This article applies to: Cloudification
The Cloudification service provides the following:
- Consultation on cost of cloud infrastructure for applications or services moving to the cloud
- Standard offerings and common solutions for authentication, AD group sync, logging, monitoring, and disaster recovery practices
- Consultation on configuration and best practices
- Training and consultation on containerization using Docker
- Reusable automation for deploys, builds, and other tools to simplify operations
- Enterprise repository of application containers
- Consultation on building ongoing support practices for applications in the cloud
- Methods to ensure the IT Security Office has visibility and access to perform incident response and forensics in the event of a security incident
- Configuration of tools and services in AWS that help monitor and alert on high usage, which should be utilized to prevent unexpected AWS charges
Cloud Master Account Onboarding Requirements
- Shibboleth for authentication
- Multi-factor authentication to the Console using Duo
- CloudCheckr – a third-party usage monitor
- AWS Config
- Review and understand the shared security model
- Application Security is the responsibility of the account/application owner.
- Patching the base OS is the responsibility of the account owner. For more information on how you can automate this process, see our blog post on patching the base OS. The Cloudification Team is also available to consult on this.
Docker Trusted Registry
Cornell has purchased Docker Trusted Registry. Campus is encouraged to take advantage of this service. Contact the Cloudification Team with questions and for the processes for getting started. If you are using supported containers in Docker, it is the account owner’s responsibility to pull new versions from the registry; updated components will not be pushed to your AWS accounts. Please contact the Cloudification Team for more information on this.
Firewalls and Network Configuration
- Cloud Services will set up initial firewalls and network within your VPC
- Cloud Services Team is available for consultation and questions on network and firewall configuration
- The Account Owner is responsible for changes made within their account.
- Must use Multi-Factor Authentication (MFA) on your root account
- Reminder: do not use the root account
- The Department is financially responsible for all activity that occurs under its sub account. The Cloudification Team is available to answer questions and to discuss methods for lowering costs.