A&T Systems Inc.

AWS Control Tower for Enterprise Governance, Provisioning & Management of multiple AWS accounts

Deploying AWS Control Tower for Enterprise Governance, Provisioning & Management of multiple AWS accounts

About the Customer

A U.S. State Information Technology Agency that provides Enterprise Portfolios and Programs that include a range of centralized Shared Cloud, Infrastructure, Network and Security Services to other State agencies.

Customer Challenges:

The State Agency’s challenges in managing legacy systems range from cost, security, compliance and end-of-life to monitoring and maintenance, all while supporting agency operations. The following challenges were shared as driving factors for migrating to the Cloud:

  • Lack of visibility for central governance, management & monitoring
  • No self-service capabilities
  • Limited scalability based on current hardware infrastructure
  • Decentralized governance and compliance with State policies and Federal requirements (IRS 1075, HIPAA, PCI, etc.)
  • Tracking renewal costs of hardware and software
  • Inability to chargeback costs to Agencies for Shared Services

Partner Solution

Working with the client, A&T’s staff implemented AWS Control Tower with multi-account environments and Landing Zone features based on Well-Architected Framework (WAF) best practices, State policies and compliance requirements. This approach enables:

  • Ability to orchestrate multiple AWS accounts and multiple organization units (OU)
  • AWS Organizations and Security OUs for each Agency
  • Three AWS Account(s) for each Agency (Development, Staging, and Production environments)
  • Each account is governed in its own OU
  • Each account is billed separately for cost allocation & chargebacks
  • Centrally managed Service Control Policies (SCPs) and AWS Key Management Service (KMS)
  • Managed Federated access using Single Sign-On (SSO) with client’s Active Directory (AD)
  • User groups with specific policies based on role-based access using AWS IAM & Identities
  • Automated ongoing policy management
  • Use of the client’s naming conventions
  • AWS Config rules implementing detective guardrails
  • Central account logging and auditing using AWS CloudTrail and Amazon CloudWatch
  • Dashboard of AWS accounts health status in conjunction with notifications

For secure Site-to-Site connectivity, A&T staff deployed AWS Transit Gateway to achieve:

  • Secure VPN connectivity from on-premises network to AWS account(s)
  • Central transit account with redundant VPN tunnels to the State’s Trusted Internet Connection (TIC)
  • Security for all VPN tunnel traffic managed using Amazon GuardDuty, AWS Firewall and Security Groups

Amazon Web Services (AWS) Applications

  • AWS Control Tower
  • AWS Organizations
  • AWS Transit Gateway
  • AWS Config
  • Amazon S3
  • AWS Identities
  • Amazon CloudWatch
  • AWS CloudTrail

Results and Benefits

The State Agency client now has a single point of view for provisioning, managing and monitoring secure AWS environments, which it extends to its customer agencies for governance, accounting and chargeback. AWS Control Tower provides automated security compliance and enforcement of best practices and policies from the start of the migration process.

Additional benefits include:

  • Standardized provisioning of new accounts conforming to established governance and security policies
  • Self-service resource provisioning using the database automated Account Factory
  • Newly provisioned database accounts have the appropriate security ports disabled
  • Automated changes to access controls for new and departing users
  • Secure environments that meet compliance with State policies and Federal requirements
  • Secure data in-transit from on-premises to AWS accounts
  • Framework in place for future transition to AWS Direct Connect

About the Partner

A&T Systems is an AWS Advanced Consulting Partner and an Authorized Government Reseller Partner. A&T is an authorized AWS Public Sector partner, Govt Services partner, Public Sector Solutions Provider and Partner Transformation Program (PTP) graduate.

A&T Systems has been a trusted advisor to the Government for almost four (4) decades, holds several ISO certifications and has been an AWS Advanced Consulting Partner for over nine years. Clients find that A&T is Flexible, Responsive, Innovative, Stable, and Cost-efficient (FRISC).