production-ready-checklist.html.md.erb
---
owner_slack: "#modernisation-platform"
title: Production Ready Checklist
weight: 1
last_reviewed_on: 2024-04-02
review_in: 6 months
---
<!-- Google tag (gtag.js) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-NXTCMQ7ZX6"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-NXTCMQ7ZX6');
</script>
# <%= current_page.data.title %>
Before an application goes into production, the Modernisation Platform team will check that the following steps have been taken on the production account to ensure the high quality of infrastructure on the platform.
You can speed up these checks by preparing as much as possible in advance.
## Checklist
1. For public-facing interfaces: [Create DDoS alarms, enable SRT access, enable Layer 7 Mitigation for ELBs](../runbooks/enabling-shield-advanced.html). This is not required if the interface is restricted to internal use only.
1. All EC2 instances have the AWS Systems Manager Session Manager [SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) installed.
1. There are no `CRITICAL` or `HIGH` severity level findings in Security Hub for the production account.
1. Infrastructure code has been reviewed and signed off by a Modernisation Platform engineer.
1. The application runbook (`README.md` in the application folder in the [modernisation-platform-environments repository](https://github.com/ministryofjustice/modernisation-platform-environments/tree/main/terraform/environments)) has been completed.
1. The application conforms to the [MoJ Technical Guidance](https://technical-guidance.service.justice.gov.uk/) and [MoJ Security Guidance](https://security-guidance.service.justice.gov.uk/).
1. The application has been tested.
1. The application's `go-live-date` has been updated in the environments folder [here](https://github.com/ministryofjustice/modernisation-platform/blob/main/environments).
1. Appropriate application monitoring and logging is in place.
1. There is an application support team in place and their contact details are in the application runbook.
1. The Modernisation Platform team are aware of any cutover/migration dates/times and have agreed additional cover if required.
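
To prepare for the Security Hub item in advance, the following added example (not part of the Modernisation Platform's own tooling) filters the JSON returned by `aws securityhub get-findings` down to the findings that would block go-live. The function name, the account IDs and the sample findings are constructed, and treating archived, resolved or suppressed findings as no longer outstanding is an assumption to confirm with the reviewing engineer.

```python
import json

BLOCKING_LABELS = {"CRITICAL", "HIGH"}
# Assumption: RESOLVED/SUPPRESSED workflow states and ARCHIVED records are not outstanding.
CLOSED_WORKFLOW = {"RESOLVED", "SUPPRESSED"}

# Constructed sample in the shape of `aws securityhub get-findings` output (ASFF fields).
SAMPLE = json.loads("""
{"Findings": [
 {"Id": "f-1", "AwsAccountId": "111111111111", "Title": "S3 bucket allows public read",
  "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
  "Resources": [{"Id": "arn:aws:s3:::example-bucket"}]},
 {"Id": "f-2", "AwsAccountId": "111111111111", "Title": "Security group open to 0.0.0.0/0",
  "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"}},
 {"Id": "f-3", "AwsAccountId": "111111111111", "Title": "EBS volume not encrypted",
  "Severity": {"Label": "HIGH"}, "RecordState": "ARCHIVED", "Workflow": {"Status": "NEW"}},
 {"Id": "f-4", "AwsAccountId": "111111111111", "Title": "VPC flow logs disabled",
  "Severity": {"Label": "MEDIUM"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
 {"Id": "f-5", "AwsAccountId": "111111111111", "Title": "Secret rotation not enabled",
  "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"}},
 {"Id": "f-6", "AwsAccountId": "222222222222", "Title": "Root account has access keys",
  "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}}
]}
""")


def blocking_findings(get_findings_output, account_id):
    """Return outstanding CRITICAL/HIGH findings for one account, CRITICAL first."""
    blocking = []
    for finding in get_findings_output.get("Findings", []):
        if finding.get("AwsAccountId") != account_id:
            continue  # an aggregated view can contain other member accounts
        label = finding.get("Severity", {}).get("Label")
        if label not in BLOCKING_LABELS:
            continue
        if finding.get("RecordState", "ACTIVE") != "ACTIVE":
            continue
        if finding.get("Workflow", {}).get("Status") in CLOSED_WORKFLOW:
            continue
        blocking.append({
            "id": finding.get("Id"),
            "severity": label,
            "title": finding.get("Title", ""),
            "resources": [r.get("Id") for r in finding.get("Resources", [])],
        })
    return sorted(blocking, key=lambda f: (f["severity"] != "CRITICAL", f["title"]))


if __name__ == "__main__":
    for f in blocking_findings(SAMPLE, "111111111111"):
        print(f'{f["severity"]:8} {f["id"]}  {f["title"]}')
```
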
## Infrastructure Review
When reviewing the application infrastructure, the Modernisation Platform team will check for the following things:
1. No hard coded secrets or account numbers.
1. No sensitive data is made public.
1. Secrets are stored in Secrets Manager and rotation is enabled.
1. Security groups are locked down as much as possible.
1. The infrastructure is resilient and spread across availability zones.
1. 3rd party modules or code are not used.
1. The infrastructure is sensibly sized.
1. There is no attempt to escalate privileges or provide access to parties outside of the platform.
1. Data is encrypted at rest and in transit.
1. Code is DRY and well written, with no commented-out blocks.