AWS Control Tower Strategy For EyeControl

Overview

EyeControl is a leading medical tech company focusing on new ways to help people communicate, especially when they have special healthcare needs. They use advanced AI technology to help patients, nurses, and families stay connected easily, which helps in making better health decisions.

EyeControl has created a system that lets patients wearing a special headset communicate directly with nurses and their families, no matter the distance. This system uses real-time data to help improve patient care and is changing the way we think about talking in healthcare.

They also help patients who are moving from hospitals to home care, and those who can’t speak, by keeping them connected all the time. This technology makes life better by giving them a way to express themselves anytime.

Opportunities  | EyeControl’s Multi-Account Management Challenges

EyeControl’s engineering team faced challenges in handling many AWS accounts while keeping environments separate, upholding strict security, and following rules. They needed to manage healthcare data safely and comply with laws easily.

We developed a solution using AWS Control Tower, which offers a central place to manage multiple AWS accounts effectively. With AWS Control Tower, EyeControl can create safe, separate spaces for their healthcare communication tools, making sure they meet industry standards. This system comes with built-in security rules and the ability to automate tasks, helping EyeControl apply best practices everywhere, cut down on manual work, and run more smoothly.

Solutions | Overcoming Multi-Account Challenges in Medical Technology with AWS Control Tower

Control Tower

The solution was implemented through the adoption of AWS Control Tower for the setup and management of an AWS multi-account environment in accordance with best practices. This integration effectively utilized AWS Organizations, AWS Service Catalog, and IAM Identity Center (the successor to AWS Single Sign-On) to establish a landing zone. This approach facilitated efficient management and governance of AWS accounts while ensuring compliance with industry standards. It empowered EyeControl to focus on innovation while AWS Control Tower handles the complexities of multi-account management, security, and governance with fluidity.

Implemented a  Landing Zone with customized security measures for consistent compliance across all AWS accounts within our organization.

Landing Zone Configuration

Landing zones are fundamental AWS environments adhering to security, compliance, and operational standards, facilitated by Control Tower for efficient management.

Configuration consists of: 

1. Regions: Total of 10 AWS Regions are selected for governance, with US East (N. Virginia) as the home region.
2. AWS Account Access: AWS Control Tower sets up AWS account access with IAM Identity Center.
3. Logging: Control Tower utilizes AWS CloudTrail to automatically create trails, capturing every API call made within the managed environment for comprehensive auditing and traceability.
4. Networking Configuration: Default VPC is deleted by the Control Tower while provisioning a new AWS Account. Here Control Tower is not responsible for creating VPC but instead networking is managed by a centralized networking aws account after provisioning of new aws account is completed.
5. Preventive Controls: The SCP (Service Control Policy) is configured to deny certain actions across various AWS services within the managed environment, ensuring compliance and security. Specifically, it prohibits the creation, modification, or deletion of critical resources such as internet gateways, NAT gateways, VPCs, subnets, VPN connections, and IAM login profiles. The SCP applies to all resources (*) except for specific roles specified in the “Condition” section, ensuring that only authorized entities can perform these actions.
6. Detective Controls: These guardrails in Control Tower provisioned new AWS accounts with configuration rules ensuring instances are securely launched within VPCs, ELBs are logging enabled, DynamoDB tables are encrypted, EIPs are attached, ALBs have WAF enabled, EBS volumes are in use, DynamoDB has PITR enabled, and database backups are enabled, enhancing security and compliance. Eyecontrol uses aws Security Hub as well which creates more config rules.
7. Initial security baseline which is deployed to each environment of Eyecontrol by the Control Tower includes:
   1. AWS CloudTrail data is sent to the Logging Account’s centrally managed S3 bucket.
   2. In addition, the AWS Config log is sent to a centrally managed S3 bucket in the Logging Account.

Control Tower in Action: How it Facilitates Management and Governance of AWS Environments

Outcomes | Rapid Setup and Enhance Security

1. Rapid Setup customized for Eyecontrol: Leveraging Control Tower’s Landing Zone, Eyecontrol is able to swiftly establish a secure, multi-account AWS environment, aligning with their unique requirements. Automated setup expedites deployment while adhering to AWS best practices, ensuring a robust foundation from the outset.
2. Customize Best Practices Integration: Eyecontrol benefits from Control Tower’s integration of AWS best practices, ensuring security, compliance, and operational excellence are ingrained within their landing zone configuration. By tailoring these practices to Eyecontrol’s specific needs, the risk of misconfiguration is minimized, bolstering overall resilience.
3. Enhanced Security and Compliance Governance: Control Tower’s Landing Zone enforces security and compliance policies tailored to Eyecontrol’s industry standards and regulatory obligations. Through predefined guardrails, non-compliant actions are mitigated, ensuring a consistent security posture across all accounts within the environment.
4. Streamlined Account Management for Eyecontrol: The automation provided by the Landing Zone simplified AWS Accounts management for Eyecontrol. Tasks such as provisioning, configuration, and lifecycle management are seamlessly orchestrated and reduce administrative overhead.
5. Logging with AWS CloudTrail Integration: Eyecontrol leveraged AWS Control Tower’s AWS CloudTrail integration, enhancing logging across all AWS accounts and services. This tailored approach ensured comprehensive visibility and traceability, bolstering security and compliance.
6. Cost Optimization: Through Control Tower, Eyecontrol realized significant cost optimization benefits by seamlessly implementing tagging policies, budget alerts, and resource usage tracking across all accounts. This streamlined approach empowered Eyecontrol to efficiently manage expenses, ensuring optimal resource allocation and budget adherence.

Conclusion

SquareOps’s implementation of AWS Control Tower for EyeControl exemplifies how strategic cloud management can revolutionize operations in the healthcare technology sector. By establishing a secure, compliant multi-account AWS environment, EyeControl has enhanced its innovative communication solutions, providing uninterrupted services in patient care.

For organizations aiming to refine their cloud infrastructure with strong security and efficiency, SquareOps can help you optimize your operations through the intricacies of AWS Control Tower.

Contact Us today to learn how we can transform your cloud strategy.