AWS Partner Network (APN) Blog

Streamlined Resource Management with the Infosys Automated Self-Service Landing Zone Solution for AWS

By Sajay Sethunath, Principal Partner Solutions Architect – AWS
By Uday Kumar Gupta, Distinguished Technologist – Infosys
By Rahul Gupta, Principal Architect – Infosys
By Prasath Chandramohan, Sr. Technology Architect – Infosys


Infosys has crafted an automated self-service landing zone solution for Amazon Web Services (AWS) which employs AWS Control Tower to generate the customer’s organizational unit (OU) structure and set up individual accounts. It uses the infrastructure as code (IaC) tools from Terraform for infrastructure provisioning and Ansible for service configuration.

The landing zone (LZ) is a cloud computing concept that provides a pre-configured and secure environment, functioning as a springboard for organizations to manage their AWS resources effectively.

LZs come with default accounts, a structured account layout, essential networking infrastructure, and preset security configurations. This enables customers to swiftly deploy mission-critical applications and solutions across a multi-account environment under centralized governance.

In this post, we will discuss the details of a solution enabling the rapid deployment of a secure and scalable AWS landing zone in an automated manner.

Infosys, as an AWS Premier Tier Services Partner and Managed Services Provider (MSP), offers integrated consulting and technology solutions that leverage the flexibility and economics of cloud where IT and business services are delivered on demand.

Solution Overview

The Infosys automated self-service landing zone solution establishes a GitOps-based model environment, meaning that all provisioning and configuration changes are version-controlled and can be easily tracked. This environment is orchestrated through a Jenkins-based pipeline, ensuring smooth end-to-end management of the provisioning and configuration process.

The solution integrates security guardrails and policies, creating a protective framework for the client’s AWS environment. Furthermore, it provides options to add or configure security services based on specific customer requirements.

Users can easily provision and configure services using various means, including a portal user interface (UI), JSON-based policies and configurators, and dynamic environment creation templates. The solution is designed to manage and govern a multi-account environment that’s equipped to support highly-regulated workloads and intricate compliance requirements.

The swift establishment of a landing zone on AWS using this solution helps customers to be cloud-ready and armed with robust security, compliance, and operational capabilities.

Key Features

The automated self-service landing zone solution offers the following key features:

  • Automates the provisioning and configuration of the AWS landing zone, simplifying the setup process.
  • Enables policy as code, where service control and security policies for LZ components are defined in code, improving consistency and reliability.
  • Offers pre-built features that accelerate LZ creation through standardized templates, reducing time to market.
  • Includes reusable components created with AWS-recommended security and compliance parameters, ensuring industry best practices are followed.
  • Is constructed using AWS-recommended best practices and incorporates features for governance, auditing, traceability, and continuous integration management, promoting a culture of accountability and continuous improvement.

Solution Architecture

The solution has a modular architecture that enables customers to leverage all or portions of the solution to build out an AWS landing zone.


Figure 1 – Architecture of self-service automated landing zone.

The solution is built on three major architecture facets, described below. In addition, it uses service control policies (SCPs) to manage the security and permissions available to the customer's AWS accounts. The SCPs defined and prioritized for the customer are automated as code and deployed into the customer's OU structure through AWS Control Tower, following the GitOps model.

Self-Service Orchestration

The solution uses the GitOps operational framework to automate the provisioning of infrastructure. It integrates CI/CD orchestrators, like Jenkins with Terraform for provisioning and Ansible for configuration, to enable end-to-end orchestration of AWS infrastructure provisioning.

The solution deploys the tools into a dedicated account, integrates Amazon CloudWatch and AWS CloudTrail logs, manages secrets using AWS Secrets Manager, and integrates with Active Directory and single sign-on (SSO) capabilities.

Provisioning supports the entire stack across infrastructure, application, security, and operational constructs. Orchestration is built using Node.js and Python code as part of the Jenkins orchestration pipeline for infrastructure provisioning.

Workflow-Based Provisioning

The solution uses a UI-based workflow for automated provisioning and configuring of infrastructure and application services. This UI integrates with ServiceNow, CMDB, and AWS Service Catalog, providing an easy and intuitive mechanism to access and provision the necessary services required by the customer.

Automation Based on Everything-as-Code

The solution provides a common group of security, risk, and compliance policies curated from Infosys implementation experience and validated against Center for Internet Security (CIS) recommendations. Examples of such policies are: Amazon Simple Storage Service (Amazon S3) bucket policy set to deny HTTP requests and multi-factor-authentication (MFA) delete enabled on S3 buckets.
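The first policy example above, written out as an added illustration (not a policy document from the Infosys solution): a bucket policy that denies every S3 request not made over TLS, using the `aws:SecureTransport` condition key. The bucket name is a placeholder; MFA delete is not expressed in a bucket policy but is a versioning setting that only the root user can enable, so it is not shown here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-LOG-BUCKET",
        "arn:aws:s3:::EXAMPLE-LOG-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

The explicit Deny applies to every principal, including roles in the bucket's own account, so confirm that all clients and log-delivery integrations use HTTPS before attaching it.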

Operations engineers on the customer teams will codify the necessary policies that are specific to their organization in JSON format. These policies are in addition to the commonly configured policies the solution enables.

Orchestration Flow

The diagram below shows the landing zone orchestration flow that provisions and configures the accounts and services through a Jenkins-based pipeline.


Figure 2 – Landing zone orchestration flow.

As you can see, the Jenkins pipeline triggers as a result of a Git push to the repository holding the infrastructure as code scripts. Jenkins then initiates the Terraform scripts, which describe the desired state of AWS resources and begin provisioning the necessary infrastructure.

Once the infrastructure is provisioned, Ansible playbooks are invoked, which apply configurations to the resources that were just created. This could include setting up networking, applying security policies, or deploying applications.

Any tests or validations defined in the pipeline are run to ensure the environment is set up correctly. If all tests pass, the pipeline concludes and leaves behind a fully provisioned and configured LZ.

Accounts and Services Provisioning and Configuration

The solution, when installed, provisions and configures capabilities across a group of accounts, along with common services that cut across all of these accounts. The common foundational capabilities the solution provisions include virtual private clouds (VPCs), subnets, security groups, and network access control lists (NACLs). It also supports account creation, provisioning, and configuration of services in a multi-Availability Zone environment.

The solution takes a prescriptive approach to account creation, associated service provisioning, and configuration. Described below are the accounts and services that will be enabled as part of the solution installation.

  • AWS root/management account
    • Creates and configures AWS root account and parent OU
  • Security account
  • Shared services account
    • Provisions and configures infrastructure for antivirus software, configures consolidated logging and monitoring, and provides the capability to integrate with directory services such as Active Directory and Okta
    • Supports configuring AWS services like Amazon Simple Notification Service (SNS) and Resource Access Manager, as well as other services like backups, golden images, and collaborative tools
  • Logging account
    • Configures CloudWatch, CloudTrail, Resource Access Manager, and VPC flow logs
    • Supports provisioning and configuring SIEM tools like Splunk
  • Network account
    • Enables configuration of network connectivity options like AWS Direct Connect, AWS Transit Gateway, and virtual private network (VPN)
    • Supports configuring AWS Resource Access Manager
  • Non-production and production accounts
    • Provides dynamic templates to create environments with the necessary dependencies that can be customized to configure appropriate services like VPC, subnets, VPC peering, load balancers, bastion host, CloudWatch, log groups, AWS Key Management Service (AWS KMS), logging subscription, StackSets, and Resource Access Manager
  • Audit accounts
    • Supports configuring SNS to enable security notifications

Policy Management Using SCPs

The solution uses service control policies (SCPs) to establish central control over the permissions available to accounts in the customer organization. SCPs are automated in line with CIS security benchmarks, which provides a centralized mechanism to define a baseline set of CIS-aligned security policies to which the customer can add, update, and manage additional ones as required.

This approach enables a central location to define policies and drive enforcement and compliance of these security policies. Examples of this include restricting access based on the requested AWS region, preventing IAM users and roles from making specified changes, preventing users from disabling CloudWatch or altering its configuration, allowing specific accounts to share only specified resource types, and preventing any VPC that doesn’t already have internet access from getting it.
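Two of the SCP examples above (restricting access by requested region, and preventing users from disabling CloudWatch), as an added illustration that is not one of the Infosys solution's own SCPs. The approved region list and the set of global services exempted from the region check are assumptions for this example; the second statement also covers CloudTrail, which is not named in the paragraph above, because the logging account configures both.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        }
      }
    },
    {
      "Sid": "ProtectCloudWatchAndCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DisableAlarmActions",
        "cloudwatch:DeleteDashboards",
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream",
        "logs:PutRetentionPolicy",
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    }
  ]
}
```

SCPs have no Principal element and never restrict the management account, so attach them to a sandbox OU first; the NotAction exemptions are needed because global services such as IAM are called through a single region and would otherwise be blocked.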

Conclusion

The Infosys self-service multi-account landing zone solution using AWS Control Tower offers organizations a streamlined approach to managing their AWS resources.

With its self-service capabilities, pre-built features, and modular architecture, the solution simplifies the setup process and accelerates time to market. It prioritizes security and compliance through centralized policy management and aligns with industry best practices.

As organizations continue to adopt cloud technologies, this solution provides a robust foundation for efficient infrastructure provisioning, application deployment, and governance. It enables organizations to establish a secure and scalable AWS environment, paving the way for successful cloud operations and digital transformation.



Infosys – AWS Partner Spotlight

Infosys is an AWS Premier Tier Services Partner and MSP that offers integrated consulting and technology solutions leveraging the flexibility and economics of cloud where IT and business services are delivered on demand.
