AWS re:Inforce 2019: Implementing Your Landing Zone (FND210)

Captions
welcome to reinforce thank you thank you all for joining us and working with us in this interesting format can you hear me okay okay thank you for joining us thank you for being here for our first security conference it's great to see you and it's great to spend time with you and thank you for being here in this session hopefully you'll find it helpful and we'll do what we can to try and make it as informative as possible my name is Sam almalik I'm an worldwide enterprise tech leader for enterprise greenfield and for the last three years or so we've been working on defining account strategy and defining an approach for helping our customers build out their 80s environment we've started to call it landing zone and I'll make sure that as part of this session we clarify what's lower case landing zone upper case landing zone control tower AMS I'm hoping that by the end of this session you'll be slightly less confused about all the stuff that we have out there before I start by a show of hands how many people have seen this before okay how many people are tired of seeing this and hear explanations of what it actually is so the four of you can listen to the music for the next 15 minutes or so I'll give you a high-level overview of this and then we'll go from there so we'll talk about what's a landing zone lower case landing zone upper case landing zone what does it take to implement it the services that it takes whether it's C 2 B ass landing zone or control tower well think about one versus the other when do I use landing zone window I use control tower AMS the managed services and how the whole big picture fits together and at the very end you also get to help me define what the next set of guidance and things that we're planning to put out there for you are what are the areas we've got a list of things that we're thinking through customers just want to get things done I want to release new products but I want to make sure they're secure I wanna be able to move fast 
but I want to make sure that operationally I'm resilient and given the business security conference will focus more on the security side of it what if every single developer every single application can launch applications and be ready to go and you as a security practitioner don't have to worry about them doing the wrong thing and if they do it's at least isolated and the blast radius is small enough that it's minimal risk overall so they can move forward and go go and launch new product and services that's the core idea behind building a landing zone and the multi-account strategy guidance and everything we've been putting together has been driven out of the security organization within AWS based on the collective best practices but how we do do that how do we stay scalable resilient while we're still compliant and make sure we're still able to adapt what we've come to at least today ws is you need a landing zone not to be confused by the AWS landing zone solution this is just the place that helps you launch products and services or get them to take off if you're thinking of a landing zone it's an environment that's pre-configured allows you to use multiple accounts and it's a starting point for development an account and of itself is not special in that other than it provides us this container that's the level of isolation it happens to be that with in AWS that is the best way to truly isolate resources so when you're thinking about it from a mental model all we're looking at is a way for us to be able to isolate resources and accounts so that users can go and do things and if they break something if they download an insecure open-source product or if they leak credentials the blast radius is limited it just so happens then I count is the best way we at ATS have for achieving that and if I can get everybody to be able to just launch something and know that what they're doing is not going to impact others and that if they do have a security leak or something goes 
wrong it's isolated to that that allows me to build things more comfortably it allows me to be able to feel safe well relatively safe and secure because knowing most security practitioner there is no such thing as safe but we'll get there so the lower case landing zone it's a pre-configured environment for your presence it's scalable and flexible we decided that we've been telling you this guidance since 2016 set up accounts put Corps put shared services and earlier in 2017 28 yeah 2018 rather we launched an implementation of that practice we call the database landing zone solution yesterday we launched it abuse control tower which by the way they're doing a session there but don't leave mine to go listen to theirs they're doing it again later control tower is taking the same practices and things that we've done in a dubious landing zone solution implementing it as a managed service and a little bit later we'll talk about decision points how do you pick one versus the other or do you use both so we've talked a little bit about this an account is the highest level of isolation lets me do things like my security boundary my API limits throttling billing separation it is the only true way to separate things within AWS environment in fact if I set up an account and you set one up that level of isolation and separation is the same as if you set up two separate accounts or you then within the same company so it helps us provide that approach most times customers start with one you can start with one and play with it so if you're a new company starting out or just a person start with one account play learn figure stuff out what people soon realizes one account doesn't give them the level of isolation they want and things start to get a bit messy I was talking to a Cecil once and he said well of course you'd recommend all of this because it means we pay you more money so for those of you who don't know accounts are free B PCs are free I am users are free so you can set up 
a thousand accounts or one account it's all free until you start launching resources the intention is to help you build things that are isolated on the other end of the spectrum we have customers that are moving toward thousands of accounts many customers have that today but when you start torrent going toward that model it's the aggregation problem how do I bring everything together how do I know what's going on across the board many customers are somewhere in between but my personal goal and to a certain extent as we see this journey happening over the last few years customers are more and more moving toward a lot of accounts because they provide a really good level of isolation one might not be enough because you might have multiple teams you might actually be one person that has multiple projects that are regulated differently if they are regulated or you just want to keep the account clean so I've got my environment for application a just sitting there may be different security controls and compliance rules around them or I really want the true billing separation between them might have two different teams that have completely different approaches to doing things and rather than have them step on one another and kill each other's resources they're all sitting in separate containers that are isolated and separated from one another which again happens to be the account but to achieve this at scale we need to start thinking of ways to make sure that this is automated how can I get every team that wants to be able to build something new or every developer to have an environment that they can just get started in how do I make sure that they can go at any time and have it be able to scale how do I go from days or hours to minutes to somebody gets spun up and being ready and to do that we want it to be self-service think of guardrails not blockers traditional operations team and is there any set security teams it tends to be the answer is no until you can prove how 
do you make it work the right way but what if I can have the guardrails and things in place so I know when something does go wrong to allow that innovation to happen and turn my security team and organization into an group that can actually build and put things in place to help manage and monitor the rest of the organization and as you look through this model you'll see that a lot of things are owned by the security team to help build that approach but we also want that visibility what happened who did what when where did they come from and most importantly flexibility because whatever you come up with today I promise you will change a year from now a few months from now in some cases and being able to think through a flexible platform that helps us enable our business to move forward I come from a software development background and I do fundamentally understand the idea that if I open up my server to the whole world to every possible IP address it really does make it convenient to get things done but if I tell that to any security person they will kick me out of the room but what if you have the guardrails and things in place that you know that I remember when I first started at AWS I opened up a redshift cluster public IP address open to the Internet and I think within a few hours I got a ticket from our security team which was terrifying because I had just started at the company telling me I violated policy go do something about it and of course I went and I did I didn't have any information on it other than some public data set that I loaded but it allowed me to make the right decision and enabled me to be an insecurity and gave me those things in place what if we can move toward that model now I'm not promising you that I can give you that today but this is the mental framework and things that we think about as we move forward so a few things we do before we start locker Dench's for the root account enable cloud trail guard duty to make sure we get security 
findings we want to federate our accounts so as people come in and leave you have an existing process so your existing directory whether it's an Active Directory or for those of you that hate Active Directory LDAP you have a way to authenticate and federate into the accounts that is from an identity provider think about the rules and things do I want all of my volumes to be encrypted so um I ask three buckets to be encrypted and how do I know if somebody does something wrong or they don't encrypt the bucket then from there to establish that isolation we've got a whole bunch of accounts and things to start thinking about again think of it of that container space that we're talking about not to be confused with container that's associated with docker just this space that we can put together so we start with the top of the hierarchy the organization's master account should be owned by somebody who's responsible for the security of the organization sometimes it's a cloud center of excellence in conjunction with the security team but it is an account that allows you to manage a whole number of other accounts within your organization it should be limited resources minimal things you get consolidated bills go up there and it is there to host your overall environment you can deploy things like service control policies which as of a few weeks ago we've released the ability to do granular service control policies but here's one that's just stopped somebody from being able to disable cloud trail so we've got a log of the API calls happening within the account and I want to block somebody from being able to stop that I can put that service control policy as the master level and it supersedes any privileges in the sub accounts even the root account so nobody can go in and stop it or if I've got a production account and I don't want anybody to have an Internet gateway it's an isolated VPC I can add a policy like this from there we start thinking about the foundation of building 
blocks that help our organization we just happen to call those core accounts because we couldn't come up with a better name and it makes sense so these are the things that the rest of the organization depends on and again even if you're a small start-up or your one-man shop having that level of isolation helps make things easier down the line and each one of these will match they'll have their own development lifecycle so my shared services account isn't going to be just a production one and I only use that but for the purpose of this we're showing it as one box once I've established core where do my security logs go I want someplace isolated I send them there and we call that the log archive account your cloud trail logs from every single account or every single place goes in there it's a single source of truth it's your security log config logs some customers choose to start putting some application logs and things in there but the golden rule is keep it so it's only hosting the logs we're not putting compute we're not putting log analysis we're not putting any of that in that account this is the single source of truth if we wanted to compute on it or do analysis will give read-only access to the content from somewhere else and it can go in and access it in fact if I user logs in I would alarm on it because that should not happen now that have a place to store my logs I go into my security account and that's again owned by my security organization and the goal is I need to be able to know what's going on in the rest of my environment its security logs going to log archive it might be connected to your data center if you've got a sim on Prem and that's where you want to aggregate your findings or if you've got tooling on Prem it needs to connect to your guard duty master your findings but it's also got a cross account access into all your other accounts within AWS because you might have automated tooling running in place are there any security groups that are open 
to the world any volumes that are not encrypted that alarm I got when I first started at AWS happened because there is a cross account role sitting in my personal AWS account that an automated scan ran and detected that I created a redshift cluster with a security group open to the world and that's the model we're trying to go after it's how do I find these things as quickly as possible in an automated way as possible plus there's a read/write role that allows you to affect changes should not be the way to log in as a human or a security practitioner again that's a fail-safe mechanism what if there's an issue what if there's a compromise and I can't reach the owner of that account it allows me to effect change if I need to or even allows me to make changes to policies and guardrails within that account down the line common tank things and tooling that I want to do I go through shared services when you start out you might have one shared services over time you might have 20 common tooling and services that I need for my organization maybe my directory may be a golden AMI some customers have gone as far as created a separate account for the golden a.m. 
eyes to be used by the rest of the organization with subscription mechanism on it so I know when a new one comes in and the development teams can pull in the latest one some customers go in and build the deployment pipeline for going cross accounts and that becomes another one of the shared services and in all of this we're thinking in terms of the areas of responsibility of the people that own the accounts we're matching the people that own things when we talk about teams it's the same concept may be looking for limits or snapshot life cycles do I have snapshots from three years ago that nobody has looked at and I've got a snapshot every single day maybe I should some clear out some older things limit monitoring those kinds of things limited access the team that owns that area of responsibility network again your network team is likely to be a different team from your central IT managing the network infrastructure Direct Connect goes there transit gateway would give me Manish they're allowing that level of isolation again to happen on the network side and similar concept log archive things go there by the way we have this recession was also done at least these components we're done at reinvent this past year so there's a recording I'm intentionally not going to go every single detail because there's a number of things later on I want to make sure that we get to so for the four of you that raised your hands I'll make this faster don't worry developer sandbox is they need to play they need to learn they need to figure things out and I know this one sounds terrifying giving every single developer an account with full access and they can go play and get things done but you treat it as a company resource just like a company laptop it's part of the HR process onboarding for employees there's a spending limit on it no more than $50 a month or $100 a month to learn and figure stuff out and the reality is the people that want to sneak out the data they can go set up an 
account with their Gmail account if they want it to and then put stuff up there at least now you have visibility and it enables the organization to get started it enables the developers to learn and figure things out disconnect it from everything this is not connected to your data center in any way it is isolated it's cloud trail logs are still going into the log archive accounts so at least you have that visibility and know what's going on but it's isolated they can play and learn and figure stuff out and at least if they make big mistakes they make them in a small account that's very isolated just to them from there I start thinking about my teams back to the idea of shared ownership and who owns what who's responsible for things so I start thinking about my team that has product X and unlike one of our leadership cinemas on which is think big in this case we want to think small what's the smallest unit that I can make this so that this one team that owns this one or two services can go launch it and build it in there and they can move forward with what they need to do again in all of this we're sending cloud trail logs and everything in the right places making sure those cross account roles the auditing and scanning and things are happening while these accounts are running and for this we just match our development lifecycle we've got a development account for that particular team if you have development alpha beta gamma however many you just match those so we'll go developments will go into pre prod these can be as many as you need for your development lifecycle similar concept connected to where it needs to go so shared services because it might rely on directory services there and it's connected to my pre prod network on Prem production similar concept cloud trail logs going now our connectivity to the right places and hopefully you're promoting things from pre prod I've tested it validated everything works now I can say it's gonna go into production 
extremely limited access in some cases you could have the access only limited to a handful of people that are not even part of the application team or the senior leaders on that team to make sure that things are done but largely we want it to be automated and if we can get to that point it's another place that we reduce the potential area of human mistakes over time as it becomes easier to create accounts and use them and we have a process around it we have things that just start to grow organically maybe there's a common set of data that a whole bunch of applications use I can build a data leak around it or build a few common services and I can build a number of these team shared services and if you extrapolate that a little bit further the more accounts that get created the more teams that are building it you'll have this big mesh of interconnectivity between things as you offer services and resources for everybody to use so for the beginning not one I generally think about but just know this is the progression down the line and as it becomes easier to manage accounts and create them it's no longer a decision point if should I create one or not it's let's just create one put it together if we're not sure let's just put one together we got a new team member that came on board hasn't used AWS before it just let's put a few accounts in there let them play get things done and again we're keeping an eye we're making sure what it is tradition of the problem been how hard is it to manage this stuff okay so your innovation pipeline ends up looking something like this we got my developer accounts maybe I decide to create a POC account we're gonna try something and if it looks like it makes sense got business approval on it let's move it into the dev and from there go into pre prod prod and follow the same process that we always have done or in some cases I just go right from my developer account because I made a decision I like it it makes sense let's just go into dev and 
move forward and finally there will be exceptions there will be special accounts so other than just teams what if I'm subject to PCI it's much easier to go to an auditor and say this account is my PCI holds the credit card information that's it there's nothing else here's the set of people so it helps with that isolation and once again reducing the blast radius so by the end we end up back to that diagram I asked you at the very beginning we have production we have non prod we're matching our development lifecycle we have core accounts that represent what we need there might be other core accounts or things that you need and overtime these grow you might find that you're going to create two or three log archive accounts some customers have said they're auditing team have said well log archive sounds great everything's going there but I want my own copy owned by my auditing team - you'll pay double the money for the storage but if that's what you have to have that's another thing you can do there and have it copied directly right in there and then some examples are the first teams that might make sense maybe a team to help manage your bills and cost optimization and make sure that you're buying the right reserved instances so that you're saving as much money as you can or minimizing your costs or we've got an auditing team that has decided they do want their own copy of the logs or even just one or on tooling to access the log archive logs so that they can determine if we've met some compliance rules or law or regulations again they might have dev pre prod prod as needed because they're building their tooling and things that might want to check because of course all of your auditing teams have full development teams that can do all of the stuff and get it done in an automated way or I've got an amazing new product or an idea same thing match the development lifecycle think small what about my QA and staging traditionally we talked about this whole idea of an account 
being a container it's an isolation but if we've got an orchestration framework around it that helps me spin up additional accounts or deploy guardrails and masts to all of these accounts but I have a mistake in that piece of code what if I have a typo that denies access to all of s3 and I go deploy it to my production landing zone and now shut down every single application across every single account that I have we recommend a queue and staging landing zone environment - this is not your development and production and pre prod accounts for the individual teams those are sitting within the master one as always this is the development and staging for the landing zone itself the orchestration framework that controls all of this which should be more tightly controlled in terms of development and deployment but making sure that I can test those changes and we establish a second landing zone albeit a smaller one but mirrors my master one so that I can make changes to that orchestration framework without potentially breaking my entire organization so if I were to go do this and if we're gonna build something around it I start by defining a tagging strategy my automation strategy create my bunch of accounts and get started and there's a whole bunch of lists of things and this is by no means an exhaustive list things to start thinking about if I'm establishing this environment what do I do for each one of those accounts for my log archive enabling my MFA delete enable versioning limited access setting all of that stuff up in place and then for every single one of the accounts there's a common checklist in addition to the individual things that you've seen there you've seen it referenced in the last slide enabling mfa making sure that those logs I mentioned my cloud trail logs are going to the right place in the log archive account and up until a year year and a half ago this is kind of where my presentation would end I would flip over to a customer and then tell you go do 
it but then we decided to take it a little bit further and help you get started in that process so in 2018 we launched what we call database landing zone solution which instead of taking you months to start building this and putting some foundational framework in place we provided a cloud formation template that creates a code pipeline that allows you to do those things so it sets up the code pipeline we've got a shared services account log archive security the cross account roles configures the log archive account so that the logs from those security things are going there enables config enables a number of guard guardrails things like config rules that report on encryption but most importantly it creates what we called an account vending machine which of course in control tower we decided to rename again but we'll clarify all of that as we move forward so it's an account vending machine whose function is instead of using mate abuse organizations API is directly to create an account you make use of the account vending machine to create an account and what it will do is it will go in and take care of that initial plumbing if I create a new account through the account vending machine my cross account security roles that we spoke about they get created my cloud trail gets configured from the moment that's created and it's logs going to the log archive account in addition to a local copy in its own account so the developer whoever is in that account can view their own logs if they need to don't have to go to you to ask you for them and they can't stop it because you put the SCP in place so they can't stop it and it sets at the connectivity to the shared PPC account so that every new account and every new container that we set up is already connected and ready to go so back to that queue a landing zone thing that we just spoke about I would just launch two of these one for testing and validating this one you get all the code it's available you talk to your account team 
to help you get access to it the reason we chose not to publish it broadly is because it's a complex solution it uses a number of services and it is a bit more complex to get going so we wanted to make sure to improve that experience and work with our customers to work through it to make it easier for them so if you talk to your account team they can work with you to get you access there is no charge for this it's available and even if you built your landing zone already or I've started to we've got something you're happy with but this does something a bit better or something you want to learn from take it try it out do what you need to do with it so if I go back to that list that I showed before it starts to take away some of those things creates log archive security shared services gives you the account vending machine so I can start creating developer sandboxes if I want and it takes care of a number of things not everything but it takes care of a number of things there so it makes it easier to get started and because you have the full code to it you can customize do anything you want to it provided you have knowledge about fifteen of our services and can go figure it out and learn from it so it does require a certain amount of uplift but we know customers that have spent months if not years trying to build something and a significant amount of money to trying to launch these types of things this helps you get started so they give it a little bit more context when I start thinking about this entire landing zone concept that lowercased landing zone what does it take to actually operate and build things in AWS I've got the account management aspect of it got things like account metadata who's the owner what's the function of that account what I need to be protected in there is it subject to compliance program what are those account level things I need to do and policy deployment enforcement remediation notification all of those things are things that I need 
landing zone starts to give you some SMS topics that you can potentially use it gives you some configure rules to help you do things like encrypted AWS encrypted EBS volumes and takes care some of the policy deployment again back to this idea this does not give you everything yet but it starts to do some of those things and the areas pointed to are the things that it really does and you start thinking through yesterday you heard about it abyss control tower if you haven't there's another session later today if you want to dive deeper into that one there's one happening over there right now but thank you for being here how do i implement it now you thought about landing zone it's code it's everything now we listen to our customers they like landing zone but it requires a good amount of complexity and you need to know the code and you need to manage it and do it yourself so we decided to build a managed service version of what landing zone is and that's what control tower is it solves the same problem except it does it as a managed service so you go into the account launch it provided the right limits are in place and it goes creates log archive creates a security account although in there we call it aught it does not create shared services at this point instead of setting up an account vending machine we call it account factory so it's the same function I can go in and set this up so log archive audit account it's a pre-configured secure environment and enables guardrails and governance and you can define things it comes with 30 guardrails so I can get started and I can play with it and I can try it out needs to be launched in new account you cannot launch it in an existing one in fact you cannot have enabled organizations on that account yet if you have it will not work and it will do that check so don't try and cheat now you can try it today it's a free service you only pay for the resources it launches and if you look at the FAQ page and the pricing page we have 
some examples of how much would actually cost you if you launch it using certain configurations but think of it as a managed service version of the AWS landing zone solution so you get to enable you set up a landing zone you have the centralized identity so god uses SSO so back to the idea of Federation that we talked about using iam is not as easy to manage but if I've got a single provider for my identity single sign-on whether it's a directory landing zone sets it up by using an active directory here it uses AWS SL and will drive it a little bit deeper into one versus the other and when to choose one versus the other but for now control tower only supports SSO so it becomes harder to integrate with additional ones puts guardrails in place and automates the checking around them and one unique feature that it has that landing zone does not have is it actually gives you a dashboard of findings and what's happening in there how many OU's do you have number of accounts how many preventive guardrails detective guardrails it's a security conference but I assume most of you preventive are things you're stopping people from doing detective are things you really can't stop but you want to detect that they happen and get notification so it builds those things in place and you can have a dashboard and back to that aggregation problem I described earlier starting to bring things together so I can start looking at it use that in combination with security hub and you can start having a centralized place to look at these findings and working through them use account factory to launch new accounts and provision them to people and you know what's going on by looking through it got a dashboard visibility built an identity monitoring notification all of it built in and as of yesterday it has gone GA so feel free to go try it play with it see what it does how it works attend a session later today if you're not flying home what are they gonna dive deeper into this with a whole demo 
and everything, and if we finish early enough you might be able to see the demo over there. So back to that same list that we did before: similar things. The only thing it does not do is create the Shared Services account. Now, you can go spin up an account with the Account Factory, or iterate on it, and depending on what decision you make, where you want to go, it might have Shared Services in there in the next iteration. So let's look at it in context. Similar diagram to before: we've got all of this metadata stuff, everything that we have, policy deployment, remediation, and again similar things that it takes care of. It has a dashboard, but I don't have a reporting dashboard on here; that'll be for the next version of the presentation. But similar concept: you still have to think about the account metadata, how do I know what sits in what account. It also, unlike Landing Zone, starts taking care of that bigger circle, which is a collection of guardrails. Whereas Landing Zone does individual guardrails, in Control Tower you can define a template around a set of guardrails and start making use of that, which we call a blueprint. So, anyone have this question: which one do I go with? So I tried to put together a list of things to start thinking about, some of the pros, some of the cons, what they look like. So Landing Zone: it's a CloudFormation deployment. I deploy it, there's about 15 services or so, and it takes care of it. There's a CodePipeline; if I need to make an update, you need to download the code, make updates and relaunch it. Control Tower: it's a managed service. You have no idea what our code is; we take care of it, you just launch it and it goes. Landing Zone: you have the code, you can do whatever you want. You could name it Non-Landing Zone or anything, for all I care; you can do whatever you want with it because you've got full control and full code, and infinite customization, because you get to do it. But if you do that, you have to maintain it, and that might be a perfectly viable option for many
customers who have the staff and expertise to do this. Control Tower: there's a set of fixed blueprints right now. Most regions are supported, as long as the services that we're using are there; commercial regions are all supported, except for GovCloud and China, because the underlying services in some of those are not available. Account structure: complete flexibility. Again, you have the code, you can do what you want. Control Tower is more opinionated: there's two non-configurable core accounts, no Shared Services, and no VPC is being launched; Landing Zone does take care of the VPC. Landing Zone is complex, and it does require a significant amount of expertise to get it to work and to troubleshoot it; sometimes you have to look through a whole bunch of logs to figure out what happened. Control Tower: self-service, there's a GUI that you can just click and get things done. There is no API as of right now. So these are some of the decision points: which one do I want to go with? I've already got an existing landing zone in place that works for you and does what you need; maybe it makes sense to stay with it. I'll wait, I'll wait for the clapping. What if I have Landing Zone today, or what if I decide... what if I'm afraid to use AWS Landing Zone because I'm afraid if I use it then I miss out on Control Tower, and I want to maybe be able to use it later? The service team has committed that you will be able to migrate existing accounts at some point down the line. We'll come out with better guidance around what you should do and not do within Landing Zone-based implementations to help with Control Tower. And this, by the way, is right out of the FAQ that we have on our public website. So even if at some point you decide that Landing Zone is what you want, but are hesitant because you don't want to maintain it down the line, there will be a migration path. So which one should you choose? Think about Control Tower and its capabilities: does it meet what you need today? And if it
doesn't quite meet it, but you want to get started with it and grow with the environment, then go with Control Tower. If you don't have the people that can manage the complexity of managing a landing zone using that solution with the services, and being able to troubleshoot and change things, start with Control Tower and move forward. Do you have an existing landing zone today that meets your needs? You might not want Control Tower or Landing Zone; just continue to use it and see if Control Tower evolves to get to the point where it meets what you want. Do you need the full customization, full control over everything? Then go with the AWS Landing Zone solution. And I promised to give you a little bit more context to help you understand the bigger picture around everything that we're doing. So back in 2016, this is what multi-account strategy looked like, and because I drew that diagram personally it does not look very good, unlike the one that you saw earlier, which shows you the nicer version of it. And if you notice, it's similar: we have a security account; there's no Log Archive. Back then we were telling you to put the logs in the security account, and then a year later we decided it makes more sense to separate it out. We don't have teams, we have BUs, which of course, because we mentioned business units, some went ahead and put their entire business units into accounts that had hundreds or thousands of users and hit every possible limit imaginable. Not only that, we've had some instances where customers had somebody go in and close down their entire account because somebody was just playing and doing something with it. So here's where we are today. We started out with the security and governance approach; everything you see in multi-account strategy was done with a group of security experts within AWS that have worked with a number of customers to come out with what makes sense as a pattern. So we decided to give out guidance, and we started that back in 2015-2016. Then from there we
wanted to provide you a way to do an implementation, and the way to implement it was an SA or Professional Services or a partner advising you on what you might want to do given that possible framework. Then from there we wanted to think about infrastructure operations and application operations. So from a guidance perspective, you've got the multi-account strategy, which for re:Invent 2016 and 2017 we ran multiple sessions to help customers think through. In 2018 we used the landing zone name, but it was the same thing: architecting security and governance across your landing zone. Then we decided in early 2018 to give you some implementation, which was the AWS Landing Zone. But many of our customers might have built their own landing zone already; some may not like it, or maybe they love what they have and they use it all the time. So they might have built one, whether it's based on the multi-account strategy or their own things. We came out with AWS Landing Zone, which implements the multi-account strategy best practices, and now Control Tower, built on the Landing Zone build and that same guidance, to make things happen. Then you want to think about your infrastructure: how do I operate it? It could be your operations team, it could be a managed services provider, and they manage any of those things. If you've got a managed services provider, they're probably managing their own custom-built partner landing zone on your behalf and allowing you to make use of it. Or you can use AMS, which is AWS Managed Services, that takes care of infrastructure operations. Then from an application operations perspective, I didn't draw the arrows because it would have been very full: I've got my infrastructure taken care of, what about my application side? Again, that could be the operations team you have today, a managed service provider, or, as many of you know, DevOps or DevSecOps, to start thinking through this. And for many enterprises, going into DevOps is not what happens on day one
that takes a long time, if you ever get there, but it starts to inspire some ideas. And with DevSecOps, what if every time somebody checks in a piece of code, before they go to production, there's validation checks that the security team does in an automated manner to get things done? So as I mentioned, if you want to learn a bit more about Control Tower there's a session later today, 5:00 to 6:00 p.m., right over there. There's one that you just missed, I'm sorry about that, but it will be recorded. But if you want to attend their session later today, or if you want to run over there and ask some questions, pretend you're attending, you can go do that. I wanted to get some feedback from you; don't worry, I'm not keeping you here for long. This is a list of things that we're starting to think about offering guidance to our customers on, and naturally at some point starting to implement things like: how do I set up my service control policies; identity federation, possible ways to do it; networking, do I use Transit Gateway, VPC peering, shared VPC, PrivateLink, there's a lot of options; what about my CI/CD, how do I do my publishing and deployment pipelines; what about alerting and recommendations; forensics; landing zone. So when you fill out the survey, if you can remember this list, or at least one thing that you would like to see us do, just put it in: the things that matter to you, that make more sense for you, that you think you would like us to put guidance in. We'll be meeting again later this summer to start putting a number of this stuff together to start publishing out to our customers, to help you understand, and naturally this will feed into our product development and eventually what we put out there, but at least helping our customers understand what we see broadly, what the best practices are. So feel free to do that. So thank you all for joining, thank you for taking the time, I really appreciate it. [Applause]
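The talk above distinguishes preventive guardrails (stop the action) from detective guardrails (let it happen, then detect and notify) and names encrypted EBS volumes as one of the checks Landing Zone ships as a Config rule. The following is an added example, not code from the talk, from AWS Landing Zone or from Control Tower, that shows what each kind of guardrail looks like for that one control. The service control policy is my own illustration (the `ec2:Encrypted` condition key and `ec2:CreateVolume` action are real; the statement text is not AWS's shipped guardrail). The evaluator mirrors the shape of a custom AWS Config rule evaluation (AWS Config also ships a managed rule, `ENCRYPTED_VOLUMES`, for this check). The volume records and the `scp_denies` policy-matching model are constructed for the example and deliberately simplified.

```python
"""Preventive vs. detective guardrail for EBS volume encryption.

Added example: not code from the talk, from AWS Landing Zone or from Control
Tower. The SCP below is an illustration of a preventive guardrail; the
evaluator mirrors the shape of a custom AWS Config rule (a detective
guardrail). All volume data is constructed sample input.
"""
import json

# Preventive guardrail: a service control policy attached at the OU level that
# denies creating an EBS volume whose Encrypted flag is false. A Deny in an SCP
# cannot be overridden by IAM policies in the member account. Caveat: SCPs do
# not apply to the organization's management account, which is one reason the
# talk stresses keeping workloads out of it.
DENY_UNENCRYPTED_EBS_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedEbsVolumes",
            "Effect": "Deny",
            "Action": ["ec2:CreateVolume"],
            "Resource": "*",
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        }
    ],
}


def scp_denies(action: str, request_context: dict) -> bool:
    """Simplified, illustrative model of whether the Deny statement matches.

    Real evaluation is done by AWS and also handles wildcards, resource ARNs and
    the interaction with IAM policies; this only checks Action plus the Bool
    condition keys, which is enough to show what the guardrail prevents.
    """
    for stmt in DENY_UNENCRYPTED_EBS_SCP["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        bool_conditions = stmt.get("Condition", {}).get("Bool", {})
        # A condition key absent from the request context does not match.
        if all(
            str(request_context.get(key, "")).lower() == expected
            for key, expected in bool_conditions.items()
        ):
            return True
    return False


# Detective guardrail: evaluate volumes that already exist. Records are shaped
# like entries from an EC2 DescribeVolumes response (constructed sample data).
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ccc"},  # field missing: treat as not encrypted
]


def evaluate_volume(volume: dict) -> dict:
    """Return one evaluation in the shape a custom Config rule reports."""
    encrypted = bool(volume.get("Encrypted", False))
    return {
        "ComplianceResourceType": "AWS::EC2::Volume",
        "ComplianceResourceId": volume["VolumeId"],
        "ComplianceType": "COMPLIANT" if encrypted else "NON_COMPLIANT",
        "Annotation": "EBS volume is encrypted at rest"
        if encrypted
        else "EBS volume is not encrypted at rest",
    }


def noncompliant_volume_ids(volumes: list) -> list:
    """Detective output: the volume IDs that should raise a notification."""
    return [
        e["ComplianceResourceId"]
        for e in map(evaluate_volume, volumes)
        if e["ComplianceType"] == "NON_COMPLIANT"
    ]


if __name__ == "__main__":
    print("SCP denies unencrypted CreateVolume:",
          scp_denies("ec2:CreateVolume", {"ec2:Encrypted": "false"}))
    print("SCP denies encrypted CreateVolume:",
          scp_denies("ec2:CreateVolume", {"ec2:Encrypted": "true"}))
    print("Non-compliant volumes:", noncompliant_volume_ids(SAMPLE_VOLUMES))
    print(json.dumps(DENY_UNENCRYPTED_EBS_SCP, indent=2))
```

The two halves are complementary rather than redundant: the SCP stops new unencrypted volumes from being created in any member account it covers, while the detective evaluation catches volumes that existed before the policy was attached, were created in an account the policy does not reach, or were created by an exception path. In a Landing Zone or Control Tower deployment the NON_COMPLIANT results are what feed the notification topics and the Security Hub aggregation the speaker describes.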
Info
Channel: Amazon Web Services
Views: 23,982
Rating: 4.9521914 out of 5
Keywords: AWS, Amazon Web Services, Cloud, cloud computing, AWS Cloud, AWS re:Inforce, AWS re:Inforce 2019, security, identity, compliance, cloud security, AWS security, cloud security community, learning conference, Detective Controls, Infrastructure Security, Data Protection, Incident Response, Governance, Risk, Compliance, security best practices, The Foundation, AWS re:Inforce 2019 Sessions, Session, FND210, Sam Elmalak, 200 - Intermediate
Id: nNy5UjzejNc
Length: 47min 57sec (2877 seconds)
Published: Wed Jun 26 2019