Checklist end-of-deployment

Checklist end-of-deployment

Statement of Work

All deliverables listed have been delivered in accordance with the project.
Send an email to the onboarding team requesting that the new client's SSO infrastructure be created.

Network

If CIDR is customised, ensure that the CIDR between VPCs does not share the same address pool.
What is it?

CIDR blocks in AWS Virtual Private Cloud (VPC) cannot share the same address. Subnets in a VPC are defined using CIDR (Classless Inter-Domain Routing) blocks, and each subnet must have its own unique CIDR block within the overall VPC CIDR range. Because overlapping CIDR blocks result in conflicting network addresses, the CIDR blocks must not overlap.

The CIDR (Classless Inter-Domain Routing) block is a range of IP addresses assigned to a VPC that determines the structure and size of the subnet.

Consider the following when selecting an address for your VPC CIDR block:

The size of your network: A /16 CIDR block can hold 65,536 IP addresses, whereas a /28 block can only hold 16. Choose a CIDR block size that allows for the number of IP addresses required for your resources.

Where is it set up?

While creating an environment, in the Advanced Options menu, you can set a CIDR IP address for your VPC.

  1. Navigate to http://app.citadel.run and select Environment in the menu;
  2. Create a new Environment;
  3. Enter Environment Name;
  4. Enter AWS Account ID;
  5. Select the Region;
  6. Select Advanced Options;
  7. Enter your custom CIDR IP address.
  8. Sample:

    vpc_cidr_block: 10.10.0.0/16

Monitoring

If GuardDuty Alarms was disabled, make sure this is correct.
What is it?

AWS GuardDuty is a security service that detects threats in your Amazon Web Services infrastructure. GuardDuty's alarms are an important feature of the service because they notify you of potential security threats and provide detailed information about the threat, allowing you to take action to prevent further damage.

GuardDuty alarms can assist you in quickly identifying and responding to security incidents, improving the overall security of your AWS infrastructure. By providing auditable information about security incidents, the alarms can also assist you in complying with security regulations and standards.

Where is it set up?
  1. Navigate to http://app.citadel.run and select Management in the menu;
  2. Select Security Events in the left menu;
  3. Enable or disable Guardduty and Save.

Security

Default VPC is deleted on all accounts and regions.
What is it?

AWS creates a default VPC in every region to provide convenience, consistency, and security to its customers.

Convenience: In each region, a default VPC is created automatically, making it easier for new AWS customers to get started with the cloud. Customers can use the default VPC to launch EC2 instances, RDS databases, and other AWS resources without having to build their own network infrastructure.

Consistency: Having a default VPC in each region aids in AWS environment consistency. Customers can expect the same basic network infrastructure in each region, making application deployment across multiple regions easier.

Security: The default VPC provides customers with a secure and isolated environment in which to deploy their resources, protecting them from potential security threats. Customers can also manage network security through security groups, network ACLs, and VPC peering with the default VPC.

How to delete a default VPC?

To delete a default VPC, you can follow these steps:

  1. Go to the AWS Console;
  2. Choose a region (top right corner of the console);
  3. Check that no EC2 instances or other resources are running in the VPC you want to delete;
  4. Navigate to the AWS Management Console's VPC dashboard;
  5. Choose the VPC you want to delete;
  6. Select "Delete VPC" from the "Actions" drop-down menu;
  7. Follow instructions and click "Yes, Delete" to confirm the deletion.
  8. Follow these steps to delete all default VPC in all accounts.

Note: It is not recommended to delete the default VPC if this may have an impact on other services that use the VPC. Before deleting a default VPC, make sure you understand the implications and that no resources or services rely on it.

Furthermore, the impact on other services, such as Elastic IP addresses, subnets, security groups, and VPC peering connections, must be considered. When you delete the default VPC, these resources are also deleted. If you want to keep any resources in the default VPC, you should create a new VPC before deleting the default VPC.

Root user hardware-MFA has enabled all accounts [⚠️ Warning customer if it is not enabled].

SSO

IAM Identity Center (SSO) is enabled and setup for the customer.
Groups and Permission sets are created for AdministratorAccess and ViewOnlyAccess.

Billing Alerts

Billing Alerts is enabled in the Management account.
Where is it set up?

Follow the instructions of how to enable it in the Billing Alerts documentation.

Billing Alerts
Billing Alerts

Developer experience

We recommend a NX1 showcase to customers.
We recommend that the customer team has been invited to NX1 Tenant.

Compliance

The following items are only required when the customer is aiming for compliance.

Default Security Group All Rules are deleted on all accounts.
Route53 query logs are enabled in production accounts (Optional).
SecurityHub: CIS AWS Foundations Benchmark:
There are no "Critical" failed checks.
"High" and "Medium" failed checks are justifiable.

SecurityHub: AWS Foundational Security Best Practices:
There are no "Critical" failed checks.
"High" and "Medium" failed checks are justifiable.

All relevant SCPs are deployed to the Master account:
What is it?

SCPs are a type of organisational policy that you can use to manage permissions in your organisation. SCPs provide centralised control over all accounts in your organization's maximum available permissions. SCPs assist you in ensuring that your accounts adhere to your organization's access control policies. SCPs are only available in organisations that have all features enabled. If your organisation has only enabled the consolidated billing features, SCPs are not available. Enabling and disabling policy types contains instructions for enabling SCPs.

How to enable SCP?

To enable the SPC, follow these steps:

  1. Go to the AWS Console;
  2. Select the resource AWS Organizations;
  3. In the AWS Organizations, select Policies in the left menu;
  4. Select Service control policies and enable it;
  5. Click em Create policy;
  6. Create the two policies listed below.
Region-lock
scp-region
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "DenyAllOutsideAU",
          "Effect": "Deny",
          "NotAction": [
              "a4b:*",
              "acm:*",
              "aws-marketplace-management:*",
              "aws-marketplace:*",
              "aws-portal:*",
              "budgets:*",
              "ce:*",
              "chime:*",
              "cloudfront:*",
              "config:*",
              "cur:*",
              "directconnect:*",
              "ec2:DescribeRegions",
              "ec2:DescribeTransitGateways",
              "ec2:DescribeVpnGateways",
              "fms:*",
              "globalaccelerator:*",
              "health:*",
              "iam:*",
              "importexport:*",
              "kms:*",
              "mobileanalytics:*",
              "networkmanager:*",
              "organizations:*",
              "pricing:*",
              "route53:*",
              "route53domains:*",
              "s3:GetAccountPublic*",
              "s3:ListAllMyBuckets",
              "s3:PutAccountPublic*",
              "shield:*",
              "sts:*",
              "support:*",
              "trustedadvisor:*",
              "waf-regional:*",
              "waf:*",
              "wafv2:*",
              "wellarchitected:*"
          ],
          "Resource": "*",
          "Condition": {
              "StringNotEquals": {
                  "aws:RequestedRegion": [
                      "ap-southeast-2"
                  ]
              },
              "ArnNotLike": {
                  "aws:PrincipalARN": []
              }
          }
      }
  ]
}
Audit-security-lock
audit-security-lock
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AuditS3DeleteLock",
			"Effect": "Deny",
			"Action": [
				"s3:DeleteObject",
				"s3:DeleteObjectVersion"
			],
			"Resource": [
				"arn:aws:s3:::archive-*/*"
			]
		},
		{
			"Sid": "GuarddutyLock",
			"Effect": "Deny",
			"Action": [
				"guardduty:AcceptInvitation",
				"guardduty:ArchiveFindings",
				"guardduty:CreateDetector",
				"guardduty:CreateFilter",
				"guardduty:CreateIPSet",
				"guardduty:CreateMembers",
				"guardduty:CreatePublishingDestination",
				"guardduty:CreateSampleFindings",
				"guardduty:CreateThreatIntelSet",
				"guardduty:DeclineInvitations",
				"guardduty:DeleteDetector",
				"guardduty:DeleteFilter",
				"guardduty:DeleteInvitations",
				"guardduty:DeleteIPSet",
				"guardduty:DeleteMembers",
				"guardduty:DeletePublishingDestination",
				"guardduty:DeleteThreatIntelSet",
				"guardduty:DisassociateFromMasterAccount",
				"guardduty:DisassociateMembers",
				"guardduty:InviteMembers",
				"guardduty:StartMonitoringMembers",
				"guardduty:StopMonitoringMembers",
				"guardduty:TagResource",
				"guardduty:UnarchiveFindings",
				"guardduty:UntagResource",
				"guardduty:UpdateDetector",
				"guardduty:UpdateFilter",
				"guardduty:UpdateFindingsFeedback",
				"guardduty:UpdateIPSet",
				"guardduty:UpdatePublishingDestination",
				"guardduty:UpdateThreatIntelSet"
			],
			"Resource": "*"
		},
		{
			"Sid": "ConfigLock",
			"Effect": "Deny",
			"Action": [
				"config:DeleteConfigRule",
				"config:DeleteConfigurationRecorder",
				"config:DeleteDeliveryChannel",
				"config:StopConfigurationRecorder"
			],
			"Resource": "*"
		},
		{
			"Sid": "OrgLock",
			"Effect": "Deny",
			"Action": [
				"organizations:LeaveOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "CloudtrailLock",
			"Action": [
				"cloudtrail:StopLogging",
				"cloudtrail:DeleteTrail"
			],
			"Resource": "*",
			"Effect": "Deny"
		}
	]
}