From 86a57f52d9c49ca1b360e5fc67e530bff7b11b4d Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 16 Sep 2025 12:02:31 -0400 Subject: [PATCH 1/4] add lab details --- aws/documentation/overview.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/aws/documentation/overview.md b/aws/documentation/overview.md index 2f982345..c1d2c804 100644 --- a/aws/documentation/overview.md +++ b/aws/documentation/overview.md @@ -24,7 +24,7 @@ future direction. Links to other more details descriptions will be provided. # Introduction -Our environments, which you could call enclaves, are based on our enterprise data segmentation approach and align closely with the SDL. Some definitions are here: https://github.it.census.gov/badra001/public-stuff/blob/master/environments.md +Our environments, which you could call enclaves, are based on our enterprise data segmentation approach and align closely with the SDL. Some definitions are here: https://github.it.census.gov/badra001/public-stuff/blob/master/environments.md. These are all available in the Enterprise ent-gov organization AWS _Internal_ accounts. 1. common, services, shared * this environment is reachable by all other environments 
@@ -52,6 +52,24 @@ Our environments, which you could call enclaves, are based on our enterprise dat Keep in mind this segmentation. While s3 buckets are global, they are to be restricted by environment. Meaning, a dev bucket cannot be used by any other environment (except common/shared/services). +For the AWS _DMZ_ accounts, still part of the ent-gov organization, the `dev` SDLC capabilities do not exist. + +In the Lab lab-gov organization, which is isolated from the Census production network, we have only these environments available: + +1. common, services, shared +1. dev +1. test + +There is no stage or prod environments, as the lab has some significant restrictions on what can be done. + +* The Lab, aka the IT Lab, the CAT Lab, or the VLAB, is isolated from the Census production networks. +* In order to use resources in the lab, one must be provisioned into the lab, through `AWS Workspaces` Windows systems (VDI capabilities). +* There is currently no internet access in the Lab. There is a Lab _DMZ_ setup in progress. +* No protected data are permitted in the Lab. This includes, but is not limited to, PII, BII, Title 26, Title 13, and other CUI sensitive data. +* No production operations are to be conducated +* For use as a proof of concept (POC) setup, once the POC is complete, all resoures are to be destroyed and if it moves forward, it must do so in the production accounts. +* Full adminstrative access will not be granted. We still follow the least-privilege approach, even in the Lab, through AWS Identity Center. + We are leveraging a number of technologies and concepts to improve the timing, costs, and efficiency overall. * organizations @@ -149,3 +167,6 @@ We are leveraging a number of technologies and concepts to improve the timing, c * 1.0.1 -- 2023-08-03 - add draft text from email message + +* 1.1.0 -- 2025-09-16 + - added lab details From bc1751b45e12a4d6e245a25be7760f868fb7ad56 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Tue, 16 Sep 2025 12:05:33 -0400 Subject: [PATCH 2/4] update --- aws/documentation/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/documentation/overview.md b/aws/documentation/overview.md index c1d2c804..f3bd7430 100644 --- a/aws/documentation/overview.md +++ b/aws/documentation/overview.md @@ -60,7 +60,7 @@ In the Lab lab-gov organization, which is isolated from the Census production ne 1. dev 1. test -There is no stage or prod environments, as the lab has some significant restrictions on what can be done. +There is no stage or prod environments, as the lab has some significant restrictions on what can be done. As listed above, the same environment connection segmentation exists. * The Lab, aka the IT Lab, the CAT Lab, or the VLAB, is isolated from the Census production networks. * In order to use resources in the lab, one must be provisioned into the lab, through `AWS Workspaces` Windows systems (VDI capabilities). From 4c7d84d5dbab047e2de9f2801db1a1ee635fb6b5 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 16 Sep 2025 12:32:31 -0400 Subject: [PATCH 3/4] fix --- aws/documentation/overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws/documentation/overview.md b/aws/documentation/overview.md index f3bd7430..1440a477 100644 --- a/aws/documentation/overview.md +++ b/aws/documentation/overview.md 
@@ -63,11 +63,11 @@ In the Lab lab-gov organization, which is isolated from the Census production ne There is no stage or prod environments, as the lab has some significant restrictions on what can be done. As listed above, the same environment connection segmentation exists. * The Lab, aka the IT Lab, the CAT Lab, or the VLAB, is isolated from the Census production networks. -* In order to use resources in the lab, one must be provisioned into the lab, through `AWS Workspaces` Windows systems (VDI capabilities). +* In order to use resources in the lab, one must be provisioned into the lab, through AWS Workspaces Windows systems (VDI capabilities). * There is currently no internet access in the Lab. There is a Lab _DMZ_ setup in progress. * No protected data are permitted in the Lab. This includes, but is not limited to, PII, BII, Title 26, Title 13, and other CUI sensitive data. * No production operations are to be conducated -* For use as a proof of concept (POC) setup, once the POC is complete, all resoures are to be destroyed and if it moves forward, it must do so in the production accounts. +* For use as a proof of concept (POC) setup, once the POC is complete, all resources are to be destroyed and if it moves forward, it must do so in the production accounts. * Full adminstrative access will not be granted. We still follow the least-privilege approach, even in the Lab, through AWS Identity Center. We are leveraging a number of technologies and concepts to improve the timing, costs, and efficiency overall. From 995245dd25355aeeff548fd4d943cf8acd1acfdf Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 16 Sep 2025 14:18:42 -0400 Subject: [PATCH 4/4] update --- aws/documentation/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/documentation/overview.md b/aws/documentation/overview.md index 1440a477..254dc460 100644 --- a/aws/documentation/overview.md +++ b/aws/documentation/overview.md 
@@ -64,7 +64,7 @@ There is no stage or prod environments, as the lab has some significant restrict * The Lab, aka the IT Lab, the CAT Lab, or the VLAB, is isolated from the Census production networks. * In order to use resources in the lab, one must be provisioned into the lab, through AWS Workspaces Windows systems (VDI capabilities). -* There is currently no internet access in the Lab. There is a Lab _DMZ_ setup in progress. +* There is currently no direct outbound internet access in the Lab. One must use the HTTP proxy to get to the internet. There is no inbound internet access into AWS. * No protected data are permitted in the Lab. This includes, but is not limited to, PII, BII, Title 26, Title 13, and other CUI sensitive data. * No production operations are to be conducated * For use as a proof of concept (POC) setup, once the POC is complete, all resources are to be destroyed and if it moves forward, it must do so in the production accounts.
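Review bot: in the first hunk of patch 1/4 (@@ -24,7), the added sentence ends a bare URL with a period, so Markdown autolinking will likely fold the trailing `.` into the link to `environments.md` and produce a broken link; wrap the URL in angle brackets, e.g. `Some definitions are here: <https://github.it.census.gov/badra001/public-stuff/blob/master/environments.md>.`, or move the period. The new sentence about the `_Internal_` accounts also reads more clearly as `available in the AWS _Internal_ accounts of the Enterprise ent-gov organization`.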
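Review bot: the second hunk of patch 1/4 (@@ -52,6) introduces three typos that should be fixed before merge: `conducated` (conducted), `resoures` (resources) and `adminstrative` (administrative); `There is no stage or prod environments` should read `There are no stage or prod environments`, and the `No production operations are to be conducated` bullet is missing its terminal period. The restriction list states policy (no protected data, no full administrative access, least privilege via AWS Identity Center) but not how it is enforced or where a user requests lab provisioning; a pointer to the provisioning process and to the Identity Center permission sets in use would make the section actionable rather than declarative.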
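Review bot: the changelog entry added in the third hunk of patch 1/4 (@@ -149,3) uses the past tense (`added lab details`) while the entry directly above it uses the imperative (`add draft text from email message`); pick one form for the log. The minor version bump to 1.1.0 is appropriate for a new section.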
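Review bot: the sentence added in patch 2/4 (@@ -60,7), `As listed above, the same environment connection segmentation exists.`, does not say what it refers to; state explicitly that the lab environments follow the same rules as the ent-gov ones (common/services/shared reachable by every environment, every other environment restricted to itself, buckets restricted by environment). The same line still carries `There is no stage or prod environments`, which should be `There are no stage or prod environments`.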
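Review bot: patch 3/4 (@@ -63,11) corrects `resoures` but leaves two typos on unchanged lines of the same hunk, `conducated` and `adminstrative`; since this commit is the `fix` commit, correct those here too rather than in a later pass. Removing the backticks around AWS Workspaces is fine, as it is a product name rather than code, and it keeps the bullet consistent with the unquoted `AWS Identity Center` two lines below.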
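Review bot: the rewritten bullet in patch 4/4 (@@ -64,7) says `One must use the HTTP proxy to get to the internet` but never identifies the proxy or where its endpoint and allow-list are documented; the control this line describes is that the proxy is the only egress path, so name it (or link to its documentation) and say whether egress is filtered to an allow-list. The removed sentence `There is a Lab _DMZ_ setup in progress` has no replacement; if the proxy supersedes the DMZ plan, say so, otherwise the DMZ status is now undocumented. Also scope `There is no inbound internet access into AWS`, e.g. `into the Lab AWS accounts`, since the same file also describes ent-gov `_DMZ_` accounts and a reader could take the statement as applying to all of them.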