Overview

Tech Reformers Account QuickStart enables a secure foundation in the cloud by deploying AWS Control Tower. The following deliverables are part of this engagement:

Plan

• Project kick-off meeting

• AWS Control Tower design and discovery workshop

• Set project goals and objectives.

• Review the AWS Control Tower prerequisites required for deployment.

• Build a backlog of tasks for the project.

• Define the AWS Control Tower use cases.

Design

• Establish a new management account with Organizations and AWS Control Tower structure for Organizational units (OU’s) to establish baselines across all AWS accounts.

• Establish landing zone settings: regions, configurations, access, logging, and encryption.

• Plan authentication and authorization (Identity provider, logging, encryption).

• Plan security controls (NIST 800-53 Rev 5, CIS AWS Benchmarks 1.4, PCI DSS version 3.2.1).

• Design a model single-account and single-VPC AWS environment.

• Design AWS networking components including VPC definitions, subnets, security groups, and transit gateways. Plan IP addressing strategy for the organization.

• Plan tagging strategy.

• Plan centralized billing.

• Plan on establishing connectivity for AWS with VPN or Direct Connect, if required. Develop a detailed architecture design document.

Configure

• Configuration of the landing zone, including AWS best practices in Control Tower.

• Configure Identity and Access Management and, if required, SSO.

• Configure SCP Policies.

• Implement baseline security controls for logging and auditing.

• Implement Account Factory configuration based on design.

• In AWS Organizations, set up Configure Artifact, AWS Backup, AWS IAM Identity Center, AWS Trusted Advisor, CloudTrail, Config, Resource Access Manager, and Systems Manager.

• Implement a tagging strategy as designed for billing and administrative functionality.

• Configure CloudCheckr for centralized billing and monitoring of AWS Well-Architected Framework pillars.

• Develop final as-built documentation.