Managed Services¶
The concept of managed services, in the Game Warden context, is three-fold:
- Amazon Web Services (AWS) with an emphasis on Backup, DynamoDB, ElastiCache, Elastic File Storage, Elastic Kubernetes Service (EKS), Relational Database Service (RDS), Simple Email Service (SES), and Simple Storage Service. OpenSearch and API Gateway are on our radar.
- Big Bang services such as HashiCorp Vault and Istio.
- Game Warden managed services, which might involve pulling images from Iron Bank – a Department of Defense (DoD)-approved image registry – to run in your Kubernetes cluster.
As clients, you neither provide images nor resolve or justify Common Vulnerabilities and Exposures (CVEs) relative to managed services. The Game Warden team manages this process via policy, manual efforts, or pipelines.
AWS¶
Game Warden operates in AWS GovCloud East.
The table below depicts our commonly supported services, and their availablity at each Impact Level (IL):
| Service Name | IL2 | IL4 | IL5 | IL6 |
|---|---|---|---|---|
| EBS (Elastic Block Storage) | Yes | Yes | Yes | Yes |
| EC2 (Elastic CLoud Compute) | Yes | Yes | Yes | Yes |
| EFS (Elastic File Storage) | Yes | Yes | Yes | Yes |
| EKS (Elastic Kubernetes Service) | Yes | Yes | Yes | Yes |
| IAM (Identity and Access Management) | Yes | Yes | Yes | Yes |
| KMS (Key Management Service) | Yes | Yes | Yes | Yes |
| RDS (Relational Database Service) | Yes | Yes | Yes | Yes |
| SQS (Simple Queue Service) | Yes | Yes | Yes | Yes |
| S3 (Simple Storage Service) | Yes | Yes | Yes | Yes |
| VPC (Virtual Private Cloud) | Yes | Yes | Yes | Yes |
| SES (Simple Email Service) | Yes | Yes | Yes | Yes |
| Transit Gateway | Yes | Yes | Yes | Yes |
| Backup | Yes | Yes | Yes | Yes |
| DynamoDB | Yes | Yes | Yes | Yes |
| ElastiCache | Yes | Yes | Yes | Yes |
For Hi-Side deployments (Top Secret), only EKS, RDS and S3 services are currently avaialble.
Check back regularly to see what new services we offer. If you'd like an AWS service not currently listed, we can generate a feature request on your behalf but cannot guarantee a timeline.
AWS provides a List which includes additional AWS services that we may be able to support. Game Warden operates in AWS GovCloud (US-East) - ensure the Region dropdown is selected to AWS GovCloud (US - East). Currently, we do not support each service; however, with advanced notice (from Sales, for example) coupled with Game Warden leadership approval, our team might be able to support some services on the list.
We can support certain services within the Kubernetes cluster where your applications reside. Ideally, your applications reside within your Kubernetes cluster in a specific container. All AWS services, however, operate outside of your Kubernetes cluster.
Big Bang¶
Big Bang is the architecture upon which Game Warden is built and upon which our applications run, enabling our team to use a DoD-approved architecture and set of services. Big Bang runs inside the Kubernetes cluster provisioned via AWS, where your application resides.
Currently, we do not have customers who use Big Bang managed services. The process for deploying these services would be similar to establishing any external AWS service. In this case, however, we would configure the Big Bang managed service to run within your Kubernetes cluster. These services might include, for example, HashiCorp Vault and Istio.
Iron Bank¶
Iron Bank is a DoD service and registry that automates, secures, and accelerates the approval process of commercial and open source images to be used within the DoD with DoD-wide reciprocity. Iron Bank can be a source for containers that can provide managed services. As an example, a Game Warden client might need a Redis service (Remote Dictionary Server) for caching. In this circumstance, the Game Warden team might access Iron Bank and deploy images on your behalf to meet your managed service needs. We will only pull and deploy approved Iron Bank images that meet Acceptance Baseline Criteria (ABC).
Support and Deployment¶
The Game Warden team does not proactively recommend managed services. Should you require managed services, you must request them as early as possible. We recommend that you provide your use case, perhaps as part of your Authorization Boundary Diagram or earlier. You also might mention this request during pre-Sales or Sales meetings. The Game Warden team should be aware of this request before we deploy any applications. If you need managed services suddenly or unexpectedly, you can make this request via Slack or by contacting your designated Customer Operations member.
For Backup, DynamoDB, ElastiCache, Elastic File Storage, Elastic Kubernetes Service (EKS), Relational Database Service (RDS), Simple Email Service (SES), and Simple Storage Service, the Game Warden team uses Infrastructure as Code (IaC) to provision the needed infrastructure, then connects these resources to the Kubernetes cluster where your application is deployed. These services, therefore, do not run within the cluster. For example, our team can establish an S3 bucket for you before configuring your cluster to communicate with this service. RDS, S3, and EFS managed services deployments are seamless to clients and end-users, and we can deploy these services at each Impact Level (IL).
For most other managed services, the Game Warden team must first determine the exact service and if this service is allowed at each Impact Level (IL), as policies may apply. This process might require Game Warden leadership involvement. For IL4+, there are policies and technologies in place that require government approval.