AWS Public Sector Blog

Announcing the Landing Zone Accelerator for Education to support customers in education and research

Amazon Web Services (AWS) announced the availability of Landing Zone Accelerator (LZA) for Education, an industry-specific deployment of the LZA on AWS, designed to further support education customers in designing cloud environments for their compliance needs.

The LZA on AWS solution is architected to align with AWS best practices and multiple, global compliance frameworks. When used in coordination with services such as AWS Control Tower, the LZA provides a comprehensive no-code solution across more than 35 AWS services and features to manage and govern a multi-account environment. The LZA is built to support customers with regulated workloads and compliance requirements. The new LZA for Education builds on the LZA to help customers secure their research workloads or workloads containing student data, by giving them a set of default configurations that they can use as a starting point and iterate on to define security and compliance posture as code.

Supporting security standards alignment with global compliance frameworks

The AWS Compliance Program helps customers understand the robust controls in place at AWS to maintain security and compliance in the cloud.

Education customers can benefit from the LZA for Education as the security controls implemented are aligned with several international frameworks, including:

  • US International Traffic in Arms Regulations (ITAR)
  • National Institute of Standards and Technology (NIST) 800-171
  • NIST 800-53
  • Cybersecurity Maturity Model Certification (CMMC)
  • National Cyber Security Centre (NCSC)

AWS education customers often tell us that they are looking to cloud technologies to help them both future-proof their institutions in support of their organizational objectives and address immediate issues and pain points, while reducing the amount of effort required to do this. One area of immediate concern is security.

Security has also been highlighted in the “Innovation Drivers in Higher Education” report as one of the main priorities in higher education. In the report, customers note that there can be many repercussions from poor security practices, including cost, effort, and resources to resolve and remediate issues, as well as time to recover. According to Check Point Research, education and research organizations face more cyberattacks than organizations in any other sector.

Educational institutions are increasingly realizing the benefits of cloud-based solutions to help them grow their cloud services in support of their students, faculty, or research needs. However, given that one of the first things these institutions must do to realize these benefits is to develop a strategy for how to configure these cloud-based solutions in accordance with their security and compliance needs, a key question that may arise is: “How do we run sensitive workloads in AWS?”

The answer to this question depends on multiple factors, such as geographic location, regulatory requirements, or organizational goals. Leveraging a multi-account strategy sets the stage for improved security posture and growth. This is referred to as an AWS Landing Zone. Individual AWS accounts enable resource independence and isolation by being a boundary for security, access, and billing.

For example, users outside of your account do not have access to your resources by default. By using a landing zone as a foundation, you can deploy your mission-critical application workloads and solutions across a centrally-governed multi-account environment. Further detail can be found in the Organizing your AWS Environment Using Multiple Accounts whitepaper.

The LZA for Education builds upon this guidance to quickly deploy a solution foundation in AWS designed to be secure, resilient, scalable, and automated. This foundation can accelerate your readiness for a cloud compliance program by deploying default accounts, an account structure, and security configurations for logging, monitoring, notification, and encryption.

The LZA helps establish platform readiness with security, compliance, and operational capabilities. It is important to note that the LZA solution will not by itself make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated to support compliance goals.

You must review, evaluate, assess, and approve the solution in compliance with your organization’s particular security features, tools, and configurations. It is the sole responsibility of you and your organization to determine which regulatory requirements are applicable and to make sure that you comply with all requirements.

For additional information on how to get started with the solution, please reference the Landing Zone Accelerator on AWS – Implementation Guide.

The Landing Zone Accelerator for Education architecture

The following architecture diagram shows an overview of the LZA for Education deployment.

Figure 1. The LZA for Education architecture.

The LZA for Education is a set of configuration files focused on meeting the needs of education-affiliated organizations.

LZA for Education incorporates the LZA’s best practices configurations, such as the detective guardrails defined in the Operational Best Practices for NIST 800-53 rev 5 Conformance pack. These are implemented using the AWS Config service, which records configuration changes to AWS resources and provides notification when those resources are not in compliance with a customer’s defined baseline.

AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation. AWS Security Hub standards, specifically the AWS Foundational Security Best Practices and the Center for Internet Security (CIS) AWS Foundations Benchmark, are configured and deployed as part of the LZA for Education. The LZA for Education uses AWS Security Hub and AWS Config to leverage centralized account delegation and provide a single set of optimized guardrails.

The LZA for Education uses AWS CloudTrail for centralized logging and configurable log retention to help you meet security and compliance needs related to accessing and auditing sensitive data and resources. Centralized networking with inspection, AWS Organizations service control policies and backup policies are provided as examples of how to establish controls when deploying workloads in your cloud environment.

For the protection of sensitive data, AWS Key Management Service (AWS KMS) is used to encrypt data at rest. Additionally, the LZA solution is covered by Developer through Enterprise AWS Support Plans, should you need assistance.

Get started with the AWS Landing Zone Accelerator for Education

To get started, follow the process outlined in the Landing Zone Accelerator on AWS – Implementation Guide. It is recommended to begin with a new AWS payer account without existing resources deployed.

The LZA for Education leverages AWS expertise to enable regulated customers to set up their AWS environments in days instead of weeks in an optimized and secure configuration. By reducing the undifferentiated heavy lifting of establishing a regulated cloud environment, organizations have the opportunity to focus on innovative solutions that provide the greatest value to the customers they serve.

To learn more about how AWS works with education customers globally, visit the AWS for Education hub. If you have questions, reach out to your AWS account team or send an inquiry to the AWS Public Sector Sales Team.


Leo Zhadanovsky

Leo Zhadanovsky, the chief technologist for education at Amazon Web Services (AWS), has spent nearly a decade sharing guidance on the best ways to leverage AWS services. As a speaker, Leo has delivered talks at conferences around the world, including re:Invent, OmniTI Surge, and PuppetConf. Behind the scenes, he helps customers build highly-available, scalable, and elastic architectures to fulfill their business needs. Leo first demonstrated his expertise in AWS as the director of systems engineering at the Democratic National Committee (DNC), where he ran the on-premise and cloud infrastructure for the DNC, in use by the Obama campaign, as well as the Democratic Party. In his free time, he enjoys cycling, traveling, and perfecting the crema on his espresso.

Justin Haydt

Justin Haydt is a solutions architect with Amazon Web Services (AWS). He works with AWS education technology (EdTech) customers providing architectural guidance and best practice recommendations, where he is passionate about open source and containerization. Prior to joining AWS, he worked in various consulting roles specializing in infrastructure management, DevOps, and security.

Wendy Corns

Wendy is a global business development lead and a member of the Environment Sustainability Technical Field Community at Amazon Web Services (AWS). Wendy assists education organisations in adopting cloud technology and achieving their digital transformation goals, for the benefit of their organisation and the student community.