Centralized Governance for a Financial Institution: Orchestrating AWS Accounts with Organization Units

Introduction:

A prominent financial institution, with a vast online footprint and a substantial customer base, faced the challenge of managing multiple AWS accounts across various environments, including development, testing, production, logging, and monitoring. Adhering to stringent financial regulations, such as PCI-DSS, was paramount for ensuring secure and compliant transactions on their high-traffic microservices-based platform.

This case study showcases the successful implementation of AWS Organization Units (OUs) to establish a centralized management structure for the institution’s interconnected AWS accounts. Our expertise in designing and deploying a robust OU architecture, coupled with AWS Control Tower, enabled the client to streamline account governance, enforce consistent policies, and maintain a robust security posture across all accounts, while seamlessly aligning with their compliance obligations. Additionally, we created a landing zone with dashboards and applications, providing a unified view and control over their AWS infrastructure. 

Challenges:

• Managing multiple AWS accounts across various environments (development, testing, production, logging, and monitoring)
• Adhering to stringent financial regulations like PCI-DSS for secure and compliant transactions on their high-traffic microservices-based platform.
• Need for centralized management structure for interconnected AWS accounts.
• Streamlining account governance and enforcing consistent policies across all accounts.
• Maintaining robust security posture across all accounts while aligning with compliance obligations.
• Unified view and control over AWS infrastructure through a landing zone with dashboards and applications.

Timelines:

Our experienced team understood their vast and complex infrastructure to tailor the services and strategies to be applied to their infrastructure.

• Understanding the multi-account configuration: 10-15 days (about 2 weeks)
• Cloud Deployments: 2 months
• Cost Optimization: 2 months
  
  

The Architecture:

The Solution:

Implemented AWS Organization Units (OUs) and Control Tower to centrally manage the institution’s interconnected AWS accounts across environments. Designed a robust OU architecture to streamline governance, enforce policies, maintain security posture, and ensure compliance adherence. Established a landing zone with dashboards and applications for unified infrastructure control. Additionally, integrated AWS Single Sign-On (AWS SSO) and AWS IAM Identity Center to centralize identity management, enabling secure access control and enhancing the overall security posture of the AWS environment.

Steps for Setting up the Landing Zone:

Initial Setup:

AWS Organizations:

• We created an AWS Organization to establish a multi-account AWS environment.
• We configured Organizational Units (OUs) for different environments:
  • Development OU
  • Testing OU
  • Production OU
  • Log archive OU
  • Audit OU

AWS Single Sign-On (AWS SSO) Integration:

• We integrated AWS SSO with the AWS Organization to enable centralized access management across all accounts.
• We set up AWS SSO as the primary authentication provider for our AWS accounts, eliminating the need for managing individual IAM users across multiple accounts.
• We implemented centralized user provisioning and de-provisioning processes using AWS SSO.

Technical Details:

• We configured AWS SSO to establish trust relationships with AWS accounts.
• We created SSO permission sets and assigned them to user groups based on OU.
• We set up account assignments to link AWS accounts to the AWS Organization.
• We enabled multi-factor authentication (MFA) for enhanced security and compliance with AWS SSO.

AWS Control Tower:

• We integrated AWS Control Tower with the AWS Organization, AWS SecurityHub, and AWS SSO to establish a multi-account landing zone.
• We leveraged AWS Control Tower to establish a secure and compliant multi-account AWS environment with built-in governance capabilities.
• AWS Control Tower allowed us to enforce proactive controls (guardrails) to prevent policy violations and misconfigurations across our AWS accounts.
• We integrated AWS Control Tower with AWS Security Hub to enable detective controls that detect non-compliant resources and misconfigurations within our AWS accounts.
• By combining proactive and detective controls, we enhanced our overall security posture and ensured compliance throughout the development lifecycle.

Technical Details:

• We enrolled our AWS Organization into AWS Control Tower, enabling centralized management and governance across multiple AWS accounts.
• We defined and deployed Guardrails (AWS Config rules and Service Control Policies) through AWS Control Tower to enforce security and compliance standards proactively.
• We enabled and configured Security Hub controls within AWS Control Tower, allowing Security Hub to detect and report on non-compliant resources (detective controls).
• We automated the deployment and updates of Guardrails and Security Hub controls using AWS CloudFormation templates and AWS Control Tower APIs (e.g., Enable Control, Disable Control).
• We configured AWS Control Tower to automatically provision new accounts with predefined Guardrails, Security Hub controls, and landing zone components (AWS Config, AWS CloudTrail, AWS Security Hub).
• We leveraged AWS Control Tower’s integration with AWS SSO to centralize access management and enforce granular permissions based on Organizational Units (OUs).
• We implemented version control and change management processes for Guardrails and Security Hub controls to ensure traceability and accountability.
• We regularly reviewed and updated Guardrails and Security Hub controls to align with evolving organizational policies and industry best practices.

Security and Compliance:

Guardrails:

• We implemented AWS Control Tower Guardrails to enforce security and compliance policies consistently across all accounts and environments.
• We implemented stringent guardrails to adhere to strict regulatory requirements and security standards applicable to financial institutions, Payment Card Industry Data Security Standard (PCI DSS), and Basel III.
• Guardrails help ensure data protection, access controls, and audit trails are in place for sensitive financial data and transactions, enabling us to maintain customer trust, avoid regulatory penalties, and protect against financial crimes and fraud.
• Guardrails are essential for implementing the principles of least privilege and segregation of duties, which are critical security best practices in the financial sector to mitigate the risk of insider threats and unauthorized access to sensitive information.
• Guardrails help enforce data residency and sovereignty requirements, ensuring that financial data is stored and processed within approved geographical boundaries, adhering to local laws and regulations.
• Guardrails support the implementation of defence-in-depth strategies, layering multiple security controls to protect against various types of threats and attack vectors, which is crucial for safeguarding financial systems and data.
• Guardrails enable consistent enforcement of security policies and controls across multiple accounts and environments, reducing the risk of configuration drift and ensuring a uniform level of protection for financial workloads, regardless of their deployment location.

Technical Details:

• We applied preventive guardrails through Service Control Policies (SCPs) to restrict the creation of resources that do not meet compliance standards, such as enforcing encryption at rest for data stores and enabling multi-factor authentication for all IAM users.
• We implemented detective guardrails using AWS Config Rules to continuously monitor for non-compliant configurations, such as detecting public exposure of Amazon S3 buckets containing financial data or identifying security groups with overly permissive inbound rules.
• We integrated AWS Config Rules with AWS Security Hub to centralize and prioritize findings related to guardrail violations, enabling prompt remediation actions.
• We leveraged AWS Control Tower’s built-in guardrails specific to financial services, such as enforcing encryption for Amazon EBS volumes and ensuring AWS CloudTrail is enabled for audit logging.
• We defined custom Service Control Policies (SCPs) to enforce additional guardrails mandated by financial regulations, such as restricting the use of certain AWS Regions or services based on data residency requirements or prohibiting the sharing of resources outside the organizational units designated for financial workloads.
• We implemented guardrails using AWS IAM permission boundaries to restrict the maximum permissions that can be granted to IAM entities, preventing excessive privileges that could lead to unauthorized access or actions.
• We established detective guardrails to monitor and alert on changes to critical configurations, such as modifications to Service Control Policies, AWS Config Rules, or AWS CloudTrail settings, ensuring the integrity of our guardrail implementation.

Centralized Governance:

• Within the landing zone, we provisioned AWS Config, AWS CloudTrail, and AWS Security Hub for centralized governance, compliance monitoring, and security analysis across all accounts.

AWS Config:

• We implemented AWS Config to gain visibility into the configuration state of our AWS resources across multiple accounts and regions.
• AWS Config provides a detailed view of resource configurations, relationships, and historical changes over time.
• It helps us track and manage resource configurations within our AWS environment, ensuring compliance with internal policies and best practices.
• AWS Config enables us to continuously monitor and assess the configuration of our resources against desired settings defined through AWS Config Rules.
• It plays a crucial role in our overall governance and compliance strategy by detecting and reporting non-compliant resource configurations.
• We can aggregate the collected config logs and aggregate those to store in the bucket of the designated account.

Technical Details:

• We enabled AWS Config across all accounts and regions within our AWS environment to ensure comprehensive resource tracking and configuration management.
• We configured AWS Config to discover and generate configuration items for supported AWS resource types, capturing their initial state and subsequent configuration changes.
• We leveraged AWS Config’s integration with AWS Config Rules to define and implement rules that evaluate resource configurations against desired settings.
• We created custom AWS Config Rules tailored to our specific requirements, incorporating evaluation logic defined through AWS Lambda functions.
• AWS Config continuously evaluates our resource configurations against the defined rules, invoking the associated Lambda functions to assess compliance.
• When a resource violates the conditions of a rule, AWS Config flags the resource and the rule as non-compliant, triggering notifications to our Amazon SNS topic.
• We configured AWS Config to deliver configuration items, including configuration history files and snapshots, to a dedicated Amazon S3 bucket for long-term storage and analysis.
• We implemented access controls and permissions using AWS Identity and Access Management (IAM) to ensure secure and controlled access to AWS Config and its associated resources.
• We integrated AWS Config with other AWS services, such as Amazon CloudWatch, to monitor and analyse AWS Config metrics, ensuring optimal performance and timely troubleshooting.

AWS CloudTrail:

• We implemented AWS CloudTrail as a critical component of our security and compliance strategy, enabling comprehensive auditing, monitoring, and analysis of account activity and API calls across our multi-account AWS environment.
• CloudTrail plays a crucial role in meeting regulatory requirements by providing a centralized audit trail of all actions performed within our AWS accounts.
• It supports our incident response and forensic investigation efforts by providing detailed logs of AWS API calls, including information about the caller, the time of the call, and the source IP address.

Technical Details:

• We enabled AWS CloudTrail across all accounts and regions within our AWS environment, ensuring comprehensive logging and auditing of account activity.
• We configured CloudTrail to deliver log files to a centralized, secure Amazon S3 bucket, employing appropriate access controls, encryption, and lifecycle policies for long-term log retention and compliance with data protection requirements.
• We set up CloudTrail trails to capture API activity across all accounts, including management events (control plane operations) and data events (data plane operations) for supported services.
• We leveraged CloudTrail’s integration with AWS Config to gain visibility into changes made to resource configurations, enabling effective monitoring and enforcement of desired configurations.
• We implemented CloudTrail Log File Integrity Validation to ensure the integrity and authenticity of log files, mitigating the risk of log tampering or unauthorized modifications.
• We configured CloudTrail to deliver log file digest files to a separate Amazon S3 bucket for secure storage and verification of log file integrity.
• We integrated CloudTrail with Amazon CloudWatch Logs, enabling real-time monitoring, analysis, and alerting on specific API activities or potential security events.
• We defined and implemented AWS CloudWatch Events rules and Amazon SNS notifications to receive alerts on specific CloudTrail events, such as unauthorized API calls or changes to critical resources.
• We employed AWS Identity and Access Management (IAM) policies and roles to restrict access to CloudTrail log files and management functions, adhering to the principle of least privilege.
• We regularly reviewed and analysed CloudTrail logs using AWS services like Amazon Athena and AWS CloudTrail Lake, enabling efficient querying, reporting, and identification of potential security risks or compliance violations.

AWS Security Hub:

• We integrated AWS Security Hub to receive findings from AWS Config Rules and AWS CloudTrail, providing a comprehensive view of security and compliance posture.
• AWS Control Tower is integrated with AWS Security Hub to provide detective controls that help monitor the AWS environment across multiple accounts and organizational units (OUs).
• The integration is accomplished through a service-managed standard called “Service-Managed Standard: AWS Control Tower,” which supports a subset of controls from the AWS Foundational Security Best Practices (FSBP) standard.
• This service-managed standard is available only for AWS Control Tower customers and is created when the first Security Hub control is enabled in the AWS Control Tower console.
• AWS Control Tower enables Security Hub if it’s not already enabled when the first control is enabled.

Technical Details:

• We enabled AWS Security Hub across all accounts. The Security Hub controls are active at the OU level and not automatically enabled for all OUs or individual accounts.
• When new controls are added to the Security Hub, they are not automatically added to the Service-Managed Standard: AWS Control Tower.
• To enable or remove controls, it’s recommended to use the AWS Control Tower console or APIs (Enable Control and Disable Control) to avoid drift.
• Security Hub calculates a security score and provides findings for the Service-Managed Standard: AWS Control Tower, which is available in the Security Hub console but not in AWS Control Tower.
• AWS Control Tower receives daily status updates from the Security Hub for the service-managed standard controls and reports drift if an update is not received.
• Drift notifications are sent via Amazon SNS to the AWS Control Tower security-aggregate-notification channel, which requires subscription.
• To remediate drift, you can re-register the OU in the AWS Control Tower console or deactivate and re-activate the drifted control.
• Some Security Hub controls may not operate in certain AWS Regions where AWS Control Tower is available due to unsupported underlying functionality.

Cross-Account Trust Relationships:

• We established cross-account trust relationships as a foundational component of our multi-account AWS environment, enabling centralized management, governance, and enforcement of policies across all member accounts.
• Cross-account trust relationships facilitate the secure sharing of resources, services, and data between accounts while maintaining appropriate isolation and access controls.
• They allow us to implement a hierarchical structure with a central account responsible for managing and enforcing security, compliance, and operational policies across the entire AWS environment.
• Cross-account trust relationships support the implementation of advanced security and compliance controls, such as centralized logging, monitoring, and incident response capabilities.
• They enable efficient resource management and cost optimization by allowing the centralized provisioning, configuration, and decommissioning of resources across multiple accounts.

Technical Details:

• We configured AWS Identity and Access Management (IAM) roles and policies to establish trust relationships between the central account and member accounts, granting the necessary permissions for cross-account access and operations.
• We implemented Service Control Policies (SCPs) through AWS Organizations to restrict operations and resource configurations across member accounts, ensuring compliance with our security and operational requirements.
• We leveraged AWS Organizations to create organizational units (OUs) and hierarchically structure our accounts based on their purpose, environment, or other criteria, allowing for granular policy application and delegation of administrative control.
• We defined and implemented cross-account IAM roles with appropriate permissions boundaries and access controls, adhering to the principle of least privilege and segregation of duties.
• We established secure communication channels and encrypted data transfer mechanisms between accounts to protect sensitive information and maintain data integrity during cross-account operations.
• We integrated centralized monitoring, logging, and alerting solutions, such as AWS CloudTrail and Amazon CloudWatch, to gain visibility into cross-account activities and promptly detect and respond to potential security incidents or policy violations.
• We regularly reviewed and audited cross-account trust relationships, IAM roles, and Service Control Policies to ensure their continued effectiveness, compliance with evolving security standards, and alignment with our organizational requirements.

Monitoring and Logging:

• We deployed dashboards and applications within the landing zone to provide a unified view and control over the AWS infrastructure.
• We established centralized monitoring and logging to detect and respond to security incidents, operational issues, and performance bottlenecks across multiple AWS accounts.

Technical Details:

• We deployed monitoring and logging solutions, such as Amazon CloudWatch and AWS CloudTrail, within the landing zone.
• We integrated with AWS Services like CloudWatch, CloudTrail, and Security Hub for centralized visibility and alerting.
• We implemented custom dashboards and reporting tools for real-time monitoring and historical analysis.
• We configured automated alerts and notifications for critical events and incidents.
• We implemented log retention policies and archiving strategies to comply with organizational and regulatory requirements.
• We integrated monitoring and logging with incident response processes and playbooks for efficient troubleshooting and resolution.

Connectivity and Access Control:

• We ensured connectivity and data flow between the central account, member accounts, the landing zone, and AWS SSO for seamless management, monitoring, and access control. In a multi-account AWS environment, ensuring secure connectivity and appropriate access control mechanisms is crucial for effective management, monitoring, and governance across accounts.
• We established robust connectivity between the central account, member accounts, the landing zone (shared services account), and AWS Single Sign-On (AWS SSO) to enable seamless management, monitoring, and access control across the entire AWS environment.
• Secure connectivity between accounts allowed for centralized operations, such as resource provisioning, configuration management, and policy enforcement, while maintaining isolation and segregation of responsibilities.
• Connectivity also enabled the centralized collection of logs, metrics, and security events from all accounts, facilitating comprehensive monitoring, analysis, and incident response capabilities.
• We implemented network segmentation and security controls to isolate and protect critical resources and sensitive data across multiple AWS accounts, adhering to the principle of least privilege and reducing the risk of unauthorized access or data breaches.
• Network segmentation and access controls ensured that resources and data were accessible only to authorized entities, minimizing the potential impact of security incidents and limiting the blast radius in case of a compromise.

Technical Details:

• We established secure communication channels between accounts using VPC peering or AWS Transit Gateway connections, enabling secure and efficient data transfer while maintaining network isolation and traffic control.
• We configured AWS Identity and Access Management (IAM) roles and policies to govern cross-account access and resource sharing, ensuring that only authorized entities with the necessary permissions could perform specific operations or access sensitive resources.
• We implemented network security controls, such as security groups and network access control lists (NACLs), to restrict traffic flow between accounts and resources, limiting exposure and reducing the attack surface.
• We integrated our connectivity and access control mechanisms with AWS Single Sign-On (AWS SSO) for centralized user authentication and authorization, enabling consistent access management and audit trails across the entire AWS environment.
• We implemented network traffic mirroring and inspection techniques, such as AWS Traffic Mirroring and AWS Network Firewall, to gain visibility into network traffic patterns and enable real-time security monitoring and threat detection across accounts.
• We regularly reviewed and audited network configurations, access controls, and connectivity mechanisms to identify and mitigate potential security risks, ensure compliance with evolving security standards, and align with our organizational requirements.
• We established robust logging and monitoring processes to track and analyze connectivity and access-related events, enabling prompt detection and response to potential security incidents or policy violations.
• We leveraged automation and Infrastructure as Code (IaC) techniques to ensure consistent and repeatable deployment of connectivity and access control configurations across accounts, reducing the risk of misconfigurations and human errors.

Outcome:

• Centralized Management: The implementation of AWS Organization Units (OUs) and AWS Control Tower enabled centralized management of interconnected AWS accounts across different environments, streamlining governance and policy enforcement.
• Enhanced Security Posture: The integration of AWS Single Sign-On (SSO) and AWS IAM Identity Center centralized identity management and access control, enhancing the overall security posture of the AWS environment.
• Improved Compliance Adherence: The implementation of AWS Control Tower Guardrails, AWS Config Rules, and Service Control Policies helped enforce security and compliance policies consistently across all accounts and environments.
• Centralized Governance and Monitoring: The provisioning of AWS Config, AWS CloudTrail, and AWS Security Hub within the landing zone enabled centralized governance, compliance monitoring, and security analysis across all accounts.
• Unified Infrastructure Control: The establishment of a landing zone with dashboards and applications provided a unified view and control over the AWS infrastructure.
• Scalability and Agility: The implementation of a centralized landing zone with cross-account trust relationships and connectivity between accounts likely improved the scalability and agility of the AWS environment, enabling easier management and resource allocation across accounts.
• Cost Optimization: While specific cost savings figures are not provided, the centralized management, governance, and compliance measures implemented could potentially lead to cost optimization by reducing operational overhead, improving resource utilization, and mitigating security and compliance risks.

Conclusion:

The implementation of AWS Organization Units, Control Tower, Single Sign-On, and IAM Identity Center established a centralized landing zone for managing the institution’s interconnected AWS accounts across environments. This landing zone enabled centralized governance, enforced security and compliance policies, provided unified infrastructure control through dashboards and applications, and facilitated cross-account connectivity and access control. While specific cost savings figures are unavailable, the centralized management, optimized resource allocation, and improved security and compliance posture likely contributed to cost optimization and positioned the institution for scalable and agile growth within its industry.