AWS Partner Network (APN) Blog
How Accenture Accelerates Building a Secure Cloud Foundation Natively on AWS
By Jon Holt, Technology Architecture Science Associate Director – Accenture AWS Business Group
By Vahagn Madatyan, Network Security Lead Architect – Accenture AWS Business Group
By Rajdeep Banerjee, Sr. Partner Solutions Architect – AWS
Enterprise-wide adoption of cloud resources brings operational scalability, but it brings security challenges as well. When builders are not centrally coordinated, environments grow inconsistently, and tracking common compliance and security controls across them becomes difficult.
Teams often do not operate toward a common goal, which results in a lack of accountability across multiple stakeholders. Further, long AWS environment provisioning times and a lack of automation can hinder the agile development cycle and lead to complex governance challenges.
Accenture’s Secure Cloud Foundation (SCF) addresses these challenges by establishing a well-defined, automated account provisioning process to provide a scalable governance framework. It offers guardrails to enable secure and streamlined self-service to innovate with cloud-native services across the organization’s application teams.
The SCF solution leverages infrastructure as code (IaC) with pre-defined best practices and automates security guardrails. As a result, teams can break organizational barriers and take accountability for outcomes.
In this post, we’ll walk through how Amazon Web Services (AWS) and Accenture are helping customers rapidly set up Secure Cloud Foundation on AWS leveraging the Velocity platform from the Accenture AWS Business Group (AABG). Specifically, we’ll explain how Velocity’s SCF component can minimize time and effort to set up a robust and secure cloud foundation on AWS for greenfield and brownfield customers.
Accenture is an AWS Premier Tier Services Partner and Managed Services Provider (MSP) that offers comprehensive solutions to migrate and manage operations on AWS.
Velocity Introduction
Accenture and AWS co-created and co-funded the Velocity platform to eliminate the barriers to innovation, now and into the future, so customers can worry less about cloud complexities and spend more time creating real business value.
Velocity is an automated, repeatable, opinionated, yet flexible platform that optimizes for business outcomes, including speed, resilience, scale, and agility. It includes a rich set of ready-to-use solutions and software delivery accelerators that Accenture and AWS can deliver to customers with the click of a button.
Velocity is continuously innovating new and improved AWS-powered industry, cross-industry, and technology solutions so customers can innovate faster, build better, and spend smarter. SCF is one of several Velocity powered solutions from the AABG.
Secure Cloud Foundation Framework
To accelerate the development and adoption of a cloud foundation, Accenture created the SCF framework, which comprises 10 blocks. Each block is an independently deployable unit in the AWS environment.
Figure 1 – Accenture’s Secure Cloud Foundation framework.
At the very bottom of this graphic, we start with the Base Foundation block that manages AWS Organizations and sets up the management and member accounts relationship. The foundation also takes care of the enrollment of new accounts to cloud-native security tooling like Amazon GuardDuty and more to ensure customers’ AWS environments are secure and maintain a secure baseline.
Moving up from the Base Foundation, the SCF framework has the Network layer that manages AWS networking components like centralized Amazon Virtual Private Clouds (VPCs), Amazon Route 53, and end-to-end inspection of traffic using AWS Network Firewall.
Next in the topology, the Identity layer tackles how to simplify entitlement and identity management leveraging AWS IAM Identity Center.
From there, SCF offers blocks to manage AWS workloads. The Endpoint layer standardizes golden Amazon Machine Images (AMIs), creates AMI pipelines, and manages patching. It also provides vulnerability assessment of newly vended AMIs and deploys security agents to workloads, so that workloads ranging from containers to serverless can be hosted safely.
After the foundation architecture and workload blocks are in place, the next components of the framework deal with Monitoring and Observability using AWS Lake Formation. SCF also offers a Data Governance and Security strategy with centralized backup and disaster recovery using AWS-native services.
Finally, SCF offers a DevSecOps layer to provide AWS CodePipeline designed to be deployed using a self-service model.
Using AWS Control Tower in Secure Cloud Foundation
SCF blocks are designed to leverage AWS Control Tower features in the landing zone environments.
AWS Control Tower is used for both greenfield and brownfield environments where customers are looking to manage multiple accounts in their landing zone. AWS Control Tower helps create, orchestrate, and monitor multi-account environments.
Tower Post Processor Block
When customers are vending AWS accounts at scale, they need a mechanism to automate the security configuration and apply consistent baseline security across all accounts. That’s why Accenture built Tower Post Processor, to automate the security configuration whenever AWS accounts are vended through AWS Control Tower or other account vending mechanisms.
This block automates enabling key security services in newly provisioned accounts, applies their configuration against a common baseline, and auto-remediates drift from that baseline.
Architecture
The Tower Post Processor block uses AWS Control Tower features to automatically enable security services and settings for every account in the AWS organization. The block deploys an AWS Lambda function that responds to Control Tower lifecycle events (for example, a successful CreateManagedAccount) and assumes the AWSControlTowerExecution role in the new member account to perform the downstream configuration and service-enablement actions. Because AWSControlTowerExecution carries administrator access in the member account, scope the Lambda function's own execution role to sts:AssumeRole on that role only, and make sure only the intended EventBridge rule can invoke the function.
The block also enables and configures delegated administration for key AWS security services such as AWS Security Hub. Use a dedicated central security account as the delegated administrator for these services rather than the management account.
Sample actions you can process via the block are:
- Account-level actions: These apply to the whole account regardless of region, such as enabling Amazon Simple Storage Service (Amazon S3) Block Public Access at the account level and setting a strong AWS Identity and Access Management (IAM) password policy.
- Region-level actions: These are specific to a region, such as enabling Amazon Elastic Block Store (Amazon EBS) encryption by default and deleting the default VPC.
Figure 2 – Tower Post Processor architecture.
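The following is an added example of a post-processor Lambda function in the shape the architecture above describes; it is not Accenture's code. It assumes the Control Tower lifecycle event arrives through Amazon EventBridge in the documented CreateManagedAccount format, that the AWSControlTowerExecution role exists in the vended account, and that the session name, password-policy values and sample account id are choices made for this example. The account-level and region-level actions are split into functions that take boto3 clients as arguments, so the logic can be exercised without AWS credentials.

```python
"""Illustrative Control Tower post-processor (added example, not Accenture's code).

Assumptions: triggered by a Control Tower lifecycle event delivered via EventBridge;
the AWSControlTowerExecution role exists in the vended account; SESSION_NAME and the
password-policy values below are choices made for this example.
"""
import os

ROLE_NAME = "AWSControlTowerExecution"
SESSION_NAME = "scf-post-processor"   # assumption for this example
ACCOUNT_ID = "111122223333"           # constructed sample account id

# Constructed sample event in the documented CreateManagedAccount lifecycle shape.
SAMPLE_EVENT = {
    "detail": {
        "eventName": "CreateManagedAccount",
        "eventSource": "controltower.amazonaws.com",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "state": "SUCCEEDED",
                "account": {"accountName": "workload-a", "accountId": ACCOUNT_ID},
            }
        },
    }
}


def parse_lifecycle_event(event):
    """Return the new account id for a successful CreateManagedAccount event, else None."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    return status.get("account", {}).get("accountId")


def apply_account_level_baseline(account_id, s3control, iam):
    """Account-wide (region independent) actions: S3 Block Public Access, IAM password policy."""
    s3control.put_public_access_block(
        AccountId=account_id,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )
    iam.update_account_password_policy(
        MinimumPasswordLength=14, RequireSymbols=True, RequireNumbers=True,
        RequireUppercaseCharacters=True, RequireLowercaseCharacters=True,
        AllowUsersToChangePassword=True, MaxPasswordAge=90,
        PasswordReusePrevention=24, HardExpiry=False,
    )


def delete_default_vpcs(ec2):
    """Delete the default VPC in one region and return the ids removed.

    Only the dependencies that can be deleted are handled (internet gateways and
    subnets); the main route table, default NACL and default security group are
    removed together with the VPC itself.
    """
    deleted = []
    vpcs = ec2.describe_vpcs(Filters=[{"Name": "is-default", "Values": ["true"]}])["Vpcs"]
    for vpc in vpcs:
        vpc_id = vpc["VpcId"]
        igws = ec2.describe_internet_gateways(
            Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}]
        )["InternetGateways"]
        for igw in igws:
            igw_id = igw["InternetGatewayId"]
            ec2.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
            ec2.delete_internet_gateway(InternetGatewayId=igw_id)
        subnets = ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["Subnets"]
        for subnet in subnets:
            ec2.delete_subnet(SubnetId=subnet["SubnetId"])
        ec2.delete_vpc(VpcId=vpc_id)
        deleted.append(vpc_id)
    return deleted


def apply_region_level_baseline(ec2):
    """Per-region actions: EBS encryption by default, then remove the default VPC."""
    ec2.enable_ebs_encryption_by_default()
    return delete_default_vpcs(ec2)


def handler(event, context=None):
    """Lambda entry point. Does nothing unless a managed account was created successfully."""
    account_id = parse_lifecycle_event(event)
    if account_id is None:
        return {"processed": False}
    import boto3  # imported lazily so the functions above run without the SDK or credentials
    home_region = os.environ.get("AWS_REGION", "us-east-1")
    creds = boto3.client("sts", region_name=home_region).assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
        RoleSessionName=SESSION_NAME,
    )["Credentials"]
    member = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
        region_name=home_region,
    )
    apply_account_level_baseline(account_id, member.client("s3control"), member.client("iam"))
    regions = [r["RegionName"] for r in member.client("ec2").describe_regions()["Regions"]]
    removed = {region: apply_region_level_baseline(member.client("ec2", region_name=region))
               for region in regions}
    return {"processed": True, "account": account_id, "default_vpcs_removed": removed}
```

Two points worth noting for a production version: the account-level actions only need to run once, but the region-level loop runs in every enabled region (describe_regions returns only enabled regions), and the default-VPC deletion will fail, by design, if anything has already been launched into it, which is the signal you want rather than something to force through.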
IAM Block
In a typical enterprise, new AWS accounts are provisioned at scale as teams and businesses grow. Account administrators need a mechanism to deploy a standardized set of IAM roles and permission sets across the organization.
These baseline roles and permission sets are what the organization's users assume to perform their duties, but manually deploying and maintaining a consistent set of them across many accounts is error-prone and erodes the security posture over time.
The SCF IAM block creates least-privilege roles and permission sets at scale using IaC, reducing management overhead and the risk of misconfiguration across a complex, multi-region AWS account structure.
The IAM block provisions two key resources:
- IAM roles for federated access to AWS accounts using AWS IAM.
- Single Sign-On permission sets for SSO access to AWS accounts using AWS IAM Identity Center.
Architecture
The IAM block is built around manifest files that contain the IAM policies. A manifest holds either the block's default policies or custom policies that IAM developers create in the customer environment.
The manifest policies are stored in an Amazon S3 bucket. AWS CodePipeline pulls them down and generates the appropriate AWS CloudFormation template, which is deployed as a CloudFormation StackSet to the target accounts.
The resources deployed to the target accounts are IAM roles and policies. SSO role generation can also be enabled from the AWS IAM Identity Center console so that the block deploys the roles and permission sets into the target accounts in the organization.
Figure 3 – IAM architecture.
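The following is an added example of the manifest-to-template step in that pipeline, written for this post and not taken from the IAM block itself. The page does not describe its manifest schema, so the layout below (a SAML provider ARN plus a list of role specs), the role name, bucket ARN and provider ARN are all assumptions; the trust policy uses the standard sts:AssumeRoleWithSAML action with the standard SAML audience condition. Before rendering, a small lint refuses manifests whose inline policies grant blanket actions, which is the check you want in front of a StackSet that fans out to every account.

```python
"""Manifest-to-CloudFormation rendering for federated IAM roles (added example; not the
IAM block's code). The manifest schema, role name, bucket and SAML provider ARNs are
assumptions for this example; the page does not specify its manifest format.
"""
import json
import re

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # standard AWS SAML audience value

# Constructed sample manifest.
SAMPLE_MANIFEST = {
    "saml_provider_arn": "arn:aws:iam::111122223333:saml-provider/corp-idp",
    "roles": [
        {
            "name": "scf-security-auditor",
            "max_session_hours": 1,
            "managed_policies": ["arn:aws:iam::aws:policy/SecurityAudit"],
            "inline_policy": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": ["s3:GetObject"],
                    "Resource": "arn:aws:s3:::scf-audit-logs-111122223333/*",
                }],
            },
        }
    ],
}

# Actions that are never acceptable in an Allow statement of a baseline role.
BROAD_ACTIONS = re.compile(r"^(\*|iam:\*|sts:\*|organizations:\*)$")


def lint_policy(policy):
    """Return findings for Allow statements that undermine least privilege."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if BROAD_ACTIONS.match(action):
                findings.append(f"statement {i}: broad action {action}")
        if "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service wildcard on Resource '*'")
    return findings


def logical_id(name):
    """CloudFormation logical IDs must be alphanumeric; derive one from the role name."""
    return "".join(part.capitalize() for part in re.split(r"[^A-Za-z0-9]+", name) if part)


def render_role(spec, saml_provider_arn):
    """Build one AWS::IAM::Role resource that trusts only the SAML provider."""
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }
    props = {
        "RoleName": spec["name"],
        "AssumeRolePolicyDocument": trust,
        "MaxSessionDuration": int(spec.get("max_session_hours", 1)) * 3600,
        "ManagedPolicyArns": spec.get("managed_policies", []),
    }
    if spec.get("inline_policy"):
        props["Policies"] = [{"PolicyName": f"{spec['name']}-inline",
                              "PolicyDocument": spec["inline_policy"]}]
    return {"Type": "AWS::IAM::Role", "Properties": props}


def render_template(manifest):
    """Render the StackSet template; refuse any manifest that fails the lint."""
    problems = []
    for spec in manifest["roles"]:
        for finding in lint_policy(spec.get("inline_policy", {})):
            problems.append(f"{spec['name']}: {finding}")
    if problems:
        raise ValueError("; ".join(problems))
    resources = {logical_id(spec["name"]): render_role(spec, manifest["saml_provider_arn"])
                 for spec in manifest["roles"]}
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Description": "SCF federated roles (generated from manifest)",
            "Resources": resources}


if __name__ == "__main__":
    print(json.dumps(render_template(SAMPLE_MANIFEST), indent=2))
```

The lint is deliberately narrow (blanket `*`, `iam:*`, `sts:*`, `organizations:*`, and service wildcards on `Resource: "*"`); in a real pipeline you would run IAM Access Analyzer policy validation on the rendered template as well, since it catches far more than a regex can.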
Central Network Block
Proper cloud networking isolates the networking services configuration and operation from the individual application workloads, security, and other infrastructure while still allowing use case specific flexibility. This arrangement not only limits connectivity, permissions, and data flow, but also supports separation of duties and least privilege for your teams that need to operate in these accounts.
Both north-south and east-west traffic must be considered and controlled. Inbound traffic is generally treated as the higher-risk flow and deserves dedicated routing, monitoring, and mitigation, but east-west traffic is the path for lateral movement between workloads, so it needs inspection as well.
The Central Network block provides value across different network capabilities including intrusion detection, intrusion protection, domain name system (DNS), and hub-and-spoke networking. The main purpose of the block is to deploy an enterprise networking environment model, with centralization of management of common network infrastructure vending and sharing, DNS routing policies, firewall policies, and network monitoring logs.
Architecture
The Central Network block recommends using a dedicated networking account, which:
- Provides a centralized design for managing and sharing network infrastructure.
- Reduces management overhead for network administrators.
- Enforces the least privilege and separation of duties principles.
The block uses AWS Service Catalog products to vend subordinate certificate authorities from AWS Certificate Manager Private CA for application-level certificate management. Service Catalog deploys the subordinate CAs into the appropriate AWS accounts for application teams to use.
The block also offers a set of standardized baseline VPCs for use cases such as web-tier, application-tier, and database-tier VPCs, and provisions these VPC structures through AWS Service Catalog to support a wide array of use cases.
The block uses AWS Resource Access Manager (AWS RAM) to share the subordinate CAs and VPC subnets with target application accounts or organizational units. This satisfies the least privilege principle by making resources available to application teams without giving them the ability to change the resource's configuration. For instance, an application team can launch instances into a shared subnet and manage its own security groups there, but cannot modify the VPC's route tables or NAT gateway configuration.
The block uses AWS Transit Gateway as the hub for all VPC products deployed into the AWS environment. When AWS Service Catalog deploys a VPC, it is attached to the Transit Gateway, and Transit Gateway route tables control ingress and egress so that east-west traffic between VPCs is enabled only where appropriate.
Transit Gateways are regional, but Central Network can set up inter-region peering between Transit Gateways to establish multi-region connectivity. Through the Transit Gateway route tables, all traffic is routed to an inspection VPC, where east-west and north-south traffic is inspected and logged by either AWS Network Firewall or a third-party firewall service.
Central Network also centralizes and automates the management of DNS via Amazon Route 53, web and network rules via AWS WAF and AWS Firewall Manager, IP address management with Amazon VPC IP Address Manager (IPAM), and consolidates VPC endpoints to provide private connectivity to AWS services.
Figure 4 – Central Network architecture.
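The following is an added example, not the Central Network block's own code, of the Transit Gateway route-table design described above and of why it needs two route tables rather than one. The attachment ids and CIDRs are constructed. Spoke attachments are associated with a route table whose only route is a default route to the inspection VPC; the inspection attachment is associated with a second route table that knows every spoke CIDR. The `flat_plan` function builds the single-route-table alternative so the failure mode is visible: with one table, longest-prefix matching sends spoke-to-spoke traffic straight to the other spoke and the firewall never sees it.

```python
"""Hub-and-spoke Transit Gateway routing through a central inspection VPC
(added example; not the Central Network block's code). Ids and CIDRs are constructed.
"""
import ipaddress

# Constructed inventory: spoke VPCs vended by Service Catalog, keyed by TGW attachment id.
SPOKES = {
    "tgw-attach-web": "10.10.0.0/16",
    "tgw-attach-app": "10.20.0.0/16",
    "tgw-attach-db": "10.30.0.0/16",
}
INSPECTION_ATTACHMENT = "tgw-attach-inspection"


def build_plan(spokes, inspection_attachment):
    """Two TGW route tables: spokes send everything to inspection; inspection knows every spoke."""
    spoke_rt = {"associations": list(spokes), "routes": {"0.0.0.0/0": inspection_attachment}}
    inspection_rt = {"associations": [inspection_attachment],
                     "routes": {cidr: att for att, cidr in spokes.items()}}
    return {"tgw-rtb-spokes": spoke_rt, "tgw-rtb-inspection": inspection_rt}


def flat_plan(spokes, inspection_attachment):
    """The bypass case: one shared route table, so spokes reach each other directly."""
    routes = {cidr: att for att, cidr in spokes.items()}
    routes["0.0.0.0/0"] = inspection_attachment
    return {"tgw-rtb-flat": {"associations": list(spokes) + [inspection_attachment],
                             "routes": routes}}


def route_table_for(plan, attachment):
    """Each attachment is associated with exactly one route table."""
    for rt_id, rt in plan.items():
        if attachment in rt["associations"]:
            return rt_id
    raise KeyError(attachment)


def lookup(routes, dst_ip):
    """Longest-prefix match, the rule the Transit Gateway applies."""
    ip = ipaddress.ip_address(dst_ip)
    best = max((ipaddress.ip_network(c) for c in routes if ip in ipaddress.ip_network(c)),
               key=lambda n: n.prefixlen, default=None)
    return routes[str(best)] if best else None


def trace(plan, src_attachment, dst_ip, inspection_attachment, max_hops=4):
    """Follow a packet attachment by attachment. A hop into the inspection VPC comes back
    to the TGW (after the firewall) and is looked up again in the inspection route table."""
    hops, current = [src_attachment], src_attachment
    for _ in range(max_hops):
        nxt = lookup(plan[route_table_for(plan, current)]["routes"], dst_ip)
        if nxt is None or nxt == current:
            break
        hops.append(nxt)
        current = nxt
        if nxt != inspection_attachment:
            break  # delivered to a spoke
    return hops


def inspected(plan, src_attachment, dst_ip, inspection_attachment=INSPECTION_ATTACHMENT):
    """True if the path passes through the inspection VPC."""
    return inspection_attachment in trace(plan, src_attachment, dst_ip, inspection_attachment)[1:]


def api_calls(plan):
    """Render the plan as (ec2 method, kwargs) pairs that boto3 can apply. The route-table
    ids are placeholders; real ones come back from create_transit_gateway_route_table."""
    calls = []
    for rt_id, rt in plan.items():
        for att in rt["associations"]:
            calls.append(("associate_transit_gateway_route_table",
                          {"TransitGatewayRouteTableId": rt_id, "TransitGatewayAttachmentId": att}))
        for cidr, att in rt["routes"].items():
            calls.append(("create_transit_gateway_route",
                          {"DestinationCidrBlock": cidr, "TransitGatewayRouteTableId": rt_id,
                           "TransitGatewayAttachmentId": att}))
    return calls


if __name__ == "__main__":
    good, flat = build_plan(SPOKES, INSPECTION_ATTACHMENT), flat_plan(SPOKES, INSPECTION_ATTACHMENT)
    print("hub-and-spoke:", trace(good, "tgw-attach-web", "10.20.0.5", INSPECTION_ATTACHMENT))
    print("flat:         ", trace(flat, "tgw-attach-web", "10.20.0.5", INSPECTION_ATTACHMENT))
```

The model leaves out what happens inside the inspection VPC (the VPC route tables that send traffic from the TGW attachment subnets through the firewall endpoints and back), which is where the second half of the design lives; the point here is only that the TGW side has to be two tables, and that a single 0.0.0.0/0 route in the spoke table is what makes the design robust when a new spoke CIDR is added and nobody updates the spokes.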
Secure Cloud Foundation Benefits
SCF provides innovative automation and orchestration of cloud controls to drive faster cloud adoption at scale, while maintaining integrity of security posture and enforcing appropriate governance.
Key benefits include:
- Speed: Leverage AWS Service Catalog-based deployments for foundational infrastructure, reducing required skills and making available expert resources to focus on higher value/higher return initiatives.
- Cost effectiveness: Elimination of manual processes (spreadsheets, emails, ITSM tickets) reduces cost through timely and consistent application of pre-approved policies, security guardrails, and change control.
- Supportability at scale: Ability to provision hundreds of pre-configured accounts with integrated tools/controls, approved configurations, and minimal drift.
- Security and compliance: SCF incorporates AWS-native security controls where applicable and is extensible to newer AWS security capabilities such as Amazon Security Lake. SCF blocks are designed to support sensitive data and regulated workloads and to meet industry-leading compliance standards.
Conclusion
Accenture and AWS have worked together for more than a decade to help organizations realize value from their applications and data. The collaboration between the two companies, the Accenture AWS Business Group (AABG), enables enterprises to accelerate their pace of digital innovation and realize incremental business value from cloud adoption and transformation.
In this post, we showcased Accenture’s Secure Cloud Foundation (SCF) on the Velocity platform that can minimize time and effort to set up a robust and secure cloud foundation on AWS for greenfield and brownfield customers. To learn more, reach out to the Accenture AWS Business Group.
Accenture – AWS Partner Spotlight
Accenture is an AWS Premier Tier Services Partner and MSP that provides end-to-end solutions to migrate to and manage operations on AWS. By working with the Accenture AWS Business Group (AABG), a strategic collaboration by Accenture and AWS, organizations can accelerate the pace of innovation to deliver disruptive products and services.