Many years ago, I was working in a company where everything had to be created from scratch: defining the requirements, designing the rack, configuring the firewall, routers, and storage to be able to save data, defining user management, how to create all the infrastructure, and the list went on and on. This was a definitive infrastructure that hosted all customers and then managed them. Today, the way of thinking and drawing the entire infrastructure has changed. It has become much simpler thanks to flexibility and automation tools, but many of the requirements are the same.
When we start thinking about AWS and what customers want to do on AWS, we need to first think about requirements to better understand what the customers need. For example, which is the right service to use? What about security, governance, and baseline? How many accounts should I create for my customer based on their own use cases? How many users and groups, and what permissions should they have?
Let me introduce you to the concept of a Landing Zone and Control Tower, and why they work well together.
AWS Control Tower is an AWS managed service that controls resources across AWS Organizations, Identity and Access Management, guardrails, Service Catalog, and multiple AWS accounts. Through the Service Catalog, you can create as many accounts as you want and apply to them the rules derived from your requirements. Control Tower sets up a Landing Zone in an easy and secure way.
A Landing Zone is either the solution provided by AWS Control Tower, or your own solution built to your requirements: your own CloudFormation or Terraform stacks deployed across AWS accounts.
Landing Zone solution using Control Tower Service
Master Account
From the Master account, you can set up an AWS Control Tower that allows you to create:
Shared Accounts
Shared Accounts include the Logging Account and the Audit Account. They are not provisioned by Service Catalog but during the Control Tower setup. They share resources among all accounts provisioned in the Landing Zone. These could be services or tools for your organization; for example, a centralized directory, Active Directory for SSO integration, perhaps some infrastructure scanning, EBS volumes, a golden AMI, or a simple DNS. A cross-account IAM role is necessary to delegate access across AWS accounts.
Logging Account
Control Tower creates this account by default, and its purpose is to collect all the logs from the different accounts into this one. But what kind of logs do we need to collect? The logs could include infrastructure logs, application logs, VPC logs, security logs, database logs, etc. This account becomes the single point of truth. Access to it should be extremely limited; if anyone does log into the account, you may want to consider alarming on that condition. It can also be a Kinesis stream with a Lambda function that collects the logs in real time. For more information, I explained a centralized logging solution in a previous article.
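As an added example (not code from the original article), here is a small Python scanner that applies the "alarm on any login to the logging account" idea to CloudTrail records: it flags console logins, root activity, and API calls by any principal outside a short allow-list. The account id, the sample records, and the Developer role are constructed; AWSControlTowerExecution is assumed to be the automation role you want to allow.

```python
LOGGING_ACCOUNT_ID = "111111111111"           # constructed placeholder account id
ALLOWED_ROLES = {"AWSControlTowerExecution"}  # assumed automation-only allow-list

# Constructed sample records in CloudTrail's JSON record shape.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "recipientAccountId": "111111111111", "sourceIPAddress": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
         {"arn": "arn:aws:iam::111111111111:role/AWSControlTowerExecution"}}}},
    {"eventName": "DeleteBucket", "eventSource": "s3.amazonaws.com",
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
         {"arn": "arn:aws:iam::111111111111:role/Developer"}}}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

def principal_name(identity: dict) -> str:
    """Reduce a CloudTrail userIdentity block to a role name, user name or 'root'."""
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"].rsplit("/", 1)[-1]
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName", "unknown")

def scan(records: list) -> list:
    """Return (finding, principal, eventName) tuples for records in the logging account.

    Records addressed to other accounts are ignored; every console login is a
    finding regardless of success, because nobody should be logging in here."""
    findings = []
    for r in records:
        if r.get("recipientAccountId") != LOGGING_ACCOUNT_ID:
            continue
        who = principal_name(r.get("userIdentity", {}))
        if r.get("eventName") == "ConsoleLogin":
            findings.append(("console_login", who, r["eventName"]))
        elif who == "root":
            findings.append(("root_activity", who, r["eventName"]))
        elif who not in ALLOWED_ROLES:
            findings.append(("unexpected_principal", who, r["eventName"]))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS))
```

In a real deployment the same conditions would be expressed as a CloudWatch metric filter or EventBridge rule on the organization trail, with the alarm delivered to the Audit Account.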
Audit Account
This account is also set up by Control Tower, and its purpose is to establish security. In this account you establish the cross-account role, reports, and real-time alerts. Make sure that users, groups, and applications have the right permissions.
Functional Account
How many accounts you should create here depends on your case, and on how you want to build and implement your application. A significant software development project uses multiple environments, and each environment maps to its own AWS account. Below, I've listed four AWS accounts (Dev, QA, Pre-Prod and Production) that you should have, at the very least, in your solution. You can scale easily by adding more AWS accounts using the Service Catalog in the master account.
Baseline Requirements:
To establish a set of requirements in each AWS account, the first step is establishing a Landing Zone that is set up around these account-level requirements. We have the concept of accounts, and each account is truly independent from any other account within the organization. Therefore, the baseline requirements we want should include:
What is the best way of setting up a landing zone: using Control Tower, or setting up your own Landing Zone?
In the image below, there are some pros and cons of using Control Tower versus setting up your own landing zone.
Conclusions
The Landing Zone solution helps customers with large organizations to automate and easily add as many accounts, organizations, and guardrails as needed. There are pros and cons to using Control Tower to set up a Landing Zone, so it's up to you to determine how you are going to set up your Landing Zone based on your case and requirements.