AWS Platform Guide
Landing Zone Prerequisites
Create 1Password for credentials (To be completed by the Client)
If not already available, create an external identity provider for SSO and store its credentials in 1Password. AWS-supported options include Azure AD, CyberArk, JumpCloud, Okta, OneLogin and Ping Identity. Once a preferred SSO provider is chosen, the SSO management account should be created by the client. Note that the AWS default SSO option can also be used to start with, until the client is ready to subscribe to an external identity provider.
Create the AWS root account and store the root credentials in 1Password. If possible, the account should be created using a group email address, e.g. aws-management@example.com.
The Google Group must be set up to allow anyone on the web to post to the group:
General → Who Can Post → Anyone on the web
Otherwise, the verification email from AWS will not go through. If your group settings do allow anyone to post but you still do not see the AWS email, check under Conversations > Pending in Google Groups.
Create the following group emails to be used for the other dependency accounts in AWS (To be completed by the Client). To use the email address naming convention below, the ACCOUNT_EMAIL_PREFIX in your landing-zone configuration file should be aws-:
- aws-management@example.com
- aws-identity@example.com
- aws-audit@example.com
- aws-backup@example.com
- aws-report@example.com
- aws-log-archive@example.com
- aws-network@example.com
- aws-operations@example.com
- aws-sandbox@example.com
- aws-production@example.com
- sso-management@example.com
Create a GitHub organisation (To be completed by the Client).
Create the necessary repositories on GitHub.
Log in to AWS and enable MFA on the root account; the MFA can then be linked to 1Password.
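Two of the steps above lend themselves to a pre-flight check: the ACCOUNT_EMAIL_PREFIX naming convention for the account mailboxes, and MFA on the root account. The following Python is an added example, not part of the original guide or its landing-zone tooling; the account list, sample configuration and SummaryMap values are constructed, and the optional live check uses the real IAM GetAccountSummary API through boto3.

```python
"""Pre-flight checks for the landing-zone prerequisites described above (added example)."""

# Landing-zone accounts whose mailbox is derived from ACCOUNT_EMAIL_PREFIX.
# The sso-management mailbox belongs to the identity provider setup, so it is
# deliberately not derived from the prefix here.
LANDING_ZONE_ACCOUNTS = (
    "management", "identity", "audit", "backup", "report",
    "log-archive", "network", "operations", "sandbox", "production",
)

# Constructed sample configuration: "audit" drops the prefix and "sandbox" is missing.
SAMPLE_CONFIG = {n: f"aws-{n}@example.com" for n in LANDING_ZONE_ACCOUNTS if n != "sandbox"}
SAMPLE_CONFIG["audit"] = "audit@example.com"
# Constructed sample SummaryMap as returned by IAM GetAccountSummary: MFA not yet on root.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0}

def expected_account_emails(prefix, domain):
    """Return {account: email} exactly as the prefix convention derives them."""
    return {name: f"{prefix}{name}@{domain}" for name in LANDING_ZONE_ACCOUNTS}

def check_account_emails(configured, prefix, domain):
    """Report mailboxes that break the convention and accounts with no mailbox."""
    findings = []
    for name, email in expected_account_emails(prefix, domain).items():
        actual = configured.get(name)
        if actual is None:
            findings.append(f"{name}: no mailbox configured, expected {email}")
        elif actual.lower() != email.lower():
            findings.append(f"{name}: {actual} does not match {email}")
    return findings

def check_root_account(summary_map):
    """Evaluate the SummaryMap from IAM GetAccountSummary for the root hygiene
    this guide asks for: an MFA device enabled and no root access keys."""
    findings = []
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append("root account has no MFA device enabled")
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root account still has long-lived access keys")
    return findings

if __name__ == "__main__":
    print(check_account_emails(SAMPLE_CONFIG, "aws-", "example.com"))
    print(check_root_account(SAMPLE_SUMMARY))
    # Live check (requires boto3 and credentials for the account being verified):
    # import boto3
    # print(check_root_account(boto3.client("iam").get_account_summary()["SummaryMap"]))
```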
The guide for building and maintaining production-grade Kubernetes clusters with built-in support for SRE best practices.
Source available on GitHub.