Exported From Confluence, Thu, 28 Mar 2024 14:01:25 +0000 (UTC)
Infrastructure security (whether in the cloud or not) is tightly bound to accounts, roles and identities.
There are multiple questions to consider when deciding on a cloud account strategy. Some examples include:
Billing - How will resource utilization and consumption be measured and reported? Will there need to be internal chargebacks?
Business models - Will central IT act as an institutional service provider for cloud infrastructure, or will there be multiple accounts across distributed IT and research groups? How will financial responsibility be distributed across different uses of cloud infrastructure?
Governance - How will resources be allocated, secured, controlled and audited?
Operational - How will operational management, enterprise integration, network integration and AWS service limits be architected and managed?
Recommendations
The following should be treated as a starting set of best practices for account strategy and adapted to meet the organization's needs:
This information has moved here.
We are just getting started but we are looking at Landing Zone and Control Tower (https://aws.amazon.com/controltower/) as one way to implement auditing and compliance for workloads in AWS for our institution. Specifically, we are looking for a way to manage accounts, monitor the accounts, and set baseline policies for the accounts that are created for researchers or departments. We are also looking into Transit Gateway (https://aws.amazon.com/transit-gateway/) to manage network connections within AWS and back to campus. I expect many of you are already using Organizations (https://docs.aws.amazon.com/organizations/index.html) along with service control and/or AWS Config.
Just as shipping syslog events to a separate, hardened host is standard practice on premises, centralized logging is equally important in the cloud. In AWS, CloudTrail records the API calls made against an account (management events by default, data events such as S3 object access on request), which covers nearly every change to the infrastructure. On its own, though, a trail is only as trustworthy as the controls around it: an intruder with sufficient rights in the compromised account can stop the trail, change its event selectors or delete its log bucket. Coupled with IAM policies and service control policies that deny those operations to workload principals, delivery to a bucket in a separate log-archive account that the workload accounts cannot write to or delete from, and CloudTrail's log file integrity validation (signed digest files), this makes it very hard for a compromise of the environment to be hidden.
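As an added worked example (not code from the original page or from AWS), the following Python models the two controls the paragraph relies on: a service control policy that denies the CloudTrail calls an intruder would use to blind the trail, checked by a simplified policy matcher, and a detector that scans CloudTrail records for those same calls, whether they succeeded or were blocked. The SCP JSON shape and the four `cloudtrail:` action names are real; the account IDs, principal ARNs, IP addresses and log records are constructed for illustration, and the evaluator considers only `Action` wildcards, ignoring `Resource` and `Condition` blocks.

```python
"""
Added example, not part of the original Confluence page: an SCP that protects
the CloudTrail trail, a simplified "would this action be denied?" evaluator,
and a detector for tamper attempts in CloudTrail records. Sample records and
account identifiers below are constructed, not real logs.
"""
import fnmatch
import json

# --- 1. SCP that protects the trail -----------------------------------------
# Assumption: attached at the organization root or to every workload OU. The
# log-archive / security tooling account that owns the trail lives outside
# those OUs, so no exception is needed for it.
PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
        }
    ],
}


def _matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and patterns may use '*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def denied_by_scp(action: str, scp: dict = PROTECT_CLOUDTRAIL_SCP) -> bool:
    """Return True if a Deny statement in the SCP covers `action`.

    Simplified evaluator: only the Action element is matched; Resource and
    Condition blocks are ignored. An SCP can only restrict, so a Deny here
    overrides any Allow that exists inside the member account.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            return True
    return False


# --- 2. Detection over CloudTrail records ----------------------------------
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def tamper_findings(records: list) -> list:
    """Flag CloudTrail records that try to stop, alter or delete a trail.

    Each finding keeps who did it, from where, and whether the call succeeded
    (no errorCode) or was blocked (errorCode such as AccessDenied). A blocked
    attempt is still a strong compromise indicator and deserves an alert.
    """
    findings = []
    for r in records:
        if r.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if r.get("eventName") not in TAMPER_EVENTS:
            continue
        findings.append({
            "time": r["eventTime"],
            "event": r["eventName"],
            "principal": r.get("userIdentity", {}).get("arn", "<unknown>"),
            "source_ip": r.get("sourceIPAddress"),
            "outcome": "blocked" if r.get("errorCode") else "SUCCEEDED",
        })
    return findings


# Constructed sample records in the CloudTrail record shape (not real logs).
SAMPLE_RECORDS = [
    {   # benign read-only call, should not be flagged
        "eventTime": "2024-03-28T13:55:01Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # attempt to stop the trail in an account covered by the SCP
        "eventTime": "2024-03-28T13:57:42Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "sourceIPAddress": "198.51.100.7",
        "errorCode": "AccessDenied",
        "errorMessage": "explicit deny in a service control policy",
    },
    {   # successful selector change in an account the SCP does not cover
        "eventTime": "2024-03-28T13:58:03Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "PutEventSelectors",
        "userIdentity": {"arn": "arn:aws:iam::222222222222:role/Admin"},
        "sourceIPAddress": "198.51.100.7",
    },
]

if __name__ == "__main__":
    for a in ("cloudtrail:StopLogging", "cloudtrail:LookupEvents"):
        print(f"{a}: {'denied' if denied_by_scp(a) else 'allowed'}")
    print(json.dumps(tamper_findings(SAMPLE_RECORDS), indent=2))
```

The second sample record is the pattern to look for in practice: a denied `StopLogging` means the SCP did its job, but the principal and source address that tried it are the start of an incident, not a false positive to tune out.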