This guide has the following parts:
- Prerequisites - This includes gathering information, external dependencies for the initial deployment and the initial AWS Organizations management account setup.
- LZA Deployment
- TSE-SE reference architecture deployment and customization
- Post deployment steps
This reference architecture uses Landing Zone Accelerator on AWS (LZA) as its deployment engine, so this guide assumes foundational knowledge of LZA. If you are not familiar with LZA, we recommend you work through the LZA immersion day before deploying the reference architecture.
To support the LZA and reference architecture deployments, you will need to identify the following parameters and resources.
The home AWS Region is the Region in which you will most often operate.
You will need to provision the following 7 unique email addresses, one per account that the reference architecture creates. An email address can be the root user of only one AWS account, so none of them may already be in use for another account.
Account | Purpose | Example email |
---|---|---|
Management Account | This account is designated when first creating an AWS Organizations organization. It is a privileged account where all AWS Organizations global configuration management and billing consolidation occurs. The account will be used to create the other two mandatory accounts required by LZA. | [email protected] |
Security Account | This account is used to centralize all security operations and management activities. This account is typically used as a delegated administrator of centralized security services such as Amazon Macie, Amazon GuardDuty, and AWS Security Hub. NOTE: The LZA configuration files refer to this as the Audit account, but it serves the function of the Security Tooling account. | [email protected] |
Log Archive Account | This account is used for centralized logging of AWS service logs. | [email protected] |
Network Account | This account is used for centralized networking that allows network administrators to govern shared networks and internally shared network services for the organization. For example, access to on-premises services via a VPN. | [email protected] |
Operations Account | This account is used for centralized IT Operational resources (Active Directory, traditional syslog tooling, ITSM, etc.). | [email protected] |
Perimeter Account | This account is used to centralize access to external networks, e.g. third-party SaaS or internet connectivity. | [email protected] |
Sandbox/Workload Accounts | These accounts are where the workloads are deployed. At a minimum, we recommend creating a development workload account to test the reference architecture deployment. | [email protected] |
Additionally, you will need to allocate the following 5 email addresses, used for operational notifications.
Name | Purpose | Example email |
---|---|---|
High security events | Events marked as CRITICAL or HIGH will be sent to this email address. | [email protected] |
Medium security events | Events marked as MEDIUM will be sent to this email address. | [email protected] |
Low security events | Events marked as LOW will be sent to this email address. | [email protected] |
AWS budgets alerts | Any alerts related to the spending limits applied to the accounts will be sent to this email address. | [email protected] |
LZ operators | Any events related to the operation of the landing zone will be sent to this email, for example change approval for landing zone updates. | [email protected] |
You will also need to decide the following Active Directory parameters.
Name | Purpose | Example |
---|---|---|
Active Directory Domain | Root domain name for the AWS Managed Microsoft AD directory | example.com |
adconnector-user email | Domain user created so that AD Connector can be set up for centralized IAM authentication | [email protected] |
AD Admin User | AWS Managed Microsoft AD user for administrative tasks | [email protected] |
AD ReadOnly User | AWS Managed Active Directory User for read only tasks | [email protected] |
If you are using the GitHub source for the LZA code, you will need a GitHub account to generate a GitHub API key in a later step.
You will need to create a new AWS Account for the reference architecture deployment. You can follow the AWS guidance on setting up a new AWS account.
To run the installation in a new account you need to pre-warm the account so that AWS automatically raises the default quotas. To do this, launch a small EC2 instance (for example a t3.medium) and leave it running for 15 minutes. Then terminate the instance and delete its security group.
Follow the guidance on configuring account-level contacts to set the security and billing contact information. You can either reuse the email addresses you allocated above for "High security events", "LZ operators" and "AWS budgets alerts", or define additional contacts.
After the account is created, an e-mail is sent to the root user asking to verify the e-mail address. Confirm by clicking the link in the e-mail.
We recommend that you use a hardware multi-factor authentication (MFA) device for the root user. Follow the guidance on restricting the use of the root user to configure MFA on the root user.
- Configure console access for each user: you only need to follow the steps to create a local IAM user.
- Require MFA to log in: note that you only need to configure MFA for the IAM user you created when restricting root user access (in the post-deployment steps you will configure your IdP, where you can govern MFA).
If your deployment will have more than 10 AWS accounts, open the Service Quotas console for AWS Organizations and request an increase to the default maximum number of accounts (the default is 10).
In the Service Quotas console, select Service = AWS Lambda and verify that the Concurrent executions quota is 1000. If it is lower or shows 'Not available', make sure you completed the account pre-warming step above. If that does not help, use 'Request increase at account-level' to request 1000. If the increase has not been applied after 24 hours, contact the AWS Support Center.
Follow the LZA prerequisite step to update the AWS CodeBuild concurrency quota.
Follow the LZA prerequisite step to ensure your global Region (us-east-1 in the standard AWS partition) is accessible.
Follow the guidance on enabling AWS Cost Explorer.
If you are using the GitHub source for the LZA code, follow the LZA prerequisite step to store a GitHub token in AWS Secrets Manager.
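The account preparation steps above (pre-warming the account, then verifying the Lambda, Organizations and CodeBuild quotas and the GitHub token secret) can be scripted with the AWS CLI. The script below is an added example and is not part of this guide or of the LZA project. It assumes the AWS CLI is configured with credentials for the new account, that the account still has its default VPC, that the home Region is set via the `HOME_REGION` variable (the `ca-central-1` default is an assumption), and that the GitHub token secret is named `accelerator/github-token` (verify this name against the current LZA prerequisites before relying on it). The CodeBuild quota names vary by compute type, so the script lists them for review rather than asserting a value.

```shell
#!/usr/bin/env bash
# lza-prereqs.sh -- added example, not from the TSE-SE guide or the LZA project.
# Usage: ./lza-prereqs.sh prewarm   # run a t3.medium for 15 minutes, then clean up
#        ./lza-prereqs.sh check     # verify quotas and the GitHub token secret
set -eu

HOME_REGION="${HOME_REGION:-ca-central-1}"     # assumption: set this to your home Region
GITHUB_SECRET_NAME="accelerator/github-token"  # assumed name; verify against the LZA docs
PLANNED_ACCOUNTS="${PLANNED_ACCOUNTS:-10}"     # number of accounts you intend to create
PREWARM_MINUTES=15

# quota_satisfied VALUE REQUIRED -> returns 0 when VALUE (as printed by the CLI) >= REQUIRED.
# A fresh, un-warmed account may print nothing or "None" instead of a number.
quota_satisfied() {
  value="$1"; required="$2"
  case "$value" in
    ''|None|null) return 1 ;;
  esac
  value="${value%%.*}"          # Service Quotas returns floats such as 1000.0
  [ "$value" -ge "$required" ]
}

# quota_value SERVICE_CODE QUOTA_NAME REGION -> prints the applied quota value
quota_value() {
  aws service-quotas list-service-quotas --service-code "$1" --region "$3" \
    --query "Quotas[?QuotaName=='$2'].Value | [0]" --output text
}

check_quotas() {
  v=$(quota_value lambda "Concurrent executions" "$HOME_REGION")
  if quota_satisfied "$v" 1000; then echo "OK   Lambda concurrent executions = $v"
  else echo "FAIL Lambda concurrent executions = ${v:-not available} (need 1000: pre-warm, then request an increase)"; fi

  # AWS Organizations is a global service; its quotas are served from us-east-1.
  v=$(quota_value organizations "Default maximum number of accounts" us-east-1)
  if quota_satisfied "$v" "$PLANNED_ACCOUNTS"; then echo "OK   Organizations max accounts = $v"
  else echo "FAIL Organizations max accounts = ${v:-not available} (need $PLANNED_ACCOUNTS: request an increase)"; fi

  echo "INFO CodeBuild concurrency quotas in $HOME_REGION (compare with the LZA prerequisite):"
  aws service-quotas list-service-quotas --service-code codebuild --region "$HOME_REGION" \
    --query "Quotas[?contains(QuotaName,'Concurrently running builds')].[QuotaName,Value]" --output table

  if aws secretsmanager describe-secret --secret-id "$GITHUB_SECRET_NAME" \
       --region "$HOME_REGION" >/dev/null 2>&1; then echo "OK   secret $GITHUB_SECRET_NAME exists"
  else echo "WARN secret $GITHUB_SECRET_NAME not found (required only for the GitHub source)"; fi
}

prewarm() {
  ami=$(aws ssm get-parameters --region "$HOME_REGION" \
        --names /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64 \
        --query 'Parameters[0].Value' --output text)
  vpc=$(aws ec2 describe-vpcs --region "$HOME_REGION" --filters Name=is-default,Values=true \
        --query 'Vpcs[0].VpcId' --output text)
  [ "$vpc" != "None" ] || { echo "no default VPC in $HOME_REGION; create one first" >&2; exit 1; }
  # A dedicated security group so the clean-up step deletes only what this script created.
  sg=$(aws ec2 create-security-group --region "$HOME_REGION" --vpc-id "$vpc" \
        --group-name lza-prewarm --description "temporary: LZA account pre-warm" \
        --query GroupId --output text)
  id=$(aws ec2 run-instances --region "$HOME_REGION" --image-id "$ami" --instance-type t3.medium \
        --security-group-ids "$sg" --query 'Instances[0].InstanceId' --output text)
  echo "launched $id in $vpc; running for $PREWARM_MINUTES minutes"
  aws ec2 wait instance-running --region "$HOME_REGION" --instance-ids "$id"
  sleep $((PREWARM_MINUTES * 60))
  aws ec2 terminate-instances --region "$HOME_REGION" --instance-ids "$id" >/dev/null
  aws ec2 wait instance-terminated --region "$HOME_REGION" --instance-ids "$id"
  # The ENI may take a moment to detach after termination, so retry the group deletion.
  until aws ec2 delete-security-group --region "$HOME_REGION" --group-id "$sg" 2>/dev/null; do sleep 10; done
  echo "terminated $id and deleted $sg"
}

case "${1:-}" in
  prewarm) prewarm ;;
  check)   check_quotas ;;
esac
```

Run `prewarm` first, wait for the quotas to be applied, then run `check`; a `FAIL` line for Lambda after pre-warming means you need the account-level increase request described above.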
We recommend you first read the LZA guidance on troubleshooting and known issues prior to running the installation.
Before deploying the Landing Zone Accelerator on AWS, you need to choose how the resources provisioned by this solution will be managed centrally: either AWS Control Tower or AWS Organizations can provide the management capabilities.
Use the following steps to deploy the LZA solution.