Koen vd Biggelaar - Sr Mgr AWS Solutions ArchitectureMahmoud ElZayet – Solutions Builder

Tuesday 31st October 2017

Simplify & Standardise Your Migration to AWS with a Migration Landing Zone

LONDON

Planning a Migration?Key Questions to consider

How do we configure our AWS

environment

What are best practices for Security and

Compliance

How do we build a Cloud Operating

Model

How do we develop a

business caseWhat types of

migration will we useWhat is our

application portfolioWhat are our key

drivers

Which partners are we going to use ?

What is an AWS Landing Zone?

- A baseline secure multi-account AWS environment

configured based on best practices

- A starting point for your application migration journey

- An environment that allows for iteration & extension

over time

H

What to Expect from the Session

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

H

Understand

Build

Engage

Operate

AWS Cloud Adoption Framework

Application Migration

Create Landing Zone Migrate Apps Operate & Optimise

H

Landing Zone Journey

Domains DirectConnect

Start Accounts

EndUserInteraction

AutomationServiceCatalog

CentralServices

Migrate

Iterate

Operate&Optimise

Logging Config Access Identities Federation

Network Security Identity&Access

OperationalAutomation

What’sNext?

Imaging

Infrastructure Request

Current StateTypical Enterprise Situation

Governance &

Service Management

Central IT

Lines of Business

Provisioning

Characteristics• Lead times ~days to weeks• Service catalogue of components• Often process-heavy service

management

Agility versus ControlHow to choose?

We want agility, so we can

innovate in our business

I need control, so I can protect

our business

Business & Business IT Central IT?

Monitor&

Respond

Landing Zone

TemplatesPolicy &

Best Practices

Landscape Management

Current StateOpportunity to achieve Agility and Control

Automation

Lines of Business Central IT Opportunities

• Lead times in minutes• Service catalogue of

landscapes• Automated service

management

Security

Guiding Principles

Landscapes&

Automation

Cloud ITConsumers

Start Accounts Network Security Identity&Access

OperationalAutomation

What’sNext?

Account Structure

• Don’t overdo on Day One• Use separate accounts for:

Security and Compliance Isolation(production non-prod,

logging)

Cost Allocation Resource Management and Ownership

Account Structure

Billing

Security and Audit

Shared Services Dev & Test Mobile

IoT

Business Apps Digital Platforms

Option: Per AWS Region

Production Generic

Production Critical

Central Accounts

Application Accounts

Dev & Test

Analytics

ApplicationAccount(s)

Peering

BillingAccount

Security&AuditAccount

SharedServicesAccount

Logs

Billing

Billing Account Structure Security & Audit Account Structure

Shared Services Account Structure Application Account Structure

Security&AuditAccount

Logs

BillingAccount

SharedServicesAccount

ApplicationAccount(s)ConsolidatedBilling

Security&AuditAccount

SharedServicesAccount

ApplicationAccount(s)

BillingAccount

SharedServicesAccount

VPCPeering

BillingAccount

Security&AuditAccount

ApplicationAccount(s)

Initial Account StructureDifferent Perspectives

Manage Multiple AccountsCloudFormation StackSets

Stack Set

Payer / AdminstratorAccount

Template

Region

Stack

TargetAccount: A

Stack

TargetAccount: B

Account C Account D Account E …Region

Stack

TargetAccount: A

Stack

TargetAccount: B

Account C Account D Account E …

Manage Multiple AccountsAWS Organizations

Root

OU

OU OUOU

Stack Set

Stack Set

Account B Account C

Account A

Lookup

Deploy

Start Accounts Network Security Identity&Access

OperationalAutomation

What’sNext?

Individual VPC Patterns

ü Hybrid 2-tier (public and private)

ü Internal-only

ü Internet-only

ü Hybrid 3-tier (Presentation/Application/Data)

AWS Quick Start:Scalable VPCPCI DSS

§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§

§§§§§§§§§§§§§§§§§§§§§§§§§§§§

ü Leverage existing AWS Direct Connect to route traffic between VPCs

ü Offers customers the ability to incorporate transitive routing

ü Need to create more than 100 connections per VPC

Multiple VPN/DX VIFsConnect Applications running in multiple VPC to your DC

AWS Answers:How do I connect multiple VPCs in a single AWS Region?

ü Can create multiple VPCs within the same or different region/account

ü Do not require full connectivity between all of their VPCs

ü Central shared services VPCü Multiple VPCs that need access to shared resources

but do not each otherü Require fewer than 100 peering connections per

VPC

§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§

§§

Multi-VPC Partially MeshedVPC Peering

AWS Answers:How do I share a single VPN connection with multiple VPCs?

§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§

Transit VPC

ü Uses customer-managed EC2 VPN instances in a dedicated transit VPC with an IGW

ü Implements a transit VPCü Want more advanced connection types, such

as inter-region connectivity, or multi-VPC connectivity to on-premises resources

AWS Answers:How do I build a global transit network on AWS?

Start Accounts Network Security Identity&Access

OperationalAutomation

What’sNext?

Set Per-Account Security BaselineConfiguration of the security baseline

AWS Identity and Access Management (IAM) IAM password and other policies

AWS ConfigCentrally store configuration changes

Auditing and Governance

Access Control

AWS CloudTrail

Centrally store audit logs

Amazon S3 bucket(security logs)

Security Log Account

Billing Account Shared Services

Application AccountsApplication Accounts

Application AccountsApplication Accounts

Security Notifications

AWS CloudWatch AlertsAlert and send security notifications

AWS Organizations

AmazonVPC

AWS DirectoryService

AWS Service Catalog

AWS Quick Start:quickstart-compliance-common (Github)

AWS Labs Github:aws-config-rules

§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§

§§§§§§§§§§§§§§§§§§§§§§§§§§§§

Build Compliance into your AWS accounts

• Implement the CIS Foundations Benchmark• Use the UK-OFFICIAL compliance Quick Start• Deploy the AWS Labs CIS Foundation Benchmark

Checklist templates

AWS Labs Github:aws-security-benchmark

AWS Security Blog:Announcing Industry Best Practices for Securing AWS Resources

AWS Quick Start:UK-OFFICIAL

Log everything centrally for analysisCentralised logging makes it easy for security teams to consolidate AWS logs and analyze them to detectincidents

VPC subnet

AmazonEC2

Flow Logs

AWSCloudTrail

Amazon S3

Amazon CloudWatch

AWS Lambda

AmazonElasticsearch

Service

You can do this by simply using:• Amazon ElasticSearch Service• CloudTrail logs• VPC flow logs• EC2 server logs• AWS Config logsLog Transform Search

AWS Answers:How can I implement a centralized logging solution on AWS?What are the native AWS security-logging capabilities?

Choose how to start your compute Private images or import your current ones

Launch instance

EC2

AMI catalogue Running instance Your instance

Hardening and configuration

Audit and logging

Vulnerability management

Malware and IPS

Whitelisting and integrity

User administration

Operating system

Configure instance

Configure your environment as you likeOptions to create or import your own ‘gold’ images1. Import existing VMs to AWS 2. Procure partner AMI from AWS Marketplace3. Create and save your own custom images4. Bootstrapping a base AMI

AWS Marketplace:CIS Hardened AMIs

AWS Devops Blog:How to Create an AMI Builder with AWS CodeBuild and HashiCorp Packer

Start Accounts Network Security Identity&Access

OperationalAutomation

What’sNext?

You get to control who can do what in your AWS environment when and from where

Fine-grained control of your AWS cloud with multi-factor authentication

Integrate with your existing corporate directory and provide SSO to your customers. Support for SAML 2.0 (like your existing Active Directory) and OpenID compatible Identity Providers (IdPs).

You can use AWS managed policies, policies for typical job functions or customer-generated policies using the policy generator and test with the policy simulator

AWS account owner

Identity and Access ManagementControl access and segregate duties everywhere

Corporate Data Center

Browser interface

Identity Store

Identity and Access ManagementIdentity Federation

AD Group

Identity and authentication

Mapping to specific IAM role with access policy

Access to AWS

Select an Identity Federation Option

• Cross-Account Roles with IAM• Cross-Account Roles with AWS Directory Service• SAML Federation• Custom Identity Broker

Example: Cross-Account Roles with AWS Directory Service

AWS Answers:How do I manage multiple AWS accounts for security purposes?

§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§§

§§§§ switch role

AWS Directory Service

users

Shared-services account Sub-accounts (Billing, Security, Application)

• Users and groups are managed in one account (Shared-services) using AWS Directory Service

• IAM roles in every account is used for fine-grained authorization• Can be integrated with on-premises user directory for authentication

Start Accounts Network Security Identity&Access

OperationalAutomation

What’sNext?

Agility and ControlAWS Service Catalog and Marketplace

DevelopersOrganizations

StandardiseControl Govern

Agility Self-Service

Time to Market

…allows organizations to create and manage catalogs of IT services and software on AWS

Key Features

Tag Enforcement

Portfolio Level IAM access

Denial of end-user access to underlying services

Constraint CloudFormation Parameters

Share Portfolios

Version & Re-use Products

API, CLI, Console

AWS Marketplace to AWS Service Catalog Copy

AWS Ops Automator

• Automation Framework

• Central Administration

• Multi-Account/Multi-Region

• Pre-built Actions

• Custom Actions (Auto-retry, logging, concurrency…etc.)

AWS Answers:https://aws.amazon.com/answers/infrastructure-management/ops-automator/

TaggedEC2

instances for one or more AWS accounts

IAM cross account roles

controlsaccess to

AWS accounts

Schedulerrole

Schedulerconfiguration

tableInstance state

table

EC2 Instanceinformation

CloudWatchLogs

CloudWatchMetrics

CloudWatch ruletriggers Scheduler

SchedulerLambdafunction

CloudFormationscheduler

stack

EC2 instance scheduler

A single template deploys all solution components

AWS Answers:How do I automatically start and stop my Amazon EC2 instances?/

Logging Buckets

CentralisedLogging Analytics

Cost Optimization

Monitor

SecurityAccount

What have we built so far?High-level Architecture

Shared ServicesAccount

BillingAccount

Stack Set Admin AccountStack Sets

Stand Alone Templates

Scalable VPC Quick

Start

Cross Account Manager

VPC Flow & Instance Logs

CloudTrail, Config & IAM Baseline

CAM Sub-Account

ApplicationAccounts

Ops Automator/

Instance Scheduler

Start Accounts Network Security Identity&Access

OperationalAutomation

What’sNext?

Managing to the Portfolio Value

Portfolio Tier Requirements Operations Model

Approx. %

Portfolio*

IT Spend Against Portfolio

DifferentiatorsHigh rate of change & innovation; Possibly business-critical, but not always

DevOps 15%

60% - 70%

Table StakesBusiness-critical, but low rate of change. Needs high availability, maximum reliability, and durable DR

Automated Efficiency 25%

CommodityCOTS & commodity, minimal risk, low change, standard downtime & reliability requirements

Automated-Traditional 60% 30% - 40%

*estimated numbers

Provided Under NDA

Increasing Levels of Effort with Increasing Levels of Return

Mass migration

Re-platform / Refactor Re-architectMaturity Maturity

Running Multi-Modal Migrations

Value Automation

Mass Migration

Capex to Opex

Cost Out

Facilities Closure

Consistent Operations

Traditional Operations+

Operational Transition

Cloud Capable

Applications

Capex to Opex

Nascent Services

Cloud COEManaged Services

Automated Operations

Cloud Aware

Applications

ServerlessCompute

Continuous Integration

Disruptive Technolog

y

Maximum Efficiency

Advanced Architecture

Development and Operations

Sprint 1

Executing Multi-Modal Migrations

Program

Brown

Green

Sprint 2 Sprint 3 Sprint 4 Sprint 5 Sprint 6 Sprint 7

Deploy Landing Zone Extend, Integrate and Manage Landing Zone

Migration Business Case

Discovery Prep Discovery

Pipeline Generation

Migration Patterns Creation

DiscoveryGreenfield Migrations

Innovation

Re-FactorRe-Host

Complex App (single sprint)

Key Take-Aways• Configuring your AWS environment matching your operations

and migration needs, is a key step in your cloud journey

• Maximise automation, including cost optimization (i.e. resize instances, on-off schedules)

• Check aws.amazon.com/answers for guidance and packaged solutions helping you to build your own Landing Zone

• Be agile for your Migrations, not everything can be planned upfront

H

Thank you!

LONDON

Landing Zone Resources (1/3)Title Link

Cost Optimization Monitor https://aws.amazon.com/answers/account-management/cost-optimization-monitor/

Scalable VPC Quick Start https://docs.aws.amazon.com/quickstart/latest/vpc/

PCI DSS Quick Start https://aws.amazon.com/quickstart/architecture/accelerator-pci/

How do I connect multiple VPCs in a single AWS Region?

https://aws.amazon.com/answers/networking/aws-single-region-multi-vpc-connectivity/

How do I share a single VPN connection with multiple VPCs?

https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/

How do I build a global transit network on AWS?

https://aws.amazon.com/answers/networking/aws-global-transit-network/

Microsoft Active Directory https://aws.amazon.com/quickstart/architecture/active-directory-ds/

How do I ensure I set up my AWS account securely?

https://aws.amazon.com/answers/security/aws-secure-account-setup/

How do I setup AWS Identity and Account Management (IAM) for my organization?

https://aws.amazon.com/answers/security/aws-iam-in-practice/

Landing Zone Resources (2/3)Title Link

Compliance Quick Start https://github.com/aws-quickstart/quickstart-compliance-common

CIS Security Benchmark https://github.com/awslabs/aws-security-benchmark

Security Blog: Announcing Industry Best Practices for Securing AWS Resources

https://aws.amazon.com/blogs/security/announcing-industry-best-practices-for-securing-aws-resources/

UK-OFFICIAL Compliance Quick Start https://aws.amazon.com/quickstart/architecture/accelerator-uk-official/

How can I implement a centralized logging solution on AWS?

https://aws.amazon.com/answers/logging/centralized-logging/

What are the native AWS security-logging capabilities?

https://aws.amazon.com/answers/logging/aws-native-security-logging-capabilities/

CIS Hardened AMIs https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed

How to Create an AMI Builder with AWS CodeBuild and HashiCorp Packer

https://aws.amazon.com/blogs/devops/how-to-create-an-ami-builder-with-aws-codebuild-and-hashicorp-packer/

How should I manage multiple AWS accounts for security purposes?

https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/

Landing Zone Resources (3/3)Title Link

User Access Management Module http://www.awslandingzone.com/modules/landing-zone-user-access.pptx

How do I monitor the cross-region replication of my Amazon S3 objects?

https://aws.amazon.com/answers/infrastructure-management/crr-monitor/

AWS Ops Automator https://github.com/awslabs/aws-ops-automator

DynamoDB Continuous Backup Utility https://github.com/awslabs/dynamodb-continuous-backup

How do I automatically start and stop my Amazon EC2 instances?

https://aws.amazon.com/answers/infrastructure-management/ec2-scheduler/

How do I receive notifications as I approach AWS service limits?

https://aws.amazon.com/answers/account-management/limit-monitor/

Deck Guidelines

Fonts, sizes, colors, and layouts are all pre-built in this template.

Color palette

Please do not use gradients, shadows, or outlines on shape elements. Limit color use for chart graphics to grayscale plus one accent color.