Delivus Cloud Infrastructure — Landing Zone setup

kokospapa
Published in 딜리버스
6 min read · Oct 8, 2021

This article illustrates how to set up an AWS cloud environment: accounts, IAM users and permissions.

This article is the second part of a series. If you want to jump to other sections, please refer to the links below.

Part 1 — Cloud governance
Part 2 — Landing Zone setup (this article)
Part 3 — Account Creation (TBD)
Part 4 — Guardrail (TBD)

Landing Zone

https://www.youtube.com/watch?v=RSv9H59AsoI

AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices, setting up a multi-account environment can take a significant amount of time, involve the configuration of multiple accounts and services, and require a deep understanding of AWS services.

Superwerker

As mentioned in the previous article, we will use Superwerker to set up our landing zone.

Superwerker is a free, open-source solution that lets you quickly set up an AWS Cloud environment following best practices for security and efficiency so you can focus on your core business. It is built by AWS Advanced Partners who have decades of experience setting up and automating AWS Cloud environments.

The Quick Start automates the configuration of the following AWS services and features:

  • AWS Control Tower for setting up and governing a secure, multi-account AWS environment.
  • AWS Single Sign-On (AWS SSO) for managing access to multiple AWS accounts and business applications with a single login.
  • Amazon GuardDuty for monitoring and protecting your AWS accounts, workloads, and data against malicious activity, threats, and breaches.
  • AWS Security Hub for aggregating, organizing, and prioritizing your security alerts and findings from AWS services.
  • AWS Backup for centrally managing and automating backups across AWS services.
  • AWS Budgets for configuring cost threshold alarms.
  • Preventative guardrails with service control policies that protect the infrastructure from intentional or unintentional mistakes, such as using restricted AWS Regions, deleting backup copies, and deactivating security features.
  • AWS Systems Manager, including its OpsCenter resource for viewing, investigating, and resolving operational issues.
  • Amazon Simple Email Service (Amazon SES) for providing secure mailboxes and IT service catalog aliases for all root accounts.
  • Amazon CloudWatch dashboard with information and links to resources, such as how to set up your AWS account, how to set up SSO with existing identity providers, and how to access GuardDuty and Security Hub dashboards.

Deploying Superwerker

Prerequisite

→ AWS account (root user access)

→ Domain with DNS configured (we recommend using Route 53 for the ops email)

Quick start guide

We recommend going through the quickstart guide. Rather than copying the whole walkthrough here, we only comment on the places where we got stuck.

Walkthrough

You can deploy the Superwerker template by clicking the following link (https://fwd.aws/Ag3x4).

You can toggle features when launching the template. We turned on all the features since we use them all (Control Tower and SSO are included).

Here is the tricky part of the deployment.

As the quickstart guide explains, you need to create a subdomain and delegate its DNS zone.

When entering values into the CloudFormation template, you must provide both a domain (example: mycompany.com) and subdomain (example: aws) names for a DNS zone created by Superwerker. The installation provides Name Server (NS) entries for the newly created DNS zone. You must create an NS entry within your DNS provider to delegate the DNS zone (these records are available later in the CloudWatch dashboard). The Superwerker installation waits until the delegation is properly configured.

Refer to the following document for domain delegation.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingNewSubdomain.html
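The delegation step above, as an added example that is not part of the original post or the Superwerker project: it produces the Route 53 change batch that publishes the NS records in the parent zone and then checks that public DNS actually serves them, which is the condition Superwerker waits for. The domain, subdomain and name-server values are assumed sample values.

```python
# Added example, not from the original post or from Superwerker. Builds the Route 53
# change batch that delegates the Superwerker subdomain to its NS records and checks
# the live delegation. Domain, subdomain and NS values below are constructed samples.
import json
import subprocess

PARENT_DOMAIN = "mycompany.com"   # hosted zone you already control (post's example)
SUBDOMAIN = "aws"                 # subdomain Superwerker creates (post's example)
# Constructed sample NS set; use the four shown in the CloudWatch dashboard instead.
SUPERWERKER_NS = ["ns-1.awsdns-00.com.", "ns-2.awsdns-01.net.",
                  "ns-3.awsdns-02.org.", "ns-4.awsdns-03.co.uk."]

def fqdn(name):
    """DNS compares names case-insensitively and with a trailing dot; normalise to that."""
    return name.lower().rstrip(".") + "."

def delegation_change_batch(parent, sub, nameservers, ttl=300):
    """ChangeBatch document for `aws route53 change-resource-record-sets --change-batch file://...`.
    UPSERT keeps the call idempotent if the NS record set already exists."""
    if not nameservers or len(nameservers) > 4:
        raise ValueError("a Route 53 hosted zone is served by exactly four name servers")
    return {
        "Comment": f"Delegate {sub}.{parent} to the Superwerker hosted zone",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn(f"{sub}.{parent}"),
                "Type": "NS",
                "TTL": ttl,
                "ResourceRecords": [{"Value": fqdn(ns)} for ns in nameservers],
            },
        }],
    }

def delegation_ok(expected, observed):
    """True when the NS set public DNS returns equals the expected set (order and
    trailing dots ignored). Superwerker waits until this condition holds."""
    return {fqdn(n) for n in expected} == {fqdn(n) for n in observed}

def resolve_ns(name):
    """Ask public DNS (via dig +short) for the NS set currently served for a name."""
    out = subprocess.run(["dig", "+short", "NS", name], capture_output=True, text=True, check=True)
    return [line for line in out.stdout.splitlines() if line]

if __name__ == "__main__":
    print(json.dumps(delegation_change_batch(PARENT_DOMAIN, SUBDOMAIN, SUPERWERKER_NS), indent=2))
    live = resolve_ns(f"{SUBDOMAIN}.{PARENT_DOMAIN}")
    print("delegation in place:", delegation_ok(SUPERWERKER_NS, live))
```

Save the printed JSON to a file and pass it to `aws route53 change-resource-record-sets --hosted-zone-id <parent zone id> --change-batch file://delegate.json`; the check uses whatever resolver `dig` is configured with, so run it from outside the VPC to see what Superwerker sees.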

Once finished, you will be able to confirm that the CloudFormation stacks have been deployed.

Control Tower

Let’s go to Control Tower to check that everything is set up properly. Once deployed, you can see accounts, guardrails and OUs at a glance.

Your organization and accounts may differ from ours.

We will briefly go over each menu item.

Organization Units

You can see all OUs at a glance. Certain OUs (Root, Security, Sandbox) are created automatically. We added a Workload OU for the deployment environments.

Account

Account Factory


With Account Factory you can provision new accounts and enroll existing accounts, and you can standardize account and network configurations when creating multiple accounts. If you create an account manually, you need to configure CloudTrail and AWS Config every time.

Guardrail

Guardrails are a set of rules that enforce compliance with the governance policy for the cloud environment. They are applied at the OU level.

There are two types of guardrail behaviors:

  • Preventive — A preventive guardrail ensures that your accounts maintain compliance, because it disallows actions that lead to policy violations. The status of a preventive guardrail is either enforced or not enabled. Preventive guardrails are supported in all AWS Regions.
  • Detective — A detective guardrail detects noncompliance of resources within your accounts, such as policy violations, and provides alerts through the dashboard. The status of a detective guardrail is either clear, in violation, or not enabled. Detective guardrails apply only in those AWS Regions supported by AWS Control Tower.

AWS Control Tower provides three categories of guidance: mandatory, strongly recommended, and elective guardrails.

  • Mandatory guardrails are always enforced.
  • Strongly recommended guardrails are designed to enforce some common best practices for well-architected, multi-account environments.
  • Elective guardrails enable you to track or lock down actions that are commonly restricted in an AWS enterprise environment.
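As an added illustration of a preventive guardrail (not code from the original post, Control Tower or Superwerker): a region-restriction service control policy in the shape AWS documents, plus a simplified evaluator that walks only the policy's Deny statements so you can see which calls it blocks and why global services must be exempted. The allowed Regions, global-service list and break-glass role name are assumed sample values.

```python
# Added example, not from the original post, Control Tower or Superwerker.
# A preventive guardrail as an SCP: deny every API call outside an allow-list of
# Regions, except for global services and a break-glass role. The evaluator below is
# a simplified model of SCP Deny semantics, not the real IAM policy engine.
import fnmatch

ALLOWED_REGIONS = ["ap-northeast-2", "us-east-1"]   # constructed choice of Regions
# Global services are served from us-east-1 only, so they must stay reachable.
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "route53:*", "support:*", "budgets:*"]

REGION_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideAllowedRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICES,
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS},
            # constructed break-glass role name; the management account is never subject to SCPs
            "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/BreakGlassAdmin"]},
        },
    }],
}

def _matches(patterns, value):
    """IAM-style wildcard match (* and ?), case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def scp_denies(policy, action, region, principal_arn):
    """True when a Deny statement applies to the call. SCPs never grant anything, so a
    call survives the guardrail exactly when no Deny statement matches it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the statement covers every action except the listed ones
        if "NotAction" in stmt and _matches(stmt["NotAction"], action):
            continue
        if "Action" in stmt and not _matches(stmt["Action"], action):
            continue
        cond = stmt.get("Condition", {})
        # StringNotEquals is false (statement does not apply) when the Region is allowed
        if region in cond.get("StringNotEquals", {}).get("aws:RequestedRegion", []):
            continue
        # ArnNotLike is false when the caller matches an exempted principal pattern
        if _matches(cond.get("ArnNotLike", {}).get("aws:PrincipalARN", []), principal_arn):
            continue
        return True
    return False
```

The deny is what Control Tower reports as the "enforced" status; a detective guardrail would instead flag the resource after the fact via AWS Config, which this model does not cover.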

Applying guardrails

You can enable strongly recommended and elective guardrails per OU. Select a guardrail to open its detailed view and click Enable guardrail on OU.

Users and Access

Here you can find the AWS SSO related configuration. We will go over how to create new accounts and permission sets in detail.

Shared Account

Management — Used for billing for all accounts in an organization, to create new accounts, and to manage access to all accounts.

Log archive — Used as a repository of logs of API activities and resource configurations from all accounts.

Audit — A restricted account for your security and compliance teams to gain read and write access to all accounts.

Landing Zone settings

You can update guardrails and other configuration regarding landing zone here.

Activities

Every landing zone related activity is logged here.

Moving on

Now that we have a pretty good idea about the landing zone, we will go over how to create accounts using Account Factory with AWS SSO.
