Provisioning Secure, Compliant, and Operations-Ready Accounts on AWS
AWS Accounts form the foundations of your operating environments. An AWS Account serves as a container for your AWS resources including configuration of services, security & compliance controls, cost controls, and scaling. As a best practice, each and every application or project should deploy into its own AWS Account. The need to deliver hundreds or even thousands of distinct applications, each with their own AWS Account, brings new challenges for enterprises.
How do you ensure provisioning of AWS Accounts scales and doesn’t become a bottleneck to deployment? How do you ensure consistency in guardrails and security controls? How can you deploy AWS Accounts with standardized sets of resources for networking and observability? How do you achieve both autonomy and governance?
The Mphasis Stelligent Enterprise Account Factory delivers the capability for DevOps teams to develop and provision validated and standardized AWS Accounts. These AWS Accounts are provisioned with enterprise-standard resources for networking, security, and observability. DevOps teams gain the capability to define, build, validate, and publish standardized AWS Account products that enforce quality, security, and governance. Product and development teams are empowered to deploy validated AWS Accounts on demand, without involving operations teams, and with confidence that they meet enterprise operational standards.
Enterprise Account Factory builds on the AWS Control Tower offering which provides an easy way to set up and govern a secure, multi-account AWS environment (Landing Zone). Customizations for AWS Control Tower allows for deployment of custom resources and Service Control Policies. Enterprise Account Factory extends this capability further by adding the capability to define complex sets of Account controls and guardrails and to enforce them through the deployment pipeline.
AWS Account Guardrails and Controls
DevOps teams, driven by enterprise requirements, define and codify guardrails and controls that apply globally to all AWS Accounts. These controls set standardized guardrails for configuration of AWS Accounts, Service Control Policies, Cost Controls, and Security & Compliance Controls. Complex configuration and operational controls can also be defined for global resources, such as networking, security, and observability services, that are deployed in every AWS Account. Account controls are written in the form of templates consumed by Stelligent’s cfn_nag open source tool or AWS CloudFormation Guard. This capability allows you to execute ‘unit tests’ of candidate Account Products that enforce enterprise requirements.
AWS Account Products
With global standards for AWS Accounts in place, DevOps teams can now build AWS Account Products for deployment. Account Products are templates that define configuration of the AWS Accounts, related Service Control Policies, and any global resources that are deployed along with the account. These templates can be stored in AWS CodeCommit for versioning of new or updated templates allowing for agile management and iteration of Account Products.
When the DevOps team commits a new or modified Account Product template, the Enterprise Account Factory pipeline triggers an instance of AWS CodePipeline that executes the validation and publication automation. The template is sourced, and a series of static analysis checks using Stelligent’s cfn_nag or AWS CloudFormation Guard is executed to validate that the Account Product meets the defined enterprise standards. If the Account Product violates any defined standard, the pipeline fails and provides fast feedback to the developer to correct the misconfiguration. When the template meets all requirements, it is published as a validated Account Product artifact stored in AWS CodeCommit.
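The two passages above describe the same mechanism from two sides: guardrails codified as rules, and a pipeline stage that runs those rules over a candidate Account Product and fails fast on any violation. The following is an added, self-contained illustration of that idea in Python; it is not cfn_nag, not AWS CloudFormation Guard, and not Stelligent’s pipeline code. The rule ids (EAF-001 and so on), the two CloudFormation templates in JSON form, and the placeholder Config role ARN are all constructed for the example.

```python
import json
from dataclasses import dataclass

# Constructed sample Account Product template (JSON form of a CloudFormation
# template) that breaks several of the constructed guardrails below on purpose.
CANDIDATE = json.dumps({"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "AuditTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsLogging": True, "IsMultiRegionTrail": False, "S3BucketName": {"Ref": "LogBucket"}}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "OpsRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "ops", "PolicyDocument": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}}})

# The same product with every guardrail satisfied (the RoleARN is a placeholder).
FIXED = json.dumps({"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "AuditTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsLogging": True, "IsMultiRegionTrail": True, "S3BucketName": {"Ref": "LogBucket"}}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                           "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
    "Recorder": {"Type": "AWS::Config::ConfigurationRecorder", "Properties": {
        "RoleARN": "arn:aws:iam::111122223333:role/PLACEHOLDER-config-role"}}}})

@dataclass(frozen=True)
class Violation:
    rule_id: str      # constructed ids; not cfn_nag or Guard rule ids
    logical_id: str
    message: str

def _of_type(template, rtype):
    return {k: v for k, v in template.get("Resources", {}).items() if v.get("Type") == rtype}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def rule_trail_logging(template):
    """Every CloudTrail trail must be logging and cover all regions."""
    out = []
    for lid, res in _of_type(template, "AWS::CloudTrail::Trail").items():
        props = res.get("Properties", {})
        if props.get("IsLogging") is not True:
            out.append(Violation("EAF-001", lid, "trail must set IsLogging: true"))
        if props.get("IsMultiRegionTrail") is not True:
            out.append(Violation("EAF-002", lid, "trail must be multi-region"))
    return out

def rule_bucket_hardening(template):
    """Every S3 bucket must declare default encryption and block public access."""
    out, flags = [], ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    for lid, res in _of_type(template, "AWS::S3::Bucket").items():
        props = res.get("Properties", {})
        if "BucketEncryption" not in props:
            out.append(Violation("EAF-010", lid, "bucket must declare BucketEncryption"))
        if not all(props.get("PublicAccessBlockConfiguration", {}).get(f) is True for f in flags):
            out.append(Violation("EAF-011", lid, "bucket must block all public access"))
    return out

def rule_no_wildcard_admin(template):
    """No inline role policy may allow Action '*' on Resource '*'."""
    out = []
    for lid, res in _of_type(template, "AWS::IAM::Role").items():
        for pol in res.get("Properties", {}).get("Policies", []):
            for st in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
                if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", []))
                        and "*" in _as_list(st.get("Resource", []))):
                    out.append(Violation("EAF-020", lid, f"policy {pol.get('PolicyName')} allows * on *"))
    return out

def rule_config_recorder_required(template):
    """The product must deploy the enterprise-standard AWS Config recorder."""
    if _of_type(template, "AWS::Config::ConfigurationRecorder"):
        return []
    return [Violation("EAF-030", "<template>", "AWS::Config::ConfigurationRecorder is required")]

RULES = (rule_trail_logging, rule_bucket_hardening, rule_no_wildcard_admin, rule_config_recorder_required)

def audit(template_text):
    """Run every rule over a JSON template and return all violations found."""
    template = json.loads(template_text)
    return [v for rule in RULES for v in rule(template)]

def gate(template_text):
    """Pipeline gate: (passed, report lines). The build stage exits non-zero when passed is False."""
    violations = audit(template_text)
    return not violations, [f"{v.rule_id} {v.logical_id}: {v.message}" for v in violations]

if __name__ == "__main__":
    for name, text in (("candidate", CANDIDATE), ("fixed", FIXED)):
        passed, report = gate(text)
        print(f"{name}: {'PASS' if passed else 'FAIL'}", *report, sep="\n")
```

Run stand-alone, the candidate template fails with five findings (single-region trail, unencrypted and publicly reachable log bucket, a role with `*` on `*`, and no Config recorder) while the fixed template passes. The point the pipeline description makes is the shape of this gate: every rule is a small pure function over the parsed template, the whole rule set runs on every commit, and the report names the rule and the logical resource so the developer gets actionable feedback before anything is published.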
Provisioning AWS Accounts
The validated Account Product can now be provisioned on demand from AWS Control Tower. Full integration with Customizations for AWS Control Tower provides a workflow for creation and modification of AWS Control Tower managed accounts. The Account Product template is executed by AWS CloudFormation, which uses StackSets to provision or update AWS Accounts. API calls to AWS Organizations are made for additional account configuration, including Service Control Policies. Accounts are registered and managed with AWS Control Tower, providing a single operational workflow for all AWS Account management.
The Mphasis Stelligent Enterprise Account Factory solution fully automates the development, provisioning, and operation of AWS Accounts. By codifying the configuration, your organization gains the ability to use standard DevOps practices and tools for the management of AWS Accounts within the AWS Control Tower framework. The solution extends Customizations for AWS Control Tower with the capability to deliver deep and complex controls for globally provisioned AWS services such as Amazon VPCs, Transit Gateways, AWS Config, AWS CloudTrail, AWS IAM, and other services commonly provisioned in all AWS Accounts. Compliance and security of AWS Accounts are codified and enforced by the pipeline and workflow.
With full automation of AWS Account provisioning, developers and business units can now confidently deploy AWS Accounts that are day-one operational and secure. DevOps teams can be confident that all provisioned accounts meet enterprise standards and operate within guardrails for usage, cost, and configuration.
Helping Scale DevOps Capabilities Through Automation
Our mission is to help enterprises accelerate, secure, and modernize software delivery. We do this by building smart automation that allows for efficient delivery at scale. Our frameworks empower your developers to confidently deploy new code while ensuring that quality and security standards are met, so teams develop and deliver quality software quickly and at scale, and develop with confidence while focusing on business growth. To learn more or to speak to a Solutions Architect, please contact us.
Built on Control Tower
Mphasis Stelligent is proud to be an AWS Built on Control Tower Partner and a Management and Governance Partner!
We’ve worked closely with the AWS Control Tower product team to develop our Enterprise Account Factory solution to complement AWS Control Tower functionality. Enterprise Account Factory builds on Customizations for AWS Control Tower and allows you to scale the Account delivery workflow and process.
To learn more about AWS Control Tower, we recommend exploring the AWS Control Tower Workshops.