Built on Control Tower
Find this blog interesting? Make sure you register and join us on Nov 17 for an AWS Control Tower Activation Day.
Control Tower and BoCT Overview
Cloud transformation is a large undertaking. The setup and governance can be complex and time-consuming, slowing down the very innovation you are trying to speed up. Many organizations decide to implement AWS Control Tower because it provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone.
AWS Control Tower (CT) creates your landing zone using AWS Organizations, bringing ongoing account management and governance and implementing best practices based on AWS’s experience working with thousands of customers as they move to the cloud. Implementing Control Tower is the obvious first step for many large organizations, but determining the what and how of enhancing the default functionality to meet the enterprise’s needs requires a partner with extensive experience.
BoCT is an accelerator program driven by partner expertise and contributions, which expedites AWS adoption with a focus on account management and governance. Its core methodology is a 4×4 functional approach, centering on four automations for four processes: accelerating the landing zone setup, implementing third-party software and data solutions, reusing best-practice customizations, and advanced observability for managing and tracking cost.
The components covering the 4×4 include Account Vending through CT, identifying and implementing AWS Marketplace solutions, development of self-service and sharing through the AWS Service Catalog, and insight into cost control ranging from budgets to licensing. This is achieved by using standardized components, compliant usage, reusable patterns, automation at scale, agility with governance, and oversight with accountability.
AWS has developed a proven multistage approach to help customers meet their goals and objectives. The sequential progression entails Discover & Engage, Safe & Secure Landing Zone, Deploy Approved Patterns (Service Catalog), and the Final Review Workshop. Committing to the process results in expedited best-practice foundations, faster software procurement, and enhanced cost management and governance.
Stelligent’s engagement approach will quick-start your learning journey. You will weigh the pros and cons in order to make an informed choice, see demos, and develop PoCs to experiment with your own workloads in mind. You can work with Stelligent to create a prescriptive, time-boxed engagement that helps you eliminate inertia.
Stelligent BoCT Offerings
Customizations for Control Tower (CfCT) is an orchestration pipeline that integrates with Control Tower to deploy custom account baselines and configuration requirements for advanced enterprises. Organizations can add customizations to the AWS Control Tower landing zone using AWS CloudFormation templates and service control policies (SCPs), then deploy those templates and policies to individual accounts and organizational units (OUs) within the organization. The solution integrates with AWS Control Tower lifecycle events so that resource deployments stay in sync with your landing zone as accounts are created or moved.
Stelligent has supported numerous CfCT implementations, and through partnering with AWS has developed the expertise to quickly deliver the solution with future optimizations in mind to reduce technical debt.
Industry Best Practices
Financial Services, Healthcare & Lifesciences, Government, Tech & Media, and Travel & Hospitality share similar technical challenges. Regulations, auditing requirements, compliance, and security stand out as top priorities. Our extensive experience implementing controls for FFIEC, HIPAA, CIS, CMMC, NIST, FedRAMP, and other compliance requirements stands out within the AWS partner ecosystem.
Stelligent has 15 years of working in lockstep with these industries, giving senior management peace of mind when adopting new DevOps and cloud technology. Our process reflects the AWS Cloud Adoption Framework (CAF) Security Perspective, focusing on Identity and Access Management, Detective Controls, Infrastructure Security, Data Protection, and Incident Response.
Enterprise OU and Account Structuring
The base Control Tower deployment is designed to cover basic management and governance requirements. In reality, however, highly regulated enterprises have complex team structures and compliance and auditing requirements that call for a significantly more complex OU and account structure. Typical drivers for that structure include data redundancy, decoupling IAM access between accounts, reducing blast radius, and enabling the full suite of security and observability tools.
Control Tower is the preferred AWS tool for implementing preventive and detective controls as part of account baselining. While the standard console orchestration implements 20 guardrails natively, CfCT lets customers add their own SCPs and AWS Config rules to cover the rest of their compliance requirements.
One of Stelligent’s core competencies is developing preventive and detective controls. We have identified reusable AWS Config, SCP, and cfn-nag artifacts from dozens of past projects for commonly requested compliance requirements. These include ensuring encryption, validating least privilege, and limiting traffic into accounts by checking security group and network ACL configurations.
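As an added illustration of the kind of detective control described above (example code written for this page, not one of Stelligent’s artifacts), the following is the evaluation logic of an AWS Config custom rule that flags security groups allowing ingress from anywhere to administrative ports or to all ports. It uses the real field names of an AWS::EC2::SecurityGroup configuration item, but makes no AWS calls: the sensitive-port list is an assumed baseline, the group IDs and office CIDR are constructed samples, and a deployed rule would pass the returned evaluation to config.put_evaluations() instead of simply returning it.

```python
"""Detective control: flag EC2 security groups that allow ingress from
anywhere (0.0.0.0/0 or ::/0) to administrative ports, or to all ports.

Written in the shape of an AWS Config custom Lambda rule, but kept
self-contained: nothing here calls AWS, and the configuration items at
the bottom are constructed samples, not data from a real account."""
import ipaddress
import json
from typing import Dict, List, Tuple

# Assumption: a typical baseline of ports that must never be open to the
# internet. Tune to the compliance requirement you are implementing.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
ANNOTATION_LIMIT = 256  # Config rejects longer annotations


def is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (prefix length zero), False otherwise."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def covers_sensitive_port(perm: dict) -> bool:
    """True if an ipPermission spans every port or any sensitive port."""
    if perm.get("ipProtocol") == "-1":        # all protocols, all ports
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:              # no port range recorded
        return True
    return any(lo <= port <= hi for port in SENSITIVE_PORTS)


def evaluate_security_group(configuration: dict) -> Tuple[str, str]:
    """Evaluate the 'configuration' block of an AWS::EC2::SecurityGroup
    configuration item; returns (ComplianceType, Annotation)."""
    findings: List[str] = []
    for perm in configuration.get("ipPermissions", []):
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
        for cidr in cidrs:
            if is_anywhere(cidr) and covers_sensitive_port(perm):
                proto = perm.get("ipProtocol")
                ports = "all" if proto == "-1" else (
                    f"{perm.get('fromPort')}-{perm.get('toPort')}")
                findings.append(f"{proto}/{ports} open to {cidr}")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:ANNOTATION_LIMIT]
    return "COMPLIANT", "No internet-wide ingress to sensitive ports"


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point in the form Config invokes custom rules with. A deployed
    rule would hand the returned dict to config.put_evaluations(); here it
    is returned so the logic can be exercised offline."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Not a security group"
    else:
        compliance, note = evaluate_security_group(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def _sample_event(sg_id: str, permissions: list) -> dict:
    """Build a constructed Config invocation event for one security group."""
    item = {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": sg_id,
        "configurationItemCaptureTime": "2021-11-01T00:00:00.000Z",
        "configuration": {"groupId": sg_id, "ipPermissions": permissions},
    }
    return {"invokingEvent": json.dumps({"configurationItem": item})}


# Constructed samples (hypothetical group IDs; 203.0.113.0/24 stands in
# for an office range).
SAMPLE_EVENTS = [
    _sample_event("sg-open-ssh", [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]),
    _sample_event("sg-open-v6-rdp", [
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
         "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]),
    _sample_event("sg-all-traffic", [
        {"ipProtocol": "-1", "ipRanges": [{"cidrIp": "0.0.0.0/0"}],
         "ipv6Ranges": []}]),
    _sample_event("sg-public-https", [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]),
    _sample_event("sg-office-ssh", [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "203.0.113.0/24"}], "ipv6Ranges": []}]),
]


def run_samples() -> Dict[str, str]:
    """Evaluate every sample; returns {groupId: ComplianceType}."""
    results = {}
    for event in SAMPLE_EVENTS:
        evaluation = lambda_handler(event)
        results[evaluation["ComplianceResourceId"]] = evaluation["ComplianceType"]
    return results


if __name__ == "__main__":
    for sg_id, status in run_samples().items():
        print(f"{sg_id}: {status}")
```

Note that a public HTTPS listener is reported as compliant: the control is about administrative and database ports, not about blocking all internet ingress, so the sensitive-port set is where the organization’s own requirement gets encoded. Pairing a rule like this with an SCP that denies ec2:AuthorizeSecurityGroupIngress outside an approved pipeline role gives the preventive half of the same control.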
Advanced Security and Observability Patterns
Properly implementing AWS security and observability patterns in a multi-account environment at scale requires dozens of additional add-ons and SCPs. The default Control Tower implementation is limited in the services it activates and aggregates through Security Hub. Findings from GuardDuty, IAM Access Analyzer, and Inspector, together with CloudWatch security logs and CloudTrail access details, are critical inputs to a best-practice security architecture. Our codified add-ons quickly secure the workload accounts by enabling these services and configuring aggregation into accounts to which only the security team has access.
Observability is critical for responding to issues in the cloud. Our enhancements aggregate the entire CloudWatch spectrum (Alarms, Events, Logs, etc.) into a single dashboard in AWS and can be integrated with tools like ServiceNow, ELK, and Splunk.
Enhanced Orchestration and Deployment
CfCT is potentially the most important orchestration pipeline for your AWS environments. Therefore, reducing lead time for changes and deployment misconfiguration should be a major consideration.
Stelligent has developed a multi-layered approach to increasing agility that allows engineers to deploy changes without the risk of disrupting core services and access. This is achieved by running two instances of the CfCT solution: a Golden Pipeline and an Agile Pipeline. The Golden Pipeline contains the core security, observability, and SCP codebase; minimizing pushes to that repository reduces the chance of errors reaching key services and configurations. The Agile Pipeline is where additional account baselines, OU-specific SCPs, and experimentation take place.
Extensive Add-On Library
Many of the features listed above are implemented through our extensive Add-On library, consisting of hundreds of CloudFormation templates that enable various best-practice account architectures for different industries and company sizes. These accelerators save both time and money, as developing them from the ground up can take months or years.