The AWS Accelerator is a tool designed to help deploy and operate secure multi-account, multi-region AWS environments on an ongoing basis. The power of the solution is the configuration file that drives the architecture deployed by the tool. This enables extensive flexibility and allows for the completely automated deployment of a customized architecture within AWS without changing a single line of code.
While flexible, the AWS Accelerator is delivered with a sample configuration file which deploys an opinionated and prescriptive architecture designed to help meet the security and operational requirements of many governments around the world (the initial focus was the Government of Canada). Tuning the parameters within the configuration file allows for the deployment of customized architectures and enables the solution to help meet the multitude of requirements of a broad range of governments and public sector organizations.
The installation of the provided prescriptive architecture is reasonably simple; deploying a customized architecture, however, requires an extensive understanding of the AWS platform.
What specifically does the Accelerator deploy and manage?
A common misconception is that the AWS Secure Environment Accelerator only deploys security services; this is not the case. The Accelerator is capable of deploying a complete end-to-end hybrid enterprise multi-region cloud environment.
Additionally, while the Accelerator is initially responsible for deploying a prescribed architecture, it more importantly allows for organizations to operate, evolve, and maintain their cloud architecture and security controls over time and as they grow, with minimal effort, often using native AWS tools. Customers don't have to change the way they operate in AWS.
Specifically, the Accelerator deploys and manages the following functionality, both at initial deployment and as new accounts are created, added, or onboarded, in a completely automated but customizable manner:
Creates AWS Accounts
Core Accounts - as many or as few as your organization requires, using the naming you desire. These accounts are used to centralize core capabilities across the organization and provide control-panel-like capabilities across the environment. Common core accounts include:
Shared Network
Operations
Perimeter
Log-Archive
Security-Audit
Workload Accounts - created either through automated concurrent mass account creation or one at a time through AWS Organizations. These accounts are used to host a customer's workloads and applications.
Scales to thousands of AWS accounts
Supports AWS Organizations nested OUs and importing existing AWS accounts
Performs 'account warming' to establish initial limits, when required
Automatically submits limit increases, when required (complies with the initial limits until they are increased)
Creates Networking
Transit Gateways and TGW route tables (incl. inter-region TGW peering)
Deploys an rsyslog auto-scaling cluster behind an NLB, with all syslogs forwarded to CloudWatch Logs
Centralized access to "Cloud Security Service" consoles from a designated AWS account
Centralizes logging to a single S3 bucket (enables, configures and centralizes the following):
VPC Flow Logs with enhanced metadata fields (also sent to CWL)
Organizational Cost and Usage Reports
CloudTrail Logs including S3 Data Plane Logs (also sent to CWL)
All CloudWatch Logs (includes rsyslog logs)
Config History and Snapshots
Route 53 Public Zone Logs (also sent to CWL)
GuardDuty Findings
Macie Discovery results
ALB Logs
SSM Session Logs (also sent to CWL)
Resolver Query Logs (also sent to CWL)
Relationship with AWS Landing Zone Solution (ALZ)
The ALZ is an AWS Solution designed to deploy a multi-account AWS architecture for customers based on best practices and lessons learned from some of AWS' largest customers. The AWS Accelerator draws on design patterns from the Landing Zone, and re-uses several concepts and nomenclature, but it is not directly derived from it, nor does it leverage any code from the ALZ. The initial versions of the AWS Accelerator presupposed the existence of an AWS Landing Zone Solution in the AWS Organization; this requirement has since been removed as of release v1.1.0.
The Accelerator is now a completely standalone solution.
Relationship with AWS Control Tower
AWS Control Tower is the successor to the ALZ, but offered as an AWS managed service.
When appropriate, it is envisioned that the AWS Accelerator will add the capability to be deployed on top of AWS Control Tower, as we initially allowed with the ALZ.
Accelerator Deployment Process (Summary)
This summarizes the installation process; the full installation document can be found in the documentation section below.
Create a config.json (or config.yaml) file to represent your organization's requirements (several samples are provided)
Create a Secrets Manager secret which contains a GitHub token that provides access to the Accelerator code repo
Create a unique S3 input bucket and place your config.json and any additional custom config files in the bucket
Download and execute the latest installer CloudFormation template in your Organization's root (management) account, in its preferred 'primary' / 'home' region
Wait for:
CloudFormation to deploy and start the CodePipeline (~5 mins)
CodePipeline to download the Accelerator codebase and install the Accelerator State Machine (~20 mins)
The Accelerator State Machine to finish execution (~1.5 hrs)
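The steps above, scripted with the AWS CLI as an added example. This is not the project's installer or any of its code: the secret name accelerator/github-token, the stack name ASEA-Installer and the installer parameter ConfigS3Bucket are assumptions to be checked against the installer template you download from the project's releases, and INSTALLER_URL must be supplied by you. Beyond the listed steps it adds the checks a practitioner would want: it refuses to run outside the expected management account, validates the bucket name and config file type before anything is created, blocks public access on and encrypts the input bucket, and feeds the GitHub token from the environment via stdin so it never appears on a command line.

```shell
#!/bin/sh
# Added example: scripted version of the Accelerator installer steps.
# Not the project's own installer. SECRET_NAME, STACK_NAME and the installer
# parameter names are assumptions; confirm them against the template you download.
set -eu

REGION=${REGION:-ca-central-1}                       # your 'primary' / 'home' region
CONFIG=${CONFIG:-config.json}                        # config.json or config.yaml
SECRET_NAME=${SECRET_NAME:-accelerator/github-token} # assumed secret name
STACK_NAME=${STACK_NAME:-ASEA-Installer}             # assumed stack name
TEMPLATE=installer.template.json

# S3 bucket naming rules: 3-63 chars; lowercase letters, digits, dots, hyphens;
# starts and ends alphanumeric; no '..'; not an IPv4 address; no reserved affixes.
# Checked first because a bad name only fails at create-bucket, after the secret exists.
bucket_name_ok() {
  n=$1
  [ ${#n} -ge 3 ] && [ ${#n} -le 63 ] || return 1
  case $n in
    *[!a-z0-9.-]*|[!a-z0-9]*|*[!a-z0-9]|*..*|xn--*|*-s3alias) return 1 ;;
  esac
  case $n in
    *[a-z-]*) ;;                                # contains a letter or hyphen: not an IP
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 1 ;;    # dotted digits only: looks like IPv4
  esac
  return 0
}

# The Accelerator reads config.json or config.yaml; reject anything else before upload.
config_kind() {
  case $1 in
    *.json) echo json ;;
    *.yaml) echo yaml ;;
    *) echo "config must be a .json or .yaml file: $1" >&2; return 1 ;;
  esac
}

preflight() {
  command -v aws >/dev/null || { echo "aws CLI not found" >&2; exit 1; }
  : "${BUCKET:?set BUCKET to a globally unique input bucket name}"
  : "${INSTALLER_URL:?set INSTALLER_URL to the latest installer template URL}"
  : "${GITHUB_TOKEN:?set GITHUB_TOKEN in the environment (never as a CLI argument)}"
  bucket_name_ok "$BUCKET" || { echo "invalid bucket name: $BUCKET" >&2; exit 1; }
  config_kind "$CONFIG" >/dev/null
  [ -r "$CONFIG" ] || { echo "cannot read $CONFIG" >&2; exit 1; }
  INSTALLER_PARAMS=${INSTALLER_PARAMS:-ConfigS3Bucket=$BUCKET}   # assumed parameter name
  # Refuse to run anywhere but the management account when told which one that is.
  acct=$(aws sts get-caller-identity --query Account --output text)
  if [ -n "${EXPECTED_ACCOUNT:-}" ] && [ "$acct" != "$EXPECTED_ACCOUNT" ]; then
    echo "signed in to $acct, expected management account $EXPECTED_ACCOUNT" >&2; exit 1
  fi
}

create_token_secret() {
  # The token is piped through stdin so it is not visible in the process list.
  printf '%s' "$GITHUB_TOKEN" | aws secretsmanager create-secret --region "$REGION" \
    --name "$SECRET_NAME" --description "GitHub token for the Accelerator code repo" \
    --secret-string file:///dev/stdin >/dev/null
}

create_input_bucket() {
  # us-east-1 must not be given a LocationConstraint; every other region must.
  if [ "$REGION" = us-east-1 ]; then
    aws s3api create-bucket --bucket "$BUCKET" --region "$REGION" >/dev/null
  else
    aws s3api create-bucket --bucket "$BUCKET" --region "$REGION" \
      --create-bucket-configuration LocationConstraint="$REGION" >/dev/null
  fi
  aws s3api put-public-access-block --bucket "$BUCKET" --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws s3api put-bucket-versioning --bucket "$BUCKET" --versioning-configuration Status=Enabled
  aws s3api put-bucket-encryption --bucket "$BUCKET" --server-side-encryption-configuration \
    '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
  aws s3 cp "$CONFIG" "s3://$BUCKET/$(basename "$CONFIG")"
}

deploy_installer() {
  curl -fsSL "$INSTALLER_URL" -o "$TEMPLATE"
  # 'deploy' blocks until the installer stack is CREATE_COMPLETE (~5 min).
  # $INSTALLER_PARAMS is word-split on purpose so several Key=Value pairs can be passed.
  aws cloudformation deploy --region "$REGION" --stack-name "$STACK_NAME" \
    --template-file "$TEMPLATE" --capabilities CAPABILITY_NAMED_IAM \
    --parameter-overrides $INSTALLER_PARAMS
}

main() {
  preflight
  create_token_secret
  create_input_bucket
  deploy_installer
  echo "Installer stack created. Watch the CodePipeline (~20 min) and then the"
  echo "Accelerator State Machine (~1.5 h) before using the environment."
}

# Only touch AWS when explicitly asked, so the helpers can be checked without credentials.
if [ "${1:-}" = deploy ]; then
  main
fi
```

Run it as `BUCKET=... INSTALLER_URL=... GITHUB_TOKEN=... EXPECTED_ACCOUNT=... sh install.sh deploy` with credentials for the management account. The public-access block, versioning and default encryption on the input bucket are not required by the installer but are cheap protection for a bucket whose contents define your whole environment.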