The bank is gearing up to move to the cloud, with the ultimate goal of having multi-cloud capabilities. To get started on their journey, they asked OSS Group to build an Amazon Web Services (AWS) Landing Zone. Although the bank already has an AWS presence, they wanted the AWS Landing Zone built from scratch according to a new high-level design. This environment allows new sets of accounts to be stood up that meet the bank's rigid security and auditability standards and that include the range of AWS services available to the bank. Once constructed, the AWS Landing Zone will connect with the on-prem network, and the existing AWS accounts and applications will be moved into the new environment.
The environment also needed to be designed with flexibility and compatibility in mind, because the bank is relatively new to the cloud and is unsure which applications will be developed and run in the future. Compatibility with third-party tools was therefore a must, as was built-in flexibility that lets developers act autonomously rather than involving platform support every time a change is required.
AWS is the ideal platform provider in this use case. Not only does the AWS Landing Zone solution facilitate the set-up of a secure, multi-account environment based on AWS best practices, it is also compatible with automation, it provides numerous APIs, and assumptions and designs can be tested quickly. AWS tools like AWS Transit Gateway make it easy to connect the bank's existing Virtual Private Clouds (VPCs) and on-premises networks to a single gateway. Furthermore, the compatibility of AWS with third-party tools means that careful design choices will make it the least expensive platform option.
OSS Group is building this new environment with automation in mind from the start. By using Terraform as the automation engine, all of the bank's requirements, including security and firewall requirements, can be codified. This gives the bank a single source of truth for the configuration, which makes auditing straightforward, and easier still when AWS CloudTrail is used as the auditing and compliance service.
AWS CloudTrail will also be used for monitoring and log storage. User access control will be handled with AWS IAM. The OSS Group team is integrating the bank's on-prem Active Directory with AWS, giving developers access to AWS without needing to provision additional user accounts and passwords. This way, developers will simply use their bank user account and password to access the specific AWS environments and accounts they are allowed to use.
The build of the landing zone is currently in progress. OSS Group has completed the basic scaffolding and is working through the security and encryption requirements. All of the basic service accounts have been created, such as the login account and the security account. These accounts have been pre-configured but are awaiting sign-off before they are trusted by the broader network.
The next big step will be the transit VPC, which will connect the network pieces from the different existing AWS accounts together and will connect to the on-prem environment. OSS Group will use AWS Transit Gateway to create this connection. After testing the connections, OSS Group will configure the CI/CD pipeline and automatic deployment strategies. This will allow the bank to automate the provisioning of new accounts. For example, if a team is developing a new product and needs access to the AWS environment, separate accounts can be created for that specific team. These accounts will still be connected to the master account, will have the same security features and auditability, and will have access to shared services like user directories and repositories. However, the new accounts will not be allowed to view or change work that is outside their jurisdiction.
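As an added example of the Terraform-codified account vending described above (the automation in the earlier paragraph and the per-team accounts here), not OSS Group's or the bank's own code: member accounts are created under an organizational unit in the master account, and a service control policy attached to that unit prevents any member account from switching off CloudTrail or leaving the organization, so the auditability the landing zone depends on is enforced centrally rather than per account. The provider configuration, OU name, account names and e-mail addresses are assumptions.

```hcl
# Added example (not OSS Group's or the bank's code). Assumes the AWS provider is
# configured for the master (management) account, where AWS Organizations already
# exists. OU, account names and e-mail addresses are placeholders.
data "aws_organizations_organization" "org" {}

# OU that holds vended team accounts; policies attached to it apply to every member
resource "aws_organizations_organizational_unit" "workloads" {
  name      = "workloads"
  parent_id = data.aws_organizations_organization.org.roots[0].id
}

# One account per team, created inside the OU so the SCP below is inherited
resource "aws_organizations_account" "team" {
  for_each  = toset(["payments-dev", "payments-test"]) # constructed names
  name      = each.key
  email     = "aws+${each.key}@example.com"            # placeholder
  parent_id = aws_organizations_organizational_unit.workloads.id
  role_name = "OrganizationAccountAccessRole"
}

# SCP: member accounts cannot stop or weaken CloudTrail, or leave the organization,
# so the audit trail the landing zone relies on survives local changes
data "aws_iam_policy_document" "guardrails" {
  statement {
    sid       = "DenyCloudTrailTampering"
    effect    = "Deny"
    actions   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]
    resources = ["*"]
  }
  statement {
    sid       = "DenyLeavingOrganization"
    effect    = "Deny"
    actions   = ["organizations:LeaveOrganization"]
    resources = ["*"]
  }
}

resource "aws_organizations_policy" "guardrails" {
  name    = "landing-zone-guardrails"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.guardrails.json
}

resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = aws_organizations_organizational_unit.workloads.id
}
```

The SCP only takes effect if the organization has all features enabled and the SERVICE_CONTROL_POLICY policy type enabled on the root; a plan in an organization without that will fail at the attachment step, which is a useful early check.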
While the project officially started in April, the team was only given permission to start a month ago. There are still changes being made to the high-level designs, including changes to security and compliance requirements. However, the project is well under way, and once the bank allows connection to the broader network, progress will accelerate. The OSS Group team expects the project will be done well before the end of the year. The bank will then have all the tools they need to create new accounts, provision them and onboard new applications and new teams with ease.