LEO Pharma needed a secure, scalable, and robust infrastructure platform for running business applications to meet a business requirement for agile software development. The development department also wanted more self-service when setting up IT infrastructure. The choice was an AWS Cloud platform, as AWS offers a comprehensive catalog of cloud services delivered on a globally leading and secure infrastructure. In addition, LEO Pharma wanted to give its developers the ability to auto-provision AWS environments with predefined standard resources under well-defined security policies.
The technical AWS Cloud solution
The overall solution is based on a wide range of AWS services, with the greatest possible use of robust and scalable serverless solutions. The technical solution is designed based on the following design principles:
- Infrastructure as Code, IaC
- AWS Best Practices
- Security policies in line with LEO Pharma’s policies
- Principle of Least Privilege (POLP)
- Fully automated
- Cloud First strategy (SaaS before PaaS, before IaaS)
Conscia addressed the customer’s functional needs by building on AWS Control Tower. Conscia’s overlay contains standard network components in a hub-spoke architecture and the attachment of AD users and groups to newly created AWS accounts.
The solution is based on AWS Step Functions, which can directly integrate with AWS services, make decisions based on user input, and orchestrate the provisioning flow.
About LEO Pharma
LEO Pharma is a Danish pharmaceutical company founded in 1908. LEO Pharma develops, produces, and markets medicinal products for treating dermatological diseases. The company sells its products in over 100 countries and has its head office in Denmark.
The solution is based on the following AWS services:
AWS Step Functions
This serverless service can invoke Lambda functions, push messages to SQS queues, and use some 2000 other service integrations. The primary role of Step Functions in this solution is to receive the request input and run a series of tasks: delivering Service Catalog products, invoking Lambda functions, sending email messages, and performing checks before a task is carried out.
AWS Organizations
AWS Organizations groups AWS accounts under the organization’s root (management) account. In this solution, Organizations is also used to perform checks before a task is carried out.
AWS Control Tower
AWS Control Tower ensures continuous compliance, governance, and high security in a multi-account infrastructure. AWS Control Tower is also used in this solution to prepare new accounts and maintain security policies.
AWS Single Sign-On
AWS Single Sign-On controls differentiated access to all accounts in the AWS organization. The permissions originate in LEO Pharma’s Azure AD and are propagated to AWS SSO through SCIM and SAML integration.
AWS Lambda
AWS Lambda is used where direct integration from AWS Step Functions is not possible, or where the logic is too extensive to be expressed in a state machine definition. AWS Lambda is used, for example, to assume a role in another account and deliver a Service Catalog product there.
AWS Simple Email Service
AWS Simple Email Service sends notification emails to end users.
AWS Service Catalog
AWS Service Catalog encapsulates IaC components and delivers Service Catalog products in a given environment.
All LEO Pharma user groups are synchronized from on-premises AD to Azure AD, which allows SCIM and SAML integration with the AWS SSO service. To assign groups to AWS accounts, the groups are assigned to the Azure AD Enterprise Application that is integrated with AWS.
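The Step Functions orchestration described in this section, written out as an added Amazon States Language definition (not LEO Pharma’s or Conscia’s own): it checks the account in AWS Organizations before acting, hands the cross-account Service Catalog delivery to a Lambda function, and notifies the requester through SES on both outcomes. The function name provision-service-catalog-product, the input fields accountId, productId, artifactId and requesterEmail, and the sender address are assumed.

```json
{
  "Comment": "Added example of the provisioning flow described above; function name, input fields and sender address are assumed",
  "StartAt": "CheckAccountInOrganization",
  "States": {
    "CheckAccountInOrganization": {
      "Type": "Task",
      "Resource": "arn:aws:states:::aws-sdk:organizations:describeAccount",
      "Parameters": { "AccountId.$": "$.accountId" },
      "ResultPath": "$.account",
      "Catch": [ { "ErrorEquals": ["Organizations.AccountNotFoundException"], "ResultPath": "$.error", "Next": "NotifyFailure" } ],
      "Next": "IsAccountActive"
    },
    "IsAccountActive": {
      "Type": "Choice",
      "Choices": [ { "Variable": "$.account.Account.Status", "StringEquals": "ACTIVE", "Next": "ProvisionInTargetAccount" } ],
      "Default": "NotifyFailure"
    },
    "ProvisionInTargetAccount": {
      "Type": "Task",
      "Resource": "arn:aws:states:::lambda:invoke",
      "Parameters": { "FunctionName": "provision-service-catalog-product", "Payload": { "accountId.$": "$.accountId", "productId.$": "$.productId", "artifactId.$": "$.artifactId" } },
      "ResultSelector": { "recordId.$": "$.Payload.RecordId" },
      "ResultPath": "$.provisioning",
      "Retry": [ { "ErrorEquals": ["Lambda.TooManyRequestsException"], "IntervalSeconds": 5, "MaxAttempts": 3, "BackoffRate": 2 } ],
      "Catch": [ { "ErrorEquals": ["States.ALL"], "ResultPath": "$.error", "Next": "NotifyFailure" } ],
      "Next": "NotifySuccess"
    },
    "NotifySuccess": {
      "Type": "Task",
      "Resource": "arn:aws:states:::aws-sdk:ses:sendEmail",
      "Parameters": {
        "Source": "cloud-platform@example.com",
        "Destination": { "ToAddresses.$": "States.Array($.requesterEmail)" },
        "Message": { "Subject": { "Data": "Your AWS environment is ready" }, "Body": { "Text": { "Data.$": "States.Format('Product {} provisioned in account {} (record {}).', $.productId, $.accountId, $.provisioning.recordId)" } } }
      },
      "End": true
    },
    "NotifyFailure": {
      "Type": "Task",
      "Resource": "arn:aws:states:::aws-sdk:ses:sendEmail",
      "Parameters": { "Source": "cloud-platform@example.com", "Destination": { "ToAddresses.$": "States.Array($.requesterEmail)" }, "Message": { "Subject": { "Data": "AWS environment provisioning failed" }, "Body": { "Text": { "Data.$": "States.Format('Provisioning for account {} did not complete; see the execution history.', $.accountId)" } } } },
      "Next": "ProvisioningFailed"
    },
    "ProvisioningFailed": { "Type": "Fail", "Error": "ProvisioningFailed", "Cause": "A pre-check or the provisioning step failed" }
  }
}
```

With this split, the state machine’s own role needs only organizations:DescribeAccount, lambda:InvokeFunction on that single function, and ses:SendEmail, while the cross-account sts:AssumeRole permission stays with the Lambda function’s role.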
Partner from design to operation
Conscia’s Cloud team helped LEO Pharma through the idea and design phases, delivered the HLD/LLD design and code, and acted throughout the project as a trusted partner to LEO Pharma’s Enterprise Architecture team.