AWS Control Tower: Best Practices in Managing Multiple AWS Accounts

AWS Case Study Summary


Zebit, an eCommerce/FinTech based in Los Angeles, sought to improve the organization and structure of their AWS accounts. They had just one AWS account hosting multiple environment workloads, which caused several challenges including user management issues, complex IAM policies, security and compliance violations, and business continuity risks. By harnessing select AWS services, Stratus10 helped Zebit address their challenges by delivering a structured, secure, and governed environment that was able to handle different workloads effectively and in line with Zebit's compliance requirements.
 

Highlights

 

  • Leveraged AWS Control Tower best practices to create a landing zone with AWS IAM Identity Center, bringing organization and structure to Zebit's AWS account management.
  • Successfully established six separate AWS accounts, segregated by environment and function, enhancing governance and oversight while reducing the risk of cross-contamination.
  • Within each environment-specific account, created a unique Virtual Private Cloud (VPC) to host corresponding workloads, thereby streamlining management and bolstering security.
  • Delivered a standardized, secure, and compliant multi-account AWS environment by deploying the landing zone together with centralized single sign-on.

About Zebit


Zebit is an eCommerce/FinTech company changing the purchasing power of millions of U.S. credit-challenged consumers by giving them access to products using long-term payment plans without any hidden fees or penalties.

Founded in 2015, Zebit has earned accolades in and beyond their industry, including Best Places to Work in San Diego, Fastest Growing Private Companies, the Benzinga Global Fintech Awards, and The Future of Money and Technology Winning Startup.

Website: https://zebit.com

 

Challenges


Zebit grappled with challenges stemming from the way they managed their AWS account. Their core issue was a single AWS account hosting workloads for multiple environments, with operations users, DevOps users, and developers all holding IAM users in that same account. As Zebit grew, this lack of segregation complicated governance and turned the enforcement of IAM policies into a web of exceptions.

Coupled with this, Zebit sought to improve their security, business continuity, and disaster recovery. Their PCI DSS Level 2 obligations require them to protect their production workloads, which proved challenging given the intertwined structure of the account: production workloads were scattered across multiple Virtual Private Clouds (VPCs), making it difficult to enforce stringent controls, and internal tools shared a VPC with production workloads. Zebit wanted to address this lack of separation and the potential for cross-contamination of data.

 

Why AWS and Stratus10


AWS provided a robust foundation for Zebit's cloud infrastructure needs, offering a wide range of services and tools to support their IT operations. With AWS Organizations, Zebit gained centralized management and governance of multiple AWS accounts, enabling streamlined administration and improved security controls. AWS IAM Identity Center (the successor to AWS SSO) further improved access management by providing a unified single sign-on experience across AWS accounts, giving users consistent authentication and authorization while reducing administrative overhead. AWS Control Tower enabled Zebit to centrally create and govern additional accounts according to AWS best practices.

As an AWS Advanced Consulting Partner with a team of certified cloud engineers, Stratus10 was the ideal partner to successfully restructure Zebit’s cloud infrastructure, leveraging the right AWS services and implementing best practices to meet all security, performance, and compliance goals. 

 

Solution Delivered


The solution to Zebit's challenges was primarily delivered through the effective use of AWS services including AWS Control Tower, AWS IAM Identity Center (formerly AWS SSO), Amazon VPC, AWS CloudTrail, AWS Config, and AWS IAM.

AWS Control Tower
As the backbone of the solution, AWS Control Tower provided a prescriptive way to set up and govern a new, secure, multi-account AWS environment. It was used to create a landing zone with IAM Identity Center enabled. The landing zone is the baseline that Control Tower provisions: an AWS Organizations structure with dedicated log archive and audit accounts, plus preventive and detective controls (guardrails) applied to each organizational unit. IAM Identity Center is the single sign-on service through which users are centrally granted access to multiple AWS accounts and business applications.

Account Segregation with AWS IAM Identity Center (SSO)
Six separate AWS accounts were created, each designated for a specific environment and function. This brought structure and organization to Zebit's AWS account management, reduced the risk of cross-contamination, and simplified governance: with a hard account boundary around each environment, IAM policies became smaller, easier to enforce, and less error-prone. IAM Identity Center was used to manage users and their access across these accounts. Each permission set it provisions is materialized as an IAM role in the target account, so users sign in once and assume short-lived role sessions instead of holding long-lived IAM user credentials in every account, which significantly simplified user access management across the organization.

Amazon VPC
In each account, a VPC was created for the workload that account hosts, allowing Zebit to launch AWS resources into a virtual network they define. Network boundaries now line up with account boundaries, which segregates workloads and strengthens the security posture of the environment.

AWS CloudTrail & AWS Config
AWS CloudTrail and AWS Config were incorporated for logging and auditing access. CloudTrail enabled governance, compliance, operational auditing, and risk auditing across Zebit's AWS accounts, providing visibility into user and API activity. AWS Config was used to assess, audit, and evaluate the configurations of Zebit's AWS resources, giving a detailed view of the resources in each account, how they are configured, how they relate to one another, and how those configurations and relationships have changed over time. Because a detective control is only as good as the log it reads, Control Tower also applies mandatory guardrails that prevent member accounts from altering the organization trail or the AWS Config recorder.
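The two sections above (account segregation through Identity Center, and CloudTrail as the audit record) suggest the kind of check an operations team would run over the organization trail once this structure is in place. The following Python is an added example, not Stratus10's or Zebit's code. It applies two rules to CloudTrail records: calls that stop, delete or reconfigure CloudTrail trails or AWS Config recorders in any account, and activity by a long-lived IAM user inside a member account, which after a move to Identity Center should only see permission-set role sessions. The account IDs, the `ToolsAdmin` and `legacy-devops` principals, and the sample records are constructed for this example; the `AWSControlTowerExecution` role and the `aws-reserved/sso.amazonaws.com/` role path are the real names AWS uses.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumed account layout for this example (made-up IDs, not Zebit's).
MANAGEMENT_ACCOUNT = "111111111111"
MEMBER_ACCOUNTS = {
    "222222222222": "log-archive",
    "333333333333": "audit",
    "444444444444": "prod",
    "555555555555": "staging",
    "666666666666": "tools",
}

# API calls that weaken the audit trail. Any principal calling these, in any
# account, is worth a look, whether or not the call succeeded.
TAMPERING_CALLS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel"},
}

# Control Tower maintains its trail and recorders through this role; its own
# calls are suppressed here (a tuning choice for this example).
CONTROL_TOWER_ROLE_SUFFIX = ":role/AWSControlTowerExecution"


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    principal: str
    event_name: str
    denied: bool  # True when CloudTrail recorded an errorCode (e.g. AccessDenied)


def principal_arn(user_identity: dict) -> str:
    """Report the assumed role's ARN for role sessions, otherwise the caller's own ARN."""
    if user_identity.get("type") == "AssumedRole":
        issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn", user_identity.get("arn", "unknown"))
    return user_identity.get("arn", "unknown")


def check_event(event: dict) -> list[Finding]:
    """Apply both rules to a single CloudTrail record."""
    account = event.get("recipientAccountId", "")
    identity = event.get("userIdentity", {})
    principal = principal_arn(identity)
    name = event.get("eventName", "")
    denied = "errorCode" in event
    findings: list[Finding] = []

    tampering = name in TAMPERING_CALLS.get(event.get("eventSource", ""), set())
    if tampering and not principal.endswith(CONTROL_TOWER_ROLE_SUFFIX):
        findings.append(Finding("audit-trail-tampering", account, principal, name, denied))

    # After the Identity Center migration, member-account principals should be
    # permission-set role sessions; an IAMUser there is a leftover to remove.
    if account in MEMBER_ACCOUNTS and identity.get("type") == "IAMUser":
        findings.append(Finding("iam-user-in-member-account", account, principal, name, denied))

    return findings


def scan(records: list[dict]) -> list[Finding]:
    return [f for r in records for f in check_event(r)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed sample records: the field names follow CloudTrail's JSON, the values are made up.
SAMPLE_RECORDS = [
    {   # IAM user in prod turns off logging: fires both rules
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "recipientAccountId": "444444444444",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::444444444444:user/legacy-devops"},
    },
    {   # Identity Center permission-set role launching an instance in staging: clean
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "recipientAccountId": "555555555555",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::555555555555:assumed-role/AWSReservedSSO_DeveloperAccess_0123456789abcdef/alice",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::555555555555:role/aws-reserved/"
                                                         "sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_0123456789abcdef"}},
        },
    },
    {   # Role session tries to delete the Config recorder and is denied: still a finding
        "eventSource": "config.amazonaws.com", "eventName": "DeleteConfigurationRecorder",
        "recipientAccountId": "666666666666", "errorCode": "AccessDenied",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::666666666666:assumed-role/ToolsAdmin/bob",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::666666666666:role/ToolsAdmin"}},
        },
    },
    {   # Control Tower's own role updating the organization trail: suppressed
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
        "recipientAccountId": MANAGEMENT_ACCOUNT,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::{MANAGEMENT_ACCOUNT}:assumed-role/AWSControlTowerExecution/controltower",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:role/AWSControlTowerExecution"}},
        },
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.rule}] account={f.account} ({MEMBER_ACCOUNTS.get(f.account, 'management')}) "
              f"{f.event_name} by {f.principal} denied={f.denied}")
```

Denied attempts are reported on purpose: a guardrail turning an attempt into AccessDenied is exactly the signal that someone (or some leaked credential) is probing the account, and the IAM-user rule is a migration check that should go quiet once the last per-account users are removed.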

Finally, AWS IAM policies were used to scope what each role and user may do, so that access to AWS services and resources is granted on a least-privilege basis within each account.

 

Results and Benefits


The implementation of the multi-account AWS environment solution delivered transformative results for Zebit. AWS Control Tower and AWS Identity Center significantly improved their AWS account structure, offering robust governance and reduced risk of data cross-contamination. This reorganization enabled Zebit to manage their AWS resources more efficiently, providing clear boundaries between different environments and functions.

The segregation of workloads into dedicated VPCs within each account greatly enhanced the security posture of Zebit's AWS environment. AWS CloudTrail and AWS Config gave Zebit insight into user activity and resource configuration, enabling proactive management of security and auditing of access. These tools bolstered Zebit's security controls, helping to prevent unauthorized access and potential data breaches while supporting ongoing compliance with regulatory standards.

Ultimately, the solution addressed Zebit's initial concerns about security, business continuity, and PCI DSS Level 2 requirements. Their improved infrastructure and setup have streamlined the management of their AWS environment, strengthened security controls, and reinforced their compliance posture.

 

About Stratus10


Stratus10 is an AWS Advanced Consulting Partner that helps companies migrate to the cloud and helps those already on AWS implement best practices. Specialty areas include application modernization, DevOps automation, migration, security, and cost optimization, helping clients take full advantage of the latest technologies AWS has to offer.
 

Use case: AWS Control Tower
Client: Zebit
Date: June 2023
Category: Security

On-demand Webinar
Getting Started with Identity & Access Management (IAM)

Learn to configure IAM, the service that allows you to create authorizations and permissions for AWS:
 → Create an IAM identity policy
 → Set up IAM users and profiles
 → Establish IAM roles
 → Launch EC2 instances
 → Test access
 → Use security groups and tags
