
Overview

Phase 1 – Disaster Recovery Environment Foundation

eCloud will perform a detailed infrastructure buildout on AWS following the AWS well-architected framework. The buildout will consist of developing the foundational AWS Virtual Private Cloud (VPC) infrastructure, security monitoring, and user access upon which resources delivered in subsequent phases will be built.

This phase includes:
• AWS account setup and initial setup (Organizations)
• Master, Production & Logging Account setup with Consolidated Billing
• Production environment buildout using Infrastructure as Code (CloudFormation)
• Create AWS end-user accounts with console access (IAM) and roles for:
  o Administrator
  o Power User
  o Read Only
  o View Only
• Implement Virtual Private Cloud (VPC) including:
  o Network address space assignment
  o 2 public subnets (for internet facing instances)
  o 2 private subnets (for private instances)
  o Internet Gateways for inbound/outbound access to public internet
  o NAT Gateways for outbound access to internet from private subnets
  o Routing tables
• Deploy security best practices & continuous monitoring, including:
  o Implement security best practices as described in CIS AWS Fundamentals Benchmark
  o Enable centralized logging of all AWS API events for security monitoring & debugging (CloudTrail)
  o Configure automated reporting of AWS resource inventory and configuration

Phase 2 – Elastic Compute Capabilities

eCloud will perform a detailed infrastructure buildout on AWS following the AWS well-architected framework. The buildout will consist of deploying a load balanced and auto-scaling 3-tiered application architecture. The design will be implemented as Infrastructure as Code (IaC) to permit the creation of additional identical environments (e.g. for development, testing, staging, or redundancy).

This phase includes:
• Creation of Application Load Balancer for routing inbound requests to the correct web hosts
• Generation or import & association of SSL certs with ALBs
• Configuration of all ALB, EC2, and RDS instances to publish system logs to CloudWatch
• Configuration of CloudWatch Alarms to alert on unresponsive health checks
• Configuration & creation of EC2 instances
• Configuration & creation of RDS database resources
• Creation of IAM Roles to permit EC2 instances to access other AWS resources
• Creation of Security Groups (stateful software firewall rules) to permit network traffic between resources

Phase 3 – Security Hardening & Monitoring

eCloud will implement “best practices” security hardening and monitoring capabilities in the environments built in Phase 1 of this SOW. These services are required to enable eCloud to provide ongoing security monitoring at a later date.

This phase includes:
• Implementation of Web Application Firewall with the following rulesets:
  o Managed Rules: AWS managed core rules provide protection against exploitation of a wide range of common application vulnerabilities or other unwanted traffic.
  o Manual IP lists: creates two specific AWS WAF rules to manually block/allow specific IP addresses.
  o SQL Injection and XSS: configuration of two native AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.
  o HTTP flood: This component protects against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt.
  o Scanners and Probes: This component parses application access logs searching for suspicious behavior, such as an abnormal number of errors generated by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time.
  o IP Reputation Lists: This component is the IP Lists Parser AWS Lambda function, which checks third-party IP reputation lists hourly for new ranges to block.
  o Bad Bots: This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack.
• Deployment of “best practices” controls defined in the CIS AWS Foundation Benchmark for basic hardening of the AWS environment.
• Enable AWS SecurityHub to monitor all account security configuration and consolidate results in a single dashboard
• Enable AWS GuardDuty for continuous automated monitoring and identification of potential security issues and intrusion attempts

Sold by eCloud Managed Solutions
Fulfillment method Professional Services

Pricing Information

This service is priced based on the scope of your request. Please contact seller for pricing details.

Support

https://ecloudms.com

Head of Sales Eric Sanders, Managing Partner eric@ecloudms.com 678.596.7805

eCloud Support: support@ecloudms.com