Cloud Platform
How to set up a cloud platform from scratch
Identity and Access Management (IAM)
- Set up User Directory
- Set up Admin Account and separate it from the root account
- Set up Multi-Factor Authentication (MFA) / security key
- Set up Password Policy
- Set up Role Based Access Control (RBAC)
  - define roles
  - assign roles to users
- Audit
  - regular audit of IAM
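The IAM checklist above ends with a regular audit; as an added example (not part of the original outline), this provider-agnostic script checks a constructed account inventory against the checklist items: root/admin separation, MFA, roles drawn only from a defined catalogue, and dormant accounts. The role names, the inventory and the 90-day threshold are assumptions made for the example.

```python
"""Added example: IAM audit over a constructed inventory (not a real platform)."""
from datetime import date

# Hypothetical role catalogue (the roles the platform has explicitly defined).
DEFINED_ROLES = {"owner", "viewer", "developer", "platform-admin"}
PRIVILEGED_ROLES = {"owner", "platform-admin"}
MAX_INACTIVE_DAYS = 90  # assumed review threshold for dormant accounts

# Constructed sample inventory; none of these are real accounts.
INVENTORY = [
    {"user": "root", "roles": {"owner"}, "mfa": True, "root": True,
     "last_login": date(2024, 5, 2)},
    {"user": "alice", "roles": {"platform-admin"}, "mfa": False, "root": False,
     "last_login": date(2024, 5, 1)},
    {"user": "bob", "roles": {"developer", "billing-legacy"}, "mfa": True,
     "root": False, "last_login": date(2024, 4, 28)},
    {"user": "carol", "roles": {"viewer"}, "mfa": True, "root": False,
     "last_login": date(2023, 11, 1)},
]
AUDIT_DATE = date(2024, 5, 3)  # constructed "today" so the run is reproducible


def audit_iam(inventory, today, defined_roles=DEFINED_ROLES,
              privileged_roles=PRIVILEGED_ROLES, max_inactive_days=MAX_INACTIVE_DAYS):
    """Return a list of (user, finding) tuples, one per checklist violation."""
    findings = []
    for acct in inventory:
        user = acct["user"]
        idle_days = (today - acct["last_login"]).days
        # Root should not be used for day-to-day admin work; a recent login is a finding.
        if acct["root"] and idle_days < max_inactive_days:
            findings.append((user, "root account used recently; use a separate admin account"))
        # MFA is mandatory for everyone; call out privileged accounts explicitly.
        if not acct["mfa"]:
            level = "privileged" if acct["roles"] & privileged_roles else "standard"
            findings.append((user, f"MFA not enabled ({level} account)"))
        # RBAC hygiene: every assigned role must exist in the defined catalogue.
        for role in sorted(acct["roles"] - defined_roles):
            findings.append((user, f"undefined role assigned: {role}"))
        # Dormant accounts are candidates for de-provisioning in the regular audit.
        if idle_days > max_inactive_days:
            findings.append((user, f"inactive for more than {max_inactive_days} days"))
    return findings


def run_audit():
    """Run the audit over the constructed inventory as of AUDIT_DATE."""
    return audit_iam(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user}: {finding}")
```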
Resource Management
- Project and Resource Hierarchy
- Access Management and Policy
- Naming Convention and Tagging
- Provisioning and De-provisioning, Infrastructure as Code
- Cost Management
  - keep cost transparent and make cost-conscious decisions
  - FinOps: inform, optimize, operate
  - Budgets, Alerts
Network
- Design VPC and Subnets
- Hub and Spoke design (VPC peering)
  - by environment (dev, test, prod, common services)
  - by business unit (Data, Infrastructure, Application, Common Services)
  - the fewer the better (keep it simple and reduce maintenance overhead)
- Routing and Firewall
  - static rules may not suit Kubernetes clusters, given the dynamic nature and scale of the cluster (a service mesh is the better option there)
- DNS
  - private DNS zone vs public DNS zone
  - DNS forwarding between cloud and on-premises
Observability
- High-level Strategy: Goals, Metrics, KPIs
- Lifecycle: collect, store, analyze, export, visualize, alert
  - collect: resource metrics, logs, traces
  - store: retention policy, cost optimization
  - analyze: query, aggregation, correlation, tracing, security analysis (threat detection)
Security
- NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
- Layered Security
- System
  - SIEM (Security Information and Event Management)
  - WAF (Web Application Firewall)
  - IDS (Intrusion Detection System) and IPS (Intrusion Prevention System)
  - DLP (Data Loss Prevention)