AWS Control Tower for Enterprise Governance, Provisioning & Management of multiple AWS accounts

• Lack of visibility for central governance, management & monitoring
• No self-services capabilities
• Limited scalability based on current hardware infrastructure
• Decentralized Governance and Compliance with State polices and Federal requirements (IRS 1075, HIPAA, PCI..)
• Tracking renewal costs of hardware and software
• Inability to chargeback costs to Agencies for Shared Services

Partner Solution

Working with the client, A&T’s staff implemented AWS Control Tower with multi-account environments and Landing Zone features based on Well-Architected Framework (WAF) best practices, State policies and compliance requirements. This approach enables:

• Ability to orchestrate multiple AWS accounts and multiple organization units (OU)
• AWS Organizations and Security OUs for each Agency
• Three AWS Account(s) for each Agency (Development, Staging, and Production environments)
• Each account is governed as separate OUs
• Each account is billed as separate accounts for cost allocation & chargebacks
• Centrally manage Service Control Policies (SCPs) and Key Management Services (KMS)
• Managed Federated access using Single Sign-On (SSO) with client’s Active Directory (AD)
• User groups with specific policies based on role-based access using AWS IAM & Identities
• Automated ongoing policy management
• Using clients naming conventions
• AWS Config rules for permitting detective guardrails
• Central account logging and auditing using AWS CloudTrail and Amazon CloudWatch
• Dashboard of AWS accounts health status in conjunction with notifications

For secure Site-to-Site connectivity, A&T staff deployed AWS Transit Gateway to achieve:

• Secure VPN connectivity from on-premises network to AWS account(s)
• Central Transit-Account from a redundant VPN tunnel with States Trusted Internet Connection (TIC)
• Manage security for all VPN tunnel traffic using AWS Guard Duty, AWS Firewall and Security Groups

Results and Benefits

The State Agency client has a single point of view for provisioning, managing, monitoring in secure AWS environments to extend to their customers for governance, accounting and chargeback. AWS Control Tower provides automated security compliance and enforcement of best practices and policies from the start of the migration process.

Additional benefits includes:

• Standardized provisioning of new accounts conforming to established governance security policies
• Self-service resource provisioning using database automated Account Factory
• New database accounts provisioned will have appropriate security ports disabled
• Automated changes to access controls for new/departing users
• Secure environments that meet compliance of State polices and Federal requirements
• Secure data in-transit from on-premises to AWS accounts
• Framework in place for future transition to AWS Direct Connect

About the Partner

A&T Systems is an AWS Advanced Consulting Partner and an Authorized Government Reseller Partner. A&T is an authorized AWS Public Sector partner, Govt Services partner, Public Sector Solutions Provider and Partner Transformation Program (PTP) graduate.

A&T Systems has been a trusted advisor to the Government for almost four (4) decades, holds several ISO certifications and has been an AWS Advanced Consulting Partner for over nine years. Clients find that A&T is Flexible, Responsive, Innovative, Stable, and Cost-efficient (FRISC).