Application modernisation project improves automation and account provisioning
A NSW Government department with over 10,000 employees wanted to find a better way of managing their AWS accounts and migrate their applications to a modern cloud environment.
Without good practices from the start, cloud environments can quickly accumulate unnecessary technical complexity, leading to inefficiencies and security challenges.
The Department’s Development team was spending too much time on DevOps to the detriment of developing new releases of user functionality.
PolarSeven helped the Department re-architect their environment to align with the AWS Well Architected Framework, delivering efficiencies and knowledge-transfer in the process.
Like many cloud environments, the Department's private cloud environment had grown organically over time with no standardised processes in place from the outset. Production and Non-Production accounts used different Amazon Virtual Private Clouds; in some cases several applications shared a single account, while in others multiple accounts had been set up for different teams. In some places roles were over-segregated, making the environment difficult to manage and work in, while in others they were under-segregated, making security difficult to manage.
PolarSeven commenced their analysis by conducting a Well Architected Framework Review (WAFR) to measure the environment against the five pillars of the AWS Well-Architected Framework, the AWS best-practice framework for building a secure, high-performing, resilient and efficient infrastructure.
The Five Pillars of a Well Architected Framework
Operational Excellence - Ensures that the running and monitoring of the platform delivers business value, while continually improving processes and procedures. The main components are managing and automating the changes more efficiently and responding to events.
Security - Ensures correct protection of the information and systems in the platform with appropriate privilege management and controls to detect security events.
Reliability - Ensures that the platform is resilient and can recover quickly from failures to meet business and customer demand and manage change.
Performance Efficiency - Confirms that we are utilising the correct workloads for the requirements and ensuring efficiency as business needs evolve.
Cost Optimisation - Controls where money is being spent: selecting the most appropriate resource types and quantities, analysing spend over time, and scaling to meet business needs without overspending.
The review identified Security and DevOps as key areas for improvement and PolarSeven addressed these in turn.
The first step in establishing a Well Architected Framework is establishing a robust security regime throughout the environment. PolarSeven built a new environment from the ground up, implementing AWS Landing Zone with AWS Control Tower, as it provides the most straightforward way to set up and govern new, secure, multi-account AWS environments based on AWS best practices. These include the Principle of Least Privilege, ensuring users only get access to the resources they need to do their job.
PolarSeven established the relevant Organisational Units and applied Guardrails through the Control Tower dashboard. Guardrails provide the ability to implement preventative or detective controls to govern resources and compliance across AWS accounts, to keep the environment secure.
Secondly, to address the DevOps issues, PolarSeven implemented AWS CloudFormation, which allows developers to model and provision, in an automated and secure manner, all the resources needed for their applications across all regions and accounts via a plain-text template file.
AWS CloudFormation provides a single source of truth for all AWS and third-party resources, with the benefits of:
Automated, replicable deployment
Cross account and Cross region management
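To make the two ideas above concrete, here is an added example (not PolarSeven's or the Department's own template): a CloudFormation template that creates an Organisational Unit and attaches a preventive guardrail to it as a service control policy, so that no principal in the OU's accounts can switch off the CloudTrail and AWS Config logging that detective controls depend on. It assumes the stack is deployed in the organisation's management account, that Organizations trusted access for CloudFormation is enabled, and uses a placeholder root id.

```yaml
# Added example: OU plus preventive guardrail (SCP) as CloudFormation.
# Assumes deployment in the management account with Organizations trusted
# access enabled; ParentRootId is a placeholder to be supplied at deploy time.
AWSTemplateFormatVersion: "2010-09-01"
Description: Workload OU with a preventive guardrail protecting audit logging

Parameters:
  ParentRootId:
    Type: String
    Description: Organization root id (placeholder, e.g. r-xxxx)
  OuName:
    Type: String
    Default: Workloads-NonProd

Resources:
  WorkloadOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: !Ref OuName
      ParentId: !Ref ParentRootId

  # Preventive guardrail: deny any attempt in member accounts to stop or
  # remove CloudTrail trails and AWS Config recorders, so that the
  # detective controls built on those logs keep working.
  ProtectAuditLoggingSCP:
    Type: AWS::Organizations::Policy
    Properties:
      Name: ProtectAuditLogging
      Type: SERVICE_CONTROL_POLICY
      Description: Deny changes to CloudTrail and AWS Config in member accounts
      TargetIds:
        - !Ref WorkloadOU
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyAuditLogTampering
            Effect: Deny
            Action:
              - cloudtrail:StopLogging
              - cloudtrail:DeleteTrail
              - cloudtrail:UpdateTrail
              - config:DeleteConfigurationRecorder
              - config:StopConfigurationRecorder
              - config:DeleteDeliveryChannel
            Resource: "*"

Outputs:
  OuId:
    Description: Id of the new OU, for attaching further guardrails or accounts
    Value: !Ref WorkloadOU
```

The same template can be deployed to every OU from one pipeline, which is the replicable, cross-account provisioning the list above refers to.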
Finally, PolarSeven commenced knowledge transfer to the Department’s Site Reliability Engineers to complete their understanding of DevOps and the toolsets required to support the new environment.
The Department now has an understanding of how to use the AWS tools to provision new accounts, and manage their DevOps most efficiently.
Accounts are provisioned with ease using the AWS Account Vending Machine, which ensures any account deployed into the Landing Zone has the correct access and security controls built in.
Application deployment is now automated to deliver code changes and new releases more rapidly, and with more consistency and control.