Customer-Deployed Foundational Technical Review
This is the summary of the Reflectance Processor FTR for ECS review based on AWS guidelines.
Introduction
Req code | Requirement description | Content |
INT-001 | Introductory material must contain use cases for the software. | This is covered in the Reflectance Datacube processor section. |
INT-002 | Introductory material contains an overview of a typical customer deployment, including lists of all resources that are set up when the deployment is complete. | This is covered in the Reflectance Datacube processor section on the architecture diagram. |
INT-003 | Introductory material contains a description of all deployment options discussed in the user guide (e.g. single-AZ, multi-AZ or multi-region), if applicable. | There is only one deployment method documented at this point. Please let us know if you need support to create new deployment pipelines. |
INT-004 | Introductory material contains the expected amount of time to complete the deployment. | Code packaging and publication to ECS is usually completed in less than 5 min. More information is available in the ECS deployment section. |
INT-005 | Introductory material contains the regions supported. | There is no limitation on the regions supported for this service. |
Prerequisites and requirements
Req code | Requirement description | Content |
PRQ-001 | All technical prerequisites and requirements to complete the deployment process are listed (e.g. required OS, database type and storage requirements). | This is covered in the Prerequisites section. |
PRQ-002 | The deployment guide lists all prerequisite skills or specialized knowledge (for example, familiarity with AWS, specific AWS services, or a scripting or programming language). | This is covered in the Prerequisites section. |
PRQ-003 | The deployment guide lists the environment configuration that is needed for the deployment (e.g. an AWS account, a specific operating system, licensing, DNS). | This is covered in the Prerequisites section. |
Architecture diagrams
Req code | Requirement description | Content |
ARCH-001 | Architecture diagrams must include all AWS services and resources deployed by the solution and illustrate how the services and resources connect with each other in a typical customer environment. | This is covered in the Reflectance Datacube processor section |
ARCH-004 | Architecture diagrams use official AWS Architecture Icons. | Reflectance Datacube processor section includes a diagram with official AWS icons coming from here |
ARCH-005 | Network diagrams demonstrate virtual private clouds (VPCs) and subnets. | Reflectance Datacube processor section includes a diagram with VPC |
ARCH-006 | Architecture diagrams show integration points, including third-party assets/APIs and on-premises/hybrid assets. | Reflectance Datacube processor section includes a diagram with link to EarthPlatform (third party data infrastructure running on AWS) |
Security
Req code | Requirement description | Content |
DSEC-002 | The application does not require the use of AWS account root privileges for deployment or operation. | As detailed in the prerequisites section, access to AWS resources is based on OIDC with a specific role and a specific trust relationship. |
DSEC-003 | The deployment guide provides prescriptive guidance on following the policy of least privilege for all access granted as part of the deployment. | As defined in the provisioning section, deployment and execution are based on a specific role enforcing the least privilege principle. |
DSEC-004 | The deployment guide clearly documents any public resources (e.g. Amazon S3 buckets with bucket policies allowing public access). | The deployment guide is not using public resources. |
DSEC-006 | The deployment guide describes the purpose of each AWS Identity and Access Management (IAM) role and IAM policy the user is instructed to create. | The deployment guide includes a specific chapter on IAM configuration and OIDC setup. |
DSEC-007 | The deployment guide provides clear instruction on maintaining any stored secrets such as database credentials stored in AWS Secrets Manager. | The deployment guide is not leveraging AWS Secrets Manager, but GitHub repository secrets as detailed here. |
DSEC-008 | The deployment guide includes details on where customer sensitive data are stored. | The deployment guide enforces the AWS security guideline for GitHub Actions deployments and only leverages private resources. |
DSEC-009 | The deployment guide must explain all data encryption configuration (for example, Amazon Simple Storage Service (Amazon S3) server-side encryption, Amazon Elastic Block Store (Amazon EBS) encryption, and Linux Unified Key Setup (LUKS)). | Assets published by the Reflectance Datacube processor are not encrypted. The non-sensitive nature of the data (pixels from satellite images) does not require encryption. |
DSEC-010 | For deployments involving more than a single element, include network configuration (for example, VPCs, subnets, security groups, network access control lists (network ACLs), and route tables) in the deployment guide. | The proposed service is a single container deployment. The only specific VPC configuration is detailed in the |
DSEC-011 | The solution must support the ability for the customer to disable Instance Metadata Service Version 1 (IMDSv1). | AWS Fargate does not offer direct control over the Instance Metadata Service (IMDS). To mitigate risks linked with IMDS, we use the least privilege principle with a specific role for task execution and a specific security group and VPC to control network access to Fargate tasks. |
Costs
Req code | Requirement description | Content |
CST-001 | The deployment guide includes a list of billable services and guidance on whether each service is mandatory or optional. | |
CST-002 | The deployment guide includes the cost model and licensing costs. |
Sizing
Req code | Requirement description | Content |
SIZ-001 | Either provide scripts to provision required resources or provide guidance for type and size selection for resources. | The deployment guide includes a step-by-step procedure to provision AWS resources and a script to automatically deploy assets to AWS. |
Deployment assets
Req code | Requirement description | Content |
DAS-001 | The deployment guide provides step-by-step instructions for deploying the workload on AWS according to the typical deployment architecture. | The deployment guide includes a step-by-step procedure to provision AWS resources and a script to automatically deploy assets to AWS. |
DAS-004 | The deployment guide contains prescriptive guidance for testing and troubleshooting. | The deployment guide contains a user guide section. |
Health Check
Req code | Requirement description | Content |
HLCH-001 | The deployment guide provides step-by-step instructions for how to assess and monitor the health and proper function of the application. | This is detailed in the lifecycle management section. |
Back up and recovery
Req code | Requirement description | Content |
BAR-001 | Identify the data stores and the configurations to be backed up. If any of the data stores are proprietary, provide step-by-step instructions for backup and recovery. | This is detailed in the lifecycle management section. |
Routine Maintenance
Req code | Requirement description | Content |
RM-001 | The deployment guide provides step-by-step instructions for rotating programmatic system credentials and cryptographic keys. | The deployment pipeline uses OIDC with short-term tokens. For EarthPlatform authentication, we use OAuth 2.0 with short-term tokens. Credentials will be updated based on EarthPlatform security guidelines. |
RM-002 | The deployment guide provides prescriptive guidance for software patches and upgrades. | Processor updates will be delivered on the public GitHub repo. It is strongly recommended for customers to run regression testing before deploying this release. |
RM-003 | The deployment guide provides prescriptive guidance on managing licenses. | Users need to comply with the EarthDaily EULA and service quotas on data access based on the service agreement executed between the parties. |
RM-004 | The deployment guide provides prescriptive guidance on managing AWS service limits. | This is detailed in the lifecycle management section. |
Emergency Maintenance
Req code | Requirement description | Content |
EMER-001 | The deployment guide provides step-by-step instructions on handling fault conditions. | This is detailed in the lifecycle management section. |
EMER-002 | The deployment guide provides step-by-step instructions on how to recover the software. | This is detailed in the lifecycle management section. |
Support
Req code | Requirement description | Content |
SUP-001 | The deployment guide provides details on how to receive support. | User support is described here |
SUP-002 | The deployment guide provides details on technical support tiers. | Processor updates will be delivered on the public GitHub repo. It is strongly recommended for customers to run regression testing before deploying this release. |
SUP-003 | The deployment guide provides prescriptive guidance on managing licenses. | Users need to comply with the EarthDaily EULA and service quotas on data access based on the service agreement executed between the parties. |