Implementation of Control Tower and AWS SSO in an existing AWS Organisation
AWS Control Tower offers an easy-to-use and secure landing zone in AWS. It is especially valuable to small and midsize companies, which may not have the capability to design and build a custom solution and rarely have requirements unique enough to justify one.
AWS SSO is an identity federation solution that unifies access to AWS accounts through an identity provider. Control Tower uses AWS SSO to configure access roles, so it is logical to deploy the two together.
Overview
Before AWS Control Tower became available, not every enterprise was willing to use AWS Landing Zone, as it was seen as too big a commitment that would require continuous investment down the line. Many DevOps teams instead chose AWS Organisations with consolidated billing to run their AWS platforms, and used their own internally designed solutions to deploy security controls and shared infrastructure.
After AWS Control Tower was released, these organisations started looking at replacing their setups with what Control Tower offered. Even though the functionality it was released with was limited, IT management rightly judged that following the official guidelines from AWS would be beneficial in the long run. The simplicity and low maintenance of Control Tower were also seen as a plus.
Challenges
Decide on the target state: how much to move under Control Tower versus how much to keep as is
Deployment and partial migration have to be seamless; developers and end users must not be impacted
Existing SSO configuration needs to be retained, so people keep their access
Network must remain unchanged
Use Case
Our client is a mid-sized post-startup company which develops an order management system for retail organisations. This is a high-load system, and the company's commitment to its clients is 24/7 operation with no downtime.
Our client was looking to enhance their security posture and go through a security-related certification process. This was their primary motive for implementing AWS Control Tower, as it comes with all the security controls and guardrails configured to best practices.
Innablr was engaged to identify gaps in the security posture and remediate them, getting the organisation ready for the certifications. Implementing AWS Control Tower was seen as one of the remediation tactics.
Solution
The discovery phase showed that the organisation used AWS Organisations for policies and consolidated billing and had a custom configuration of the workload AWS accounts. AWS SSO was configured with an external SaaS identity provider for staff access to AWS. There was no consistency between different AWS accounts, no dedicated security or logging accounts and no central IP plan. Security mechanisms were in some places misconfigured or not configured at all. AWS Security Hub was not initialised.
The proposed approach was:
Completely de-configure the existing security services
Initialise AWS Control Tower in the management account
Enrol existing accounts into the Control Tower OU-by-OU
Rely on the security controls provided by Control Tower
Use the existing SSO roles for staff access instead of those supplied with Control Tower
Use Control Tower VPC setup for new accounts, leave existing VPCs as is
VPCs with overlapping IP ranges had to be migrated to ensure routability
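The last step of the approach above needs an inventory of which VPCs actually overlap and where they could move to under a central IP plan. The following is an added example, not code from the original case study or from Innablr; the VPC inventory, account IDs, VPC IDs and the 10.0.0.0/8 plan range are all constructed (in practice the inventory would be gathered with ec2:DescribeVpcs in every member account).

```python
"""Pre-enrolment check: find VPCs whose CIDRs overlap across the organisation
and propose replacement ranges from a central IP plan (constructed data)."""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample inventory; account and VPC IDs are made up.
VPC_INVENTORY = [
    {"account": "111111111111", "vpc_id": "vpc-0a1-prod", "cidr": "10.0.0.0/16"},
    {"account": "222222222222", "vpc_id": "vpc-0b2-staging", "cidr": "10.0.128.0/17"},
    {"account": "333333333333", "vpc_id": "vpc-0c3-shared", "cidr": "10.1.0.0/16"},
    {"account": "444444444444", "vpc_id": "vpc-0d4-legacy", "cidr": "172.31.0.0/16"},
    {"account": "555555555555", "vpc_id": "vpc-0e5-legacy", "cidr": "172.31.0.0/16"},
]


def find_overlaps(inventory):
    """Return (vpc_a, vpc_b) pairs whose CIDR blocks overlap.
    Two overlapping ranges cannot both be routed through a shared hub
    (peering or Transit Gateway), so each pair needs a migration decision."""
    return [(a, b) for a, b in combinations(inventory, 2)
            if ip_network(a["cidr"]).overlaps(ip_network(b["cidr"]))]


def allocate_from_plan(plan_cidr, prefixlen, taken):
    """First block of the given prefix length inside plan_cidr that overlaps
    nothing in `taken`; None when the plan range is exhausted."""
    for candidate in ip_network(plan_cidr).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(ip_network(t)) for t in taken):
            return str(candidate)
    return None


def propose_migration(inventory, plan_cidr):
    """Keep the first VPC of each overlapping pair and propose a plan-aligned
    CIDR of the same size for the second. Returns {vpc_id: new_cidr}."""
    taken = [v["cidr"] for v in inventory]
    proposals = {}
    for _keep, move in find_overlaps(inventory):
        if move["vpc_id"] in proposals:
            continue  # already has a proposal from an earlier pair
        new_cidr = allocate_from_plan(plan_cidr, ip_network(move["cidr"]).prefixlen, taken)
        if new_cidr is None:
            raise RuntimeError(f"IP plan {plan_cidr} exhausted for {move['vpc_id']}")
        proposals[move["vpc_id"]] = new_cidr
        taken.append(new_cidr)  # reserve it so later proposals do not collide
    return proposals


if __name__ == "__main__":
    for keep, move in find_overlaps(VPC_INVENTORY):
        print(f"overlap: {keep['vpc_id']} {keep['cidr']} <-> {move['vpc_id']} {move['cidr']}")
    print(propose_migration(VPC_INVENTORY, "10.0.0.0/8"))
```

The proposals are a starting point for the migration plan only; the VPC that is cheaper to re-address should be chosen per pair, and the new ranges then become the fixed allocations in the IP plan.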
Result
Baseline for the security-related certification
Control Tower closes the majority of the gaps in getting the platform certified. The customer successfully attained the certification later on.
Long-term sustainability for the AWS Platform
Control Tower is a landing zone solution supported by the vendor, which ensures an extended lifecycle for the platform
Repeatable out-of-the box account setup
No more need to support the hand-rolled setup for the workload AWS accounts, which allows for cost reduction
Managed network connectivity throughout the platform
Implementation of the Control Tower VPC setup together with a consistent IP plan allows for flexible and transparent connectivity management within the AWS platform