The Challenge

The customer started the AWS journey two years ago when they sought an alternative solution for the local Network Attached Storage NAS devices to fulfil the 7-year Achieve compliance. AWS Simple Storage Service S3 Glacier has been a good fit for the organisation. However, Their infrastructure was lack of disaster recovery capabilities. Whenever the applications were down in the private data centre, the service would be offline until the problem had been resolved.

In addition, the customer did not have a clear disaster recovery plan whenever an incident occurred. The customer may end up wasting hours on fixing the problem.

The Solution

To improve the customer's disaster recovery capabilities, Westcon ran through a security audit on their AWS infrastructure in the below aspects:

• The customer had a large amount of data for migration. 2x AWS snowball was used for the initial migration of the existing 140 TB achieving data. The Veeam AWS integration with AWS S3 glacier has been the ongoing achieving backup solution for the last two years. Westcon discussed with them on how S3 could be used to sync the data and how to secure the S3 using security best practices.
• The customer also adopted AWS disaster recovery service to minimise downtime and data loss with the fast, reliable recovery of on-premises and cloud-based applications using affordable storage, minimal computing, and point-in-time recovery.
• The critical servers like AD domain servers and other business applications have been permanently running on AWS EC2 reserved instances. Direct connect and transit gateway support the smooth communication between the private data centre and cloud VPCs and maintain the same user experience. Westcon reviewed and audited the network securities such as transit gateway, security groups, VPC etc.
• AWS organisation is established to facilitate further DC migration and scalability. Westcon recommended customised IAM policies and AWS CloudTrail, and the customer implemented them to improve the overall cloud environment security posture.

Below AWS services are the core components included in this project:

• AWS Organisation: providing consolidated billing and centralised account management.
• AWS Organisation SCP: organisation-level service control for all AWS accounts.
• IAM: key components for the solution to fulfil multiple needs.
• Centralised IAM user AWS account for user access control
• Fully RBAC - all users need to assume IAM roles in the workload AWS accounts to perform tasks
• MFA enforce - all IAM roles can only be assumed when the user is MFA authenticated
• Password policy - all IAM users are following the centralised password policies
• AWS Direct Connect: providing a secure tunnel from on-prem to AWS.
• AWS Transit Gateway: providing cross VPC account for multiple AWS accounts and providing endpoints for all VPCs to use the Direct Connect service.

The Benefit

The customer had an incident in the private data centre two weeks ago. One of the business applications was out of service. The AWS DRS kicked in and achieved RTO 10mins after 6 hours of trying to bring the plication back online in the private data centre.

The customer was satisfied with the services and decided to change the DR procedure for future incidents, which is bringing AWS DR service online first before troubleshooting the office services.

Westcon have highly experienced AWS Certified Professionals who can assist you with your AWS infrastructure, and help you recommend, analyse and secure your workloads. If you have any questions or concerns about AWS cloud environment security, please do not hesitate to contact the Partner Success centre at

NZ Cloud Sales:    +64 9 477 7211              Email:  [email protected]
AU Cloud Sales:    +61 2 8412 1212              Email:  [email protected]
SG Cloud Sales:    +65 6424 0570              Email:   [email protected]
ID  Cloud Sales:    +62 21 8062 1470          Email:   [email protected]