Manage AWS Accounts with Control Tower Landing Zones and SSO

How does your company manage your Amazon Web Services accounts?

If you have teams of developers and multiple users with different job functions, how do you handle user access? What about user restrictions to production and development environments? How about log and audit accounts? Do you implement AWS best practices for multi-account management?

This article explores AWS SSO to manage AWS Landing Zone access.

Discover what a landing zone does and how to implement the right solution. Learn about security baseline services in the cloud. See how to migrate your existing AWS accounts using AWS Control Tower.

Read on to learn how to manage your AWS user accounts and how hiring a consulting partner will help.

AWS Accounts and User Accounts

It would be helpful to start by disambiguating the term "account" in AWS. There are two kinds of accounts we refer to in this piece:

AWS Accounts

These are containers in which we run services and deploy our workloads. Our monthly bills are based on all the services we run in our accounts. We may have a separate AWS account for each environment, like production and staging, or perhaps for different business units or applications.

User Accounts

These are each for individual users to access the AWS account, deploy workloads, run services, view logs, and make configurations. User accounts are based on authorization policies that determine which services and actions within those services are permitted by the administrator for the user.

Every Amazon Web Services account comes with two user account types:

1. The account owner or root user
2. Identity and Access Management (IAM) users

The root user account acts as the administrator account and is automatically generated when your AWS account is first created. The credentials you receive when you sign up with AWS (the act of creating an AWS account) are for the account's root user. While logged in as the root user, you create additional IAM accounts, each with security credentials and access controls.

Amazon encourages companies to follow the best practice of immediately creating an IAM user with full admin privileges and disabling the root user's CLI access keys to avoid the risk of this user account, with its unfettered authorization, from being compromised by a 3rd party. The AWS account owner can then use their administrator IAM user for most tasks and only log in as root when absolutely necessary.

AWS Organizations

Amazon enables companies to control their AWS accounts through AWS Organizations.

An AWS Organization allows your company to centrally manage and organize your AWS accounts on Amazon Web Services. With it, you can create new AWS accounts and group those accounts to:

• Allocate resources
• Organize workflows
• Apply policies and guardrails for governance
• Simplify billing

You can also carry out programmatically through a CLI and SDKs for popular programming languages, many administrative actions such as creating new AWS accounts, creating organizational units, moving accounts into those OUs, listing and creating policies, and much more.

What Is an AWS Landing Zone?

Managing an organization of AWS accounts isn't for the faint of heart.

Configuration requires expert knowledge of AWS architecture best practices. Configuring multiple accounts with relevant services and establishing security baselines and access controls is time-consuming. It's easy to make a mistake which can lead to significant security issues further along in production.

An AWS Landing Zone solution aims to ease this burden.

It works within the AWS Organizations service to set up multi-account environments. Instead of creating AWS accounts from scratch, Landing Zones come with pre-defined designs. These ensure that a secure baseline gets followed from the outset and include:

• Multi-account architecture
• Access and identity management
• Governance and data security
• Network design and logging

AWS Account Vending Machine

A Landing Zone deploys AWS Account Vending Machine (AVM) to provision and configure accounts. The AVM is an AWS Service Catalog product that organizes new AWS accounts into OUs.

These Organizational Units come preconfigured with a specific network and account security baseline.

Admins can create as many AWS Landing Zone products and user permissions as they wish. End users can also create new accounts if their permissions allow it.

Security Baseline Services

A system's weakest point is its users. Poor user account management can grant access to unauthorized personnel. That's why AWS implements a range of security baseline services.

The default security baseline settings incorporate eight services which are outlined below.

AWS CloudTrail

AWS CloudTrail is a logging service that tracks your users' actions across AWS's infrastructure in your accounts.

All logs get stored in an S3 bucket in a log archive account. The trail also extends to AWS CloudWatch logs for local operations for 14 days. You can even use this service to detect unusual activity and monitor threats.

Cross-account access works alongside CloudTrail to configure audit access. It also provides emergency security access to Landing Zone accounts.

AWS Config

AWS Config rules monitor among other things, storage encryption across services like AWS EBS, S3, and RDS.

They also check IAM password policies, group rules, and multi-factor authentication (MFA) and other things to ensure they remain within your pre-determined configurations.

All records are logged within the S3 audit bucket.

Amazon Virtual Private Cloud (VPC)

Amazon VPC is the foundation of your network within a region in an AWS account.

You can launch AWS resources in one of these isolated virtual networks that you define. You decide the IP address ranges for subnets in your VPC(s), covering IPv4 and IPv6 addresses.

Amazon VPC grants access to multiple layers of security, including network access control lists (NACLs) and security groups.

AWS Landing Zone Notifications

Amazon CloudWatch automatically notifies authorized AWS users in the event of:

• Root account login attempts
• Console login failures
• API authentication failures

Amazon GuardDuty bolsters this protection by monitoring for malicious activity.

It checks for unauthorized behaviours across your AWS accounts, S3 data stores, and workloads. AI Machine Learning analyzes billions of events across these services at lightning speed. And you can activate it directly from the AWS Management Console.

What Is AWS SSO?

Amazon Single Sign-On (AWS SSO) service simplifies SSO access to AWS accounts and business apps.

It works within the AWS Organizations system and uses SAML 2.0 (Security Assertion Markup Language). This open XML standard authenticates and authorizes data between identity and service providers.

In essence, SSO means that with a single set of credentials, one can log in to all the accounts in an organization.

The Single Sign-On option communicates with an AWS SSO endpoint which validates the SSO Directory. A valid login grants access to a list of services that match the user's credentials.

Unified Administration Experience

AWS SSO aims to help simplify account access for administrators and your workforce.

The administration portal lets you define and customize access for each user and group. SSO will also provide your users with a portal to view all their cloud applications and accounts in one place.

AWS SSO offers greater flexibility than traditional directory platforms. It can run alongside existing AWS account access management through AWS IAM. With a few clicks, you can connect the service to your existing identity sources.

Create and Manage AWS Landing Zones With AWS Control Tower

The AWS Control Tower is a service that creates Landing Zones from your AWS Organization management account.

No longer is it necessary to implement your own landing zone solution from scratch. Control Tower makes it easy to deploy a Landing Zone with a few clicks and it offers an Account Factory feature that is part of AWS Service Catalog.

Control Tower helps with governance and implements best practices. Setup includes blueprints that configure AWS security and management services. These blueprints provide:

• Identity management
• Federate access to AWS account
• Centralize logging for cross-account auditing purposes
• Define workflows for new accounts
• Account baselines with network configs

There are mandatory and 'strongly recommended' rules or guardrails with which you must comply.

These guardrails help enforce Service Control Policies (SCPs). They detect policy violations using the AWS Config rules. These rules remain in force when you create new accounts or edit existing users. Control Tower builds a summary report of how each of your accounts conforms.

Types of Guardrails in Control Tower

Guardrails govern security, compliance, and operations through a set of pre-packaged rules. You can apply them across your enterprise or only to specific account groups.

A guardrail is written in plain English and is either detective or preventive.

Preventive guardrails aim to ensure deployments conform to your existing policies. Detective guardrails actively monitor live resources for not adhering to your rules lists.

Control Tower translates guardrails into AWS policies automatically. It offers pre-defined rule sets that you can choose to implement—for example, preventing public read access to the log archive.

AWS Control Tower Dashboard and Third-Party Solutions

The Control Tower dashboard displays:

• Total number of organizational units (OUs)
• Number of enabled guardrails
• Status of OUs and accounts against guardrails
• Non-compliant resources

Third-party developers have developed a range of software that integrates with AWS Control Tower. Available from the AWS Marketplace, they solve operational issues and infrastructure concerns.

Account Access and Cloud Migration

Adopting Amazon Web Services and the cloud brings a range of benefits. However, one of the major challenges for system admins is migrating user accounts and managing access.

Amazon makes cloud migration as painless as possible.

With AWS Directory Service, you can import Microsoft Active Directory records for Windows-based networks. AWS tools also work with Azure AD and Okta Universal Directory. Existing roles and user groups even integrate with your new setup.

Yet, some CIOs sweat at the thought of transitioning to a cloud solution.

That's why it's essential to work alongside an AWS professional like Pilotcore. We can assist your cloud adoption migration to ensure that no user gets left behind.

Successful Cloud Strategies With Pilotcore

Amazon Web Services offers several robust and secure options to manage AWS accounts and access to them.

AWS SSO and AWS landing zones with Control Tower provide a smooth way to create and govern accounts, users, roles, and policies. Everything gets audited and stored in a secure S3 bucket. Alert systems like GuardDuty even notify you of unusual activities like root access login attempts.

To avail of the AWS infrastructure and to set up accounts takes a complete knowledge of the AWS platform. Thankfully, Pilotcore is here to help.

As an AWS Partner Network Consulting Partner, we have expert, certified consultants experienced in AWS deployment. We'll work with you to develop the right solution for your workloads so you can start reaping the benefits of the cloud right away. Our services list covers everything from cloud architecture design to DevOps. We can even help reduce your monthly AWS bills.

Contact our team in Ottawa today and discover how to manage your AWS users better.