AWS Partner Network (APN) Blog

Scalable, Secure, and Efficient AWS Cloud Operations with Crayon’s Landing Zone Accelerator

By Francesco Caroli, Global Cloud Services Lead – Crayon
By Marin Radjenovic, Sr. Solutions Architect – Crayon
By Mirche Mirkoski, Sr. Solutions Architect – Crayon

By Adi Simon and Steve Drew, Sr. Partner Solutions Architects – AWS


A landing zone is a well-architected, multi-account Amazon Web Services (AWS) environment that is scalable and secure. It allows your organization to be agile while providing governance and security at scale.

Building a landing zone involves technical and business decisions across account structure, networking, security, and access management, made in accordance with your organization’s growth and business goals. This process requires careful planning and can take months, yet it is a mandatory step in establishing a strong cloud foundation. It applies in the following scenarios:

  • Setting up a fresh AWS environment
  • Migrating workload to AWS
  • Improving existing organization and account governance

Establishing a landing zone can often take months. Over the years, Crayon has executed numerous AWS migration projects globally and concluded that a core set of migration tasks could be fully automated. Automating these core tasks significantly reduces time-to-cloud value for any company with AWS ambitions. Companies with limited or no DevOps and infrastructure as code (IaC) capabilities can now benefit from AWS the same day the decision is made.

In this post, we’ll focus on Crayon’s customizable landing zone accelerator as a foundation for a prospective AWS customer. The landing zone accelerator is a well-architected multi-account architecture with AWS Identity and Access Management (IAM), governance, data security, network design, and logging.

Crayon is an AWS Premier Tier Services Partner with Competencies in Migration, DevOps, Machine Learning, and more. Crayon provides guidance on the best solutions for clients’ business needs and budgets with software, cloud, artificial intelligence, and big data.

AWS Organization and Account Structure

Crayon’s landing zone is a custom implementation that follows AWS prescriptive guidance in an automated way while providing flexibility to the customer to support further customizations to meet their business requirements.

Customers can choose to use their existing AWS Organization or let Crayon’s landing zone accelerator create a new AWS Organization during deployment.

Below is an illustration of the default account structure created along with the AWS services that are enabled by default. Icons in grey represent services that can be optionally configured or onboarded after the landing zone is established.

Figure 1 – Standard deployment configuration.

There are four AWS accounts within two foundational Organizational Units (OUs) that are created as part of the default landing zone deployment. Further OUs can be created when workloads are migrated.

Adopting a multi-account structure aligns with the SEC01-BP01 ‘Separate workloads using accounts’ best practice in the Security Pillar of the AWS Well-Architected Framework.

Figure 2 – AWS organizational unit architecture.

  • Security account is where all Amazon GuardDuty findings from all organization member accounts in the region where it’s deployed are aggregated. It also serves as the AWS Config rules aggregator, performing compliance rule checks across all organization member accounts in the region where it’s deployed.
  • Log Archive account is where all AWS CloudTrail logs from all regions and all AWS accounts within the organization are aggregated. Logs from AWS Config are also aggregated into this account. Logs are stored in their respective Amazon Simple Storage Service (Amazon S3) buckets, encrypted at rest. Amazon S3 Lifecycle is used to automatically transition older logs to more cost-effective storage classes, such as S3 Standard-IA or S3 Glacier.
  • Shared Services account configures services that are shared across the customer’s organization. Examples of such services are AWS Managed Microsoft AD, AWS-native CI/CD services, or third-party services that make sense to share between accounts and environments.
  • Networking account is used to deploy and configure shared network services, such as AWS Transit Gateway, that are consumed across the organization.
  • Workload account(s) provide isolation boundaries between environments (such as production and development) and between workloads, giving a strong isolation boundary for security, billing, and access.

Service Control Policies (SCPs) are enabled and attached to the root of the organization, which means they apply to all AWS accounts. Crayon’s landing zone accelerator ships with a default SCP that customers can use out of the box or tailor to a specific scenario.

This SCP prevents Amazon GuardDuty, AWS CloudTrail, and AWS Config from being disabled, and prevents tampering with virtual private cloud (VPC) flow logs and IAM Access Analyzer. It also prevents the creation of AWS Resource Access Manager (RAM) resource shares with external principals outside the organization, and prevents users or roles in any affected account from leaving AWS Organizations.
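The guardrail SCP described above, expressed as a policy document together with a small offline check that dry-runs candidate IAM actions against it. This is an added example, not Crayon’s policy: the IAM action names and the `ram:RequestedAllowsExternalPrincipals` condition key are real, but the statement grouping, the Sids and the simplified evaluator are assumptions.

```python
import fnmatch
import json

# Guardrail SCP modelled on the protections described above. Constructed
# example: the IAM action names are real, but the statement layout and Sids
# are assumptions, not Crayon's actual policy.
GUARDRAIL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ProtectSecurityServices", "Effect": "Deny", "Resource": "*",
     "Action": ["guardduty:DeleteDetector", "guardduty:UpdateDetector",
                "guardduty:DisassociateFromAdministratorAccount",
                "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel", "ec2:DeleteFlowLogs",
                "access-analyzer:DeleteAnalyzer", "organizations:LeaveOrganization"]},
    {"Sid": "DenyExternalRamShares", "Effect": "Deny", "Resource": "*",
     "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"],
     "Condition": {"Bool": {"ram:RequestedAllowsExternalPrincipals": "true"}}}
  ]
}
""")


def _bool_condition_matches(condition, context):
    # Only the Bool operator is implemented, since that is all this SCP uses.
    for key, expected in condition.get("Bool", {}).items():
        if str(context.get(key, "")).lower() != str(expected).lower():
            return False
    return True


def is_denied(policy, action, context=None):
    """True if a Deny statement matches the action (simplified SCP semantics:
    fnmatch action wildcards and Bool conditions; no Resource or Allow logic)."""
    context = context or {}
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] != "Deny":
            continue
        # IAM action names are case-insensitive, so compare lowercased.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if _bool_condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

The check is a dry run for reviewing a tailored SCP before attaching it; the real evaluation happens in AWS Organizations once the policy is attached to the root.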

Crayon’s landing zone can be extended to cover multiple regions. When this is done, the regional services within each account are replicated in the new region.

Figure 3 – Multi-region deployment configuration.

Baseline Services

To support compliance and security requirements and reduce risk, Crayon’s landing zone provides a set of AWS services preconfigured for the customer’s needs right out of the box, namely:

  • To provide audit trails, AWS CloudTrail is automatically enabled on existing AWS accounts and on new accounts as they are onboarded into the organization. A multi-region organization trail is configured, and its logs are sent to the central Amazon S3 bucket in the Log Archive account.
  • To protect your AWS accounts with intelligent threat detection, Amazon GuardDuty is automatically enabled on existing AWS accounts and on new accounts as they are onboarded into the organization. All findings are sent to the security account. This aligns with the SEC05-BP04 ‘Implement inspection and protection’ best practice of the Well-Architected Framework.
  • To assess, audit, and evaluate the configuration of your resources, AWS Config is enabled on all accounts under the Core OU, including the organization master account. Conformance packs deploy automated compliance checks across all organization accounts, setting audit baselines; for example, checking that multi-factor authentication (MFA) is enabled for the root user, that no Amazon S3 buckets allow public access, and that no Amazon Relational Database Service (Amazon RDS) instances are publicly accessible.
  • An AWS Config rules aggregator is created in the security account, which can guide customers towards meeting regulatory compliance requirements such as PCI DSS, HIPAA, and more.
  • To support cost optimization, AWS Compute Optimizer is enabled at the organization level, giving customers an aggregated view of AWS right-sizing recommendations for Amazon Elastic Compute Cloud (Amazon EC2) instances, Auto Scaling groups, Amazon Elastic Block Store (Amazon EBS) volumes, AWS Lambda functions, and AWS Fargate tasks across the entire organization.
  • To alert you on detected anomalies, Amazon GuardDuty high and critical findings are picked up by an Amazon EventBridge rule configured with Amazon Simple Notification Service (SNS) as its target, so that the security team receives email notifications. This aligns with the OPS10-BP01 ‘Use a process for event, incident, and problem management’ best practice of the Well-Architected Framework.
  • To audit the permissions of users and resources, IAM Access Analyzer is configured for the organization, with the security account as the delegated administrator. IAM Access Analyzer analyzes policies and reports findings for resources that grant public access, or cross-account access to principals outside your AWS organization, in the IAM console and through APIs.
  • To provide a centralized view of health events across your AWS organization, AWS Health organizational view can optionally be enabled on the master account to centralize AWS Health open issues, scheduled changes, and other notifications.
  • AWS Resource Access Manager is also included in the landing zone implementation. It’s a centralized service that provides a consistent experience for sharing different types of AWS resources across multiple accounts, such as AWS Transit Gateway, VPCs, and subnets.

DevOps

Crayon’s landing zone is a HashiCorp Terraform IaC-based solution. Customers can use their existing CI/CD pipelines to deploy the landing zone, or Crayon can assist customers without pre-existing CI/CD pipelines, helping them adopt the DevOps model.

Currently, the landing zone accelerator is tested with the following DevOps tooling:

Crayon’s Acceleration Kits

After the landing zone is deployed, focus moves on to workload migration. Crayon’s best practices for AWS migrations are embodied in a set of reference architectures called AWS accelerators. A library of accelerators is available that can be used on top of the landing zone accelerator to deploy the workloads being migrated or created.

Building upon the landing zone, the accelerators focus on supporting workload deployments, providing features such as:

  • Centralized backup: An accelerator kit based on the AWS Backup service provides a dedicated backup account that aggregates backups from all accounts in the AWS Organization to meet your organization’s data backup policy.
  • CI/CD: Provides IaC code for creating CI/CD pipelines using AWS CodePipeline for AWS Fargate and AWS Lambda.
  • Application performance metrics: To define CloudWatch custom metrics, alarms and dashboards through code, to monitor the health of applications migrated.
  • Scalable Aurora database clusters: Reducing time in setting up Amazon Aurora in alignment with best practices. This accelerator can deploy an Aurora cluster in a single region with single master and multiple read replicas, Aurora Serverless, or to deploy Aurora global databases that span across multiple regions.
  • Crayon serverless framework: Helps reduce coding effort for serverless workloads and simplifies the creation of policies and triggers for Lambda functions and AWS Step Functions, providing a level of abstraction comparable to AWS Serverless Application Model (SAM).

Customer Success: FSubSea

FSubSea supplies sustainable, robust, and autonomous subsea pumps for the global renewables, oil and gas, and green infrastructure markets. Crayon helped FSubSea embark on its AWS journey by implementing a well-architected landing zone solution. Crayon’s approach helped FSubSea establish best practices for AWS account management, separation of duties, and governance enforced on every AWS account.

By quickly establishing a strong foundation, FSubSea could concentrate its efforts on bringing workloads to AWS, with the confidence of a secure, well-architected cloud environment, deployed in minutes, reducing the time to value for the company’s overall business and customers.

Conclusion

Customers looking to set up their first AWS environment, migrate workloads to AWS, or improve existing AWS Organization and governance can now use Crayon’s landing zone accelerator to reduce their time to value.

Crayon leverages the AWS Migration Acceleration Program (MAP), which is a comprehensive framework that helps organizations speed up their cloud migration journey, and is based upon AWS’s experience migrating thousands of enterprise customers to the cloud.

Crayon helps customers save on third-party licensing costs whilst building a migration plan to AWS, leveraging AWS Optimization and Licensing Assessment (OLA). Then, Crayon helps accelerate the build of the landing zone to drive operational readiness prior to actual execution of workload migration or modernization.

Crayon – AWS Partner Spotlight

Crayon is an AWS Premier Tier Services Partner and customer-centric innovation and IT services company that provides guidance on clients’ business needs and budgets with software, cloud, artificial intelligence (AI), and big data.
