== Post-deployment steps

After deployment, upload the current DISA STIG GPO package to the GPO S3 bucket. For more information on this process, read the DISA STIG GPO Import Process documentation, located in the docs/gpo-import.md file in the https://fwd.aws/jbg4A[GitHub repository]. Uploading the package starts the process that imports the GPO backups into Active Directory. You must do this manual process only once after initial deployment.

From then on, you can use a Lambda function to check the DISA website for a new package on a defined schedule and send an SNS notification when a package is found or when it has not been found but should have been available.

== Security
// Provide post-deployment best practices for using the technology on AWS, including considerations such as migrating data, backups, ensuring high performance, high availability, etc. Link to software documentation for detailed information.

AWS provides a set of building blocks (including the Amazon EC2 and Amazon VPC services) that you can use to provision infrastructure for your applications. In this model, some security capabilities such as physical security are the responsibility of AWS and are highlighted in the https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf[AWS Security Best Practices^] whitepaper. Other capabilities, such as controlling access to applications, are the responsibility of the application developer and the tools provided in the Microsoft platform.

If you have followed the automated deployment options in this guide, the necessary security groups are configured for you by the provided AWS CloudFormation template and are listed here for your reference.

[cols=",,,",options="header",]
|========================================================================================================================================================================================================================================
|Security group |Associated with |Inbound source |Ports
|DomainControllerSG |DC1, DC2 |VPCCIDR |TCP5985, TCP53, UDP53, TCP80, TCP3389
| | |DomainControllerSG |IpProtocol-1, FromPort-1, ToPort-1
| | |DomainMemberSG |UDP123, TCP135, UDP138, UDP137, TCP139, TCP445, UDP445, TCP464, UDP464, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636, TCP3268, TCP3269, TCP88, UDP88, UDP67, UDP2535, TCP9389, TCP5722, UDP5355, (ICMP -1)
|DomainMemberSG |RDGW1, RDGW2 a|
ADServer1PrivateIp,

ADServer2PrivateIp

 |UDP88, TCP88, TCP445, UDP445, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636
|RDGWSecurityGroup |RDGW1, RDGW2 |RDGWCIDR* |TCP3389, TCP3391, TCP443
|CASurityGroup |RootCA, SubordinateCA |VPCID* |All traffic
|========================================================================================================================================================================================================================================

NOTE: *Important* Never open RDP to the entire internet, not even temporarily or for testing purposes. For more information, see the http://aws.amazon.com/security/security-bulletins/morto-worm-spreading-via-remote-desktop-protocol/[Morto Worm Spreading via Remote Desktop Protocol^] Amazon security bulletin. Always restrict ports and source traffic to the minimum necessary to support the functionality of the application. For more about securing Remote Desktop Gateway, see the https://d1.awsstatic.com/whitepapers/aws-microsoft-platform-security.pdf[Securing the Microsoft Platform on Amazon Web Services^] whitepaper.