Managed Services

The concept of managed services, in the Game Warden context, is three-fold:

  • Amazon Web Services (AWS) with an emphasis on Backup, DynamoDB, ElastiCache, Elastic File Storage, Elastic Kubernetes Service (EKS), Relational Database Service (RDS), Simple Email Service (SES), and Simple Storage Service.
  • Big Bang services such as HashiCorp Vault and Istio.
  • Game Warden managed services, which might involve pulling images from Iron Bank – a Department of Defense (DoD)-approved image registry – to run in your Kubernetes cluster.

As clients, you neither provide images nor resolve or justify Common Vulnerabilities and Exposures (CVEs) relative to managed services. The Game Warden team manages this process via policy, manual efforts, or pipelines.

Amazon Web Services (AWS)

Game Warden operates in AWS GovCloud East.

The table below lists our commonly supported services on AWS and their availability at each Impact Level (IL). Check back regularly to see what new services we offer. If you'd like an AWS service not currently listed, we can generate a feature request on your behalf but cannot guarantee a timeline.

| Service Name                         | IL2 | IL4 | IL5 |
|--------------------------------------|-----|-----|-----|
| EBS (Elastic Block Store)            | Yes | Yes | Yes |
| EC2 (Elastic Cloud Compute)          | Yes | Yes | Yes |
| EFS (Elastic File Storage)           | Yes | Yes | Yes |
| EKS (Elastic Kubernetes Service)     | Yes | Yes | Yes |
| IAM (Identity and Access Management) | Yes | Yes | Yes |
| KMS (Key Management Service)         | Yes | Yes | Yes |
| RDS (Relational Database Service)    | Yes | Yes | Yes |
| SQS (Simple Queue Service)           | Yes | Yes | Yes |
| S3 (Simple Storage Service)          | Yes | Yes | Yes |
| VPC (Virtual Private Cloud)          | Yes | Yes | Yes |
| SES (Simple Email Service)           | Yes | Yes | Yes |
| Transit Gateway                      | Yes | Yes | Yes |
| Backup                               | Yes | Yes | Yes |
| DynamoDB                             | Yes | Yes | Yes |
| ElastiCache                          | Yes | Yes | Yes |

For High-Side deployments (Top Secret), only EKS, RDS and S3 services are currently available.

Lambda

Lambda is a security risk and is not currently approved in Game Warden's Authority to Operate (ATO). S3 extensions are likewise not permitted.

As an alternative, we recommend containerizing the features needed vice using AWS Lambda. Another option could be exploring Knative as a Kubernetes-compatible serverless function alternative.

AWS provides a list that includes additional AWS services that we may be able to support.

  • Game Warden operates in AWS GovCloud (US-East); ensure the Region dropdown is set to AWS GovCloud (US-East).
  • Currently, we do not support every service on the list; however, with advance notice (from Sales, for example) coupled with Game Warden leadership approval, our team might be able to support some of them.

We can support certain services within the Kubernetes cluster where your applications reside. Ideally, your applications reside within your Kubernetes cluster in a specific container. All AWS services, however, operate outside of your Kubernetes cluster.

Google Cloud Platform (GCP)

The table below lists popular GCP services, their associated support status on Game Warden, and their availability at each Impact Level (IL):

| Service Name                         | Status            | IL2 | IL4 | IL5 |
|--------------------------------------|-------------------|-----|-----|-----|
| BigQuery                             | Supported         | Yes | Yes | Yes |
| Cloud HSM (Hardware Security Module) | Can Support       | Yes | Yes | Yes |
| Cloud Identity                       | Supported         | Yes | Yes | Yes |
| Cloud Logging                        | Can Support       | Yes | Yes | Yes |
| Cloud Key Management Service         | Not Yet Supported | No  | No  | No  |
| Cloud Storage                        | Can Support       | Yes | Yes | Yes |
| Compute Engine                       | Supported         | Yes | Yes | Yes |
| Dataflow                             | Cannot Support    | No  | No  | No  |
| Google Kubernetes Engine             | Supported         | Yes | Yes | Yes |
| Persistent Disk                      | Cannot Support    | No  | No  | No  |
| Virtual Private Cloud                | Supported         | Yes | Yes | Yes |
| Cloud Monitoring                     | Can Support       | Yes | Yes | No  |
| Cloud Pub/Sub                        | Can Support       | Yes | Yes | No  |
| Cloud SQL                            | Can Support       | Yes | Yes | No  |

GCP does not currently support IL6 or High-Side deployments.

Service Status:

  • Supported: Game Warden is currently supporting this service for customers.

  • Can Support: Game Warden is able to support this service. Contact our team to confirm availability.

  • Not Yet Supported: Game Warden does not currently support this service, but may in the future if the need arises.

  • Cannot Support: Game Warden cannot support this service.

Big Bang

Big Bang is the architecture upon which Game Warden is built and upon which our applications run, enabling our team to use a DoD-approved architecture and set of services. Big Bang runs inside the Kubernetes cluster provisioned via AWS, where your application resides.

Currently, we do not have customers who use Big Bang managed services. The process for deploying these services would be similar to establishing any external AWS service. In this case, however, we would configure the Big Bang managed service to run within your Kubernetes cluster. These services might include, for example, HashiCorp Vault and Istio.

Iron Bank

Iron Bank is a DoD service and registry that automates, secures, and accelerates the approval process of commercial and open source images to be used within the DoD with DoD-wide reciprocity. Iron Bank can be a source for containers that can provide managed services. As an example, a Game Warden client might need a Redis service (Remote Dictionary Server) for caching. In this circumstance, the Game Warden team might access Iron Bank and deploy images on your behalf to meet your managed service needs. We will only pull and deploy approved Iron Bank images that meet Acceptance Baseline Criteria (ABC).

Support and Deployment

The Game Warden team does not proactively recommend managed services. Should you require managed services, you must request them as early as possible. We recommend that you provide your use case, perhaps as part of your Authorization Boundary Diagram or earlier. You also might mention this request during pre-Sales or Sales meetings. The Game Warden team should be aware of this request before we deploy any applications. If you need managed services suddenly or unexpectedly, you can make this request via Slack or by contacting your designated Customer Operations member.

For Backup, DynamoDB, ElastiCache, Elastic File Storage, Elastic Kubernetes Service (EKS), Relational Database Service (RDS), Simple Email Service (SES), and Simple Storage Service, the Game Warden team uses Infrastructure as Code (IaC) to provision the needed infrastructure, then connects these resources to the Kubernetes cluster where your application is deployed. These services, therefore, do not run within the cluster. For example, our team can establish an S3 bucket for you before configuring your cluster to communicate with this service. RDS, S3, and EFS managed services deployments are seamless to clients and end-users, and we can deploy these services at each Impact Level (IL).

For most other managed services, the Game Warden team must first determine the exact service and whether it is allowed at each Impact Level (IL), as policies may apply. This process might require Game Warden leadership involvement. For IL4+, there are policies and technologies in place that require government approval.
