About the Company

The client is one of the real estate investment companies based in Redwood City, California. The company is a leader in global colocation data center market share, with 210 data centers in 25 countries on five continents. It connects the world's leading businesses to their customers, employees and partners inside the most interconnected data centers. On this global platform for digital business, companies come together across continents to reach everywhere, interconnect everyone and integrate everything they need to create their digital futures.

The Challenge

The company needed to move business-critical applications from on-premise to the cloud. The objective was to build immutable infrastructure with end-to-end automation and embedded security, which would allow it to scale rapidly and securely to meet increasing global demand. Alongside this, the right DR strategy had to be in place to cope with unplanned incidents.


Kapstone proposed and implemented a solution on Amazon Web Services (AWS) that met all of the company's needs. The solution was designed according to the AWS Well-Architected Framework and implemented a multi-account strategy with AWS Control Tower. Infrastructure as code (IaC) was designed and implemented using Terraform and Terragrunt to support the objective of immutable infrastructure. The work focused heavily on securing the infrastructure, with automation starting from the point a new account is provisioned via Control Tower. Bootstrapping steps were added to create a service role for CI/CD, configure custom AWS Config rules and apply custom SCPs to newly provisioned OUs. A private root certificate was set up per environment, and critical logging was enabled for core services along with application-level auditing. AWS Lambda based, event-driven automation was built to identify and fix non-compliance issues. A deployment strategy for microservices-based applications was also designed and implemented.

Detailed Solution

1. AWS Control Tower and Organization
Designed the OU structure per Real Estate Investment product (application), with each OU covering all prod and non-prod environments. Designed and implemented custom Service Control Policies per product to cover the following requirements:

  • Region restriction to allow access to only 3 regions
  • Restriction to allow only the Golden Image to provision EC2 instances
  • Restriction to allow only specific EC2 instance types
  • Disallow human users from stopping custom AWS Config rules
  • Disallow human users from disabling VPC flow logs
  • Disallow human users from disabling ELB access logs
  • Disallow human and service account users from deleting core infrastructure resources, i.e.
    • ELB
    • TGW attachment
    • Security groups
    • NACLs
  • Automation to enable and disable certain SCPs before production deployments, including design and implementation of the approval flow.
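
As an added illustration (not Kapstone's or the company's actual code), the following Terraform defines one SCP that implements four of the restrictions above, using the SSO role path to distinguish human users from pipeline roles; the region list, the golden-AMI owner account, the instance types and the `human_arn` pattern are assumptions or placeholders.

```hcl
locals {
  allowed_regions  = ["us-west-2", "us-east-1", "eu-west-1"] # assumption: the 3 approved regions
  golden_ami_owner = "111111111111"                           # placeholder: golden-AMI publishing account
  # Human access comes through AWS SSO permission sets, so a "human user" is an SSO role principal
  human_arn = "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
}

resource "aws_organizations_policy" "product_guardrails" {
  name = "product-guardrails"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { # Region restriction: deny outside the approved regions, but keep global services
        # and the Control Tower execution role working or account provisioning breaks
        Sid       = "RestrictRegions"
        Effect    = "Deny"
        NotAction = ["iam:*", "organizations:*", "sts:*", "support:*", "cloudfront:*", "route53:*", "health:*"]
        Resource  = "*"
        Condition = {
          StringNotEquals = { "aws:RequestedRegion" = local.allowed_regions }
          ArnNotLike      = { "aws:PrincipalArn" = "arn:aws:iam::*:role/AWSControlTowerExecution" }
        }
      },
      { # Golden image only: RunInstances is denied for any AMI not owned by the image account
        Sid       = "GoldenImageOnly"
        Effect    = "Deny"
        Action    = "ec2:RunInstances"
        Resource  = "arn:aws:ec2:*::image/ami-*"
        Condition = { StringNotEquals = { "ec2:Owner" = local.golden_ami_owner } }
      },
      { # Approved instance types only (assumption: t3.medium and m5.large)
        Sid       = "ApprovedInstanceTypes"
        Effect    = "Deny"
        Action    = "ec2:RunInstances"
        Resource  = "arn:aws:ec2:*:*:instance/*"
        Condition = { StringNotEquals = { "ec2:InstanceType" = ["t3.medium", "m5.large"] } }
      },
      { # Human (SSO) users cannot switch off Config rules, VPC flow logs or ELB access logs;
        # pipeline roles are unaffected. ELB has no per-attribute condition key, so humans lose
        # all ELB attribute changes, which is acceptable when ELBs are managed only by IaC.
        Sid       = "HumansCannotDisableLogging"
        Effect    = "Deny"
        Action    = ["config:DeleteConfigRule", "config:StopConfigurationRecorder", "ec2:DeleteFlowLogs",
                     "elasticloadbalancing:ModifyLoadBalancerAttributes"]
        Resource  = "*"
        Condition = { ArnLike = { "aws:PrincipalArn" = local.human_arn } }
      }
    ]
  })
}
```

The policy is attached to a product OU with an `aws_organizations_policy_attachment` whose `target_id` is the OU id; because SCPs only ever deny, each product account still needs ordinary IAM policies that grant the actions its workloads use.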

Deployment of AWS Control Tower and bootstrapping steps for newly provisioned accounts:

  • Create the service account role in the newly provisioned account
  • Delete all default VPCs from the regions that are not supported by Control Tower
  • Analyze the strongly recommended detective guardrails and apply them per OU

2. AWS SSO and IAM
AWS SSO was integrated with Ping Federate, with custom permission sets and a groups strategy designed and implemented. This implementation covered human user access to the AWS environment.
AWS IAM is used for the service account implementation. We designed a specific AWS account to provision all service accounts as IAM users; these IAM users are designed to assume
service roles in the product-specific AWS accounts. The high-level flow follows.
3. AWS Config
Identified the AWS Config rules that are not part of the detective guardrails and prepared the final requirements for the Config rule setup. All custom AWS Config rules were deployed using Terraform via the security pipeline. A custom aggregator was created in the Audit account to stream all findings to a centralized console, and a custom S3 bucket was created in the centralized logging account to hold the Config rule findings.
4. Private Certificate Authority
Designed and implemented a private root CA per prod and non-prod environment in a shared account. Set up and implemented automation to export and import certificates into product accounts depending on whether they are prod or non-prod.
Also designed a separate flow to cover host-specific certificate requirements.
5. KMS
Designed KMS keys per service account IAM user. Creation of the KMS keys is implemented via the security pipeline, and usage of each KMS key is restricted to its IAM user.
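
The service-account flow under item 2 (an IAM user in the central service-account AWS account assuming a service role in a product account) and the per-user key restriction above, as an added Terraform example that is not the project's own code; the provider aliases, the user name, the `-service-role` naming convention and the assumption that the key is used through the assumed role are all mine.

```hcl
provider "aws" { alias = "svc_accounts" } # assumption: credentials for the service-account AWS account
provider "aws" { alias = "product" }      # assumption: credentials for one product AWS account

locals { svc_user = "ci-cd-payments" } # placeholder: one service account per product pipeline

# The IAM user lives only in the service-account account and has no permissions of its own
resource "aws_iam_user" "svc" {
  provider = aws.svc_accounts
  name     = local.svc_user
}

# except assuming its own service role in the product accounts
resource "aws_iam_user_policy" "svc_assume_only" {
  provider = aws.svc_accounts
  user     = aws_iam_user.svc.name
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Resource = "arn:aws:iam::*:role/${local.svc_user}-service-role" }]
  })
}

# Product-account service role: trust is pinned to the single user ARN, not the whole account
resource "aws_iam_role" "svc_role" {
  provider = aws.product
  name     = "${local.svc_user}-service-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { AWS = aws_iam_user.svc.arn } }]
  })
}

# KMS key in the product account: only the account root (key administration) and the service
# role of this one user may use it, so no other principal in the account can decrypt with it
data "aws_caller_identity" "product" { provider = aws.product }

resource "aws_kms_key" "svc" {
  provider    = aws.product
  description = "Data key for ${local.svc_user}"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "KeyAdministration", Effect = "Allow", Action = "kms:*", Resource = "*",
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.product.account_id}:root" } },
      { Sid = "UseOnlyViaServiceRole", Effect = "Allow", Resource = "*",
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        Principal = { AWS = aws_iam_role.svc_role.arn } }
    ]
  })
}
```

The root statement is what keeps the key manageable by the product account's administrators and by the pipeline that created it; without it the key becomes unmanageable once the service role is removed.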
6. Centralized Logging
We designed and implemented a centralized logging solution for security-specific logs.
Types of logs:

  • AWS Services Security Logs
  • Application Specific Security logs
  • Other Applications logs
  • Operational Metrics
  • AWS Specific Security Logs

The logging and bucket structure follows.
For application-specific logs we targeted the following log types and implemented the solution to stream these logs to the centralized logging account.

  • EC2 ( /var/log/secure )
  • RDS ( Audit Logs )

7. SIEM integration
We integrated the centralized logging bucket with the SIEM tool. The integration was done with Securonix; using the same approach, we also ran a POC with the Exabeam SIEM tool.

8. Compliance tool (Prisma Cloud) implementation and automation
We implemented the Prisma Cloud solution for compliance. This implementation was also done via the CI/CD pipeline, and with it we are able to generate the list of non-compliant resources per compliance framework.

The Benefits

As a result, a multi-account strategy with a zero-trust architecture was successfully implemented. End-to-end automation was achieved to build immutable infrastructure with minimal end-user interaction, and a logging and auditing framework was implemented per the compliance requirements.