For all AWS accounts managed by Rackspace, whether created new via the Fanatical Support for AWS Control Panel or created directly with AWS and transferred to Rackspace, we automatically apply several default settings to the account based on best practices we have developed in cooperation with AWS. You should not change or disable any of these default settings, as they are critical to our delivery of Fanatical Support.
- AWS IAM (Identity and Access Management)
- Setup an IAM role named "Rackspace" for ongoing access to the account (see AWS Identity and Access Management (IAM) for additional details)
- Set the IAM account password policy for all passwords
- At least 12 characters in length
- Contain at least one uppercase character
- Contain at least one lowercase character
- Contain at least one number
- Contain at least one symbol
- Not one of the previous 24 passwords used
- Create an IAM role named "AWSConfig" for use by the AWS Config service
- Create an IAM role named "RackspaceTools" to allow us to provide you with Compass
- Create an IAM role named "RackspaceDefaultEC2Role" along with an attached IAM policy named "RackspaceDefaultEC2Policy" which can be attached to EC2 instances to provide access to AWS Systems Manager and the CloudWatch EC2 Agent.
- Create an IAM role named "rackspace-passport-bastion" with an IAM policy that allows bastion logs to be written to CloudWatch Logs.
- Create an IAM role named "EC2ActionsAccess" for use by CloudWatch alarms to trigger actions on instances.
- Create an EC2 Instance Profile named "rackspace-passport-bastion-instance-profile" with the "rackspace-passport-bastion" role attached.
- AWS S3 (Simple Storage Service)
- Create a bucket named "<account_uuid>-logs" in the US West 2 (Oregon)
- Enable versioning and apply an S3 bucket lifecycle policy to the "<account_uuid>-logs" bucket that expires files after 365 days and permanently removes deleted files after 90 days
- Set an S3 bucket policy on the "<account_uuid>-logs" bucket to allow write access from CloudTrail
- Create a bucket named "<account_uuid>-ssmoutput" in the US West 2
- Apply an S3 bucket lifecycle policy to the "<account_uuid>-ssmoutput" bucket that deletes files after 60 days
- Create a bucket named "<account_uuid>-logs" in the US West 2 (Oregon) region
- AWS CloudTrail
- AWS CloudWatch
- Create a "rackspace-passport-bastion" CloudWatch Logs Group where logs are shipped for Rackspace operational purposes.
- AWS Config
- Configure AWS Config in each AWS region to log to the S3 bucket named "<account_uuid>-logs"
- Configure an SNS topic named "rackspace-awsconfig" in each region and subscribe it to a region-specific Shared Management Services SQS queue for use by Rackspace tooling
- AWS SNS (Simple Notification Service)
- Create SNS topics named "rackspace-support", "rackspace-support-standard", "rackspace-support-urgent", "rackspace-support-emergency" in each region and subscribe it to a region-specific Shared Management Services SQS queue for use by our Rackspace Watchman service