AWS-Multi-Account Structure and Security Automation: A Case Study from the Public Mobility Sector

The Client

Our public sector customer operates large critical infrastructures and currently manages a cloud environment with a single AWS account as a proof of concept (PoC). The goal of the project is to modernize a cloud-native application environment to meet Critical Infrastructure Review (KRITIS) requirements.

This modernization involves migrating the current components to a newly built cloud environment. The new environment will take into account applicable security, compliance, operations, and spend management policies.

The Requirements

The main focus of this cooperation is to advise on upcoming audits. The requirements are as follows

  • Automated logging to ensure security, process visibility and compliance.
  • Easily set up and manage scalable and secure accounts that meet the customer’s needs.
  • Prepare for a smooth migration of all applications to an AWS Control Tower monitored account without disrupting ongoing business operations.

The Challenge

Challenges in implementing the project include:

  • Plan and implement an organizational structure (AWS Organizational Units) that cleanly separates critical tasks and data from work environments
  • Develop and apply an automated set of rules to maintain security standards
  • Develop a centralized network design that seamlessly integrates with the account and endpoint structure and meets security requirements across multiple accounts. This was accomplished using AWS Control Tower.
  • Transition clusters and applications with minimal or no disruption to business operations.


The Benefits

AWS-Multi-Account Structure for Separation of Access Rights

Set up, structure, test, and implement an AWS-multi-account structure to separate access rights and isolate different workloads.

Use AWS Control Tower and AWS Organizations to implement centrally managed security and compliance policies to enforce KRITIS security requirements for all created resources.

AWS Account Factory ensures that centrally created AWS environments within the organization comply with defined security and compliance rules. It can also be used to enable internal standards for each account via IaC.

This solution also enables centralized financial management and billing.

Centralized IaC Template Management via AWS Service Catalog

Centrally managed IaC templates are made available through the AWS Service Catalog.

These can be integrated when creating a new AWS account via the AWS Account Factory. Member accounts can later automatically create and delete required AWS resources through a defined product portfolio.

Centralized provisioning of IaC templates ensures that only resources that meet internal compliance requirements are created.

Define and Automate security standards

To comply with KRITIS-required security rules, AWS GuardRail rules are activated through the AWS Control Tower and AWS Organizations and centrally rolled out to all created AWS accounts.

AWS Service Control Policies are also centrally managed and used to define which AWS services can be used in which regions for the created accounts.

PROTOS Workshops and Trainings

PROTOS provides support through workshops and training sessions to work with the customer to find and implement a customized solution that meets current security requirements. We use agile methods to monitor and organize the continuous progress of the implementation and the entire project.

Have questions about this project or are you looking to modernize your own cloud infrastructure?

Contact our cloud expert Robert Hackenfort.