Cloud Standard

Description

The Library and Technology Services organization has established a Cloud Standard to define how IaaS and PaaS services in the cloud should be architected, designed, secured, and managed. This standard applies to all cloud platforms, such as AWS, Azure, and Google Cloud Platform. It does not apply to SaaS cloud services.

Scope

This standard applies to the Library and Technology Services organization.
Infrastructure is defined as the components needed to deliver cloud services, including hardware, abstracted resources, storage, services, and network resources, as they relate to IaaS and PaaS.

Infrastructure as Code

Regardless of the cloud platform, the cloud console (the GUI) should not be used to deploy infrastructure unless the platform does not support doing so programmatically. Supported infrastructure-as-code tooling includes, but is not limited to, AWS CloudFormation, Google Cloud Deployment Manager, and Azure PowerShell.

Security

All cloud deployments must comply with the following.

  • Least privilege must be followed at all times

  • Encryption must be used at all times for data in transit and data at rest in the cloud

  • AWS Specific

    • The account must be added as a Security Hub member account

    • CloudTrail logs for the account must be sent to ELK

    • GuardDuty must be enabled

  • Compute resources must be set up to be scanned for vulnerabilities

  • The approved EDR solution, CrowdStrike, must be installed on all compute resources
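Because the Infrastructure as Code section requires that accounts be built from templates rather than from the console, the AWS requirements above can be checked before a stack is ever deployed. The following is an added example, not part of the standard or of any AWS tooling: a small pre-deployment check that reads a CloudFormation template in its JSON form (already parsed into a dict) and reports which of the standard's rules it fails. The rule set is one reading of the requirements above (default encryption and public-access blocking on S3 buckets, a bucket policy denying non-TLS requests, an enabled GuardDuty detector, Security Hub enabled, and a logging, multi-region, validated, KMS-encrypted CloudTrail). The sample template is constructed for illustration and abbreviated: the KMS key `LogKey` and the bucket policy that allows CloudTrail to write are omitted, so it is not a complete deployable stack, and adding the account as a Security Hub member is done from the administrator account and is not visible in a template.

```python
"""Pre-production check of a CloudFormation template (JSON form) against the
AWS security requirements of the Cloud Standard.  Added example; the rules
are one reading of the standard and the template below is constructed and
abbreviated (KMS key "LogKey" and the CloudTrail write policy are omitted)."""
import copy


def _by_type(template):
    """Group resources as {Type: [(logical name, Properties), ...]}."""
    grouped = {}
    for name, res in template.get("Resources", {}).items():
        grouped.setdefault(res.get("Type"), []).append((name, res.get("Properties", {})))
    return grouped


def check_template(template):
    """Return a list of findings; an empty list means every rule passed."""
    by_type = _by_type(template)
    findings = []

    # Encryption at rest: every S3 bucket declares default server-side
    # encryption and blocks public access.
    for name, props in by_type.get("AWS::S3::Bucket", []):
        rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
        if not any("ServerSideEncryptionByDefault" in r for r in rules):
            findings.append(f"{name}: S3 bucket has no default encryption")
        if not props.get("PublicAccessBlockConfiguration"):
            findings.append(f"{name}: S3 bucket has no public access block")

    # Encryption in transit: a bucket policy must deny requests made without
    # TLS (aws:SecureTransport = false).
    tls_enforced = set()
    for _, props in by_type.get("AWS::S3::BucketPolicy", []):
        for stmt in props.get("PolicyDocument", {}).get("Statement", []):
            secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
            if stmt.get("Effect") == "Deny" and str(secure).lower() == "false":
                bucket = props.get("Bucket")
                tls_enforced.add(bucket.get("Ref") if isinstance(bucket, dict) else bucket)
    for name, _ in by_type.get("AWS::S3::Bucket", []):
        if name not in tls_enforced:
            findings.append(f"{name}: no bucket policy denies aws:SecureTransport=false")

    # GuardDuty must be enabled in the account.
    detectors = by_type.get("AWS::GuardDuty::Detector", [])
    if not any(props.get("Enable") is True for _, props in detectors):
        findings.append("no enabled AWS::GuardDuty::Detector")

    # Security Hub must be enabled; member enrolment with the administrator
    # account happens from that account and is not expressed in a template.
    if not by_type.get("AWS::SecurityHub::Hub"):
        findings.append("no AWS::SecurityHub::Hub resource")

    # CloudTrail (the trail whose logs are forwarded to ELK) must be logging,
    # multi-region, integrity-validated and KMS-encrypted at rest.
    trails = by_type.get("AWS::CloudTrail::Trail", [])
    if not trails:
        findings.append("no AWS::CloudTrail::Trail resource")
    for name, props in trails:
        for key in ("IsLogging", "IsMultiRegionTrail", "EnableLogFileValidation"):
            if props.get(key) is not True:
                findings.append(f"{name}: trail property {key} is not true")
        if "KMSKeyId" not in props:
            findings.append(f"{name}: trail log files are not KMS-encrypted")
    return findings


# Constructed, abbreviated template that satisfies the rules above.
HARDENED = {"Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [{
            "ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                              "KMSMasterKeyID": {"Ref": "LogKey"}}}]},
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "BlockPublicPolicy": True,
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
    "LogBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "LogBucket"},
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [{"Fn::GetAtt": ["LogBucket", "Arn"]},
                         {"Fn::Sub": "${LogBucket.Arn}/*"}],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}}},
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsLogging": True, "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True, "EnableLogFileValidation": True,
        "S3BucketName": {"Ref": "LogBucket"}, "KMSKeyId": {"Ref": "LogKey"}}},
    "Detector": {"Type": "AWS::GuardDuty::Detector", "Properties": {"Enable": True}},
    "Hub": {"Type": "AWS::SecurityHub::Hub"},
}}


def weak_template():
    """The same template with the encryption and GuardDuty settings dropped,
    the way a console-built account often ends up."""
    weak = copy.deepcopy(HARDENED)
    res = weak["Resources"]
    del res["LogBucket"]["Properties"]["BucketEncryption"]
    del res["LogBucketPolicy"]
    res["Detector"]["Properties"]["Enable"] = False
    del res["Trail"]["Properties"]["KMSKeyId"]
    return weak


if __name__ == "__main__":
    for label, tpl in (("hardened", HARDENED), ("weak", weak_template())):
        print(label, check_template(tpl) or "PASS")
```

Run as a script, the hardened template passes and the weakened copy produces four findings (missing bucket encryption, no TLS-only bucket policy, GuardDuty disabled, unencrypted trail logs). A check like this complements, rather than replaces, the Prowler review required before production: Prowler inspects the live account, whereas this runs on the template in the change request, before anything is deployed.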

Productionizing an account, solution, or service

When an account, solution, or service moves from sandbox and testing to production, the following must occur and be approved by the steering committee.

  • All networking must be set up and approved by the Network Engineering Team

  • Must adhere to our Backup Standard

  • Must adhere to established Change Management Standard and Procedure

  • Develop and document procedures for monitoring the account, solution, or service.

  • For AWS, run Prowler and review the output with the Cloud steering committee. All actions arising from the review must be completed, or exceptions granted, before production

  • HIPAA and secure research deployments must be reviewed and approved by the HDW committee

Related

Detail associated standards and guidance.

Definitions

List any terms used in this standard which need to be defined for the reader's understanding.

Revision History

Date          Version   Description                    Approval
Sep 19, 2022  1.0       Eric Zematis, CISO Approval    Approved
