...
Area | Configuration | Link/Description | General Configuration | Research Configuration |
---|---|---|---|---|
Security/Network | Cornell standard Virtual Private Cloud (VPC) configured | See specifics below. See also the blog article The Cornell “Standard” AWS VPC. | y | ? |
Security/Network | AWS VPC connected to the on-campus network | Private on-campus subnets are connected to AWS VPC subnets over an AWS Direct Connect link from campus to AWS. http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html Traffic leaving AWS over Direct Connect is billed at a lower rate than egress over the public internet; that rate is the same one AWS charges for region-to-region traffic. | y | ? |
Security/Network | AWS VPC subnets are assigned from managed, private IP space | This ensures that Cornell private subnets (on-campus and in AWS) do not overlap, so traffic between them can be routed transparently and securely to the AWS VPC subnets. https://confluence.cornell.edu/display/CLOUD/10+Space+Allocation | y | ? |
Security/Network | Private AWS VPC subnets are provisioned with a NAT Gateway | This gives EC2 instances in private subnets an outbound-only route to the public internet, so they can retrieve software updates without being reachable from the internet. (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html) | y | ? |
Security/Network | AWS VPCs are provisioned with an AWS Internet Gateway | This gives EC2 instances running in public VPC subnets access to the internet, and makes them reachable from it. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html | y | ? |
Security/Network | Baseline Network ACL configured for all subnets | The baseline NACL allows full access between 10-space and Cornell public IPs, but limits access from the world to ports 22, 80 and 443 plus ports above 1024. The high-port allowance exists because NACLs are stateless and return traffic needs an inbound rule; security groups still restrict what each instance actually accepts. | y | ? |
Security/Business | AWS account integrated with CloudCheckr | CloudCheckr reports offer suggestions for improving security and reducing costs. CloudCheckr also supports detailed reporting based on AWS tags, e.g., to divide one account's charges among multiple Cornell financial accounts within a single Cornell unit. http://support.cloudcheckr.com/reports/best-practice-report/ | y | y |
Security | AWS CloudTrail enabled for all activity in all regions | CloudTrail logs all AWS API calls in all regions for auditing purposes. (https://aws.amazon.com/documentation/cloudtrail/) | y | y |
Security | AWS Config enabled | Config rules monitor the infrastructure and raise an alarm if, e.g., CloudTrail is disabled for the account. (https://aws.amazon.com/documentation/config/) | y | y |
Security | Access to the AWS account by ITSO in cases of security issues | | y | y |
Security | AWS root account protected with multifactor authentication | The root account should not be used for regular administration, and the MFA device should be locked in a secure location. | y | y |
Security | No access keys associated with the root account | | y | y |
Security | User access controlled by Cornell AD group membership and integrated with Cornell Shibboleth | http://www.it.cornell.edu/services/shibboleth/; Shibboleth at Cornell Page | y | ? |
Security | Access for users with administrative privileges uses Cornell Duo for authentication | IAM users may still be used for service/programmatic access. Cornell Duo (aka Two-Step Login): http://www.it.cornell.edu/cms/services/twostep/howto/twostep_login.cfm | y | y |
Security | Baseline IAM password policy configured | The password policy enforces complex passwords in the rare cases where an IAM user requires a password. | y | y |
Security | Read-only (RO) role for AWS resources | This role lets the Cloudification Team view Cornell AWS accounts while troubleshooting and offering assistance, without write access, so account owners retain control of the account's integrity. | y | y |
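As an added example (not Cornell's own tooling, and not part of the original page), the following Python checks several of the baseline rows above offline: root MFA and root access keys, a multi-region CloudTrail trail, the IAM password policy, and the baseline NACL's limits on access from the world. Each function takes the response of the named boto3 call in the shape that call returns, so in real use you would pass it the output of `iam.get_account_summary()`, `cloudtrail.describe_trails()`, `iam.get_account_password_policy()` and `ec2.describe_network_acls()`. The sample responses, the `acl-0123456789abcdef0` identifier, the `10.0.0.0/8` trusted range and the 14-character minimum length are constructed assumptions, not values from the page.

```python
"""Offline audit of several baseline rows above. Each check takes the response
of the named AWS API call in the shape boto3 returns and gives back a list of
findings (empty = baseline met). Sample responses below are constructed."""

WORLD = "0.0.0.0/0"
# Inbound port spans the baseline NACL permits from the world: 22, 80, 443, 1024+.
BASELINE_WORLD_PORTS = [(22, 22), (80, 80), (443, 443), (1024, 65535)]
# Sources the baseline trusts (10-space). Cornell's public ranges are not on
# this page; add them here before using the check for real.
TRUSTED_CIDRS = {"10.0.0.0/8"}


def audit_account_summary(summary: dict) -> list:
    """Root MFA and root access keys, from iam.get_account_summary()."""
    m = summary["SummaryMap"]
    findings = []
    if m.get("AccountMFAEnabled", 0) != 1:
        findings.append("root account has no MFA device")
    if m.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root account has active access keys")
    return findings


def audit_trails(trails: dict) -> list:
    """One multi-region trail that also records global (IAM/STS) events,
    from cloudtrail.describe_trails()."""
    ok = any(t.get("IsMultiRegionTrail") and t.get("IncludeGlobalServiceEvents")
             for t in trails.get("trailList", []))
    return [] if ok else ["no multi-region CloudTrail trail with global events"]


def audit_password_policy(policy: dict, min_length: int = 14) -> list:
    """Complexity settings from iam.get_account_password_policy(); the
    14-character floor is an assumption, the page gives no number."""
    p = policy["PasswordPolicy"]
    findings = []
    if p.get("MinimumPasswordLength", 0) < min_length:
        findings.append(f"minimum password length below {min_length}")
    for key in ("RequireSymbols", "RequireNumbers",
                "RequireUppercaseCharacters", "RequireLowercaseCharacters"):
        if not p.get(key):
            findings.append(f"{key} not enforced")
    return findings


def audit_nacl(acl: dict, trusted=TRUSTED_CIDRS) -> list:
    """Inbound allow rules from untrusted sources must fit the baseline spans;
    `acl` is one element of ec2.describe_network_acls()['NetworkAcls'].
    Rule order and shadowing denies are not modelled, so this errs on flagging."""
    findings = []
    for e in acl["Entries"]:
        src = e.get("CidrBlock")
        if e["Egress"] or e["RuleAction"] != "allow" or src in trusted:
            continue
        if e["Protocol"] == "-1" or "PortRange" not in e:
            findings.append(f"rule {e['RuleNumber']} allows all ports from {src}")
            continue
        lo, hi = e["PortRange"]["From"], e["PortRange"]["To"]
        if not any(a <= lo and hi <= b for a, b in BASELINE_WORLD_PORTS):
            findings.append(f"rule {e['RuleNumber']} allows {lo}-{hi} from {src}")
    return findings


def run_baseline(summary, trails, policy, nacl) -> dict:
    """Run every check; a compliant account yields only empty lists."""
    return {"root_account": audit_account_summary(summary),
            "cloudtrail": audit_trails(trails),
            "password_policy": audit_password_policy(policy),
            "nacl:" + nacl["NetworkAclId"]: audit_nacl(nacl)}


def _rule(num, cidr, lo=None, hi=None, proto="6", action="allow", egress=False):
    """One NACL entry in the describe_network_acls() shape (constructed data)."""
    e = {"RuleNumber": num, "Protocol": proto, "RuleAction": action,
         "Egress": egress, "CidrBlock": cidr}
    if lo is not None:
        e["PortRange"] = {"From": lo, "To": lo if hi is None else hi}
    return e


# Constructed samples: a root access key exists, lowercase is not required, and
# a drifted rule 150 opens SMB (445) to the world; the ACL id is made up.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 1}}
SAMPLE_TRAILS = {"trailList": [{"Name": "account-trail", "HomeRegion": "us-east-1",
                                "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True}]}
SAMPLE_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": False}}
SAMPLE_NACL = {"NetworkAclId": "acl-0123456789abcdef0", "Entries": [
    _rule(100, "10.0.0.0/8", proto="-1"),
    _rule(110, WORLD, 22), _rule(120, WORLD, 80), _rule(130, WORLD, 443),
    _rule(140, WORLD, 1024, 65535), _rule(150, WORLD, 445),
    _rule(32767, WORLD, proto="-1", action="deny")]}

if __name__ == "__main__":
    for area, found in run_baseline(SAMPLE_SUMMARY, SAMPLE_TRAILS,
                                    SAMPLE_POLICY, SAMPLE_NACL).items():
        print(f"{area}: {'OK' if not found else found}")
```

The NACL check deliberately ignores rule ordering: a rule that allows a port outside the baseline is reported even if a lower-numbered deny would shadow it, because a shadowed allow is still drift from the documented baseline and is worth removing. An AWS Config custom rule or a scheduled job can run these same functions against live responses to catch the CloudTrail-disabled case the Config row above describes.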