Well-managed Cloud starts with cloud accounts that conform to your company’s security, compliance and cost standards and are continuously governed. Well-managed accounts are a shared responsibility between you, your cloud provider and your users. Creating cloud accounts that meet your company’s standards and continuously enforcing those standards is hard. In this blog, Ganapathy Pullera writes about how you can automate the steps and enable your users and developers to provision AWS Accounts on-demand with the Desired Account State Blueprint. This blueprint is built to AWS Well-Architected standards and is available through DAY2™ Well Managed Cloud.
– Sabrinath S. Rao
Provisioning secure cloud accounts requires deep cloud expertise
Recently, I worked with Jain Group of Institutions (JGI), a premier university based out of Bangalore, India, to onboard their exam application onto AWS. JGI, like any other customer, started off by creating AWS accounts. AWS accounts can be a useful boundary for isolating application resources. However, as we found out, to provision secure and compliant accounts, CloudOps administrators implement several steps, including:
- Configure the right AWS Identity & Access Management (IAM) policies and IAM Groups.
- Enable AWS CloudTrail in all the regions and store the logs in a secure Amazon S3 bucket.
- Enable AWS Config to detect any drift from the defined rules.
- Set up appropriate alerts to notify of unauthorized access and security events.
- Enable budget notification to ensure that you get notified when you reach a limit.
- Set up tagging policies.
As you can see, implementing the above steps across multiple AWS services requires deep AWS expertise and scripting skills, and can sometimes take days to months.
Well-managed cloud accounts are fundamental to organizations surviving and thriving in the cloud. Delivering well-managed accounts is a shared responsibility of customers and cloud providers. There are lots of moving parts that customers constantly need to stay on top of to just keep up.
Managing cloud accounts is hard and time-consuming. Simple misconfigurations can easily lead to crucial security breaches, compliance violations and cost overruns. Customers spend a lot of time and money to achieve this, and still can feel they are constantly running on a treadmill, as new cloud accounts are added to their organization's cloud footprint.
MontyCloud’s DAY2™ Well-Managed Cloud includes a Desired Account State blueprint. This blueprint is designed to help you, as an enterprise IT/cloud administrator, enable your users to provision and maintain compliant accounts on-demand through a self-service portal. In just a few clicks you can turn on compliance, security, and cost savings related rules to be deployed at the time an account is created. You can also receive actionable alerts when any of these rules are violated.
With DAY2™ Well-Managed Cloud, you can achieve continuous compliance, improve security, and lower overall cloud TCO. You can now focus on accelerating towards your digital transformation goals, and enable your business, application and CloudSecOps teams to innovate safely and efficiently.
Automation and self-service are critical differentiators
We built the DAY2™ Desired Account State Blueprint so CloudOps Admins and Central IT teams at customers such as JGI can enable their application teams to deploy and harden any AWS account with a security and operational baseline, on-demand through a self-service portal. This blueprint enables customers to set up security practices in conformance with principles recommended by AWS Well-Architected practices and Cloud Security Alliance guidelines, govern the account from the start with AWS Config Rules, monitor with AWS CloudTrail, and set up cost guardrails and billing alerts. With the DAY2™ Desired Account State Blueprint, JGI was able to provision their cloud account with the appropriate cost, governance, and security guardrails in about 15 minutes.
With DAY2™, customers can achieve their well-managed cloud goals in just a few clicks, and in under 15 minutes
DAY2™ Desired Account State Blueprint in action
With the DAY2™ Desired Account State Blueprint you can:
- Govern accounts through centralized architectural policies for governance, security and compliance. You can automatically enable CloudTrail and AWS Config Rules to assess, audit, and evaluate the configurations of AWS resources and workloads. For example, you can automatically set up a password policy for IAM users, set up rules to ensure S3 buckets are not public and are encrypted, check whether MFA is enabled for the root user, check that Security Groups are not open to the world, and automatically perform many other security and compliance checks.
- Set up security notifications through AWS CloudWatch Alarms. You can send alert notifications to application and security admins in case of any unintended configuration changes, unauthorized API calls, security breaches or even send a notification every time a root user logs in. You can also make the alerts specific to events impacting specific resources such as VPC and Security Groups.
- Control costs by enabling billing alerts to report and take remediation actions through AWS Budgets and Billing Alarms to monitor and report in case of.
- Continuously monitor and detect threats through AWS GuardDuty. You can continuously monitor for malicious activity and prevent unauthorized behaviours.
- Establish and enforce use rights and entitlements by automatically setting up IAM security policies and user groups for different levels of access.
- Set up a secure virtual private cloud for environment isolation and establish connectivity between an on-premises data centre and AWS.
- Achieve your compliance goals with full fidelity audit trails and logs.
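The alert conditions named in the list above (root user logins, unauthorized API calls, Security Group and VPC changes) can be written out as detection logic over CloudTrail records. This is an added example, not MontyCloud's blueprint code; the sample records are constructed, and the function names and alert labels are assumptions.

```python
# Added example: triage CloudTrail records into the alert types the list names.
# Alert labels and function names are illustrative assumptions.

NETWORK_CHANGES = {
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
}

# Constructed sample records (trimmed to the fields the rules read).
SAMPLE_EVENTS = [
    {"eventID": "ex-1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}},
    {"eventID": "ex-2", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser"}, "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "ex-3", "eventName": "AuthorizeSecurityGroupIngress", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser"}},
    {"eventID": "ex-4", "eventName": "ListBuckets", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser"}},
    {"eventID": "ex-5", "eventName": "DeleteSecurityGroup", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser"}, "errorCode": "AccessDenied"},
]

def classify(event):
    """Return the alert labels one CloudTrail record triggers."""
    alerts = []
    identity = event.get("userIdentity", {})
    error = event.get("errorCode", "")
    # Root acting directly, not an AWS service acting on the account's behalf.
    if (identity.get("type") == "Root" and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent"):
        is_login = event.get("eventName") == "ConsoleLogin"
        alerts.append("root-login" if is_login else "root-activity")
    if error.endswith("UnauthorizedOperation") or error.startswith("AccessDenied"):
        alerts.append("unauthorized-api-call")
    # A denied change did not alter the network, so it only counts above.
    if event.get("eventName") in NETWORK_CHANGES and not error:
        alerts.append("network-config-change")
    return alerts

def triage(events):
    """Map eventID -> alerts, omitting records that trigger nothing."""
    results = {e["eventID"]: classify(e) for e in events}
    return {eid: alerts for eid, alerts in results.items() if alerts}

if __name__ == "__main__":
    for event_id, alerts in triage(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(alerts))
```
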
The DAY2™ Desired Account State blueprint helps you drive speedy and cost-effective cloud transformation as well as achieve your compliance and audit goals.
Give it a try and accelerate your Cloud adoption
The DAY2™ Desired Account State Blueprint is available through the DAY2™ Well-Managed Cloud blueprints library. Get started today with a free trial at https://app.montycloud.com.