CSI – AWS Landing Zone
The opportunity at a glance
CSI engaged Cevo to build an AWS Landing Zone to help set out a best practice framework for deploying a scalable, secure multi-account AWS environment.
The Centre for Social Impact (CSI) is an independent, not-for-profit, collaborative network of researchers, teachers and social change innovators at three leading universities: University of New South Wales, Swinburne University of Technology, and the University of Western Australia.
CSI develops and brings together knowledge to understand current social challenges and opportunities to create a better world. CSI works ethically and with rigour, across disciplines, ensuring that people, community and organisations are central.
Their new Amplify Online product is a suite of online reports and tools designed to help organisations improve their evidence-based decision making, program evaluation and ultimately their social impact.
CSI has had an organically grown presence in AWS with a small number of web-facing workloads that were not aligned to industry-standard practices around security, governance and observability.
With the upcoming release of the flagship Amplify Online project, CSI required a secure and scalable environment for it to be provisioned into. Amplify Online has a significantly larger footprint and, most importantly, additional data security requirements. CSI was seeking to address these concerns by adopting a number of recommendations from the AWS Well-Architected Framework in as lean a way as possible, to maximise the return on investment for the current Amplify project and others in the future.
CSI also identified the need to clearly define and implement an operating model incorporating cloud operations best practices for security, billing and account governance.
As with many organisations in the not-for-profit sector, CSI did not have the internal capacity or capability to implement and operate a well-architected AWS platform and asked Cevo for assistance to:
- Develop a cloud operating model that aligns to recommendations set out in the AWS Well-Architected Framework
- Design and implement an AWS platform that enables partners to manage workloads that adhere to CSI security and governance requirements
- Design and implement Continuous Integration and Continuous Delivery (CI/CD) for the Amplify Online project
- Operate and maintain the AWS platform so that it continues to hold well-architected status.
To meet the timelines for the first drop of the Amplify application, Cevo worked with CSI, AWS and API-Geeks (application developers) to stand up the foundation infrastructure within an initial period of 6 weeks.
An AWS Landing Zone was used to build a scalable, secure multi-account AWS environment. The Landing Zone solution is aligned with best practice and was designed to be application-agnostic, providing a secure management foundation for landing applications in AWS.
As part of the Landing Zone, an automated account provisioning process was also developed. The Account Vending Machine has been used successfully to create five accounts on demand for Amplify Online. These accounts have been created with security and compliance in mind and follow the best practices set up as part of the Landing Zone deployment.
While the Landing Zone was being implemented, Amplify Online was deployed into the provisioned environment. An automated CI/CD process for the multi-account environment was also built and deployed.
As a result of the successful project delivery, CSI signed up for ongoing Managed Delivery services from Cevo to proactively manage and maintain this environment as the various production workloads are rolled out.
With the deployment of the landing zone, CSI were able to successfully provision Amplify Online into the new, secure environment. In addition, the work completed within this project resulted in the following outcomes:
- The time taken to deploy AWS environments into the CSI environment has been reduced from days to hours
- CSI now have a unified view of all their AWS accounts, and better control of their billing across multiple accounts
- The Landing Zone, especially the automated account provisioning, will also allow CSI to grow and scale easily in the future
- Cevo’s assistance allowed CSI to align Amplify Online with their security and compliance principles. Security guardrails aligned with University policies are automatically monitored and deployed to reduce operational risk and the potential attack surface area for cyber incidents
- Account security was also enforced so that it now follows AWS Well-Architected principles
- CI/CD for the multi-account environment within the Landing Zone was successfully implemented. The CI/CD process allows Amplify Online and any future projects to deploy code continuously and in smaller increments, minimising risk and making faults easier to isolate
- Internal CSI teams now have a much better understanding of AWS, cloud technology, cloud security and compliance in the AWS cloud environment.