diff --git a/aws/documentation/overview.md b/aws/documentation/overview.md index 2f982345..254dc460 100644 --- a/aws/documentation/overview.md +++ b/aws/documentation/overview.md @@ -24,7 +24,7 @@ future direction. Links to other more details descriptions will be provided. # Introduction -Our environments, which you could call enclaves, are based on our enterprise data segmentation approach and align closely with the SDL. Some definitions are here: https://github.it.census.gov/badra001/public-stuff/blob/master/environments.md +Our environments, which you could call enclaves, are based on our enterprise data segmentation approach and align closely with the SDL. Some definitions are here: https://github.it.census.gov/badra001/public-stuff/blob/master/environments.md. These are all available in the Enterprise ent-gov organization AWS _Internal_ accounts. 1. common, services, shared * this environment is reachable by all other environments 
@@ -52,6 +52,24 @@ Our environments, which you could call enclaves, are based on our enterprise dat Keep in mind this segmentation. While s3 buckets are global, they are to be restricted by environment. Meaning, a dev bucket cannot be used by any other environment (except common/shared/services). +For the AWS _DMZ_ accounts, still part of the ent-gov organization, the `dev` SDLC capabilities do not exist. + +In the Lab lab-gov organization, which is isolated from the Census production network, we have only these environments available: + +1. common, services, shared +1. dev +1. test + +There is no stage or prod environments, as the lab has some significant restrictions on what can be done. As listed above, the same environment connection segmentation exists. + +* The Lab, aka the IT Lab, the CAT Lab, or the VLAB, is isolated from the Census production networks. +* In order to use resources in the lab, one must be provisioned into the lab, through AWS Workspaces Windows systems (VDI capabilities). +* There is currently no direct outbound internet access in the Lab. One must use the HTTP proxy to get to the internet. There is no inbound internet access into AWS. +* No protected data are permitted in the Lab. This includes, but is not limited to, PII, BII, Title 26, Title 13, and other CUI sensitive data. +* No production operations are to be conducated +* For use as a proof of concept (POC) setup, once the POC is complete, all resources are to be destroyed and if it moves forward, it must do so in the production accounts. +* Full adminstrative access will not be granted. We still follow the least-privilege approach, even in the Lab, through AWS Identity Center. + We are leveraging a number of technologies and concepts to improve the timing, costs, and efficiency overall. * organizations 
@@ -149,3 +167,6 @@ We are leveraging a number of technologies and concepts to improve the timing, c * 1.0.1 -- 2023-08-03 - add draft text from email message + +* 1.1.0 -- 2025-09-16 + - added lab details
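Review bot: In the first hunk (overview.md @@ -24,7), the new sentence "These are all available in the Enterprise ent-gov organization AWS _Internal_ accounts." is appended to the same line as the definitions URL, and the period now placed directly after `environments.md` will be swallowed into the autolinked URL by most Markdown renderers, producing a broken link. Put the new sentence on its own line (or a new paragraph) so the URL ends cleanly. While in this line, the unchanged context "Links to other more details descriptions" should read "Links to other, more detailed descriptions".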
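Review bot: In the second hunk (overview.md @@ -52,6), the DMZ sentence says only that "the `dev` SDLC capabilities do not exist" without stating which environments the DMZ accounts do have, and the proxy sentence ("One must use the HTTP proxy to get to the internet") names no proxy endpoint or a link to where it is documented; both should be made as explicit as the lab-gov environment list is (e.g. "In the DMZ accounts only common/services/shared, test, stage and prod exist" if that is the case, and a pointer to the proxy configuration). Also apply the same per-environment S3 bucket restriction stated just above ("a dev bucket cannot be used by any other environment") to the lab-gov list, since the text says "the same environment connection segmentation exists" but buckets are global and span the lab's dev and test. Typos and grammar in the added lines: "There is no stage or prod environments" should be "There are no stage or prod environments"; "No production operations are to be conducated" should end "conducted" and needs a terminating period; "Full adminstrative access" should be "Full administrative access"; "No protected data are permitted" reads better as "No protected data is permitted".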
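Review bot: In the third hunk (overview.md @@ -149,3), the changelog entry "1.1.0 -- 2025-09-16 / added lab details" does not cover the other two substantive changes in this patch: the new statement that the environments live in the ent-gov _Internal_ accounts, and the new DMZ note that `dev` does not exist there. Add them to the entry (e.g. "- note Internal vs DMZ account environments"), and match the imperative style of the existing entry ("add draft text from email message") by writing "add lab details" rather than "added lab details".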