

# Plan your deployment

This section describes the [cost](cost.md), [security](security1.md), [Regions](#supported-aws-regions) and other considerations before deploying the solution.

## Supported AWS Regions


MCS is available in the following AWS Regions:


|  **Region name**  |  | 
| --- | --- | 
|  US East (Ohio)  |  Asia Pacific (Tokyo)  | 
|  US East (N. Virginia)  |  Canada (Central)  | 
|  US West (Northern California)  |  Europe (Frankfurt)  | 
|  US West (Oregon)  |  Europe (Ireland)  | 
|  Asia Pacific (Mumbai)  |  Europe (London)  | 
|  Asia Pacific (Seoul)  |  Europe (Paris)  | 
|  Asia Pacific (Singapore)  |  Europe (Stockholm)  | 
|  Asia Pacific (Sydney)  |  South America (São Paulo)  | 

Third-Party Modules may be available in different Regions. Refer to the module’s manifest data to view its supported Regions.

# Cost


You are responsible for the cost of the AWS services used while running this solution. As of this revision, the cost for running this solution with the default settings in the US East (N. Virginia) Region is approximately **\$591.55 per month** when deploying the main stack, Managed VPC module, Managed Active Directory module, and FSx for Windows File Server module in the hub Region. These costs are for the resources shown in the [Sample cost table](#sample-cost-table).

**Note**  
The monthly cost estimate does not include Third-Party module costs, such as the Leostream workstation management modules and the storage partner modules.

We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) through [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this solution.

## Sample cost table


Total cost varies depending on how many modules and Regions you deploy. The following tables give a sample cost breakdown for deploying this solution and internal hub modules with the default parameters in the US East (N. Virginia) Region for one month.

 **MCS stack deployment** 


| **AWS service** | **Dimensions** | **Cost [USD]** |
| --- | --- | --- |
| **Amazon API Gateway** | First 333 million REST API calls per month | \$3.50 |
| **Amazon Cognito** | 1,000 active users per month without the advanced security feature | \$0.00 |
| **Amazon CloudFront** | 1,000,000 HTTPS requests | \$1.00 |
| **Amazon S3** | <1 GB storage for web assets and logging | \$0.023 |
| **AWS Lambda** | Modules = 5; requests <1,000,000 = \$0.20; enable module = 3,000 ms duration x \$0.0000000021 per ms; \$0.20 + (3,000 x \$0.0000000021) x 5 = \$0.2000315 | \$0.20 |
| **Systems Manager Parameter Store** | Standard parameters and throughput | \$0.00 |
| **Amazon DynamoDB** | <1 GB storage, <1M write request units (WRUs) and read request units (RRUs) | \$1.75 |
| **AWS Service Catalog** | <1,000 API calls | \$0.70 |
| **Amazon EventBridge Event Bus** | AWS default service events | \$0.00 |
| **Amazon EventBridge Pipe** | <1M requests after filtering per month | \$0.40 |
| **Amazon EventBridge API Destination** | <1M requests per month | \$0.20 |
| **Amazon Simple Queue Service** | Standard queue with <1M requests per month | \$0.00 |
| **AWS Step Functions** | <4,000 state transitions (AWS Free Tier) | \$0.00 |
| **Amazon CloudWatch** | AWS Free Tier | \$0.00 |
| | **Total:** | **\$7.77 [USD] / month** |

 **Managed VPC module** 


| **AWS service** | **Dimensions** | **Cost [USD]** |
| --- | --- | --- |
| **Amazon VPC** | Public IPv4 address; NAT Gateway cost is highly variable depending on the modules deployed | \$3.65 |
| **Systems Manager Parameter Store** | Standard parameters and throughput | \$0.00 |
| **Amazon CloudWatch** | AWS Free Tier | \$0.00 |
| | **Total:** | **\$3.65 [USD] / month** |

 **Managed Active Directory module** 


| **AWS service** | **Dimensions** | **Cost [USD]** |
| --- | --- | --- |
| **AWS Directory Service** | \$0.12 per hour | \$87.60 |
| **Systems Manager Parameter Store** | Standard parameters and throughput | \$0.00 |
| **AWS Secrets Manager** | 1 secret | \$0.45 |
| **Amazon CloudWatch** | AWS Free Tier | \$0.00 |
| **EC2** | t3.micro (5 minute deployment) | <\$0.01 |
| | **Total:** | **\$88.05 [USD] / month** |

 **FSx for Windows File Server module** 


| **AWS service** | **Dimensions** | **Cost [USD]** |
| --- | --- | --- |
| **Amazon FSx for Windows File Server** | 256 GiB SSD storage capacity, 64 MBps throughput | \$288.28 |
| **Systems Manager Parameter Store** | Standard parameters and throughput | \$0.00 |
| **Amazon CloudWatch** | AWS Free Tier | \$0.00 |
| | **Total:** | **\$288.28 [USD] / month** |

 **FSx for Lustre File Server module** 


| **AWS service** | **Dimensions** | **Cost [USD]** |
| --- | --- | --- |
| **Amazon FSx for Lustre File Server** | 1,200 GiB SSD storage capacity, LZ4 compression disabled | \$168.19 |
| **Systems Manager Parameter Store** | Standard parameters and throughput | \$0.00 |
| **Amazon CloudWatch** | AWS Free Tier | \$0.00 |
| | **Total:** | **\$168.19 [USD] / month** |

## Third-Party modules cost


This solution includes Third-Party Leostream workstation management modules available for deployment, and storage partner modules available for registration and deployment.

**Note**  
Refer to the [Leostream documentation](https://support.leostream.com/support/solutions/articles/66000513448-leostream-platform-quick-starts-and-guides) or contact Leostream for more detailed and up-to-date Leostream module costs.  
Refer to each Third-Party module's support page or contact the partner for its costs.

Here is a **simplified cost table** for core AWS services in the hub region for Leostream modules using default settings. Actual costs may vary depending on your configuration and chosen modules:

 **Leostream Broker module** 


| **AWS service** | **Dimensions** | **Cost [USD]** |
| --- | --- | --- |
| **Amazon RDS** | db.r6g.large (Aurora PostgreSQL) | \$229.95 |
| **Application Load Balancer** | | \$16.51 |
| **EC2** | t3.large (min 2 by default): (\$0.112 / hour) x 24 hours x 31 days x 2 = \$166.66 | \$166.66 |
| **EC2** | g4dn.xlarge with Windows OS: (\$0.71 / hour) x 24 hours x 31 days = \$528.24 | \$528.24 |
| **EC2** | g4dn.xlarge with Linux OS: (\$0.584 / hour) x 24 hours x 31 days = \$434.50 | \$434.50 |
| **Route 53** | Hosted zone (per-request cost assumed to be negligible) | \$0.50 |
| | **Total:** | **\$1376.36 [USD] / month** |

 **Leostream Gateway module** 


| **AWS service** | **Dimensions** | **Cost [USD]** |
| --- | --- | --- |
| **Application Load Balancer** | | \$16.51 |
| **EC2** | m5.xlarge (min 2 by default) with RHEL OS: (\$0.269 / hour) x 24 hours x 31 days x 2 = \$400.27 | \$400.27 |
| **AWS Global Accelerator** | Standard | \$18.00 |
| **AWS Global Accelerator Data Transfer** | Varies depending on the Regions used | \$0.015 per GB |
| **EC2 Egress** | First 100 GB per month is free | \$0.09 per GB |
| **EC2 Elastic IP Address** | 2 used by Global Accelerator | \$7.32 |
| | **Total (excluding data transfer costs):** | **\$442.10 [USD] / month** |

# Security


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit [AWS Cloud Security](http://aws.amazon.com/security/).

## IAM roles


This solution creates IAM roles that grant the solution’s Lambda functions access to create Regional resources. These Lambda functions are invoked when:
+ The solution creates custom resources during stack deployments
+ The MCS API is called
+ AWS Step Functions run when registering and de-registering modules

A stack set execution IAM role is required to provision and terminate Service Catalog products when enabling and disabling modules. This role has [PowerUserAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/PowerUserAccess.html) and can additionally create and update IAM roles as needed for modules. Note that PowerUserAccess by itself does not grant those IAM permissions: the managed policy allows every service except `iam:*`, `organizations:*` and `account:*` (plus a short allow list such as `iam:CreateServiceLinkedRole`), so the execution role's ability to manage IAM roles comes from permissions beyond that policy. A role that can create IAM roles can also escalate its own privileges, so review the execution role's attached policies after deployment and constrain them (for example with a permissions boundary on the roles it creates) where your organization requires it.
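The following is an added example, not code from the solution: a minimal evaluator for the `Allow`/`NotAction` semantics that PowerUserAccess relies on, used to show which IAM actions a module-provisioning role would still lack if it had only that managed policy. The embedded policy document is a transcription of the managed policy as published in the AWS managed policy reference and is an assumption to verify against the current version; the evaluator ignores `Deny` statements, conditions and resource ARNs.

```python
"""Evaluate which actions an IAM policy document allows (added example).

Models only Allow statements with Action / NotAction and '*' globbing.
Deny statements, Condition blocks and resource-level restrictions are not
modelled, so the result is an upper bound on what the policy grants.
"""
from fnmatch import fnmatchcase

# Transcription of the PowerUserAccess managed policy (assumption: verify
# against the live policy in the AWS managed policy reference).
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": ["iam:*", "organizations:*", "account:*"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions",
                "account:GetAccountInformation",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list in Action / NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, action):
    """Case-insensitive glob match, as IAM applies it to action names."""
    action = action.lower()
    return any(fnmatchcase(action, pattern.lower()) for pattern in patterns)


def is_allowed(policy, action):
    """True if some Allow statement covers `action`.

    A statement with Action matches when one of its patterns matches; a
    statement with NotAction matches when *none* of its patterns match.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "Action" in stmt and _matches(_as_list(stmt["Action"]), action):
            return True
        if "NotAction" in stmt and not _matches(_as_list(stmt["NotAction"]), action):
            return True
    return False


def missing_for_role_management(policy, actions=None):
    """IAM actions a role that provisions module IAM roles needs but `policy` lacks."""
    actions = actions or [
        "iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
        "iam:PassRole", "iam:DeleteRole", "iam:CreateServiceLinkedRole",
    ]
    return [a for a in actions if not is_allowed(policy, a)]


if __name__ == "__main__":
    print("cloudformation:CreateStack:", is_allowed(POWER_USER_ACCESS, "cloudformation:CreateStack"))
    print("iam:CreateRole:", is_allowed(POWER_USER_ACCESS, "iam:CreateRole"))
    print("missing for role management:", missing_for_role_management(POWER_USER_ACCESS))
```

Run it against the execution role's actual policy documents (for example the output of `aws iam get-role-policy`) to confirm exactly which IAM actions the role holds beyond PowerUserAccess.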

## Amazon CloudFront


This solution deploys a web console [hosted](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) in an S3 bucket. To help reduce latency and improve security, the solution includes a CloudFront distribution with an origin access identity (OAI), a special CloudFront user that is granted read access to the website bucket so that the bucket itself does not need to be public: the bucket policy allows only the OAI, and users reach the content solely through the distribution. For more information, see [Restricting Access to Amazon S3 Content by Using an Origin Access Identity](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*. Note that CloudFront now recommends origin access control (OAC) over OAI for new distributions; the same page covers both.

### CloudFront and API Gateway minimum TLS version


The solution uses the default CloudFront domain (`*.cloudfront.net`), which [sets the minimum allowed TLS version to TLSv1.0 by default](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy) and does not let you select a stricter security policy. For enhanced security, we recommend configuring a minimum TLS version of 1.2 (for example the `TLSv1.2_2021` security policy). To achieve this, you must set up a custom CloudFront domain with your own certificate. Follow the instructions provided in [Set up a custom CloudFront domain](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html) in the *Amazon CloudFront Developer Guide*.

The solution also uses the default API Gateway domain (`*.execute-api.<region>.amazonaws.com`), which sets the minimum allowed TLS version to v1.0 by default. To require TLS 1.2, configure a custom domain name with the `TLS_1_2` security policy. For more information, see [Choose a security policy for your REST API custom domain in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html) in the *Amazon API Gateway Developer Guide*.

## Security groups


The solution creates security groups designed to control and isolate network traffic between the module resources and the VPC created or imported in the [Network modules](network-modules.md).

We recommend that you review the security groups and further restrict access as needed after deployment. See [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) for more information.

The following modules create security groups to allow traffic to/from the VPC:
+  **Managed Active Directory module** - Allow Domain Name System (DNS) traffic from the VPC so that names in Microsoft Active Directory can be resolved
+  **Leostream Broker module** - Environment configuration and AMI pipelines
+  **Leostream Gateway module** - Automation and Application Load Balancers
+  **FSx for Windows File Server module** - FSx file system
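As an added example (not tooling shipped with the solution) of the post-deployment review recommended above, the following script flags inbound security group rules that expose module ports to the whole internet. `SAMPLE_GROUPS` is a constructed subset of what `ec2 describe-security-groups` returns, and the port list is an assumption about what the modules use (DNS/LDAP/Kerberos for Managed AD, SMB for FSx for Windows, PostgreSQL for the broker's RDS cluster, RDP/SSH for workstations); the group IDs and names are placeholders.

```python
"""Flag internet-exposed inbound rules on the solution's security groups (added example).

Feed the 'SecurityGroups' list from boto3's describe_security_groups()
into audit_security_groups() to check a real deployment.
"""

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Assumed service ports for the resources the modules deploy.
SENSITIVE_PORTS = {
    22: "SSH", 53: "DNS", 88: "Kerberos", 389: "LDAP", 445: "SMB",
    636: "LDAPS", 3389: "RDP", 5432: "PostgreSQL",
}

# Constructed sample shaped like describe-security-groups output (placeholder IDs).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "mcs-managed-ad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "mcs-fsx-windows", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "mcs-leostream-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0ddd", "GroupName": "mcs-leostream-gateway", "IpPermissions": [
        # IpProtocol -1 means all traffic; the API omits FromPort/ToPort here.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def _public_sources(perm):
    """CIDR sources of this rule that cover the entire IPv4 or IPv6 internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in PUBLIC_CIDRS]


def _exposed_sensitive_ports(perm):
    """Sensitive ports inside the rule's port range (all of them for protocol -1)."""
    if perm.get("IpProtocol") == "-1":
        return sorted(SENSITIVE_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def audit_security_groups(groups):
    """Return one finding per (rule, public source) pair.

    Severity is 'high' when the rule admits all traffic or a sensitive port,
    'info' otherwise (e.g. HTTPS on a public load balancer, which is expected
    but still worth confirming against the intended design).
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            public = _public_sources(perm)
            if not public:
                continue
            proto = perm.get("IpProtocol")
            ports = _exposed_sensitive_ports(perm)
            if proto == "-1":
                severity, detail = "high", "all protocols and ports"
            elif ports:
                severity = "high"
                detail = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in ports)
            else:
                severity = "info"
                detail = f"{perm.get('FromPort')}-{perm.get('ToPort')}/{proto}"
            for cidr in public:
                findings.append({"GroupId": group["GroupId"],
                                 "GroupName": group.get("GroupName", ""),
                                 "Source": cidr, "Severity": severity,
                                 "Detail": detail})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"[{f['Severity']}] {f['GroupId']} ({f['GroupName']}) "
              f"from {f['Source']}: {f['Detail']}")
```

In the sample, the Managed AD group produces no findings because its rules are scoped to the VPC CIDR, the FSx group's world-open SMB rule and the gateway group's all-traffic rule are reported as high, and the load balancer's public HTTPS listener is reported as informational.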

## Secrets Manager


AWS Secrets Manager stores and manages the sensitive credentials generated by MCS modules. Secrets are encrypted at rest with AWS KMS, access is controlled through IAM and secret resource policies, and every API call against a secret is recorded by AWS CloudTrail, so retrievals can be audited.

### Secrets created by modules


The following modules automatically create and manage secrets in AWS Secrets Manager:

 **Identity Module (AWS Managed Microsoft AD)** 
+ StudioAdmin user credentials - Default admin user for end-user access
+ SA_AdConnectorUser credentials - Service account for cross-region AD communication
+ SA_McsModulesUser credentials - General service account for module integrations

 **Leostream Broker Module** 
+ API service user credentials - Authentication for Leostream API operations
+ Amazon RDS database credentials - Database connection credentials for the Leostream broker

### Password Management

+ This solution does not provide automatic secrets rotation. Depending on your security requirements, you may consider manually rotating the credentials for your Leostream Connection Broker database.
+ AWS Managed Microsoft AD passwords expire every 90 days and require manual rotation.
+ Follow the steps in [Password Rotation](password-rotation.md) to update passwords across all dependent services.

## Security.txt


The solution does not include a `security.txt` file in the website files. This file is intended to provide information about the owner or operator of a publicly accessible website, such as security contacts and responsible disclosure policies.

Since the Modular Cloud Studio on AWS website is a private, login-protected application that you control, a `security.txt` file isn’t necessary or applicable. The frontend application is only accessible to authorized users of your organization, so there is no need to publicly disclose security information.

If you have specific security or responsible disclosure needs for your Modular Cloud Studio on AWS deployment, we recommend managing that information separately from the frontend application. This solution is designed to provide you the flexibility to configure and extend it as needed for your specific requirements.

## Denial-of-service protections


The API exposed by the solution has throttling settings configured to limit requests: a rate limit of 50 requests per second with a burst limit of 10 requests. API Gateway enforces these limits with a token-bucket algorithm (the burst limit is the bucket size and the rate limit is the refill rate), so at most 10 requests can be served at the same instant even though the sustained rate is 50 per second; requests beyond the limit receive an HTTP 429 `Too Many Requests` response. This helps protect the API from abuse or unintended high traffic. For more details on the API throttling configuration, see [Throttle requests to your REST APIs for better throughput in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html) in the *Amazon API Gateway Developer Guide*.

AWS Global Accelerator is protected by AWS Shield Standard by default, so traffic entering through the accelerator is covered by AWS's automatic DDoS detection and mitigation (including rate-based mitigations) before it reaches the endpoints behind the accelerator. For more details, see [AWS Shield mitigation logic for AWS Global Accelerator standard accelerators](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-event-mitigation-logic-gax.html) in the *AWS WAF Developer Guide*.
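To make the interaction between the 50 requests per second rate limit and the 10 request burst limit concrete, the following added example (not part of the solution; API Gateway enforces the real throttle) simulates the token-bucket algorithm its documentation describes. Bucket size equals the burst limit and the refill rate equals the rate limit; the request timings are constructed, and exact arithmetic with `Fraction` avoids floating-point drift in the refill bookkeeping.

```python
"""Simulate API Gateway's token-bucket throttle for 50 rps / burst 10 (added example)."""
from fractions import Fraction

RATE_LIMIT = 50   # requests per second (bucket refill rate)
BURST_LIMIT = 10  # bucket capacity (requests accepted at the same instant)


class TokenBucket:
    """One token per request; time is tracked in integer milliseconds."""

    def __init__(self, rate_per_second=RATE_LIMIT, capacity=BURST_LIMIT):
        self.refill_per_ms = Fraction(rate_per_second, 1000)
        self.capacity = Fraction(capacity)
        self.tokens = Fraction(capacity)   # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # API Gateway returns HTTP 429 for this request


def simulate(arrival_ms, rate_per_second=RATE_LIMIT, capacity=BURST_LIMIT):
    """Return (accepted, throttled) counts for request arrival times in ms."""
    bucket = TokenBucket(rate_per_second, capacity)
    accepted = throttled = 0
    for t in sorted(arrival_ms):
        if bucket.allow(t):
            accepted += 1
        else:
            throttled += 1
    return accepted, throttled


# Constructed traffic patterns.
SAME_INSTANT = [0] * 15                       # 15 clients submit at once
EVENLY_SPACED = [20 * i for i in range(50)]   # exactly 50 rps, one request per 20 ms
DOUBLE_RATE = [10 * i for i in range(100)]    # 100 rps sustained for one second

if __name__ == "__main__":
    for name, pattern in [("15 at once", SAME_INSTANT),
                          ("50 rps", EVENLY_SPACED),
                          ("100 rps", DOUBLE_RATE)]:
        print(f"{name}: accepted/throttled = {simulate(pattern)}")
```

The three patterns show the two limits acting independently: 15 simultaneous requests lose 5 to the burst limit even though 15 is far below the per-second rate; 50 evenly spaced requests all succeed because each 20 ms gap refills one token; and a client sending 100 requests per second drains the bucket after its first 19 requests and is then throttled on every other request. Clients of the API should therefore back off on 429 rather than retry immediately.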

## Configuring Amazon EBS snapshot encryption


Before deploying the solution, you must configure your AWS account to encrypt [Amazon Elastic Block Store](https://aws.amazon.com/ebs/) (Amazon EBS) snapshots automatically. This helps ensure that all Amazon EBS snapshots created during the process of building the Leostream AMIs are encrypted for enhanced security and compliance.

For detailed instructions on how to enable default encryption for Amazon EBS snapshots in your account, see [Encrypt EBS snapshots by default](https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#encryption-by-default) in the *Amazon EBS User Guide*.

## Leostream database user


When you deploy the solution, the Leostream Broker module creates and then connects to a dedicated Amazon RDS database cluster. The Leostream Broker process uses the default `postgres` master user to access this Amazon RDS cluster.

**Important**  
The default `postgres` user is the cluster's master user, which grants it full administrative access to every database in the cluster.

We recommend reviewing your security and compliance requirements to determine if using the master `postgres` account is appropriate for your environment. On Amazon RDS the master user is not a true PostgreSQL `SUPERUSER`; it holds the `rds_superuser` role, so many actions a superuser can normally take against a PostgreSQL server (reading files on the host, loading arbitrary extensions) aren't possible in a managed database. This database is only used by the Leostream Broker. If you require least privilege, you can create a dedicated database role limited to the broker's own database and store its credentials in Secrets Manager in place of the master credentials; confirm with Leostream that the broker supports a non-superuser role before doing so.

## API Gateway Security


The API Gateway used in this solution defaults to allowing TLS 1.0 and above. For enhanced security, we recommend configuring a custom domain with a higher minimum TLS version. See the [Enhanced TLS Security](enhanced-tls-security.md) section in the "Use the solution" chapter for guidance on setting up a custom domain with TLS 1.2+.

## Content Security Policy


The solution deploys a CloudFront distribution with a preset Content Security Policy (CSP), delivered through a CloudFront response headers policy. One of its source expressions is `https://*.amazonaws.com`, which the web console needs in order to call the solution's API Gateway and Amazon Cognito endpoints. Because the wildcard matches every host under `amazonaws.com`, including S3 buckets and API endpoints in other AWS accounts, it would also let the browser send data to any such host if the console's JavaScript were ever compromised. If this grants broader permissions than your use case requires, restrict the directive to the specific hostnames your deployment uses (the API's `execute-api` endpoint and the Cognito endpoints in your Region) by editing the response headers policy attached to the distribution in the AWS Management Console.
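As an added example (not the solution's own configuration), the following script parses a CSP header, reports source expressions that wildcard a shared domain, and rewrites them to explicit hosts. `SAMPLE_CSP` is a constructed header in the shape described above, and the `execute-api` and Cognito hostnames used in the rewrite are placeholders for your deployment's real endpoints.

```python
"""Parse a Content-Security-Policy header and tighten wildcard hosts (added example)."""

# Constructed sample; take the real value from the distribution's response headers policy.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self'; "
    "connect-src 'self' https://*.amazonaws.com; "
    "img-src 'self' data:; "
    "frame-ancestors 'none'"
)

# Directives whose source list decides where the page may load from or send data to.
FETCH_DIRECTIVES = {
    "default-src", "connect-src", "script-src", "style-src", "img-src",
    "font-src", "frame-src", "object-src", "media-src", "worker-src",
}


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}.

    Browsers honour the first occurrence of a directive and ignore later
    duplicates, so the parser does the same.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _host_of(source):
    """Host part of a host-source ('https://*.example.com/path' -> '*.example.com')."""
    rest = source.split("://", 1)[1] if "://" in source else source
    return rest.split("/", 1)[0]


def wildcard_sources(policy):
    """(directive, source) pairs that admit any host under a shared domain."""
    hits = []
    for directive in sorted(policy):
        if directive not in FETCH_DIRECTIVES:
            continue
        for src in policy[directive]:
            if src == "*" or _host_of(src).startswith("*."):
                hits.append((directive, src))
    return hits


def tighten(policy, directive, replacements):
    """Copy `policy`, replacing wildcard sources in `directive` per {wildcard: [hosts]}."""
    tightened = {d: list(s) for d, s in policy.items()}
    new_sources = []
    for src in tightened.get(directive, []):
        new_sources.extend(replacements.get(src, [src]))
    tightened[directive] = new_sources
    return tightened


def serialize(policy):
    """Render {directive: [sources]} back into a header value."""
    return "; ".join(" ".join([d, *s]) for d, s in policy.items())


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP)
    print("wildcards:", wildcard_sources(policy))
    # Placeholder endpoints (assumption): substitute the deployment's real hostnames.
    strict = tighten(policy, "connect-src", {
        "https://*.amazonaws.com": [
            "https://abcde12345.execute-api.us-east-1.amazonaws.com",
            "https://cognito-idp.us-east-1.amazonaws.com",
        ],
    })
    print(serialize(strict))
```

Before applying the tightened header, collect the hosts the console actually contacts (the browser's network panel or CSP report-only mode with a `report-uri`) so that narrowing `connect-src` does not break sign-in or API calls.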

# Quotas


Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

## Quotas for AWS services in this solution


Make sure you have sufficient quota for each of the [services implemented in this solution](architecture-details.md#aws-services-in-this-solution). For more information, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

To view the service quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the PDF instead.

## AWS CloudFormation quotas


Your AWS account has CloudFormation quotas that you should be aware of when [launching the stack](launch-the-stack.md) in this solution. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this solution successfully. For more information, see [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User Guide*.