...
Area | Configuration | Link/Description | General Configuration | Research Configuration |
---|---|---|---|---|
Security/Network | Cornell standard Virtual Private Network configured | See specifics below. | y | ? |
Security/Network | AWS VPC connected to on-campus network | Private on-campus subnets are connected to AWS VPC subnets through a transparent secure connection (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html). AWS Virtual Private Gateways and Customer (Cornell) Gateways are provisioned and configured appropriately. Ultimately this connectivity will be routed through an AWS Direct Connect connection from campus to AWS. http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html | y | ? |
Security/Network | AWS VPC subnets are assigned to managed, private IP spaces | This ensures that Cornell private subnets (on-campus and in AWS) do not overlap and that private subnets are transparently and securely routed to AWS VPC subnets. https://confluence.cornell.edu/display/CLOUD/10+Space+Allocation | y | ? |
Security/Network | Private AWS VPC subnets are provisioned with a NAT Gateway | This provides a secure route to the public internet so that AWS EC2 instances can retrieve software updates while remaining unexposed to inbound connections from the public internet. (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html) | y | ? |
Security/Network | AWS VPCs are provisioned with AWS Internet Gateways | This gives AWS EC2 instances running in public VPC subnets access to the internet and vice versa. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html | y | ? |
Security/Business | AWS account integrated with CloudCheckr | CloudCheckr reports provide suggestions for improving security and reducing costs. It also supports detailed reporting based on AWS labels, e.g., to divide account charges among multiple Cornell financial accounts within a single Cornell unit. http://support.cloudcheckr.com/reports/best-practice-report/ | y | ?y |
Security | AWS CloudTrail enabled for all activity in all regions | CloudTrail logs all AWS API calls in all regions for auditing purposes | y | y |
Security | AWS Config enabled | Config rules monitor infrastructure and will alarm if, e.g., CloudTrail becomes disabled for an account. | y | y |
Security | Access to AWS account by ITSO in cases of security issues | | y | y |
Security | AWS root account protected with multifactor authentication | The root account should not be used for regular administration, and the MFA key should be locked in a secure location. | y | y |
Security | No access keys associated with root account | | y | y |
Security | User access controlled by Cornell AD group membership and integrated with Cornell Shibboleth | | y | ? |
Security | Access for users with administrative privileges utilizes Cornell Duo for authentication | IAM users can be used for service/programmatic access. | y | y |
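The four account-level Security rows (CloudTrail in all regions, AWS Config enabled, root MFA, no root access keys) can be verified mechanically. The following is an added example, not Cornell's tooling: the check functions consume dicts in the same shape boto3 returns for `cloudtrail.describe_trails()`, `cloudtrail.get_trail_status()`, `iam.get_account_summary()` and `config.describe_configuration_recorder_status()`, and the sample responses are constructed to show a non-compliant account.

```python
"""Audit helpers for the account-level Security rows (added example)."""

def cloudtrail_all_regions(trails, trail_status):
    """True if a multi-region trail that captures global service events
    (IAM, STS) exists AND is currently logging. describe_trails() does not
    report logging state, so get_trail_status() output is keyed by name."""
    for t in trails.get("trailList", []):
        if not (t.get("IsMultiRegionTrail") and t.get("IncludeGlobalServiceEvents")):
            continue
        if trail_status.get(t["Name"], {}).get("IsLogging"):
            return True
    return False

def root_mfa_enabled(summary):
    """AccountMFAEnabled is 1 only when the root user has MFA configured."""
    return summary.get("SummaryMap", {}).get("AccountMFAEnabled") == 1

def root_has_no_access_keys(summary):
    """AccountAccessKeysPresent counts root access keys; 0 is the target."""
    return summary.get("SummaryMap", {}).get("AccountAccessKeysPresent", 1) == 0

def config_recording(recorders):
    """At least one AWS Config recorder must be actively recording."""
    return any(r.get("recording")
               for r in recorders.get("ConfigurationRecordersStatus", []))

def audit(trails, trail_status, summary, recorders):
    """Map each row to pass/fail; anything False needs remediation."""
    return {
        "cloudtrail_all_regions": cloudtrail_all_regions(trails, trail_status),
        "config_enabled": config_recording(recorders),
        "root_mfa": root_mfa_enabled(summary),
        "root_no_access_keys": root_has_no_access_keys(summary),
    }

# Constructed sample responses (not real account data): the multi-region
# trail is switched off, root has no MFA and one access key exists.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True, "HomeRegion": "us-east-1"},
    {"Name": "dev-only", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": False, "HomeRegion": "us-west-2"}]}
SAMPLE_STATUS = {"org-trail": {"IsLogging": False}, "dev-only": {"IsLogging": True}}
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}}
SAMPLE_RECORDERS = {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]}

if __name__ == "__main__":
    for check, ok in audit(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SUMMARY, SAMPLE_RECORDERS).items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

In a real run the four inputs come from the boto3 calls named in the lead-in; the single-region `dev-only` trail does not satisfy the "all regions" row even though it is logging.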