Configure Vanta compliance controls for your DuploCloud Tenants
DuploCloud integrates with Vanta Monitor and AWS GuardDuty to monitor your applications and provide real-time alerts and notifications for compliance issues, security events, and vulnerabilities.
To enable Vanta compliance controls directly from the DuploCloud Portal:
Navigate to Administrator -> Systems Settings.
Click the Compliance Controls tab.
Use the Enable Vanta Controls toggle switch to enable Vanta Monitor. GuardDuty is enabled by default when this setting is enabled.
Enter an email in the GuardDuty Notifications Email field. GuardDuty notifications will be sent to this email address.
From the Select Tenant list box, select the Tenant for which Vanta controls will be enabled.
In the Tenant Settings for YOUR_TENANT_NAME area, enter the Tenant Owner and Description, and indicate whether the Tenant is Production and/or Contains User Data.
Click Save. Vanta compliance controls are enabled for the specified Tenant.
Configure infrastructure Security Settings for Infrastructure and Plan
Plan settings
To configure Plan settings, navigate to Administrator -> Plans in the DuploCloud Portal. Select the name of the Plan that matches the DuploCloud Infrastructure for which you want to configure settings. Click the Capabilities tab to view Plan Settings.
Click the Edit icon to open the Update Capabilities pane. Enable the settings listed in the table below by clicking the setting switch and clicking Submit.
A Default Value of Enabled in the table below displays a property Value of True in the UI; a Default Value of Disabled displays a property Value of False.

Plan Settings | Description | Default Value |
---|---|---|
Unrestricted External Load Balancer | When enabled, an internet-facing load balancer created with non-default listener ports (ports other than 80 and 443) is automatically opened to everyone (0.0.0.0/0). When disabled, you must manually add a Security Group ingress rule before the service is reachable. Because the default is Enabled, any custom listener port on an internet-facing load balancer is world-reachable unless you disable this setting or scope the ingress rule yourself. | Enabled |
EKS Endpoint Visibility | Set to Private to access an EKS Cluster through a private endpoint, with the DuploCloud VPN enabled. | Public |

Infrastructure settings
To configure Infrastructure settings, navigate to Administrator -> Infrastructure in the DuploCloud Portal. Select the name of the Infrastructure for which you want to configure the settings. Click the Settings tab to view Infrastructure settings.
To update or remove an existing setting, click the icon to the left of the setting Name and select Update Setting or Remove Setting. To add any of these settings, click Add. Select and enable the settings using the Infra - Set Custom Data pane.
A Default Value of Enabled in the table below displays a property value of True in the UI; a Default Value of Disabled displays a property value of False.

Infrastructure Settings | Description | Default Value |
---|---|---|
Enable Encryption at Rest | Configures encryption at rest for AWS resources such as RDS, ElastiCache, and Elasticsearch. This is the one encryption setting in this table that defaults to Disabled. | Disabled |
Block Public Access | Blocks (disables) public access to S3. | Enabled |
Maximum Session Duration | Configures the maximum session duration of the AWS IAM role for the Tenant. Provide the input in hours. | 3600 seconds (1 hour) |
Enforce SSL for ES | Requires SSL (TLS) connections to AWS Elasticsearch domains. | Enabled |
Enforce SSL for S3 | Requires SSL (TLS) connections to AWS S3 buckets. | Enabled |
Enable node to node encryption for ES | Enables node-to-node encryption, which protects data transferred between Elasticsearch nodes using SSL. | Enabled |
Automatically rotate KMS keys | Enables automatic rotation of KMS keys to prevent extended reuse of the same key material. | Enabled |

Configure Tenant Security settings for specific DuploCloud Tenants
Configure these settings (properties) by navigating to Administrator -> Tenants in the DuploCloud Portal. Select the Tenant for which you want to configure the settings listed below and click the Settings tab. The Tenant Feature Properties are listed in the Name column of the Settings tab.
To edit or remove an existing property, click the icon to the left of the property Name and select Edit Setting or Remove Setting. To add any of these settings, click Add. Select and enable the feature using the Add Tenant Feature pane.
A Default Value of Enabled in the table below displays a property value of True in the UI; a Default Value of Disabled displays a property value of False.

Tenant Feature Property | Description | Default Value |
---|---|---|
Delete protection | Protects the Tenant from accidental deletion. | Enabled |
AWS Access Token Validity | Validity period, in seconds, of the AWS Console JIT (Just-In-Time) session token before it times out. | 3600 seconds (1 hour) |
Restrict Public IP for Non-Admin | Restricts non-Administrators from creating a load balancer that uses a public IP address. | Disabled |
Restrict EC2 instance create in public subnet for non-admin | Restricts non-Administrators from creating EC2 instances that use a public IP address. | Disabled |
Restrict non-ssl listener create for non-admin | Restricts non-Administrators from creating a load balancer listener without an SSL certificate. | Disabled |
The three Restrict ... for non-admin properties default to Disabled, so non-Administrator users can create public-IP load balancers and instances and plaintext listeners until you enable these properties for the Tenant.
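The Unrestricted External Load Balancer Plan setting above opens any non-default listener port of an internet-facing load balancer to 0.0.0.0/0. The following Python script is an added example, not DuploCloud code: it audits security groups for exactly that exposure, walking the dict shape returned by EC2 DescribeSecurityGroups and flagging every ingress rule that exposes a port other than 80 or 443 to 0.0.0.0/0 or ::/0. The sample security groups, their IDs and names are constructed for the example, and audit_live_account() is a helper added here to show the real boto3 call.

```python
"""Audit security-group ingress for internet-exposed non-default listener ports.

Added example, not DuploCloud code. With 'Unrestricted External Load Balancer'
enabled, an internet-facing load balancer whose listener uses a port other than
80 or 443 gets an ingress rule open to 0.0.0.0/0. This audit walks the dict
shape returned by EC2 DescribeSecurityGroups (boto3:
ec2.describe_security_groups()["SecurityGroups"]) and reports every rule that
exposes a non-80/443 port to 0.0.0.0/0 or ::/0. Sample groups are constructed.
"""
from __future__ import annotations

DEFAULT_LISTENER_PORTS = {80, 443}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_range(perm: dict) -> tuple[int, int]:
    """Ports covered by one IpPermissions entry; protocol '-1' means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _world_reachable(perm: dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    v4 = (r.get("CidrIp") for r in perm.get("IpRanges", []))
    v6 = (r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", []))
    return any(c in WORLD_CIDRS for c in (*v4, *v6))


def find_world_open_nondefault_ports(security_groups: list[dict]) -> list[dict]:
    """One finding per ingress rule that exposes a port other than 80/443 to everyone."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            # For icmp/icmpv6 FromPort/ToPort are type/code, not listener ports.
            if perm.get("IpProtocol") in ("icmp", "icmpv6") or not _world_reachable(perm):
                continue
            lo, hi = _port_range(perm)
            # A single-port rule for 80 or 443 is the expected HTTP/HTTPS exposure.
            if lo == hi and lo in DEFAULT_LISTENER_PORTS:
                continue
            findings.append({"GroupId": sg.get("GroupId"), "GroupName": sg.get("GroupName"),
                             "Protocol": perm.get("IpProtocol"), "FromPort": lo, "ToPort": hi})
    return findings


# Constructed sample, shaped like a DescribeSecurityGroups response (IDs are made up).
SAMPLE_SECURITY_GROUPS = [
    {   # HTTPS only to the world: the expected exposure of an internet-facing LB.
        "GroupId": "sg-0aaa111", "GroupName": "web-lb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # Port 8080 opened to everyone: what the setting produces for a custom listener.
        "GroupId": "sg-0bbb222", "GroupName": "api-lb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},  # internal only
        ],
    },
    {   # All protocols from any IPv6 address: reported as the full port range.
        "GroupId": "sg-0ccc333", "GroupName": "legacy",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def audit_live_account(region_name: str) -> list[dict]:
    """Run the same audit against a real account (requires boto3 and AWS credentials)."""
    import boto3  # imported here so the offline sample above runs without boto3 installed

    ec2 = boto3.client("ec2", region_name=region_name)
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return find_world_open_nondefault_ports(groups)


if __name__ == "__main__":
    for f in find_world_open_nondefault_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Protocol']} "
              f"{f['FromPort']}-{f['ToPort']} open to the internet")
```

Run as-is it reports sg-0bbb222 (tcp 8080) and sg-0ccc333 (all protocols, all ports) and stays silent on the 443-only group; for a real account call audit_live_account("us-east-1") with credentials that can describe security groups. Any finding whose port was not meant to be public is a candidate for disabling Unrestricted External Load Balancer and adding a scoped ingress rule instead.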
Configure AWS Account Security settings for the DuploCloud Portal
Use the sections below to get detailed settings and values for various AWS security configurations.

System Security
Allows you to configure for AWS resources that you create from the DuploCloud Portal.
To update or remove an existing setting, click the icon to the left of the Config Type and select Update or Delete. To add any of these settings, click Add. Using the Add Config pane, select the Config Type and Key from the table below and enter the appropriate Value.

System Config Setting (Key) | Description | Config Type |
---|---|---|
Disable SSH Key Download | Setting Value to True prevents a user from downloading an SSH key. | Flags |
Disable Host Creation with Custom AMI | Default is False, allowing host creation with a custom AMI unless you set Value to True. | Flags |
Duplo Managed Tag Keys | | App Config |
Block Master VPC CIDR Allow in EKS SG | Setting Value to True prevents a user from adding the DuploCloud Master VPC CIDR to an EKS Security Group definition. | Flags |

AWS Account Security
Settings Name | Description |
---|---|
Enable Security Hub | Enables AWS Security Hub in all AWS regions managed by DuploCloud. |
Enable Guard Duty | Enables AWS GuardDuty in all AWS regions managed by DuploCloud. |
Enable IAM Password Policy | Enables an account-level IAM User password policy with the requirements listed below this table. |
Enable CloudTrail | Enables a multi-region CloudTrail for the AWS account. Enabling this feature creates and manages a multi-region CloudTrail for the AWS account in DuploCloud, creates a CloudWatch log group named /cloudtrail/duplo that receives CloudTrail events, and creates and manages an S3 bucket that receives the CloudTrail log files. |
Enable Inspector | Enables AWS Inspector in any region where there is a public cloud infrastructure managed by DuploCloud. |
Ignore Default EBS Encryption | By default, DuploCloud enables EBS Default Encryption for all regions in which you deploy infrastructure. Enabling this setting allows DuploCloud to override the EBS Default Encryption setting when creating new Infrastructures. You can still edit the EBS Encryption by Default setting to enable EBS encryption by default for your Infrastructure, for the entire AWS region, if needed. |
Enable VPC Flow Logs | Enables VPC flow logs for all VPCs created by DuploCloud. |
Delete Default NACL Rule(s) | Deletes the default NACL rules for all VPCs created by DuploCloud. |
Delete Default VPC(s) | Deletes the default VPCs in all AWS regions managed by DuploCloud. |
Revoke Default Security Group Rule(s) | Revokes the default Security Group rules for all VPCs created by DuploCloud. |
Globally Block Public Access to S3 | Restricts public access to S3 buckets across the account. |
Configure SSL Policy to LBs | Contact a DuploCloud Administrator to configure this setting at the AWS system level. |
The IAM password policy applied by Enable IAM Password Policy requires:
Minimum password length of 14 characters
At least one uppercase letter from the Latin alphabet (A-Z)
At least one lowercase letter from the Latin alphabet (a-z)
At least one number (0-9)
At least one non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ')
Passwords expire after 90 days
Users may change their own passwords
The last twenty-four (24) passwords are remembered by the system, to prevent reuse
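The account-level settings listed under Configure AWS Account Security settings above (Enable IAM Password Policy, Enable CloudTrail, the EBS Default Encryption behaviour and Globally Block Public Access to S3) each correspond to an AWS API response you can verify after the toggle is set. The following Python script is an added example, not DuploCloud code: each checker takes the response dict of the matching boto3 call and compares it with the values the page states, so the logic runs offline. The WEAK_SNAPSHOT and HARDENED_SNAPSHOT dicts, the trail and bucket names and the account ID in them are constructed for the example, and fetch_live_snapshot() is a helper added here to show the real calls.

```python
"""Verify AWS account-level controls against the settings table above.

Added example, not DuploCloud code. Each checker takes the response dict of the
matching boto3 call (same key names) so it runs offline against the constructed
snapshots below; fetch_live_snapshot() shows the real calls.
"""
from __future__ import annotations

# Values applied by 'Enable IAM Password Policy', keyed as in
# iam.get_account_password_policy()["PasswordPolicy"].
REQUIRED_PASSWORD_POLICY = {
    "MinimumPasswordLength": 14, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireNumbers": True, "RequireSymbols": True,
    "MaxPasswordAge": 90, "AllowUsersToChangePassword": True, "PasswordReusePrevention": 24,
}
S3_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def check_password_policy(policy: dict) -> list[str]:
    """Failures for the PasswordPolicy dict ({} when the account has no policy at all)."""
    failures = []
    for key, want in REQUIRED_PASSWORD_POLICY.items():
        have = policy.get(key)
        if key == "MaxPasswordAge":
            ok = have is not None and 0 < have <= want  # absent means passwords never expire
        elif isinstance(want, bool):
            ok = have is True
        else:
            ok = have is not None and have >= want  # length and reuse history are minimums
        if not ok:
            failures.append(f"password policy {key}: have {have!r}, need {want!r}")
    return failures

def check_cloudtrail(trails: list[dict]) -> list[str]:
    """Failures for cloudtrail.describe_trails()["trailList"]."""
    multi = [t for t in trails if t.get("IsMultiRegionTrail")]
    if not multi:
        return ["cloudtrail: no multi-region trail configured"]
    failures = []
    for t in multi:
        if not t.get("S3BucketName"):
            failures.append(f"cloudtrail {t.get('Name')}: no S3 bucket receives the log files")
        if not t.get("CloudWatchLogsLogGroupArn"):
            failures.append(f"cloudtrail {t.get('Name')}: events not delivered to a CloudWatch log group")
    return failures

def check_ebs_default_encryption(by_region: dict[str, dict]) -> list[str]:
    """Failures for {region: ec2.get_ebs_encryption_by_default()} over the regions in use."""
    return [f"ebs default encryption is off in {region}"
            for region, resp in by_region.items() if not resp.get("EbsEncryptionByDefault")]

def check_s3_public_access_block(resp: dict) -> list[str]:
    """Failures for s3control.get_public_access_block(AccountId=...)."""
    cfg = resp.get("PublicAccessBlockConfiguration", {})
    return [f"s3 account public access block: {k} is off" for k in S3_BLOCK_KEYS if not cfg.get(k)]

def evaluate_snapshot(snapshot: dict) -> list[str]:
    """Run every check over one snapshot; an empty list means all controls are in place."""
    return (check_password_policy(snapshot.get("password_policy", {}))
            + check_cloudtrail(snapshot.get("trails", []))
            + check_ebs_default_encryption(snapshot.get("ebs_by_region", {}))
            + check_s3_public_access_block(snapshot.get("s3_public_access_block", {})))

# Constructed snapshot of an account before the settings are applied.
WEAK_SNAPSHOT = {
    "password_policy": {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
                        "RequireLowercaseCharacters": True, "RequireNumbers": True,
                        "RequireSymbols": False, "AllowUsersToChangePassword": True},
    "trails": [{"Name": "legacy", "IsMultiRegionTrail": False, "S3BucketName": "legacy-logs"}],
    "ebs_by_region": {"us-east-1": {"EbsEncryptionByDefault": True},
                      "us-west-2": {"EbsEncryptionByDefault": False}},
    "s3_public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
}
# Constructed snapshot of the same account after Enable IAM Password Policy, Enable CloudTrail
# and Globally Block Public Access to S3 have taken effect (trail, bucket and account ID are made up).
HARDENED_SNAPSHOT = {
    "password_policy": dict(REQUIRED_PASSWORD_POLICY),
    "trails": [{"Name": "duplo", "IsMultiRegionTrail": True, "S3BucketName": "duplo-cloudtrail-logs",
                "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/cloudtrail/duplo:*"}],
    "ebs_by_region": {r: {"EbsEncryptionByDefault": True} for r in ("us-east-1", "us-west-2")},
    "s3_public_access_block": {"PublicAccessBlockConfiguration": dict.fromkeys(S3_BLOCK_KEYS, True)},
}

def fetch_live_snapshot(regions: list[str]) -> dict:
    """Build the same snapshot from a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline snapshots run without boto3 installed
    iam, sts = boto3.client("iam"), boto3.client("sts")
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        policy = {}  # no policy at all: every password check fails
    return {
        "password_policy": policy,
        "trails": boto3.client("cloudtrail", region_name=regions[0]).describe_trails()["trailList"],
        "ebs_by_region": {r: boto3.client("ec2", region_name=r).get_ebs_encryption_by_default() for r in regions},
        "s3_public_access_block": boto3.client("s3control", region_name=regions[0]).get_public_access_block(
            AccountId=sts.get_caller_identity()["Account"]),
    }

if __name__ == "__main__":
    print("\n".join(evaluate_snapshot(WEAK_SNAPSHOT)) or "all checks passed")
```

Run as-is it lists seven failures for the weak snapshot (four password-policy values, no multi-region trail, EBS default encryption off in one region, RestrictPublicBuckets off) and nothing for the hardened one. Against a real account, evaluate_snapshot(fetch_live_snapshot(["us-east-1", "us-west-2"])) performs the same checks; pass every region where DuploCloud has deployed infrastructure, since EBS default encryption is a per-region setting.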