Cloud Engineering weeknotes, 11 March 2022

It was Groundhog week for WordPress issues on the website, but after a lot of cross-team cooperation it has now been resolved. WordPress as a whole will hopefully become less of a strain on the team, as we have a meeting with a WordPress specialist to go over the current state and work out a way forward with it.

Some work has been done to start centralising CloudWatch logs from every account, aggregating them into a single logging account. Control Tower does some of that for us, but there are areas which aren’t covered by it. Centralising the logs in this way will give us a base from which to eventually provide some kind of centralised monitoring and alerting across the whole platform, so it is a useful building block for the future.

Some housekeeping has been done on the Palo Alto firewalls, removing some configuration which was no longer needed or was left over from testing. More work has been done to make the access to the management dashboard of the firewalls far more secure, implementing a VPN which further tightens the security around a vital part of the AWS platform. Finally in firewall-land, more work has been done to get Panorama up and running which will give us a tool that can manage our three firewall environments in one place whilst also giving us faster disaster recovery options.

Work is still ongoing to migrate the GIS systems to their own, dedicated account. This work is important to ensure some order to how our accounts are organised, whilst also making it possible for us to finish off the work to migrate our “legacy” accounts to our final network architecture.

We’re still closely collaborating with the security team, having had a very productive meeting around potential vulnerabilities in our setup and how we can provide their team with more direct access to AWS so they will be able to see for themselves where we have issues.

Beyond that there has been the usual support and guidance that we provide around AWS access requests, 1Password requests (which is another orphaned service we’ve taken on) and cross account communication for some of the ongoing data recovery activities.
