

# Plan your deployment

This section describes the [cost](cost.md), [architecture](architecture-overview.md), [network security](security.md), and other considerations before deploying the solution.

# Cost


You are responsible for the cost of the AWS services used while running this solution. As of this revision, the cost for running this solution with the default settings in the US East (N. Virginia) Region is approximately **\$185.22 a month**. These costs are for the resources shown in the [Sample cost table](#sample-cost-table).

See the pricing webpage for each AWS service used in this solution.

We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) through [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to help manage costs. Prices are subject to change. For full details, see the pricing webpage for each AWS service used in this solution.

## Sample cost table


The following table provides a sample cost breakdown for deploying this solution with the default parameters in the US East (N. Virginia) Region for one month. This cost estimate assumes the following:
+ The solution manages two VPCs attached to one transit gateway, with each VPC containing two subnets in different Availability Zones.
+ The solution makes automated queries to DynamoDB from an actively running web UI every five minutes. This estimate does not include manual queries.
+ One GB of data a month travels between the two VPCs through the transit gateway.
+ The number of requests to the GraphQL API is 10,000 a month.


| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|   **Variable Costs**   |  |  | 
|  Transit Gateway  |  Hourly charge (containing two VPC attachments)  |  \$172.00  | 
|  Transit Gateway  |  Data processing charge (data transfer of 1 GB from two attached VPCs)  |  \$10.60  | 
|  Transit Gateway  |  Data processing and outbound inter-Region transfer charge (data transfer of 1 GB between two inter-Region peered transit gateways)  |  \$10.40  | 
|  Amazon DynamoDB  |  Includes automated queries only  |  \$13.27  | 
|  AWS AppSync  |  Includes auto approval workflow only  |  \$11.23  | 
|   **Fixed Costs**   |  |  | 
|  Amazon EventBridge  |  |  < \$0.01  | 
|  AWS WAF  |  |  \$7.61  | 
|  AWS Step Functions  |  State transitions: 100-120 transitions per month (5-6 workflow executions × 20 transitions each). State machine has 20 Task states that invoke Lambda  |  < \$0.01  | 
|  AWS Lambda  |  Duration: 700-850 GB-seconds per month (StateMachineLambdaFunction: 100-120 invocations at 4 sec with 1.5 GB, CustomResourceLambda: 2-4 invocations at 10 sec with 1.5 GB, MetricsCollectorLambda: 30 invocations at 5 sec with 0.5 GB)  |  < \$0.01  | 
|  AWS X-Ray  |  100,000 traces recorded for 2 services (Step Functions and AppSync) with default 5% sampling rate  |  < \$0.10  | 
|  |   **Total:**   |  \$185.22 / month  | 

**Note**  
AWS Step Functions state transitions and AWS Lambda duration charges are included in this estimate. With the assumed usage pattern (5-6 workflow executions per month for 2 VPCs with minimal tag changes), both services operate within AWS Free Tier limits (4,000 state transitions/month and 400,000 GB-seconds/month), resulting in negligible charges. For environments with more frequent network changes, costs may increase proportionally but remain minimal.

# Security


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit [AWS Cloud Security](https://aws.amazon.com/security/).

## IAM roles


IAM roles allow customers to assign granular access policies and permissions to services and users on AWS. This solution creates IAM roles and sets permissions in the respective accounts, which lets the solution assume a defined role in the spoke and management accounts to make changes when necessary. The hub account assumes these roles in the management account and in each spoke account.
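Because the hub account's ability to act in spoke and management accounts rests entirely on the trust policies of the roles it assumes, a practitioner will want to verify that each of those trust policies grants `sts:AssumeRole` to the hub account only. The following is an added example, not the solution's own code: a small linter that flags wildcard principals and principals outside the hub account. The account IDs, the organization ID and the policy documents are constructed placeholders.

```python
"""Added example (not the solution's own code): a linter for the trust policy of
a role that the hub account assumes in a spoke or management account.
Account IDs, the organization ID and the policy documents are constructed."""
import json

HUB_ACCOUNT_ID = "111111111111"  # constructed placeholder hub account

# Constructed: a trust policy that lets ANY AWS principal assume the spoke role.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
})

# Constructed: a trust policy scoped to the hub account and, as an extra guard,
# to principals inside one AWS Organization (the org ID is a placeholder).
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{HUB_ACCOUNT_ID}:root"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}}],
})


def account_id_of(principal: str) -> str:
    """Return the 12-digit account ID from an ARN or from a bare account ID."""
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal


def trust_policy_findings(policy_json: str, hub_account_id: str) -> list:
    """Return the problems found in an AssumeRole trust policy.
    An empty list means every AssumeRole grant is scoped to the hub account
    and carries a Condition that narrows it further."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue                      # statement does not grant AssumeRole
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {idx}: Principal '*' lets any AWS account assume the role")
            continue
        aws_principals = principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {idx}: Principal AWS '*' lets any AWS account assume the role")
            elif account_id_of(p) != hub_account_id:
                findings.append(f"statement {idx}: principal {p} is outside the hub account {hub_account_id}")
        if "Condition" not in stmt:
            findings.append(f"statement {idx}: no Condition (for example aws:PrincipalOrgID) narrows the grant")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, trust_policy_findings(doc, HUB_ACCOUNT_ID) or "OK")
```

Run it against the trust policy document of each role the solution created in a spoke account (for example the output of `aws iam get-role`); a clean result means the role can be assumed only from the hub account. The `aws:PrincipalOrgID` condition is an additional guard this example assumes, not something the page states the solution configures.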

## AWS WAF


AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a web ACL that allows, blocks, or counts web requests based on configurable web security rules and conditions that you define. For more information, refer to [How AWS WAF Works](https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html).

You can use AWS WAF to protect AWS AppSync from common security events, such as SQL injection and XSS. These types of security events could affect API availability and performance, compromise security, or consume excessive resources. For example, you can create rules to allow or block requests from specified IP address ranges, requests from Classless Inter-Domain Routing (CIDR) blocks, requests that originate from a specific country or Region, requests that contain malicious SQL code, or requests that contain malicious script.

## Amazon CloudFront


This solution deploys a static website [hosted](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) in an S3 bucket. To help reduce latency and improve security, this solution includes an Amazon CloudFront distribution with an origin access identity. This identity is a special CloudFront user that lets CloudFront serve the solution’s website bucket contents to the public. For more information, refer to [Restricting access to an Amazon S3 origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html).

## Amazon Cognito


This solution creates Amazon Cognito user accounts for signing in to the web UI. The solution also grants administrator and read-only users the appropriate permissions to control user access to data.

**Important**  
If you connect an external identity provider through SAML, every user from your identity provider will have read access to the web UI. To prevent giving read access to all users by default, modify the `cognito-trigger` Lambda function deployed by this solution. For more information, see [Configuring Lambda function options](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html).
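The note above says that, once a SAML identity provider is connected, every federated user receives read access unless the `cognito-trigger` function is changed. What that change looks like is a deny-by-default decision in the trigger. The following is an added example, not the solution's `cognito-trigger` function: a trigger handler that grants read access only to federated users who belong to an allow-listed directory group. It assumes the identity provider's group attribute is mapped to a custom Cognito attribute named `custom:groups` as a comma-separated string, and it uses a placeholder Cognito group name; the actual call that adds a user to a group is injected so the decision logic runs offline.

```python
"""Added example (not the solution's cognito-trigger function): a deny-by-default
Cognito trigger for federated (SAML) users.
Assumptions: the SAML group attribute is mapped to 'custom:groups' as a
comma-separated string; READ_ONLY_COGNITO_GROUP is a placeholder group name."""
import json

# Constructed: directory groups whose members should get read access to the web UI
READ_ACCESS_GROUPS = {"NetworkReaders", "NetworkAdmins"}
READ_ONLY_COGNITO_GROUP = "ReadOnlyUserGroup"  # placeholder Cognito group name


def is_federated_user(event: dict) -> bool:
    """Cognito records a federated user's linked providers in the 'identities'
    attribute as a JSON-encoded list; a native user has no such attribute."""
    attrs = event.get("request", {}).get("userAttributes", {})
    raw = attrs.get("identities")
    if not raw:
        return False
    return any(i.get("providerType") == "SAML" for i in json.loads(raw))


def directory_groups(event: dict) -> set:
    """Parse the mapped group attribute (assumed comma-separated) into a set."""
    raw = event.get("request", {}).get("userAttributes", {}).get("custom:groups", "")
    return {g.strip() for g in raw.split(",") if g.strip()}


def should_grant_read_access(event: dict) -> bool:
    """Deny by default: only SAML users in an allow-listed directory group qualify.
    Native Cognito users are left to the administrator, not this trigger."""
    if not is_federated_user(event):
        return False
    return bool(directory_groups(event) & READ_ACCESS_GROUPS)


def handler(event: dict, context=None, add_to_group=None) -> dict:
    """Trigger entry point. add_to_group(user_pool_id, username, group) is injected
    so this runs offline; in a deployed function it would wrap the cognito-idp
    AdminAddUserToGroup API. The event is returned unchanged, as Cognito expects."""
    if should_grant_read_access(event) and add_to_group is not None:
        add_to_group(event["userPoolId"], event["userName"], READ_ONLY_COGNITO_GROUP)
    return event


def make_event(username: str, groups: str = None, saml: bool = True) -> dict:
    """Build a constructed trigger event (shape follows the request/userAttributes
    layout Cognito uses; pool ID and provider name are placeholders)."""
    attrs = {"email": f"{username}@example.com"}
    if saml:
        attrs["identities"] = json.dumps(
            [{"providerName": "CorpIdP", "providerType": "SAML", "primary": True}])
    if groups is not None:
        attrs["custom:groups"] = groups
    return {"userPoolId": "us-east-1_placeholder", "userName": username,
            "request": {"userAttributes": attrs}, "response": {}}


if __name__ == "__main__":
    for user, groups, saml in (("alice", "Everyone,NetworkReaders", True),
                               ("bob", "Everyone", True),
                               ("carol", "NetworkAdmins", False)):
        print(user, should_grant_read_access(make_event(user, groups, saml)))
```

The point of the structure is that `should_grant_read_access` is pure and testable without AWS credentials, while the side effect (adding the user to the read-only group) is isolated in one injected call. Whatever attribute your identity provider actually maps, the check should be an allow-list of known groups rather than "any federated user".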

## Supported AWS Regions


This solution uses AWS services that aren’t currently available in all AWS Regions. You must launch this solution in an AWS Region where [these services](architecture-details.md#aws-services-in-this-solution) are available. For the most current availability of AWS services by Region, see the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

This solution is available in the following AWS Regions:


| Region name | Region name | 
| --- | --- | 
|  US East (Ohio)  |  Canada (Central)  | 
|  US East (N. Virginia)  |  China (Beijing)  | 
|  US West (Northern California)  |  China (Ningxia)  | 
|  US West (Oregon)  |  Europe (Frankfurt)  | 
|  Asia Pacific (Mumbai)  |  Europe (Ireland)  | 
|  Asia Pacific (Seoul)  |  Europe (London)  | 
|  Asia Pacific (Singapore)  |  Europe (Paris)  | 
|  Asia Pacific (Sydney)  |  Europe (Stockholm)  | 
|  Asia Pacific (Tokyo)  |  South America (Sao Paulo)  | 

# AWS accounts for multi-account environments


To deploy a multi-account environment, we recommend the following AWS account guidelines for each stack:
+  **Hub stack** - Deploy to a member account in your AWS Organization, preferably where you have an existing transit gateway or plan to create a new one, or in a dedicated [network account](concepts-and-definitions.md) where you plan to create a new transit gateway. It can’t be the Organizations management account.
+  **Spoke stack** - Deploy to all the member accounts in your AWS Organization that have a VPC that you plan to attach to the transit gateway hub account. You must deploy it in the hub account if you want to attach VPCs in the hub account.
+  **Organization role stack** - Optionally deploy in the Organizations management account to allow the solution to add Organizational Unit paths in the attachment name to help you identify the VPC location.

# Quotas


Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

## Quotas for AWS services in this solution


Make sure you have sufficient quota for each of the [services implemented in this solution](architecture-details.md#aws-services-in-this-solution). For more information, refer to [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

Select one of the following links to go to the page for that service. To see the service quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the *AWS General Reference guide* PDF instead.


| Service | Service | 
| --- | --- | 
|   [Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html)   |   [AWS X-Ray](https://docs.aws.amazon.com/general/latest/gr/xray.html)   | 
|   [Lambda](https://docs.aws.amazon.com/general/latest/gr/lambda-service.html)   |   [Amazon SNS](https://docs.aws.amazon.com/general/latest/gr/sns.html)   | 
|   [Step Functions](https://docs.aws.amazon.com/general/latest/gr/step-functions.html)   |   [Amazon Cognito](https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html)   | 
|   [DynamoDB](https://docs.aws.amazon.com/general/latest/gr/ddb.html)   |   [AWS AppSync](https://docs.aws.amazon.com/general/latest/gr/appsync.html)   | 
|   [EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-quota.html)   |   [Amazon S3](https://docs.aws.amazon.com/general/latest/gr/s3.html)   | 
|   [AWS WAF](https://docs.aws.amazon.com/general/latest/gr/waf.html)   |   [CloudFront](https://docs.aws.amazon.com/general/latest/gr/cf_region.html)   | 

## CloudFormation quotas


Your AWS account has [CloudFormation](https://aws.amazon.com/cloudformation/) quotas that you must be aware of when launching the stacks for this solution. By understanding these quotas, you can avoid limitation errors that can prevent you from deploying this solution successfully. For more information, refer to [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User Guide*.

## Lambda quotas


In the hub account, the state machine invokes Lambda functions to run the scan in parallel depending on the VPCs and subnets tagged across multiple accounts in your organization. [Review](https://docs.aws.amazon.com/servicequotas/latest/userguide/gs-request-quota.html) and [increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html) your Lambda invocation limit to avoid throttling.

## Transit Gateway quotas


The solution creates a new transit gateway for each hub stack deployment unless you provide an existing transit gateway in the hub template parameter **(Optional) Do you wish to use an existing transit gateway? If yes, you must provide the transit gateway id below.** Your account has a default Transit Gateway quota of five.

## AWS Transit Gateway Network Manager quotas


The solution creates a new [global network](https://docs.aws.amazon.com/network-manager/latest/tgwnm/what-are-global-networks.html) for each hub stack deployment unless you provide an existing global network ID in the hub template parameter **(Optional) Do you wish to use an existing global network? If yes, you must provide the global network id below.** Your account has a default global network quota of five. We recommend using only one global network for all other deployments in different AWS Regions in the hub account: provide the global network ID created by the first deployment when you deploy in the other AWS Regions.