DEV Community: Blaise Shu The latest articles on DEV Community by Blaise Shu (@snblaise). https://dev.to/snblaise https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1330438%2F4b65cc88-0f1f-4fba-acbb-e93353afc07a.jpg DEV Community: Blaise Shu https://dev.to/snblaise en Automate AWS Landing Zone Deployment Blaise Shu Mon, 06 Jan 2025 12:08:50 +0000 https://dev.to/snblaise/automate-aws-landing-zone-deployment-2flj https://dev.to/snblaise/automate-aws-landing-zone-deployment-2flj <h3> Discover the benefits of using Infrastructure as Code (IaC) and AWS CloudFormation to automate and simplify the deployment of your AWS Landing Zone. Ensure a secure, scalable, and well-governed environment with consistent and repeatable setups. </h3> <h3> Introduction </h3> <p>Establishing a secure, scalable, and well-governed environment is crucial for organizations in today's cloud-centric world. This is where a landing zone comes into play. A landing zone is a pre-configured, secure, multi-account AWS environment that adheres to best practices. It provides a foundation for your AWS infrastructure, ensuring compliance, security, and efficient management.</p> <p>For more information on landing zones, you can refer to the <a href="https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-aws-environment/understanding-landing-zones.html" rel="noopener noreferrer">AWS Prescriptive Guidance</a>.</p> <h3> Why the Landing Zone </h3> <p>A landing zone is essential for several reasons:</p> <ul> <li> <strong>Security and Compliance</strong>: It ensures that your AWS environment adheres to security and compliance standards.</li> <li> <strong>Scalability</strong>: It provides a scalable foundation for your AWS resources.</li> <li> <strong>Governance</strong>: It helps in managing and governing multiple AWS accounts efficiently.</li> <li> <strong>Cost Management</strong>: It aids in tracking and managing costs across different accounts.</li> </ul> <h3> How a Landing Zone is Created </h3> <p>Creating a landing zone involves several steps and best practices to ensure a secure and scalable environment. Here's a high-level overview of the process:</p> <ol> <li><p><strong>Use AWS Organizations</strong>: Leverage <a href="https://aws.amazon.com/organizations/" rel="noopener noreferrer">AWS Organizations</a> to create and manage multiple AWS accounts. This helps in isolating workloads and managing permissions effectively.</p></li> <li><p><strong>Implement Security Controls</strong>: Use <a href="https://aws.amazon.com/controltower/" rel="noopener noreferrer">AWS Control Tower</a> to enforce security policies and guardrails. AWS Control Tower automates the setup of a secure, well-architected multi-account AWS environment based on AWS best practices.</p></li> <li><p><strong>Centralize Logging and Monitoring</strong>: Set up centralized logging and monitoring using <a href="https://aws.amazon.com/cloudtrail/" rel="noopener noreferrer">AWS CloudTrail</a> and <a href="https://aws.amazon.com/cloudwatch/" rel="noopener noreferrer">Amazon CloudWatch</a>. AWS CloudTrail records AWS API calls for your account and delivers log files to you, while Amazon CloudWatch monitors your AWS resources and applications in real-time. This ensures that all activities are logged and monitored for security and compliance purposes.</p></li> <li><p><strong>Automate with Infrastructure as Code</strong>: Use <a href="https://aws.amazon.com/cloudformation/" rel="noopener noreferrer">AWS CloudFormation</a> to automate the provisioning of your landing zone. AWS CloudFormation allows you to model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications. CloudFormation templates allow you to define your infrastructure as code, making it easy to replicate and manage.</p></li> <li><p><strong>Regular Audits and Compliance Checks</strong>: Conduct regular audits and compliance checks using <a href="https://aws.amazon.com/config/" rel="noopener noreferrer">AWS Config</a> and <a href="https://aws.amazon.com/security-hub/" rel="noopener noreferrer">AWS Security Hub</a>. AWS Config provides a detailed view of the configuration of AWS resources in your account, while AWS Security Hub aggregates, organizes, and prioritizes security alerts and findings from multiple AWS services. These services help you maintain compliance with industry standards and best practices.</p></li> </ol> <p>For detailed guidance on building a landing zone, check out the <a href="https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-aws-environment/building-landing-zones.html" rel="noopener noreferrer">AWS Prescriptive Guidance on Building a Landing Zone</a>.</p> <h3> AWS Landing Zone Organizational Structure </h3> <p>Here's a sample structured organization for our AWS landing zone:</p> <ol> <li> <p><strong>Security Organizational Unit (OU)</strong></p> <ul> <li> <strong>Centralized Logging</strong>: This unit is responsible for aggregating and storing logs from various AWS accounts and services. It ensures that all activities are logged for security and compliance purposes.</li> <li> <strong>Security Roles</strong>: This unit manages roles and permissions related to security, ensuring that security policies and guardrails are enforced across the organization.</li> </ul> </li> <li> <p><strong>Sandbox OU</strong></p> <ul> <li> <strong>For Experimentation and Testing</strong>: This unit provides a safe environment for developers and teams to experiment with new services, features, and configurations without affecting production environments. It allows for innovation and testing of new ideas.</li> </ul> </li> <li> <p><strong>Development OU</strong></p> <ul> <li> <strong>For Development Environments</strong>: This unit hosts development environments where application development takes place. It provides isolated environments for developers to build and test their applications before moving to higher environments.</li> </ul> </li> <li> <p><strong>UAT (User Acceptance Testing) OU</strong></p> <ul> <li> <strong>For Testing Environments</strong>: This unit is dedicated to user acceptance testing. It allows stakeholders and end-users to test and validate the applications in an environment that closely resembles production, ensuring that the applications meet the required standards and specifications.</li> </ul> </li> <li> <p><strong>Production OU</strong></p> <ul> <li> <strong>For Production Environments</strong>: This unit hosts the production environments where live applications and services run. It ensures high availability, reliability, and performance for end-users. Strict security and compliance measures are enforced in this unit.</li> </ul> </li> <li> <p><strong>Shared Resources OU</strong></p> <ul> <li> <strong>For Shared Services and Resources</strong>: This unit manages shared services and resources that are used across multiple accounts and environments. It includes services like networking, directory services, and other common infrastructure components that need to be centrally managed.</li> </ul> </li> </ol> <p>This structured organization helps in maintaining a clear separation of responsibilities, enhances security, and ensures efficient management of AWS resources across different stages of the application lifecycle.</p> <h3> Creating a Landing Zone Using AWS CloudFormation </h3> <p>AWS CloudFormation is a service that allows you to define and provision AWS infrastructure as code. By using CloudFormation templates, you can automate the creation of your landing zone.</p> <h4> Step 1: Define the CloudFormation Template </h4> <p>First, you need to define a CloudFormation template that specifies the resources and configurations for your landing zone. In the following section, we will break down our template written in YAML language to understand the various sections in detail.</p> <h4> CloudFormation Template Breakdown </h4> <p>A CloudFormation template is a JSON or YAML formatted text file that describes the AWS infrastructure needed to deploy your landing zone. The template consists of several key sections:</p> <ol> <li><p><strong>Parameters</strong>: This section defines the inputs required for the template. Parameters allow you to customize aspects of your template at runtime. For example, you can specify the names of organizational units, account IDs, and retention periods.</p></li> <li><p><strong>Resources</strong>: This is the most critical section of the template. It defines the AWS resources that CloudFormation will create and manage. In our case, this includes the landing zone setup, IAM roles, and role attachments.</p></li> <li><p><strong>Outputs</strong>: This optional section declares output values that you can import into other stacks or view on the CloudFormation console. Outputs can include resource IDs, IP addresses, or any other information you might need after the stack is created.</p></li> <li><p><strong>Mappings</strong>: This section allows you to create custom mappings like region-specific AMIs, which can be used to conditionally set values in your template.</p></li> <li><p><strong>Conditions</strong>: Conditions enable you to control whether certain resources are created or certain properties are assigned based on input parameter values.</p></li> <li><p><strong>Metadata</strong>: This section is used to include additional information about the template. It can be helpful for documentation purposes.</p></li> </ol> <p>Below is an example of a CloudFormation template that sets up a landing zone with various organizational units and IAM roles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">AWS Landing Zone Setup with User Roles and Attachments</span> <span class="c1"># Metadata section</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">AWS::CloudFormation::Interface</span><span class="pi">:</span> <span class="na">ParameterGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Label</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Organizational</span><span class="nv"> </span><span class="s">Units"</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">SecurityOuName</span> <span class="pi">-</span> <span class="s">SandboxOuName</span> <span class="pi">-</span> <span class="s">DevelopmentOuName</span> <span class="pi">-</span> <span class="s">UatOuName</span> <span class="pi">-</span> <span class="s">ProductionOuName</span> <span class="pi">-</span> <span class="s">SharedResourcesOuName</span> <span class="pi">-</span> <span class="na">Label</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Account</span><span class="nv"> </span><span class="s">IDs"</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CentralizedLoggingAccountId</span> <span class="pi">-</span> <span class="s">SecurityAccountId</span> <span class="pi">-</span> <span class="na">Label</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Retention</span><span class="nv"> </span><span class="s">Periods"</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">LoggingBucketRetentionPeriod</span> <span class="pi">-</span> <span class="s">AccessLoggingBucketRetentionPeriod</span> <span class="pi">-</span> <span class="na">Label</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">KMS</span><span class="nv"> </span><span class="s">Key"</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">KMSKey</span> <span class="c1"># Mappings section</span> <span class="na">Mappings</span><span class="pi">:</span> <span class="na">RegionMap</span><span class="pi">:</span> <span class="na">us-east-1</span><span class="pi">:</span> <span class="na">AMI</span><span class="pi">:</span> <span class="s">ami-0axxxxxxxxxxxx</span> <span class="na">us-west-2</span><span class="pi">:</span> <span class="na">AMI</span><span class="pi">:</span> <span class="s">ami-0axxxxxxxxxxxx</span> <span class="c1"># Conditions section</span> <span class="na">Conditions</span><span class="pi">:</span> <span class="na">IsUSEast1</span><span class="pi">:</span> <span class="kt">!Equals</span> <span class="pi">[</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">AWS::Region"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">us-east-1"</span> <span class="pi">]</span> <span class="na">IsUSWest2</span><span class="pi">:</span> <span class="kt">!Equals</span> <span class="pi">[</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">AWS::Region"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">us-west-2"</span> <span class="pi">]</span> <span class="c1"># Parameters section </span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">GovernedRegions</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">List</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">List of governed regions</span> <span class="na">SecurityOuName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The security Organizational Unit name</span> <span class="na">SandboxOuName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The sandbox Organizational Unit name</span> <span class="na">DevelopmentOuName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The development Organizational Unit name</span> <span class="na">UatOuName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The UAT Organizational Unit name</span> <span class="na">ProductionOuName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The production Organizational Unit name</span> <span class="na">SharedResourcesOuName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The shared resources Organizational Unit name</span> <span class="na">CentralizedLoggingAccountId</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The AWS account ID for centralized logging</span> <span class="na">SecurityAccountId</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The AWS account ID for security roles</span> <span class="na">LoggingBucketRetentionPeriod</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Retention period for centralized logging bucket</span> <span class="na">AccessLoggingBucketRetentionPeriod</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Retention period for access logging bucket</span> <span class="na">KMSKey</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The ARN of the KMS key for encryption</span> <span class="c1"># Resources section</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">MyLandingZone</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ControlTower::LandingZone'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1.0'</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Environment'</span> <span class="err"> </span><span class="na">Value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Production'</span> <span class="na">Manifest</span><span class="pi">:</span> <span class="na">governedRegions</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">GovernedRegions</span> <span class="na">organizationStructure</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SecurityOuName</span> <span class="na">sandbox</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SandboxOuName</span> <span class="na">development</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DevelopmentOuName</span> <span class="na">uat</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">UatOuName</span> <span class="na">production</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ProductionOuName</span> <span class="na">sharedResources</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SharedResourcesOuName</span> <span class="na">centralizedLogging</span><span class="pi">:</span> <span class="na">accountId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CentralizedLoggingAccountId</span> <span class="na">configurations</span><span class="pi">:</span> <span class="na">loggingBucket</span><span class="pi">:</span> <span class="na">retentionDays</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">LoggingBucketRetentionPeriod</span> <span class="na">accessLoggingBucket</span><span class="pi">:</span> <span class="na">retentionDays</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AccessLoggingBucketRetentionPeriod</span> <span class="na">kmsKeyArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">KMSKey</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">securityRoles</span><span class="pi">:</span> <span class="na">accountId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SecurityAccountId</span> <span class="na">accessManagement</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ManagementRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::IAM::Role'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ManagementRoleName</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">Action</span><span class="pi">:</span> <span class="s1">'</span><span class="s">sts:AssumeRole'</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">ManagementPolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ec2:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">s3:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">cloudwatch:*'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">DeveloperRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::IAM::Role'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DeveloperRoleName</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">Action</span><span class="pi">:</span> <span class="s1">'</span><span class="s">sts:AssumeRole'</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">DeveloperPolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ec2:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">s3:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">cloudwatch:*'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">SalesRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::IAM::Role'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SalesRoleName</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">Action</span><span class="pi">:</span> <span class="s1">'</span><span class="s">sts:AssumeRole'</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">SalesPolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">s3:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">cloudwatch:*'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">AttachManagementRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::IAM::RolePolicyAttachment'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ManagementRoleArn</span> <span class="na">PolicyArn</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:iam::${ManagementAccountId}:policy/ManagementPolicy'</span> <span class="na">AttachDeveloperRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::IAM::RolePolicyAttachment'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DeveloperRoleArn</span> <span class="na">PolicyArn</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:iam::${DeveloperAccountId}:policy/DeveloperPolicy'</span> <span class="na">AttachSalesRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::IAM::RolePolicyAttachment'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SalesRoleArn</span> <span class="na">PolicyArn</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:iam::${SalesAccountId}:policy/SalesPolicy'</span> <span class="c1"># Outputs section</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">LandingZoneId</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">The</span><span class="nv"> </span><span class="s">ID</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">created</span><span class="nv"> </span><span class="s">landing</span><span class="nv"> </span><span class="s">zone"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyLandingZone</span> <span class="na">ManagementRoleArn</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">The</span><span class="nv"> </span><span class="s">ARN</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">Management</span><span class="nv"> </span><span class="s">IAM</span><span class="nv"> </span><span class="s">Role"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ManagementRole.Arn</span> <span class="na">DeveloperRoleArn</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">The</span><span class="nv"> </span><span class="s">ARN</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">Developer</span><span class="nv"> </span><span class="s">IAM</span><span class="nv"> </span><span class="s">Role"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">DeveloperRole.Arn</span> <span class="na">SalesRoleArn</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">The</span><span class="nv"> </span><span class="s">ARN</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">Sales</span><span class="nv"> </span><span class="s">IAM</span><span class="nv"> </span><span class="s">Role"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">SalesRole.Arn</span> <span class="na">CentralizedLoggingBucket</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">The</span><span class="nv"> </span><span class="s">name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">centralized</span><span class="nv"> </span><span class="s">logging</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">bucket"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CentralizedLoggingBucket</span> <span class="na">AccessLoggingBucket</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">The</span><span class="nv"> </span><span class="s">name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">access</span><span class="nv"> </span><span class="s">logging</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">bucket"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AccessLoggingBucket</span> </code></pre> </div> <p>This template provides a comprehensive setup for an AWS landing zone, including organizational units, centralized logging, and IAM roles. By defining your infrastructure as code, you can ensure consistency and repeatability across your AWS environments. </p> <h4> Additional Roles and Responsibilities Note </h4> <p>More roles and their responsibilities can be added based on the needs and responsibilities following the least privilege rules for employees of the company e.g DevSecOps roles, cloud engineer role etc. </p> <p>For more detailed information on setting up a landing zone, refer to the <a href="https://docs.aws.amazon.com/prescriptive-guidance/latest/designing-control-tower-landing-zone/setup.html" rel="noopener noreferrer">AWS Prescriptive Guidance on Setting Up a Landing Zone</a>.</p> <h4> Step 2: Deploy the AWS CloudFormation Stack Using AWS CLI </h4> <p>To deploy the CloudFormation stack using the AWS CLI, follow these steps:</p> <p><strong>Install AWS CLI</strong>: If you haven't already, install the AWS CLI by following the instructions <a href="https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html" rel="noopener noreferrer">here</a>.</p> <p><strong>Configure AWS CLI</strong>: Configure the AWS CLI with your credentials by running the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws configure </code></pre> </div> <p>You'll be prompted to enter your AWS Access Key ID, Secret Access Key, region, and output format.</p> <p><strong>Deploy the CloudFormation Stack</strong>: Use the following command to deploy the CloudFormation stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws cloudformation create-stack <span class="nt">--stack-name</span> MyLandingZoneStack <span class="nt">--template-body</span> file://C:<span class="se">\U</span>sers<span class="se">\b</span>laise<span class="se">\D</span>ocument<span class="se">\P</span>rojects<span class="se">\l</span>andingzone<span class="se">\l</span>andingzonetemplate.yaml <span class="nt">--parameters</span> file://C:<span class="se">\U</span>sers<span class="se">\b</span>laise<span class="se">\D</span>ocument<span class="se">\P</span>rojects<span class="se">\l</span>andingzone<span class="se">\p</span>arameters.json </code></pre> </div> <h4> Step 3: Verify the Created Template and Its Resources Using AWS CLI </h4> <p>After deploying the CloudFormation stack, it's essential to verify that the template and its resources have been created correctly. Follow these steps to ensure everything is set up as expected using the AWS CLI:</p> <p><strong>Check Stack Status</strong>:<br> - Use the following command to check the status of your CloudFormation stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ```sh aws cloudformation describe-stacks --stack-name MyLandingZoneStack ``` </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- Ensure the stack status is `CREATE_COMPLETE`. If the status is `CREATE_FAILED`, review the events and logs to identify and resolve any issues. </code></pre> </div> <p><strong>List Stack Resources</strong>:<br> - Use the following command to list all resources created by the stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ```sh aws cloudformation list-stack-resources --stack-name MyLandingZoneStack ``` </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- Verify that all expected resources (e.g., organizational units, IAM roles, logging configurations) have been created. </code></pre> </div> <p><strong>Describe IAM Roles</strong>:<br> - Use the following command to describe the IAM roles created by the CloudFormation stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ```sh aws iam get-role --role-name ManagementRole aws iam get-role --role-name DeveloperRole aws iam get-role --role-name SalesRole ``` </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- Ensure that the roles have the correct policies attached and that they are assigned to the appropriate accounts. </code></pre> </div> <p><strong>Verify Logging and Monitoring</strong>:</p> <ul> <li> <p>Use the following command to check the status of CloudTrail:<br> </p> <pre class="highlight shell"><code> aws cloudtrail describe-trails </code></pre> </li> <li><p>Ensure that CloudTrail is logging events for all specified regions.</p></li> <li> <p>Use the following command to check CloudWatch metrics:<br> </p> <pre class="highlight shell"><code> aws cloudwatch list-metrics </code></pre> </li> <li><p>Verify that CloudWatch is monitoring the necessary metrics.</p></li> </ul> <p><strong>Test Access and Permissions</strong>:</p> <ul> <li> <p>Use the following command to assume the created IAM roles and test their access and permissions:<br> </p> <pre class="highlight shell"><code> aws sts assume-role <span class="nt">--role-arn</span> arn:aws:iam::xxxxxxxxx012:role/ManagementRole <span class="nt">--role-session-name</span> ManagementSession aws sts assume-role <span class="nt">--role-arn</span> arn:aws:iam::xxxxxxxxx012:role/DeveloperRole <span class="nt">--role-session-name</span> DeveloperSession aws sts assume-role <span class="nt">--role-arn</span> arn:aws:iam::xxxxxxxxx012:role/SalesRole <span class="nt">--role-session-name</span> SalesSession </code></pre> </li> <li><p>Verify that users in different departments (e.g., management, developers, sales) can assume their respective roles and perform the necessary actions.</p></li> </ul> <h3> Conclusion </h3> <p>Automating your AWS landing zone setup with CloudFormation ensures a secure, scalable, and well-governed environment. Leverage CloudFormation templates for consistency, compliance, and efficient management of AWS resources.</p> <p>For more information, refer to the <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html" rel="noopener noreferrer">AWS CLI User Guide</a>.</p> aws cloud security cloudcomputing