Landing Zone Accelerator on AWS

Tom is an enterprise’s IT manager who leads a team that is responsible for driving the company’s cloud transformation. They have started a project on AWS Landing Zone with Control Tower, with the aim to introduce the number of benefits that their cloud service partner had been talking about for quite some time. Tom and the team are conscious that there can be various approaches on many aspects. They also have questions; for example, after the Control Tower managed Landing Zone is deployed, how can they maintain the best practices, prevent architectural and operational drifts – on the ongoing basis. They are in a sector that demands greater and greater data security governance so logically they would like the peace of mind knowing that the Control Tower structure will continue to fulfil this purpose, without risking itself becoming a toolset that is too complex, for their relatively small team. Their cloud service partner suggested for them to consider Landing Zone Accelerator. 

The Landing Zone Accelerator (LZA) on AWS solution focuses on landing zone solutions that align with AWS best practices and multiple global compliance frameworks. It is highly recommended for customers with highly-regulated workloads and complex compliance requirements (LZA itself does not guarantee compliance status but helps an organisation’s journey to those compliance frameworks), as well as any institutional customers that do not require high degree of customisations to their Control Tower setup. LZA helps to better manage and govern multi-account AWS environments through a streamlined, low-code, yet comprehensive solution. 

Let’s revisit what a landing zone is first. 

‘A landing zone is a well-architected, multi-account AWS environment that is scalable and secure. This is a starting point from which your organisation can quickly launch and deploy workloads and applications with confidence in your security and infrastructure environment. Building a landing zone involves technical and business decisions to be made across account structure, networking, security, and access management in accordance with your organisation’s growth and business goals for the future.’ – AWS documentation

So ultimately a landing zone is a foundational structure that as a starting point, can enable quality approaches on:


Migrations to AWS

New workload developments

Continued iteration and extension over time


As discussed in previous blog pieces, you do not have to have Control Tower with a Landing Zone setup, though enterprise and government entities will typically see the compelling benefits of a Control Tower managed Landing Zone solution. 


Landing Zone Accelerator on AWS (LZA)

LZA offers accelerated solution on the primary components of Control Tower Landing Zone environments:

The security governance controls and 

The cloud infrastructure foundation

At the heart of the LZA is an ongoing pipeline to deploy core landing zone infrastructure, with emphasis on Automation, Data Security, Compliance and Support. 

LZA is an open-source solution. Yaml based configuration files and GitHub project are inputs to the LZA which in turn will provision the feature/issue iterations to the AWS environments.

Below is a descriptive diagram by AWS on where LZA fits:



A few keywords describing LZA would be: streamlined, low-code, less-customised (comparing to CfCT)

Major solution benefits include:

Build a secure, compliant, multi-account foundational AWS environment in days instead of months or years
Automated implementation
Reducing defects in code as it comes with a single managed codebase
Prescriptive

LZA does not have to have Control Tower as it can work directly with AWS Organisations. But similar to what we mentioned earlier, Control Tower is the typical approach that LZA works on top of. 

There are mandatory accounts LZA needs: Management, Audit and LogArchive (please note it is not Log Archive, e.g., no space between the two words. When the Log Archive account was provisioned by previous Control Tower implementation, renaming was needed to remove the space.)

The following additional prerequisites apply:

AWS Code Commit, Code Build, Code Pipeline
GitHub


Below is an example LZA enabled cloud account structure provided by AWS for the ease of concept understanding:


The LZA configuration files are the primary user input interaction points. They are yaml files, easy to grasp, and straightforward to edit. A total of seven configuration files apply:

accounts-config.yaml
global-config.yaml
iam-config.yaml
network-config-yaml
organization-config.yaml
security-config.yaml
customizations-config.yaml (optional)

Below is a screenshot of the CodeCommit page, depicting six configuration files:




Clicking on a file name will allow viewing and editing of its lines.

A global-config.yaml file may start with looking like this:



As we can see, toggling line values from false to true, and adding additional inputs (snippets) are quite straightforward. Same goes for all other configuration files, such as network-config.yaml, where you can supply detailed network configuration inputs.

AWS has provided sample configurations for various sectors, like for education, healthcare, finance, etc, to be used as ready blueprints, based on which further specific inputs can be done. 

LZA’s source code is open source, GitHub based. A CodeBuild project is utilised to run the LZA pipeline CDK project to deploy LZA. The pipeline uses AWS CodeBuild to orchestrate for each action’s completion. Here are the orchestration flow steps: 

1. Source 
  1.1. Source 
  1.2. Configuration
2. Build 
3. Prepare 
4. Accounts 
5. Bootstrap
6. Review (optional) 
  6.1. Diff 
  6.2.  Approve 
7. Logging 
  7.1. Key 
  7.2. Logging 
8. Organization 
9. Security_Audit 
10. Deploy 
  10.1. Network_Prepare 
  10.2. Security 
  10.3. Operations 
  10.4. Network_VPCs 
    10.4.1. NetworkVpcStack 
    10.4.2. NetworkVpcEndpointsStack 
    10.4.3. NetworkVpcDnsStack 
  10.5. Security_Resources 
  10.6. Network_Associations 
    10.6.1. NetworkAssociationsStack 
    10.6.2. NetworkAssociationsGwlbStack 
  10.7. Finalize 

Sample screenshots are provided below as a visual guide:



Above is just a quick explanation on why LZA can claim to accelerate the build of a secure, compliant, multi-account foundational AWS environment from months to days, and can provide ongoing acceleration on continued iteration and extension over the years to come for an organisation. 


It is to note that Landing Zone Accelerator on AWS (LZA) takes a different approach to CfCT (Customizations for AWS Control Tower). If we compare the angles that CfCT and LZA take at an ultra high level:

- CfCT is for the customisation capabilities 

- LZA is for the prescriptive, streamlined approach 

In real world scenarios, since a majority of the organisations may not need or desire high levels of customisation, LZA would be the path that more organisations take. Both CfCT and LZA are growing and evolving in their capabilities and reach. It will be exciting to see how they help more with the cloud transformation journeys in the coming years.  

                                                                                                        -- Simon Wang








Comments

Post a Comment

Popular posts from this blog

Fairness Evaluation and Model Explainability In AI

Image
Artificial Intelligence (AI) relies on machine learning and its modelling to provide outcomes. Imagine a credit card company receives hundreds of thousands of applications each year and would like to use AI to do the first round of application filtering. If it is not developed properly, the AI decisions will be skewed with unfairness – such as rejecting a lot more applications from a certain age group, from a certain gender, or from a certain employment history pattern – UNFAIRLY. Please note unfairness is the key issue here – in other words, AI and machine learning inference that is not reflecting the due course in actual situations. This is typically called bias in AI and machine learning. Biases can come from various stages of a machine learning life cycle: • Biases may exist in the pre-training data -  e.g., the dataset to be used in machine learning training has biases in it • Biases may be introduced by the machine learning exercise  Below is a machine learning lifecycle char
Read more

AWS and Generative AI

Image
 Generative Artificial Intelligence, or Generative AI, GenAI, is one of the hottest topics in the recent months. You would ‘have to be living under a rock to not notice this massive topic’.  ‘Generative AI is a branch of AI that focuses on creating new data. It is a subset of machine learning. The goal of generative AI is to create new data that is similar to the data that was used to train the model.’ – texts generated by an AI tool.  Recently I experimented a couple of random text-to-image GenAI tools to observe how generative AI can create contents and how the data generated by different GenAI tools trained by different models is different. My experiment was straightforward: text-to-image GenAI tools ask you to provide some texts as a prompt, and then use this input to generate an image. So that was what I did. The prompt I supplied was: ‘female student graduation photo in front of a white building with flowers in hand in Paris’. Both GenAI tools I tested could output an image withi
Read more

Amazon CloudFront and Its Primary and Secondary Origins

Nowadays most of the online contents are web service based. A user accesses a specific content, for example a web page, by connecting their client end application (like a web browser) running on their desktop or mobile computing device to the server that hosts the web page. There are billions of websites and webpages. DNS services, online search engines and links on well known ‘portal’ websites help people to find and locate the contents they would like to visit.  A user’s web client device and the server it visits can be worldly apart: for example, let’s think of a user in Tasmania, Australia that uses its smart phone to visit a website hosted on a server that locates in a data centre in Montreal, Canada, which is more than sixteen thousand kilometres away. They are connected by the Internet. The Internet comprises of millions of inter-connected networks. Traffic on the Internet is routed between the users and the servers through those inter-connected networks in-between. Using the ab
Read more