Amazon Web Services (AWS) is an extensive cloud service platform by Amazon that extends database storage, computing power, content delivery, etc. helping businesses grow. AWS assist companies with a myriad of tasks including data processing, warehousing, game development and a lot more. Owing to its unique offering, the popularity of AWS continues to grow as it generated net sales revenue of a whopping USD 232 Billion in the year 2018.
Challenges of Creating AWS Account
Creating an AWS account is a strenuous task to accomplish as it involves multiple steps that require manual authorization. Additionally, there are various other factors to take into consideration like the requirement of IAM (Identity and Access Management) account, logging accounts, handling of cross-account permissions and much more.
AWS Landing Zone — The Solution
To streamline this complex process, AWS has offered a turnkey solution, denoted as the AWS Landing Zone that completely automates the creation of a secure and efficient multi-account environment on AWS.
Simplifying the AWS Account Creation Process
The AWS Landing Zone solution aims at helping customers set up a secure multi-account AWS environment while adhering to the best of AWS practices. AWS Landing Solution automates the set-up of the AWS environment for running secure and scalable workloads while implementing an initial security baseline. It also offers a baseline environment to start a multi-account architecture, identity, and access management, data security, governance, network design, and logging.
Types of AWS Account
Essentially there are four types of AWS accounts that can be deployed through the AWS service catalog
- AWS Organization Account
AWS Organization Account is used to efficiently manage configuration and access to the AWS Landing Zone. It basically offers the ability to create and manage member accounts. With the deployment of AWS Landing Zone in the AWS organization account, users can avail features such as Amazon Simple Storage Service, account configuration StackSets, AWS Single Sign-on (SSO) configuration, AWS Organisations Service Control Policies, etc.
- Shared Services Account
The Shared Services Account is used to create infrastructure shared services. These accounts by default host AWS managed active directories for AWS SSO integration within a Shared Amazon Virtual Private Cloud (Amazon VPC). The Amazon VPC is capable of automatically pairing with new AWS accounts created within the Account Vending Machine (AVM).
- Log Archive Account
This account includes a central Amazon S3 bucket for securing copies of AWS CloudTrail and AWS Config log files within a log archive account. The access to this account is typically restricted to the auditors and security team for forensic investigations associated with account activities.
- Security Account
It creates the role of the auditor (read-only) and administrator (full-access) to all AWS Landing Zone managed accounts. These accounts are used by the security and compliance team of the company to audit and perform emergency security operations in case of discrepancies.
Account Vending Machine Architecture
Account Vending Machine (AVM) is one of the key components of the AWS Landing Zone. It is used as an AWS Service Catalogue product that enables users to generate new AWS accounts in Organizational Units (OUs) preconfigured with an account security baseline and a predefined network.
Account Set-up Using AWS Landing Zone:
Installing
The entire setup process is executed through CloudFormation, also denoted as an ‘initiation template’ that allows users to select basic settings. Additionally, the initialization process writes a config template to an S3 Bucket, which serves as a source for CodePipeline. The CodePipeline integrates every change made to the config and applies the same to the main infrastructure.
(source: https://aws.amazon.com/answers/aws-landing-zone/)
Testing
Furthermore, to test the installation process, the user needs to change the ‘BuildLandingZones’ parameter to ‘False’ in order to prevent the configuration from launching immediately. This allows the user to inspect the final config and make necessary modifications before running it. Moreover, change the ‘LockStackSetExecutionRole’ to ‘False’ to ensure access to sub-accounts. However, care must be taken to change the parameter back to ‘True’, or else, it restricts the administrator access in sub-accounts.
Creating Account
Once the AWS Landing Zone has been successfully set up, users can easily create new AWS accounts via the ‘AWS-Landing-Zone-Account-Vending-Machine’ in the AWS Service Catalogue. Once AVM is launched, the user needs to add the preferred name to the account and choose the appropriate AVM version.
AWS Landing Zone — Easing the Cloud Adoption Process
- Fuss Free Cloud Adoption
AWS Landing Zone allows users to create various interconnected and structured accounts seamlessly, thereby saving up significant time by accelerating the transition process to a cloud platform.
2. Flexible and Scalable
With the AWS Landing Zone, users obtain a consistent underlying platform, allowing them to efficiently develop their cloud set-up. A consistent base platform also makes it easier for users to reuse the codes in order to modify their cloud platform in the future.
3. Secure and Compliant Infrastructure
AWS Landing Zone adheres to the best practices of AWS. This ensures that security, governance and compliance requirements are embedded into all landing zone accounts, by default. Furthermore, AWS offers optimized security through its account baseline settings including:-
- AWS CloudTrail — It is created within each account and configured to send logs to a centrally operated Amazon Simple Storage (Amazon S3) bucket and AWS CloudWatch Logs.
- AWS Config — It stores account configuration log files within a centrally managed Amazon S3 bucket in the log archive account.
- AWS Config Rules — It allows monitoring of storage encryption, root account multi-factor authentication (MFA), AWS Identity and Access Management (IAM) password policy, insecure security group rules, and Amazon S3 public read and writes.
- AWS Identity and Access Management (IAM) — It is used to configure the IAM password policy.
- Cross-Account Access — It is used to configure audit and emergency security administrative access and emergency security administrative access to AWS Landing Zone accounts.
- Amazon Virtual Private Cloud (VPC) — It configures the initial network for an account including depleting the default VPC, deploying the AVM requested network type, and network peering with the Shared Services.
- AWS Landing Zone Notifications — Amazon CloudWatch alarms and events are configured to send notification on root account login, API authentication failures, and console sign-in failures.
- Amazon Guard Duty — It is configured to setup automatic threat detection.
AWS Landing Zone — Facilitating a Strong Foundation for Multi-Account Structure
AWS Landing Zone extends an effective and efficient way to build a multi-account structure that comes with security and governance. It also offers a stable foundation for AWS that facilitates seamless modifications, which enables users to spend less time worrying about migrating their resources, thereby allowing them to invest more time in generating valuable outputs on the cloud platform.
Want to test it on your own?
You can test AWS Landing Zone yourself. We recommend that you first run your tests in a newly created account with a new organization so that you can gain some experience in a sandbox environment. Landing Zone itself comes as a CloudFormation template and can, therefore, be installed with one click:
Here are AWS’ docs: