Versions Compared

Old Version 7

changes.mady.by.user Paul Hoang

Saved on

compared with

New Version 8

changes.mady.by.user Paul Hoang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • General

    • Reject by default - start with the least amount of permissions across the board (users, machines, services, access)

    • There should be no need for services to send traffic externally, this should be locked down

    • NACL’s to provide a second layer of security to ensure many mistakes with security groups don’t leave service wide open

    • Domain certificates to be per subdomain rather than wildcards. This will allow finer grain control to allow things like revokes if there were a breach

  • Encryption

    • In transit - this is relation to network traffic

    • At rest - when data is stored on disk (either as files or in a form of a database)

    • Network traffic within the VPC must be encrypted

    • Inbound network traffic on HTTP must be redirected to use HTTPS

  • Security groups

    • These behave like firewalls which limit (reject) certain types of traffic - can be attached to many types of resources

    • Many finely grained groups, named appropriately and not shared between VPC’s

    • Chained where it makes sense

  • WAF (Web application firewall)

    • Where it makes sense, to be placed in front of any application that receives traffic sourced externally

  • Controlled networking routes

    • Resources can only be reached via certain routes

    • No public IP’s

    • Applications must be stored in privates subnets with no direct accessible route from outside the VPC

  • Network traffic

    • Subnet to subnet traffic within a VPC will always allow to flow

    • VPC to VPC traffic would be heavily discouraged unless there was a valid reason and no other choice

    • VPC to on-prem/other cloud provider communication can be done via IPSEC VPN & BGP. This however is a large under taking and there may be better alternatives

...

dwddwdw

Application

The applications we develop and deploy fit roughly in 3 groups

...

Some investigations have already been kicked off around ECS and lambda but like previous sessions we should try and standardise before we invest into any one approach

Infrastructure as code

Like all other forms of infrastructure, AWS is prone to configuration drift (where configuration differ’s from environment to environment) and flakey highly customised unique resources that are treated like pets (See: The history of Pets and Cattle). To circumnavigate these issues, we already use tools such as Terraform and Ansible to build and manage infrastructure as well as configure them in a uniform way.

The TIS-OPS Github repository contains the source code for managing the infrastructure in AWS and conforms to a basic format

...

The two folders under terraform are what is of interest here

environments

Contain a number of sub folders that represent environments within AWS, within these environment folders consist of subsections for which the TIS team management, such as TIS, Revalidation and Trainee self service. Beneath these are services and networking configurations that have been applied to their respective areas e.g. VPC code

This folder also give an area for developers to create and experiment in their own area such that they wont conflict with existing infra or other developers (the local folder)

modules

This will contain the HEE developed terraform modules are allow developers to spin up whole environments / services with minimal copying and pasting while allowing to create resources in a standard manner

Other