AWS Landing Zone

Security

AWS Landing Zone will provide self-service security guardrails through setting up accounts and resources. AWS Landing Zone is partly made up of a Security Account, which, by default, includes security-focused tools such as an account baseline, security cross-account roles, Amazon GuardDuty  and Amazon SNS (security notifications). Security Account will provide what AWS sees as essential security functions for all AWS accounts in an organization such as security management, Log Archive and directory services.

Security Account security baselines include:

• Integrated access management policies -- in which AWS Landing Zone can allow a user to set a security admin as well as read-only policies for employees.
• An IAM password policy -- in which AWS Landing Zone can allow a user to set the password policy for complexity.
• AWS Config -- which can forward AWS resource configurations to a Log Archive S3 bucket-- a public cloud storage resource available in Amazon Web Services' Simple Storage Service (S3).
• AWS CloudTrail -- which sends AWS service application program interface (API) calls to an Amazon S3 Log Archive bucket.
• AWS Config Rules -- which is used to define rules surrounding provisioning, configuring and monitoring AWS resources, as well as multi-factor authentication (MFA) and encryption. Config will audit resource configurations continuously.
• Notifications -- which can configure an Amazon CloudWatch alarm or events, sending notifications whenever there is an API authentication failure, root account login's or console sign-in failures.
• Configurable Amazon Virtual Private Cloud (VPC) Infrastructure -- Landing Zone can configure initial networks for accounts, which means it can delete the default VPC, deploy requested AVM network types as well as use Shared Services VPC.

Security Account also includes Amazon GuardDuty, a managed cloud security monitoring service that can be used to detect behavior and threats that have the potential to compromise AWS accounts, resources or workloads. GuardDuty will make use of continuous monitoring and can detect attacker reconnaissance, compromised resources and compromised accounts. Attacker reconnaissance refers to threats such as failed login patterns, unusual API activity and port scanning. Compromised resources could refer to spikes in network traffic, while compromised accounts can refer to API calls from odd locations or attempts to disable CloudTrail.

These security precautions can allow an organization to implement their AWS environment while not having to put as much worry in security. 

On some occasions, security may be at the forefront of an organization's mind while implementing an AWS environment, but 'it doesn't have the manpower, centralized governance or skills to ensure security while migrating environments. On its website, AWS refers to a use case in which the organization, NetEnrich, was concerned about data security during migrations. A customer of NetEnrich wanted to gain better control of its AWS environment while enforcing a system that was compliant with regulatory frameworks such as HIPAA and SOC1, all while maintaining a system of checks, balances and having access controls. NetEnrich had these concerns along with an emphasis on account-level visibility and security. NetEnrich used AWS Landing Zone to accomplish its customer''s goal and, with the focus on security, implemented data security, logging, automated account provisioning, as well as Identity and Access Management. Configured policies were then integrated with the customer''s Active Directory Federation Services (AD FS) and AWS Single Sign-On (AWS SSO).

Basic Setup

AWS recommends an expert handle the installation of AWS Landing Zone since the setup process can be complicated. An AWS Landing Zone installation is handled using an initiation template, which is actually a CloudFormation template. The template allows users to select specific and basic settings in their Landing Zone Setup.

The initiation template will write to a config template on an S3 bucket, which aids in creation of the CodePipeline. The CodePipeline is used to run changes made to the config and will apply changes to the surrounding infrastructure.

The basic tenants in the setup process include the master, security, logging and shared services. The master includes core features and tools such as the CodePipeline, Single Sign-On and the Account Vending Machine, which helps automate the creation of new AWS accounts. Security includes the AWS Config aggregator and Amazon GuardDuty. Logging is the central location for logs that, for example, could come from CloudTrail audits. Shared services is the location where services in Landing Zone are accessed by all accounts.

When NetEnrich, for example, started to deploy AWS Landing Zone, its security account included the AWS Config aggregator, Amazon GuardDuty and alerts. NetEnrich's logging focused on adding Amazon VPC Flow Logs. Shared services focused on implementing a shared virtual private cloud for remote connectivity to different accounts.

Users who choose to set up AWS Landing Zone should also focus on design implementation, setting service limits if needed, creating and securing root users, creating member accounts and deploying AWS Landing Zone Initialization AWS CloudFormation stack. Users considering design should focus on securing passwords, MFA tokens and storage for the root user in each account. Design should also focus on organizing member accounts, implementing service control policies and naming root-user email addresses for AWS accounts. Member accounts can be made using the AVM.
Limits are placed by default to a specific number of accounts for an organization, so users implementing AWS Landing Zones should fill out an AWS support ticket to the master account to increase the limit.

Users should also focus on setting up and securing root users. Root user email addresses should be created with a naming scheme that will help organize any root user accounts. AWS will also generate a random password for a root user when a member account is created. The password can be changed by going through the account recovery process for the root user.

Users should also deploy AWS Landing Zone Initialization AWS CloudFormation stack, which can vary in time. Typically, The AWS Landing Zone Initialization AWS CloudFormation stack should take a couple of minutes and the AWS CodePipeline should take a few hours to complete.

Benefits

AWS Landing Zone includes benefits such as:

• Allows users to implement multiple core accounts in an organization.
• Automates setup of an AWS environment.
• Automates account provisioning.
• Creates a baseline for security.
• Operates in a DevOps environment.
• Can integrate with Gitlab.
• Security features include monitoring, alerts, logging, identity and access management, service control policies and multi-factor authentication.
• Governance options can automatically enable rules and dashboards.
• Provides visibility for resource utilization.
• Users can create new accounts from the AVM.
• AVM uses single sign-on to manage access to user accounts.

Concerns

Although AWS Landing Zone can be useful in setting up an AWS environment, users should still be aware of some concerns that may come with it. For example:

• In most cases, Landing Zone will need an AWS expert to set up -- complex enough for AWS to recommend it being deployed by their services.
• The more services used, the more complex the system can be, making it potentially difficult for users.
• With Landing Zones being complicated to set up, it can also be complicated to troubleshoot.
• Landing Zone may not be compatible with existing master accounts, meaning a new master account would have to be used.
• It might cause too much overhead for smaller organizations.

Cost

By default, Landing Zone has resources that require payments, such as AWS Config Rules and GuardDuty, for example. The cost of these resources should total around $200 monthly.