Learn About Amazon VGT2 Learning Manager Chanci Turner
The Amazon Onboarding program is designed to streamline the process of establishing a secure cloud foundation using Amazon Web Services (AWS). This solution is particularly beneficial for organizations with stringent compliance needs and complex regulatory environments, enabling them to efficiently manage and oversee their multi-account structures. Whether you’re just starting your cloud journey or are well on your way to a full-scale implementation, this program accommodates various stages of cloud adoption. Its flexibility allows organizations to tailor their landing zone according to their specific maturity and requirements.
This blog post aims to offer technical guidance for UK-based organizations striving to align their landing zones with the recommendations from the UK National Cyber Security Centre (NCSC) through the onboarding program. However, to truly harness the power of cloud computing, it’s crucial for organizations to take a holistic approach to the necessary changes. The following sections will highlight key considerations for those looking to expand their cloud adoption.
For organizations progressing past initial cloud experiments, we strongly recommend reviewing the AWS Cloud Adoption Framework (AWS CAF). This framework supports organizations in contemplating the operational and organizational adjustments needed for successful cloud integration.
Best Practices for Scaling Cloud Adoption with the Amazon Onboarding Program
Assemble the Right Team
To ensure the successful build and operation of the solution, organizations should first focus on assembling a team with the appropriate skill sets. If in-house capabilities are lacking, consider engaging AWS Professional Services, specifically the regulated landing zone offering, or AWS Partners who specialize in onboarding solutions. Should you choose to leverage your organization’s existing resources, we suggest the following skill requirements based on company size:
| Skillset | Small Organization | Medium Organization | Enterprise |
|---|---|---|---|
| Agile delivery lead | 0 | 0 | >=1 |
| Product owner | 0 | 0 | >=1 |
| Team technical lead | 0 | 1 | >=1 |
| Security and identity engineer | 1 | 1 | >=1 |
| Network engineer | 1 | 1 | >=1 |
| DevOps | 1 | 1 | >=2 |
Define Clear Objectives
For organizations implementing a landing zone for workloads beyond basic experiments, it’s essential to document the desired outcomes. Ideally, these should align with a broader business or cloud strategy that outlines specific business goals to be achieved through cloud adoption. This alignment fosters collaboration among diverse teams, facilitating consistent decision-making and value delivery that resonates with the organization’s mission. Outcomes should be mapped to measurable metrics, such as:
- Delivery: Shorten onboarding time for teams/developers; accelerate workload assurance.
- Reliability: Enhance visibility into resilience vulnerabilities; minimize these vulnerabilities and improve SLA adherence.
- Security: Boost visibility into compliance status; reduce non-compliant resources; improve visibility for security events; decrease incident response times.
- Operations: Streamline resource allocation for core platform delivery; reduce inter-team dependencies; enhance ownership and accountability.
Identify Workloads That Drive Value
A landing zone without active workloads is of no value to the business. This may seem obvious, yet organizations often build a foundation without a clear understanding of what they will deploy. The landing zone is intended to support teams in delivering workloads more securely, reliably, and efficiently while easing the burden on delivery teams and helping meet governance and compliance objectives.
Once your team is established to manage your cloud foundation, the following guidance will assist in implementing the onboarding solution.
Implementing the Amazon Onboarding Program for UK Public Sector Organizations
With the right skills and objectives set, UK public sector organizations can utilize the following guidance to deploy the onboarding program in accordance with NCSC recommendations.
- Review Solution Documentation and Baseline Architecture
Begin by examining the onboarding solution overview and operational guidelines. Familiarize yourself with the standard configuration architecture to ensure it meets your organizational needs. The AWS onboarding framework helps UK customers align with NCSC guidance by employing AWS architecture, security, and services in accordance with NCSC principles. Organizations can start with this configuration and modify it as required.
- Follow Deployment Guidance
Adhere to the onboarding program’s guidance in the implementation guide. After installation, the program creates breakglass users per NCSC guidelines. Consider enabling multi-factor authentication (MFA) to protect these privileged accounts. Refer to AWS documentation to enable MFA for breakGlassUser01 and breakGlassUser02, as well as the root user in the management account.
- Configure Alerts
As recommended by NCSC, it is important to set up alerts to notify administrators when the breakglass accounts are used. Add the following definitions to security-config.yaml. For instance, under the “metrics” key, add a metric filter on the Control Tower CloudTrail log group that counts every event made directly by a breakglass user (not by an AWS service acting on their behalf):

```yaml
# Monitor for the use of breakglass accounts
- filterName: BreakglassAccountUsageMetricFilter
  logGroupName: aws-controltower/CloudTrailLogs
  filterPattern: '{ ($.userIdentity.userName = "breakGlassUser0*") && ($.userIdentity.invokedBy NOT EXISTS) && ($.eventType != "AwsServiceEvent") }'
  metricNamespace: LogMetrics
  metricName: BreakglassAccountUsage
  metricValue: "1"
```
And under the “alarms” key, include:
```yaml
# Log metric filter and alarm for breakglass account usage
- alarmName: BreakglassAccountUsage
  alarmDescription: Alarm for usage of "breakglass" accounts
  snsTopicName: Security
  metricName: BreakglassAccountUsage
  namespace: LogMetrics
  comparisonOperator: GreaterThanOrEqualToThreshold
  evaluationPeriods: 1
  period: 300
  statistic: Sum
  threshold: 1
  treatMissingData: notBreaching
```
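To check which CloudTrail records the filter pattern above would count, and in which 300-second period the alarm's `Sum >= 1` condition would be met, here is an added Python example (not part of the original post or of the onboarding solution) that re-implements the three filter clauses over constructed sample events; the event records and timestamps are made up for illustration.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real log data); only the fields the filter inspects.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T09:00:12Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "breakGlassUser01"}},
    {"eventTime": "2024-01-10T09:02:40Z", "eventName": "CreateRole", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "breakGlassUser01"}},
    # Service-invoked call on the user's behalf: invokedBy is present, so the filter ignores it.
    {"eventTime": "2024-01-10T09:03:05Z", "eventName": "DescribeStacks", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "breakGlassUser02", "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventTime": "2024-01-10T10:15:00Z", "eventName": "ListBuckets", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-10T11:00:00Z", "eventName": "AssumeRole", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "IAMUser", "userName": "breakGlassUser02"}},
]

def matches_breakglass_filter(event: dict) -> bool:
    """Re-implements the page's filterPattern clause by clause:
    userName = "breakGlassUser0*"  AND  invokedBy NOT EXISTS  AND  eventType != "AwsServiceEvent"."""
    identity = event.get("userIdentity", {})
    user_name = identity.get("userName")
    if user_name is None or not fnmatch.fnmatchcase(user_name, "breakGlassUser0*"):
        return False
    if "invokedBy" in identity:  # an AWS service made the call, not the human holding the account
        return False
    return event.get("eventType") != "AwsServiceEvent"

def breakglass_metric_by_period(events, period_seconds: int = 300) -> dict:
    """Emits metricValue "1" per matching event and sums it per fixed period (statistic: Sum).
    Returns {period_start_epoch: sum}."""
    sums = {}
    for ev in events:
        if matches_breakglass_filter(ev):
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            bucket = int(ts.timestamp()) // period_seconds * period_seconds
            sums[bucket] = sums.get(bucket, 0) + 1
    return sums

def alarm_periods(events, threshold: int = 1, period_seconds: int = 300) -> list:
    """Period start times in which Sum >= threshold holds, i.e. where the alarm
    (GreaterThanOrEqualToThreshold, evaluationPeriods 1) would enter ALARM state."""
    sums = breakglass_metric_by_period(events, period_seconds)
    return sorted(start for start, total in sums.items() if total >= threshold)
```

With these samples the two direct breakGlassUser01 events fall in the 09:00:00 period, so that single period alarms; the CloudFormation-invoked call, the ordinary user and the AwsServiceEvent record are all excluded.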
- Implement the Standard Configuration Template
Once the solution is deployed, we recommend using Git to clone the AWS CodeCommit repository locally so you can begin customizing the solution’s configurations.