Optimizing Multi-Account AWS Management: Zero&One's Journey to Streamlined Operations

  • Industry : Tech
  • Country : Global
  • Tags : aws, iam, security, identity-management

Executive Summary

Zero&One started with the vision that cloud computing would change the world and Amazon Web Services would power that change. With that belief, we assembled a team of passionate technologists that were big believers in this new mindset and honed our skills.

Today, as a homegrown AWS Premier Tier Services Partner in the MENA region, we stay true to this belief as we forge forward, tapping into promising opportunities in technology to help our customers achieve their goals. Zero&One delivers technology services focused on cloud adoption and transformation, data engineering and science, artificial intelligence, serverless application development, application modernization, and the Internet of Things. Through our partnership with Amazon Web Services, we enable our customers to achieve extraordinary things and shape how the world innovates. Zero&One operates multiple AWS accounts for internal use, including POCs, development, and production projects, each with its own billing and access management, which leads to operational complexity. Managing access control at the network level is challenging, because deploying a separate OpenVPN server for each account is inefficient and difficult to maintain.

Why Amazon Web Services?

As a homegrown AWS Premier Consulting Partner in the MENA region, Zero&One features a team of highly skilled, AWS-certified engineers, architects, and developers, bringing extensive expertise and a wealth of industry-recognized certifications.

The Challenge

Optimizing Account Distribution, Budgeting, and Network Access

Zero&One's internal accounts are spread across multiple organizations (Redington01, SPP02, and SPP03) without a structured allocation strategy. This fragmented setup requires urgent attention to establish a more organized and efficient distribution plan.

Additionally, Customer Proof of Concept (POC) accounts are being created arbitrarily across various organizations, lacking proper budget allocation and financial oversight. This disorganization makes it challenging to track and monitor account usage effectively.

Furthermore, network access is managed in a decentralized manner, leading to the creation of multiple client VPN profiles per employee, which further complicates access control and management.

Partner Solution

Streamlining AWS Account Management, Security, and Cost Control

We have integrated AWS IAM Identity Center with our O365 Entra to manage user access across all accounts. To enforce consistency and governance, we have deployed AWS Control Tower as the foundation of our Landing Zone, ensuring standardized account provisioning, guardrails, and centralized governance across all environments. This provides automation while allowing customization of our broader Landing Zone to meet internal and customer-specific requirements.

A dedicated network account is used to control connectivity, with AWS Transit Gateway routing traffic between accounts. An OpenVPN server is deployed in the network account to provide secure access across environments. Through the Landing Zone’s shared services model within Control Tower, networking, identity, and logging services are centrally managed and consistently secured.

Multiple Organizational Units (OUs) have been created within the Control Tower Landing Zone framework for our workloads, including internal projects, customer POCs, sandbox environments, and company accounts (which require a refined naming convention). These OUs are governed by Control Tower preventive and detective guardrails, ensuring compliance and security baselines across accounts.

Security Hub and AWS Config are integrated into the Landing Zone, ensuring security findings, compliance posture, and configuration changes are monitored consistently across the environment. Tagging enforcement is applied through Service Control Policies (SCPs) and Control Tower guardrails, enabling the finance team to generate accurate cost center reports.
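The tagging enforcement described above is typically implemented as a Service Control Policy attached to the workload OUs. The policy below is an added illustration written for this page, not Zero&One's actual SCP: the tag key "CostCenter", the set of create actions covered, and the resource ARN patterns are assumptions chosen for the example. The first statement denies the listed create calls when the request carries no CostCenter tag (the `Null` condition on `aws:RequestTag/CostCenter`); the second prevents the tag from being stripped afterwards, which would otherwise let a resource silently drop out of the finance team's cost center reports.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "rds:CreateDBInstance"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:rds:*:*:db:*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "DenyRemovingCostCenterTag",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags",
        "rds:RemoveTagsFromResource"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["CostCenter"]
        }
      }
    }
  ]
}
```

Two points worth checking before attaching such a policy: the `Resource` list in the first statement is deliberately scoped to the resource types that `ec2:RunInstances` creates (the instance and its volumes), because a bare `"Resource": "*"` with a `Null` tag condition would also deny the call for the network interface and other sub-resources that the request does not tag, and only services that support the `aws:RequestTag` condition key on their create API can be covered this way. SCPs never apply to the management account, so the tagging baseline there still depends on the Control Tower detective guardrails mentioned above.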

Finally, a backup and disaster recovery (DR) strategy is embedded into the Landing Zone governance model, ensuring consistent resilience across accounts, with policies and frameworks centrally enforced.

Use Case

Zero&One implemented AWS Control Tower as part of their Landing Zone with a dedicated transit account to streamline governance across multiple AWS accounts. By utilizing AWS Control Tower's centralized management, they established standardized account configurations and automated account provisioning within the Landing Zone. The solution integrated AWS Config for continuous monitoring and compliance checks, ensuring resources adhered to best practices. Security Hub was enabled to provide a comprehensive view of the security posture, aggregating findings from various security services to identify and address vulnerabilities. Additionally, AWS Single Sign-On (SSO, now IAM Identity Center) integration with O365 Entra was deployed to simplify access management, enabling secure and seamless user authentication across accounts. This cohesive Landing Zone and Control Tower setup allowed Zero&One to maintain consistent governance, enhance security monitoring, and improve operational efficiency across all their AWS resources.

Solution Architecture

Outcome

The implemented solution provided centralized compliance enforcement while maintaining the flexibility needed for efficient project management and scalability. Zero&One successfully managed their accounts and resources with enhanced security, operational flexibility, and scalability, effectively addressing initial concerns about chaotic account distribution and access levels.

About Zero&One

Zero&One is a leading AWS Premier Consulting Partner in the MENA region with a vision to empower businesses of all scales in their cloud adoption journey. We specialize in AWS services such as DevOps, application modernization, cloud migration, and serverless computing. We currently operate from our offices in Lebanon, the UAE, and Saudi Arabia, hold 100+ certifications, and serve 50+ happy customers across the region.
