Announcing the Landing Zone Accelerator for Education to support customers in education and research
Amazon Web Services (AWS) announced the availability of Landing Zone Accelerator (LZA) for Education, an industry-specific deployment of the LZA on AWS, designed to further support education customers in designing cloud environments for their compliance needs.
The LZA on AWS solution is architected to align with AWS best practices and multiple, global compliance frameworks. When used in coordination with services such as AWS Control Tower, the LZA provides a comprehensive no-code solution across more than 35 AWS services and features to manage and govern a multi-account environment. The LZA is built to support customers with regulated workloads and compliance requirements. The new LZA for Education builds on the LZA to help customers secure their research workloads or workloads containing student data, by giving them a set of default configurations that they can use as a starting point and iterate on to define security and compliance posture as code.
Supporting security standards alignment with global compliance frameworks
The AWS Compliance Program helps customers understand the robust controls in place at AWS to maintain security and compliance in the cloud.
Education customers can benefit from the LZA for Education as the security controls implemented are aligned with several international frameworks, including:
- US International Traffic in Arms Regulations (ITAR)
- National Institute of Standards and Technology (NIST) 800-171
- NIST 800-53
- Cybersecurity Maturity Model Certification (CMMC)
- National Cyber Security Centre (NCSC)
AWS education customers often tell us that they are looking to cloud technologies to help them both future-proof their institutions in support of their organizational objectives and address immediate issues and pain points, while reducing the amount of effort required to do this. One area of immediate concern is security.
Security has also been highlighted in the “Innovation Drivers in Higher Education” report as one the main priorities in higher education. In the report, customers note that there can be many repercussions from poor security practices, including cost, effort, and resources to resolve and remediate issues, as well as time to recover. According to Check Point Research, education and research organizations face more cyberattacks than organizations in any other sector.
Educational institutions are increasingly realizing the benefits of cloud-based solutions to help them grow their cloud services in support of their students, faculty, or research needs. However, given that one of the first things these institutions must do to realize these benefits is to develop a strategy for how to configure these cloud-based solutions in accordance to their security and compliance needs, a key question that may arise is: “How do we run sensitive workloads in AWS?”
The answer to this question depends on multiple factors, such as geographic location, regulatory requirements, or organizational goals. Leveraging a multi-account strategy sets the stage for improved security posture and growth. This is referred to as an AWS Landing Zone. Individual AWS accounts enable resource independence and isolation by being a boundary for security, access, and billing
For example, users outside of your account do not have access to your resources by default. By using a landing zone as a foundation, you can deploy your mission-critical application workloads and solutions across a centrally-governed multi-account environment. Further detail can be found in the Organizing your AWS Environment Using Multiple Accounts whitepaper.
The LZA for Education builds upon this guidance to quickly deploy a solution foundation in AWS designed to be secure, resilient, scalable, and automated. This foundation can accelerate your readiness for a cloud compliance program by deploying default accounts, account structure, security configurations for logging, monitoring, notification, and encryption.
The LZA helps establish platform readiness with security, compliance, and operational capabilities. It is important to note that the LZA solution will not by itself make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated to support compliance goals.
You must review, evaluate, assess, and approve the solution in compliance with your organization’s particular security features, tools, and configurations. It is the sole responsibility of you and your organization to determine which regulatory requirements are applicable and to make sure that you comply with all requirements.
For additional information on how to get started with the solution, please reference the Landing Zone Accelerator on AWS – Implementation Guide.
The Landing Zone Accelerator for Education architecture
The following architecture diagram shows an overview of the LZA for Education deployment.
Figure 1. The LZA for Education architecture.
The LZA for Education is a set of configuration files focused on meeting the needs of education-affiliated organizations.
LZA for Education incorporates the LZA’s best practices configurations, such as the detective guardrails defined in the Operational Best Practices for NIST 800-53 rev 5 Conformance pack. These are implemented using the AWS Config service, which records configuration changes to AWS resources and provides notification when those resources are not in compliance with a customer’s defined baseline.
AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation. AWS Security Hub standards, specifically the AWS Foundational Security Best Practices and the Center for Internet Security (CIS) AWS Foundations Benchmark, are configured and deployed as part of the LZA for Education. The LZA for Education uses AWS Security Hub and AWS Config to leverage centralized account delegation and provide a single set of optimized guardrails.
The LZA for Education uses AWS CloudTrail for centralized logging and configurable log retention to help you meet security and compliance needs related to accessing and auditing sensitive data and resources. Centralized networking with inspection, AWS Organizations service control policies and backup policies are provided as examples of how to establish controls when deploying workloads in your cloud environment.
For the protection of sensitive data, AWS Key Management Service (AWS KMS) is used to encrypt data at rest. Additionally, the LZA solution is covered by Developer through Enterprise AWS Support Plans, should you need assistance.
Get started with the AWS Landing Zone Accelerator for Education
To get started, follow the process outlined in the Landing Zone Accelerator on AWS – Implementation Guide. It is recommended to begin with a new AWS payer account without existing resources deployed.
The LZA for Education leverages AWS expertise to enable regulated customers to set up their AWS environments in days instead of weeks in an optimized and secure configuration. By reducing the undifferentiated heavy lifting of establishing a regulated cloud environment, organizations have the opportunity to focus on innovative solutions that provide the greatest value to the customers they serve.
To learn more about how AWS works with education customers globally, visit the AWS for Education hub. If you have questions, reach out to your AWS account team or send an inquiry to the AWS Public Sector Sales Team.
Read more about AWS for education:
- Data security and governance best practices for education and state and local government
- Building a team knowledge base with Amazon Lightsail
- The top 3 innovation drivers in higher education in 2023
- Best practices for creating highly available workloads
Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.
Please take a few minutes to share insights regarding your experience with the AWS Public Sector Blog in this survey, and we’ll use feedback from the survey to create more content aligned with the preferences of our readers.