Enterprise scale cloud landing zone to design, provision, operate, manage and dispose a multi-account AWS Cloud environment

Cloud computing is one of the fastest growing and evolving sector in the IT market, we see an increasing number of business migrating core part of their applications to cloud solutions. Storm Reply is the Reply company which focalizes on designing and implementing cloud-based solutions and services on Amazon Web Services(AWS). In order to remain competitive in the current market there is a need to increase the security posture, standardize and possibly automate procedure allowing the employees to focus on innovating, reducing overhead related to managing a large organization. Storm Reply manages over 200 AWS accounts and the previous solution was limited to grouping them for billing purposes but there was no centralized management, security policies on each account where left to manual intervention from the single employee that created the account. An important issue was that cross-account observability of the security practices was non-existent. The work carried out in this thesis was to design and implement a solution tailored to meet the requirements set by the market, in compliance to the most recent solutions suggested by the cloud provider as well as the standard required by ISO/IEC 27001 in terms of information security management and risk management process. The solution was articulated in three steps: centralize the organization management, define baseline and automate account provisioning, analysis and visualization of resources compliance status across all the accounts. The first step was achieved deploying AWS Control Tower as an abstraction of the existing organization, this allowed to easily apply security check on all accounts and centralize logs and results. The second part aimed at simplifying the overhead for the provisioning of new accounts, using a devops approach, automation was achieved through the use of AWS Codepipeline, as a CI/CD pipeline. The pipeline executes python and bash scripts to directly interact with the APIs of the cloud provider and execute Terraform files, the chosen infrastructure as code tool, to create cloud resources. Finally it was developed a custom solution using AWS Lambda for centralizing,elaborating and enriching the security check results and a Streamlit application deployed on a Kubernetes cluster to offer a unique dashboard to display them. The developed solution showed the weakness of the previous one, allowing the discovery of accounts drifts, the planning of the remediation and the monitoring of the progress. Account provisioning automation reduced the accounts drift at creation time, removing the human error and standardizing the baseline. Ultimately the active time required to provision a new account was greatly reduced.