AWS CONTROL TOWER, NETWORKING, AND ACCOUNT PROVISIONING AUTOMATION
“The end result of this project is what we hope to accomplish with every project: it went very well. Hours were budgeted well, the consultant was ready to go each day, and communication was excellent. 1Strategy brought the right combination of technical ability and interpersonal skills. We made progress every single day.”
– Randall Autry, SVP of Architecture and Cloud Strategy, MasterControl
Everything MasterControl does is designed to help life sciences organizations develop, manufacture, and commercialize products that help people live longer, healthier, and more enjoyable lives. MasterControl solutions are used by five of the largest regulatory and applied research bodies in the United States. A leading software-as-a-service (SaaS) provider, MasterControl’s mission is to bring life-changing products to more people sooner. It does this by providing cloud-based solutions that help organizations digitize, automate and connect quality and compliance processes across the regulated product development life cycle.
MasterControl wanted to maximize innovation while minimizing exposure to risk. They needed a solution to give their developers the option to explore and learn within AWS without adding security risks or breaking existing infrastructure or applications. MasterControl was also looking to simplify account management in AWS and have better visibility into costs.
Why Amazon Web Services and 1Strategy
MasterControl had a team that researched which cloud provider best fit their feature and fault tolerance requirements. They determined that AWS offers the most tools and services that MasterControl could leverage for their products. MasterControl was also impressed by how much AWS invests in their customers.
MasterControl was introduced to 1Strategy by previous 1Strategy customers in Utah. They ultimately decided to work with 1Strategy because of their reputation for deep AWS expertise and delivering high quality projects. “1Strategy stepped in and helped us get where we need to be. We’ve worked with other consultants in the past and the level of dedication that 1Strategy had was amazing,” said Randall Autry, SVP of Architecture and Cloud Strategy at MasterControl.
Wanting to give developers freedom to explore, build, and develop on AWS, 1Strategy designed a multi-account platform. AWS Control Tower, AWS Organizations, AWS Service Catalog, AWS Step Functions, AWS Lambda, and AWS CloudFormation provide the basis for the platform. This multi-account structure allows developers to utilize individual accounts and provides greater flexibility and enhanced security. “Control Tower is brand-new, and it’s a solid product, overall, for being so new. We experienced some minor setbacks, but the AWS team has done a great job fixing little nuances and bugs quickly,” said Jared James, Site Reliability Engineer at MasterControl.
Diagram representing AWS Control Tower, AWS Organizations, and AWS SSO configurations. Accounts are organized into separate Organizational Units (OUs). Each OU has various Control Tower Guard Rails and Service Control Policies in place to enhance the security of accounts in their respective OUs.
Using AWS Service Catalog, AWS Step Functions, and AWS Lambda, the 1Strategy team was able to provide an account vending machine to provision new AWS accounts through Control Tower’s Account Factory. The account vending machine allows AWS administrators to provide a list of users that need accounts as input and then the vending machine provisions accounts for those users automatically with necessary guard rails, restrictions, and core networking components in place.
1Strategy assisted with the creation of standardized networking infrastructure for MasterControl’s AWS environment. Utilizing AWS CloudFormation stack sets and custom resources backed by AWS Lambda, unique IP ranges are assigned to each VPC in newly created accounts. Amazon Route 53 hosted zones are created for specific subdomains delegated to each developer account. The root domain hosted zone lives in a shared networking account that the network team controls. This allows developers the option to control their own DNS records for development purposes, but still gives the network team centralized control of the root domains. All accounts also utilize the AWS Serverless Transit Network Orchestrator solution to provide easy access to the AWS Transit Gateway configured in a shared networking account.
AWS Single Sign-On (SSO) has allowed MasterControl to have a single-entry point for developers, and a place to control IAM role access for all accounts. 1Strategy helped MasterControl integrate Okta into AWS SSO for authentication and create IAM roles and policies with appropriate levels of access. Developers have the autonomy to explore and build in their individual and team accounts, but still have sufficient guardrails and restrictions in place to reduce spending and to protect themselves and the company from unnecessary risk.
MasterControl management has better visibility into their AWS spending thanks to consolidated billing and AWS Cost Explorer reports. Visibility into costs has decreased overhead for tracking specific service costs. It has made unusual charges easier to identify quickly. “We don’t just pay the bill anymore. We are more aware of where costs are coming from,” said Chris Gibbons, Development Operations Manager at MasterControl.
Additionally, the multi-account structure has significantly reduced the usage of a single, less restrictive AWS account and has increased platform security by reducing the blast radius to individual developer accounts, rather than one large account. With the help of 1Strategy, some AWS Config rules were implemented to help to continuously monitor for out-of-compliance infrastructure, such as overly permissive IAM roles. Service control policies (part of AWS Organizations) serve as additional safety nets to limit permissions. During a recent security game day, MasterControl was able to put their new platform to the test. “Control Tower and AWS SSO has given us tremendous visibility and control during a simulated event that could have been catastrophic,” said Gibbons. “It took 15 minutes to lock down 60 accounts.” MasterControl reports that the new platform has made the organization more security conscious and it has had a positive effect on security culture and focus.
“Normally, I’d expect to step in and redirect the project every so often to make sure things were on track, but I didn’t have to do that at all for this project,” said Autry. “Focus was really good with the scope and 1Strategy was great at sticking to the objectives.”
“The end result of this project is what we hope to accomplish with every project: it went very well. Hours were budgeted well, the consultant was ready to go each day, and communication was excellent. 1Strategy brought the right combination of technical ability and interpersonal skills. We made progress every single day,” said Autry. This new platform gives MasterControl a solid AWS foundation to build from and allows them to continue to push forward with their cloud initiatives and goals in a secure way.
1Strategy is an AWS Partner Network (APN) Premier Consulting Partner, focusing exclusively on Amazon Web Services (AWS). 1Strategy helps businesses architect, migrate, and optimize their workloads on AWS, creating scalable, cost-effective, secure, and reliable solutions. 1Strategy also helps customers get real value from their data using comprehensive machine learning models and artificial intelligence. 1Strategy holds the AWS DevOps, Migration, Data & Analytics, and Machine Learning Competencies, and is a partner of the AWS Public Sector Program and the AWS Well-Architected Program. With experts having deployed AWS solutions since 2007, 1Strategy is a leader in custom training—providing customers with the knowledge, tools, and best practices to manage those solutions over time. 1Strategy is a TEKsystems Global Services company with teams in Seattle and Salt Lake City, supporting customers throughout the US and across every vertical.