Automating Security in multi-account environments
Why AWS Control Tower?
When AWS environments are first created, often the focus is on delivering value to end-users or customers. User accounts and services are added rapidly, code is deployed, instances fired up - all focussed on delivering business outcomes. But there eventually comes a point where managing the environment consumes a disproportionate amount of tech resources. This is the point where deploying AWS Control Tower to automate security should be considered.
Implementing AWS Control Tower could be described as taking a cookie-cutter approach to security - obviously, it’s more sophisticated, but the benefits are the same:
Quickly setup a new environment using Blueprints built on AWS best practices.
Automate on-going policy management using guardrails.
View the policies applied at a high level and in detail.
What's in the box?
AWS Control Tower comes with four key components:
Blueprints - to automate setup of your landing zone based on best-practice
Guardrails - for on-going governance over your AWS workloads
An Account Factory (Account Vending Machine) - to automate your account provisioning
A Dashboard - for visibility into your organisational units, accounts and guardrails
How is it set up?
Blueprints
Blueprints embody an AWS best practice approach to their subject matter. Blueprints can cover:
Identity Management
Federated Access to Accounts
Account baselines with network configurations
Workflows for provisioning accounts
Centralised logging using CloudTrail
Guardrails
Guardrails can be mandatory versus elective and preventative versus detective.
Mandatory guardrails, for example ‘Disallow Public Read Access to Log Archive’ are enabled by default;
other guardrails, such as ‘Enable MFA for Root User’ are strongly recommended and are based on AWS best practice.
Additionally, elective guardrails, such as ‘Disallow Console Access to IAM Users Without MFA’ enable you to lock down attempts at performing commonly restricted actions in an AWS enterprise environment.
A preventive guardrail ensures that your accounts maintain compliance, because it disallows actions that lead to policy violations.
Whereas, a detective guardrail detects noncompliance of resources within your accounts, such as policy violations, and provides alerts through the dashboard.
All guardrails are expressed in plain English, and AWS Control Tower translates the guardrails into granular AWS policies by:
Establishing a configuration baseline using AWS CloudFormation
For preventative guardrails - preventing configuration changes
For detective guardrails - continuously detecting configuration changes
Updating the status into the AWS Control Tower Dashboard
Account Factory
You can standardise the provisioning of new accounts using a pre-approved account configuration template. This allows you to automate the provisioning of new accounts and even enable self-service for your builders to configure and provision new accounts using AWS Service Catalog.
Dashboard
The Dashboard gives you visibility of Accounts, Guardrails and compliance status all in the one place.
Next Steps
If you would like to discuss any of these concepts in relation to your organisation, or need help with implementing any of them, PolarSeven is just a phone call away. We would be happy to give you a free consultation to discuss any of your security issues.