By Mark Ross, Lead Cloud Architect – Atos
By Martin Foote, Lead Cloud Architect – Atos
By Tomasz Owczarczyk, Cloud System Architect – Atos
By Yusuf Okul, Partner Solutions Architect – AWS


As larger, more complex and critical workloads are migrated to Amazon Web Services (AWS), customers are rightly concerned about how to appropriately secure and gain visibility of those workloads, and ensure compliance standards are met.

Customers are looking for streamlined, automated processes to be able to adopt AWS at scale without it becoming unmanageable, and they want it to be user friendly to avoid “shadow IT” appearing outside of centralized governance.

Digital Cloud Services (DCS) is a fully managed AWS landing zone-as-a-service from Atos, an AWS Advanced Consulting Partner and Managed Service Provider (MSP). Atos holds AWS Competencies in Migration and Mainframe Migration consulting, as well as Level 1 MSSP Security Consulting.

The DCS solution on AWS offers a managed landing zone platform with enterprise-grade security, providing customers with the ideal environment to start or continue their business transformation, at pace and scale in a self-service manner.

With DCS AWS, customers are safe in the knowledge the underlying platform is built to Center for Internet Security (CIS) benchmarks and AWS Well-Architected Framework standards.

DCS AWS is designed and built from the ground up using cloud-native services augmented with cloud-aware third-party products. It inherently benefits from the scale, elasticity, and availability of AWS, and offers different policies to meet different regulatory frameworks.

DCS AWS puts customer self-service at the heart of the solution. Once the initial onboarding and setup of the landing zone is complete, customers are free to provision AWS accounts and DCS AWS will wrap the security, monitoring, and management around it.

Additional services within the account are possible via tagging, where the DCS AWS event-driven architecture will manage Amazon Elastic Compute Cloud (Amazon EC2) instance monitoring, backup, patching, and anti-malware, regardless of the customer’s chosen provisioning method.

Customer Benefits

DCS AWS is a flexible, modular service and can be used in a variety of scenarios:

  • Green-field adoption.
  • Brown-field adoption.
  • AWS commercials via Atos or customer direct.
  • Atos partner-led, partner-resold, or customer-direct AWS support.

DCS AWS removes the need for customers to spend significant time designing, preparing, and deploying their enterprise landing zone for consuming AWS services at scale in a secure and robust manner.

Once the landing zone is deployed, fully secured resource accounts can be self-served and provisioned in around 30 minutes, allowing customers to focus on delivering business value.

New resource accounts can be provisioned from the AWS Management Console, or programmatically using the AWS Service Catalog API. Customers can plug this into their CI/CD systems, or any programs and tools they use to prepare infrastructure for application or project teams.

All resources are created using an infrastructure as code (IaC) approach, so it is predictable, secure, and programmatically expandable.

Shared Responsibility Model

DCS AWS operates in the customer portion of the AWS Shared Responsibility Model.

Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve customers’ operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.


Figure 1 – Digital Cloud Services and the AWS Shared Responsibility Model.

The DCS core service provides the base account and networking security, management, and monitoring services. Accounts are secured with preventative guardrails, ensuring key configuration cannot be changed.

For specific industry and regulatory requirements, preventative guardrails stop specific services from being used. Detective guardrails identify and notify where undesirable configurations have been made that should be reviewed and remediated.

Artificial intelligence (AI) and machine learning (ML) services are used to provide threat detection and to identify permissions that grant access across accounts or to principals outside of the AWS Organization.

Networking services are provided to connect virtual private clouds (VPCs) utilizing AWS Transit Gateway, and hybrid connectivity back to on premises using virtual private networks (VPNs), AWS Direct Connect, or both.

Dashboards and reports are visualized to allow the environment to be reviewed. Customers can use self-serve provisioning of new accounts to agreed blueprints, without the need to wait hours or days for an engineer to do it, either via AWS Service Catalog or other processes.

The DCS “Managed OS” and “Managed RDS” services can be consumed to hand off common tasks for these components, whilst customers ultimately retain control of them.

An event-driven approach is used, whereby once instances are provisioned customers can onboard them to the DCS service. DCS undertakes an agreed set of tasks, such as installing the Amazon CloudWatch unified agent, enabling patching via AWS Systems Manager, adding the instances to a backup schedule, and enabling compliance scanning.

Anything outside of the current DCS service can be freely provisioned and managed by the customer directly—within the limits of the agreed preventative guardrails.

This self-service, event-driven automation approach increases business agility and allows customers to provision resources in whatever way they see fit.
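The "tag it and the platform picks it up" flow described above can be shown concretely. The following is an added example, not Atos DCS code: a small onboarding engine that reacts to the EventBridge "Tag Change on Resource" event for an EC2 instance and decides which managed-OS tasks to run. The event shape follows the documented `aws.tag` event; the tag keys (`dcs:managed-os`, `dcs:backup`), tag values, task names and the sample event are assumptions made for this illustration.

```python
"""
Added example (not Atos DCS code): a "tag to onboard" engine of the kind the text
describes, reacting to EventBridge "Tag Change on Resource" events for EC2 instances
and deciding which managed-OS tasks to run. The tag keys, tag values, task names and
the sample event are assumptions; the event shape follows the documented aws.tag event.
"""

# Assumed tags: set dcs:managed-os=true to onboard an instance, optionally
# dcs:backup=<tier> to pick a backup blueprint.
ONBOARD_TAG = "dcs:managed-os"
BACKUP_TAG = "dcs:backup"
VALID_BACKUP_TIERS = {"standard", "cross-region", "cross-account"}


def event_pattern() -> dict:
    """EventBridge rule pattern: only EC2 instance tag changes touching our tags,
    so the function is not invoked for every tag edit in the landscape."""
    return {
        "source": ["aws.tag"],
        "detail-type": ["Tag Change on Resource"],
        "detail": {
            "service": ["ec2"],
            "resource-type": ["instance"],
            "changed-tag-keys": [ONBOARD_TAG, BACKUP_TAG],
        },
    }


def plan_actions(event: dict) -> list:
    """Translate one tag-change event into the ordered tasks to run, as
    (task, instance_id) tuples. Returns [] for events that should be ignored."""
    detail = event.get("detail", {})
    if detail.get("service") != "ec2" or detail.get("resource-type") != "instance":
        return []
    changed = set(detail.get("changed-tag-keys", []))
    if not changed & {ONBOARD_TAG, BACKUP_TAG}:
        return []
    tags = detail.get("tags", {})
    # Only "true" (any case) enrols; a removed key or a typo such as "ture"
    # never silently brings an instance under management.
    onboard = tags.get(ONBOARD_TAG, "").strip().lower() == "true"
    if not onboard and ONBOARD_TAG not in changed:
        return []  # backup tag edited on an unmanaged instance: nothing to do
    instance_ids = [arn.rsplit("/", 1)[-1] for arn in event.get("resources", [])
                    if ":instance/" in arn]
    actions = []
    for iid in instance_ids:
        if not onboard:
            actions += [("remove-from-backup-plan", iid), ("disable-ssm-patching", iid)]
            continue
        # Every task is idempotent, so re-running them on a later tag edit is safe.
        actions += [("install-cloudwatch-agent", iid),
                    ("enable-ssm-patching", iid),
                    ("enable-inspector-scan", iid)]
        tier = tags.get(BACKUP_TAG, "standard").strip().lower()
        if tier not in VALID_BACKUP_TIERS:
            # Unknown tier: use the safe default and raise it for review.
            actions.append(("notify-invalid-backup-tier", iid))
            tier = "standard"
        actions.append((f"add-to-backup-plan:{tier}", iid))
    return actions


def lambda_handler(event, context=None):
    """Assumed entry point in the DCS management account; returns the plan so a
    Step Functions workflow can execute each task with the right cross-account role."""
    return {"actions": [list(a) for a in plan_actions(event)]}


# Constructed sample event (not captured from a real account).
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "Tag Change on Resource",
    "source": "aws.tag",
    "account": "111111111111",
    "region": "eu-west-1",
    "resources": ["arn:aws:ec2:eu-west-1:111111111111:instance/i-0123456789abcdef0"],
    "detail": {
        "changed-tag-keys": [ONBOARD_TAG, BACKUP_TAG],
        "service": "ec2",
        "resource-type": "instance",
        "version": 3,
        "tags": {ONBOARD_TAG: "true", BACKUP_TAG: "cross-region", "Name": "web-01"},
    },
}

if __name__ == "__main__":
    for task, iid in plan_actions(SAMPLE_EVENT):
        print(f"{iid}: {task}")
```

The design point is that the tag is the only customer-facing control: the engine treats anything other than an exact `true` as off-boarding, so a mistyped value cannot enrol an instance by accident, and an unrecognised backup tier falls back to the default while raising a notification rather than silently leaving the instance unprotected.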

Architectural Overview: Cloud Core

A high-level architecture of the “Cloud Core” DCS AWS service offering is shown in Figure 2. This defines the constituent parts, which can be enabled to gain visibility, control, security compliance, and enforce policy throughout the customer’s landscape.

The modular approach enables optionality of the component services, which can then be applied in either a greenfield Control Tower-led deployment, or applied to existing customer landscapes.


Figure 2 – Overview of the DCS AWS Core landing zone.

When a customer wants to provision a new landing zone, the following AWS services will be configured:

  1. Organization master: AWS Control Tower, AWS Organizations, AWS Single Sign-On (SSO), AWS Resource Access Manager, and billing.
  2. Audit account: AWS Config and Amazon GuardDuty aggregators, AWS Security Hub, AWS IAM Access Analyzer for Organizations.
  3. Log archive account: Consolidated AWS CloudTrail and Config logs, limited permissions to prevent tampering and viewing.
  4. Network account: AWS Transit Gateway, AWS Direct Connect, AWS VPN, Amazon Route 53.
  5. Management account: CI/CD runners, AWS Service Catalog, management services for ITSM integration preparation.
  6. Service account: AWS Service Catalog, Amazon CloudWatch dashboard, reporting.
  7. Resource accounts: Various services deployed in the resource account to link back to accounts 1-6 for centralized management and governance.

Architectural Overview: Managed OS/RDS

A high-level architecture focused on the Managed OS/RDS DCS AWS service offering is shown in Figure 3. This defines the constituent parts, which are used to provide ongoing management, backup, reporting, and posture using the AWS-native toolset coupled with an event-driven approach developed by Atos DCS.

The event-driven engine enables customers to elect when to engage the DCS value add services on a self-serve basis, following the initiation of this optional component on top of a DCS AWS “Cloud Core” environment.


Figure 3 – Overview of the DCS AWS Managed OS/RDS Service.

  1. AWS Systems Manager: The Managed OS DCS AWS service offering makes heavy use of the Systems Manager suite of tools to provide various aspects of the ongoing management of instances.
  2. AWS Backup: Maintaining backup copies of EC2 and Amazon Relational Database Service (Amazon RDS) components is easy with AWS Backup.
  3. Amazon EventBridge: Recognizing changes within the customer’s landscape, and feeding those changes to the DCS Management Account to invoke the necessary workflows is done using Amazon EventBridge.
  4. Amazon CloudWatch: Used to collect metrics and logs, and set alarms which trigger functions within the DCS Management Account.
  5. Amazon Inspector: Used for security compliance scanning for EC2 instances.
  6. Service account: Gives the customer visibility through the capability of self-service reporting of the landscape.
  7. Management account: Hosts a number of components which drive the value-add service offering, including workflows powered by AWS Step Functions, Amazon DynamoDB tables, AWS Lambda functions, and an outbound secure internet proxy that provides connectivity to the internet endpoints required by end-system security tooling such as antivirus.
  8. Audit account: AWS Security Hub hosted within the Audit account provides alerts for Amazon Inspector findings.

Self-Service Automation

Self-service is foundational to DCS AWS, as the service is designed to provide security and governance to help customers consume AWS services safely, without reducing agility and the ability to innovate.

Atos delivers its value-added services to customers through AWS Service Catalog. For the provisioning of a new account that has the DCS AWS configuration out of the box, for example, customers can use their tools of choice, such as the web console, the API, or IaC.

The Service Catalog central portfolio is shared into customers’ accounts, allowing additional self-service functionality within that account as part of the ongoing service.

Each product represents one of the services Atos provides and exposes to customers for self-service. Blueprints contain anticipated options for specific services. For example, if the selected service is backup, then one blueprint can be used to switch on one type of backup, whereas another blueprint can provide further backup options such as cross-region or cross-account replication.

With this concept, customers have multiple versions of the service, which can be applied dependent on needs and may differ between business units or production and non-production environments.

DCS self-service is used in conjunction with AWS Control Tower and provides additional services over and above what Control Tower offers. This includes additional security services, backup, or enhanced VPC configuration.


Figure 4 – Overview of DCS AWS Service Catalog.

Self-Service Use Case: New Account

One self-service scenario is the creation of a new AWS account, complete with the DCS AWS security and governance services provided out of the box.

When a customer wants to provision a new account, the following AWS services will be configured:

  • AWS CloudTrail with centralized logging to an audit account and Amazon CloudWatch Logs within each account.
  • CloudWatch alarms, including metric filters to provide CIS benchmark alerts on CloudTrail logs.
  • AWS Config rules with centralized logging to an audit account.
  • Amazon GuardDuty.
  • AWS IAM roles and policies.
  • IAM Access Analyzer.
  • AWS Security Hub.
  • Amazon Inspector (network level).
  • AWS Trusted Advisor.
  • AWS Backup.
  • Service control policies (SCPs) to limit region activity, in addition to any organizational unit-level policies for regulatory compliance or for services customers specifically want to disable.
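The region-limiting policy in the last bullet is the piece that most often surprises teams in practice, because a blanket deny on `aws:RequestedRegion` also blocks the global services that are addressed through us-east-1. The following is an added example, not Atos DCS code: it builds a region-restriction SCP of that shape and includes a small evaluator that shows which requests it denies. The allowed regions and the list of exempted global-service action prefixes are assumptions for one hypothetical customer; the Deny / NotAction / `aws:RequestedRegion` structure is the documented pattern.

```python
"""
Added example (not Atos DCS code): a region-restriction service control policy plus a
minimal evaluator. ALLOWED_REGIONS and GLOBAL_SERVICE_ACTIONS are assumptions for one
customer; the policy structure follows the documented AWS pattern.
"""
import fnmatch
import json

ALLOWED_REGIONS = ["eu-west-1", "eu-west-2"]  # assumed: the customer's agreed regions

# Global services are addressed through us-east-1 (or carry no region), so a blanket
# deny keyed on aws:RequestedRegion would break IAM, STS, Organizations, CloudFront,
# Route 53, Support and similar. They are exempted via NotAction; keep this list short
# and reviewed, because every entry is a hole in the region fence.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*", "support:*",
    "budgets:*", "health:*", "globalaccelerator:*", "waf:*", "shield:*",
]


def region_restriction_scp(allowed_regions=None) -> dict:
    """Build the SCP document that denies all non-global actions outside the
    allowed regions."""
    regions = list(allowed_regions or ALLOWED_REGIONS)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": list(GLOBAL_SERVICE_ACTIONS),
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": regions}},
        }],
    }


def scp_denies(policy: dict, action: str, requested_region: str) -> bool:
    """Does this SCP explicitly deny `action` in `requested_region`?
    Models only the Deny/NotAction/StringNotEquals construct used above, not full
    IAM policy evaluation; action matching is case-insensitive, as in IAM."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in stmt.get("NotAction", [])):
            continue  # exempted global service
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if requested_region not in cond.get("aws:RequestedRegion", []):
            return True
    return False


def policy_json(policy: dict) -> str:
    """Compact form suitable for organizations.create_policy(Content=...);
    SCP documents have a size limit, so compact serialization matters as the
    exemption list grows."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    scp = region_restriction_scp()
    print(policy_json(scp))
    for action, region in [("ec2:RunInstances", "us-east-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateRole", "us-east-1")]:
        verdict = "DENIED" if scp_denies(scp, action, region) else "not denied by this SCP"
        print(f"{action} in {region}: {verdict}")
```

Two caveats worth keeping in mind when reviewing such a policy: an SCP never grants access, it only caps what IAM policies in member accounts can grant, so "not denied by this SCP" does not mean "allowed"; and SCPs do not apply to the organization management account itself, which is one reason the management account in the Cloud Core design carries no workloads.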

Coordination between all of these components is done automatically, via Atos’ DCS automation, after the account provisioning process finishes.
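The "CIS benchmark alerts on CloudTrail logs" item in the list above is worth seeing in working form, because the value of that control lies in the exact filter patterns. The following is an added example, not Atos DCS code: the filter patterns are the CloudWatch Logs metric-filter expressions from the monitoring section of the CIS AWS Foundations Benchmark (v1.2), and next to each is a hand-written Python equivalent so the logic can be exercised offline against constructed CloudTrail records. The log group name, metric namespace and the sample records are assumptions.

```python
"""
Added example (not Atos DCS code): CIS-benchmark style CloudTrail alerting. Filter
patterns are the CIS AWS Foundations Benchmark (v1.2) metric-filter expressions; the
predicates beside them are hand-written equivalents for offline evaluation. LOG_GROUP,
METRIC_NAMESPACE and SAMPLE_RECORDS are assumptions / constructed data.
"""
from typing import Dict, List

LOG_GROUP = "/dcs/cloudtrail"          # assumed name of the per-account CloudTrail log group
METRIC_NAMESPACE = "DCS/CISBenchmark"  # assumed metric namespace

# name -> (CloudWatch Logs filter pattern, equivalent predicate on a CloudTrail record)
CIS_FILTERS: Dict[str, tuple] = {
    "cis-3.1-unauthorized-api-calls": (
        '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
        lambda r: str(r.get("errorCode", "")).endswith("UnauthorizedOperation")
        or str(r.get("errorCode", "")).startswith("AccessDenied"),
    ),
    "cis-3.2-console-login-without-mfa": (
        '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
        lambda r: r.get("eventName") == "ConsoleLogin"
        and r.get("additionalEventData", {}).get("MFAUsed") != "Yes",
    ),
    "cis-3.3-root-account-usage": (
        '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
        '&& $.eventType != "AwsServiceEvent" }',
        lambda r: r.get("userIdentity", {}).get("type") == "Root"
        and "invokedBy" not in r.get("userIdentity", {})
        and r.get("eventType") != "AwsServiceEvent",
    ),
    "cis-3.5-cloudtrail-config-changes": (
        '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) '
        '|| ($.eventName = StartLogging) || ($.eventName = StopLogging) }',
        lambda r: r.get("eventName") in {"CreateTrail", "UpdateTrail", "DeleteTrail",
                                         "StartLogging", "StopLogging"},
    ),
}


def metric_filter_request(name: str) -> dict:
    """Keyword arguments for logs.put_metric_filter() that would create this filter.
    The alarm (threshold >= 1 over one period, as CIS requires) is created separately
    on the resulting metric."""
    pattern, _ = CIS_FILTERS[name]
    return {
        "logGroupName": LOG_GROUP,
        "filterName": name,
        "filterPattern": pattern,
        "metricTransformations": [
            {"metricName": name, "metricNamespace": METRIC_NAMESPACE, "metricValue": "1"}
        ],
    }


def evaluate_records(records: List[dict]) -> Dict[str, List[str]]:
    """Run every filter over the records; returns filter name -> matching eventIDs."""
    hits: Dict[str, List[str]] = {name: [] for name in CIS_FILTERS}
    for rec in records:
        for name, (_, predicate) in CIS_FILTERS.items():
            if predicate(rec):
                hits[name].append(rec["eventID"])
    return hits


# Constructed CloudTrail records (not real log data); only the fields the filters read.
SAMPLE_RECORDS = [
    {"eventID": "ev-1", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "ev-2", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "ev-3", "eventType": "AwsApiCall", "eventName": "CreateUser",
     "userIdentity": {"type": "Root"}},
    {"eventID": "ev-4", "eventType": "AwsApiCall", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorCode": "AccessDenied"},
    {"eventID": "ev-5", "eventType": "AwsApiCall", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "dave"}},
    # Root credentials used on behalf of an AWS service (invokedBy present): 3.3 excludes it.
    {"eventID": "ev-6", "eventType": "AwsApiCall", "eventName": "DescribeTrails",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
]

if __name__ == "__main__":
    for name, ids in evaluate_records(SAMPLE_RECORDS).items():
        print(f"{name}: {ids}")
```

The `ev-6` record is the edge case to notice: the root-usage filter deliberately ignores calls that carry `invokedBy`, so service-initiated activity under the root identity does not page anyone, while a human using root credentials (`ev-3`) does. Federated console sign-ins where MFA is enforced at the identity provider report `MFAUsed` as `No`, so the 3.2 pattern usually needs tuning per customer before it becomes a useful alarm.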


Figure 5 – New account provisioning process.

The diagram above shows a new account product provisioning flow:

  1. Customer goes to AWS Service Catalog, selects a service to provision, and fills out the form.
  2. A new artefact of the provisioned product is instantiated.
  3. AWS CloudFormation stack initiated from the product invokes DCS Deployment Framework.
  4. Framework components process request and trigger Account Vending Machine (AVM) product.
  5. AVM creates new resource account and sets up AWS baseline configuration.
  6. When the new resource account is created, it’s signaled back to the DCS Deployment Framework.
  7. Framework starts provisioning additional DCS AWS resources, sets up, and configures the relevant services.
  8. When the services are ready, the DCS Deployment Framework returns completion information to Service Catalog, and the new account and services are available for customer use.

Onboarding

The DCS AWS platform is delivered using an everything-as-code approach. This allows customers to select services and configuration parameters that meet requirements such as regulatory compliance, backup retention and duplication policies, or maintenance windows for patching of EC2 instances.

At the start of the customer engagement to onboard to DCS AWS, onboarding workshops are held with customer stakeholders to agree on the required modules, as well as the configuration parameters within those modules.

Customers can elect to take the default settings for these modules or provide parameters that meet their needs. If there’s a brownfield take-on of an existing environment, a discovery phase is undertaken to understand any transition requirements.

The DCS AWS platform is built for the customer using existing code blueprints for the required modules, along with any customer-specific parameters. It’s tested and handed over to the customer to use, and to the operations team to support the customer on an ongoing basis.

At this point, the customer can provision additional AWS resources in whatever way they choose, and new hardened and secured AWS accounts can be provisioned via AWS Service Catalog.

Where customers require Atos to provide additional management and monitoring services, they can tag these components and the event-driven architecture will bring them under management.

Atos can also provide additional services within the new environment, including application assessment and migrations, ongoing application management, Internet of Things (IoT) services, big data, or AI/ML services as required by the customer.

Conclusion

As customers adopt AWS at pace and scale for complex, critical workloads, it’s imperative this is done with appropriate governance, visibility, and control whilst avoiding a poor user experience for customers.

Developing and deploying applications into a managed landing zone environment with self-service capabilities is critical to this approach, allowing developers to innovate at pace and ensure appropriate levels of security and compliance. This is in addition to backup, patching, vulnerability scanning and security threat detection that’s provided to keep bad actors away from valuable business data.

The Digital Cloud Services (DCS) solution from Atos provides a modular approach, allowing customers to plug and play the parts that add the most value for them. With Atos providing the support and ongoing development of the services within the DCS AWS service, customers can free their staff to concentrate on adding business value.



Atos – AWS Partner Spotlight

Atos is an AWS Advanced Consulting Partner and a leader in digital services that believes bringing together people, business, and technology is the way forward.
