Our client is a marketing solutions provider to more than 500,000 small businesses across America, helping them effectively compete in today’s competitive marketplace. It does so through easy-to-use software that helps small business owners with the daily demands of running a business; with its market-leading search, display and social products; and searchable online portals.
This marketing organization is in the midst of a DevOps transformation. As it proceeded with its transformation, the company learned that there was a disconnect as IT and Development were using AWS separately from one another. Wanting to bring Development, IT and Security under one umbrella, the firm sought to encourage proactive involvement across teams using DevOps as a culture of practices for better cooperation and service delivery.
Wanting to validate its progress to date while also extending security policies to its new AWS DevOps environment, the company called in the AWS Premier Consulting Partner, Flux7. Specifically, the company was looking for Flux7 to help with its security best practices around role-based access, permissions, and multi-factor authentication.
The AWS consulting team immediately understood the marketing firm’s desire to build security into its new AWS environment. Indeed, security best practices are a built-in subset of our security by design approach. The teams agreed that a cloud landing zone, which provides a secure management foundation for landing applications in AWS, would be the best solution, as it addresses the firm’s core security, development and IT goals and gives its DevOps initiative a solid foundation moving forward.
AWS & Flux7 Best Practices Assure Security
We addressed the marketing firm’s account concerns with an account factory, which allows it to create multiple AWS accounts for the highest level of resource and security isolation. With Identity and Access Management (IAM) updated consistently across all accounts, the organization can securely control access to AWS resources, governing who is authenticated and authorized to use them and applying the principle of least privilege. With IAM, IT can manage who can use which AWS resources and in what ways, and security has complete control over account users, groups, roles, and permissions. It was in this phase of the project that we integrated with Okta for secure identity management and single sign-on, and enabled multi-factor authentication (MFA) for privileged users.
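The two IAM controls described above, least privilege and MFA for privileged users, can be checked mechanically before a policy is rolled out across accounts. The following is an added example written for this page, not Flux7’s or the client’s code; the set of "privileged" action prefixes and the sample policies are constructed assumptions.

```python
"""Lint an IAM policy document for least privilege and an MFA condition on
privileged actions. Added example; sample policies are constructed inline."""
import json

# Actions treated as privileged for this check: an assumption for the
# example, not an AWS-defined list.
PRIVILEGED_PREFIXES = ("iam:", "organizations:", "sts:AssumeRole")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(statement):
    """True when the statement requires aws:MultiFactorAuthPresent == true."""
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        flag = cond.get(op, {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            return True
    return False


def lint_policy(policy_json):
    """Return a list of findings; an empty list means the policy passes."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: Action * on Resource * violates least privilege")
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide wildcard action {actions}")
        privileged = "*" in actions or any(a.startswith(PRIVILEGED_PREFIXES) for a in actions)
        if privileged and not _has_mfa_condition(st):
            findings.append(f"statement {i}: privileged action without MFA condition")
    return findings


# Constructed samples: an over-broad admin policy, and a scoped one requiring MFA.
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or "OK")
```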
In addition, the cloud landing zone ensures that every AWS account it provisions is secure and auditable. To that end, the CIS Rules Dashboard is applied: this set of security configuration best practices for hardening AWS accounts provides continuous monitoring capabilities.
When coupled with an AMI factory that bakes golden AMIs — baking an Amazon Machine Image (AMI) is the process of moving an application from code to an AMI — the team is able to create, verify and distribute AMIs that are standardized for security and compliance requirements. In this way, the company can deliver to business teams standard AMIs, ensuring developers are always using approved, compliant AMIs as the foundation for their own applications.
Advanced, Secure VPC
There are three distinct areas where the DevOps consultants helped the client with its AWS networking:
Transit VPC. This change now allows the firm to automatically provision Transit Virtual Private Clouds (VPCs) — which connect multiple VPCs that might be geographically diverse or in separate AWS accounts to a common VPC — and associate existing VPCs to it.
Shared Services VPC. This feature provides the IT team with a management environment in which to host core services and run automation across its different environments. The Shared Services account is the core account, holding infrastructure that multiple application environments can use.
VPC Factory. This functionality allows the firm to use VPC to launch AWS resources into a virtual network with scalable infrastructure. It is built to leverage multiple layers of security through security groups and network access control lists. With VPC, the organization’s teams gain complete control over the virtual networking environment, including selection of a custom IP address range, creation of subnets, and configuration of route tables and network gateways.
In addition to these security controls, the teams worked together to set up monitoring and logging. For example, Amazon CloudWatch was selected for event monitoring, AWS CloudTrail for logging, and EBS Snapshots with Lambda and S3 for backups.
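CloudTrail logging only pays off when someone watches it for the conditions the CIS hardening rules care about. As an added example, not part of Flux7’s or the client’s tooling, here is detection logic run over constructed CloudTrail records that flags console sign-ins without MFA, root account activity, and IAM changes from a session that was not MFA-authenticated; the account id and user names are constructed.

```python
"""CIS-style detection rules over CloudTrail records. Added example; the
records below are constructed and trimmed to the fields the rules read."""

SAMPLE_EVENTS = [
    {"eventTime": "2018-12-01T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2018-12-01T09:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.11", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-12-01T09:10:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.5"},
    {"eventTime": "2018-12-01T09:15:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "sourceIPAddress": "203.0.113.12"},
    {"eventTime": "2018-12-01T09:20:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
]

# IAM mutations worth alerting on when made without MFA (assumed subset).
IAM_CHANGE_EVENTS = {"CreateUser", "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey"}


def _who(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(events):
    """Return (rule, principal, eventTime) tuples for every record that trips a rule."""
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        name = ev.get("eventName")
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("console-login-without-mfa", _who(ev), ev["eventTime"]))
        if ident.get("type") == "Root":  # any root use is reportable under CIS
            alerts.append(("root-account-activity", _who(ev), ev["eventTime"]))
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        if name in IAM_CHANGE_EVENTS and ident.get("type") != "Root" and mfa != "true":
            alerts.append(("iam-change-without-mfa", _who(ev), ev["eventTime"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```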
As technology is core to this company’s business and competitive advantage in the marketplace, knowledge transfer to ensure its team could manage and extend its secure cloud foundation is critical to its ongoing success. As a result, the DevOps consulting team worked closely with the development, IT and security teams to teach them along the way the skills needed to configure and maintain its solution. In addition to working elbow-to-elbow with the team, coaching on specific tasks as they were completed, the consulting team held several knowledge transfer sessions focused on individual components of the solution.
The cloud landing zone provides a fast and secure platform for this company’s next steps on AWS, helping it avoid common and potentially costly mistakes that can lead to security, scalability and other critical issues. Indeed, with the combination of AWS and Flux7 best practices, this firm now has a platform for consistent security and compliance across its VPCs and AMIs, giving the team a base from which it can migrate its applications with the knowledge that they will be secure from an AWS infrastructure perspective.
Post Date: 12/12/2018