Environments (AWS accounts) security
This document should be read in conjunction with the MOJ Security Guidance - Baseline for Amazon Web Services accounts.
As part of our offering in the Modernisation Platform, we secure all environments (AWS accounts) to mitigate risk and protect teams from common security concerns.
AWS services for secure baselines
We enable the following AWS services for you in all accounts, as part of our secure baselines:
Tagging policies
The MOJ has its own tagging standard.
All accounts within the Modernisation Platform inherit the tag policy that includes these tags, which you can view as part of the AWS Resource Groups: Tag Policies service. You must ensure that your resources are tagged in accordance with the policy.
We can see an overview of compliance across the Modernisation Platform and we will help you in meeting this requirement if needed.
Regional restrictions
We restrict the regional usage of accounts that sit within the Modernisation Platform. We use a Service Control Policy (SCP) to do this.
In accordance with the Security Guidance, you should only use EU AWS regions.
All accounts within the Modernisation Platform can only use:
Regional services
You can use all services in these regions:
eu-central-1 - Europe (Frankfurt)
eu-west-1 - Europe (Ireland)
eu-west-2 - Europe (London)
You should use eu-west-2 for everything, by default.
Global services
Global services are backed by us-east-1 in AWS: they have a single API endpoint located in that region, so calls to services such as IAM are always evaluated as requests to us-east-1.
You should use us-east-1 for global services only.
Transit Gateway Network Manager
Transit Gateway Network Manager is backed by us-west-2 in AWS.
You should use us-west-2 for Transit Gateway Network Manager only.
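To make the regional rules above concrete, here is an added example (not the Modernisation Platform's own SCP, whose exact contents this page does not reproduce) in the shape AWS documents for region restriction: a Deny that applies to every action outside the EU regions except a short list of global services and Network Manager, plus a second Deny that pins Network Manager to us-west-2. A small evaluator, covering only the constructs this policy uses (Deny, Action, NotAction, StringNotEquals on aws:RequestedRegion), shows which requests get blocked. The exempt service list, statement IDs and sample requests are constructed assumptions; the evaluator also assumes the default FullAWSAccess allow remains attached, so explicit denies alone decide the outcome.

```python
import fnmatch

# Illustrative region-restriction SCP, constructed for this example.
# It is NOT the Modernisation Platform's actual policy.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideEuRegions",
            "Effect": "Deny",
            # Global services are exempt: their single endpoint is in
            # us-east-1, so a plain EU-only condition would block them.
            # Network Manager is exempt here and pinned by the next statement.
            "NotAction": [
                "iam:*", "organizations:*", "sts:*", "route53:*", "cloudfront:*",
                "support:*", "budgets:*", "ce:*", "health:*", "account:*",
                "networkmanager:*",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": ["eu-central-1", "eu-west-1", "eu-west-2"]
                }
            },
        },
        {
            "Sid": "DenyNetworkManagerOutsideUsWest2",
            "Effect": "Deny",
            "Action": ["networkmanager:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["us-west-2"]}
            },
        },
    ],
}


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and '*' matches any characters.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_applies(stmt, action, region):
    """True if this statement's Action/NotAction and Condition match the request."""
    if "Action" in stmt and not any(_action_matches(p, action) for p in stmt["Action"]):
        return False
    if "NotAction" in stmt and any(_action_matches(p, action) for p in stmt["NotAction"]):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} not handled by this toy evaluator")
        for key, values in keys.items():
            if key != "aws:RequestedRegion":
                raise NotImplementedError(f"condition key {key} not handled by this toy evaluator")
            if isinstance(values, str):
                values = [values]
            if region in values:
                return False  # request is in an allowed region; condition not met
    return True


def scp_allows(policy, action, region):
    """Return True unless some Deny statement matches the request.

    Assumes FullAWSAccess (the default SCP) is still attached, so the SCP
    boundary is decided purely by explicit denies.
    """
    return not any(
        stmt["Effect"] == "Deny" and _statement_applies(stmt, action, region)
        for stmt in policy["Statement"]
    )


# Constructed sample requests: (action, aws:RequestedRegion, expected outcome).
REQUESTS = [
    ("ec2:RunInstances", "eu-west-2", True),
    ("ec2:RunInstances", "eu-central-1", True),
    ("ec2:RunInstances", "us-east-1", False),          # regional service outside the EU
    ("s3:CreateBucket", "ap-southeast-1", False),
    ("iam:CreateRole", "us-east-1", True),             # global service, exempt from the EU condition
    ("networkmanager:CreateGlobalNetwork", "us-west-2", True),
    ("networkmanager:CreateGlobalNetwork", "eu-west-2", False),
    ("ec2:DescribeInstances", "us-west-2", False),     # us-west-2 is for Network Manager only
]


def check_all(policy=REGION_SCP, requests=REQUESTS):
    """Evaluate every sample request; returns {(action, region): allowed}."""
    return {(a, r): scp_allows(policy, a, r) for a, r, _ in requests}


if __name__ == "__main__":
    for action, region, expected in REQUESTS:
        got = scp_allows(REGION_SCP, action, region)
        status = "allow" if got else "DENY"
        print(f"{action:38} {region:15} {status:6} {'ok' if got == expected else 'MISMATCH'}")
```

Two points worth checking against whatever SCP you actually attach: every service in the NotAction list is removed from the region condition entirely, so keep that list to services that genuinely need it and review it when it changes; and SCPs do not apply to the organisation's management account, so a restriction like this only protects member accounts.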
Enabling other regions for service-specific use
If you think you need another region for a particular service, let us know in the #ask-modernisation-platform Slack channel.
More information
The modernisation-platform-terraform-baselines Terraform module implements further reasonable security, identity, and compliance services.