Network
Subnets in an AWS Virtual Private Cloud (VPC) cannot share address space. Each subnet is defined by a CIDR (Classless Inter-Domain Routing) block, and that block must be unique within the VPC's own CIDR range. Overlapping CIDR blocks would produce conflicting network addresses, so subnet CIDR blocks must not overlap.
A CIDR block is the range of IP addresses assigned to a VPC; it determines the size of the VPC and the structure of the subnets that can be carved out of it.
Consider the following when selecting an address for your VPC CIDR block:
The size of your network: a /16 CIDR block holds 65,536 IP addresses, whereas a /28 block holds only 16. Choose a block size that provides the number of IP addresses your resources require, keeping in mind that the VPC block cannot be shrunk later.
When creating an environment, you can set a custom CIDR block for your VPC in the Advanced Options menu:
- Navigate to http://app.citadel.run and select Environment in the menu;
- Create a new Environment;
- Enter Environment Name;
- Enter AWS Account ID;
- Select the Region;
- Select Advanced Options;
- Enter your custom CIDR block.
Sample:
vpc_cidr_block: 10.10.0.0/16
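The two rules above (every subnet inside the VPC block, no two subnets overlapping) are easy to get wrong by hand. The following validator is an added example, not part of the citadel.run documentation; the plan dictionary and CIDRs are constructed sample input, and the /16 to /28 limit and the five reserved addresses per subnet are AWS rules, not citadel.run settings.

```python
# Added example (not from the citadel.run docs): validate a VPC subnet plan.
import ipaddress
from typing import Dict, List


def validate_subnet_plan(vpc_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is valid."""
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects host bits set in the address (e.g. 10.10.1.1/24)
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        if net.version != vpc.version:
            problems.append(f"{name}: {cidr} is not the same IP version as {vpc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC range {vpc}")
        if not 16 <= net.prefixlen <= 28:
            # AWS only accepts VPC and subnet prefixes between /16 and /28
            problems.append(f"{name}: {cidr} prefix must be between /16 and /28")
        nets[name] = net
    # pairwise overlap check; order the names so the report is deterministic
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def usable_addresses(cidr: str) -> int:
    """Addresses left for hosts: AWS reserves the first four and the last address
    of every subnet, so a /28 (16 addresses) leaves 11."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 5


if __name__ == "__main__":
    # constructed sample plan: one subnet overlaps another, one is outside the VPC
    plan = {"public-a": "10.10.0.0/24", "public-b": "10.10.1.0/24",
            "private-a": "10.10.0.128/25", "outside": "10.20.0.0/24"}
    for problem in validate_subnet_plan("10.10.0.0/16", plan):
        print(problem)
```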
Monitoring
AWS GuardDuty is a threat detection service for your Amazon Web Services infrastructure. Its alarms (GuardDuty findings) are an important part of the service: they notify you of potential security threats and give detailed information about each one, so you can act before further damage is done.
GuardDuty alarms help you identify and respond to security incidents quickly, improving the overall security of your AWS infrastructure. Because they provide an auditable record of security incidents, the alarms also help you comply with security regulations and standards.
- Navigate to http://app.citadel.run and select Management in the menu;
- Select Security Events in the left menu;
- Enable or disable GuardDuty and Save.
Security
AWS creates a default VPC in every region to provide convenience, consistency, and security to its customers.
Convenience: In each region, a default VPC is created automatically, making it easier for new AWS customers to get started with the cloud. Customers can use the default VPC to launch EC2 instances, RDS databases, and other AWS resources without having to build their own network infrastructure.
Consistency: Having a default VPC in each region aids in AWS environment consistency. Customers can expect the same basic network infrastructure in each region, making application deployment across multiple regions easier.
Security: The default VPC gives customers an isolated network in which to deploy their resources. Customers can also manage network security in the default VPC through security groups, network ACLs, and VPC peering.
To delete a default VPC, you can follow these steps:
- Go to the AWS Console;
- Choose a region (top right corner of the console);
- Check that no EC2 instances or other resources are running in the VPC you want to delete;
- Navigate to the AWS Management Console's VPC dashboard;
- Choose the VPC you want to delete;
- Select "Delete VPC" from the "Actions" drop-down menu;
- Follow instructions and click "Yes, Delete" to confirm the deletion.
- Repeat these steps for each region in each account to remove all default VPCs.
Note: Do not delete the default VPC if doing so could affect other services that use it. Before deleting a default VPC, make sure you understand the implications and that no resources or services rely on it.
Also consider the impact on resources tied to the VPC, such as Elastic IP addresses, subnets, security groups, and VPC peering connections: when you delete the default VPC, these are deleted with it. If you want to keep anything that lives in the default VPC, create a new VPC and move it there before deleting the default VPC.
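The step "check that no resources are running in the VPC" is the one most often skipped. The script below is an added example, not citadel.run's own tooling: it lists the elastic network interfaces (every attached resource, such as an EC2 instance, RDS instance, NAT gateway or load balancer, owns one) and peering connections of the default VPC in each region. It assumes boto3 is installed and AWS credentials are configured; the ENI and peering records in the main block are constructed sample data shaped like the describe_* responses.

```python
# Added example (not from the citadel.run docs): report what still depends on
# a default VPC before it is deleted. boto3 is assumed to be installed.
from typing import Dict, List


def dependency_report(enis: List[dict], peerings: List[dict]) -> Dict[str, List[str]]:
    """Group in-use resources by type from describe_network_interfaces and
    describe_vpc_peering_connections results. A non-empty ENI list means the
    VPC is still in use by something (instances, RDS, NAT gateways, ELBs, ...)."""
    report: Dict[str, List[str]] = {}
    for eni in enis:
        kind = eni.get("InterfaceType", "interface")
        owner = eni.get("Attachment", {}).get("InstanceId") or eni.get("Description", "")
        report.setdefault(kind, []).append(f"{eni['NetworkInterfaceId']} {owner}".strip())
    for pcx in peerings:
        # only peerings that are still live block deletion
        if pcx.get("Status", {}).get("Code") in ("active", "pending-acceptance", "provisioning"):
            report.setdefault("vpc-peering", []).append(pcx["VpcPeeringConnectionId"])
    return report


def check_default_vpc(region: str) -> Dict[str, object]:
    """Find the default VPC in a region and return its blockers (empty = safe)."""
    import boto3  # imported here so the pure logic above stays importable offline
    ec2 = boto3.client("ec2", region_name=region)
    vpcs = ec2.describe_vpcs(Filters=[{"Name": "is-default", "Values": ["true"]}])["Vpcs"]
    if not vpcs:
        return {"region": region, "default_vpc": None, "blockers": {}}
    vpc_id = vpcs[0]["VpcId"]
    enis = ec2.describe_network_interfaces(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["NetworkInterfaces"]
    pcx = []
    for side in ("requester-vpc-info.vpc-id", "accepter-vpc-info.vpc-id"):
        pcx += ec2.describe_vpc_peering_connections(
            Filters=[{"Name": side, "Values": [vpc_id]}])["VpcPeeringConnections"]
    return {"region": region, "default_vpc": vpc_id, "blockers": dependency_report(enis, pcx)}


if __name__ == "__main__":
    import boto3
    for r in boto3.client("ec2").describe_regions()["Regions"]:
        result = check_default_vpc(r["RegionName"])
        state = "safe to delete" if not result["blockers"] else result["blockers"]
        print(result["region"], result["default_vpc"], state)
```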
SSO
Billing Alerts
Follow the instructions on how to enable them in the Billing Alerts documentation.
Developer experience
Compliance
The following items are only required when the customer is aiming for compliance.
Service control policies (SCPs) are a type of organisational policy that you can use to manage permissions in your organisation. SCPs give you central control over the maximum permissions available to every account in the organisation, and help you ensure that your accounts stay within your organisation's access control policies. SCPs are only available in organisations that have all features enabled; if your organisation has enabled only the consolidated billing features, SCPs are not available. The AWS documentation page Enabling and disabling policy types contains instructions for enabling SCPs.
To enable SCPs, follow these steps:
- Go to the AWS Console;
- Select the resource AWS Organizations;
- In the AWS Organizations, select Policies in the left menu;
- Select Service control policies and enable it;
- Click Create policy;
- Create the two policies listed below. The first denies the use of any region other than ap-southeast-2 (Sydney), except for global services and the account-level calls listed under NotAction; the second protects the audit trail (the archive-* S3 buckets, GuardDuty, AWS Config, CloudTrail and organisation membership) from being switched off or deleted.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideAU",
      "Effect": "Deny",
      "NotAction": [
        "a4b:*",
        "acm:*",
        "aws-marketplace-management:*",
        "aws-marketplace:*",
        "aws-portal:*",
        "budgets:*",
        "ce:*",
        "chime:*",
        "cloudfront:*",
        "config:*",
        "cur:*",
        "directconnect:*",
        "ec2:DescribeRegions",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVpnGateways",
        "fms:*",
        "globalaccelerator:*",
        "health:*",
        "iam:*",
        "importexport:*",
        "kms:*",
        "mobileanalytics:*",
        "networkmanager:*",
        "organizations:*",
        "pricing:*",
        "route53:*",
        "route53domains:*",
        "s3:GetAccountPublic*",
        "s3:ListAllMyBuckets",
        "s3:PutAccountPublic*",
        "shield:*",
        "sts:*",
        "support:*",
        "trustedadvisor:*",
        "waf-regional:*",
        "waf:*",
        "wafv2:*",
        "wellarchitected:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "ap-southeast-2"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": []
        }
      }
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AuditS3DeleteLock",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::archive-*/*"
      ]
    },
    {
      "Sid": "GuarddutyLock",
      "Effect": "Deny",
      "Action": [
        "guardduty:AcceptInvitation",
        "guardduty:ArchiveFindings",
        "guardduty:CreateDetector",
        "guardduty:CreateFilter",
        "guardduty:CreateIPSet",
        "guardduty:CreateMembers",
        "guardduty:CreatePublishingDestination",
        "guardduty:CreateSampleFindings",
        "guardduty:CreateThreatIntelSet",
        "guardduty:DeclineInvitations",
        "guardduty:DeleteDetector",
        "guardduty:DeleteFilter",
        "guardduty:DeleteInvitations",
        "guardduty:DeleteIPSet",
        "guardduty:DeleteMembers",
        "guardduty:DeletePublishingDestination",
        "guardduty:DeleteThreatIntelSet",
        "guardduty:DisassociateFromMasterAccount",
        "guardduty:DisassociateMembers",
        "guardduty:InviteMembers",
        "guardduty:StartMonitoringMembers",
        "guardduty:StopMonitoringMembers",
        "guardduty:TagResource",
        "guardduty:UnarchiveFindings",
        "guardduty:UntagResource",
        "guardduty:UpdateDetector",
        "guardduty:UpdateFilter",
        "guardduty:UpdateFindingsFeedback",
        "guardduty:UpdateIPSet",
        "guardduty:UpdatePublishingDestination",
        "guardduty:UpdateThreatIntelSet"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConfigLock",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigRule",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OrgLock",
      "Effect": "Deny",
      "Action": [
        "organizations:LeaveOrganization"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudtrailLock",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail"
      ],
      "Resource": "*"
    }
  ]
}
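A region-restriction SCP is easy to get wrong in either direction (locking out IAM or STS, or leaving a region open), so it is worth checking which requests the DenyAllOutsideAU statement above would block before attaching it to an OU. The simulator below is an added example, not citadel.run's tooling: it models only that one statement (NotAction list, StringNotEquals on aws:RequestedRegion, ArnNotLike on aws:PrincipalARN, all ANDed as IAM does) and is not a full IAM policy evaluator. The exemption list is empty on the page, so it is a parameter here; the principal ARNs and account ID 111122223333 in the test are constructed.

```python
# Added example (not from the citadel.run docs): which requests does the
# DenyAllOutsideAU statement block? Models that single Deny statement only.
from fnmatch import fnmatchcase
from typing import Iterable, Sequence

ALLOWED_REGIONS = ("ap-southeast-2",)

# NotAction list copied from the policy above: global services and the
# account-level calls that must keep working from any region.
NOT_ACTIONS = [
    "a4b:*", "acm:*", "aws-marketplace-management:*", "aws-marketplace:*",
    "aws-portal:*", "budgets:*", "ce:*", "chime:*", "cloudfront:*", "config:*",
    "cur:*", "directconnect:*", "ec2:DescribeRegions", "ec2:DescribeTransitGateways",
    "ec2:DescribeVpnGateways", "fms:*", "globalaccelerator:*", "health:*", "iam:*",
    "importexport:*", "kms:*", "mobileanalytics:*", "networkmanager:*",
    "organizations:*", "pricing:*", "route53:*", "route53domains:*",
    "s3:GetAccountPublic*", "s3:ListAllMyBuckets", "s3:PutAccountPublic*",
    "shield:*", "sts:*", "support:*", "trustedadvisor:*", "waf-regional:*",
    "waf:*", "wafv2:*", "wellarchitected:*",
]


def action_matches(action: str, patterns: Iterable[str]) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def region_scp_denies(principal_arn: str, action: str, requested_region: str,
                      exempt_principal_patterns: Sequence[str] = ()) -> bool:
    """True when DenyAllOutsideAU applies to this request. All three conditions
    must hold for a Deny statement to take effect, so any one failing means
    the statement does not block the call (other policies may still)."""
    if action_matches(action, NOT_ACTIONS):
        return False  # NotAction: the action is outside the statement's scope
    if requested_region in ALLOWED_REGIONS:
        return False  # StringNotEquals is false -> condition not met
    if any(fnmatchcase(principal_arn, p) for p in exempt_principal_patterns):
        return False  # ArnNotLike: principal is on the exemption list
    return True


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:user/dev"  # constructed sample principal
    for act, reg in [("ec2:RunInstances", "us-east-1"), ("ec2:RunInstances", "ap-southeast-2"),
                     ("iam:CreateUser", "us-east-1"), ("s3:CreateBucket", "eu-west-1")]:
        print(f"{act:20} {reg:16} denied={region_scp_denies(dev, act, reg)}")
```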