Merge branch 'master' into adrm-ces
dwara001 committed Sep 17, 2025
2 parents 8fc5be8 + 995245d commit 4f3b248
Showing 1 changed file with 22 additions and 1 deletion.
23 changes: 22 additions & 1 deletion aws/documentation/overview.md
Expand Up @@ -24,7 +24,7 @@ future direction. Links to other more details descriptions will be provided.

# Introduction

Our environments, which you could call enclaves, are based on our enterprise data segmentation approach and align closely with the SDL. Some definitions are here: https://github.it.census.gov/badra001/public-stuff/blob/master/environments.md
Our environments, which you could call enclaves, are based on our enterprise data segmentation approach and align closely with the SDL. Some definitions are here: https://github.it.census.gov/badra001/public-stuff/blob/master/environments.md. These are all available in the Enterprise ent-gov organization AWS _Internal_ accounts.

1. common, services, shared
* this environment is reachable by all other environments
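Review bot: the period now placed directly after the environments.md URL on the added line will most likely be absorbed into the autolink by the markdown renderer, yielding a broken link that ends in `environments.md.`; wrap the URL in angle brackets (`<https://github.it.census.gov/badra001/public-stuff/blob/master/environments.md>`) or move the period. The new sentence also introduces the italicised term _Internal_ accounts without saying what distinguishes them; since _DMZ_ accounts are only introduced in the later hunk, a one-line definition of both account types here would help readers.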
Expand Down Expand Up @@ -52,6 +52,24 @@ Our environments, which you could call enclaves, are based on our enterprise dat

Keep in mind this segmentation. While s3 buckets are global, they are to be restricted by environment. Meaning, a dev bucket cannot be used by any other environment (except common/shared/services).

For the AWS _DMZ_ accounts, still part of the ent-gov organization, the `dev` SDLC capabilities do not exist.

In the Lab lab-gov organization, which is isolated from the Census production network, we have only these environments available:

1. common, services, shared
1. dev
1. test

There is no stage or prod environments, as the lab has some significant restrictions on what can be done. As listed above, the same environment connection segmentation exists.

* The Lab, aka the IT Lab, the CAT Lab, or the VLAB, is isolated from the Census production networks.
* In order to use resources in the lab, one must be provisioned into the lab, through AWS Workspaces Windows systems (VDI capabilities).
* There is currently no direct outbound internet access in the Lab. One must use the HTTP proxy to get to the internet. There is no inbound internet access into AWS.
* No protected data are permitted in the Lab. This includes, but is not limited to, PII, BII, Title 26, Title 13, and other CUI sensitive data.
* No production operations are to be conducated
* For use as a proof of concept (POC) setup, once the POC is complete, all resources are to be destroyed and if it moves forward, it must do so in the production accounts.
* Full adminstrative access will not be granted. We still follow the least-privilege approach, even in the Lab, through AWS Identity Center.

We are leveraging a number of technologies and concepts to improve the timing, costs, and efficiency overall.

* organizations
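Review bot: two spelling errors in the added lab bullets, "conducated" should be "conducted" and "adminstrative" should be "administrative", and "There is no stage or prod environments" should read "There are no stage or prod environments". The new DMZ sentence uses "SDLC" while the surrounding text uses "SDL"; use one abbreviation consistently. The bullets list the lab's controls (proxy-only outbound, no inbound internet, no protected data, least privilege via Identity Center) but not how the environment segmentation is enforced in lab-gov or where one requests provisioning; a pointer to that policy or procedure would make this section usable on its own.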
Expand Down Expand Up @@ -149,3 +167,6 @@ We are leveraging a number of technologies and concepts to improve the timing, c

* 1.0.1 -- 2023-08-03
- add draft text from email message

* 1.1.0 -- 2025-09-16
- added lab details
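Review bot: the 1.1.0 changelog entry "added lab details" covers only part of this commit; the same change also adds the sentence about the ent-gov _Internal_ accounts and the note that DMZ accounts lack `dev` SDLC capabilities. List those as well so the version history matches the diff.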
