Objectives

In this course, you will learn to:

  • Establish a landing zone with AWS Control Tower
  • Configure AWS Organizations to create a multi-account environment
  • Implement identity management using AWS Single Sign-On users and groups
  • Federate access using AWS SSO
  • Enforce policies using prepackaged guardrails
  • Centralize logging using AWS CloudTrail and AWS Config
  • Enable cross-account security audits using AWS Identity and Access Management (IAM)
  • Define workflows for provisioning accounts using AWS Service Catalog and AWS Security Hub

Audience

This course is intended for:

• Solutions architects, security DevOps, and security engineers

Prerequisites

Before attending this course, participants should have completed the following:

Required:

• AWS Security Fundamentals course

AWS Security Essentials course

Optional:

• AWS Cloud Management Assessment

• Introduction to AWS Control Tower course

• Automated Landing Zone course

• Introduction to AWS Service Catalog course

Duration

One day

 

Outline for AWS Security Governance at Scale Training

Course Introduction

  • Instructor introduction
  • Learning objectives
  • Course structure and objectives
  • Course logistics and agenda

Module 1: Governance at Scale

  • Governance at scale focal points
  • Business and Technical Challenges

Module 2: Governance Automation

  • Multi-account strategies, guidance, and architecture
  • Environments for agility and governance at scale
  • Governance with AWS Control Tower
  • Use cases for governance at scale

Module 3: Preventive Controls

  • Enterprise environment challenges for developers
  • AWS Service Catalog
  • Resource creation
  • Workflows for provisioning accounts
  • Preventive cost and security governance
  • Self-service with existing IT service management (ITSM) tools
  • Lab 1: Deploy Resources for AWS Catalog
  • Create a new AWS Service Catalog portfolio and product.
  • Add an IAM role to a launch constraint to limit the actions the product can perform.
  • Grant access for an IAM role to view the catalog items.
  • Deploy an S3 bucket from an AWS Service Catalog product.

Module 4: Detective Controls

  • Operations aspect of governance at scale
  • Resource monitoring
  • Configuration rules for auditing
  • Operational insights
  • Remediation
  • Clean up accounts
  • Lab 2: Compliance and Security Automation with AWS Config
  • Apply Managed Rules through AWS Config to selected resources
  • Automate remediation based on AWS Config rules
  • Investigate the Amazon Config dashboard and verify resources and rule compliance
  • Lab 3: Taking Action with AWS Systems Manager
  • Setup Resource Groups for various resources based on common requirements
  • Perform automated actions against targeted Resource Groups

Module 5: Resources

  • Explore additional resources for security governance at scale