1
00:00:00,450 --> 00:00:03,250
Okay, so, let's talk about Control Tower.

2
00:00:03,250 --> 00:00:06,460
And Control Tower is a way to set up a multi-account

3
00:00:06,460 --> 00:00:09,050
AWS environment with the best practices.

4
00:00:09,050 --> 00:00:10,910
And so as such it's going to be automated setup,

5
00:00:10,910 --> 00:00:12,140
we're gonna have policy management,

6
00:00:12,140 --> 00:00:13,900
and a dashboard for visibility.

7
00:00:13,900 --> 00:00:15,250
You don't pay for Control Tower,

8
00:00:15,250 --> 00:00:17,680
but you're going to pay obviously for all the accounts

9
00:00:17,680 --> 00:00:20,590
and services that are enabled by Control Tower.

10
00:00:20,590 --> 00:00:22,630
So let's go ahead and set up our landing zone.

11
00:00:22,630 --> 00:00:25,080
And, a landing zone is a way to have multiple accounts.

12
00:00:25,080 --> 00:00:27,210
So, there are shared accounts

13
00:00:27,210 --> 00:00:28,690
and there are three accounts

14
00:00:28,690 --> 00:00:30,780
according to Control Tower best practices.

15
00:00:30,780 --> 00:00:32,330
We're going to have a master account,

16
00:00:32,330 --> 00:00:35,290
to use your account email right now that you have

17
00:00:35,290 --> 00:00:36,123
and create the landing zone.

18
00:00:36,123 --> 00:00:38,360
And by the way, you don't have to follow along this hands-on

19
00:00:38,360 --> 00:00:39,570
because it's going to show you a lot of things

20
00:00:39,570 --> 00:00:40,550
that you probably don't need,

21
00:00:40,550 --> 00:00:43,150
but I will do it just to demo it to you.

22
00:00:43,150 --> 00:00:45,140
Then we have a log archive account.

23
00:00:45,140 --> 00:00:48,050
So this is an account dedicated to receiving logs,

24
00:00:48,050 --> 00:00:49,810
and it is best security practice

25
00:00:49,810 --> 00:00:51,660
to separate your master account

26
00:00:51,660 --> 00:00:54,593
and your log archive account, so I can have.

27
00:01:00,180 --> 00:01:02,250
And then an audit account so as...

28
00:01:07,940 --> 00:01:12,070
So I'm just creating different accounts for Control Tower.

29
00:01:12,070 --> 00:01:14,220
And then for service permissions

30
00:01:14,220 --> 00:01:16,330
we can learn more about permissions right here,

31
00:01:16,330 --> 00:01:17,750
and you can learn more about guidance.

32
00:01:17,750 --> 00:01:20,200
And guidance is how you should manage your accounts

33
00:01:20,200 --> 00:01:21,690
once you've enabled Control Tower.

34
00:01:21,690 --> 00:01:23,370
So, I'm not going to read it out to you,

35
00:01:23,370 --> 00:01:27,520
but if you do intend to use Control Tower in your enterprise

36
00:01:27,520 --> 00:01:29,670
please read this guidance because it does provide

37
00:01:29,670 --> 00:01:32,380
very strong guidance around what you can and cannot do,

38
00:01:32,380 --> 00:01:34,420
and what you should and shouldn't do.

39
00:01:34,420 --> 00:01:36,580
And then when you're happy, you say, "Yes, I'm happy,"

40
00:01:36,580 --> 00:01:38,910
and I set up my landing zone.

41
00:01:38,910 --> 00:01:40,800
And this is going to go ahead and set up

42
00:01:40,800 --> 00:01:43,870
all these different accounts on top of your organization,

43
00:01:43,870 --> 00:01:46,723
to get you started with Control Tower.

44
00:01:47,920 --> 00:01:49,330
So as you can see the setup

45
00:01:49,330 --> 00:01:50,820
is going to take about 60 minutes,

46
00:01:50,820 --> 00:01:52,180
and it's going to take a long time,

47
00:01:52,180 --> 00:01:53,840
it's going to set up two OUs,

48
00:01:53,840 --> 00:01:56,140
three shared accounts, a native cloud directory

49
00:01:56,140 --> 00:01:58,230
with pre-configured groups and single sign-on access,

50
00:01:58,230 --> 00:02:00,730
and 20 preventive guardrails to enforce policies

51
00:02:00,730 --> 00:02:01,920
and two detective guardrails

52
00:02:01,920 --> 00:02:03,720
to detect configuration violations.

53
00:02:03,720 --> 00:02:05,060
So, a lot of things are being set up,

54
00:02:05,060 --> 00:02:08,290
I'm just going to wait a little bit until this is done.

55
00:02:08,290 --> 00:02:10,810
Okay, so my landing zone is now available,

56
00:02:10,810 --> 00:02:13,750
and it has set up two things, two organizational units,

57
00:02:13,750 --> 00:02:16,810
three shared accounts with a master account

58
00:02:16,810 --> 00:02:19,400
and isolated accounts for log archive and security audits,

59
00:02:19,400 --> 00:02:22,150
there's a native cloud directory with single sign-on access,

60
00:02:22,150 --> 00:02:23,360
and I'll show you this in a second,

61
00:02:23,360 --> 00:02:26,060
and then 20 preventive guardrails to enforce policies

62
00:02:26,060 --> 00:02:27,360
and two detective guardrails

63
00:02:27,360 --> 00:02:29,370
to detect configuration violations.

64
00:02:29,370 --> 00:02:33,090
So, a lot of things were created using Control Tower,

65
00:02:33,090 --> 00:02:35,610
and if I go to Organizations right now,

66
00:02:35,610 --> 00:02:38,230
I can show you right away what was created.

67
00:02:38,230 --> 00:02:39,320
So as we can see here

68
00:02:39,320 --> 00:02:42,110
we have the three accounts already in my organization,

69
00:02:42,110 --> 00:02:43,810
and if I look through Organize accounts,

70
00:02:43,810 --> 00:02:46,620
we see there are custom and core organizational units,

71
00:02:46,620 --> 00:02:49,500
so in core we have the audit and archive,

72
00:02:49,500 --> 00:02:52,220
and in the custom we currently have no accounts, okay.

73
00:02:52,220 --> 00:02:54,060
So, we shouldn't manage the account

74
00:02:54,060 --> 00:02:54,980
through Organizations though,

75
00:02:54,980 --> 00:02:57,160
we should every time manage the account

76
00:02:57,160 --> 00:02:58,490
through Control Tower.

77
00:02:58,490 --> 00:03:00,440
And so here are some recommended actions.

78
00:03:00,440 --> 00:03:02,540
So, add or register OUs,

79
00:03:02,540 --> 00:03:04,940
configure your account factory, more guardrails,

80
00:03:04,940 --> 00:03:06,550
and review users and access,

81
00:03:06,550 --> 00:03:07,750
and then review shared accounts.

82
00:03:07,750 --> 00:03:10,400
So, a lot of things are happening here in this dashboard,

83
00:03:10,400 --> 00:03:12,440
we also get access to noncompliant resources

84
00:03:12,440 --> 00:03:14,760
based on the rules that we have defined,

85
00:03:14,760 --> 00:03:18,342
we get some information around the registered OUs

86
00:03:18,342 --> 00:03:19,175
that have been created

87
00:03:19,175 --> 00:03:21,550
and whether or not they're compliant so that's perfect,

88
00:03:21,550 --> 00:03:24,970
as well as all the enrolled accounts into my account,

89
00:03:24,970 --> 00:03:25,920
and for the guardrails

90
00:03:25,920 --> 00:03:28,350
we can view all the guardrails right here

91
00:03:28,350 --> 00:03:29,183
if there's only a few guardrails.

92
00:03:29,183 --> 00:03:32,613
And so here we get the information around all the rules

93
00:03:32,613 --> 00:03:36,720
that are enforced on OUs for example.

94
00:03:36,720 --> 00:03:39,450
Disallow the deletion of log archive,

95
00:03:39,450 --> 00:03:41,140
obviously that makes a lot of sense,

96
00:03:41,140 --> 00:03:44,240
disallow public read access to log archive and so on,

97
00:03:44,240 --> 00:03:46,100
disallow configuration changes to CloudTrail,

98
00:03:46,100 --> 00:03:47,960
all these kinds of things are excellent to have

99
00:03:47,960 --> 00:03:50,140
and are set up by Control Tower

100
00:03:50,140 --> 00:03:52,680
according to best practices, okay.

101
00:03:52,680 --> 00:03:55,020
You could always create accounts right here,

102
00:03:55,020 --> 00:03:56,980
so you can view all the accounts here,

103
00:03:56,980 --> 00:03:59,720
and then in the OU you can finish on your OU

104
00:03:59,720 --> 00:04:01,800
and add an OU if you wanted to.

105
00:04:01,800 --> 00:04:03,780
And, here are the guardrails.

106
00:04:03,780 --> 00:04:06,780
The account factory is how you enroll an account

107
00:04:06,780 --> 00:04:09,950
into your Control Tower which is great.

108
00:04:09,950 --> 00:04:13,210
Users and access, so this is how you manage the user access

109
00:04:13,210 --> 00:04:16,060
to your whole account sets.

110
00:04:16,060 --> 00:04:17,890
So we have single sign-on right here,

111
00:04:17,890 --> 00:04:20,530
and there is a user portal URL right here.

112
00:04:20,530 --> 00:04:23,190
And the way to handle user identity management right now

113
00:04:23,190 --> 00:04:25,120
is with single sign-on.

114
00:04:25,120 --> 00:04:26,730
It is a service by AWS.

115
00:04:26,730 --> 00:04:28,150
Shared accounts are here,

116
00:04:28,150 --> 00:04:29,480
landing zone settings and so on and so forth,

117
00:04:29,480 --> 00:04:31,730
as you can see this is a full management suite

118
00:04:31,730 --> 00:04:33,010
for multiple accounts.

119
00:04:33,010 --> 00:04:36,830
And so if we go into the SSO portal,

120
00:04:36,830 --> 00:04:38,800
as you can see here there's a second button,

121
00:04:38,800 --> 00:04:40,630
and then there's a password that I have to share,

122
00:04:40,630 --> 00:04:42,560
so I'll just use the password that I have right here

123
00:04:42,560 --> 00:04:44,290
that I've created from before,

124
00:04:44,290 --> 00:04:48,440
and I sign in, and now I am into my SSO,

125
00:04:48,440 --> 00:04:51,820
and I'm able to log in to any of my three AWS accounts.

126
00:04:51,820 --> 00:04:54,030
So we have the audit account, the log archive account,

127
00:04:54,030 --> 00:04:55,570
and this defense CCP account

128
00:04:55,570 --> 00:04:57,900
directly accessible from this UI.

129
00:04:57,900 --> 00:04:59,650
So for example, if I want to go into the audit

130
00:04:59,650 --> 00:05:02,250
I can click here to go into the management console

131
00:05:02,250 --> 00:05:03,700
of this audit account,

132
00:05:03,700 --> 00:05:06,890
or click here to get command line or programmatic access.

133
00:05:06,890 --> 00:05:09,410
So it is really, really neat, and here we go,

134
00:05:09,410 --> 00:05:11,380
I am into my audit account right now.

135
00:05:11,380 --> 00:05:13,610
So, it really shows you the power of Control Tower,

136
00:05:13,610 --> 00:05:16,120
no, it's not something that you would do on your own

137
00:05:16,120 --> 00:05:20,330
obviously, and now that I've moved away from my accounts

138
00:05:20,330 --> 00:05:21,790
and then to (speaks faintly) my screen but...

139
00:05:21,790 --> 00:05:24,400
This is to show you that yeah, it's quite handy,

140
00:05:24,400 --> 00:05:26,690
I would say so I'm just going to log in

141
00:05:26,690 --> 00:05:27,900
back into my CCP account.

142
00:05:27,900 --> 00:05:31,020
It's quite handy to use Control Tower in your account

143
00:05:31,020 --> 00:05:33,110
to set up multiple accounts that are best practices

144
00:05:33,110 --> 00:05:34,110
and manage it from there.

145
00:05:34,110 --> 00:05:35,970
So, if you are an organization

146
00:05:35,970 --> 00:05:39,080
that wants to have a multiple best practice AWS setup,

147
00:05:39,080 --> 00:05:40,870
then please use Control Tower.

148
00:05:40,870 --> 00:05:42,480
Okay, that's it, I hope you like this lecture,

149
00:05:42,480 --> 00:05:44,430
and I will see you in the next lecture.