The Landing Zone’s design needs to consider who would access the AWS accounts, and what kind of permissions they will have. The principle of least privilege helps as a guide for defining the bare minimum permissions the developers or the tools need to perform some activity in the AWS accounts.
Auditing all activities with AWS CloudTrail, which is the security auditing and troubleshooting service, allows the platform owners or security professionals to alert and investigate any unexpected usage across all AWS accounts. We discussed the service integrations with AWS Organizations, and this is something that CloudTrail can also benefit from. As a best practice, enabling an organization-wide trail allows centralized aggregation of audit data in an S3 bucket that sits in the LogArchive account. This automatically injects trail configurations into the new accounts as and when they are created, or an existing account joins the organization. As part of enterprise security measures, you should enforce an SCP that blocks any IAM action that could result in tampering with the data contained in this S3 bucket, or modification of any encryption keys used by the CloudTrail service.
Secondly, for user access needs, I would highly recommend using AWS IAM Identity Center, which allows you to create and connect all workforce users centrally and manage their access across all other AWS accounts. With Identity Center, you can leverage existing identity providers (IdPs) such as Azure Active Directory to federate users into the AWS accounts.
Note
The IAM Identity Center control plane is only available in the AWS region where the service is instantiated. It’s good practice to prepare for scenarios where the same region is impacted by a disaster. Identity Center not being available could mean that all your users’ access to AWS accounts would be locked out. To mitigate this, it’s recommended to have a set of break-glass IAM users that can be used in exceptional circumstances for emergency access. These credentials should be safeguarded with MFA; the access key ID and secret access key should remain with different people to avoid misuse. Of course, all the activities should be audited and credentials rotated at regular intervals.
Third, it’s difficult to ensure awareness and preventive measuresof all possible security incidents that can happen in the AWS accounts. Amazon GuardDuty is a low-hanging fruit that leverages machine learning to identify unusual network traffic, DNS logs, CloudTrail events, and potential scenarios of privilege escalation. It can also alert about unusual EC2 behaviors that are representative of malware and Bitcoin mining. By leveraging integration with AWS Organizations, GuardDuty can automatically scan all your AWS accounts across the organization and feed the findings into AWS Security Hub, which is an aggregator of security checks from multiple other services.
DevOps and config management
Your Landing Zone implementation is going to be managed as code, just like any other software application. It’s highly recommended to start this off with well-defined practices such as IaC, CI, and automated code validations. Any CloudFormation templates you author should pass the security check gates and policies that define what you can and cannot do in your AWS landscape.
Most of the AWS solutions trigger off of a source code repository, often managed inAWS CodeCommit. We will see what this looks like in practice when we cover the CfCT solution later in this chapter.
As the deployments tools have permission to deploy resources into almost any other account in your organization, it’s invaluable to enforce the right access controls on these pipelines so that they are not misused in any way. Access to the accounts that host the deployment tools and frameworks should be highly restricted as well. If you’d like to use other CI/CD systems, such as GitLab, you might be interested in looking at Open ID Connect (OIDC) integrations with AWS IAM, which removes the need for provisioning any temporary IAM users, or credentials, for use in your CI/CD pipelines.