Secure Your AWS Cloud Foundation: Get Started with AWS

Begin the Infrastructure as Code Journey

Many organizations begin their journey to the cloud with a pilot project. This is the best approach as it allows the organization to prove the value of Infrastructure as Code and a DevOps approach in a small, controlled environment where it can gain acceptance and grow the initiative, rather than employing a sweeping
approach which may be destined to fail under its own weight.

The DevOps model is about process improvement and that is best facilitated by technology. As a result, the most successful pilots begin with a landing zone which provides automation to facilitate standardization and governance. Successful pilots are small and impactful which means that although staff may be eager to dive in and get their hands dirty building a complete, scalable, landing zone, it is more important to do a minimum-viable landing zone and launch the first app.

While landing zones in a pilot environment are not yet customized to meet specific enterprise needs at scale, they should include all the basics, like security and operational best practices. A first pilot can play a gating role in determining your organization’s journey forward. Moreover, it can play a critical role in determining success while also being a great investment for future growth and velocity.

Knowledge Transfer

New technologies require new skills and the pilot team should also allow themselves the time — and resources — to acquire new skills as they will be responsible down the line for helping train additional resources as success spreads and scales throughout the organization.

As such, successful knowledge transfer generally includes:

• Interactivity, with the new team learning skills hands-on working alongside experienced peers
• Participation across the team, ensuring learning is both deep and wide
• Creation of a thorough runbook early in the process
• Correlation of deliverables to specific learnings
• Capture of knowledge training sessions for reference and future training
• A focus on both the ongoing ‘care and feeding’ of the landing zone and how to build upon it in the future
• Pre-configured hands-on labs

For organizations that are new to AWS, there is immense value in knowledge transfer sessions with experienced consultants as they can help your organization achieve a solid start — and provide you with the knowledge to build and expand for ongoing success.

Automate IT Processes at Scale

Following a successful pilot, organizations should focus on remediating any architectural shortcomings and prepare to scale for mass-migration. At this point, an organization’s landing zones should include:

1. Best-practices
2. Customization for the organization’s specific needs
3. Corporate and industry compliance, like CIS compliance
4. Tool preferences
5. Advanced technologies
6. Automation-at-scale

A scalable landing zone is truly enterprise-grade and ready for mass migration to the public cloud, especially when coupled with migration factories for refactoring and/or replatforming strategic applications. Past the migration phase, the landing zone continues to play a key role as a platform for continuous innovation and maximum business impact.

Build a Solid Cloud Foundation

A properly designed and deployed landing zone is the foundation for successful cloud adoption and migration. Because the landing zone is deployed before any applications are migrated to the cloud, it’s imperative to get it right the first time. Just like it’s difficult to make changes to the foundation of a house after it has been built, it is similarly difficult to make changes to the landing zone once applications are deployed. While changes can be made to the landing zone post-deployment, design level changes can result in application redeployment, and with it, additional downtime inefficiencies. Missteps along the way can lead to security risks, unscalable systems, and inefficiencies that can slow processes and overall progress of cloud migration. And while not impossible to modify the landing zone to address missteps, it’s certainly worth avoiding if at all possible by carefully planning and deploying landing zones correctly from the outset. Landing zones are not a one-size-fits-all exercise and there is no standard framework for a cloud landing zone. And, with over 100 decisions to be made to create a unified, secure, scalable and extendable landing zone in AWS, it’s highly recommended organizations have professional advice available. Public cloud consultants are likely to have worked with use cases similar to yours, and as a result, can readily help you sidestep common mistakes, implement best practices, and ultimately make the best technology and process decisions for your unique business needs.

Key Landing Zone Criteria

A well designed and deployed landing zone simplifies decisions without sacrificing outcomes by incorporating:

• Public cloud best-practices
• Consistent security
• Consistent management
• Automation
• Repeatability through Infrastructure as Code

While an enterprise cloud landing zone will feature customized infrastructure to match your specific security, networking, AMI and other needs, key criteria to consider include:

• Deployment of a Continuous Integration/Continuous Deployment (CI/CD) tool, like Jenkins, to build various pipelines for infrastructure provisioning, application, and service deployment.
• Enterprise Transit VPC for high security, scalability and availability needs; Transit VPC is critical for secure, reliable traffic flow between on-premises systems and the cloud.
• Account factory that automates the creation of additional accounts. Consider also creating custom security alarms and account creation workflows.
• EC2 pipelines that automate the creation and publishing of AMIs with custom security tests for AMI compliance.
• A compliance dashboard that monitors the AWS account config and alerts operators if the account goes out of compliance.

Frequently Asked Questions

In this last section, we will address the most frequently asked questions we receive about how to get started with cloud computing.

Q: Security is a top priority for our organization. How do we apply Security by Design principles?

A: Any foray into the public cloud — from a first-time pilot project to ongoing migration at scale — shares responsibility for cloud security via a “Shared Responsibility Model”. Before getting started, it’s important to understand where the responsibility of the public cloud provider ends and where yours begins. For example, AWS operates, manages and controls the components from the host OS and virtualization layer down to the physical security of the facilities where it operates. Its customers are responsible for the management of guest OSs, application software, AWS WAF and more. That said, a security by design approach that embraces the building of security into the cloud foundation and landing zones are indeed foundational. Security should include best practices like log monitoring and archiving; a compliance dashboard to ensure policies (security, regulatory and operational) are all continuously met; DDOS protection; secure network connectivity; policies around IAM roles and responsibilities and more. If you are in doubt about security best practices, we highly recommend you consult with a professional services firm that specializes in this area.

Q: We are in a highly regulated industry. How do we make the transition to AWS while remaining in compliance?

A: The foundation of consistent compliance is often sound security. As a result, we recommend a landing zone that monitors specific regulatory-related controls and objectives. In addition, a compliance dashboard can ensure that the appropriate team members are alerted should a system, configuration, etc. move out of a known, good state. Last, we highly recommend a security by design approach that embeds industry best practices into the cloud foundation.

Q: We are pursuing a multi-cloud strategy. Can landing zones still help?

A. Yes. Not only can they help with individual public cloud adoption, but landing zones can bring enhanced efficiency, greater standardization, and speed adoption of hybrid and multi-cloud/cloud-agnostic service environments.

Complete the form at the right to download the guide.

Flux7, an NTT DATA Company |  Enterprises gain fast time to value from Flux7 cloud implementation, automation and DevOps consulting services and solutions. Bring ideas to life and shorten time to market with modern IT systems and workflows that scale, secure and increase the efficiency of technology service delivery.  Flux7 Premier AWS Consulting Partners provide insight and expertise from 300+ DevOps projects.