Cloud Computing case study

AWS LANDING ZONE

Arηs Group enables a financial institution to establish a secure foundation for their workloads on AWS through the design, implementation, and operation of a robust AWS Landing Zone.


About the customer

The Customer is a financial institution, part of a large banking group, based in Luxembourg, financing small and medium enterprises.

Financial Institution

The challenge

A financial institution faced stringent security requirements, particularly concerning the migration of confidential workloads to AWS. Key concerns included mitigating risks related to external data access requests and ensuring control over data security.

The project

Arηs Group partnered with the financial institution to address these challenges by focusing on a secure and compliant AWS Landing Zone. This involved:

  • Designing the AWS Landing Zone

    Arηs Group advised on the optimal architecture for the Landing Zone, selecting appropriate AWS managed services and products to meet the strict security and compliance requirements. This design phase considered automated environment provisioning as a key feature, following a GitOps approach.

  • Implementing the AWS Landing Zone

    Arηs Group implemented and deployed a comprehensive AWS Landing Zone. This implementation leveraged Infrastructure as Code (IaC) using Terraform, enabling the automated creation and management of the foundational AWS environment.

  • Operating the AWS Landing Zone

    As a Managed Service Provider, Arηs Group took on the responsibility of operating the implemented AWS Landing Zone. This ongoing management ensured the stability, security, compliance and constant evolution of the AWS Landing Zone.

Project Solution

Key Landing Zone Components & Capabilities:

While the case study details various components of the Landing Zone itself, the underlying AWS Services provide a secure and scalable foundation. Key aspects of the Landing Zone that enabled this are:

  • 01.

    AWS Organizations and Service Control Policies

    One account per environment per application. Organizational units are containers inheriting baseline policies.

  • 02.

    Automated Account Provisioning

    The use of AWS Control Tower and Account Factory ensured consistency, repeatability, and reduced manual errors in the end-to-end provisioning of new AWS accounts within the organization.

  • 03.

    Network Foundation and Security

    A hub-and-spoke architecture with AWS Transit Gateway at its core centralizes network ingress and egress and allows inspection.

  • 04.

    Security Foundation

    The Landing Zone incorporated security best practices and controls aligned with the financial institution's policies, providing a secure environment for deploying business workloads. AWS IAM Identity Center is used to streamline access control.

  • 05.

    Scalability and High Availability

    The Landing Zone was designed with scalability and high availability for business workloads in mind, leveraging a multi-region approach with transversal AWS services like Route 53, private hosted zones, AWS Network Firewall, VPC endpoints, CloudTrail, GuardDuty, Macie, etc.

Project Results

By focusing on establishing a secure AWS Landing Zone, Arηs Group enabled the financial institution to:

  1. Establish a controlled and compliant environment for handling sensitive data in the AWS Cloud which can be operated at scale
  2. Automate the provisioning of accounts within the Landing Zone for Business Units to accelerate time-to-market
  3. Build in resilience, leveraging AWS services and a multi-region model for transversal services
  4. Benefit from ongoing operational support, ensuring the continued security and stability of their AWS environment while leveraging cloud-native technologies to reduce Opex

Success factors

Arηs Group's expertise in designing, implementing, and operating AWS Landing Zones, combined with their understanding of the financial industry's stringent security requirements, was crucial to the success of this project. Their ability to provide end-to-end services, from initial architecture design to ongoing managed services, ensured a secure and robust foundation for the customer's AWS Landing Zone.