Example worksheet
This example worksheet represents a typical mapping of attributes to types of workload hosting environments. It is meant to spur discussion and comparison with both your current on-premises conventions and your expectations for working on AWS.
Table 3 — Example worksheet - Attributes of workload hosting environment types
| Attribute | Corporate desktops | Sandbox | Development | Data-oriented Development | Test | Production |
|---|---|---|---|---|---|---|
| Owners / tenants | Individual | Individual | Team | Team | Same as production | Depends on operating model |
| Tolerance to extended outages | Low | High | Low to medium | Low to medium | Low | Extremely low |
| Internet access | Outbound requests subject to proxying and filtering controls; no inbound requests | Outbound and inbound requests | Outbound requests subject to proxying and filtering controls; no inbound requests | Given the presence of production data, outbound requests will likely be more controlled than in development environments; no inbound requests | Same as production | Workload-specific outbound and inbound requests; proxy-based access to external services |
| Internal network access | Shared development and infrastructure services; other development workloads; corporate services | No connectivity to corporate and data center services; no connectivity to shared development and infrastructure services | Shared development and infrastructure services; other development workloads; no access to business production services | Shared development and infrastructure services; access to defined production data sources | Shared development and infrastructure services; other test services | Shared infrastructure services; other production services |
| Data | Intellectual property (IP); test data | Public data only; public test data (no intellectual property) | IP; test data; no access to production data | IP; production data | IP; test data; typically avoid use of sensitive production data unless sanitized | IP; production data |
| Third-party software and cloud services | Installation of approved software | Access to a broad set of AWS services; installation of approved software | Access to enterprise-standardized AWS services; controlled access to AWS services undergoing standardization for the purposes of testing; installation of approved software | Access to enterprise-standardized AWS services; controlled access to AWS services undergoing standardization for the purposes of testing; installation of approved software | Access to enterprise-standardized AWS services; access to AWS services undergoing standardization; installation of approved software | Access to enterprise-standardized AWS services; installation of approved software |
| Degree of access | Limited OS configuration | Wide-ranging administrative cloud resource write access; some limits on modifying foundation resources | Wide-ranging access, including write access to develop and test workload-specific IAM service roles and policies; some limits on modifying foundation resources | Given the presence of production data, likely more limited cloud resource write access than in development | Same as production | Least-privileged access; strictly controlled access based on the operating model in effect; service-to-service access based on authorization |
| Lifespan of resources | Up to builder to manage | Temporary | Up to owning teams to manage | Up to owning teams to manage | Same as production | Depends on business need |
| Direct human write access to workload resources | Yes | Yes | Yes | Yes | Same as production | No |
| Automated workload provisioning | Limited | Limited | Mix of manual and automated | Mix of manual and automated | Same as production | Yes |
| Formal change management for workloads | No | No | No | No | Same as production | Yes |
| Degree of centrally managed foundation | As appropriate for corporate desktops | Sufficient to ensure overall security | Typical foundation resources centrally managed | Typical foundation resources centrally managed | Same as production | Typical foundation resources centrally managed |
| Common enterprise guardrails | Desktop specific | Yes; guardrails to prevent write access to baseline security monitoring services and configuration | Yes; guardrails to prevent write access to foundation resources | Yes; guardrails might be a hybrid of those used for development and production environments | Same as production | Yes |
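The "Common enterprise guardrails" row for Sandbox environments calls for guardrails that prevent write access to baseline security monitoring services while leaving builders their broad write access to everything else. The following is an added example, not code from the whitepaper, of one way to express that row as an AWS Organizations service control policy (SCP), together with a minimal evaluator that shows which API calls the policy would block for a given principal. The account id, the `FoundationSecurityAutomation` and `SandboxBuilder` role names, and the specific action list are constructed assumptions for illustration; the evaluator models only the subset of SCP semantics the policy uses.

```python
"""
Added example (not from the AWS whitepaper): an SCP that denies writes to the
baseline security monitoring services in a Sandbox account, plus a minimal
evaluator to show which calls it blocks. Account id, role names and the action
list are constructed assumptions, not identifiers from the page.
"""
import json
from fnmatch import fnmatch

# Assumption: one central security-automation role may still manage the
# monitoring baseline. The account id and role name are placeholders.
EXEMPT_PRINCIPAL_ARN = "arn:aws:iam::111122223333:role/FoundationSecurityAutomation"

# The guardrail. Sandbox builders keep wide-ranging write access; only
# tampering with the shared monitoring baseline is explicitly denied.
SANDBOX_MONITORING_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWritesToBaselineSecurityMonitoring",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "config:StopConfigurationRecorder",
                "guardduty:DeleteDetector",
                "guardduty:UpdateDetector",
            ],
            "Resource": "*",
            # The deny applies to every principal except the exempt role.
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": EXEMPT_PRINCIPAL_ARN}},
        }
    ],
}


def policy_json() -> str:
    """Serialize the SCP in the form you would attach with AWS Organizations."""
    return json.dumps(SANDBOX_MONITORING_GUARDRAIL, indent=2)


def _matches(pattern: str, value: str) -> bool:
    """IAM-style matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch(value.lower(), pattern.lower())


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(policy: dict, action: str, principal_arn: str) -> bool:
    """Return True if an explicit Deny statement in the SCP applies to this call.

    Only Effect, Action and an ArnNotLike condition on aws:PrincipalArn are
    modelled. Anything not denied here still needs an IAM identity policy to
    be allowed: an SCP only bounds permissions, it never grants them.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and any(_matches(p, principal_arn) for p in _as_list(exempt)):
            continue  # ArnNotLike is false for this principal; statement does not apply
        return True
    return False


def blocked_calls(policy: dict, principal_arn: str, actions) -> list:
    """Return the actions from `actions` that the SCP would deny for this principal."""
    return [a for a in actions if scp_denies(policy, a, principal_arn)]


if __name__ == "__main__":
    builder = "arn:aws:iam::111122223333:role/SandboxBuilder"  # constructed placeholder
    attempted = ["ec2:RunInstances", "cloudtrail:StopLogging", "config:StopConfigurationRecorder"]
    print(policy_json())
    print("blocked for builder:", blocked_calls(SANDBOX_MONITORING_GUARDRAIL, builder, attempted))
    print("blocked for exempt role:", blocked_calls(SANDBOX_MONITORING_GUARDRAIL, EXEMPT_PRINCIPAL_ARN, attempted))
```

Two points worth keeping in mind when turning a worksheet row into a real guardrail: SCPs do not apply to the management account or to service-linked roles, so the baseline itself should be operated from a dedicated account rather than the management account; and the Development column's "guardrails to prevent write access to foundation resources" is a different, broader policy that would typically be attached at a different organizational unit rather than folded into this one.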