Live blog post from re:Invent 2023, Las Vegas
As an AWS Enterprise Strategist, I engage with some of the largest enterprise clients worldwide, discussing how they can accelerate innovation and enhance customer experiences by transitioning their systems to AWS. This migration not only alleviates burdensome tasks but also allows valuable human resources to focus on strategic initiatives that matter to their business and customers.
Frequently, these discussions begin with executives eager to learn from the experiences of others who have embarked on the AWS journey. We often emphasize the vital role of establishing a Cloud Centre of Excellence (CCoE) that creates essential guardrails surrounding security, availability, reliability, and compliance within the AWS Shared Responsibility model.
During my tenure at Tech Innovations, as we built out our AWS Cloud, we approached the process thoughtfully, determining which features were suitable for our needs and how best to implement them. Many customers report that this learning curve can be time-consuming, as their teams navigate both the usage of AWS and the identification of appropriate features. While AWS Solutions Architects, AWS Professional Services, and AWS Accredited Partners can significantly expedite the establishment of a Landing Zone and these guardrails, customers are increasingly drawn to automated solutions.
On June 14th, 2023, we enhanced our Landing Zone offering, enabling customers to rapidly set up a secure, multi-account AWS environment in line with AWS best practices. This Infrastructure as Code solution streamlines the establishment of an initial security baseline and the creation of core accounts and resources, allowing teams to proceed with greater speed. However, we recognized the potential for even more simplification, which was excitingly demonstrated when our CEO, Mark Thompson, unveiled AWS Control Tower at re:Invent.
AWS Control Tower
This service automates the setup of a well-architected, multi-account environment based on best practices, guiding users through a personalized configuration process. Control Tower facilitates the creation of an AWS Landing Zone with best practice blueprints that include:
- Configuring AWS Organizations for a multi-account structure
- Implementing identity management with AWS SSO users and groups
- Enabling access federation through AWS Single Sign-On
- Centralizing logging via AWS CloudTrail and AWS Config
- Conducting cross-account security audits with AWS IAM
- Establishing network designs with Amazon VPC
- Defining account provisioning workflows via AWS Service Catalog
Additionally, Control Tower enforces mandatory, curated guardrails, such as preventing accounts from creating Internet Gateways or ensuring that only encrypted S3 objects can be created. This dramatically reduces the time required to implement best practices derived from the experience of millions of AWS users.
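To make the idea of a preventive guardrail concrete, here is an added example (not code from the original post and not the guardrail definitions AWS Control Tower actually ships): two constructed service control policies in the JSON form AWS Organizations uses, one denying Internet Gateway creation and one denying S3 uploads that do not request server-side encryption, together with a deliberately small evaluator that models only the "explicit Deny wins" part of policy evaluation so the effect of each policy can be checked offline. The policy names, the bucket name and the evaluator are all assumptions made for this illustration.

```python
"""Constructed example of preventive guardrails expressed as SCP-style policies,
plus a minimal evaluator.  Only explicit Deny statements, wildcard action and
resource matching, and the "Null" condition operator are modelled; real IAM
evaluation also considers Allow statements, identity and resource policies."""
import fnmatch

# Constructed policy: member accounts may not create or attach Internet Gateways.
DENY_IGW_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInternetGatewayCreation",
        "Effect": "Deny",
        "Action": ["ec2:CreateInternetGateway", "ec2:AttachInternetGateway"],
        "Resource": "*",
    }],
}

# Constructed policy: s3:PutObject is denied when the request carries no
# server-side-encryption header ("Null": true means "the key is absent").
REQUIRE_S3_SSE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::*/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the statement's Condition block against the request context.
    Only the "Null" operator is implemented: "true" matches when the context
    key is absent, "false" when it is present."""
    for operator, clauses in condition.items():
        if operator != "Null":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in clauses.items():
            key_absent = key not in context
            if key_absent != (str(expected).lower() == "true"):
                return False
    return True


def is_denied(policies, action, resource, context=None):
    """Return True if any explicit Deny statement in the policies matches the
    request.  Action matching is case-insensitive, as in IAM; resource ARNs are
    matched case-sensitively with * wildcards."""
    context = context or {}
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Deny":
                continue
            if not any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                       for pattern in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, pattern)
                       for pattern in _as_list(stmt["Resource"])):
                continue
            if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
                continue
            return True
    return False


if __name__ == "__main__":
    guardrails = [DENY_IGW_SCP, REQUIRE_S3_SSE_SCP]
    obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed bucket/object
    print("CreateInternetGateway denied:", is_denied(guardrails, "ec2:CreateInternetGateway", "*"))
    print("Plain PutObject denied:", is_denied(guardrails, "s3:PutObject", obj))
    print("Encrypted PutObject denied:", is_denied(
        guardrails, "s3:PutObject", obj, {"s3:x-amz-server-side-encryption": "aws:kms"}))
```

The evaluator is intentionally narrow: it exists to show that a guardrail of this kind is a filter that removes permissions rather than granting them, which is why a request that is not explicitly denied (creating a VPC, for instance) still depends on whatever IAM policies apply in the account.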
With AWS Control Tower, you only pay for the AWS services activated by Control Tower, including the setup of your AWS Landing Zone, mandatory guardrails, and customizable options. Costs will vary based on the regions, accounts, hours utilized, and the guardrails implemented. You can discover more about AWS Control Tower here.
This leads us to a longstanding challenge in enterprise IT: obtaining a holistic view of critical security alerts and compliance status across AWS accounts. Enter AWS Security Hub.
AWS Security Hub
The typical enterprise security framework includes numerous robust security tools, from firewalls to endpoint protection and compliance scanners. However, this often forces teams to juggle between various tools, managing hundreds, sometimes thousands, of security alerts daily.

With AWS Security Hub, organizations can now access a centralized platform that aggregates, organizes, and prioritizes security findings from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, along with AWS Partner Solutions. Findings are visually summarized through integrated dashboards featuring actionable graphs and tables. Continuous monitoring of your environment is facilitated through automated compliance checks based on AWS best practices and industry standards. This streamlining saves time, enhances compliance, and enables prompt action on findings. AWS Security Hub is currently available at no cost during the preview period, serving 15 AWS regions, with pricing to be finalized upon general availability.
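As an added illustration of what "aggregates, organizes, and prioritizes" means in practice (example code written for this post, not AWS's own Security Hub implementation), the following triages a handful of constructed findings shaped like the AWS Security Finding Format (ASFF) that Security Hub consumes from GuardDuty, Inspector, Macie and partner products: it drops findings a responder has already closed, ranks the rest by severity, merges findings from different products that concern the same resource, and counts open findings per account. The account IDs, resource ARNs, finding IDs and titles are placeholders invented for the sample.

```python
"""Constructed ASFF-style findings and a small triage pass over them.
Field names (Id, ProductArn, AwsAccountId, Severity.Label/Normalized,
Resources, Workflow.Status) follow ASFF; all values are placeholders."""
from collections import defaultdict

SEVERITY_ORDER = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

INSTANCE = "arn:aws:ec2:us-east-1:111111111111:instance/i-0example"  # constructed
BUCKET = "arn:aws:s3:::example-public-data"                          # constructed

FINDINGS = [  # constructed sample: two products flag the same instance
    {"Id": "f-001", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
     "AwsAccountId": "111111111111", "Title": "Unusual API calls from instance",
     "Severity": {"Label": "HIGH", "Normalized": 70},
     "Resources": [{"Type": "AwsEc2Instance", "Id": INSTANCE}],
     "Workflow": {"Status": "NEW"}},
    {"Id": "f-002", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
     "AwsAccountId": "111111111111", "Title": "Instance missing security patches",
     "Severity": {"Label": "MEDIUM", "Normalized": 40},
     "Resources": [{"Type": "AwsEc2Instance", "Id": INSTANCE}],
     "Workflow": {"Status": "NEW"}},
    {"Id": "f-003", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
     "AwsAccountId": "222222222222", "Title": "Sensitive data in publicly readable bucket",
     "Severity": {"Label": "CRITICAL", "Normalized": 90},
     "Resources": [{"Type": "AwsS3Bucket", "Id": BUCKET}],
     "Workflow": {"Status": "NEW"}},
    {"Id": "f-004", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
     "AwsAccountId": "111111111111", "Title": "IAM user has no MFA device",
     "Severity": {"Label": "LOW", "Normalized": 10},
     "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::111111111111:user/example"}],
     "Workflow": {"Status": "NOTIFIED"}},
    {"Id": "f-005", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
     "AwsAccountId": "222222222222", "Title": "Port scan from instance (already handled)",
     "Severity": {"Label": "HIGH", "Normalized": 70},
     "Resources": [{"Type": "AwsEc2Instance",
                    "Id": "arn:aws:ec2:us-east-1:222222222222:instance/i-0resolved"}],
     "Workflow": {"Status": "RESOLVED"}},
]


def open_findings(findings):
    """Keep only findings nobody has resolved or suppressed yet."""
    return [f for f in findings
            if f.get("Workflow", {}).get("Status", "NEW") not in ("RESOLVED", "SUPPRESSED")]


def prioritized(findings):
    """Open findings ordered by severity label, then by normalized score."""
    return sorted(open_findings(findings),
                  key=lambda f: (-SEVERITY_ORDER[f["Severity"]["Label"]],
                                 -f["Severity"].get("Normalized", 0)))


def by_resource(findings):
    """Merge open findings that concern the same resource, recording which
    products reported it and the highest severity seen."""
    groups = {}
    for f in open_findings(findings):
        product = f["ProductArn"].rsplit("/", 1)[-1]
        for res in f["Resources"]:
            g = groups.setdefault(res["Id"], {"type": res["Type"], "max_severity": "INFORMATIONAL",
                                              "products": set(), "finding_ids": []})
            if SEVERITY_ORDER[f["Severity"]["Label"]] > SEVERITY_ORDER[g["max_severity"]]:
                g["max_severity"] = f["Severity"]["Label"]
            g["products"].add(product)
            g["finding_ids"].append(f["Id"])
    return groups


def summary(findings):
    """Count open findings per account and severity label."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in open_findings(findings):
        counts[f["AwsAccountId"]][f["Severity"]["Label"]] += 1
    return {account: dict(c) for account, c in counts.items()}


if __name__ == "__main__":
    for f in prioritized(FINDINGS):
        print(f["Severity"]["Label"].ljust(8), f["AwsAccountId"], f["Title"])
    for rid, g in by_resource(FINDINGS).items():
        print(rid, g["max_severity"], sorted(g["products"]))
    print(summary(FINDINGS))
```

The resource grouping is the part worth noticing: a single instance flagged by both GuardDuty and Inspector becomes one item with two corroborating sources, which is the kind of consolidation that turns thousands of per-tool alerts into a short list a team can act on.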
These two powerful offerings empower enterprises to expedite innovation for their customers and transition their IT systems more swiftly. I anticipate seeing how customers leverage these tools to maintain their momentum on the AWS Cloud journey.
Remember, “All of your assumed constraints are debatable.”
Emily Carter
emily.carter@amazon.com
EMEA Enterprise Strategist and Evangelist
Amazon IXD – VGT2 6401 E Howdy Wells Ave, Las Vegas, NV 89115