Landing Zone Management
The Landing Zone Management service includes up to two (2) Landing Zone upgrades per annum, to provide effective security and compliance. We apply Landing Zone Management and upgrades to all SoftwareOne provisioned Landing Zones.
You can request configuration changes to the Landing Zone Management directly using the Core change catalog. If the change is not listed in the Core change catalog, you can request it using Operations on Demand.
The Landing Zone Management service module helps you create your presence in AWS in a secure environment based on AWS best practices. With the large number of design choices, setting up a well-architected environment can take a significant amount of time, involve the configuration of multiple accounts and services, and require a deep understanding of AWS services.
This service can help save time by automating the set-up of an environment for running secure and scalable workloads, tailored to your organisation and industry requirements.
We cover:
Account Setup and Management | Setup of organisational structure, with a single master account and multi-account setup for networking, logging, shared services, to support the principle of least privilege. |
Identity & Access Management | Creation of cross account roles, admin, security, finance, networking, and read-only. Integration with SSO and identity provider. |
Security & Governance | Enabling and configuration of logging aggregation across all accounts. Identity and Access Management password policies aligned with CIS. Encryption at rest and in transit enabled by default. GuardDuty and Security Hub enabled across all accounts. |
Networking | Creation of VPCs and subnet zones per account, creation of Transit Gateway in networking account and DNS resolver setup for Shared Services Account. |
Account Vending | On-demand account creation unified with the organisational, multi-account setup with provisioned security baseline, logging, networking and IAM conforming to Landing Zone rules. |
Architecture
Built using the class-leading Infrastructure as Code (IaC) platform Terraform, SoftwareOne’s Landing Zone gets you up and running from a zero footprint to be ready for your first AWS workload deployment in a matter of weeks. Our Landing Zone is structured around AWS Organisational Units, which are then further segregated into a number of separate accounts. An account AVM allows you to set up account blueprints to create your workload accounts. The accounts shown here are an example of the account structure you might create; the account structure you can create is totally flexible.
By laying the foundations for strong identity management and implementing according to the principle of least privilege we enforce separation of duties with appropriate authorisation for each interaction with your AWS resources.


Landing Zone deployment pipeline architecture
SoftwareOne maintains the LZ baseline code in Bitbucket. When we deliver an LZ implementation we take a copy of the released software version for you and make any necessary changes to the code, giving you a specific baseline for your Landing Zone. The changes are propagated through into your master account, through a SoftwareOne production account.
There is also a CI/CD pipeline for workloads supplied with the Landing Zone rather than a pipeline for the Landing Zone deployment itself.
