AWS Multi-Account Structure and SSO help secure customer infrastructure

About Customer

The customer is a leading financial entity, with a comprehensive range of investment and savings products. These products enable wealth and income creation opportunities for large institutions and retail businesses. The customer works with a diverse set of distribution partners through their network of over 200 branches.

The Challenge

To become a digital, data-driven business with a robust security posture was of paramount importance for the customer. Already on their cloud journey, they wanted to improve their security for greater scalability and resilience vis-à-vis growing demand for digital financing. Key challenges faced by the customer included

Direct flow of the traffic to applications without being filtered by any security device
Unorganized IAM users in multiple accounts
Difficulties in monitoring permissions of IAM users
Absence of a central portal for monitoring the compliance level of all AWS accounts
Absence of a central portal for monitoring security events
Unorganized logs in every AWS account

The Solution

Blazeclan proposed a solution that involved setting up an AWS multi-account structure for enabling all landing zone services in existing accounts. AWS SSO was enabled for IAM user management. This was because AWS SSO enables single sign-on functionality for all users who require access to applications or resources in the same or different account. These have further been mapped with AWS SSO application, with appropriate policies and roles attached to the user SAML identity provider.

The solution comprised

Creating a new security account for hosting security components
Integration of all accounts with AWS Security Hub for providing a uniplanar view of security alerts from the central security hub account
Creating a central logging account for collecting logs from all accounts and storing them in the central S3 bucket encrypted with AWS KMS.

The customer was in need to establish an agile and scalable system, as this was the first AWS implementation for identity and access management. A completely new account was created for single sign-on, which was not part of the vendor’s landing zone. All users were provided the SAML-federated access using AWS SSO. According to the permissions and roles, the external AWS application was created and assigned to relevant users. The IAM users were created directly on AWS along with AWS SSO implementation. This ensured single sign-on to all AWS services and integrating with the customer’ active directory.

Amazon security groups, which act as virtual firewalls for EC2 instances, were used to protect AWS VPCs and resources. This provided a good control over both inbound and outbound traffic. The security groups were designed and added in alignment to workloads running in the instances, including the application, web, or database. Moreover, log management services, such as VPC Flow Logs, Amazon S3, AWS Firewall Manager, NACLs, and CDN have been utilized for respective resources.

Benefits Achieved by the Customer

A clean and completely controlled architecture was achieved for the customers applications.
An optimal cost consumption model was implemented along with effective leverage of native cloud services.
All security events were effectively monitoring without any human intervention.
Automation ensured the security status of the customer’s environment is always visible, without any significant increase in cost.

Tech Stack

AWS Security Hub	AWS Identity and Access Management (IAM)	AWS Config
Amazon SNS	Amazon S3	Amazon CloudWatch
AWS Lambda	AWS KMS	Amazon VPC
Checkpoint	AWS CloudTrail	F5 WAF

Categories

Cloud Security, Security
Service Tags

Automated Security, automation, Cloud, Cloud Security, Compliance, Security

Cloud Consulting, Strategy, and Migration

DevSecOps

Cloud Security Engineering

Application Assessment

Cloud Native Application Development & Testing

SaaS Product & Platform Development

Data Strategy

Data Governance and Engineering

Advanced Analytics

Cloud Governance & Reporting

Cloud Discovery & Optimization

DevOps Transformation (DoT)

cAssure

cSecure

SaaS Factory Model

BlazePulse

cSaver

Cloud and Platform Modernization

Cloud Security Operations

Conversational AI

Application Maintenance & Enhancement

Application Modernization

Managed Analytics

BI Modernization

Cloud Managed Services

How Analytics Helps Businesses Better Serve their Customers

Building Capabilities of Incident Response/Disaster Recovery on the Cloud

Impactful Cloud Computing Trends to Look For in 2022

Blazeclan Helps AIMS Migrate and Optimize its SaaS Application on AWS

Expect Me Launches A Revolutionary SaaS Room Selection Platform

Cloud-based Big Data and Analytics Platform Helped hub.brussels Achieve Seamless Data Consolidation and Accessibility

Ebooks & Whitepapers

Augment Your Deployment Velocity With Terraform

Back to Business as Usual - Rightsizing Your AWS Cloud Cost

Call Us

Email Us

Financial Services

Banking & Insurance

Media & Entertainment

Telecom

Technology

iGaming

About Us

Our Leadership

Customer Speaks

Strategic Partners

OneClan Life

Clouditects

Work With Us

Thought Leadership

Awards and Recognition

Media Coverage