AWS Cloud Enterprise Strategy Blog

AWS Control Tower and AWS Security Hub – Powerful Enterprise Twins

Live blog post from re:Invent 2018, Las Vegas

As an AWS Enterprise Strategist I travel the globe talking to some of the largest enterprise customers on the planet about how they can innovate faster and deliver a much better customer experience by migrating their systems to AWS, removing massive amounts of undifferentiated heavy lifting in the process and freeing their people to focus on the things that really matter to their business and their customers.

So many of the conversations I have start with executives rightly wanting to understand what lessons have been learnt from those who have undertaken the AWS journey before them. Historically we talk keenly about the importance of creating a Cloud Centre of Excellence (CCoE) and having this team establish the curated guardrails around security, availability, reliability, and compliance for the customer’s part of the AWS Shared Responsibility model.

As a customer, when I was at Capital One and my CCoE was building out our AWS Cloud, it was a thoughtful process of learning which features were appropriate for us to use and how we wanted to implement them. I hear from customers that this process typically takes them a significant amount of time, as their teams are both learning to use AWS and learning which features to use. While AWS Solutions Architects, AWS ProServe, and AWS Accredited Partners can drastically reduce the time to build a Landing Zone and establish these guardrails, customers are greatly attracted to automated offerings.

On June 14th, 2018, we iterated on our Landing Zone solution to help customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. This infrastructure-as-code solution, which rapidly establishes an initial security baseline and creates the core accounts and resources, allows teams to move much more quickly. However, there was even more we could do to make it easier still, and it was an exciting moment when Andy Jassy launched AWS Control Tower on Wednesday at re:Invent.

AWS Control Tower: Control Tower automates the set-up of a well-architected, multi-account environment based on best practices, and guides you through a step-by-step process to customize Control Tower to your organization. It will automate the creation of an AWS Landing Zone with best practice blueprints including:

  • Configuring AWS Organizations to create a multi-account environment.
  • Providing for identity management using AWS SSO users and groups.
  • Federating access using AWS Single Sign-On.
  • Centralizing logging using AWS CloudTrail and AWS Config.
  • Enabling cross-account security audits using AWS IAM.
  • Implementing network design using Amazon VPC.
  • Defining workflows for provisioning accounts using AWS Service Catalog.

In addition, it will put in place mandatory, curated guardrails, such as blocking accounts from being able to create an Internet Gateway or ensuring only encrypted S3 objects can be created. Preventive guardrails are enforced as service control policies in AWS Organizations, so a denied action fails regardless of the IAM permissions a principal holds in the member account; detective guardrails are AWS Config rules that flag resources which drift out of compliance. This will dramatically shorten the time it takes to get going with the curated best practice drawn from the millions of customers who use AWS every day.
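
To make the two guardrails named above concrete, here is an added example (not Control Tower's own guardrail documents, and not code from this post): the policy JSON for an SCP that denies internet gateway creation and for a bucket policy that denies unencrypted `PutObject`, plus a toy evaluator that runs constructed requests against them. The bucket name `example-log-archive`, the `Sid` values and the sample object keys are assumptions; the evaluator models only explicit `Deny` with the `Null`, `StringEquals` and `StringNotEquals` operators and is a teaching aid, not a replacement for the IAM policy simulator.

```python
"""Toy evaluator for two Control Tower-style preventive guardrails.

Added example, not Control Tower's own guardrails. The policy documents
follow the IAM policy grammar; the evaluator covers only explicit Deny with
the Null / StringEquals / StringNotEquals operators.
"""
import re

# Guardrail 1: an SCP attached to an organizational unit. Principals in the
# member accounts (root user included) cannot create or attach an internet
# gateway, whatever their own IAM policies allow.
DENY_IGW_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInternetGatewayCreation",  # Sid is an assumption
        "Effect": "Deny",
        "Action": ["ec2:CreateInternetGateway", "ec2:AttachInternetGateway"],
        "Resource": "*",
    }],
}

# Guardrail 2: a bucket policy that rejects PutObject calls that would create
# an unencrypted object. Two statements are needed: "Null" catches a request
# with no SSE header at all, "StringNotEquals" catches an unsupported value.
# StringNotEquals on its own is a classic gap: IAM treats a missing condition
# key as "condition not met", so the Deny would be skipped for bare uploads.
BUCKET = "arn:aws:s3:::example-log-archive"  # bucket name is an assumption
SSE_KEY = "s3:x-amz-server-side-encryption"
DENY_UNENCRYPTED_PUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyPutWithoutSSEHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"Null": {SSE_KEY: "true"}}},
        {"Sid": "DenyPutWithWrongSSEAlgorithm", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """context maps condition keys to request values; an absent key means the
    request did not carry it (for example, no server-side-encryption header)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true" requires the key to be absent, "false" requires it present
                if present == (str(expected).lower() == "true"):
                    return False
            elif operator == "StringEquals":
                if not present or context[key] not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # a missing key never satisfies StringNotEquals (IAM semantics)
                if not present or context[key] in _as_list(expected):
                    return False
            else:
                raise NotImplementedError("operator %s not modelled" % operator)
    return True


def is_denied(policy, action, resource="*", context=None):
    """Return the Sid of the first explicit Deny matching the request, else None.
    Only Deny statements are evaluated: a guardrail works by denying, and an
    explicit Deny in an SCP or bucket policy beats any Allow elsewhere."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_wild(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        return stmt.get("Sid", "<unnamed>")
    return None


if __name__ == "__main__":
    # Constructed requests, as an administrator in a member account might issue them.
    key = BUCKET + "/2018/11/28/trail.json.gz"
    checks = [
        ("create IGW", is_denied(DENY_IGW_SCP, "ec2:CreateInternetGateway")),
        ("create VPC", is_denied(DENY_IGW_SCP, "ec2:CreateVpc")),
        ("put, no SSE header", is_denied(DENY_UNENCRYPTED_PUT_POLICY, "s3:PutObject", key, {})),
        ("put, AES256", is_denied(DENY_UNENCRYPTED_PUT_POLICY, "s3:PutObject", key, {SSE_KEY: "AES256"})),
        ("put, bogus SSE", is_denied(DENY_UNENCRYPTED_PUT_POLICY, "s3:PutObject", key, {SSE_KEY: "bogus"})),
    ]
    for label, verdict in checks:
        print("%-20s -> %s" % (label, verdict or "allowed (no guardrail deny)"))
```

The point to take away is the second bucket-policy statement: with only `StringNotEquals`, an upload that sends no encryption header sails through, which is exactly the case the guardrail exists to stop. The SCP deny, by contrast, needs no condition, and because SCPs cap every principal in the account it cannot be bypassed by granting an administrator more IAM permissions.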

With AWS Control Tower, you pay only for the AWS services it enables on your behalf: those configured in the set-up of your Landing Zone, those used by the mandatory guardrails, and those used by any strongly recommended guardrails you choose to turn on. Strongly recommended guardrails that are preventive incur no cost. The cost of each service varies with the number of regions, accounts, hours used, and guardrails enabled.

This then leads to one of the perennial problems of enterprise IT: having a comprehensive view of your high-priority security alerts and compliance status across all of your AWS accounts. This is where Security Hub comes in.

AWS Security Hub: The typical enterprise security landscape has a number of powerful security tools deployed, from firewalls and endpoint protection to vulnerability and compliance scanners. But oftentimes this leaves your team switching back and forth between these tools to deal with hundreds, and sometimes thousands, of security alerts every day. With Security Hub you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner Solutions. Your findings are visually summarized on integrated dashboards with actionable graphs and tables. You can also continuously monitor your environment using automated compliance checks based on the AWS best practices and industry standards your organization follows. This allows you to save time with aggregated findings, improve compliance with automated checks, and quickly take action on findings. AWS Security Hub is offered at no cost during the preview period and is available as a regional service in 15 of the current AWS regions. Pricing will be finalized when the service becomes generally available.

These two powerful new offerings will enable enterprises to migrate their IT systems and build new innovations for their customers even faster. I look forward to seeing and hearing how customers use them to keep up their momentum on the journey to the AWS Cloud.

Remember, “All of your assumed constraints are debatable.”

Jonathan Allen
EMEA Enterprise Strategist and Evangelist

Jonathan joined AWS as an Enterprise Strategist & Evangelist in May 2017. In this role, he works with enterprise technology executives around the globe to share experiences and strategies for how the Cloud can help them increase speed and agility while devoting more of their resources to their customers. Prior to joining AWS, Jonathan was Chief Technology Officer and Senior Director in Capital One Bank's UK division. Jonathan was part of the bank's Global Technology Leadership team that selected AWS as its predominant Cloud partner in 2014, and was accountable for the architecture, engineering and execution of the technical build-out and system migrations of the bank's AWS Cloud strategy in partnership with the US divisions until 2017, by which time all development had moved Cloud First. Jonathan managed a global team and held all budgetary responsibility for technology operations and strategy execution, the adoption of agile only, technical talent transformation and recruitment, and the creation of the bank's Cloud Governance framework. During Jonathan's 17 years at Capital One he also led large-scale transformations including the roll-out of regulatory compliance, the move from outsourcing to out-tasking, engagement with AWS Cloud Partners, the adoption of DevOps at scale and the focus on an engineering-led culture. In 2012, he was awarded IT Manager of the Year by The Chartered Institute for IT. He holds a Diploma in Computer Studies from Loughborough College and a CIO MBA from Boston University.