ACAI Lab – Secure AWS Landing Zone


21 Nov
Michael Ullrich

The following blog post introduces the ACAI Lab – Secure AWS Landing Zone.

It lets you experience a live AWS Landing Zone deployment in a publicly accessible sandbox environment from two perspectives: Security Operator and Application DevOps-Team.


Here are the direct links to the accounts of the individual roles. It is recommended to open each account's URL in a separate private browser window to avoid single-sign-on related issues:

Perspective               Account            Account-ID      Links
Security Operator         Core Monitoring    321744974957
Security Operator         Core Logging       735600569007    https://secure-lz.aws.acai-labs.ch/core-logging
Security Operator         Core Auditing      263761644432    https://secure-lz.aws.acai-labs.ch/core-auditing/securityhub
                                                             https://secure-lz.aws.acai-labs.ch/core-auditing/guardduty
Application DevOps-Team   Business Prod      212262933260    https://secure-lz.aws.acai-labs.ch/business1-prod
Application DevOps-Team   Business NonProd   001683013005    https://secure-lz.aws.acai-labs.ch/business1-nonprod

Core Monitoring Account

The provided Kibana dashboard visualizes the event logs (AWS CloudTrail, AWS Security Hub and Amazon GuardDuty) of all AWS accounts belonging to your landing zone, collected in real time.

Core Logging Account

Try the Core Logging live demo by clicking here: https://secure-lz.aws.acai-labs.ch/core-logging

The Core Logging account contains the S3 buckets for the audit logs. The logs are KMS-encrypted, have versioning enabled, and have a life-cycle policy configured for limited data retention.
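As an added example (not part of the original post and not the lab's own code), the following Python function evaluates a log bucket's configuration against the three properties just listed, using the response shapes that boto3's get_bucket_encryption, get_bucket_versioning and get_bucket_lifecycle_configuration return; the two bucket configurations are constructed inline so the check runs offline. The noncurrent-version check is an addition beyond the text: with versioning enabled, retention is only bounded if old versions expire as well.

```python
def evaluate_log_bucket(encryption, versioning, lifecycle):
    """Return a list of findings; an empty list means the bucket is compliant."""
    findings = []

    # 1. Default encryption must be SSE-KMS (neither SSE-S3 "AES256" nor unset).
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if "aws:kms" not in algos:
        findings.append("default encryption is not SSE-KMS")

    # 2. Versioning must be enabled so audit logs cannot be silently overwritten.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")

    # 3. An enabled lifecycle rule must expire current objects after a fixed number of days.
    active = [r for r in lifecycle.get("Rules", []) if r.get("Status") == "Enabled"]
    if not any("Days" in r.get("Expiration", {}) for r in active):
        findings.append("no enabled lifecycle rule bounds retention (Expiration.Days)")
    # Added check (beyond the post): with versioning on, deleted or overwritten logs
    # live on as noncurrent versions, so retention is only bounded if those expire too.
    if not any("NoncurrentDays" in r.get("NoncurrentVersionExpiration", {}) for r in active):
        findings.append("noncurrent object versions are never expired")

    return findings


# Constructed sample API responses (not taken from the lab's real accounts).
COMPLIANT = dict(
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "alias/audit-logs-example"}}]}},
    versioning={"Status": "Enabled"},
    lifecycle={"Rules": [{"ID": "retention", "Status": "Enabled", "Filter": {"Prefix": ""},
                          "Expiration": {"Days": 365},
                          "NoncurrentVersionExpiration": {"NoncurrentDays": 30}}]},
)

WEAK = dict(
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    versioning={},              # versioning never configured (no Status key)
    lifecycle={"Rules": []},    # no retention bound at all
)

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(name, evaluate_log_bucket(**cfg) or ["OK"])
```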

Core Auditing Account

The Core Auditing Account provides the Amazon Security Hub master and the Amazon GuardDuty master, aggregating the data from all member accounts. So, from a single navigation point you can get security insights on the whole landscape of your AWS accounts.

AWS Security Hub

Try the Core Auditing Security Hub live demo by clicking here: https://secure-lz.aws.acai-labs.ch/core-auditing/securityhub

AWS Security Hub is your single pane of glass for security.

In the lab, AWS Security Hub has two standards enabled. For details, see our other blog post: Security Standards recommended for your AWS Landing Zone

Detailed overview of CIS AWS Foundations Benchmark security controls:

Amazon GuardDuty

Try the Core Auditing GuardDuty live demo by clicking here: https://secure-lz.aws.acai-labs.ch/core-auditing/guardduty

GuardDuty gives you an overview of the security findings raised across your account landscape. For each finding you get detailed information as a starting point for your analysis:

Business Accounts

This is where the landing zone scales out: you can have hundreds of business accounts.

Try out the existing sample business accounts by clicking here: https://secure-lz.aws.acai-labs.ch/business1-prod or https://secure-lz.aws.acai-labs.ch/business1-nonprod

Note that you can also navigate to Amazon Security Hub and Amazon GuardDuty in each of the accounts; there you will see the data at account level.

Detailed Lab-Overview

The following image gives you an overview of the AWS services deployed in the lab and the data flows.

Detailed Overview


Important information on data privacy
Please note that for AWS Console access you will be redirected to AWS. Your IP address will be logged and will show up in various AWS services.
To hide your IP address you can either create an EC2 instance and use it as a jump host, or use a VPN provider.


We are ACAI Consulting, specialized in AWS multi-account security and governance.
If you have any questions, feel free to get in touch with us: blog@acai.gmbh
