Landing zone guardrails
We use built-in guardrails to ensure the B.C. government AWS landing zone meets B.C. government privacy and security standards. Guardrails are set up in the landing zone and are automatically applied to all project sets.
These guardrails control which tools and services you can use while working in the public cloud. They also restrict where you can host your data.
Every service available in AWS must undergo a Security Threat and Risk Assessment (STRA) and Privacy Impact Assessment (PIA). Guardrails prevent you from using any tool or service that doesn’t successfully pass these assessments.
Tools and services
Several AWS tools and services are available for use. You don’t need to complete STRAs or PIAs for these services. If you want to use a service that isn’t pre-approved, you must complete a STRA and PIA. The privacy and security contacts you identified during onboarding can support you with these assessments. Once complete, please send a copy of each assessment to the public cloud security team.
You can also submit a request to our team to have us complete the necessary assessments for you. We complete these requests on a best-effort basis and can’t guarantee that the request will be completed within a certain timeframe. If you need access to a service in a short timeframe, we recommend you complete the assessments yourself with the help of your privacy and security contacts.
There are cases where we can’t approve the use of certain services. This is due to guardrails that can’t be changed without compromising the compliance of the entire B.C. government AWS landing zone environment.
In compliance with the B.C. government’s security and privacy standards, data and applications in the B.C. government AWS landing zone are hosted in data centers located in Canada. You can only access AWS services that are available in the AWS Canada (Central) region. There are guardrails in place in the B.C. government landing zone that prevent you from using any service that isn’t available in this region. To find services available in Canada (Central), go to the AWS regional product list and select “Canada (Central)” in the “Region” drop-down menu.
Security and privacy assessments
Security Threat and Risk Assessment (STRA)
AWS has undergone a STRA assessment to ensure that it’s compliant with the B.C. government’s information security policies. We also complete STRAs for services available in AWS on an ongoing basis.
In order to meet and maintain STRA requirements, we:
- Completed an initial STRA during the procurement of AWS as a public cloud service provider for the B.C. government
- Maintain a review schedule to ensure STRA updates are conducted periodically
Privacy Impact Assessment (PIA)
We completed a PIA for AWS. We also complete PIAs for services available in AWS on an ongoing basis.
In order to meet and maintain PIA requirements, we:
- Completed an initial PIA during the procurement of AWS as a public cloud service provider for the B.C. government
- Conduct additional privacy assessments as needed when changes to the service impact the use, disclosure or collection of information
Information security classification
The B.C. government AWS landing zone meets the requirements for hosting information up to and including Protected B classification.
The B.C. government AWS Landing Zone meets requirements for the Government of Canada’s Protected B Medium Integrity Medium Availability (PBMM) security category, in compliance with the Security Control Profile for Cloud-based GC Services. This also meets requirements for the B.C. government’s Protected B information security classification.
You cannot host Protected C information in the public cloud.
Requirements for security and privacy
STRA and PIA requirements
You must complete a STRA and PIA for every new project you provision in AWS.
You must also complete a STRA and PIA for any service in AWS that has not been pre-approved by our team. We have a list of pre-approved services in AWS. Services with the label “Basic Checks Completed” have successfully passed a set of privacy and security reviews. If you want to use a tool or service that’s not labeled “Basic Checks Completed,” you must complete a STRA and PIA with the support of your ministry security and privacy officers.
Application and data security
You are responsible for ensuring that your applications and data meet security and privacy standards in the B.C. government. There are tools available in the B.C. government AWS landing zone that you can use to identify vulnerabilities and keep your applications secure, including:
- AWS Security Hub. Security posture management service that performs security best practice checks, aggregates alerts and enables automated remediation
- AWS Key Management Service (AWS KMS). Create, manage and control cryptographic keys across your applications and AWS services
- AWS Secrets Manager. Manage, retrieve and rotate database credentials, API keys and other secrets throughout their lifecycles
- AWS Certificate Manager (ACM). Provision, manage and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. ACM removes the time-consuming manual process of purchasing, uploading and renewing SSL/TLS certificates
- AWS CloudWatch. Collects and visualizes real-time logs, metrics and event data in automated dashboards to streamline your infrastructure and application maintenance
- AWS CloudTrail. Monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis and remediation actions
- AWS WAF. Protect against common web exploits and bots that can affect availability, compromise security or consume excessive resources
- AWS Detective. Simplifies the investigative process and helps security teams conduct faster and more effective investigations. With the Amazon Detective prebuilt data aggregations, summaries and context, you can quickly analyze and determine the nature and extent of possible security issues
When you onboard to the public cloud, you must identify a Ministry Information Security Officer (MISO) and a Ministry Privacy Officer (MPO) who will provide the required security and privacy support for your project. These contacts will be responsible for reviewing and approving your project privacy and security assessments (PIA and STRA). They will also provide support for any additional PIAs and STRAs you require while working in the public cloud.
You cannot onboard to the public cloud without identifying security and privacy contacts.