AWS - Machine Learning

Fernando Honig

Last updated 2 years ago

The StackZone Machine Learning setup includes the components needed to support and build compliance for workloads using ML/AI Ops.

Components Created:

  • Shared Services Account:
    • Amazon VPC including Private and Public Subnets distributed in 2 availability zones in the primary region
  • Log-Archive Account:
    • Shared Amazon S3 Bucket with a lifecycle policy to store logs up to 7 years
  • Security Account:
    • Aggregated SNS Security Topic (your email distribution list or account must be configured after the initial setup to start receiving the notifications)
    • Central Amazon GuardDuty detector
    • Central AWS Config global aggregator to visualise your compliance from a single place for your entire Organization
  • Primary Account:
    • Security Services Delegation to the Security Account
      • AWS Security Hub (if enabled)
      • Amazon S3 Storage Lens
      • AWS License Manager
      • AWS Systems Manager
      • Amazon Macie
      • AWS IAM Access Analyzer
    • Custom AWS Budget Actions: Every 24 hours, scans each account's consumption and, based on the tags applied to the account, may attach the stackzone-restrict-all-guardrails policy to prevent new resources from being launched.
    • AWS Compute Optimizer: Enables this service in all accounts in the Organization
    • Amazon Macie Aggregator: Configures Amazon Macie in all accounts and centralizes the results in the Security Account
  • Service Control Policies
    • Core OU Mandatory Preventive GuardRails
    • Workloads OU Mandatory Preventive GuardRails
    • StackZone Deny Preventive GuardRails
    • StackZone Allow Enabled Regions GuardRails
    • StackZone Allowed Tags Preventive GuardRails
    • StackZone Deny Networking Preventive GuardRails
    • StackZone Machine Learning Services Preventive GuardRails
  • Baseline Services (Applied to every account managed by StackZone)
    • Lambda Helper: required Lambda functions for StackZone to operate
    • SNS Helper: required to forward Security SNS notifications from all accounts to the Security Account
    • Key Management Service: Creates AWS KMS Keys for Amazon EBS Volumes, CloudWatch Logs and SNS Topics to be encrypted to maintain compliance.
    • Amazon CloudTrail: Enables a multi-region, encrypted Trail in every account in the primary region that logs every action to the Amazon S3 Bucket in the Log-Archive Account and locally to an Amazon CloudWatch LogGroup.
    • AWS Config:
      • Creates an AWS IAM Role to run AWS Config Rules and Remediations.
      • Enables AWS Config local aggregator in each account in the primary region
      • Enables these global AWS Config rules in all accounts:
        • StackZone-AccountPartofOrganizationsCheck
        • StackZone-SSOEnabledCheck
        • StackZone-CheckForRootMfa
        • StackZone-CheckForIamPasswordPolicy
        • StackZone-CheckForIAMUserMFA
        • StackZone-AccessKeysRotated
        • StackZone-IAMRootAccessKeyCheck
        • StackZone-IAMGroupNoUsersCheck
        • StackZone-IAMPolicyNoAdminCheck
        • StackZone-IamUserGroupMembershipCheck
      • Enables Automatic Remediation for:
        • CheckForIamPasswordPolicyRemediation
          • Require Lowercase
          • Require Uppercase
          • Require Symbols
          • Require Numbers
          • Minimum Password Length: 14
          • Maximum Password Age: 90 days
          • Password reuse prevention: 24
      • Enables these regional AWS Config rules in all accounts:
        • StackZone-CheckForEFSEncrypted
        • StackZone-CheckForEBSEncrypted
        • StackZone-CloudWatchRetentionPeriod
        • StackZone-CloudwatchLogGroupEncrypted
        • StackZone-CloudtrailEnabledCheck
        • StackZone-CloudTrailSecurityTrailEnabled
        • StackZone-MultiRegionCloudTrailEnabled
        • StackZone-CloudTrailLogFileValidationEnabled
        • StackZone-CloudTrailEncryptionEnabled
        • StackZone-GuardDutyEnabled
        • StackZone-CheckForS3PublicRead
        • StackZone-CheckForS3PublicWrite
        • StackZone-VPCFlowLogsEnabled
        • StackZone-VPCS3EndpointCheck
        • StackZone-SagemakerNotebookNoDirectInternetAccessCheck
        • StackZone-SagemakerEndpointConfigKmsKeyConfiguredCheck
        • StackZone-SagemakerNotebookInstanceKmsKeyConfiguredCheck
      • Enables Automatic Remediation for:
        • StackZone-CloudWatchRetentionPeriod
          • Set 14 days retention
        • StackZone-CloudwatchLogGroupEncrypted
          • Encrypts using the local KMS Key
        • StackZone-CloudTrailLogFileValidationEnabled
          • Enables LogFileValidation for CloudTrail
        • StackZone-MultiRegionCloudTrailEnabled
          • Enables MultiRegion for CloudTrail
        • StackZone-VPCFlowLogsEnabled
          • Enables VPC Flow Logs on all VPCs
        • StackZone-VPCS3EndpointCheck
          • Creates a VPC S3 Endpoint for all VPCs
    • Amazon CloudWatch alarms:
      • Amazon CloudTrail changes alarm
      • AWS Console failed sign-in alarm
      • AWS IAM Policy changes alarm
      • AWS IAM root login alarm
      • AWS Console sign-in no MFA alarm
      • Amazon Macie findings alarm
      • AWS IAM Access Analyzer findings alarm
    • AWS Service Catalog:
      • Creates Network Portfolio with VPC and Endpoints products
      • Creates Security Portfolio with KMS and WAF products
      • Creates SageMaker Portfolio with SageMaker-Studio product
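To make the rule and remediation entries above concrete, here is an added example (not StackZone's code) of the evaluation logic behind a few of the listed AWS Config rules, run offline over constructed resource descriptions. The field names follow the response shapes of IAM GetAccountPasswordPolicy, CloudTrail DescribeTrails and SageMaker DescribeNotebookInstance; the sample password policy, trail and notebook are constructed for the example, and the rule names are taken from the list above.

```python
# Added example, not StackZone's code: evaluation logic for a few of the
# AWS Config rules listed on this page, run offline over constructed inputs.
# Field names follow IAM GetAccountPasswordPolicy, CloudTrail DescribeTrails
# and SageMaker DescribeNotebookInstance; the sample values are constructed.

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# Target values listed for CheckForIamPasswordPolicyRemediation.
REQUIRED_PASSWORD_POLICY = {
    "RequireLowercaseCharacters": True,
    "RequireUppercaseCharacters": True,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "MinimumPasswordLength": 14,
    "MaxPasswordAge": 90,          # days; must be set and no longer than this
    "PasswordReusePrevention": 24,
}


def _password_setting_ok(key, required, actual):
    """One setting is compliant when it is at least as strict as the baseline."""
    if isinstance(required, bool):
        return actual is True
    if actual is None:
        return False
    if key == "MaxPasswordAge":
        return 0 < actual <= required   # a shorter rotation period is still fine
    return actual >= required


def evaluate_password_policy(policy):
    """StackZone-CheckForIamPasswordPolicy: verdict plus the settings that fail."""
    failures = [k for k, req in REQUIRED_PASSWORD_POLICY.items()
                if not _password_setting_ok(k, req, policy.get(k))]
    return (NON_COMPLIANT if failures else COMPLIANT), failures


def remediate_password_policy(policy):
    """CheckForIamPasswordPolicyRemediation: the policy that would be written back.
    Settings that are already stricter than the baseline are left untouched."""
    fixed = dict(policy)
    for key, required in REQUIRED_PASSWORD_POLICY.items():
        if not _password_setting_ok(key, required, fixed.get(key)):
            fixed[key] = required
    return fixed


def evaluate_trail(trail):
    """Three of the CloudTrail checks listed above, one verdict per rule."""
    return {
        "StackZone-MultiRegionCloudTrailEnabled":
            COMPLIANT if trail.get("IsMultiRegionTrail") else NON_COMPLIANT,
        "StackZone-CloudTrailLogFileValidationEnabled":
            COMPLIANT if trail.get("LogFileValidationEnabled") else NON_COMPLIANT,
        "StackZone-CloudTrailEncryptionEnabled":
            COMPLIANT if trail.get("KmsKeyId") else NON_COMPLIANT,
    }


def evaluate_notebook(notebook):
    """The two SageMaker notebook-instance checks listed above."""
    return {
        "StackZone-SagemakerNotebookNoDirectInternetAccessCheck":
            COMPLIANT if notebook.get("DirectInternetAccess") == "Disabled" else NON_COMPLIANT,
        "StackZone-SagemakerNotebookInstanceKmsKeyConfiguredCheck":
            COMPLIANT if notebook.get("KmsKeyId") else NON_COMPLIANT,
    }


# Constructed sample inputs: a password policy that was never hardened, a trail
# created with defaults, and a notebook with direct internet access left on.
SAMPLE_PASSWORD_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "PasswordReusePrevention": 5,
}
SAMPLE_TRAIL = {"Name": "example-trail", "IsMultiRegionTrail": False,
                "LogFileValidationEnabled": False}
SAMPLE_NOTEBOOK = {"NotebookInstanceName": "example-notebook",
                   "DirectInternetAccess": "Enabled",
                   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}

if __name__ == "__main__":
    verdict, failing = evaluate_password_policy(SAMPLE_PASSWORD_POLICY)
    print("password policy:", verdict, failing)
    fixed = remediate_password_policy(SAMPLE_PASSWORD_POLICY)
    print("after remediation:", evaluate_password_policy(fixed))
    print("trail:", evaluate_trail(SAMPLE_TRAIL))
    print("notebook:", evaluate_notebook(SAMPLE_NOTEBOOK))
```

Running the block reports the four password-policy settings that miss the baseline (symbols, minimum length, maximum age, reuse prevention), shows that the remediated policy evaluates as compliant, and flags the default trail and the internet-enabled notebook. The remediation only raises settings that fall short, so an account that already enforces a 20-character minimum keeps it.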

Average time to deploy: 2 hours (including the creation of all AWS accounts)
