Checklist end-of-deployment

Statement of Work

All deliverables listed have been delivered in accordance with the project.
Send an email to the onboarding team requesting that the new client's SSO infrastructure be created.

Network

If the CIDR is customised, ensure that the CIDRs of the VPCs do not overlap (no two VPCs share the same address pool).
What is it?
Where is it set up?
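
One way to run the CIDR check above over a VPC inventory. This is an added example, not part of the original checklist or its tooling; the account names, VPC IDs and CIDR blocks are constructed sample data, and `find_overlaps` is a hypothetical helper name.

```python
import ipaddress
from itertools import combinations

# Constructed inventory (not real customer data): one row per CIDR block
# associated with a VPC, secondary blocks included.
VPCS = [
    {"account": "shared-services", "vpc": "vpc-aaa", "cidr": "10.0.0.0/16"},
    {"account": "production", "vpc": "vpc-bbb", "cidr": "10.1.0.0/16"},
    {"account": "staging", "vpc": "vpc-ccc", "cidr": "10.1.128.0/20"},
    {"account": "sandbox", "vpc": "vpc-ddd", "cidr": "10.2.5.0/16"},    # host bits set
    {"account": "sandbox", "vpc": "vpc-ddd", "cidr": "100.64.0.0/24"},  # secondary block
]


def find_overlaps(vpcs):
    """Return (vpc_a, vpc_b, shared_range) for every pair of distinct VPCs
    whose CIDR blocks overlap."""
    # strict=False normalises entries such as 10.2.5.0/16 to 10.2.0.0/16
    # instead of rejecting them, so a typo cannot hide an overlap.
    parsed = [(v, ipaddress.ip_network(v["cidr"], strict=False)) for v in vpcs]
    findings = []
    for (a, net_a), (b, net_b) in combinations(parsed, 2):
        if (a["account"], a["vpc"]) == (b["account"], b["vpc"]):
            continue  # two blocks of the same VPC
        if net_a.version != net_b.version:
            continue  # IPv4 and IPv6 blocks cannot overlap
        if net_a.overlaps(net_b):
            # Overlapping CIDR blocks are always nested: the longer prefix
            # is the range both VPCs claim.
            shared = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
            findings.append((f'{a["account"]}/{a["vpc"]}',
                             f'{b["account"]}/{b["vpc"]}', str(shared)))
    return findings


if __name__ == "__main__":
    for vpc_a, vpc_b, shared in find_overlaps(VPCS):
        print(f"OVERLAP {vpc_a} <-> {vpc_b}: {shared}")
```

An empty result means the item can be ticked; any finding names the two VPCs and the range they both claim.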

Monitoring

If GuardDuty Alarms were disabled, make sure this is correct.
What is it?
Where is it set up?

Security

Default VPC is deleted on all accounts and regions.
What is it?
How to delete a default VPC?
Root user hardware MFA is enabled on all accounts [⚠️ Warn the customer if it is not enabled].

SSO

IAM Identity Center (SSO) is enabled and set up for the customer.
Groups and Permission sets are created for AdministratorAccess and ViewOnlyAccess.

Billing Alerts

Billing Alerts are enabled in the Management account.
Where is it set up?

Developer experience

We recommend an NX1 showcase for customers.
We recommend inviting the customer team to the NX1 Tenant.

Compliance

The following items are only required when the customer is aiming for compliance.

All rules of the default security group are deleted on all accounts.
Route53 query logs are enabled in production accounts (Optional).
SecurityHub: CIS AWS Foundations Benchmark:
There are no "Critical" failed checks.
"High" and "Medium" failed checks are justifiable.
SecurityHub: AWS Foundational Security Best Practices:
There are no "Critical" failed checks.
"High" and "Medium" failed checks are justifiable.
All relevant SCPs are deployed to the Master account:
What is it?
How to enable SCP?
Region-lock
scp-region
Audit-security-lock
audit-security-lock