ishenwei/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Auto-sync: 2026-04-29 00:02

Browse Source
This commit is contained in:
weishen
2026-04-29 00:02:51 +08:00
parent 0e548ce5dc
commit 74d02d0df2
80 changed files with 3450 additions and 382 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
wiki/entities/AWS-Landing-Zone.md Normal file
View File

@@ -0,0 +1,40 @@
---
title: "AWS Landing Zone"
type: entity
tags: ["AWS", "Landing-Zone", "Multi-Account", "Architecture"]
sources: ["ctp-topic-31-network-segregation-and-secure-access-to-the-new-aws-landing-zones", "ctp-topic-10-aws-landing-zone-lz-data-collection-tagging-related-security"]
last_updated: 2026-04-28
---
## Overview
AWS Landing Zone 是 AWS 推荐的多账户架构框架用于建立安全、可扩展、合规的云基础架构基础。Micro Focus 采用基于 Gruntwork 的 Landing Zone 参考架构,通过 Terraform/Terragrunt 管理所有资源。
## Core Components
- **Shared Services Account**:托管 Jenkins、AD、Route 53 私有 DNS 等共享基础设施
- **Network Account**Transit Gateway + Checkpoint 防火墙管理所有互联网流量
- **Security Account**联邦用户、跨账户访问、IAM Role 集中管理
- **Logs Account**CloudTrail、Config 日志集中存储
- **Product/SaaS Accounts**:业务负载运行的账户
## Network Isolation Challenges
在 [[ctp-topic-31-network-segregation-and-secure-access-to-the-new-aws-landing-zones]] 中描述的安全挑战:
- On-prem 系统和 VPN 用户因共享网络配置可直接访问生产工作负载
- 解决路径Checkpoint SPIDefault Deny+ AWS SSM 替代 VPN
## Tag-Based Security Architecture
在 [[ctp-topic-10-aws-landing-zone-lz-data-collection-tagging-related-security]] 中Steve Jarman 和 Pradeep 深入阐述了基于标签的云原生安全架构:
- **SCPSecurity Control Policy强制标签规范**:通过「显式拒绝」逻辑防止用户通过篡改标签绕过审计,确保资源创建时即具备正确的 BU/产品/环境归属;普通 ADM 用户无法擅自将标签改为 ITOM
- **OU 分层架构**:通过多层 OU 检查标签值,确保正确的标记和必要的安全控制
- **标签体系**涵盖机器名、所有者PDL、类型、业务单元、产品、环境、服务器角色等维度是云迁移规划的前提
- **Checkpoint 标签驱动策略**:从基于 IP 地址的传统防火墙规则转向利用 AWS 标签作为安全凭证,实现动态云环境
## Aliases
- Landing Zone
- LZ
- AWS LZ
## Connections
- [[Network-Segmentation]] — 网络隔离是 LZ 安全架构核心
- [[AWS-SSM]] — SSM 提供 LZ 内安全远程访问
- [[ctp-topic-31-network-segregation-and-secure-access-to-the-new-aws-landing-zones]]