Cloud Landing Zones

What is a Cloud Landing Zone?

A Cloud Landing Zone is a well-architected, scalable and secure cloud adaptation.

Category: Cloud Landing Zones
Published: March 5, 2024

ABOUT THIS POST: In this blog post series we're delving into the essential components of Cloud Landing Zones in both Azure and AWS.

Cloud landing zones are essential for organisations navigating their cloud journey. This pivotal framework, advocated by leading cloud providers such as AWS, Microsoft Azure, and Google Cloud Platform, serves as a cornerstone for achieving optimal cloud adoption.

This blog covers:

  1. What is a Cloud Landing Zone?
  2. What problems does a Landing Zone address?
  3. Who needs a Cloud Landing Zone?
  4. What are the key components?
  5. How to Implement a Cloud Landing Zone?

KEY TAKEAWAYS
  • A foundational architecture ensuring secure and compliant cloud adoption, enabling scalability and efficient resource management.
  • Tackles various pillars including reliability, security, performance efficiency, cost optimisation, and operational excellence, ensuring robustness across all fronts.
  • Suited for large enterprises, regulated industries, startups scaling rapidly, and multi-cloud adopters, providing tailored solutions for complex cloud needs.
  • Components like account and resource organisation, identity and access management, network architecture, and logging and monitoring are crucial for designing an effective cloud setup.
  • Organisations can choose between pre-built solutions offered by cloud providers or custom implementations using tools like CloudFormation, Bicep, or Terraform, depending on their specific needs and preferences.
  • Appvia offers expert custom-tailored solutions aligned with the Cloud Adoption Framework in Azure and AWS.

What is a cloud landing zone?

A Cloud Landing Zone is a well-architected, scalable and secure cloud adaptation. It serves as a set of principles and guidelines that guide an organisation through its cloud journey and ensure optimal and efficient cloud adoption. It provides a foundational architecture to set up resources, manage identities, enforce security controls, and meet compliance requirements. In simple terms, it’s like setting up a secure and compliant foundation that you can build on top of and scale appropriately as your organisation grows.

Without a strong foundation in place, companies often find themselves spending precious time and resources redesigning and rearchitecting their initial setups later down the line, due to changing requirements. 

Major Cloud Providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) have introduced their own versions of landing zones to help their customers set up well-architected and standardised cloud environments.

  • AWS has its "AWS Landing Zone" solution.
  • Microsoft offers the "Azure Landing Zone."
  • Google Cloud has its "Google Landing Zone."

What problems does a Cloud Landing Zone address?

Landing zones provide a comprehensive set of standards across several pillars:

  • Reliability
  • Security
  • Performance efficiency
  • Cost optimisation 
  • Operational excellence

Reliability

This is the system's ability to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.

This covers things such as:

  • Multi-region and Multi-AZ deployments
  • Disaster recovery and backups
  • Resource scaling and load balancing
  • Monitoring and Alerts
  • Failover strategies
  • Good documentation

Security

This encompasses a broad range of best practices, configurations, and tools to ensure that cloud resources and data remain protected. It provides the mechanisms to restrict access, encrypt assets, enforce policies to industry standards such as CIS/NIST as well as provide insights into security vulnerabilities. From a high level it covers:

  • Identity and access management
  • Data protection
  • Network security
  • Threat detection and monitoring 
  • Vulnerability monitoring and alerting
  • Workload isolation and policy enforcement

Performance Efficiency

Focuses on ensuring that cloud resources and workloads are optimised to deliver the best performance for the given requirements, without incurring unnecessary costs. It's all about ensuring the right resources are available for the workload at the right time and in the right configuration. While specifics can vary based on the cloud provider and individual organisational needs, some common elements within the Performance Efficiency pillar of a cloud landing zone include:

  • Right-sizing and Elasticity 
  • Storage optimisation 
  • Database and caching optimisation
  • Compute optimisation such as serverless and container-based services
  • Network optimisation such as content delivery networks 
  • Monitoring and metrics to track utilisation

Cost Optimisation

Ensures that an organisation is gaining maximum value from its cloud investments while minimising unnecessary expenses. The aim is to strike a balance between performance and cost, ensuring that you're not overspending for the resources and services you're using. This often includes:

  • Right-sizing resources
  • Elasticity and scalability
  • Budgets and alerts
  • Reserved and committed use to receive high discounts on compute
  • Monitoring for underutilised resources
  • Cost allocation tags to get more detailed information in line with your business taxonomy
  • Cost reporting and dashboards
  • Optimised data transfers and storage costs

Operational Excellence

Is focused on procedures, best practices, ways of working and tools to ensure seamless and efficient operations. The operational excellence pillar is about how your teams work in regard to the cloud and often contains:

  • Infrastructure as code (IaC)
  • Change management
  • Monitoring and Logging 
  • Automation of all Cloud infrastructure
  • Continuous integration and deployment
  • Incident management 
  • Performance dashboards

Who Needs a Cloud Landing Zone?

A Cloud Landing Zone is not industry-specific but suited more to those with more complex needs. The types of organisations that would benefit from one would be:

Large Enterprises: These entities often have complex IT requirements, multiple departments, and a plethora of applications. A landing zone helps in setting a standard for every department to follow, ensuring consistency.

Regulated Industries: Financial, healthcare, or government organisations, for instance, require stringent compliance standards. Landing zones tailored for these industries ensure that these requirements are met from day one.

Startups Scaling Rapidly: For startups experiencing rapid growth, a structured cloud environment is essential. Landing zones provide the flexibility to scale while ensuring security and compliance.

Multi-Cloud Adopters: Companies using more than one cloud service provider can benefit from landing zones to maintain a consistent operational model across multiple clouds.

What are the Key components?

There are several key components which should be considered when designing the perfect cloud setup. Some of these are:

Account and resource organisation

For instance, AWS suggests creating a multi-account setup with several accounts for workloads and separate accounts for shared workloads, such as security or network accounts. Azure suggests separate subscriptions for platform components and for different products and environments, which also allows for data and application isolation.

Identity and Access Management

Identity and Access Management (IAM) is a core aspect of cloud security and governance that ensures only authenticated and authorised users can access resources within the cloud environment that they should be able to. 

Identity and access management has several parts: the identities of the users themselves, which should be backed by your identity provider, be it Active Directory, Gmail or another identity provider solution; the management of the roles those users hold; and the policies associated with those roles, which grant the right level of permissions to perform specific actions against specific cloud resources.

It is often broken down into:

  • Authentication
  • Authorisation
  • User management
  • Group management
  • Roles and policies
  • Access control
  • Federated access
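As an added example (not code from the original post), the federated-access and roles-and-policies pieces of this expressed in Terraform: a role that users from a corporate SAML identity provider can assume, carrying a policy scoped to specific actions on a specific resource. The provider name, metadata file, role name and bucket name are placeholders.

```hcl
# Added example: federated identity -> role -> scoped policy.
# "corporate-idp", "idp-metadata.xml" and "org-audit-logs" are placeholders.
resource "aws_iam_saml_provider" "corp" {
  name                   = "corporate-idp"
  saml_metadata_document = file("idp-metadata.xml") # exported from the IdP
}

# Trust policy: only identities federated through the corporate IdP, and only
# SAML assertions issued for the AWS sign-in audience, may assume the role.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithSAML"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.corp.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}

resource "aws_iam_role" "auditor" {
  name                 = "auditor-readonly"
  assume_role_policy   = data.aws_iam_policy_document.trust.json
  max_session_duration = 3600 # short-lived sessions for federated users
}

# Permission policy: specific actions against a specific resource only.
data "aws_iam_policy_document" "audit_read" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::org-audit-logs",
      "arn:aws:s3:::org-audit-logs/*",
    ]
  }
}

resource "aws_iam_role_policy" "audit_read" {
  name   = "audit-log-read"
  role   = aws_iam_role.auditor.id
  policy = data.aws_iam_policy_document.audit_read.json
}
```

Group-to-role mapping then lives in the identity provider, so joining or leaving a directory group changes cloud access without touching the cloud configuration.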

Network architecture

There are quite a few things to consider, such as global network segmentation, CIDR allocation and how the organisation would like their network to be shared. 
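As an added example (not from the original post), one way to derive a non-overlapping CIDR plan in Terraform: a single organisation-wide supernet is split per region and then per environment, so every VPC in the landing zone gets a distinct block. The supernet, regions and environments are constructed sample values.

```hcl
# Added example: organisation-wide address plan derived from one supernet.
# Sample values only; the supernet, regions and environments are constructed.
locals {
  org_supernet = "10.0.0.0/8"
  regions      = ["eu-west-1", "eu-west-2"]
  environments = ["shared", "prod", "nonprod"]

  # One /12 per region: 4 extra bits on a /8 gives 16 regional blocks.
  region_cidrs = {
    for idx, region in local.regions :
    region => cidrsubnet(local.org_supernet, 4, idx)
  }

  # Inside each regional /12, one /16 per environment (up to 16 per region).
  vpc_cidrs = merge([
    for region, block in local.region_cidrs : {
      for idx, env in local.environments :
      "${region}-${env}" => cidrsubnet(block, 4, idx)
    }
  ]...)
}

output "region_cidrs" {
  # eu-west-1 = 10.0.0.0/12, eu-west-2 = 10.16.0.0/12
  value = local.region_cidrs
}

output "vpc_cidrs" {
  # eu-west-1-shared = 10.0.0.0/16, eu-west-1-prod = 10.1.0.0/16,
  # eu-west-1-nonprod = 10.2.0.0/16, eu-west-2-shared = 10.16.0.0/16, ...
  value = local.vpc_cidrs
}
```

Because every block is computed from the same supernet with fixed offsets, adding a region or environment later cannot collide with existing allocations, which is what makes VPC peering or transit-gateway sharing across accounts workable.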

Initial security and compliance baseline

It is essential to consider the nature of policies that the organisation might require, including but not limited to: encryption, network security, access security and other rules which would apply on an organisational level.
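Pulling the account organisation and baseline points together, an added Terraform example (not the post's or Appvia's own code) of an AWS multi-account structure with shared security and network accounts, plus one service control policy guardrail from the baseline applied to every workload account. OU names, account names and e-mail addresses are placeholders.

```hcl
# Added example: multi-account organisation with a baseline guardrail.
# Account names and e-mail addresses below are placeholders.
resource "aws_organizations_organization" "org" {
  feature_set          = "ALL"
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

# Separate OUs for shared platform accounts and for workload accounts.
resource "aws_organizations_organizational_unit" "shared" {
  name      = "shared-services"
  parent_id = aws_organizations_organization.org.roots[0].id
}

resource "aws_organizations_organizational_unit" "workloads" {
  name      = "workloads"
  parent_id = aws_organizations_organization.org.roots[0].id
}

# Dedicated security and network accounts under the shared-services OU.
resource "aws_organizations_account" "shared" {
  for_each  = toset(["security", "network"])
  name      = each.key
  email     = "aws-${each.key}@example.com" # placeholder address
  parent_id = aws_organizations_organizational_unit.shared.id
}

# Baseline guardrail: no workload account can switch off CloudTrail logging
# or leave the organisation, regardless of the IAM permissions it holds.
data "aws_iam_policy_document" "baseline" {
  statement {
    effect = "Deny"
    actions = [
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "organizations:LeaveOrganization",
    ]
    resources = ["*"]
  }
}

resource "aws_organizations_policy" "baseline" {
  name    = "landing-zone-baseline"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.baseline.json
}

resource "aws_organizations_policy_attachment" "baseline_workloads" {
  policy_id = aws_organizations_policy.baseline.id
  target_id = aws_organizations_organizational_unit.workloads.id
}
```

Service control policies never apply to the management account, which is one reason the security and network functions belong in their own member accounts rather than in the root of the organisation.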

Logging, account monitoring and auditing 

With the right guidelines in place, organisations can decide on a logging strategy that supports the essential analysis of logs and account activity.

These are just some of the main components of Cloud Landing Zones, however, there are more, depending on organisational needs, all designed to help you consider crucial design elements to get the most out of your cloud setup.


How to Implement a Cloud Landing Zone?

Once satisfied with the approaches to setting up a Cloud Landing Zone, the next step is to consider organisationally appropriate implementation.

There are two ways of implementing Cloud Landing Zones: either by using pre-packaged solutions offered by cloud providers, or by opting for a more flexible, custom implementation.

Pre-built solutions

Ready-to-use solutions provided by cloud providers, such as Azure Landing Zone (CAF), AWS Landing Zone Accelerator or AWS Control Tower.

Custom solutions

Custom implementation of landing zones, depending on your needs, can be done via additional tools such as CloudFormation, Bicep or Terraform. What an organisation decides to adopt in terms of cloud management tools can differ from company to company. However, the most widely used tools will provide the most reusable assets for you to consume and learn from via the community that underpins them.

Conclusion

A Cloud Landing Zone is fundamental in the efficient and secure adoption of cloud. It provides a structured framework that guides organisations through their cloud journey, emphasising the importance of strong initial setups to avoid future redesigns due to changing requirements and industry standards. Key elements to consider in a Cloud Landing Zone include account and resource organisation, access management, network architecture, security and compliance baselines, and logging and monitoring. While there are standard components, the specific needs can vary based on the organisation.
