GCC+Foundation+Training v1.4

GCC Foundation
Training v1.4
1 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

Copyright of GovTech © Not to be reproduced unless with explicit consent by GovTech.
Disclaimer
• This training material is correct as at this point in time. However, as GCC evolves
the training material and documentation will be updated on a regular basis. The
latest version of this training material will be published on the bulk tender website
in Government Intranet.
• Please take note this training material is not meant to be comprehensive and
should be used in conjunction with the following documentation:
• GCC Customer Handbook

CONTENT 1. Introduction
2. GCC Services Overview
3. GCC Services Deep Dive
a) Cloud Management Portal (CMP)
b) Administering GCC Services and CC Services
c) Central Services
d) Reports
e) Service Management (Support Request)
f) Guides and Support
g) CSP Support Plan Subscription
h) Service Levels
i) Billing for GCCS and CSP Services
4. GCC Hosting Considerations
5. Tenant Lifecycle Process
a) Onboarding > Setup > Operation
RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

1. Introduction

Singapore Government Cloud Journey
Panel for public cloud Web Content Management Launch of Government

SaaS offered on G-Cloud Launch of Nectar on Commercial Cloud
service providers
2010 to Nov 2017 2014 2018 2019
2012 2016 2018

Launch of G-Cloud Content Website Launch of Government
Platform Private Cloud

Government on Commercial Cloud (GCC)
• Commercial Cloud is a key initiative of the

Government’s re-engineering of digital
infrastructure to deliver better, faster and
more cost-efficient digital services to
citizens and businesses
• GCC Services (GCCS) provides a framework

for Government to increase adoption of
Commercial Cloud while complying to
governance and security policies for
Government on Commercial Cloud (GCC)

Advantages of GCC for Agencies
Access to Develop better Govt Resource

leading ICT applications for citizens savings
capabilities and businesses
Secure access & Central visibility

connectivity

Government Hosting Environment
Internet Internet
Users
Government
Government on DataCentre (GDC)
Commercial Cloud Government Private Cloud (GPC)
Internet Internet Internet
CSP Systems GCC Systems GPC Systems
Services Intranet Services Intranet Services
Systems Systems Intranet
Systems
Government Network
Intranet Agency
Users Intranet DataCentre
Systems
System classification framework
Old framework New framework
Secret Secret
Confidential Confidential
Amended to permit a
larger number of systems Restricted
on Commercial Cloud
Restricted
Systems eligible to
Official
be hosted on
(Closed)
commercial cloud
Systems eligible Official Unclassified
Unclassified to be hosted on (Open)
commercial cloud

Responsibilities of Different Parties for Hosting on GCC
Agency/Govtech
Infra & App Stack Vendor Responsibilities Responsibilities
Applications Vendor Agency’s responsibility:
Applications
• Maintain codes Agency • Governance and audit for
• Management of Application, Middleware &
Tenant FM Vendor
application & Tenant Operating System layers
• Apply code changes
FM vendor
Tenant FM Vendor • Governance of
Middleware
• Apply middleware patches application,
• Monitor middleware parameters middleware and
operating system
• Audits
Operating Tenant FM Vendor • Compliance
System • Apply OS patches • Ordering of compute
• Monitor OS parameters resources
(e.g. CPU & RAM Utilisation)
Cloud Service Provider GovTech GovTech’s responsibility:

CSP Services
• Ensure availability of Services • Management of CSP EA Management of CSP EA and
GovTech Governance of GCC Services
GCC Contractor
• Governance of GCCS
GCC Services • Ensure availability of GCCS
• Audits
• Provision of CSP accounts
• Compliance
2. GCC Services Overview

Categories of GCC Services (GCCS)
Base Services Add-On Services Value-Added Services
• Base Services includes the • Optional services to support • Optional services to support
following: additional requirements above ongoing operation of Agency
1. Cloud Management Portal the Base Services: systems:
(CMP) 1. Customer Network 1. Facilities Management
2. Access Management Compartment Service (Application,
3. Identity and Authentication 2. Additional Jumphosts Database & Network
Management 3. Account Creation in CSP Server)
4. Network Connectivity & Portal for Administration 2. Monitoring of Web
Security 4. Professional Service for Defacement
5. Central Services CASB
6. Operational Support
What the terms mean:

• CSP - Cloud Service Provider (e.g. AWS, Azure, Google, etc)

GCCS Base Services (1/3)
No Service Name Description
1 Cloud Management • Allow raising and tracking of Service Request (SR) for GCCS
Portal (CMP) • Provide a consolidated view of billing for subscribed CSP services
• Provide dashboard for Agency to view its compliance status (i.e. OS Patch level
status, Jumphost vulnerabilities and violation in CASB policies)
2 Access Management • Provide access accounts to CMP, CSP, CASB, GCCS Jumphosts and CloudCheckr
• Provide VPN accounts (for Internet Devices) for remote administration of
Agency’s subscribed cloud resources and services via GCCS Jumphosts

• CASB - Cloud access security broker used to monitor users’ activities performed on CSP

3 Identity and • Enables Single Sign-on (SSO) for administrators to access cloud hosted systems
Authentication with WOG user credentials
Management • Provides Multi/2 Factor Authentication (MFA/2FA) for administrative access
4 Network • Provide secure connectivity between Government network and GCC for
Connectivity & • Inter-system communication
Security • Agency staff access to Intranet applications hosted on GCC using GSIB
• Provide connectivity for administration of systems from Government
network and Internet
• Provide compartments*, gateways and peering
• Allocation of private IP Addresses
*Compartments will be covered in greater detail in the hosting model section

5 Central Services • Provide a Central Log Storage Repository for Agency to pipe their System and
Event logs
• Perform monitoring for anomalies and malicious activities detected in
Agency CSP accounts
• Provide hardened Jumphosts into Agency’s compartments for remote
administration
• Perform monitoring for changes to Agency’s compartments, OS patch level
status and Jumphost vulnerabilities
6 Operational Support • Provide helpdesk support for incident reporting and resolution of GCC issues

GCCS Add-On Services
1 Compartment Allows raising SRs for compartments
2 Account Creation in CSP Required for administration of systems
Portal for
Administration
3 Additional Jumphost Allows Agencies to subscribe for additional Jumphost on top of the default
number provided in each customer network compartment

GCCS Value-Added Services
Covers the following scope*:
• Server performance and fault monitoring
Facilities Management Service • Log Monitoring
1 (Application, Database and Network • Backup and recovery
Server) • OS and Middleware Patch Management
• Network Configuration and administration
• Cloud resource Management
2 Monitoring of Web Defacement Provides website defacement monitoring

*Details on next slide

Facilities Management Service Scope
Scope Description
Server performance and fault To perform monitoring of Server capacity, performance and availability such
monitoring as utilisation of CPU/ RAM/ Diskspace, latency and heartbeat
Monitor log files generated by applications and devices/ appliances such as
Logs monitoring
servers, network and security for events and incidents.
Backup and recovery Setting up of the backup process and monitoring that the backup is running
OS and Middleware patch
Patching of Operating System and Middleware on monthly basis
management
Network configuration and
Administer and configure network services, appliances, polices and rules
administration
Administer and manage cloud services and resources deployed in Agency's
network compartments such as extraction of files and deployment of scripts
Cloud resource management to cloud services (e.g. SQS, SNS, S3, Lambda, CloudFront, etc). The
management does not include application scripting, application code review
and debugging service.
3. GCC Services Deep Dive

3a. Cloud Management
Portal (CMP)

Cloud Management Portal (CMP)
1 2 3 4
Allows agency to
subscribe and
manage GCC
Services
CMP Portal URL:

https://portal.gc 5 6 7 8
c.gov.sg

CMP Sitemap (1/2)
No. CMP Modules Description
1 Service Request List To view and approve service requests raised
2 User Management • To assign users with rights to perform the various roles in CMP
• To create and manage Cloud ID, VPN ID and Jump Host ID required for
administration of subscribed CSP services*
3 IaaS Management • To set up and manage CSP subscriptions, accounts, roles, compartments,
Jump Hosts
• Assignment of Jump Host IDs and VPN ID users
• To manage Cloud Service Provider account, compartment and Jump Host
4 Central Services (CS) To monitor OS patch level compliance of hosted VMs, and compartment
changes

CMP Sitemap (2/2)
No. CMP Modules Description
5 Report To access centralized report repository. Reports can be download in PDF and/or
CSV format.
6 Billing To manage billing account, reports and current cloud spending
7 Cloud Cost Monitoring To monitor cloud cost optimization and asset inventory
8 Service Management To raise support request and incidents pertaining to GCCS

CMP Roles
No Role Privileges & Permissions
1 Agency Manager (AM) Agency officer who approves requests from Agency Admin
2 Agency Admin (AA) Agency officer who requests for
• CSP account
• Assignment of WOG user for CMP roles to Tenant
• View report, dashboards, billing and current cloud spending
3 Cloud Admin (CA) Agency officer or Tenant FM personnel who raise SRs for
• Creation and assignment of Cloud ID, VPN ID and Jumphost ID
• CSP account, compartment and Jump Host
4 Security Incident Response Agency officer who can
Officer (SIRO) • View compliance reports
• Configure compliance policies
5 Finance Executive (FE) Agency officer who can view & download invoices and billing reports

Who can access which modules in CMP?
No Modules AM AA CA FE SIRO
1 Service Request List ✔ ✔ ✔ ✖ ✖
2 User Management ✔ ✔ ✔ ✖ ✖
3 IaaS Management ✔ ✔ ✔ ✖ ✖
4 Central Services ✔ ✔ ✔ ✖ ✔
5 Report ✔ ✔ ✖ ✖ ✖
6 Billing ✔ ✔ ✖ ✔ ✖
7a Service Management - Support request ✔ ✔ ✔ ✖ ✖
7b Service Management - Incident ✔ ✔ ✔ ✖ ✔

Which CMP roles can be undertaken by same
person?
Primary Roles
Role Agency Agency Finance
Cloud Admin SIRO
Manager Admin Executive
Agency Manager NA No No No No
Additional Roles
Agency Admin No NA Yes No No
Cloud Admin No Yes NA No No
SIRO No No No NA No
Finance Executive No No No No NA

3b. Administering
GCC Services and
CC Services

Differences between GCC and CC services
• GCC Services (GCCS) are services provided by GovTech
• All services mentioned in previous section are GCCS
• GCCS are subscribed through the Cloud Management Portal (CMP)
• Commercial Cloud (CC) Services are services provided by Cloud Service Providers (CSPs) like
AWS, Azure and Google
• CC Services are subscribed through the CSP’s portal

What is needed to access CMP
Device Network Accounts Additional software
GSIB One of the following: Both of the following: Nil
• Government Office Network • WOG User ID
• Government Remote Access • Azure Multifactor
(VPN) Authentication
GoMAX GoMAX VPN Both of the following: Nil

Device • WOG User ID
(e.g. IPAD) • Azure Multifactor
Authentication

• GSIB - Government Standard Image Build. Refers to standard PCs used by Government officers & contractors
• GoMAX – Service which provides access to Government Intranet services on approved tablets and mobile
devices
• WOG User ID – User IDs issued to Government officers & contractors to access Intranet services
What is needed to access CSP Portal
Device Network Accounts Additional software/license
GSIB One of the following: Both of the following: Nil
• Government Office Network • WOG User ID
• Government Remote Access • Azure Multifactor
(VPN) Authentication
Internet GCCS VPN over Internet Both of the following: One of the following:
Device • Cloud ID • Windows 10 Professional /
• VPN ID Enterprise version 1809 and above
• Azure MFA • OS X 10.5 Leopard and above
Both of the following:

• GCCS VPN Client
• Supported Antivirus (Refer to GCC
Customer Handbook Annex A)

Cloud ID, VPN ID and Jumphost ID
No
No TypeType Description Description License Required*
1 Cloud ID ID To subscribe and

Cloud To manage cloud
subscribe andresources
manageand
cloudAAD Premium
resources P2
and
services from Internet
servicesDevice
from Internet Device
2 VPNVPN
ID ID To connect to GCCS VPN from
To connect to Internet DeviceVPNAAD
Government Premium
from P2
Internet
to access to CSP and Jumphost
Device to access to CSP and Jumphost
3 Jumphost ID ID
Jumphost To access to Jumphost to to
To access perform remote
Jumphost Nil remote
to perform
administrationadministration
of workload of workload
* Agency to procure separately via MGLP

MGLP – Microsoft Government Licencing Programme
Administering VMs Hosted In CSPs
Admin from Internet
Internet
VMs are administered using Internet Device
through Jumphosts
Commercial Cloud
There are 2 types of
Jumphosts – Internet Internet Internet Internet
and Intranet Systems VM Jumphost
CSP GCC
The type of Jumphost Services Services
Intranet Intranet Intranet
used depends on
Systems VM Jumphost
where the Admin
connects from (i.e.
Internet or Intranet)
Both Jumphost types Government Network

can access Internet &
Intranet VMs
Admin from
Intranet
using GSIB
What is needed to access Jumphost
Device Network Accounts Software needed on Device
GSIB Government Office • Jumphost ID Teradici PCoIP client
Network • 2 Factor
Authentication
Internet Device GCCS VPN over Internet • VPN ID One of the following:
• Jumphost ID • Windows 10 Professional / Enterprise
• 2 Factor version 1809 and above
Authentication • OS X 10.5 Leopard and above
All of the following:

• GCC VPN Client
• Supported Antivirus
• Teradici PCoIP client

3c. Central Services

GCCS Central Services
Service Description of service
Central Log Provides repository for storage of Agency’s System and Event logs with 1 year
Storage retention period
Repository
Compliance Performs monitoring for changes to Agency’s compartments and OS patch level
Monitoring status for VMs
Jumphost Provides access to Internet or Intranet compartment
Jumphosts are patched and scanned for vulnerabilities monthly
CASB Monitors vulnerabilities and anomalies in administrative activities in Agencies’ CSP
accounts

Central Log Storage
Repository

Central Log Storage Repository (1/2)
• Agencies will be charged for the CSP’s services and resources
CSP Services Function Responsibility
AWS CloudTrail Captures events, audits logs in CSP account GCC’s contractor will pipe this to GCCS
Centralized Log Repository by default
CloudWatch Captures system logs for workload Agencies are required to install CloudWatch
agents and configure log group in
CloudWatch
S3 Bucket Provides Central Log Repository with 1 year retention for Agencies are to run an AWS CLI command to
Agencies to pipe their log files set log group subscription to GCCS
Centralized Log Repository
Azure Activity Logs Provides insight into subscription-level events that have GCC’s contractor will pipe this to GCCS
occurred in Azure Centralized Log Repository by default
Log Analytics • Capture system logs for workload Agencies are required to install Log Analytics
Workspace • Storing of logs in OMS Repository up to 30 days agents, create and configure Log Analytics
Workspace.
Azure Storage Provide Central Log Repository with 1 year retention for Agencies are required to raise SR to GCC’s
Agencies to pipe their log files Contractor to add custom log

Central Log Storage Repository (2/2)
• Agencies will be charged for the CSP’s services and resources
CSP Services Function Responsibility
GCP Cloud Audit GCP maintains three audit logs for each GCC’s contractor will pipe this to GCCS
Logs project (Admin Activity, Data Access & System Centralized Log Repository by default
Event). These logs answer the questions of
“who did what, where, and when” within GCP
resources
Cloud Logging Cloud logging includes storage for logs, a user Agencies are required to install log agents,
interface called logs viewer, and an API to create and configure Logs Router export sink.
manage logs programmatically. Logging lets
you read and write log entries, query your
logs, and control how you route your logs,
including creating export sinks and logs-based
metrics.
Cloud Storage Provides Central Log Repository with 1 year Agencies are required to raise SR to GCC’s
retention for Agencies to pipe their custom Contractor to add custom log
log files

Configuring Central Log Storage Repository
1 2 3 4
Subscribe & Install &
Setup Pipe Configure
CloudWatch custom log CloudWatch Access Logs
Log to S3 Agent & Log
Bucket
Raise SR to
Setup Log pipe Install &
Analytics custom log Configure Access Logs
Workspace to Azure Agent
Storage
Raise SR to
Setup pipe Install &
Stackdriver custom log Configure Access Logs
Logging Cloud Agent
Storage
1. Setup CloudWatch Log
Steps Description
1 Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2 In the navigation pane, choose Logs.
3 Choose Actions, Create log group.
4 Enter the log group (i.e. cwl-10001003-FlowLogs), and choose Create log group.
Recommended naming convention for LogGroup

i.e. cwl-<Compartment ID>-<Description>
cwl-10001003-FlowLogs

2. Pipe custom logs to Central Log Repository
Run the following command in aws cli to set subscription for the Log Group to GCCS Centralized
Log Repository.
Step Description
1 aws logs put-subscription-filter –log-group-name <<LogGroupName>> --filter-name
<<FilterName>> --filter-pattern <<FilterPattern>> --destination-arn
<<DestinationArn>>
Type Details
Definition of the LogGroupName: Log Group to be piped
variable FilterName: Create Filter Name to filter log
FilterPattern: Set Filter Pattern
DestinationArn: arn:aws:logs:ap-southeast-1:786657745590:destination:cwd-100002-
CentralLog-AllLogs
Example of aws cli aws logs put-subscription-filter –log-group-name “cwl-10001003-FlowLogs” –filter-
name “cwl-10001003-FlowLogs” –filter-pattern “ ” –destination-arn arn:aws:logs:ap-
southeast1:786657745590:destination:cwd-100002-CentralLog-AllLogs
3. Installation of CloudWatch Agent
Steps Description
1 Download the CloudWatch Agent package from AWS
2 Ensure the EC2 instances has IAM roles for CloudWatch Agent
3 Install the package on each EC2 instance

Supported Operating Systems
• Amazon Linux version 2014.03.02 or later • Ubuntu Server versions 18.04, 16.04, and 14.04
• Amazon Linux 2 • SE Linux Enterprise Server (SLES) 12 or later
• CentOS versions 6.5, 7.0 and 7.6 • SUSE Linux Enterprise Server (SLES) 12 or later
• Debian 8.0 • Windows Server 2008, 2012 2016 64-bit versions
• Red Hat Enterprise Linux (RHEL) version 6.5, 7.0,
7.2, 7.4 and 7.5

3. Configuration of CloudWatch Logs
Steps Installation Description
1 Configure CloudWatch Log from AWS Console
2 Configuration Parameter for awscli.conf
<region> - ap-southeast-1
3 Configuration Parameter for awslogs.conf
<file> - Directory of the folder to monitor file log (i.e. /var/log/messages or
D:/logs/messages)
<log_stream_name> - instance_id
<log_group_name> - i.e. cwl-10001003-FlowLogs
4 Restart the CloudWatch log services

4. Access Logs
To access respective logs in GCCS Centralized Log Repository, user would need to perform the
following steps:
Steps Description
1 Upon login to AWS Console using user’s GCC Account, switch Role to AWS Centralize Log Repository
Account using these credentials:
Account: gov-gcc-centralizelog
Role: iamr-U-<<Customer Account Name>>
Example:
Account: gov-gcc-centralizelog
Role: iamr-U-gcc1-aws-08-isk-aws-gcc
2 Access S3 with bucket name as sst-gcci-centralizelog-prod
3 Access Folder with user’s Agency name
4 User is able to view list of logs and download logs under the respective folder

1. Setup Log Analytic Workspace
Steps Description
1 Go to Log Analytics workspaces > Click +Add
2 Select “Create New” and Enter the Log Analytics Workspace Name (i.e
MyWorkSpace)
3 Select the Resource group and Location (Southeast Asia)
4 Go to the Log Analytics workspaces (MyWorkSpace) and click Advanced Settings
5 Go to Data and Select the logs that are required to pipe to Azure Storage

2. Pipe Custom Log to Azure Storage
Raise a support request to add Custom Log that will be piped to GCCS Centralized Log Repository.
Following information are required when raising the support request:
Steps Description
1 Provide the following information when raising the support request

• CSP
• Log Group Name
• Log Analytics Workspace Id
• Log Analytics Workspace Name
• Custom Log Name
• Custom Query (Optional)
2 GCC Contractor will setup to query the logs and pipe to GCCS Centralized Log
Repository.

3. Install Agent
To setup Log Analytic Agent in VM instance to pipe log to Azure Storage, follow the URL link
provided below
Virtual Machines URLs
Windows https://docs.microsoft.com/bs-cyrl-ba/azure/azure-
Computer monitor/learn/quick-collect-windows-computer
Linux Computer https://docs.microsoft.com/bs-cyrl-ba/azure/azure-
monitor/learn/quick-collect-linux-computer
Azure VMs https://docs.microsoft.com/bs-cyrl-ba/azure/azure-
monitor/learn/quick-collect-azurevm

4. Access Log
following steps:
Steps Description
1 Login to Azure portal with user’s GCCS Account.
2 Change Subscription to “GCCI CentralizeLog”. Go to Storage accounts.
3 Go to the storage account with Agencies tenant name e.g. sstgcclgcc1
4 Go to Containers.
5 Choose the subscription folder which user would like to access.
6 User is able to view list of logs and download logs in respective container.

1. Setup Stackdriver Logging
Steps Description
1 Go to Stackdriver logging and click Log Viewer
2 Select “Create Sink” and enter a sink name <logexp-<project-id>-<additional-

descriptive-name>
3 Under Sink Service, select “Custom Destination” from dropdown
4 Under Sink Destination, enter <storage.googleapis.com/<your-centralize-log-bucket-

name>
5 Go to Logs Router, select the sink created in step 2 and create the filter to determine
which logs to send to central logging

2. Pipe Custom log to GCP Cloud Storage
Raise a support request to add Custom Log that will be piped to GCCS Centralized Log Repository.
Following information are required when raising the support request:
Steps Description
1 Provide the following information when raising the support request

• CSP
• Compartment ID
• Log Tag
• Service Account
2 GCC Contractor will setup to query the logs and pipe to GCCS Centralized Log
Repository.

3. Install Agent
To setup Stackdriver Agent in VM instance to pipe log to Google Cloud Storage, follow the URL
link provided below
Virtual Machines Stackdriver agent
Windows https://dl.google.com/cloudagents/windows/StackdriverLogging-v1-
Computer 10.exe
Linux Computer https://dl.google.com/cloudagents/install-logging-agent.sh

4. Access Log
following steps:
Steps Description
1 Login to GCP portal with user’s GCCS Account.
2 Select project GCCI Centralize Log
3 Go to Storage. Select Browser.
4 Search for cloud storage buckets with user’s Agency Name. The name of the bucket
will follow this convention.
sst-gcci-<agency-name>-<project-id>
5 Select project-specific bucket which user would like to access.

Compliance Monitoring

Compliance Monitoring
No Type Description
1 Patch Checks for the following:
Monitoring a. Patch Level of VMs
b. Whether VM is isolated
Lists VM instances that are not scanned due to the following issues:
• Agent is not installed
• Incorrect permission
• Instance has stopped working
2 Compartment Detects any changes in network compartment configurations that does not comply to GCCS
Changes policy
CSPs Network compartment configurations
AWS Network ACLs (NACL)
Route Table
Azure Network Security Group (NSG)
User Defined Routing
GCP Firewall Rule
Route Table
Patch Monitoring Agents (1/2)
Agencies are required to install the following agents on their VM instances in order for Patch
Monitoring service to monitor the VM instance patch status
CSP Agent details
AWS Agent Required: SSM Agent
Refer to below link the setup of SSM agent:

Windows: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-
win.html
Linux: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-
agent-install.html
Azure Agent Required: Security Center Agent
Refer to below link the setup of Security Center agent:

https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-vm-agent

Patch Monitoring Agents (2/2)
Agencies are required to install the following agents on their VM instances in order for Patch
Monitoring service to monitor the VM instance patch status
CSP Agent details
GCP Agent Required: Google Fluentd
Refer to below link the setup of Google Fluentd :

https://cloud.google.com/logging/docs/agent/installation#agent-install-windows

Patch Monitoring Status (1/2)
To view the Patch

status for click on the
action button

Patch Monitoring Status (2/2)
Displays the list of

missing patches

Compartment Change Status (1/2)
View the
Compartment Change
status for AWS, Azure
& GCP, click on the
action button

Compartment Change Status (2/2)
Details of the change

will be displayed
under the Remarks
section.

3d. Reports

GCCS Report Types & Location
• There are 2 type of reports: Regular Report and Ad-Hoc Report
• Regular Report - Generated for each month and will be available for download on the first
day of each month
• Ad-Hoc Report - Generated on-demand by agency. Agency can see the data within their
tenant from the first of the month to the generated date
• Published in a centralised report repository where agency can download the reports in PDF
and/or CSV format

GCCS Reports List (1/3)
No Report name Description Who can Report
access Type
1 Azure Active Directory (AD) List of Cloud ID and VPN ID licenses purchased by
License Allocation Agencies
2 Access Management List of credentials with access to the CMP, CSP,
VPN and Jumphosts
3 Assets List of CSP services subscribed
Azure AD Deleted Groups in Past List of Azure AD group(s) deleted Regular
4 • AM
30 Days &
• AA
Azure AD Deleted Users in Past List of Azure AD user(s) deleted Ad-hoc
5
30 Days
6 Azure AD Disabled Users in Past List of Azure AD user(s) disabled
30 Days
7 Azure AD Group Information List of Azure AD groups
Summary

access Type
8 Azure AD Group Member List List of Azure AD user(s) assigned to each group
9 Azure AD Inactive Accounts in List of inactive Azure AD user(s)

Past 30 Days
10 Azure AD New Groups in Past 30 List of new Azure AD group(s) created
Days Regular
• AM
11 Azure AD New Users in Past 30 List of new Azure AD user(s) created &
• AA
Days Ad-hoc
12 Azure AD Object Changes in Past Information on changes of Azure AD Object (e.g.
30 Days Azure AD New Users List)
13 Azure AD Subscriber List List of WOG IDs and Cloud IDs in Azure AD
14 Azure MFA Failure Report Details of MFA login failures for Azure AD accounts

WOG ID – Credentials used by Government officers and contractors to authenticate to Government Intranet
services
access Type
15 Azure MFA Statistics Summary of MFA logins of Azure AD accounts
16 Azure MFA Success Report Details of successful MFA logins for Azure AD
Regular
accounts • AM
&
17 Customer Adoption Information on newly created projects for the • AA
Ad-hoc
month
18 Jumphost Availability Report Information on GCC provisioned Jumphosts
uptime

How to Access Reports in CMP
1
1. Go to Report >
Regular Report or
Ad Hoc Report
2. Select PDF or CSV

to export the
report under the 2
Action column

3e. Service Management
(Support Request)

Support Requests
• Support Requests are those that are manually fulfilled by GCCS Contractor. The expected
fulfilment time will be within two (2) working days.
• The working hours are Mondays to Fridays from 08:00 AM to 06:00 PM SGT (Excluding
Weekend and Public Holidays)
• For Request with / without approval, approval / submission outside of the working hours
shall be deemed as having been received by the GCCS Contractor at 8:00am on the next
Working Day

Examples of Support Requests Raised by
Agency Admin
S/N Category Support Requests Description
1 CSP Policy • Create CSP Policy Refers to CSP Security Policy which is
Management • Edit CSP Policy baselined in GCC
• Delete CSP Policy
Agencies can use these requests to
manage their own Security Policies on
top of the baseline

Examples of Support Requests Raised by
Cloud Admin
S/N Category Support Requests Description
1 CSP Account / • Terminate CSP Account / To terminate CSP Billing Accounts
Subscription / Subscription / Project
Project
2 Compartment • Increase Compartment Quantity To increase CSP soft limits, eg. EC2
Limit limits for AWS
3 VPC Compartment • Create VPC Endpoint To create and delete Service
Endpoints (AWS) • Delete VPC Endpoint Endpoints in AWS
4 VPC Compartment • Create Peering Connection To create and delete Compartment
Peering • Delete Peering Connection Peering

Support Requests Roles and Permissions
Module/ Services Agency Manager Agency Admin Cloud Admin
Support Request Management
Create Support Request ✖ ✔ ✔
Approve Support Request ✔ ✔

✖
(where raised by AA) (where raised by CA)
View Support Request

✔ ✔ ✔
Update Support Request ✔ ✔ ✔

Create Support Request (1/4)
To create Support
Request, Click Service
Management in CMP

Click on Support
Request > Support
Request for CA or AA

Select the Support

Request type and click
Create
Fill in the required

fields before
submission.
The fields may vary

based depends on the
Support Request type
chosen.

Support Request will

be created.
Requester can add

comments or cancel
the ticket before it is
approved

Approving Support Request (1/3)
Agency Manager or
Agency Admin can
approve the Support
Request by clicking on
the Requests >
Approvals

1. Under the
Approvals
section, click on
the “Waiting for
my approval”
dropdown list
2. Select the request

to be approved

Details of the Request

will be displayed
Click on the ‘Approve’

icon to approve or
“Reject” icon to reject
the selected Request

3f. Guides and Support

GCCS Customer Handbook
Description Location
Provides information on GCC Services (GCCS) and processes as • CMP Portal
follows: • GCCS Bulk Tender Website
• Cloud Management Portal (CMP)
• Central Services
• Reports
• Service Management (Support Request)
• CSP Support Plan Subscription
• Service Levels
• Billing for GCCS and CSP Services
• GCCS Hosting Model
• Tenant Lifecycle Process

GCC Support Channels
Description Support On Who can raise Details
GCCS Queries or Issues on • Agency Manager • Raise Incident in Cloud
Incident GCCS Services • Agency Admin Management Portal
Reporting • Cloud Admin • Email: gccsupport@xtremax.com
• Hotline: 6778 4985 ext. 6
• Hours: 24 x 7
GCCS Billing Queries or Issues on • Agency Manager Email: gccbilling@xtremax.com
GCCS Billing • Agency Admin
• Finance Executive
CSP Incident • Queries or Issues on • Cloud Admin Agencies have to subscribe to
Reporting CSP Services respective CSP Support Plans to
• To raise CSP Service request for technical support through
Limits respective CSP Portals
(Compartments, VM
and etc).

How to Raise Incident for GCCS & CSP
GCCS CMP AWS* Azure* GCP*
• Agency Manger / • Cloud Admin access • Cloud Admin access • Cloud Admin access
Agency Admin / Cloud the AWS Console the Azure Console the GCP Console
Admin access the • Click on Tab Support
GCCS Cloud • Click on Support > • Click on “Help + > Cases
Management Portal Support Center Support”
• To raise incident, click

on “Service • To raise incident,
Management” > • To raise incident, click on “New
“Incident Request” click on “Create support request” • To raise incident,
case” click on “Create
Case”
* Agencies have to subscribe to respective CSP Support Plans to request for technical support through their CSP Portals
3g. CSP Support Plan
Subscription

AWS Support Plan Subscription
• GovTech has established an Enterprise Agreement with AWS, with GovTech holding the Payer
Account and Agencies are Linked Accounts
• This is called the AWS ES Pooled Plan
• No actions are required from Agencies to be on the AWS Enterprise Support Pooled Plan
GCCS
Account
Enterprise Plan
Agency 1 Agency 1 Agency 2 Agency 2 Agency 2

CSP Account 1 CSP Account 2 CSP Account 3 CSP Account 4 CSP Account 5
Enterprise Plan Enterprise Plan Enterprise Plan Enterprise Plan Enterprise Plan
All Agencies will be on AWS Enterprise Support Pooled Plan at no charge to Agencies

Azure Support Plan Subscription
• GCCS subscribes to Pro Direct Plan and all Agencies’ CSP accounts are covered under this plan
by default
• If Agency requires a higher level support, they may choose Premier support plan from MGLP
website
GCCS
Account
Pro Direct Plan
Agency 1 Agency 1 Agency 2 Agency 2 Agency 2

CSP Account 1 CSP Account 2 CSP Account 3 CSP Account 4 CSP Account 5
Premier Plan Pro Direct Plan Premier Plan Pro Direct Plan Premier Plan
Agency need only subscribe to higher support plan if they require it

GCP Support Plan Subscription
• Google has offered to provide GCCS with Enterprise Support Plan.
• All Agencies’ CSP accounts will automatically be covered under the Enterprise Support Plan
until 10 Jun 2021 – free of charge.
GCCS
Account
Enterprise
Agency 1 Agency 1 Agency 2 Agency 2

CSP Account 1 CSP Account 2 CSP Account 3 CSP Account 4
Enterprise Enterprise Enterprise Enterprise
Agency are covered under Enterprise Support Plan till 10 Jan 2021

3h. Service Levels

GCCS - Service Availability
S/N Items Target
1 Cloud Management Portal 99.5% monthly
2 Cloud Access Security Broker 99.5% monthly
3 Identity and Authentication Services 99.5% monthly
4 GCC-Network 99.5% monthly

GCCS - Incident Resolution
Priority Description Expected Expected
Response Time Resolution Time
1 • Unavailability of any component of the GCCS Network Within 15 Within 2 hours
and GCCS-Identity and Authentication Services; or minutes
• Security breach on any part of GCCS
2 • Unavailability of any component of the GCCS Cloud Within 30 Within 4 hours
Management Portal, GCCS-Central Services and M365 minutes
• Security Infrastructure signatures are found to be
outdated by more than 3 days from the latest release
3 • Failure of a GCCS component which does not affect Within 1 hour Within 8 hours
the normal performance of any system or service; or
• Report of unsuccessful attempt to violate information
security or report of unconfirmed security alert or
issue

3i. Billing for GCCS
and CSP Services

Billing Workflow
Charging will commence Agency’s Validation GCCS Contractor to Agency to make
upon: issue invoice to payment to GCCS
Period based on billing Agency Contractor
• Subscription of GCCS report download from
base or CSP services CMP Portal (Within 18 calendar (Within 30 calendar
• Completion of Add-On (5 calendar days)
days after the end days upon receipt of
/ Value-Added Services of each month) the invoice)
Illustration:
• Billing report will be
issue by 8th of every
GCCS Contractor
Service Consumption Period calendar month Agency to make
will issue the
01 Apr 2019 and 30 Apr (e.g. 8 May 2019) payment by 17 Jun
Invoice by 18 May
2019 • Agency are to validate 2019
2019
between 8 and 12
May 2019
Notes:
1. GCCS Contractor will perform the billing to Agency for GCCS and CSP services
2. 1 invoice will be issued per CMP billing account
3. Billing reports are available on CMP portal
CMP – Billing Report Download (1/2)
CMP Portal URL:

https://portal.gcc.gov.
sg
1. Click on Billing tile 1

CMP – Billing Report Download (2/2)
2. Select ‘Billing Report’

2
3. Download report in
*.PDF or *.XLS under
‘Acton’

CMP – Cloud Spending
Agencies can view the

current cost usage for
AWS, Azure and GCP

AWS Account Default Charges (1/2)
Agency will be charged the following CSP services after Account Creation
S/N Services Purpose
1 CloudTrail Collect AWS Account and Compartment activity log data
2 Athena Generate Access Management report
• Daily cron job to check EC2 compartment change and patch level
3 CloudWatch • Cloudtrail Log Group
• Cloudtrail Log Group subscription filter
4 Guard Duty Enable GuardDuty service
• Evaluate Compartment changes against the defined baseline
• Forward Compartment change to centralized logs
5 Lambda
• Check EC2 patch level
• Forward patch level to centralized logs
• Store Cloudtrail logs
6 S3 • Store AWS Config logs
• Data transfer cost for logs
7 AWSStepFunctions Evaluate Compartment changes against the defined baseline
AWS Account Default Charges (2/2)
8 AWS Config Cloudtrail Log Group subscription filter
9 SNS Send notification after the patch level checking is completed
Key Management
10 Cost Saving Checking from CloudCheckr
Service
11 DynamoDB Cost Saving Checking from CloudCheckr
12 IoT Cost Saving Checking from CloudCheckr
13 SQS Cost Saving Checking from CloudCheckr

Azure Account Default Charges
No Services Purpose
1 Operation Insights • Collect and analyse Azure Activity log data
2 Security Send monitoring data to CS Patch monitoring
GCP Account Default Charges

No Services Purpose
1 Stackdriver Logging • Forward Compartment flowlogs and Audit log to
centralized logs
• Forward Compartment change to centralized logs
• Forward patch level to centralized logs
AWS Compartment Default Charges
Agency will be charged the following CSP services after Compartment Creation
1 AWS Config Evaluate Compartment changes against the defined baseline
2 AWS Data Transfer Central Logs Repository transfer charges
3 Virtual Private Cloud Data transfer for network
AWS Transit Gateway Attachment Data

4 Gateway Attachment for Type 1, 2 & 3 Compartment
Transfer and Usage Period
CloudWatch Log group for Type 1, 2 and 3 Compartment

• Jump Host Application, Security, System, Symantec AV Log
5 CloudWatch
• Teradici Log
• VPC Flow log
Elastic Compute Cloud and Elastic Block

6 Internet & Intranet Jump Host for Type 1, 2 & 3 Compartment
Storage

Azure Compartment Default Charges
No Services Purpose
1 Compute • Internet & Intranet Jump Host for Type 1, 2 and 3
Compartment
• Data transfer for network
GCP Compartment Default Charges

No Services Purpose
1 Compute Engine • Internet & Intranet Jump Host for Type 1, 2 and 3
Compartment
• Data transfer for network

Agency Billing Report Sample

Agency Invoice Sample

4. GCC Hosting Considerations

GCC Hosting Considerations
In this section, we will cover:
• Type of Network Compartments
• IP address allocation
• Network connectivity
• GCC System with Integration to GPC SFTP Service
• DNS Lookups
• Using SG-Mail AMR for Intranet systems

The Four Types of Network Compartments
CSP
Compartment Compartment Compartment Compartment

IGW IGW
NAT
Jumphosts Jumphosts Jumphosts

Cloud VGW Cloud VGW Cloud VGW
Admin Admin Admin
Subnet Subnet Subnet
Type 0: Management Type 1: Internet & Type 2: Internet only Type 3: Intranet only
Intranet

Type 0: Management System
LEGEND
Provisioned by GCCS
Provisioned by Agencies

Type 1: Internet/Intranet System
Public Officer access Agency
CSP Internet services from
Compartment Internet using application’s
authentication system
Web Internet Device

Web
Type 1 Subnet Subnet
Compartment
(Intranet & App App IGW
Internet) Subnet Subnet
DB
WWW
VGW DB NAT
Subnet Subnet
Gateway
Subnet Intranet Internet
JH Internet Device
JH AD
Cloud Cloud Mgmt System Administrators to
use AAD Premium P2, VPN,
Admin Intranet Admin Internet Subnet Posture Check and 2FA for
Subnet Jumphost Subnet Jumphost access to Jumphost for
workload administration

Type 2: Internet only System

Type 3: Intranet only System
GSIB Device
Public Officer access Agency

Intranet services from
Intranet

Compartment Terminology used by CSPs
GCCS term AWS term Azure term GCP term

Compartment Virtual Private Cloud Virtual Network (VNET) Virtual Private Cloud
(VPC) (VPC)
Virtual Gateway Virtual Gateway (VGW) Virtual Network Gateway Cloud VPN Gateway
(VGW) - VPN Cloud Router
- ExpressRoute
Internet Gateway Internet Gateway (IGW) Internet route Default-internet-gateway
(IGW) route
Network Translation Network Translation Virtual Network NAT Cloud NAT

Gateway (NAT) Gateway (NAT)

IP Range Allocation per Network Compartment
Compartment Estimated No. of NetMask Usable IPs
Sizes* Virtual Devices
Small (S) <= 27 /27 27
Medium (M) > 27 to <= 59 /26 59
Large (L) > 59 to <= 123 /25 123
Extra-Large (XL) > 123 to <= 251 /24 251
Note : 5 IPs will be reserved per compartment (First 4 and the last IP addresses)
*Agency needs to select the Compartment Size during CSP on-boarding
Agency that require smaller NetMask (i.e. /23, /22 or /21) are required to seek GovTech approval
before raising Support Request in CMP.

Network Connectivity
Private Link
Private Link
Private Link
Cloud
• The Government Enterprise
Exchange Network(GEN) is connected to
GCC the Government Commercial
Clouds using Private Link and
CLZ
Gateway GDC
the Cloud Exchange
Internet Server
Remote User GNOC • The Cloud Landing Zone(CLZ)

using SG-VPN Agency User
via GOMAX
GPC provides a gateway for traffic to
Virtual
Machine
be routed between GEN and
GMNET BMNET GCC
Agency
Biz Partner
Office User using GSIB GEN

Firewall Overview
GNOC Firewalls(FW)
-ManagedbySGCORE(viaSGCOREServiceRequest)
Agency s
Agency s Agency s
Compartment
Compartment Compartment
Agency s or Biz Partner s FW
-ManagedbyAgencyorBizPartnerrespectively
End Point Protection(EPP) FW in GSIB Laptop

Cloud -ManagedbySG-EndPointProtection(SG-EPP)
Exchange
Government Data Centre(GDC) FW
-ManagedbyGDCCFM(viaITSMServiceRequest)
CLZ
Gateway GDC
DMZ FW Government Private Cloud(GPC) FW
Internet Server -ManagedbyGPCCFM(viaGPCServiceRequest)
CLZ FW
BMNET
Remote User FW Government Commercial Cloud(GCC) FW
using SG-VPN Agency User
via GOMAX GNOC GPC AWS-ApplianceFW,NetworkAccessControlList(NACL),SecurityGroup(SG)
AZURE-ApplianceFW,NetworkSecurityGroup(NSG)
Virtual
Google Cloud-ApplianceFW,GoogleFWRules
Machine -ManagedbyGCCcontractor (viaCMPServiceRequest)
GMNET BMNET
Agency s FW @GCC
Agency AWS-ApplianceFW,NetworkAccessControlList(NACL),SecurityGroup(SG)
Biz Partner AZURE-ApplianceFW,NetworkSecurityGroup(NSG)
Google Cloud-ApplianceFW,GoogleFWRules
Office User using GSIB -ManagedbyAgency

Traffic Flow between GEN and GCC
Agency A s Agency B s Agency B s Agency C s Agency D s Agency D s Agency E s Agency F s Agency F s
• Traffic from GEN (eg,
Compartment 1 Compartment 1 Compartment 2 Compartment 1 Compartment 1 Compartment 2 Compartment 1 Compartment 1 Compartment 2
Agency, GDC, GPC) to
GCC is via CLZ
GCC Transit
Hub Gateway
GCC Transit
Hub Gateway
GCC Transit
Hub Gateway
Gateway
Cloud • Traffic from GCC

Exchange compartments in each
clouds traversing to
CLZ
DMZ FW
Gateway GDC
GEN is via the Transit
Internet CLZ FW
Server Hub Gateway
Remote User
using SG-VPN
Agency User GNOC
•
GPC
via GOMAX BMNET FW
Virtual Firewalls need to be
Machine
GMNET BMNET
whitelisted for end-to-
end communications
Agency
Biz Partner
Office User using GSIB

Firewall Matrix – GEN to GCC
To GCC (AWS) Agency's GCC (AZURE) Agency's GCC (Google Cloud)
From Subnets Subnets Agency's Subnets
EPP FW@GSIB EPP FW@GSIB EPP FW@GSIB
Agency's FW@Agency Agency's FW@Agency Agency's FW@Agency
Agency in GMNET
CLZ FW@GNOC CLZ FW@GNOC CLZ FW@GNOC
Agency's FW@AWS Agency's FW@Azure Agency's FW@Google Cloud
Biz Partner's FW Biz Partner's FW Biz Partner's FW
Business Partner in
BMNET FW@GNOC BMNET FW@GNOC BMNET FW@GNOC
BMNET
(incl. G-Cloud) Agency's FW@AWS Agency's FW@Azure Agency's FW@Google Cloud
GPC FW GPC FW GPC FW
Government Private
Cloud (GPC) Agency's FW@AWS Agency's FW@Azure Agency's FW@Google Cloud
GDC FW GDC FW GDC FW
Government Data
Centre (GDC) Agency's FW@AWS Agency's FW@Azure Agency's FW@Google Cloud
DMZ FW@GNOC DMZ FW@GNOC DMZ FW@GNOC
SG-VPN / GOMAX CLZ FW@GNOC CLZ FW@GNOC CLZ FW@GNOC
Agency's FW@AWS Agency's FW@Azure Agency's FW@Google Cloud

GPC SFTP Service for GCC Systems
• Agencies can subscribe to Government Private Cloud’s (GPC) Public and Intranet SFTP Service
to perform small file transfers (up to 2GB per file) between their systems and systems hosted
outside GCC
Procedure
• Agencies that have not previously onboarded to GPC must first do so
• Agencies already onboarded to GPC can register a new system under “co-location” in the GPC
Self-Service Portal (SSP)
• Thereafter subscribe to the GPC SFTP service in the GPC SSP under this new “co-location”
system for your GCC system to consume

GPC SFTP for GCC Internet Application Systems
Scenarios Standalone Public Package
2
No File exchange with
External Internet Application
1 Internet Application system System e.g. Bank System in GCC
hosted in GPC, GDC2 or GDC3 SFTP SFTP
Client Client
2 Internet Application system
hosted in GCC
SFTP (Public) SFTP (Internet) SFTP (Intranet)

Server Server Server
GPC
SFTP
1 Client
Internet Application
System in GPC, GDC2,
GDC3

GPC SFTP for GCC Internet Application Systems
Scenarios Public-Intranet Package
No File exchange with 2
Internet Application Intranet Application
1 Intranet Application system hosted System in GCC System in GCC
in GPC, GDC2, GDC3 or Agency SFTP SFTP
Datacenter Client Client
2 Intranet Application system hosted

in GCC
GPC
SFTP
1 Client
Intranet Application
System in GPC, GDC2,
GDC3, Agency Datacenter

GPC SFTP for GCC Intranet Application Systems
Scenarios Standalone Intranet Package
No File exchange with Intranet Application Intranet Application
1 Intranet Application system hosted System A in GCC System B in GCC
in GPC, GDC2, GDC3 or Agency SFTP SFTP
Client Client
Datacenter

GPC
SFTP SFTP
1 Client Client1
Intranet Application Intranet Application
System A in GPC, System B in GPC,
GDC2, GDC3, Agency GDC2, GDC3, Agency
Datacenter Datacenter

GPC SFTP for GCC Intranet Application Systems
Scenarios Internet-Intranet Package
No File exchange with Intranet Application
1 Intranet Application system hosted System in GCC
in GPC, GDC2, GDC3 or Agency SFTP
Client
Datacenter
2 Internet Application system hosted
in GPC, GDC2 or GDC3 SFTP (Internet)
SFTP (Public) SFTP (Intranet)
GPC
SFTP SFTP
2 Internet
Client 1 Client
Intranet Application
Application System System in GPC, GDC2,
in GPC, GDC2, GDC3 GDC3, Agency Datacenter

DNS Lookup Service
No Type DNS Lookup Service Compartment
1 Internet System CSP DNS Service (Default) Type 1 or 2 compartments
CSP DNS
VM
Service
No Type DNS Lookup Service Compartment

2 Intranet System 1) Proj DNS Type 1 or 3 compartments
2) GCCS DNS Forwarder
Proj GCCS DNS
VM
DNS Forwarder
LEGEND
Provisioned by Agencies Provided by GCC Provided by CSP

SG-Mail AMR SMTP Service for Intranet Systems
• Agencies must subscribe to SG-Mail AMR Service for SMTP Gateway service for
Intranet systems
• Agencies can subscribe SG-Mail AMR Service by raising a Purchase Order and submit
to GeBiz

SG-Mail AMR SMTP Service for Intranet Systems
Agencies who:
• Subscribe to
Type 1 or 3
compartments
• Subscribe to SG-
Mail AMR
Services

5. Tenant Lifecycle Process

Tenant Lifecycle Process
Onboarding Setup/Testing/Go-Live Operation
• Agency Onboarding • System Setup • To appoint FM to manage

• To get Agency Manager & Agency System
Agency Admin account • System Testing
• To get connectivity to CMP
• To commerce handover to
• To create CMP billing account
• System Go-Live appointed FM 2 to 4 weeks
• CMP Onboarding prior to start of system
• To assign roles in CMP operation
• To setup Multi Factor
Authentication (MFA)
• CSP Onboarding
• To create CSP billing account
• To access to CSP Portal and
Jumphost

Agency On-boarding

Agency On-boarding Process
This is a one-time process for Agency to onboard to GCCS
Step Action
1. Submit the completed GCCS Onboarding form to GCCSUPPORT@xtremax.com and cc
GCC_Operations@tech.gov.sg to create 1x Agency Manager and 1x Agency Admin
account
2. Submit Service Requests in WOG ITSM for
a. Opening of Agencies LAN Firewall Rules (Agency Firewall Rules Service Request)
b. Deploying SG-Surf Proxy PAC file (SG-Surf Proxy PAC Service Request)
c. Configure Proxy Settings on the endpoints (Base Service Request for Group Policy
Object)
d. Agencies using their own Proxy PAC (SG-Surf’s Service Request)
3. Test accessibility to GCCS Portals
4. Create new CMP billing account

Test accessibility to GCCS Portals (1/3)
To test connectivity, access This is the outcome

the following URLs via GSIB
1) Cloud Management
Portal (CMP)
https://portal.gcc.gov.sg

2) Microsoft myapps
It allows Agencies to access

the supported Cloud Service
Provider (CSP)
https://myapps.microsoft.com

3) GCCS Authentication
To test if the Agency has

applied the correct firewall
rules for authentication,
Agencies are to test their
connectivity, for
authentication using web
browser by accessing
https://sts.gcc.gov.sg/adfs/ls/
idpinitiatedsignon

Create New CMP Billing Account (1/2)
Go to Services - 1
Billing
1. Click on CMP
Billing Account
2. Click on 2
“+Create”

Create New CMP Billing Account (2/2)
3. Key in Name
3
4. Select the
Department 4
5. Click on
Request
Service Request will

be routed to AA for
approval
5

CMP On-boarding

CMP On-boarding Process (1/2)
• AM & AA created in Agency onboarding step will now assign personnel for the CMP roles
(AM, AA, CA, FE and SIRO role). Assigned personnel require Government Active Directory
accounts
GCCS Cloud Management Portal Administer via GSIB

User Management
1a 1b
AA assigns users to CMP Role User sets up MFA to access CMP

CMP On-boarding Process (2/2)
Steps Description Things to take Note
1a Agency Admin (AA) assigns users to CMP roles • Agency Manager (AM) and AA are onboarded to
CMP via the GCCS Onboarding form submitted by
Agency
1b User sets up MFA to access CMP • Must use GSIB or GoMAX device to access CMP
• SE2 users are to use GoMAX devices or provision
a GSIB without SE2 to access CMP
• Access to CMP will require MFA to be setup

1a. Assign role to WOG user (1/2)
1
Go to User
Management and
Click on WOG User
1. Search for WOG

User
2. Click the Action

Button for
Selected WOG 2
user

1a. Assign role to WOG user (2/2)
3. Assign Role for

WOG user by
clicking on
Role(s) to be
assigned
4. Click on Request
Service Request will

be routed to AM for
approval 3
4

1b. Setup MFA (1/3)
Using Internet Explorer

or Chrome browser on
GSIB or Safari on
GoMax
Login to CMP URL

https://portal.gcc.gov.s 1
g

1b. Setup MFA (2/3)
It will redirect to
ADFS(Active
Directory Federation
Service) Page to
setup MFA code.
2
2. Select “Mobile
app” 3
3. Select either one
4. Click Set up
4

1b. Setup MFA (3/3)
5
Download and
Launch Microsoft
Authenticator App 6
5. Click + Add 7
account
6. Select “work
account”
7. Scan the QR
code appear on
ADFS Page

CSP On-boarding

CSP Onboarding Process Flow (Internet Device)
GCCS Cloud Management Portal
User Management IaaS Management
1
AA creates CSP Billing
account. Assigns CA to CSP
Billing account
2
CA creates CSP
3 Agency procures Microsoft AAD Premium P2
Compartment & Jumphost License For Internet Device
4a 4b 4c Administer via Internet Device

CA creates Cloud ID CA assigns Cloud ID user to User sets up Cloud
user CSP Billing account ID password
5a CA creates VPN ID 5c 5d User sets up Cloud
5b CA assigns VPN ID user to User sets up VPN & 4d
ID password & MFA
user CSP Billing Account updates Antivirus
to access CSP portal
6a 6c User sets up 6dUser access Jumphost
CA creates Jumphost 6bCA assigns Jumphost ID user Jumphost ID
to administer
ID user to CSP Billing Account password & MFA.
workload in CSP
Install PCoIP
CSP Onboarding Process for Internet Device (1/3)
1 a) AA creates CSP Billing account. Assigns • Access CMP using GSIB without SE2 or GoMAX device
CA to CSP Billing account • Agency is required to add CA to WOG AD Security
Group “<AgencyCode>-USR-CSPCloudAdmin-GG” in
order to access CSP Portal
• CA is to use WOG ID to access to CSP Portal and set up
MFA if using GSIB (Non-SE2). CA is to use Cloud ID if
using Internet Device (See step 5d)
2 CA creates CSP Compartment & Jumphost • CSP default compartment soft limit is 5. To increase,
agency would need to raise support ticket to CSP
• To login to Jumphost, user needs to use their Jumphost
ID
3 Agency procures Microsoft AAD Premium P2 • Agency is to procure the Microsoft AAD Premium P2
license for Internet Device license prior to creation of Cloud ID and VPN ID

4 a) CA creates Cloud ID user • Procurement of Microsoft AAD Premium P2 license

b) CA assigns Cloud ID user to CSP Billing is required before performing Cloud ID creation
account • Cloud ID user will receive an email to setup the
c) User sets up Cloud ID password Cloud ID password
• Setup of Cloud ID user password is to be performed
within 24 hours upon receiving the email with the
password link and has to complete within 15
minutes
5 a) CA creates VPN ID user • Procurement of Microsoft AAD Premium P2 license
b) CA assigns VPN ID user to CSP Billing is required before performing VPN ID creation
Account • VPN Internet Device enrolment activation requires
c) User enrols Internet Device, sets up VPN lead time of 2 working days (Microsoft’s backend
& updates Antivirus process)
d) User sets up Cloud ID password & MFA
to access CSP portal

6 a) CA creates Jumphost ID user • Jumphost ID is required to access Jumphost
b) CA assigns Jumphost ID user to CSP Billing • User needs to set up MFA for Jumphost
Account • To install PCOIP on Internet Device, follow the link
c) User sets up Jumphost ID password & MFA. in the notification email set to set up Jumphost
Install PCOIP
d) User access Jumphost to administer
workload in CSP

CSP Onboarding Process Flow (GSIB)
GCCS Cloud Management Portal Administer via GSIB (Non-SE2)

User Management IaaS Management
1a 1b 1c
AA creates CSP Billing Ageny adds CA to Cloud Admin (using
account. Assigns CA to CSP WOG AD Security WOG ID) access to CSP
Billing account Group Portal & sets up MFA
2
CA creates CSP
Compartment & Jumphost
Administer via GSIB (Non-SE2)
3d 3e
3a 3b User sets up User access
CA creates Jumphost CA assigns Jumphost ID user Jumphost ID Jumphost to
ID user to CSP Billing Account password & MFA. administer
Install PCoIP workload in CSP

CSP Onboarding Process for GSIB (1/2)
1 a) AA creates CSP Billing account. Assigns • Access CMP using GSIB without SE2 or GoMAX device
CA to CSP Billing account • Agency is required to add CA to WOG AD Security
b) Agency adds CA to WOG AD Security Group “<AgencyCode>-USR-CSPCloudAdmin-GG” in
Group order to access CSP Portal
c) Cloud Admin (using WOG ID) access to • CA is to use WOG ID to access to CSP Portal and set up
CSP Portal & sets up MFA [Note step 1c MFA if using GSIB (Non-SE2).
for GSIB (Non-SE2)]
2 CA creates CSP Compartment & Jumphost • CSP default compartment soft limit is 5. To increase,
agency would need to raise support ticket to CSP
• To login to Jumphost, user needs to use their Jumphost
ID

CSP Onboarding Process for GSIB (2/2)
3 a) CA creates Jumphost ID user • Jumphost ID is required to access Jumphost
b) CA assigns Jumphost ID user to CSP Billing • User needs to set up MFA for Jumphost
Account • To install PCOIP on GSIB:
c) User sets up Jumphost ID password & MFA. • Submits ITSM SR to ATFM to deploy PCoIP
Install PCOIP tools by providing WOG ID and GSIB
d) User access Jumphost to administer Computer Name
workload in CSP • Submit “Configure Firewalls for GSIB
Workstation to access GCC” SR in ITSM
which will open
• Agency Firewall
• CLZ firewall
• EPP (Whitelist of PCoIP)

Create New CSP Billing Account (1/2)
Go to Services – IaaS
Management, Click on
either AWS or Azure >
Account
1. Key in Billing
Account Name
2. Key in CSP Billing 1

Account Email
2
3. Choose existing 3
CMP Billing
Account
4. Enter the Monthly 4

Financial Alert Limit

Create New CSP Billing Account (2/2)
5. Key in Alert Recipient
6. Select Data Sensitivity 5

(Sensitive High, Sensitive
Low, No Sensitive) 6
7. Select Data Classification 7

(Official Open, Official
Close, Restricted)
8. Enter the Existing

Environment Platform
information 8
9. Click on Request
Service Request will be 9

routed to AM for approval
CMP Billing Acct Linked to CSP Billing Acct
After Service
Request has been
approved by AM,
CSP Billing Account
will be displayed as
“Active” under CMP
Billing Account.

User assigned to CSP Billing Account (AWS)
Go to Services > IaaS

Management > AWS 1
1. Click on User
2. User List will

display the users
and roles
assigned to
manage the
respective CSP
2
billing account(s)

User assigned to CSP Billing Account (Azure)
Go to Services >
IaaS Management >
Azure
1. Click on
Subscriber
2. Subscriber List
will display the
Name,
WOG/Cloud ID
1
and Role of
2
Subscriber.

Compartment provisioned in CSP Billing Account
Management >
AWS/Azure
1. Click on
Compartment
2. Compartment will
1
display the
Compartment ID,
Compartment
2
Name,
Compartment Type
and Status
provisioned in the
respective CSP
billing account(s)

Create Cloud ID User
Go to Services > User
Management > Cloud ID
User
1. Select User Type (

WOG or Other )
1
2. Enter Microsoft
Order Number 2
3. Enter CMP Billing 3

Account Number
4. Enter WOG Email 4
5. Cloud ID Email is 5
auto generated 6
6. Click Create
Assign Cloud ID User

Management >
AWS/Azure > User
1. Select the “AWS 1

Billing Account
Name”,
“WOG/Cloud ID”
2. Select Cloud Admin
Role and click 2
Request.
The SR will be
provisioned once
Agency Manager
approved the request.

Create VPN ID User (1/2)
Go to Services > User 1

Management
1. Click on VPN ID
User 2
2. Click on Create

Create VPN ID User (2/2)
3. Enter Microsoft
Order Number
4. Enter CMP Billing

Account Number
3
5. Enter Cloud ID
4
email
6. Click on Request
5
Username will be auto-
generated
Service Request is
6
routed to AA for
approval

Assign VPN ID User
Management >
AWS/Azure
1. Click on VPN ID
User Assignment
2. Key in CSP Billing

Account Name 2
3. Key in 1 3
Compartment ID
4
4. Key in VPN ID
username

Setup VPN ID User (1/2)
Once SR is approved, VPN ID user
will receive email link with info.
1. Enter VPN username
2. Enter New Password and 1

Confirm New Password
3. Select Device Type (MacOS / 2

Windows)
4. Install WindowsAutoPilotInfo
to generate Device 3
Registration ID and Upload
output.csv for Device
Registration ID 4
* Only 1 Internet device can

register to one VPN ID
Setup VPN ID User (2/2)
Once Password has

been successfully set
up.
5. Download the VPN

Client
6. Copy down 6
Passphrase for VPN
and download the
Client Certificate
5 6

VPN ID User Login (1/2)
Launch the
GlobalProtect VPN
Client
2
1. Select VPN portal
and click Connect
2. Login in with
assigned VPN User
ID

VPN ID User Login (2/2)
1. After Password is
authenticated, GCC
VPN Hub will
prompt to select a
certificate, Click OK 2
2. The VPN
connection is
established
1

Create Jumphost ID User (1/2)
1
Go to Services > User
Management
1. Click on Jumphost 2
ID User
2. Click on Create

Create Jumphost ID User (2/2)
3. Key in Cloud ID
Email 3
4. Click on Request
Jumphost Username
will be auto generated 4
Service Request will be

routed to AA for
approval

Assign Jumphost ID User

Management >
AWS/Azure
1. Click on Jump Host

User Assignment
2. Key in Username
and Click Filter
1
Dashboard will list the
Username, 2
Compartment ID under
respective CSP billing
account

Setup Jumphost ID User (1/4)
User will receive email

with set up account link
which is valid for 24
hours
1. Click on Set Up
Account using
Internet Device 1
The link is only available

for next 24 hours and
you have 15 minutes to
complete the setup

2. Key in Jumphost 1
Username <Jumphost ID>
2
3. Key in New
Password and
Confirm new
Password
3
4. Click on Set
Password

Follow instructions on
screen to download and
install Google
Authenticator to setup
MFA

Follow the instructions

on screen to download
and setup PCoIP clients
App (Teradici)

Information on Jumphosts
• GCCS provides two types of Jumphosts, Internet and Intranet, for Type 1 to 3 compartments
• The Jumphost Operating Systems are Windows 2016 Server Datacenter or RedHat Linux with
Restricted Bash (RBASH) and are hardened in reference to CIS standards
• To access Windows Jumphosts, Terradici client is required for PCoIP protocol. Please note that
each Windows Jumphost support a single user at any one time
• To access Linux Jumphosts, SSH client (Putty) is required. Multiple concurrent sessions are
supported on Linux Jumphosts
• The Jumphost can be managed via the following methods

Operation AWS GCP Azure
Start and Stop Jumphost Execute in AWS Console Execute in GCP Console Execute in CMP

Types of Jumphosts
No CSP Type of VM Operating OS Version Configuration
System
1 AWS T3.Large Windows Windows Server • 2 vCPU, 8 GB RAM
2016 Datacenter • 100 GB EBS
2 AWS T3.small Linux Redhat 7.5 • 2 vCPU, 2 GB RAM
• 80 GB EBS
3 Azure Standard B3ms Windows Windows Server • 2 vCPU, 8 GB RAM
2016 Datacenter • 127 GB (Premium SSD)
4 Azure Standard B2s Linux Redhat 7.7 • 2 vCPU, 4 GB RAM
• 32 GB (Premium SSD)
5 GCP n1-standard-2 Windows Windows Server • 2 vCPU, 7.5 GB RAM
2016 Datacenter • 100 GB (Standard Persistent boot disk)
6 GCP n1-standard-1 Linux Redhat 7.5 • 1 vCPU, 3.75 GB RAM
• 60 GB (Standard Persistent boot disk)

Accessing to Windows Jumphost (1/4)
After VPN connection is
established.
1. To access Windows
Jumphost, launch
Teradicli client and
key in the
1
Jumphost IP, 2 <Jumphost ID>
Connection Name
and Click Next
2. Select the correct
domain, Key in
User ID and
Password and Click
LOGIN.
Note: One concurrent

session supported by
Windows Jumphost

3. Click on the Default

View, Desktop and 3
Click CONNECT.
4. Remote Windows
Jumphost will
prompt the Login 4
Banner, Click OK

System will prompt for
OpenOTP password
5. Key in OpenOTP
password and Click
->
System will prompt for

OpenOTP token
<Jumphost ID>
6. Key in OpenOTP 6
5
token and Click
Enter or ->

Teradicli Client will

present the windows
desktop once all
authentication is
validated

Accessing to Linux Jumphost (1/3)

established.
1. To access Linux
Jumphost, launch
SSH client and key
in the Jumphost IP,
and Click Next
2. Key in User ID and
Password and Click
LOGIN.


established.
1. To access Linux
Jumphost, launch
SSH client and key
in the Jumphost IP,
and Click Next
2. Key in User ID and
Password and Click
LOGIN.

SSH Client will present

the Linux Shell once all
authentication is
validated

Setup/Testing/Go-Live

System Setup, Testing and Go-Live
System Setup
Agency-appoint supplier setup system on GCC
System Testing
Agency-appoint supplier perform load-tests and security tests on Agency
system
System Go-Live
Agency to prepare the system go-live on GCC as per migration schedule

Operation

During Operation Phase
• Agency shall perform a handover of the current Systems to the appointed FM
which includes
• Knowledge transfer
• System documentation
• Operations and support documentation
• Agency shall create user accounts through CMP for appointed FM to perform
remote admin and subscribe CSP services

Thank You
www.tech.gov.sg
@GovTechSG
Facebook.com/GovTechSG
RESTRICTED – Do not forward/distribute. For Internal Government Use Only.


GCC+Foundation+Training v1.4

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GCC+Foundation+Training v1.4

Uploaded by

Copyright:

Available Formats

GCC Foundation

1 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

2 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

4 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

Panel for public cloud Web Content Management Launch of Government

2012 2016 2018

5 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

• Commercial Cloud is a key initiative of the

• GCC Services (GCCS) provides a framework

6 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

Access to Develop better Govt Resource

Secure access & Central visibility

7 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

9 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

Cloud Service Provider GovTech GovTech’s responsibility:

11 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

What the terms mean:

12 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

What the terms mean:

13 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

*Compartments will be covered in greater detail in the hosting model section

14 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

15 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

16 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

2 Monitoring of Web Defacement Provides website defacement monitoring

17 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

19 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

20 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

CMP Portal URL:

21 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

22 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

6 Billing To manage billing account, reports and current cloud spending

8 Service Management To raise support request and incidents pertaining to GCCS

23 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

24 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

7b Service Management - Incident ✔ ✔ ✔ ✖ ✔

25 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

Agency Admin No NA Yes No No

Cloud Admin No Yes NA No No

26 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

27 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

28 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

GoMAX GoMAX VPN Both of the following: Nil

What the terms mean:

Both of the following:

30 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

1 Cloud ID ID To subscribe and

* Agency to procure separately via MGLP

What the terms mean:

Both Jumphost types Government Network

All of the following:

33 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

34 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

35 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

36 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

37 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

38 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

Recommended naming convention for LogGroup

40 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

3 Install the package on each EC2 instance

42 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.

43 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.