Enterprise Application Owner's View of Cloud Landing Zones
7 min read
- Sasha Tulchinskiy, Senior Solutions Architect, Deloitte
- Tony Witherspoon, Principal, Deloitte
- Allen Brodjeski, Senior Solution Architect, Deloitte
Questions arise when enterprise application owners seek to migrate application workloads to Cloud Computing environments. Many large organizations implement so called Cloud Landing Zones, which are sets of tools and processes that ensure security and predictability of onboarding, operations and retirement of applications in the Cloud.
Find Amazon Web Services Prescriptive Guidance on Landing Zones here
We will walk you through several considerations for line of business application team onboarding to Amazon Web Services. In addition, this information might be useful for Cloud Operations and Engineering teams that create and maintain Cloud Landing Zones for your organization, to anticipate what application owners will be looking for and how the onboarding process can become as frictionless as possible.
Application Onboarding Considerations
Application teams should take the following steps to prepare for Cloud onboarding:
- Learn about current Enterprise Cloud Landing Zone capabilities and onboarding procedures, which should include description of self-service capabilities, a list of AWS and third-party services that are approved for use, a process of requesting approvals for services that are not yet approved, allowed geographic regions and AWS account segmentation strategies. Do you see deployment, logging, monitoring and security tools that you employ now? Do you see red flags for restrictive configuration requirements, unfamiliar mandatory tools and procedures?
- Review application's technical stack to identify opportunities for employment of managed services provided by AWS
- Review services that applications depend on and potential impacts of network connectivity changes after migration. Watch out for additional network hops and choking devices, decreased bandwidth and increased latency.
- Consider Cloud skillsets and maturity of your team to embrace a shared responsibility model, identify distinct roles to assume and use AWS IAM security policies and permission boundaries, develop and maintain application and Infrastructure-as-Code pipelines.
- Be aware of your application’s technical debt that could have accumulated over years, as organizations may have different expectations for applications that run in Cloud environment in comparison to what was acceptable in a traditional datacenter.
- Understand Landing Zone cost management and optimization capabilities, both long-term and during a transition period, when your line of business may incur charges for both current and future Cloud environment resource consumption.
Cloud Landing Zones on AWS
Let us look deeper into a few of AWS products and services that should be employed for building and operating an Enterprise-level Cloud Landing Zones, and how it will impact your experience with onboarding.
AWS Organizations started as a centralized billing capability, but it also offers ability to create and govern thousands of AWS accounts through automated account provisioning, logical grouping into a hierarchy of Organizational Units (OU), Service Control Policies (SCP), cross-account access and resource sharing.
SCPs is the method to enforce restrictions on AWS Services and Regions through a list of privileges from one or more policies assigned to an OU within your AWS Organization to which your AWS account is assigned to. This type of policy is often referred as setting up "preventive security controls" (as you cannot misconfigure something in your AWS account if you do not have access to do it). It ensures that only allowed AWS resources are deployed.
AWS Control Tower
AWS Control Tower creates a management layer to AWS Organizations and helps with Cloud Landing Zones governance. This is a preferred way to manage Landing Zones, but it is possible that your organization is using a different approach (custom-built scripts, third-party management tools like HashiCorp Terraform Landing Zone, or an AWS Landing Zone accelerator, which is superseded by the AWS Control Tower service).
An Account Factory feature standardizes provisioning of new accounts with pre-approved configurations. Built-in templates can be tailored to specific organizations’ needs.
More advanced Landing Zone implementations integrate the Account Factory with ITSM systems like Service Now to automate workflows of requesting, approval and provisioning of AWS accounts and resources, and coordination of changes to non-AWS resources (such as on-premise network connectivity, DNS, Active Directory, etc.)
While not having a significant impact on your ability to bring applications to the Cloud, a choice of Landing Zone management tool may provide indications of your organization's Cloud Operations maturity.
AWS Config Rules evaluate configuration of AWS accounts and, optionally, trigger automated responses. There are many rules created and managed by AWS out-of-the-box. However, ability to add Custom rules helps to address specific organizational needs.
AWS Config Rules are examples of "detective security controls" and you should be aware of the rules established in the Enterprise Landing Zone, especially if automated remediation scripts are in place (which are known as "corrective controls").
AWS Identity and Access Manager
AWS Identity and Access Manager (IAM) is a foundation of access control management on AWS. Your Cloud Operations Team should follow AWS best practices, including :
- Access to AWS Console and API is federated with Enterprise Directory Service, thus eliminating a need to use separate AWS account level credentials.
- A set of IAM Roles and associated Policies/Permission Boundaries is created automatically by AWS Control Tower Account Factory during initial AWS account setup. These roles reflect organization's "separation of duties" strategy and include sets of permissions for Cloud Ops, Security and pre-set Application-level roles (such as developers, DBA, read-only). Additional IAM Roles can be created for application and services.
- With increased maturity of applications' Infrastructure-as-Code practices, additional permissions may be needed for individual team members, code pipelines and AWS services employed by applications. Make sure that a process exists for requesting, getting approvals and timely implementation of changes to IAM.
AWS Virtual Private Cloud
AWS Virtual Private Cloud (VPC) is a family of managed services that provide virtual networking capabilities for applications. Some of the capabilities are integrated with AWS Control Tower Account Vending Machines (provisioning of an initial VPC), others are relying on AWS Organizations through AWS Resource Access Manager, yet some of them require additional efforts from the Cloud Operations and other teams - for example, establishing interconnectivity between VPCs in different AWS account, providing Wide-Area Network connectivity to on-premise resources, VPN connections to third-party SaaS and managing secure access to the Internet with Intrusion Detection.
- AWS Control Tower-provisioned VPC having sufficient IP space, using expected number of subnets and AWS Availability Zones
- Restrictions on the Internet access being allowed to/from your VPC directly or directed through a shared technology stack that it managed by a separate team.
- Ability to access Enterprise Shared Services (in the Cloud and on-premise)
- Ability to access application-level resources (dependencies), especially if the new AWS Region for the application makes such communications go through longer network paths and additional devices that limit available bandwidth.
- Procedures and SLA for requesting firewall exceptions and network connectivity
AWS Cloud Financial Management
AWS Cloud Financial Management is a family of services to plan, collect and report on resource utilization. Having access to cost metrics and AI-driven recommendations on resource allocation tune-up is a key for lowering the Total Cost of Ownership for the Cloud workloads.
Non-AWS Enterprise Tools
Enterprises take different paths for arriving to the Cloud and they sometimes bring "technological luggage" in a process - you may or may not see the same tools that have been used in the on-premise environment. Some will be replaced with AWS-Managed services or third-party SaaS, but others will still be managed from physical datacenters.
There is a vast variety of options for endpoint protection, log management, monitoring and reporting, do not leave these questions unanswered!
As an Enterprise line of business application owner you need to make sure that your team has a clear understanding of:
- Overall Cloud strategy of your organization
- Cloud resources and capabilities needed for your applications
- Impacts of the current Enterprise Cloud Landing Zone design, security policies, automation maturity and onboarding procedures on anticipated migration timelines
- Needs to bring additional skillsets into your team through training or contracting with AWS Consulting Partners like Deloitte.
The views and opinions expressed by authors and contributors are solely their own and do not reflect opinions of Deloitte.
Happy Cloud Sailing!