Utilizing AWS Landing Zones: Best Deployment Practices

By Jay Smith / on 08 Sep, 2023

AWS Landing Zones provide a simple way to set up a secure and scalable multi-account environment on AWS based on best practices. The goal is to establish a solid account structure with controls around isolation, compliance, and access right from the start.

Key benefits:

  • Isolation between workloads and accounts
  • Built-in security controls
  • Centralized identity and access management
  • Pre-configured network design
  • Default governance guardrails
  • Consolidated logging

Overall, Landing Zones give organizations a structured approach to launching new workloads and applications quickly and securely on AWS.

Benefits of a Multi-Account Environment

Using multiple AWS accounts provides important benefits for security, isolation, and organizational management. Here are some of the key advantages of structuring your AWS footprint with separate accounts:

Isolation

  • Account isolation limits the blast radius of a failure or breach to a single account rather than the whole environment.
  • Workload isolation ensures changes in one workload don’t affect others.
  • Resource isolation contains impacts of outages, resource limits, etc.
  • Data isolation secures and separates sensitive data.

Security Controls

  • Per-account security controls enable fine-grained policies based on sensitivity.
  • Separate accounts allow for more focused audits and compliance.
  • Accounts can be managed by separate security teams.

Access Management

  • Granular IAM policies per account and workload.
  • Access can be locked down at the account level.
  • Cross-account access management establishes secure sharing.

Organizational Management

  • Account structure maps to business units and functions.
  • Account ownership aligns with teams.
  • Billing and chargeback can be accounted per account.
  • Account quotas are separate - no noisy neighbor problems.

Operational Agility

  • Accounts facilitate delegation of ownership.
  • Self-service account creation enables innovation.
  • New workloads can be spun up quickly in new accounts.

So in summary, the multi-account approach is a security and design best practice for organizations using AWS at scale. AWS provides tools like AWS Organizations to make creating and managing multiple accounts easier.

AWS Organizations Overview

AWS Organizations is an AWS service that enables you to centrally manage and govern your environment as you scale your workloads across multiple AWS accounts.

With Organizations, you can create separate AWS accounts underneath a root account and organize them into organizational units (OUs). This supports the recommended account structure aligned to your business needs.

Key capabilities include:

  • Centralized management of accounts and policies
  • Hierarchical grouping of accounts into OUs
  • Cross-account access controls
  • Consolidated billing and chargeback
  • Account isolation through Service Control Policies (SCPs)

Key Components

AWS Organizations is made up of:

  • Root account - The original AWS account used to set up Organizations.
  • Organizational units (OUs) - Containers for grouping AWS accounts.
  • AWS accounts - Individual accounts created under the Organizations structure.
  • Master account (now called the management account) - Central point of administration for the organization.

OUs provide the flexibility to model your account structure and hierarchy however you want.

Policies

Organizations enables you to apply policies across multiple accounts without having to manually configure each one:

  • Service control policies (SCPs) - Allow lists and deny lists for AWS services and API actions.
  • Tag policies - Require tags on resources for governance.
  • Backup policies - Central backup settings.

These facilitate consistent guardrails and controls for compliance across all accounts.

Overall, AWS Organizations provides the foundation for a structured, governed multi-account environment aligned to your business’s needs.

AWS Control Tower vs Custom Landing Zones

When setting up a secure multi-account environment on AWS, you have two primary options:

  1. Use AWS Control Tower
  2. Build a custom landing zone

AWS Control Tower

AWS Control Tower provides a managed service to automate the setup of a landing zone based on AWS best practices.

Key features:

  • Creates core accounts and OUs
  • Applies pre-configured guardrails and policies
  • Provides account factory for provisioning new accounts
  • Central dashboard for monitoring and visibility

Benefits:

  • Fully managed service
  • Fast setup following AWS blueprints
  • Built-in governance and compliance
  • Simple account provisioning

Tradeoffs:

  • Less flexible for customization
  • Limited to AWS regions where Control Tower is available

Custom Landing Zone

You can build your own custom landing zone implementation on AWS.

This involves defining a baseline environment including:

  • Identity and access management
  • Network design
  • Governance model
  • Security controls
  • Auditing and logging

Benefits:

  • Complete customization to your requirements
  • Not limited to Control Tower regions
  • Full control over all aspects

Tradeoffs:

  • Time and expertise required for implementation
  • Ongoing management overhead
  • No built-in governance guardrails

For most organizations, we recommend starting with AWS Control Tower and then customizing as needed. But for advanced requirements, custom landing zones are an option.

Core Components of a Landing Zone

A landing zone provides the foundation for running secure, scalable workloads on AWS across multiple accounts.

The core components that need to be established for a robust landing zone are:

Identity and Access Management

  • Centralized directory for user identities and SSO
  • Federated access to AWS accounts
  • Cross-account IAM roles for admin access
  • Granular IAM policies in each account

Governance Model

  • Account structure and hierarchy
  • Naming conventions
  • Resource tagging policies
  • Change control processes

Network Design

  • VPC topology aligned to use cases
  • Hybrid connectivity to on-premises
  • Network security and DDoS protection
  • Route tables and access controls

Security Baseline

  • Encryption enabled by default
  • Security groups and NACLs
  • AWS Config rules to audit configurations
  • CloudTrail event logging

Auditing and Logging

  • CloudTrail logs sent to central S3 bucket
  • VPC Flow Logs for network monitoring
  • AWS Config records aggregated centrally
  • CloudWatch metrics and dashboards

By implementing these key pillars upon a solid AWS account structure, organizations can deploy workloads and applications with the security, governance, and network functionality required for business critical systems.

Ongoing management of the landing zone is also critical over time as the organization scales on AWS.

Implementing a Security Baseline

A core step in deploying a landing zone is defining and implementing a default security baseline across all accounts. This establishes fundamental security protections by default.

Elements of a strong multi-account security baseline include:

Identity and Access

  • Ensure multi-factor authentication is enabled for all privileged users
  • Require strong passwords and rotation policies
  • Disable root account access keys
  • Enable AWS IAM Identity Center for SSO

Network Controls

  • Restrict RDP/SSH access to bastion hosts
  • Implement security groups to allow only required ports/protocols
  • Enable VPC flow logs for visibility into traffic

Data Protection

  • Enable encryption of data at rest and in transit
  • Block public S3 buckets
  • Enforce least privilege access to data

Visibility and Auditing

  • Send CloudTrail logs to central logging account
  • Aggregate AWS Config data centrally
  • Enable AWS Config rules to audit configurations
  • Forward logs to SIEM or monitoring tools

Compliance Standards

  • Check regional regulatory compliance requirements
  • Consult compliance team on applicable standards
  • Adjust Config rules and controls to adhere to standards

Response Planning

  • Enable GuardDuty for malicious behavior detection
  • Configure event-driven notifications for security events
  • Establish incident response playbooks and testing

The goal is to apply this baseline across all accounts consistently using tools like AWS Organizations SCPs. Exceptions can be handled through formal exemption processes.
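To make the SCP guardrails referred to here (and in the Organizations policies section) concrete, the following is an added Python example, not code from the article or from AWS. It embeds a constructed baseline SCP with three common landing-zone guardrails and a small evaluator that models only the Deny side of SCP evaluation, which is enough to reason about how the region restriction and the CloudTrail protection behave; the policy content and the request contexts are assumptions for illustration.

```python
from fnmatch import fnmatchcase

# Constructed example SCP (not from the article): guardrails for every member-account OU.
BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Protect the audit trail: nobody may stop, change or delete CloudTrail.
            "Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
        },
        {   # Keep every account inside the organization.
            "Sid": "DenyLeaveOrganization", "Effect": "Deny", "Resource": "*",
            "Action": "organizations:LeaveOrganization",
        },
        {   # Deny regional API calls outside the approved regions, exempting
            # global services whose control plane AWS serves from us-east-1.
            "Sid": "DenyUnapprovedRegions", "Effect": "Deny", "Resource": "*",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*", "route53:*", "cloudfront:*"],
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}},
        },
    ],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, ctx):
    # Subset of IAM condition logic; a missing key fails StringEquals and passes StringNotEquals.
    for operator, pairs in (condition or {}).items():
        for key, values in pairs.items():
            present = ctx.get(key) in _as_list(values)
            if (operator == "StringEquals" and not present) or \
               (operator == "StringNotEquals" and present):
                return False
    return True

def denied_by(scp, action, ctx):
    """Return the Sid of the first Deny statement blocking `action` under context `ctx`, else None.
    Models only the Deny side: real evaluation also needs an Allow from every SCP on the OU path
    and from IAM, and SCPs never bind the management account."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny": continue
        if "Action" in stmt:
            applies = _action_matches(stmt["Action"], action)
        else:  # NotAction: the statement covers everything except the listed actions
            applies = not _action_matches(stmt["NotAction"], action)
        if applies and _condition_holds(stmt.get("Condition"), ctx):
            return stmt["Sid"]
    return None
```

Note that a request with no aws:RequestedRegion in its context is still caught by the region guardrail, which is why global services must be listed explicitly in NotAction rather than relied on to bypass the condition.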

Regular audits of the security baseline are critical to identify any drift from the desired state over time.

Account Provisioning Options

As your organization scales its use of AWS, new accounts will need to be created over time for new workloads, environments, and projects.

There are two primary options for provisioning new accounts in a secure and governed manner:

Account Vending Machine

The account vending machine (AVM) is an automation tool provided by AWS services like Control Tower and Organizations.

It allows new accounts to be created while adhering to your account structure, naming conventions, and security policies.

Key capabilities:

  • Automated creation of accounts
  • Enforces onboarding of required configurations
  • Applies baseline security automatically
  • Integrates with existing identity provider
  • Allows governance of new accounts

Benefits:

  • Increased speed of account provisioning
  • Reduced manual processes
  • Consistent configuration and security
  • Oversight of account creation

Manual Account Creation

New AWS accounts can be manually created as needed outside of an automated approach.

This involves steps such as:

  • Creating the new AWS account
  • Configuring users and groups
  • Applying base policies
  • Onboarding to centralized logging
  • Integrating with AD or SSO

Benefits:

  • Maximum flexibility in one-off scenarios
  • No additional services required

Drawbacks:

  • Slower process
  • Risk of human error
  • Duplicate work across accounts
  • Looser governance over new accounts

For most organizations, implementing an AVM provides major efficiency and security gains as their AWS footprint scales. But manual approaches may be needed in some cases.

Best Practices for Deployment

When implementing landing zones and multi-account environments, there are a number of best practices to follow:

Governance

  • Document account management procedures
  • Automate policy and config management
  • Centralize identity management
  • Enforce naming conventions
  • Implement processes for account creation/deletion

Networking

  • Use separate VPCs for different environments
  • Align VPC architecture to organizational needs
  • Implement least privilege security groups
  • Enable VPC flow logs
  • Establish hybrid connectivity

Security

  • Never use root accounts except for emergencies
  • Lock down IAM permissions to least privilege
  • Enable encryption and role separation by default
  • Continuously audit configurations
  • Formalize exemption process for one-off changes

Logging

  • Send logs to central repository
  • Retain logs based on compliance requirements
  • Aggregate logs into dashboards and alerts
  • Correlate logs across services
  • Automate analysis of logs via SIEM

Change Management

  • Utilize Infrastructure as Code tools
  • Test changes in lower environments first
  • Establish approval gates for changes
  • Maintain audit trail of changes
  • Implement change freeze windows where required

Adhering to strong practices in these areas will enable smooth growth and operation of even large-scale multi-account AWS environments.

Management Considerations

Once a landing zone and multi-account environment are deployed, ongoing management and governance are required for them to continue meeting business needs over time.

Change Management

  • Have automated processes to push changes across accounts
  • Review configurations for drift on a regular basis
  • Maintain approval workflows for change requests
  • Ensure documentation stays up to date

Access Controls

  • Review IAM permissions and roles quarterly
  • Log and audit all privileged actions
  • Rotate access keys and passwords per policy
  • Integrate new human users/applications promptly

Security Monitoring

  • Monitor VPN endpoints, security groups, and NACLs
  • Tune and maintain WAF rules
  • Configure alarms for usage spikes or anomalies
  • Run regular penetration tests and red team exercises

Cost Optimization

  • Keep unused resources turned off
  • Right-size instance types to workloads
  • Delete unused volumes and orphaned resources
  • Leverage Savings Plans and RI discounts

Incident Response

  • Run regular incident response simulations
  • Have 24/7 on-call contact information handy
  • Document triage and escalation procedures
  • Develop capabilities to isolate compromised accounts

Compliance Audits

  • Maintain compliant configurations via AWS Config rules
  • Collect evidence needed for control certification
  • Perform internal audits to identify gaps
  • Remediate issues prior to external audits

With strong processes in each of these areas, organizations can scale their multi-account AWS footprint while effectively managing risk, security, costs and compliance over time.

Conclusion

Implementing a secure and scalable multi-account environment on AWS is a best practice for organizations of any size.

The AWS account structure provides clear boundaries for management, isolation, and access controls.

Services like AWS Organizations make it easier to create accounts while maintaining centralized policies and compliance.

AWS Control Tower delivers pre-built landing zones following AWS security and governance guardrails.

For advanced customization, organizations can build their own landing zones tailored to their needs.

Key elements to focus on include:

  • Identity and access management
  • User and resource segmentation
  • Network topology and connectivity
  • Visibility through logging and auditing
  • Automated governance and controls
  • Incident response planning

No matter which approach is taken, maintaining the landing zone with strong change management processes is critical over time.

By leveraging the tools and best practices discussed, companies can deploy workloads on AWS across accounts with confidence in their security posture, operational integrity, and business alignment.

The multi-account model facilitated by landing zones provides the foundation for scale, agility, and innovation on the AWS cloud.

Looking for help with AWS Landing Zones or other advanced cloud technologies? The IT professionals at God Particle IT Group have the skills and experience to architect, build, and manage complex systems at scale. We specialize in cloud platforms like AWS and can provide enterprise-level support to develop and engineer cloud applications. Whether you need assistance with design, implementation, optimization, or managed services, contact us to see how we can help launch your next innovation. With deep expertise across today’s leading technologies, God Particle IT Group offers responsive, high-touch services to innovate faster.