AWS ControlTower US (LZA)
TOC
- Log Archive Account
- Audit Account
- AWS ControlTower (LZA) - Additional Accounts
- AWS ControlTower (LZA) - Mandatory Accounts
- AWS ControlTower (LZA) - Shared Accounts
AWS Mandatory Accounts
Log Archive Account:
The log archive shared account is set up automatically when you create your landing zone. This account contains a central Amazon S3 bucket for storing a copy of all AWS CloudTrail and AWS Config log files for all other accounts in your landing zone.
Audit Account:
This shared account is set up automatically when you create your landing zone. The audit account should be restricted to security and compliance teams with auditor (read-only) and administrator (full-access) cross-account roles to all accounts in the landing zone. These roles are intended to be used by security and compliance teams to:
- Perform audits through AWS mechanisms, such as hosting custom AWS Config rule Lambda functions.
- Perform automated security operations, such as remediation actions.
AWS ControlTower LZA - Shared Accounts
Network Account:
This account provides network services such as VPCs, NAT gateways, PrivateLink endpoints, Network Firewall, IPsec connections and DNS services (Route 53). Network elements are shared with the other accounts via AWS RAM; CloudWatch is also used for metrics, such as firewall metrics.
DevOps Account:
This account provides DevOps resources, such as ECR registries and an S3 store for IaC.
Workload_SIA Account:
Main workload account for Unibeam services:
- EKS
- S3
- ALB/NLB/EIP
- Cache Service (Redis OSS) - IL
External Services:
- CloudAtlas - MongoDB - DEV, IZZI, IL, Indosat
- RedisLabs - Redis KEY/VALUE - ATnT
- Scytel AI - Audit tool, subscription based on ATnT
AWS Services Usage:
- AWS Network F/W - deployed for "Prod ENVs"
- S3 - used for log storage and metrics (Loki, Prom-Stack, IaC)
- ECR - Docker image store
- VPC - network stack; IPsec is terminated either by AWS or by a MikroTik firewall
- ALB/NLB - every external API/dashboard gets an ALB with a certificate; every NLB gets an EIP (SIM-SERVICE)
- ACM - Certificate generation and imported certificate store
Note
In LZA (Control Tower) accounts, region us-east-1 should be enabled by default. In Indosat/ATnT, Network Firewall is deployed as a single instance for each leg: the SEC-Spoke and the main WL-VPC.
ATnT - US
Regions: us-east-1, us-west-2
| Account Name | Account ID | Account Email | AWS Services |
|---|---|---|---|
| Audit | 337909738532 | aws-audit-us@unibeam.com | CloudTrail, S3 |
| Unibeam_Workload_SIA_Prod | 345594589655 | aws-workload-sia-prod-us@unibeam.com | EKS, ALB, NLB, EIP |
| Unibeam_DevOps | 710271914112 | aws-devops-prod-us@unibeam.com | ECR |
| Unibeam_Infrastructure_Network | 216989095515 | aws-network-us@unibeam.com | VPC, F/W, Route 53, EIP |
| LoggingArchive | 796973503691 | aws-security-us@unibeam.com | CloudTrail, S3 |
| Unibeam_payer | 412381733189 | aws-general-us@unibeam.com | SCPs, AWS Organizations, Control Tower |
| Unibeam DEV Account | 226177691629 | devops@unibeam.com | |
| IOT-IL-Test | 743863807499 | iot-il@unibeam.com | |
Note
Scytel Subscription is enabled on Unibeam_payer 412381733189
Indosat - BigHen - Closed / In Closure Process
Regions: us-east-1, ap-southeast-3
| Account Name | Account ID | Account Email | AWS Services |
|---|---|---|---|
| Audit | 533267302446 | aws-audit@unibeam.com | CloudTrail, S3 |
| Unibeam_Workload_SIA_Prod | 590183700505 | aws-workload-sia-prod@unibeam.com | ECR |
| Unibeam_Workload_SIA_Sandbox | 533267049792 | aws-workload-sandbox@unibeam.com | None |
| Unibeam_DevOps_PROD | 471112734062 | aws-devops-prod@unibeam.com | EKS, ALB, NLB |
| Unibeam_Infrastructure_Shared | 339712950638 | aws-infra-shared@unibeam.com | None |
| Unibeam_Infrastructure_Network | 851725457858 | aws-network@unibeam.com | VPC, F/W, Route 53, NAT |
| LoggingArchive | 637423490630 | aws-security@unibeam.com | CloudTrail, S3 |
| unibeam | 381492071054 | Bighen_payer@cldze.com | SCPs, AWS Organizations, Control Tower |
Warning
In closure process
IL - VerifyHub
Regions: us-east-1, il-central-1
| Account Name | Account ID | Account Email | AWS Services |
|---|---|---|---|
| Unibeam_Security_Audit | 767397835464 | AWS_Security_Audit@verify-hub.com | CloudTrail, S3 |
| Unibeam_Workload_SIA_Prod | 767397835464 | AWS_Workload_SIA_Prod@verify-hub.com | ECR |
| Unibeam_Workload_SIA_Staging | 730335414305 | AWS_Workload_SIA_Staging@verify-hub.com | None |
| Unibeam_DevOps_PROD | 730335470979 | AWS_DevOps_PROD@verify-hub.com | EKS, ALB, NLB |
| Unibeam_Infrastructure_SharedNetwork | 654654342414 | AWS_Infrastructure_SharedNetwork@verify-hub.com | None |
| Network | 975049927378 | AWS_Infrastructure_Network@verify-hub.com | VPC, F/W, Route 53, NAT |
| Unibeam_Security_LoggingArchive | 767397835464 | AWS_Security_Audit@verify-hub.com | CloudTrail, S3 |
| MidLink Verify-Hub | 891377272948 | midlinkmgmt+verify-hub@midlink.co.il | SCPs, AWS Organizations |
Warning
Billing is managed by VerifyHub
AWS DEV Account:
Regions: us-east-1, us-west-1
| Account Name | Account ID | Account Email | AWS Services |
|---|---|---|---|
| DEV-US | 226177691629 | AWS_Security_Audit@verify-hub.com | EKS, S3, ECR, NLB, ALB, EIP, VPCs |
- The account contains multiple EKS workloads, including the IZZI production environment.
- POC environments are deployed to the dev-us EKS cluster; every POC gets 3 workers (t3a.large or t3a.xlarge).
| EKS Cluster | Environments | Region | Notes |
|---|---|---|---|
| dev-us | mtn-poc, orange-sp-poc, orange-poc, telefonica-poc | us-east-1 | |
| atandt-poc | | us-east-1 | |
| tim-poc | | us-east-1 | |
| izzi-eks-prod | IZZI | us-west-1 | In decommission |
| demo | | us-east-1 | |
POC
Some POC environments cannot be migrated to the DEV-US EKS cluster because of network constraints: IPsec is already configured and connected for tim-poc, telcel-poc and atnt-poc.
Billing:
- ATnT - US and DEV-US accounts are currently connected to CloudHealth (https://apps.cloudhealthtech.com/).
- IL - VerifyHub billing is managed by VerifyHub.