Amazon Web Services Landing Zone

Before you migrate applications to or build next-gen applications on Amazon Web Services (AWS), you need to ensure that you have a landing zone in place. The landing zone concept is a key component of cloud operational maturity as part of your enterprise multi-account environment strategy.

A landing zone should enable self-service for developers and engineers through the use of policy guardrails. These policy guardrails should be in place before migration, during migration, and post-migration. After all, security and compliance cannot be a one-time effort. They must be a continuous process in order to minimize the risk of misconfigurations or policy violations.

InsightCloudSec delivers several key components to ensure policy guardrails are automated:

  • Unified security and compliance policies in multi-account environments mapped back to industry standards or your organization’s standards
  • Monitoring of policy violations across multi-account environments
  • Real-time, user-driven, automated remediation of policy violations to minimize and mitigate risk
  • Reporting to verify security and compliance to peers, executives, and auditors and to build trust in CloudOps and CloudSecOps

We recommend at a minimum using policies associated with the following standards pre-migration to build your landing zone:

  • CIS AWS Benchmark
  • CIS Kubernetes Benchmark (applies to AWS EKS)
  • NIST Cybersecurity Framework

InsightCloudSec also offers policies mapped to the following additional standards for your deployment pre-migration:

  • NIST 800-53
  • PCI DSS
  • SOC 2
  • ISO 27001
  • GDPR
  • CSA CCM
  • FedRAMP CCM
  • HIPAA

You can create custom standards in InsightCloudSec that include policies from one or more of the out-of-the-box standards, and also build your own unique custom policies from scratch.

By deploying InsightCloudSec pre-migration, you can test each application to be migrated against these policies and avoid situations in which the application is out of compliance from its inception in AWS. This avoids immediate security and compliance issues and spares you challenging rework after the application has been promoted to production.

During migration, InsightCloudSec ensures that as developers and engineers use self-service capabilities to make changes, those changes don’t violate security and compliance policies, and that any violations are immediately identified and corrected. This ensures that there are no surprises post-migration and, again, minimizes rework.

Post-migration, InsightCloudSec plays an important role in ensuring that any drift from the initial configuration does not violate policy, and it delivers maturity to CloudOps and CloudSecOps teams. InsightCloudSec’s ability to monitor, remediate, and report on security and compliance means that these teams can keep up with the incredible pace of cloud and rest easy.