, Security, Log Archive, Shared Services, new AWS account]
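The last step, "apply account security control policy", is an AWS Organizations service control policy (SCP) attached to the vended account. An SCP never grants anything; it caps what IAM in that account can grant, so a good one protects the landing zone's own controls: leaving the organization, stopping CloudTrail, disabling Config or GuardDuty, and using unapproved regions. The following is an added example (not the Landing Zone's own policy or code): an illustrative SCP of that kind, plus a small evaluator that answers "would this SCP deny action X in region Y?" so the guardrail can be unit-tested before it is attached. The policy content, the approved regions and the evaluator's reduced semantics (Deny statements with Action/NotAction and StringEquals/StringNotEquals only) are assumptions for the demonstration.

```python
"""Illustrative SCP guardrail for vended accounts and a minimal evaluator.

Added example, not from the original deck. The SCP content and approved
regions are assumptions; the evaluator covers only Deny statements with
Action/NotAction and StringEquals/StringNotEquals conditions, which is all
this policy uses (real IAM evaluation is richer).
"""
import fnmatch
import json
from typing import Dict, List, Optional

# Illustrative SCP (assumed), in the document format AWS Organizations accepts.
GUARDRAIL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyLeavingOrg", "Effect": "Deny",
     "Action": ["organizations:LeaveOrganization"], "Resource": "*"},
    {"Sid": "ProtectAuditTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
     "Resource": "*"},
    {"Sid": "ProtectDetectiveControls", "Effect": "Deny",
     "Action": ["config:Delete*", "config:Stop*",
                "guardduty:Delete*", "guardduty:Disassociate*", "guardduty:UpdateDetector"],
     "Resource": "*"},
    {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
     "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*", "cloudfront:*", "route53:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-northeast-1", "us-east-1"]}}}
  ]
}
""")


def _as_list(v) -> List[str]:
    return v if isinstance(v, list) else [v]


def _action_matches(patterns: List[str], action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(cond: Dict, ctx: Dict[str, str]) -> bool:
    """Evaluate the two string operators this policy uses; anything else is treated as not matching."""
    for op, kv in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            return False
        for key, expected in kv.items():
            actual = ctx.get(key)
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def denied_by(scp: Dict, action: str, ctx: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the Sids of Deny statements that match this action in this request context."""
    ctx = ctx or {}
    sids = []
    for st in scp["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if "Action" in st:
            hit = _action_matches(_as_list(st["Action"]), action)
        else:  # NotAction: everything except the listed actions
            hit = not _action_matches(_as_list(st["NotAction"]), action)
        if hit and _condition_holds(st.get("Condition", {}), ctx):
            sids.append(st["Sid"])
    return sids


if __name__ == "__main__":
    cases = [("cloudtrail:StopLogging", "ap-northeast-1"),
             ("ec2:RunInstances", "eu-west-1"),
             ("ec2:RunInstances", "ap-northeast-1"),
             ("iam:CreateUser", "eu-west-1")]
    for action, region in cases:
        verdict = denied_by(GUARDRAIL_SCP, action, {"aws:RequestedRegion": region})
        print(f"{action} in {region} -> {verdict or 'not blocked by SCP'}")
```

Two caveats a practitioner will want: SCPs do not apply to the management (Organizations) account, so that account needs the root-credential lockdown from earlier rather than an SCP; and the global-service exemptions in `NotAction` are exactly the list an attacker will look at, so keep it short and review it with each change.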

The AWS Landing Zone Pipeline

Stages: Source → Validate/Build/Test → Deploy Core Account Structure → Deploy Core Resources → Deploy Service Catalog Portfolio/Products → Deploy Baseline Resources → Launch AVM for Core accounts

• Source: AWS Landing Zone zip file (AWS CloudFormation templates and manifest file) in an Amazon S3 bucket
• Validate/Build/Test: AWS CodeBuild
• Deploy Core Account Structure: AWS Organizations
• Deploy Core Resources and Baseline Resources: AWS Account Baseline StackSets (Logging, Security, credentials) applied to the core and vended accounts
• Deploy Service Catalog Portfolio/Products: AWS Service Catalog
• Launch AVM for Core accounts

Landing Zone

[Slide text not recoverable]

AWS Landing Zone [title text not recoverable]

Working backwards

Operating like code

Designing for failure

Embracing enterprise DevOps

Applying guardrails not barriers

Running lean teams

Automating everything

Well-Operated [remaining text not recoverable]

Via AMS (AWS Managed Services)
• Month to Month
• AWS Out of the Box
• Curated Services & Management Tools
• Infrastructure Ops, Security & Compliance

[Column heading not recoverable]
• 100+ Partners
• Certification Program
• Third Party Audit
• End-to-End Services

[Column heading not recoverable]
• Service Catalog
• Modeling and Provisioning
• Automation and Operations
• Monitoring and Logging

AWS … + … + Partner

AWS Control Tower

[Slide text not recoverable; mentions Well-Architected]

AWS Control Tower Features

[Three feature slides; text not recoverable beyond a reference to AWS Landing Zone]

Get Started

https://aws.amazon.com/jp/controltower/

https://aws.amazon.com/answers/aws-landing-zone


Thank you
