Abstract

The client is a mobility services company in the Nordics, part of a group of companies focused on sustainable transportation in cities. A heterogenous set of applications, vendors, and AWS accounts made it difficult to manage and control security requirements. When a decision was made to take back governance of these, Omegapoint was engaged as the technical partner to assist, educate, and execute the required changes together with the client's existing technical team. Omegapoint has delivered a stable and secure governance structure in accordance with best practices, helping our client to full control and ownership of their cloud environment. 

Background

Over a period of fast-paced innovation and experimentation, a number of application services had been developed and maintained in AWS by different service providers that were using different operating models. This heterogenous set-up made it difficult to control and manage security requirements, SLA:s, and cost. 

The client had set a strategic goal to consolidate ownership and governance of the complete set of applications. However, the client lacked the knowledge and ability to drive this transformation and sought a partner for immediate assistance to plan and execute the change, the end goal being to lay the foundation for an in-house team to take over the operational governance.  

There was a need to map out everything from account structure, to access management, to network setup. Next after that, evaluate and correct for industry best practices.  

The Solution

The Omegapoint AWS solution to consolidate and centralize governance, security, monitoring, and cost control is built on AWS Control Tower and AWS Organizations. To meet security requirements, services such as AWS Security Hub, Amazon Macie, Amazon Inspector, Amazon Guard Duty, and AWS Config are employed. Copies of all logs in the organization are collected and stored using Amazon S3 and Amazon CloudWatch. Dynamic budgets and budget alarms are configured in AWS Budgets. 

On top of the AWS security services, additional security tooling was built to enhance the monitoring and issue tracking: a custom AWS Lambda function gathers data from AWS Security Hub, populates a custom dashboard, and builds a weekly report for the client. AWS Automatic Security Response from AWS Solutions Library is deployed throughout the organization.  

Applications are segregated into AWS-accounts by workload and environment. There are also isolated sandbox accounts for the development teams for experimentation. To provision access to the accounts, AWS IAM (Identity and Access Management) Identity Center is used with a connection to Azure Active Directory for single sign-on. A selection of assumable IAM roles is available based job role and privilege. Service roles for CI/CD pipelines to enable fast-paced development are also provisioned. 

The solution follows the guidelines of the AWS Security Reference Architecture. 

Results and benefits

A thorough governance overhaul has been made and the client is now in complete control over its AWS environment, with a dedicated cloud operations team. The client is continuously monitoring its cloud environment and cost together with automated alarms for anomalies, misconfigurations, and unprivileged access. Omegapoint remains engaged as a strategic advisor and a technical partner.