In this course, you will learn to:

• Establish a landing zone with AWS Control Tower
• Configure AWS Organizations to create a multi-account environment
• Implement identity management using AWS Single Sign-On users and groups
• Federate access using AWS SSO
• Enforce policies using prepackaged guardrails
• Centralize logging using AWS CloudTrail and AWS Config
• Enable cross-account security audits using AWS Identity and Access Management (IAM)
• Define workflows for provisioning accounts using AWS Service Catalog and AWS Security Hub

Course Introduction

• Instructor introduction
• Learning objectives
• Course structure and objectives
• Course logistics and agenda

Module 1: Governance at Scale

• Governance at scale focal points
• Business and Technical Challenges

Module 2: Governance Automation

• Multi-account strategies, guidance, and architecture
• Environments for agility and governance at scale
• Governance with AWS Control Tower
• Use cases for governance at scale

Module 3: Preventive Controls

• Enterprise environment challenges for developers
• AWS Service Catalog
• Resource creation
• Workflows for provisioning accounts
• Preventive cost and security governance
• Self-service with existing IT service management (ITSM) tools

Lab 1: Deploy Resources for AWS Catalog

• Create a new AWS Service Catalog portfolio and product.
• Add an IAM role to a launch constraint to limit the actions the product can perform.
• Grant access for an IAM role to view the catalog items.
• Deploy an S3 bucket from an AWS Service Catalog product.

Module 4: Detective Controls

• Operations aspect of governance at scale
• Resource monitoring
• Configuration rules for auditing
• Operational insights
• Remediation
• Clean up accounts

Lab 2: Compliance and Security Automation with AWS Config

• Apply Managed Rules through AWS Config to selected resources
• Automate remediation based on AWS Config rules
• Investigate the Amazon Config dashboard and verify resources and rule compliance

Lab 3: Taking Action with AWS Systems Manager

• Setup Resource Groups for various resources based on common requirements
• Perform automated actions against targeted Resource Groups

Module 5: Resources

• Explore additional resources for security governance at scale

This course is intended for:

• Solutions architects, security DevOps, and security engineers

Before attending this course, participants should have completed the following:

Required:

• AWS Security Fundamentals course
• AWS Security Essentials course

Optional:

• AWS Cloud Management Assessment
• Introduction to AWS Control Tower course
• Automated Landing Zone course
• Introduction to AWS Service Catalog course