Build a FedRAMP-compliant environment, enhance security protocols, improve the multi-account setup, and automate processes using a Landing Zone, AWS Control Tower, and AWS Organizations.

While cloud security is essential to any company working in the cloud, it is especially paramount for healthcare. If you are dealing with people's sensitive personal and health data, you want to ensure that your system is secure. Our client, a global virtual healthcare technology company, wanted to expand its business into the governmental sector. To do that, they needed to ensure an even higher level of cloud security protocols than before. Having previously designed and implemented greenfield concepts to enhance security, automate and standardize processes, and improve customer workloads, our SoftServe team was confident that they could handle this project.

Our experts knew that this type of setup required a Landing Zone: a well-architected AWS Organization structure that allows multiple customizable AWS accounts and organizational units. They also knew that AWS Control Tower was the best way to create this Landing Zone. To deliver on the client's goals, such an environment also required a hybrid cross-region network setup with on-premises data centers and a large set of guardrails and Service Control Policies (SCPs). Lastly, the client needed a centralized logging solution integrated with the AWS security services to best comply with the FedRAMP security program requirements.

When working with the government and providing cloud-based services, one of the best ways to meet their high standards for security is to obtain a FedRAMP Authorization. FedRAMP is a U.S. government program that "provides a standardized security framework for all cloud products and services" and is recognized by all federal agencies within the executive branch. To ensure their solutions and services met this standard, our client approached SoftServe to help build a FedRAMP-compliant cloud environment and CI/CD flow.
The client also wanted to improve overall multi-account and multi-region usability, repeatability, and consistency, as well as create centralized networking, security, and logging solutions. Once our SoftServe team understood the size and scope of this project, they divided it into three phases.

In the first phase, SoftServe built out the greenfield multi-account AWS environment. This ensured that the framework complied with the FedRAMP security standards from the very beginning. To start, our experts created a Landing Zone managed by AWS Control Tower. Using the Customizations for AWS Control Tower (CfCT) orchestrator, CloudFormation templates, and Service Control Policies, our team customized the Landing Zone baseline so that every newly enrolled AWS account receives a defined set of AWS resources and services.

Since the highest levels of security were needed to meet the FedRAMP standards, SoftServe integrated numerous components into the Landing Zone that would automatically deploy with each new AWS account. First, AWS Security Hub and Amazon GuardDuty were set up across the AWS Organization with an administrator/member relationship. The Security account acts as the delegated administrator and serves as the central place for security management. All other accounts are member accounts and therefore cannot disassociate themselves from the administrator account, ensuring the same level of security throughout.

Having routinely partnered with AWS, our experts know that AWS Organizations, a service that lets you centrally manage multiple accounts, is the foundation of a well-architected multi-account environment. The Landing Zone built by the SoftServe team required a proper AWS Organization with a nested organizational unit (OU) and account structure that included centralized logging, security, and network accounts, a management account, and more.

Next, a Logging account was provided as a central place for storing logs from the other accounts, such as AWS management and data events from AWS CloudTrail, VPC flow logs, DNS query logs, and more.
A set of SCPs that met the FedRAMP requirements was also implemented, so that the organization denies the use of unused regions and services, as well as non-compliant parameters and options, as a security measure.

As the SoftServe engineers were constructing these elements, they realized that the client needed a complex network topology as well. At the time, the client's Network account contained shared VPCs and was meant to centrally manage the network components. In order to improve security and usability, our team established network connections between AWS VPCs, branch offices, and on-premises servers using AWS Transit Gateway (TGW), VPN, VPC endpoints, edge routers, and multiple other components.

The SoftServe team also created a custom AWS Config Conformance Pack that included both FedRAMP and Control Tower rules and deployed it across the entire organization. Lastly, they integrated the AWS Single Sign-On (AWS SSO) service with the client's Okta identity provider. This synchronized with the client's Active Directory and enabled a single user management system at the organization level,
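The deny-unused-regions-and-services SCP described above, as an added example that is not part of the original case study or the client's policy set: it builds a Deny statement keyed on aws:RequestedRegion with the usual exemptions for global services and a break-glass role, adds a second statement that denies unused services outright, and evaluates constructed sample requests against the document locally. The allowed-region list, the global-service list, the unused-service list, the exempt role name and the sample account ID and role ARNs are all assumptions for illustration.

```python
"""Region/service-restriction SCP with an offline evaluator (added example)."""
import fnmatch
import json

# Assumed allowed regions; the real list follows the authorization boundary.
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]

# Global services are not region-scoped: denying them on aws:RequestedRegion
# would break IAM, STS, Organizations and friends, so they are carved out.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "access-analyzer:*", "health:*",
]

# Assumed services the organization does not use and wants blocked everywhere.
UNUSED_SERVICE_ACTIONS = ["lightsail:*", "gamelift:*"]

# Assumed automation/break-glass role that must keep working in every region.
EXEMPT_ROLE_PATTERNS = ["arn:aws:iam::*:role/AWSControlTowerExecution"]


def build_restriction_scp(allowed_regions=ALLOWED_REGIONS):
    """Return the SCP document as a dict; json.dumps() it to upload."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": allowed_regions},
                    "ArnNotLike": {"aws:PrincipalARN": EXEMPT_ROLE_PATTERNS},
                },
            },
            {
                "Sid": "DenyUnusedServices",
                "Effect": "Deny",
                "Action": UNUSED_SERVICE_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _matches_any(value, patterns):
    # IAM action and ARN matching is case-insensitive with '*' wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_denied_by_scp(policy, action, region, principal_arn):
    """True if some Deny statement in the SCP applies to this request.

    SCPs never grant anything: False only means this policy does not block
    the call; the identity's IAM policies still have to allow it.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt and _matches_any(action, stmt["NotAction"]):
            continue  # NotAction: listed actions are excluded from the deny
        if "Action" in stmt and not _matches_any(action, stmt["Action"]):
            continue
        cond = stmt.get("Condition", {})
        regions = cond.get("StringNotEquals", {}).get("aws:RequestedRegion")
        if regions is not None and region in regions:
            continue  # allowed region, condition not satisfied
        exempt = cond.get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt is not None and _matches_any(principal_arn, exempt):
            continue  # exempt principal
        return True
    return False


# Constructed sample principals (fake account ID).
DEV_ROLE = "arn:aws:iam::111122223333:role/Developer"
CT_ROLE = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"


def demo():
    scp = build_restriction_scp()
    return {
        "ec2_in_eu": is_denied_by_scp(scp, "ec2:RunInstances", "eu-west-1", DEV_ROLE),
        "ec2_in_us": is_denied_by_scp(scp, "ec2:RunInstances", "us-east-1", DEV_ROLE),
        "iam_global": is_denied_by_scp(scp, "iam:CreateRole", "eu-west-1", DEV_ROLE),
        "ct_exempt": is_denied_by_scp(scp, "ec2:RunInstances", "eu-west-1", CT_ROLE),
        "lightsail_us": is_denied_by_scp(scp, "lightsail:CreateInstances", "us-east-1", DEV_ROLE),
    }


if __name__ == "__main__":
    print(json.dumps(build_restriction_scp(), indent=2))
    print(demo())
```

The dumped document can be uploaded with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://scp.json` and attached to a sandbox OU first; SCPs do not affect the management account, and a region deny that forgets a global service or the Control Tower execution role will break account enrollment rather than just block workloads.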