The customer is a leading financial entity, with a comprehensive range of investment and savings products. These products enable wealth and income creation opportunities for large institutions and retail businesses. The customer works with a diverse set of distribution partners through their network of over 200 branches.
To become a digital, data-driven business with a robust security posture was of paramount importance for the customer. Already on their cloud journey, they wanted to improve their security for greater scalability and resilience vis-à-vis growing demand for digital financing. Key challenges faced by the customer included
- Direct flow of the traffic to applications without being filtered by any security device
- Unorganized IAM users in multiple accounts
- Difficulties in monitoring permissions of IAM users
- Absence of a central portal for monitoring the compliance level of all AWS accounts
- Absence of a central portal for monitoring security events
- Unorganized logs in every AWS account
Blazeclan proposed a solution that involved setting up an AWS multi-account structure for enabling all landing zone services in existing accounts. AWS SSO was enabled for IAM user management. This was because AWS SSO enables single sign-on functionality for all users who require access to applications or resources in the same or different account. These have further been mapped with AWS SSO application, with appropriate policies and roles attached to the user SAML identity provider.
The solution comprised
- Creating a new security account for hosting security components
- Integration of all accounts with AWS Security Hub for providing a uniplanar view of security alerts from the central security hub account
- Creating a central logging account for collecting logs from all accounts and storing them in the central S3 bucket encrypted with AWS KMS.
The customer was in need to establish an agile and scalable system, as this was the first AWS implementation for identity and access management. A completely new account was created for single sign-on, which was not part of the vendor’s landing zone. All users were provided the SAML-federated access using AWS SSO. According to the permissions and roles, the external AWS application was created and assigned to relevant users. The IAM users were created directly on AWS along with AWS SSO implementation. This ensured single sign-on to all AWS services and integrating with the customer’ active directory.
Amazon security groups, which act as virtual firewalls for EC2 instances, were used to protect AWS VPCs and resources. This provided a good control over both inbound and outbound traffic. The security groups were designed and added in alignment to workloads running in the instances, including the application, web, or database. Moreover, log management services, such as VPC Flow Logs, Amazon S3, AWS Firewall Manager, NACLs, and CDN have been utilized for respective resources.
Benefits Achieved by the Customer
- A clean and completely controlled architecture was achieved for the customers applications.
- An optimal cost consumption model was implemented along with effective leverage of native cloud services.
- All security events were effectively monitoring without any human intervention.
- Automation ensured the security status of the customer’s environment is always visible, without any significant increase in cost.
|AWS Security Hub
|AWS Identity and Access Management (IAM)