Virtual Data Center Security Stack
The purpose of the Virtual Data Center Security Stack (VDSS) is to protect DoD
mission-owner applications that are hosted in AWS. The VDSS provides an enclave for
security services and performs the bulk of the security operations in the SCCA.
This component contains security and network services, such as inbound connectivity
access controls and perimeter protection services, including web application firewalls,
DDoS protection, load balancers, and network routing resources. The VDSS can reside
in the cloud infrastructure or on premises, in your data center. AWS or third-party
vendors can provide VDSS capabilities through infrastructure as a service (IaaS), or
AWS can offer these capabilities through software as a service (SaaS) solutions. For
more information about the VDSS, see the DoD Cloud Computing Security
Requirements Guide.
The following table contains the minimum requirements for the VDSS. It explains whether the LZA addresses each requirement and which AWS services you can use to meet these requirements.
ID | VDSS security requirement | AWS technologies | Additional resources | Covered by LZA
---|---|---|---|---
2.1.2.1 | The VDSS shall maintain virtual separation of all management, user, and data traffic. | | Isolate VPCs | Covered
2.1.2.2 | The VDSS shall allow the use of encryption for segmentation of management traffic. | Amazon VPC (encrypt traffic between instances) | Encryption best practices for Amazon VPC | Covered
2.1.2.3 | The VDSS shall provide a reverse proxy capability to handle access requests from client systems. | N/A | Serving content using a fully managed reverse proxy | Not covered
2.1.2.4 | The VDSS shall provide a capability to inspect and filter application layer conversations based on a predefined set of rules (including HTTP) to identify and block malicious content. | | | Partially covered
2.1.2.5 | The VDSS shall provide a capability that can distinguish and block unauthorized application layer traffic. | AWS WAF | How to use Amazon GuardDuty and AWS WAF to automatically block suspicious hosts | Not covered
2.1.2.6 | The VDSS shall provide a capability that monitors network and system activities to detect and report malicious activities for traffic entering and exiting Mission Owner virtual private networks/enclaves. | | AWS Nitro Enclaves workshop | Partially covered
2.1.2.7 | The VDSS shall provide a capability that monitors network and system activities to stop or block detected malicious activity. | N/A | | Partially covered
2.1.2.8 | The VDSS shall inspect and filter traffic traversing between mission owner virtual private networks/enclaves. | Network Firewall | Deploy centralized traffic filtering | Covered
2.1.2.9 | The VDSS shall perform break and inspection of SSL/TLS communication traffic supporting single and dual authentication for traffic destined to systems hosted within the CSE. | Network Firewall | Deployment models for Network Firewall | Covered
2.1.2.10 | The VDSS shall provide an interface to conduct ports, protocols, and service management (PPSM) activities in order to provide control for MCD operators. | Network Firewall | Deployment models for Network Firewall | Covered
2.1.2.11 | The VDSS shall provide a monitoring capability that captures log files and event data for cybersecurity analysis. | | Logging for security incident response | Covered
2.1.2.12 | The VDSS shall provide or feed security information and event data to an allocated archiving system for common collection, storage, and access to event logs by privileged users performing Boundary and Mission CND activities. | Amazon CloudWatch Logs | Security in CloudWatch Logs | Covered
2.1.2.13 | The VDSS shall provide a FIPS 140-2 compliant encryption key management system for storage of DoD generated and assigned server private encryption key credentials for access and use by the Web Application Firewall (WAF) in the execution of SSL/TLS break and inspection of encrypted communication sessions. | | Enhance Amazon CloudFront origin security with AWS WAF and Secrets Manager | Not covered
2.1.2.14 | The VDSS shall provide the capability to detect and identify application session hijacking. | N/A | N/A | Not covered
2.1.2.15 | The VDSS shall provide a DoD DMZ Extension to support Internet Facing Applications (IFAs). | N/A | N/A | Not covered
2.1.2.16 | The VDSS shall provide full packet capture (FPC) or cloud service equivalent FPC capability for recording and interpreting traversing communications. | N/A | | Covered
2.1.2.17 | The VDSS shall provide network packet flow metrics and statistics for all traversing communications. | CloudWatch | Monitor network throughput of interface VPC endpoints using CloudWatch | Covered
2.1.2.18 | The VDSS shall provide for the inspection of traffic entering and exiting each mission owner virtual private network. | Network Firewall | Deploy centralized traffic filtering | Covered
There are components of the Cloud Access Point (CAP) that you define and that this guide doesn't cover, because each agency has its own CAP connection to AWS. You can supplement the VDSS components with the LZA to help inspect the traffic coming into AWS: the services that the LZA deploys provide boundary and internal traffic scanning to help secure your environment. To continue building a VDSS, you must add some infrastructure components that the LZA doesn't include.
By using virtual private clouds (VPCs), you can establish boundaries in each AWS account to help adhere to the SCCA standards. The LZA doesn't configure these boundaries for you, because VPCs, IP addressing, and routing depend on your infrastructure and you must set them up as needed. You can also implement Domain Name System Security Extensions (DNSSEC) in Amazon Route 53, and you can add AWS WAF or a third-party, commercial WAF to help you meet the necessary standards.
Additionally, to support requirement 2.1.2.7 in the DISA SCCA, you can use GuardDuty and Network Firewall together to help secure and monitor the environment for malicious traffic. Note that GuardDuty only detects and reports; to meet the blocking half of the requirement, its findings must be turned into Network Firewall rules, for example through an EventBridge rule that invokes a Lambda function.
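The following is an added example of that GuardDuty-to-Network Firewall automation; it is not code from the LZA or from AWS. It assumes you own a stateful Network Firewall rule group in Suricata-compatible format that the firewall policy in your VDSS inspection VPC references, and that its ARN is supplied by the caller (the `BLOCK_RULE_GROUP_ARN` environment variable name is hypothetical). The GuardDuty finding is a constructed sample in the shape EventBridge delivers, using a documentation address rather than a real one.

```python
"""Turn a GuardDuty network finding into an AWS Network Firewall drop rule.

Added illustration for this guide, not LZA or AWS code. Assumes a stateful,
Suricata-format rule group that your VDSS firewall policy already references.
"""
import ipaddress
import os
import re

# Constructed sample EventBridge event carrying a GuardDuty finding.
SAMPLE_FINDING_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "service": {
            "action": {
                "actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {
                    "protocol": "TCP",
                    "localPortDetails": {"port": 22},
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                },
            }
        },
    },
}

MIN_SEVERITY = 4.0  # GuardDuty "Medium" and above; a policy choice for this example

# Address space a single finding must never cause us to block (enclave, CGNAT,
# loopback, link-local): dropping 10/8 on one finding is a self-inflicted outage.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
)]

_SID_RE = re.compile(r"\bsid:\s*(\d+)")
_BLOCKED_IP_RE = re.compile(r"^drop ip (\S+) any <> any any", re.M)


def remote_ips_from_finding(event):
    """IPv4 addresses a finding implicates, after severity and safety filters.

    Only NETWORK_CONNECTION findings carry a remote address; API-call and DNS
    findings are skipped, as are IPv6-only findings (ipAddressV6).
    """
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < MIN_SEVERITY:
        return []
    action = detail.get("service", {}).get("action", {})
    if action.get("actionType") != "NETWORK_CONNECTION":
        return []
    raw = (action.get("networkConnectionAction", {})
                 .get("remoteIpDetails", {}).get("ipAddressV4"))
    if not raw:
        return []
    try:
        ip = ipaddress.IPv4Address(raw)
    except ValueError:
        return []
    if any(ip in net for net in NEVER_BLOCK):
        return []
    return [str(ip)]


def next_sid(existing_rules):
    """First Suricata SID not already used; SIDs must be unique in a rule group."""
    used = [int(s) for s in _SID_RE.findall(existing_rules)]
    return max(used, default=999999) + 1


def block_rules(event, existing_rules=""):
    """Return the rule group text with one bidirectional drop rule per new IP.

    '<>' drops traffic in both directions so a host that already gained a
    foothold cannot call back out either. Re-running on the same finding is
    idempotent: an address already present gets no second rule.
    """
    already = set(_BLOCKED_IP_RE.findall(existing_rules))
    sid = next_sid(existing_rules)
    lines = [l for l in existing_rules.splitlines() if l.strip()]
    kind = event.get("detail", {}).get("type", "finding")
    for ip in remote_ips_from_finding(event):
        if ip in already:
            continue
        lines.append(f'drop ip {ip} any <> any any '
                     f'(msg:"GuardDuty {kind} {ip}"; sid:{sid}; rev:1;)')
        sid += 1
    return "\n".join(lines)


def apply_rules(rule_group_arn, event, client=None):
    """Merge new rules into the live rule group (needs AWS credentials; not run offline).

    describe_rule_group returns an UpdateToken; passing it back makes the update
    fail instead of silently overwriting a concurrent change. The rest of the
    RuleGroup (rule variables, options) is passed back unchanged.
    """
    if client is None:
        import boto3  # imported lazily so the pure functions above run without it
        client = boto3.client("network-firewall")
    current = client.describe_rule_group(RuleGroupArn=rule_group_arn, Type="STATEFUL")
    rule_group = current["RuleGroup"]
    existing = rule_group.get("RulesSource", {}).get("RulesString", "")
    rule_group["RulesSource"] = {"RulesString": block_rules(event, existing)}
    return client.update_rule_group(UpdateToken=current["UpdateToken"],
                                    RuleGroupArn=rule_group_arn, RuleGroup=rule_group)


def handler(event, context):
    """Lambda entry point; BLOCK_RULE_GROUP_ARN is a hypothetical variable name."""
    return apply_rules(os.environ["BLOCK_RULE_GROUP_ARN"], event)
```

Two operational checks apply: the rule group's Capacity must leave room for the rules you add (an update that exceeds it is rejected), and a stateful drop only takes effect for traffic the firewall policy actually forwards to the stateful engine, so confirm the policy's stateless default actions pass to stateful inspection.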