Updates and reviews
Pilargit12 committed Oct 16, 2024
1 parent 6fcca3e commit 92c8a0f
Showing 20 changed files with 125 additions and 118 deletions.
@@ -1,6 +1,6 @@
# AWS Sample Applications
# AWS Sample applications

Last updated: **October 8, 2024**
Last updated: **October 16, 2024**

We have several example applications to help you get started with building and deploying applications in the AWS Landing Zone.

@@ -1,91 +1,93 @@
# AWS Security & Compliance Guardrails
# AWS Security and compliance guardrails

Last updated: **September 26, 2024**
Last updated: **October 16, 2024**

As a user of our AWS environment, it's important to understand the restrictions and guidelines in place to ensure security and compliance. This document outlines the key points you need to know when working with your AWS account.
As an AWS user, you must understand the restrictions and guidelines to ensure security and compliance. This document outlines the key points you need to know when using your AWS account.

## Supported Regions
## Supported regions

You can only use AWS services in the following regions:

- Canada (Central) - ca-central-1
- US East (N. Virginia) - us-east-1
* Canada (Central) - ca-central-1
* US East (N. Virginia) - us-east-1

Most actions and resource creations outside these regions will be blocked. This means:
Most actions and resource creation outside these regions will be blocked. This means:

- You must deploy all your applications and services in these two regions.
- Traditional multi-region architectures for disaster recovery or global applications may not be possible. Discuss alternatives with the central team for critical applications that might need such capabilities.
- While most services are restricted to these regions, some global services (like IAM, CloudFront, Route 53) can still be used, although your actions within these services might be limited.
* Deploy all your applications and services in these two regions
* Traditional multi-region architectures for disaster recovery or global applications may not be possible. Discuss alternatives with the central team for critical applications that might need such capabilities
* Some global services (such as IAM, CloudFront, Route 53) are still available, but your actions may be limited

## Protected Resources
## Protected resources

Some resources in your account are managed by our central team and are protected from modification. You can identify these resources by:

- Names beginning with "PBMM"
- The tag "Accelerator: PBMM"
* Names beginning with "PBMM"
* The tag "Accelerator: PBMM"

You cannot modify, delete, or in some cases even interact with these protected resources. This includes items such as certain CloudFormation stacks, IAM roles, S3 buckets, and network components.
You can't change, delete, or in some cases even interact with these protected resources, such as certain CloudFormation stacks, IAM roles, S3 buckets, and network components.

This means:

- If your application needs to interact with protected resources (prefixed with PBMM), you may need to request special permissions or assistance from the central team.
- You can't modify the encryption settings of existing PBMM-tagged storage resources.
- While you can view security findings from services like GuardDuty or Security Hub, you might not be able to dismiss or modify these findings directly if they're related to protected resources.
* If your application needs to interact with PBMM-protected resources, you may need to request permissions or assistance from the central team
* You can't change the encryption settings of existing PBMM-tagged storage resources
* While you can view security findings from services like GuardDuty or Security Hub, you might not be able to dismiss or change these findings directly if they're related to protected resources

## Network and Infrastructure
## Network and infrastructure

- You cannot create, modify, or delete core networking components like VPCs, subnets, internet gateways, and NAT gateways.
- You cannot create or modify VPC endpoints, except for the PrivateLink endpoints for API Gateway.
- You can add routes to existing routes tables, but you cannot modify or delete the routes. So be cautious when adding routes.
* You can't create, modify, or delete core networking components like VPCs, subnets, internet gateways, and NAT gateways
* You can't create or modify VPC endpoints, except for the PrivateLink endpoints for API Gateway
* You can add routes to existing routes tables, but you can't modify or delete the routes. So be cautious when adding routes

This means:

- You can't create new VPCs or modify existing ones that are part of the protected infrastructure. Plan your resource deployments within the existing network structure.
- Resources deployed in your VPCs are not directly accessible from the internet. If your application requires internet access, you'll need to use an API Gateway with PrivateLink or route your traffic through the landing zone's perimeter network using a public ALB. For more information, see [Exposing Services to the Internet](../design-build-and-deploy-an-application/networking.md#exposing-services-to-the-internet).
* You can't create new VPCs or modify existing ones that are part of the protected infrastructure. Plan your resource deployments within the existing network structure
* Resources deployed in your VPCs are not directly accessible from the internet. If your application requires internet access, you'll need to use an API Gateway with PrivateLink or route your traffic through the landing zone's perimeter network using a public ALB. For more information, see [Exposing Services to the Internet](../design-build-and-deploy-an-application/networking.md#exposing-services-to-the-internet)

## Security and Compliance
## Security and compliance

1. Encryption:
- Encryption is mandatory for services like EBS volumes, RDS instances, and EFS file systems.
- You cannot disable encryption on resources that require it.
- Encryption is mandatory for services like EBS volumes, RDS instances, and EFS file systems
- You can't disable encryption on resources that require it

This means:

- When creating new S3 buckets, EBS volumes, or RDS instances, you must ensure they are encrypted. The system will enforce this, but be aware that you can't create unencrypted storage resources.
- When creating new S3 buckets, EBS volumes, or RDS instances, you must ensure they are encrypted. The system will enforce this, but be aware that you can't create unencrypted storage resources

2. Security Services:
2. Security services:
- You have limited ability to modify settings for services like GuardDuty, Security Hub, and Macie.

3. Logging and Monitoring:
- You cannot modify or delete CloudWatch logs, alarms, and dashboards related to our managed infrastructure.
- You can create your own CloudWatch alarms and dashboards, but you can't modify ones that are part of the protected infrastructure.
3. Logging and monitoring:
- You can't modify or delete CloudWatch logs, alarms, and dashboards related to our managed infrastructure
- You can create your own CloudWatch alarms and dashboards, but you can't modify ones that are part of the protected infrastructure

## Account Management
## Account management

- You cannot perform high-level account actions such as leaving the AWS organization or closing the account.
- Creation of new IAM users and groups is restricted. A limited custom service is deployed in your accounts to create IAM users. See [IAM User Service](./iam-user-service.md) for more information.
- You can't perform high-level account actions such as leaving the AWS organization or closing the account
- Creation of new IAM users and groups is restricted. A limited custom service is deployed in your accounts to create IAM users. See [IAM User Service](./iam-user-service.md) for more information

Implications:

- You can't create new IAM users or groups. If you need to onboard new team members or create new roles, you can do that using the [Product Registry](https://registry.developer.gov.bc.ca). See [BC Gov's Product Registry - User management documentation](./user-management.md) for more information.
- Be cautious when attaching policies that grant broad permissions. Use the least privilege principle when assigning permissions.
- You can't create new IAM users or groups. If you need to onboard new team members or create new roles, you can do that using the [Product Registry](https://registry.developer.gov.bc.ca). See [BC Gov's Product Registry - User management documentation](./user-management.md) for more information
- Be cautious when attaching policies that grant broad permissions. Use the least privilege principle when assigning permissions

## Service Restrictions
## Service restrictions

- Access to AWS Marketplace is limited. Please contact the central team if you need software or services from the Marketplace.
Access to AWS Marketplace is limited. Please contact the central team if you need software or services from the Marketplace

Implications:

- Some AWS services might be entirely restricted. Always check if you can access a service before planning to use it in your projects.
- For services that are available, you might find that certain actions within those services are restricted.
- If you need specific software or tools from AWS Marketplace, you'll need to request it through the central team. Plan ahead for any software needs in your projects.
* Some AWS services might be entirely restricted. Always check if you can access a service before planning to use it in your projects
* For services that are available, you might find that certain actions within those services are restricted
* If you need specific software or tools from AWS Marketplace, you'll need to request it through the central team. Plan ahead for any software needs in your projects

## Cost Management
## Cost management

- You do not have direct access to billing information or the ability to set up detailed cost allocation tags. However, you can view your account's total spend and associated costs using the AWS Cost Explorer service.
- Budgets and notifications have been pre-configured for your accounts to alert you when your spend is approaching limits. The values are configured in the [Product Registry](https://registry.developer.gov.bc.ca). You may also configure additional budgets and alerts as needed.
- In order to provide a centralized view of costs across all accounts and projects, the Public Cloud team has created a centralized Cost Explorer dashboard. This dashboard is used to track and analyze costs for all projects and accounts. See [AWS billing and cost management dashboards](../understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md) for more information.
You don't have direct access to billing information or the ability to set up detailed cost allocation tags. However, you can view your total spend and associated costs using AWS Cost Explorer.

By following these guidelines, you help maintain the security and compliance of our AWS environment. Remember, these restrictions are in place to maintain a secure and compliant environment. If you find that these limitations significantly impact your work, don't hesitate to discuss your needs with the Public Cloud team. They can provide guidance, suggest workarounds, or, if necessary, help you request exceptions for critical business needs.
Budgets and notifications are pre-configured to alert you when your spend is approaching limits. These values are set in the [Platform Product Registry](https://registry.developer.gov.bc.ca). You may also set up additional budgets and alerts as needed.

If you have any questions or need assistance, please contact the Public Cloud team.
To provide a centralized view of costs across all accounts and projects, the Public Cloud team has created a Cost Explorer dashboard. This dashboard helps track and analyze costs for all projects and accounts. For more details, see [AWS billing and cost management dashboards](../understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md).

By following these guidelines, you help maintain the security and compliance of our AWS environment. If these limitations significantly impact your work, contact the Public Cloud team for guidance, workarounds, or to request exceptions for critical business needs.

If you have any questions or need assistance, please contact the Public Cloud team at [email protected].
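Review bot: The new "Account management" list is internally contradictory: the first item says "A limited custom service is deployed in your accounts to create IAM users", while the "Implications" item directly below says "You can't create new IAM users or groups". State which applies (for example, that the IAM User Service is the only sanctioned path and direct IAM user creation is blocked), because readers will use this to decide how credentials get provisioned. Smaller points in the same hunk: list markers are now mixed, with "*" in the Regions, Protected resources, Network and Service restrictions sections but "-" kept under Encryption, Logging and Account management; the Marketplace item lost its "-" marker and now reads as a bare paragraph with no terminating period; "existing routes tables" should be "existing route tables"; and the Account management section still links to "Product Registry" while the Cost management paragraph (and the overview page in this same commit) calls it "Platform Product Registry". The contact address on the last line renders as "[email protected]" in this view; confirm the real address is present in the source.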
@@ -1,4 +1,4 @@
# B.C. Government OCIO AWS Landing Zone overview
# B.C. Government OCIO AWS Landing Zone overview

Last updated: **February 5, 2024**

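Review bot: The two heading lines in this hunk are textually identical ("# B.C. Government OCIO AWS Landing Zone overview"), so the change is invisible here and is most likely trailing whitespace or a non-printing character; worth confirming it is intentional. Note also that this page's "Last updated" date was not bumped, while the other edited pages in the commit were.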
@@ -32,11 +32,11 @@ Explore a [comprehensive guide](https://digital.gov.bc.ca/cloud/services/public/

In this section, we'll provide a high level overview of the components and features of the OCIO's Landing Zone in AWS.

### Product Registry
### Platform Product Registry

The Product Registry service is a comprehensive solution designed to streamline the process of requesting and creating AWS Project Sets for B.C. government ministry teams. Each Project Set comprises four distinct AWS accounts: Development (dev), Testing (test), Production (prod), and Tools. This service plays a crucial role, not just in setting up the necessary AWS infrastructure, but also in managing various aspects of a product's lifecycle in the cloud.
The Platform Product Registry service is a comprehensive solution designed to streamline the process of requesting and creating AWS Project Sets for B.C. government ministry teams. Each Project Set comprises four distinct AWS accounts: Development (dev), Testing (test), Production (prod), and Tools. This service plays a crucial role, not just in setting up the necessary AWS infrastructure, but also in managing various aspects of a product's lifecycle in the cloud.

### Key Features of the Product Registry Service
### Key Features of the Platform Product Registry Service

1. **AWS Project Set creation**
- Helps create a set of four AWS accounts (Dev, Test, Prod, Tools) customized for different stages of the application development lifecycle
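Review bot: Renaming the heading and opening paragraph to "Platform Product Registry" leaves "Key Features of the Platform Product Registry Service" in Title Case, while the rest of this commit converts headings to sentence case ("Key features of the Platform Product Registry service"). Since the heading slug changes with the heading text, also check any page that links to the old "#product-registry" anchor.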
2 changes: 1 addition & 1 deletion docs/aws/index.md
@@ -1,6 +1,6 @@
# Welcome to the Public Cloud AWS Technical Documentation

## Get started
## Get started with AWS

Start here for the first steps on working in our AWS Secure Environment Accelerator (ASEA):

3 changes: 1 addition & 2 deletions docs/aws/support/enterprise-support.md
@@ -2,6 +2,5 @@

Last updated: **October 8, 2024**

Once your Project Set has been provisioned, the AWS Account will be enrolled in the AWS Enterprise Support.
Once your Project Set has been provisioned, the AWS Account will be enrolled in the AWS Enterprise Support. Only the Production AWS Account will be enrolled in the AWS Enterprise Support.

> Note: Only the Production AWS Account will be enrolled in the AWS Enterprise Support.
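Review bot: Folding the note into the paragraph produces two sentences that contradict each other: "the AWS Account will be enrolled in the AWS Enterprise Support" followed by "Only the Production AWS Account will be enrolled". Collapse them into one statement, e.g. "Once your Project Set has been provisioned, only the Production AWS account will be enrolled in AWS Enterprise Support.", so the scope is unambiguous on first reading.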
22 changes: 11 additions & 11 deletions docs/azure/best-practices/be-mindful.md
@@ -1,8 +1,8 @@
# Be Mindful
# Be mindful

The following are some things to be aware of when working within the Azure Landing Zone.

## Virtual Network (VNet) Integration
## Virtual Network (VNet) integration

If you are using an [Azure App Service](https://learn.microsoft.com/en-us/azure/app-service/overview), and you plan to [integrate it with an Azure Virtual Network](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration), it is important to be aware of the following limitation: _You can't delete a subnet that has previously had an integrated App Service, if the integration has not been removed_.

@@ -22,7 +22,7 @@ However, since the endpoint is private-only, you will not be able to access the

In the future, once [Express Route](../upcoming-features/express-route.md) is available, you will also be able to access these resources from the on-premises network.

## Using Terraform to Create Subnets
## Using Terraform to create Subnets

If you are using Terraform to create your infrastructure, in particular the subnets within your assigned Virtual Network, please be aware of the following challenge.

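Review bot: "Using Terraform to create Subnets" keeps "Subnets" capitalized, which is inconsistent with the sentence-case convention this commit applies to the other headings; "Using Terraform to create subnets" is the intended form.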
@@ -58,31 +58,31 @@ resource "azapi_update_resource" "subnets" {

For further details about this limitation, please refer to the following GitHub Issue: [Example of using the Subnet Association resources with Azure Policy](https://github.com/hashicorp/terraform-provider-azurerm/issues/9022).

## AzAPI Terraform Provider (using `azapi_update_resource`)
## AzAPI Terraform provider (using `azapi_update_resource`)

If you are using the [AzAPI Terraform Provider](https://learn.microsoft.com/en-us/azure/developer/terraform/overview), specifically the [azapi_update_resource](https://registry.terraform.io/providers/azure/azapi/latest/docs/resources/update_resource) resource, be aware of the following limitation: _When you delete `azapi_update_resource`, no operation will be performed, and these properties will stay unchanged. If you want to restore the modified properties to some values, you must apply the restored properties before deleting_.

This means, changes to the `azapi_update_resource` resource may _appear_ to apply changes (ie. remove properties/configurations previous added according to the `terraform plan` output), but this doesn't actually apply those changes in Azure.

## Working with Resource Locks
## Working with resource locks

As part of our security and governance measures, resource locks are automatically applied to critical infrastructure components, particularly networking resources like Virtual Networks (VNets). While these locks provide an important safeguard against accidental deletion, they can sometimes interfere with legitimate resource management tasks.

### Deleting Resources Protected by Locks
### Deleting resources protected by locks

If you encounter issues when trying to delete a resource you've created (such as a VM) due to a lock on the parent resource (like a VNet), follow these steps:

1. **Identify the Lock**: Locate the resource lock on the parent resource (usually the VNet).
1. **Identify the lock**: Locate the resource lock on the parent resource (usually the VNet).

2. **Remove the Lock**: You have permissions to remove these locks when necessary. To do so:
2. **Remove the lock**: You have permissions to remove these locks when necessary. To do so:
- Navigate to the VNet in the Azure portal
- Go to the "Locks" section
- Delete the lock that's preventing the operation

3. **Perform Your Operation**: Once the lock is removed, you should be able to delete your resource as needed.
3. **Perform your operation**: Once the lock is removed, you should be able to delete your resource as needed.

4. **Be Aware of Automation**: Our automation systems will periodically reapply these locks to ensure ongoing protection. If you need the lock to remain off for an extended period, please contact the Cloud Pathfinder team.
4. **Be aware of automation**: Our automation systems will periodically reapply these locks to ensure ongoing protection. If you need the lock to remain off for an extended period, please contact the Cloud Pathfinder team.

5. **Best Practice**: After completing your task, if the automation hasn't yet reapplied the lock, consider manually reapplying it to maintain security.
5. **Best practice**: After completing your task, if the automation hasn't yet reapplied the lock, consider manually reapplying it to maintain security.

Remember, these locks are in place for good reason. Always double-check that you're deleting the correct resources and understand the implications before removing any locks.
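Review bot: The unchanged context in this hunk carries two typos worth fixing while the file is being touched: "ie. remove properties/configurations previous added" should read "i.e. remove properties/configurations previously added". On the resource-lock procedure, step 5 makes reapplying the lock optional ("consider manually reapplying it"); since step 4 says the automation only reapplies locks periodically, the VNet is unprotected against accidental deletion during that interval, so consider making reapplication the stated expectation rather than a suggestion.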
2 changes: 1 addition & 1 deletion docs/azure/best-practices/ci-cd.md
@@ -1,4 +1,4 @@
# CI/CD Best Practices
# CI/CD Best practices

## GitHub Actions

@@ -4,7 +4,7 @@ Last updated: **September 24, 2024**

There are multiple ways to deploy your application to the Azure Landing Zone. This document outlines a few examples at a high-level, but it is up to each team to determine the best approach for their application.

## Azure Portal (UI)
## Azure portal (UI)

The Azure Portal is a web-based application that allows you to manage your Azure resources. You can deploy your application to the Azure Landing Zone using the Azure Portal by following these steps:

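Review bot: The heading becomes "Azure portal (UI)", but the paragraph below still says "The Azure Portal is a web-based application" and "using the Azure Portal"; update the body text to match the casing chosen for the heading so the page is consistent.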