This page gives a brief overview of some of the guardrails implemented in the Science Program's AWS tenant and how they can affect you.
The AWS tenant was set up using the AWS Secure Environment Accelerator (ASEA) in order to meet the GC Cloud guardrail requirements that all GoC cloud environments must follow.
The ASEA is also used each time we create a client's account (the equivalent of a Subscription in Azure) in order to scaffold the resources and policies the account needs to be compliant with the guardrails.
Most resource types must be built in Canada (ca-central-1), with the exception of “global” resources (in the back end, AWS builds those in us-east-1). One example of a global resource is an S3 bucket.
When we use the ASEA to provision a client account, it automatically creates a KMS key to encrypt EC2 and EBS volumes. This key is applied to every volume created in the account, enforced by the Service Control Policies (SCPs) in effect. The key in use can be seen in the volume view of the EC2 console and in the KMS console.
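As an added example (not code from this page or from the ASEA project), the following audit applies the two rules above to volume records in the shape returned by boto3's `describe_volumes()`: every volume must live in ca-central-1 and be encrypted with the account's ASEA-created key. The key ARN and the volume records are constructed placeholders.

```python
from __future__ import annotations

# Added example, not part of the original page or the ASEA project.
HOME_REGION = "ca-central-1"

# Hypothetical ARN standing in for the account's ASEA-created EBS key.
EXPECTED_KEY_ARN = (
    "arn:aws:kms:ca-central-1:111122223333:key/00000000-0000-0000-0000-000000000000"
)


def audit_volume(volume: dict, region: str, expected_key_arn: str) -> list:
    """Return the guardrail violations for one volume (empty list if compliant)."""
    findings = []
    if region != HOME_REGION:
        findings.append(f"built outside {HOME_REGION} ({region})")
    if not volume.get("Encrypted", False):
        findings.append("not encrypted")
    elif volume.get("KmsKeyId") != expected_key_arn:
        # Encrypted, but with a key other than the one the ASEA provisioned.
        findings.append(f"encrypted with unexpected key {volume.get('KmsKeyId')}")
    return findings


def audit_volumes(volumes_by_region: dict, expected_key_arn: str) -> dict:
    """Map VolumeId -> violations for every non-compliant volume, across regions."""
    report = {}
    for region, volumes in volumes_by_region.items():  # describe_volumes() is per region
        for vol in volumes:
            findings = audit_volume(vol, region, expected_key_arn)
            if findings:
                report[vol["VolumeId"]] = findings
    return report


# Constructed sample data mimicking describe_volumes()["Volumes"] for each region.
SAMPLE_VOLUMES = {
    "ca-central-1": [
        {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": EXPECTED_KEY_ARN},
        {"VolumeId": "vol-0bbb", "Encrypted": False},
        {"VolumeId": "vol-0ccc", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:ca-central-1:111122223333:key/11111111-1111-1111-1111-111111111111"},
    ],
    "us-east-1": [
        {"VolumeId": "vol-0ddd", "Encrypted": True, "KmsKeyId": EXPECTED_KEY_ARN},
    ],
}

if __name__ == "__main__":
    for volume_id, findings in audit_volumes(SAMPLE_VOLUMES, EXPECTED_KEY_ARN).items():
        print(volume_id, "->", "; ".join(findings))
```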
When we use the ASEA to provision a client account, client-specific VPCs (in the 172.16.x.y address range) are created with ITSG-22 and ITSG-38 compliant subnets (Web, App, Data and Mgmt).
A set of baseline Network Security Groups is created by the ASEA and applied to the subnets below (described in GR06) as follows:
Typically you would use a bastion or jump server in the Mgmt subnet, with access restricted to trusted IPs only, and from that server connect to your servers in the other subnets.