Landing Zone Accelerator on AWS

Support for specific regions and industries

• Regional configurations

  We built the following geographical region-specific configurations for the Landing Zone Accelerator on AWS solution to align with AWS best practices and country-specific compliance frameworks. Select your desired geographical region for deployment instructions.

  Note: Details about security of the cloud are contained in AWS third-party security and compliance reports in AWS Artifact.

  • United States
  • United Kingdom (UK)
  • Canada

  • United States

  • United States (US)
    

    See our implementation guide for instructions on how to deploy this solution in our AWS GovCloud (US) Regions. Doing so can help you align with:
    

    • Federal Risk and Authorization Management Program (FedRAMP) High
      
    • Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG) for hosting Impact Level (IL)4 and IL5 workloads
    • DoD Cybersecurity Maturity Model Certification (CMMC) readiness
    • M-21-31 logging and retention requirements

    If you wish to deploy in one of our US East or US West AWS Regions, follow the general deployment instructions in our implementation guide.
    
  • United Kingdom (UK)

  • United Kingdom (UK)
    

    The National Cyber Security Centre (NCSC) published cloud security guidance to allow cloud users to store and process data in the cloud, or use cloud platforms to build and host their own services securely. Select one of the principles below to see how the Landing Zone Accelerator on AWS sample configuration can help you meet these requirements.
    

    • Principle 1: Data in transit protection
      To meet Principle 1 requirements, you can implement the following controls in addition to the solution’s best practices sample configuration:

      • Amazon S3 only – Enforce a minimum of Transport Layer Security (TLS) 1.2 through a service control policy (SCP) that denies all actions if s3:TLSVersion is less than 1.2.
      • Amazon S3 Object Lambda only – Enforce a minimum of TLS 1.2 through an SCP that that denies all actions if s3-object-lambda:TlsVersion is less than 1.2.
      • Amazon ElastiCache only – Enforce TLS for CreateReplicationGroup operation through an SCP that denies the action if elasticache:TransitEncryptionEnabled is false.
        
    • Principle 2: Asset protection and resilience
      This solution’s best practices sample configuration meets the requirements of Principle 2 through the following controls:

      • Configure AWS Control Tower to prohibit access to AWS services in certain Regions (for example, Regions located in geographies with no data access agreement with the UK).
      • AWS Control Tower allows and configures AWS Config to track the deployment and configuration of AWS resources. Providing a configuration management database that customers can use for visibility and undertaking specific automated audits can help ensure compliance.
      • This solution implements detective compliance controls to ensure alignment to asset protection (for example, controls such as identifying unencrypted storage and load balancers not configured to export access logs to the central archive account or endpoints without TLS encryption).
        

       

      For additional security, you can implement the following controls:

      • Disallow certain AWS artificial intelligence (AI) services to store and use customer content processed by those services for the development and continuous improvement of other AWS services.
      • Enforce encryption at rest by denying creation of or updates to certain resources unless they’re encrypted. You can do this by adding the following conditions to the SCPs:
        • Amazon EC2 by setting "ec2:Encrypted": "true" 
        • Amazon EFS by setting "elasticfilesystem:Encrypted": "true" 
        • Amazon RDS by setting "rds:StorageEncrypted": "true" 
        • Amazon S3 by setting "s3:x-amz-server-side-encryption": "aws:kms" 
        • Amazon ElastiCache by setting "elasticache:AtRestEncryptionEnabled": "true"
          

       

    • Principle 3: Separation between customers

      AWS configuration for security of the cloud can help you meet Principle 3 requirements. We recommend reviewing the Logical Separation on AWS whitepaper for details on implementation. More information is contained within AWS security and compliance documents, such as AWS International Organization for Standardization (ISO) certifications, Payment Card Industry (PCI) certifications, and System and Organization Control (SOC) reports. You can download these reports through AWS Artifact.
      

    • Principle 4: Governance framework
      To understand the broader governance that AWS implements for its service management, see AWS security and compliance documents, such as AWS ISO and PCI certifications and SOC reports. You can download these reports through AWS Artifact.

       

      Governance is equally important within your environment when meeting Principle 4 requirements. We designed the prescriptive architecture (separation of security, logging, and core networking functions into isolated accounts) and controls (refer to Principle 5) implemented by this solution to help you gain visibility into your AWS resources, centrally implement automated controls, and establish and enforce governance across your cloud environments.
    • Principle 5: Operational security
      This solution’s best practices sample configuration meets Principle 5 requirements by creating a centralised security account, known as a delegated security account. This account receives information from the security services that the solution activates by default, including the following:

      • Amazon GuardDuty to continuously monitor, analyse, and process the following data sources across all accounts within the solution environment:
        • Amazon VPC Flow Logs
        • AWS CloudTrail management event logs
        • AWS CloudTrail S3 data event logs
        • Amazon EKS audit logs
        • AWS DNS logs
      • Amazon Macie to support discovery, monitoring, and protection of sensitive data in Amazon S3 using machine learning and pattern matching.
      • AWS Config to provide:
        • Detailed view of the configuration of AWS resources in all accounts in the solution environment
        • Audit resources against compliance rules (for example, identifying storage that isn’t encrypted at rest)
        • Compliance rules to check for non-conformance
      • AWS Security Hub to provide a single dashboard to view feeds from the preceding services. This allows an organisations security team to see an aggregated view of their threat detection and compliance control status to mitigate threats in a single place.
      • AWS Audit Manager to support compliance reporting across the organization.
      • Amazon Detective to help with security incident investigations.
        
    • Principle 6: Personnel security

      This solution doesn’t provide specific configurations to support Principle 6. However, AWS configuration for security of the cloud helps you meet the requirements of this principle. More information is contained within AWS security and compliance documents, such as AWS ISO and PCI certifications and SOC reports. You can download these reports through AWS Artifact.
      

    • Principle 7: Secure development

      To support Principle 7, this solution provides architecture that has been vetted by AWS solutions architects as a well-architected, robust, complete, best-practice, prescriptive, real-world solution. This solution can save you time and effort with self-service and automated installation and deployment when building on AWS.
      

       

    • Principle 8: Supply chain security

      This solution doesn’t provide specific configurations to support Principle 8. However, AWS configuration for security of the cloud helps you meet the requirements of this principle. More information is contained within AWS security and compliance documents, such as AWS ISO and PCI certifications and SOC reports. You can download these reports through AWS Artifact.
      

    • Principle 9: Secure user management
      This solution’s best practices sample configuration meets the requirements of Principle 9 through the following controls:

      • Set up AWS IAM Identity Center to help you manage access and user permissions across all your AWS accounts within the solution environment.
      • Delete existing access keys for the root user of the solution management account.
      • Enforce AWS Identity and Access Management (IAM).
        
      • Allow IAM Access Analyzer to report on overly permissive access and help generate least privilege access policies.
        

      This solution helps you deploy IAM policies based on access analyzer suggestions. A walkthrough is available on AWS Security Blog.
      

    • Principle 10: Identity and authentication

      This solution doesn’t provide specific configurations to support Principle 10. However, AWS configuration for security of the cloud helps you meet the requirements of this principle. More information is contained within AWS security and compliance documents, such as AWS ISO and PCI certifications and SOC reports. You can download these reports through AWS Artifact.
      

    • Principle 11: External interface protection
      This solution’s best practices sample configuration meets Principle 11 requirements through the following controls:

      • Set up AWS PrivateLink to ensure traffic between AWS services doesn’t traverse the public internet.
    • Principle 12: Secure service administration

      This solution doesn’t provide specific configurations to support Principle 12. However, AWS configuration for security of the cloud helps you meet the requirements of this principle. More information is contained within AWS security and compliance documents, such as AWS ISO and PCI certifications and SOC reports. You can download these reports through AWS Artifact.
      

    • Principle 13: Audit information and alerting

      This solution’s best practices sample configuration meets the requirements of Principle 13 through the following controls:

      • Set up AWS CloudTrail to record—and securely store for 365 days—all actions taken by a user, role, or AWS service across all accounts within the solution environment.
      • Store CloudTrail logs in a separate AWS account with restricted read-only access as a safeguard against unauthorized modification.
      • Send email alerts when AWS Security Hub detects an event at the following severity levels:
        • Low
        • Medium
        • High
          
    • Principle 14: Secure use of the service

      To support Principle 14, we offer this solution to help customers wanting to adopt prescriptive security best practices with AWS. You can use this solution with other resources and services such as the AWS Well Architected framework and AWS Trusted Advisor to help you rapidly implement secure-by-design architectures.
      

       

  • Canada

  • Canada
    

    We built the Canadian Centre for Cyber Security (CCCS) Cloud Medium (formerly Protected B, Medium Integrity, Medium Availability [PBMM]) configuration to deploy an opinionated and prescriptive architecture. We designed this architecture to help customers address controls required to receive an Authority to Operate (ATO) as described in ITSP.50.105.
    

    Deploying this configuration can help you reduce the time required to implement CCCS Cloud Medium controls from 90+ days to 2 days. Inheriting controls covered by CCCS Cloud Medium assessment, along with using the Landing Zone Accelerator on AWS solution to address common controls that are the responsibility for the customer, can accelerate a Security Assessment & Authorization (SA&A) process.

    You can also meet the Government of Canada (GC)'s minimum guardrails as part of the GC Cloud Operationalization Framework. Meeting the minimum guardrails with the Landing Zone Accelerator on AWS solution also helps you support CCCS Cloud Medium controls if the sensitivity of your workload changes. Tuning the parameters within the configuration file allows you to deploy customized architectures to meet requirements of a range of governments and public sector organizations.

    To install this configuration, use the Landing Zone Accelerator for CCCS Cloud Medium sample configuration file and instructions on GitHub.

    Note: The Landing Zone Accelerator on AWS solution is now the recommended solution for public sector organizations seeking to deploy an AWS Environment in alignment with the requirements of the CCCS Cloud Medium Profile. Previously, Canadian public sector customers that sought alignment with the CCCS Cloud Medium profile deployed the AWS Secure Environment Accelerator to address controls that are the responsibility of the customer in the shared responsibility model. Release versions 1.3.0 and above of the Landing Zone Accelerator on AWS solution provide the same control coverage as the AWS Secure Environment Accelerator solution. If you're currently using the AWS Secure Environment Accelerator solution, there isn’t currently a deadline to migrate to the Landing Zone Accelerator on AWS solution.

• Industry configurations

  We built the following industry-specific configurations for the Landing Zone Accelerator on AWS solution to align with AWS best practices and industry-specific compliance frameworks. Select your desired industry for deployment instructions.

  Note: Details about security of the cloud are contained in AWS third-party security and compliance reports in AWS Artifact.

  • Aerospace
  • Central IT (US state and local government)
  • Education
  • Finance (Tax)
  • Healthcare
  • National security, defence, and national law enforcement (outside the US)

  • Aerospace
  • Video

    Close

    AWS Summit DC 2022 - Scaling automated governance with Landing Zone Accelerator on AWS

    Watch the video 

    Aerospace (US)
    

    To support aerospace use cases in the US, see our implementation guide for instructions on how to deploy this solution in our AWS GovCloud (US) Regions. Doing so can help you align with:
    

    • Federal Risk and Authorization Management Program (FedRAMP) High
      
    • Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG) for hosting Impact Level (IL)4 and IL5 workloads
    • DoD Cybersecurity Maturity Model Certification (CMMC) readiness
    • M-21-31 logging and retention requirements

    If you wish to deploy in one of our US East or US West AWS Regions, follow the general deployment instructions in our implementation guide.
    
  • Central IT (US state and local government)

  • Central IT (US state and local government)
    

    We built the US state and local government Central IT configuration to provide guardrails to help mitigate the threats faced by central IT organizations. To support these organizations, this configuration uses controls from the following frameworks:
    

    • AWS controls from the National Institute of Standards and Technology (NIST) Cybersecurity Framework
    • Optional Health Insurance Portability and Accountability Act (HIPAA)-aligned control configurations
      

    Step 1. Launch the stack

    Launch the AWS CloudFormation template into your AWS account. Review the template parameters and enter or adjust the default values as needed. See the solution implementation guide for more detailed instructions.

    Step 2. Await initial environment deployment

    Await successful completion of the AWSAccelerator-Pipeline pipeline.

    Steps 3 and 4. Copy and update the configuration files
    

    Follow Steps 3 and 4 in the Deployment Overview for the Landing Zone Accelerator on AWS for State and Local Government Central IT sample configuration on GitHub.

  • Education

  • Education
    

    We built the Education configuration to provide guardrails to help mitigate the threats faced by education organizations. To support these organizations, this configuration uses controls from the following frameworks:

    • International Traffic in Arms Regulations (ITAR)
    • National Institute of Standards and Technology (NIST) 800-171
    • NIST 800-53
    • Cybersecurity Maturity Model Certification (CMMC)
      

    Step 1. Launch the stack

    Launch the AWS CloudFormation template into your AWS account. Review the template parameters and enter or adjust the default values as needed. See the solution implementation guide for more detailed instructions.

    Step 2. Await initial environment deployment

    Await successful completion of the AWSAccelerator-Pipeline pipeline.

    Steps 3 and 4. Copy and update the configuration files

    Follow Step 3 and Step 4 in the Deployment Overview for the Landing Zone Accelerator on AWS for Education sample configuration on GitHub.

  • Finance (Tax)

  • Finance (tax)
    

    We built the Finance (tax) configuration to deploy an account structure commonly used with tax workloads along with security controls and network configurations to secure Federal Tax Information (FTI) data. This configuration aligns with the Internal Revenue Service (IRS)-1075 requirements to encrypt Amazon S3, Amazon EBS, and Amazon FSx hosting FTI data using Customer Managed Keys (CMK) under customer control.
    

    Step 1. Launch the stack

    Launch the AWS CloudFormation template into your AWS account. Review the template parameters and enter or adjust the default values as needed. See the solution implementation guide for more detailed instructions.

    Step 2. Await initial environment deployment

    Await successful completion of the AWSAccelerator-Pipeline pipeline.

    Steps 3 and 4. Copy and update the configuration files

    Follow Step 3 and Step 4 in the Deployment Overview for the Landing Zone Accelerator on AWS for Finance (Tax) sample configuration on GitHub.

  • Healthcare

  • Healthcare
    

    We built the Healthcare configuration to provide guardrails to help mitigate the threats faced by healthcare organizations. To support these organizations, this configuration uses controls from the following frameworks:
    

    • Health Insurance Portability and Accountability Act (HIPAA)
    • National Cyber Security Centre (NCSC)
    • Esquema Nacional de Seguridad (ENS) High
    • Cloud Computing Compliance Controls Catalog (C5)
    • Fascicolo Sanitario Elettronico
      

    Step 1. Launch the stack

    Launch the AWS CloudFormation template into your AWS account. Review the template parameters and enter or adjust the default values as needed. See the solution implementation guide for more detailed instructions.

    Step 2. Await initial environment deployment

    Await successful completion of the AWSAccelerator-Pipeline pipeline.

    Steps 3 and 4. Copy and update the configuration files

    Follow Step 3 and Step 4 in the Deployment Overview for the Landing Zone Accelerator on AWS for Healthcare sample configuration on GitHub.

  • National security, defence, and national law enforcement (outside the US)

  • National security, defence, and national law enforcement (outside the US)
    

    National security, defence, and national law enforcement organizations around the world need the scale, global footprint, agility, and services that cloud brings to their critical missions—all while they’re required to meet stringent security and compliance requirements for their data. Increasingly, these organizations leverage the AWS global hyper-scale cloud to deliver their missions while keeping their sensitive data and workloads secure.
    

    To help you accelerate these sensitive missions in the cloud, we developed Trusted Secure Enclaves Sensitive Edition (TSE-SE) for National Security, Defence, and National Law Enforcement. The TSE-SE Reference Architecture is a comprehensive, multi-account AWS cloud architecture targeting sensitive level workloads. We designed this architecture in collaboration with our national security; defence; national law enforcement; and federal, provincial, and municipal government customers to accelerate compliance with strict and unique security and compliance requirements.
    

    We designed this architecture to help customers address central identity and access management, governance, data security, comprehensive logging, and network design and segmentation in alignment with security frameworks such as National Institute of Standards and Technology (NIST) 800-53, Information Technology Standards Guidance (ITSG)-33, Federal Risk and Authorization Management Program (FedRAMP) Moderate, Information Security Registered Assessors Program (IRAP), and other Sensitive, Protected, or Medium level security profiles.
    

    We developed this reference architecture using the following design principles:
    

    • Deliver security outcomes aligned with a medium level security control profile.
    • Maximize agility, scalability, and availability, while minimizing cost.
    • Allow the full capabilities of the AWS Cloud.
    • Remain open to supporting and incorporating the AWS pace of innovation and the latest technological capabilities.
    • Allow for seamless auto-scaling and provide unbounded bandwidth as bandwidth requirements increase (or decrease) based on actual customer load (a key aspect of the value proposition of cloud computing).
    • Architect for high availability: the design uses multiple AWS Availability Zones, such that the loss of one Availability Zone doesn’t impact application availability.
    • Operate as least privilege: all principals in the accounts are intended to operate with the lowest-feasible permission set.
    • Help address customer data sovereignty considerations.

    For architectural details, refer to the TSE-SE Reference Architecture. Use the configuration file and instructions to install the architecture.

• AWS opt-in Regions

  Some AWS Regions are not activated by default. To deploy the Landing Zone Accelerator on AWS solution into one of these AWS Regions, see our implementation guide.

  Note: Details about security of the cloud are contained in AWS third-party security and compliance reports in AWS Artifact.