AWS Public Sector Blog

How the Landing Zone Accelerator on AWS supports NCSC cloud security guidance

How the Landing Zone Accelerator on AWS supports NCSC cloud security guidance

Amazon Web Services (AWS) has collaborated with the UK National Cyber Security Centre (NCSC) to tailor advice on how UK public sector customers can use the Landing Zone Accelerator on AWS (LZA) to help meet the NCSC’s guidance on “using cloud services securely.” By using the UK implementation guide for the LZA, UK customers can design environments that will help them to align to new NCSC guidance.

What is a landing zone?

A landing zone is a well-architected, multi-account AWS environment that is scalable and secure. A landing zone provides the central architecture and guardrails in a foundational cloud environment. This is a starting point from which an organization can quickly launch and deploy workloads and applications with confidence in their security and infrastructure environment.

The Landing Zone Accelerator on AWS solution

AWS built the LZA solution to significantly reduce the time it takes for customers to set-up a landing zone designed to align with compliance goals in highly regulated industries. LZA helps customers deploy a cloud foundation that is architected to align with AWS best practices and multiple global compliance frameworks. Using LZA on AWS, customers with highly-regulated workloads and complex compliance requirements can better manage and govern their multi-account environment. The solution is flexible enough to support organisations of all sizes, from small organisations starting on their cloud journey to large enterprises who are “all-in” on AWS.

Note: This solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated.

How the LZA on AWS supports the NCSC cloud guidance

The NCSC’s guidance on using cloud services securely describes 13 actions customers should consider when building cloud environments. The UK-specific implementation guide of the LZA helps UK customers implement an architecture that is not only aligned to AWS best practices, but also specifies additional configurations that can help UK customers to align with the NCSC cloud security guidance. After deployment, customers are free to add configurations that meet their specific organisation’s requirements.

Learn how the LZA on AWS can support each recommended action in the NCSC’s guidance:

1. Adapt to the cloud

LZA helps customers adapt to the cloud by following secure-by-design principles to implement a secure foundation, helping IT teams empower business users to leverage technology to support mission goals by enabling a governed self-service model for IT and cloud resources across the organisation. Customers should not only understand the AWS Shared Responsibility Model with their cloud service provider, but they should also think about a shared responsibility model within their organisation, between the landing zone and the internal customers it supports.

Figure 1. Shared responsibility model including landing zone responsibilities.

Figure 1. The AWS Shared Responsibility Model including landing zone responsibilities.

Figure 1 builds on the standard Shared Responsibility Model, adding a middle tier for the landing zone and landing zone operations. This middle tier should describe what responsibilities the organization will undertake, such as centralised logging for example. This enables the consumers of the organisation’s services to understand where their responsibility for their applications lies. This will be different between organisations based on what capabilities the landing zone offers. To help define the organisation’s shared responsibility model, customers can read further on AWS Cloud Foundations, Cloud Centres of Excellence and building a cloud operating model.

2. Authenticate user identities

LZA recommends the use of AWS IAM Identity Center (successor to AWS Single Sign-On) to authenticate user identities and enable single sign-on access to cloud resources. IAM Identity Center allows customers to integrate with their existing identity stores to simplify the management of their AWS accounts. This also helps make use of existing joiners, movers and leavers processes, and existing authentication policies, such as posture management and multi-factor authentication (MFA).

LZA also lets customers automate the creation of identity and access management (IAM) policies that can be granted to groups of users defined in the existing organisation’s identity store. This helps streamline access to the cloud without having to define and manage another set of identities and processes.

3. Authenticate service identities

Customers can use IAM roles to make sure that service interactions are authenticated and authorised. AWS signs these requests using the AWS Signature Version 4 algorithm. To help customers integrate workloads and services programmatically, AWS provides different mechanisms, such as mutual TLS and Amazon Elastic Compute Cloud (Amazon EC2) roles. When a customer’s service is unable to use these methods and must use long lived credentials (such as API keys), LZA deploys Amazon GuardDuty, which implements monitoring to identify and alert when suspected credential exfiltration has been identified.

4. Apply access controls

Beyond the management of users and groups and permissions through IAM Identity Center, LZA also enables AWS Identity and Access Management Access Analyzer. This service helps users identify overly permissive or unused permissions to help organisations manage their cloud access appropriately.

5. Use automation to enforce security

LZA is designed to automate the configuration of security services to meet AWS best practices for security. The solution manages the automated deployment and configuration of centralised cloud auditing and logging services; security services for continual compliance checks; threat detection; identifying overly permissive policies; data protection services (for example, scanning for personally identifiable information, or PII); security event forensics tooling to help identify the root cause during investigations; and many others.

6. Establish an organisational structure

LZA helps automate the configuration of an organisational structure. The LZA documentation helps organisations plan their structure to meet their unique objectives, while the UK implementation guide defines a generic organisational structure to help organisations get started.

 7. Use workspaces effectively

In an AWS context, the NCSC term “workspaces” are AWS Accounts (not to be confused with user accounts). AWS Accounts are formal security boundaries, limiting the scope of impact between users and teams. LZA automates the deployment of AWS Accounts and the configuration of appropriate governance and guardrails, such as centralised logging to a central environment; budgets to govern spend, networking, and security services like threat detection and notifications to a central security team account. The LZA best practices template deploys the following default account structure displayed in Figure 2.

Figure 2. The diagram shows the basic account structured created by the LZA best practices configuration, coupled with additions made in the implementation guidance to support the NCSC guidance.

Figure 2. The diagram shows the basic account structured created by the LZA best practices configuration, coupled with additions made in the implementation guidance to support the NCSC guidance.

8. Protect networked services

LZA offers a comprehensive network automation capability, starting by allowing customers to define and manage their IP address to allow broad firewalls rules to isolate traffic and help prevent misallocation of overlapping ranges. LZA can support multiple network operating models, either centralised or decentralised, offering the ability to automate router (AWS Transit Gateway), network (Amazon Virtual Private Cloud (Amazon VPC)), firewall deployment (AWS Network Firewall) and DNS (Amazon Route 53), among others. This helps customers enforce strong network isolation for both north/south and east/west.

9. Establish observability

Establishing observability with reliably stored and protected logs is essential to building actionable insights to detect and respond to events. LZA configures a robust logging strategy by deploying cloud auditing services (AWS CloudTrail) across AWS accounts in the organisation and storing an immutable copy of the logs in a tightly governed central log archive account. It also configures security service logging, such as with Amazon GuardDuty, Amazon VPC flow logs, AWS Security Hub, and AWS IAM Access Analyzer, among others. LZA builds an effective log monitoring strategy using Amazon CloudWatch to allow users to send system and application logs to their local account, which again are replicated to the central log archive account. LZA automatically sets up alerting based on specific criteria, such as anomalous login activity and alarms. Finally, it provides a notification mechanism that users and security teams can use to get notified of security events.

10. Prepare for an incident

While LZA doesn’t specifically help define an incident response plan, it does provide capabilities and services that can help organisations respond to incidents. Additionally, LZA can configure Amazon Detective, which simplifies the investigative process and helps security teams conduct faster and more effective investigations. With the Amazon Detective prebuilt data aggregations, summaries, and context, customers can quickly analyse and determine the nature and extent of possible security issues.

11. Protect secrets carefully

LZA helps customers protect secrets carefully with AWS Secrets Manager, which helps manage, retrieve, and rotate database credentials, API keys, and other secrets throughout their lifecycles. Secrets Manager also implements monitoring and alerting to identify and notify local admins and security teams if suspicious activity associated with credential use is identified. Additionally, customers can implement Amazon CodeGuru to identify any hard-coded secrets in their application code. Finally, secrets that LZA creates and utilises are protected using customer managed keys with AWS Key Management Service (AWS KMS).

12. Protect your data

LZA provides many data protection controls, such as helping prevent users from anonymously sharing data, through Amazon Simple Storage Service (Amazon S3) Block Public Access, security controls that look for overly permissive access policies or network controls, or preventative controls to enforce encryption at rest through service control policies. LZA also supports Amazon Macie, which can identify sensitive data that might be stored without the appropriate compliance controls in place.

 13. Maintain security over time

LZA is an officially supported AWS solution. AWS manages the solution and periodically releases updates to both the deployment engine and the best practices architecture. LZA has been designed to allow users to implement these updates with ease and benefit from the investment AWS makes to keep landing zones up-to-date and designed with the most current security best practices.

Getting started with LZA on AWS for UK customers

Visit the UK public sector getting started page to find resources you can use to start skilling up and implementing a landing zone with the Landing Zone Accelerator on AWS.

If you are looking for support in designing, building and operating a landing zone, AWS Professional Services, AWS Managed Services, and the Amazon Partner Network can help.

If you would like to find out more, please contact the AWS Public Sector team.