How to Secure Your AWS Landing Zone, the Kyndryl Way

Companies starting their AWS journey usually start with a single account which they use to run their production workloads. An AWS account can be thought of as a logical container that contains all your cloud resources and is used to simplify billing and other activities.

Things soon start becoming complex, however, as additional workloads start getting migrated to the cloud. As more and more departments demand the ease and flexibility that the cloud offers, your cloud environment starts to grow. Suddenly you need another account for logging, another for security, another for sandbox, engineering, production, etc., and what was a simple cloud environment soon becomes a complex multi-account giant!

The good news is that as the world’s biggest cloud provider, AWS gives you a huge number of services and tools that you can use to secure and govern a multi-account environment.

Let us start first with the concept of a Landing Zone. A Landing Zone, as per AWS, is a “well-architected, multi-account AWS environment that is a starting point from which you can deploy workloads and applications. It provides a baseline for multi-account architecture, identity and access management, governance, data security, network design, and logging.”

Simply put, a Landing Zone makes it easy for you to govern your multi-account environment and put in controls to ensure that your accounts follow baseline security policies.

You can either create a Landing Zone yourself or use an AWS-managed service referred to as AWS Control Tower.

The following diagram shows an AWS Control Tower-based landing zone account structure with different accounts and OUs.

What is AWS Control Tower

For customers starting out their cloud journey, AWS recommends using Control Tower, which is a fully managed service that creates a landing zone based on predefined best practices. AWS control tower will spin up an environment that comes built-in with AWS security best practices, and that automates various activities associated with a multi-cloud environment.

Some of the things which AWS Control Tower does for you are:

• Sets up Security GuardRails to ensure your Accounts do not go out of compliance with your security policies.
• Creates an Account Factory so that new accounts are provisioned with best practices in place. Security teams can allow departments to provision accounts via self-service, knowing that they will be created with security guardrails in place.
• Provides a dashboard that allows you to monitor the security health of your multi-cloud environment.
• Sets up AWS IAM Identity Center (the new version of AWS SSO) for identity federation.

The amount of ease and automation that the AWS control tower comes with makes it the preferred choice for setting up a secure AWS landing zone.

In addition to Control Tower, AWS provides other recommended services to set up a proper defense-in-depth security framework.

Amazon GuardDuty

Amazon GuardDuty is AWS’s native threat detection service that is powered by machine learning. GuardDuty monitors your environment to detect malicious activity within your workloads, such as EC2 instances, containers, S3, etc. It uses machine learning to build up a baseline of your environment across various data sources such as CloudTrail, VPC flow logs, DNS query logs, etc.

The best thing about GuardDuty is that it can be integrated with Control Tower using the delegated administration feature, which allows the oversight of multiple GuardDuty accounts. The cybersecurity team can nominate an account to be the delegated administrator in Control Tower, and this account will manage GuardDuty across your multi-account environment. You can create a new account or use one of the ones already provisioned by Control, such as the security account.

AWS Security Hub

Another important tool that is required to secure your Landing Zone is AWS security hub which is a native cloud security posture management service provided by AWS. It is a one-stop shop to monitor your entire AWS environment for security issues and to assess compliance against standards like CIS, PC IDSS, etc. AWS security hub allows you to consolidate findings from different security services like Guard Duty, Amazon Inspector, Amazon Macie, etc., in a single dashboard. It is an excellent tool to gain a holistic view of your security posture and see what the most critical security findings across accounts are.

Like GuardDuty, AWS Security Hub can also operate in a delegated administrator mode and monitor a multi-account environment. Security teams can set up an AWS security hub in this mode and aggregate their findings for both existing and new accounts within AWS Control Tower. Again, this can be done by setting up a new account and designating it as the administrator or by using one of the existing ones which AWS Control Tower creates.

AWS Cloud Trail

CloudTrail simplifies compliance audits by automatically recording and storing event logs to a central location service called AWS S3 bucket for actions made within the AWS account. It provides a history of activities in your AWS account. It helps to perform security analysis, troubleshooting, resolve operational issues and detect user behavior.

AWS Trusted Advisor

AWS Trusted Advisor is a great tool for improving system performance, saving cloud costs, and even minimizing the security gaps in your AWS account. It has observability tools that run best practice checks by inspecting the AWS environment.

Trusted Advisor security findings are configured to be sent as CloudWatch events and alerts.

Amazon Inspector

Is a great security tool for scanning vulnerabilities in your EC2 instances. In 2021 AWS engineering team extend and integrate it with a few more cloud-native services to scan container images that are stored in your ECR (Elastic Container Registry). There is no secret that everyone is moving from EC2 instances to containers, so they add more functionalities to it.

AWS Advanced Shield

If you are looking for DDoS protection and Zero-day attacks this is the best-in-class cloud-native security service for your AWS cloud components. It covers three types of protection layers 3, 4 (TCP), and 7 (Application layer). Moreover, it has WAF capabilities which means that your applications can be more secure behind it. Before you will enable it, you should know that it costs $3,000 per month which covers any account within your organization.

A secure Landing Zone is the starting point.

A Landing Zone sets a secure foundation for a multi-account AWS environment and should be looked at as the starting point and not the destination. By leveraging built-in tools like Control Tower, Security Hub, and GuardDuty, you can ensure that there is a solid framework built right from the start on which you can provision future workloads going forward. If you want to increase the security posture of your landing zone, you can combine 3rd party security solutions such as CheckPoint or Palo Alto FW, Imperva has a powerful WAF and many other cloud security solutions depending on your needs.