AWS Governance
Anuj Varma, Hands-On Technology Architect, Clean Air Activist – Production Grade Technical Solutions | Data Encryption and Public Cloud Expert
https://www.anujvarma.com/aws-governance/ (tag archive: https://www.anujvarma.com/tag/accounts-governance/)
Wed, 17 Jul 2019 21:51:05 +0000

The post AWS Governance appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Governance

Users and IAM Governance

  • No root user credentials for day-to-day work (lock the root creds away).
  • Create IAM users and assign them specific roles.
  • Create roles with granular access.
  • Use cross-account access roles.

Accounts Governance – Organizations and Landing Zones (Control Tower) for multiple accounts – a centralized logging account, reached through cross-account access roles

  • Master: This is where you will find the AWS organisation. Also found here are Single Sign-On (SSO) and a service catalog for the ‘Account Vending Machine’ (AVM), which automates the process of creating new AWS accounts.
  • Security: Contains roles that allow you to switch to other accounts or receive notifications of security incidents.
  • Shared services: Contains Active Directory and other services that are used by all accounts.
  • Logging: This is the central landing place for logs, such as CloudTrail audit logs.

Resource Level Governance – Custom Policy PLUS CloudFormation

Simple way: create an IAM policy that allows the action ‘CreateTags’ on a service, for example ‘ec2:CreateTags’ (together with permission to create the resource itself), and attach a condition that requires a tag with a given key to be present with any value.
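The pattern just described, written out as an added example (this template is not from the original post): a CloudFormation template that creates a customer-managed IAM policy allowing EC2 launches only when the request carries a tag. The tag key `Owner`, the policy name `RequireOwnerTagOnEc2Create` and the restriction to instances and volumes are assumptions chosen for illustration.

```yaml
# Added example, not the post's own code. The tag key "Owner" and the
# policy name are assumptions; adapt them to your tagging standard.
AWSTemplateFormatVersion: "2010-09-09"
Description: Allow EC2 launches only when the request carries an Owner tag

Resources:
  RequireOwnerTagPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: RequireOwnerTagOnEc2Create   # assumed name
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # 1. The create action is allowed only when the request carries
          #    the tag. "Null: false" means "the key is present with any
          #    value", which is exactly the check described in the text.
          - Sid: RunInstancesOnlyWhenOwnerTagged
            Effect: Allow
            Action: ec2:RunInstances
            Resource:
              - arn:aws:ec2:*:*:instance/*
              - arn:aws:ec2:*:*:volume/*
            Condition:
              "Null":
                "aws:RequestTag/Owner": "false"
          # 2. RunInstances also references resources that cannot carry a
          #    tag in the request (AMI, subnet, ENI, SG, key pair). Allow
          #    those without the condition or every launch is denied.
          - Sid: RunInstancesSupportingResources
            Effect: Allow
            Action: ec2:RunInstances
            Resource:
              - arn:aws:ec2:*::image/*
              - arn:aws:ec2:*:*:subnet/*
              - arn:aws:ec2:*:*:network-interface/*
              - arn:aws:ec2:*:*:security-group/*
              - arn:aws:ec2:*:*:key-pair/*
          # 3. Grant ec2:CreateTags, but only as part of the launch call.
          #    Without the ec2:CreateAction condition the same principal
          #    could re-tag (or strip tags from) existing resources, which
          #    would defeat the governance control.
          - Sid: CreateTagsOnlyDuringLaunch
            Effect: Allow
            Action: ec2:CreateTags
            Resource:
              - arn:aws:ec2:*:*:instance/*
              - arn:aws:ec2:*:*:volume/*
            Condition:
              StringEquals:
                "ec2:CreateAction": RunInstances

Outputs:
  PolicyArn:
    Description: Attach this ARN to the IAM roles or groups that launch instances
    Value: !Ref RequireOwnerTagPolicy
```

The third statement is the part most often forgotten: tag-on-create only works if `ec2:CreateTags` is granted, but granting it unconditionally lets users change tags after the fact, so the `ec2:CreateAction` condition narrows it to the launch itself. Verify the result with the IAM policy simulator before rolling it out: a `RunInstances` request with the `Owner` tag should be allowed, one without it denied.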

Entire Infrastructure Automation – CloudFormation

  1. Reproducible – automate infrastructure creation.
  2. Automatic dependencies – what to create first, second, next is resolved automatically, based on the references (Refs) in the stack definition.

Template sections:

  • Parameters (input parameters), e.g. VPC name, region.
  • Mappings – for multi-region templates, customising per region, especially since the AMI ID is different in different regions (for the same image).
  • Pseudo parameters – available by default: account ID, region.
  • Resources – wired together with Refs; install / configure software on an EC2 instance using UserData with Fn::Join and Fn::Base64.
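All of the template pieces listed above in one stack, as an added example (not from the original post): input Parameters, a per-region AMI Mapping, the `AWS::Region`, `AWS::AccountId` and `AWS::StackName` pseudo parameters, Refs that let CloudFormation order the security group before the instance, and a UserData script assembled with Fn::Join and wrapped in Fn::Base64. The resource and parameter names are assumptions, the AMI IDs are obvious placeholders that must be replaced, and the bootstrap script assumes an Amazon Linux image (it uses yum).

```yaml
# Added example, not the post's own template. Names are assumptions and the
# AMI IDs below are placeholders: substitute real IDs for your account.
AWSTemplateFormatVersion: "2010-09-09"
Description: Multi-region EC2 instance with an encrypted root volume and a bootstrap script

Parameters:                        # input parameters, supplied at create-stack time
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC to launch into
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet inside VpcId
  InstanceType:
    Type: String
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small]
  Owner:
    Type: String
    Description: Value for the mandatory Owner tag

Mappings:                          # per-region customisation: same image, different AMI ID
  RegionMap:
    us-east-1:
      AMI: ami-REPLACE-us-east-1   # placeholder, not a real AMI ID
    eu-west-1:
      AMI: ami-REPLACE-eu-west-1   # placeholder, not a real AMI ID

Resources:
  # No DependsOn anywhere: CloudFormation derives the creation order from
  # the Refs (WebInstance refers to WebSecurityGroup, so the group goes first).
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS in from anywhere; no other inbound ports
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      # The AWS::Region pseudo parameter picks the right AMI from the mapping.
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        - !Ref WebSecurityGroup        # Ref to a sibling resource = implicit dependency
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 20
            Encrypted: true            # encrypt at rest by default
      Tags:
        - Key: Owner
          Value: !Ref Owner
        - Key: Stack
          Value: !Ref "AWS::StackName" # pseudo parameter
      # UserData must be base64. Fn::Join assembles the script line by line so
      # that Refs and pseudo parameters can be spliced into it.
      UserData:
        Fn::Base64:
          Fn::Join:
            - "\n"
            - - "#!/bin/bash -xe"
              - "yum update -y"
              - "yum install -y httpd"
              - "systemctl enable --now httpd"
              - !Join ["", ["echo 'account=", !Ref "AWS::AccountId", " region=", !Ref "AWS::Region", "' > /var/www/html/index.html"]]

Outputs:
  InstanceId:
    Value: !Ref WebInstance
  AmiUsed:
    Value: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
```

Deploying the same file in `us-east-1` and `eu-west-1` yields an identical stack with the region-appropriate image, which is the point of the mapping. Because the script is an ordinary string list, `Fn::Join` with `"\n"` keeps each command on its own line after base64 decoding; the cloud-init log on the instance (`/var/log/cloud-init-output.log`) shows whether the bootstrap ran.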

Terraform

Create a custom VM with two managed disks (EBS volumes) in the cloud.

Group of Resources Governance – Service Catalog (e.g. Create a custom training lab with custom software)

Service Catalog – Resource Level Automation

  • Create a portfolio and a product (using a template constraint and a launch constraint).

Tagging Enforcement using Service Catalog

  • Use AWS Service Catalog together with DynamoDB, Lambda and CloudWatch Events.

(Figure: Tag Enforcement-1)
