AWS res documentation change
Summary
Minor grammatical improvements and consistency fixes in IAM and Auto Scaling sections
Security assessment
Textual clarifications without security implications or feature changes
Diff
diff --git a/res/archive/release-minus-4/ug/plan-your-deployment.md b/res/archive/release-minus-4/ug/plan-your-deployment.md index 82357e640..1c0666f1d 100644 --- a//res/archive/release-minus-4/ug/plan-your-deployment.md +++ b//res/archive/release-minus-4/ug/plan-your-deployment.md @@ -8,0 +9,2 @@ Cost SecurityQuotasSupported AWS Regions +This section contains information on cost, security, supported regions, and quotas that can help you plan your deployment of Research and Engineering Studio on AWS. + @@ -21 +23,12 @@ We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/lat -When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit [AWS Cloud Security](https://aws.amazon.com/security/). +Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations. + +Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security _of_ the cloud and security _in_ the cloud: + + * **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/) . To learn about the compliance programs that apply to Research and Engineering Studio on AWS, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) . + + * **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. + + + + +To understand how to apply the shared responsibility model with the AWS services used by Research and Engineering Studio, see Security considerations for services in this product. For more information about AWS security, visit [AWS Cloud Security](https://aws.amazon.com/security/). @@ -27 +40 @@ AWS Identity and Access Management (IAM) roles allow customers to assign granula -RES supports identity-based policies within IAM. When deployed, RES creates policies to define the administrator permission and access. The administrator implementing the product creates and manages end users and project leaders within the existing customer Active Directory integrated with RES. For more information, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the _AWS Identity and Access Management User Guide_. +RES supports identity-based policies within IAM. When deployed, RES creates policies to define the administrator permission and access. The administrator who implements the product creates and manages end users and project leaders within the existing customer Active Directory integrated with RES. For more information, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the _AWS Identity and Access Management User Guide_. @@ -40,0 +54,29 @@ RES encrypts customer data in transit using SSL/TLS. We require TLS 1.2, but rec +### Security considerations for services in this product + +For more detailed information regarding security considerations for the services used by Research and Engineering Studio, follow the links in this table: + +AWS service security info | Service type | How the service is used in RES +---|---|--- +[Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security.html) | Core | Provides the underlying compute services to create virtual desktops with their chosen operating system and software stack. +[Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security.html) | Core | Bastion, cluster-manager, and VDI hosts are created in Auto Scaling groups behind the load balancer. ELB balances traffic from the web portal across RES hosts. +[Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/security.html) | Core | All core product components are created within your VPC. +[Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/security.html) | Core | Manages user identities and authentication. Active Directory users are mapped to Amazon Cognito users and groups to authenticate access levels. +[Amazon Elastic File System](https://docs.aws.amazon.com/efs/latest/ug/security-considerations.html) | Core | Provides the `/home` file system for the file browser and VDI hosts, as well as shared external file systems. +[Amazon DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) | Core | Stores configuration data such as users, groups, projects, file systems, and component settings. +[AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security.html) | Core | Stores documents for performing commands for VDI session management. +[AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/lambda-security.html) | Core | Supports product functionalities such as updating settings within the DynamoDB table, starting Active Directory sync workflows, and updating the prefix list. +[Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/security.html) | Supporting | Provides metrics and activity logs for all Amazon EC2 hosts and Lambda functions. +[Amazon Simple Storage Service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html) | Supporting | Stores application binaries for host bootstrapping and configuration. +[AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/kms-security.html) | Supporting | Used for encryption at rest with Amazon SQS queues, DynamoDB tables, and Amazon SNS topics. +[AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security.html) | Supporting | Stores service account credentials in Active Directory and self-signed certificates for VDIs. +[AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security.html) | Supporting | Provides a deployment mechanism for the product. +[AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/security.html) | Supporting | Restricts the access level for hosts. +[Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/security.html) | Supporting | Creates private hosted zone for resolving the internal load balancer and the bastion host domain name. +[Amazon Simple Queue Service](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security.html) | Supporting | Creates task queues to support asynchronous executions. +[Amazon Simple Notification Service](https://docs.aws.amazon.com/sns/latest/dg/sns-security.html) | Supporting | Supports the publication-subscriber model between VDI components such as the controller and hosts. +[AWS Fargate](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-fargate.html) | Supporting | Installs, updates, and deletes environments using Fargate tasks. +[Amazon FSx File Gateway](https://docs.aws.amazon.com/filegateway/latest/filefsxw/security.html) | Optional | Provides external shared file system. +[Amazon FSx for NetApp ONTAP](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/security.html) | Optional | Provides external shared file system. +[AWS Certificate Manager](https://docs.aws.amazon.com/acm/latest/userguide/security.html) | Optional | Generates a trusted certificate for your custom domain. +[AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html) | Optional | Offers backup capabilities for Amazon EC2 hosts, file systems, and DynamoDB. + @@ -68 +110 @@ The product deploys a default infrastructure with the minimum number and size of -ASG settings can be customized within the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/). The product creates four ASGs by default with each name ending with `-asg`. You can change the minimum and desired values to an amount appropriate for your production environment. Choose the group you want to modify, and then choose **Actions** and **Edit**. For more information on ASGs, see [Scale the size of your Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/scale-your-group.html) in the _Amazon EC2 Auto Scaling User Guide_. +ASG settings can be customized within the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/). The product creates four ASGs by default with each name ending with `-asg`. You can change the minimum and desired values to an amount appropriate for your production environment. Select the group you want to modify, and then choose **Actions** and select **Edit**. For more information on ASGs, see [Scale the size of your Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/scale-your-group.html) in the _Amazon EC2 Auto Scaling User Guide_. @@ -76 +118 @@ Research and Engineering Studio on AWS is supported in the following AWS Regions -Region name | Region | Release 2024.06 and earlier | Release 2024.08 +Region name | Region | Previous versions | Latest version (2024.10) @@ -95 +137 @@ Israel (Tel Aviv) | il-central-1 | yes | yes -AWS GovCloud (US-West) | us-gov-west-1 | yes | no +AWS GovCloud (US-West) | us-gov-west-1 | yes | yes