SECURITY CHECKLIST FOR ECS PRODUCTION INFRASTRUCTURE

S.NO AWS SERVICE ACTION DESCRIPTION METHOD TO SOLVE SUGGESTIONS

1

ECR

Repository policy

Utilize ECR repository policies to control access at the repository level. Define policies that restrict or allow actions such as pull or push based on specific conditions.

Tag Immutable

By making tags immutable, you prevent accidental or intentional overwriting of images with the same tag, ensuring the integrity and traceability of your container images. Once a tag is set as immutable, it cannot be moved or updated.

Lifecycle policy

Amazon ECR (Elastic Container Registry) allows you to manage the lifecycle of your container images using lifecycle policies. With lifecycle policies, you can define rules to automate the cleanup and removal of images from your repository based on criteria such as age or number of images.

2

ECS

Lifecycle policy

Amazon ECR (Elastic Container Registry) allows you to manage the lifecycle of your container images using lifecycle policies. With lifecycle policies, you can define rules to automate the cleanup and removal of images from your repository based on criteria such as age or number of images.

3

LOAD BALANCER

SSL/TLS certification

Use valid and up-to-date SSL certificates.Regularly renew certificates before expiration.

Health check

Ensure that health checks are configured to monitor critical aspects of your application

Access control

Secure backend instances by configuring security groups to only allow traffic from the load balancer.

4

S3

Bucket Policies

Define restrictive bucket policies to control access.Use the principle of least privilege to grant permissions.

Encryption

Encryption often uses a “key” (usually a large number) stored separately from the data to ensure that only the key holder can read it.

5

API gateway

Authentication & Authorization - Keycloak

In the context of an API Gateway, authentication ensures that only legitimate and authorized users or systems are granted access to protected APIs and resources.

AWS WAF integration

Integrate API Gateway with AWS WAF (Web Application Firewall) to protect against common web exploits. Set up WAF rules based on application’s security requirements

Rate limiting

The purpose of rate limiting is to prevent abuse, protect resources from being overwhelmed, and ensure fair usage of services.

6

EC2

Authentication & Authorization - Keycloak

In the context of an API Gateway, authentication ensures that only legitimate and authorized users or systems are granted access to protected APIs and resources.

Security Groups and IAM Roles

Configure security groups to control inbound and outbound traffic to instances.

Security Benchmarks and Hardening Guides

Security benchmarks are sets of best practices and configuration guidelines that help organizations secure their systems and applications.

7

RDS

Encryption

SSL/TLS Encryption: Enable SSL/TLS encryption for data in transit between applications and RDS instances.
Encryption at Rest: Enable encryption at rest for RDS instances using AWS Key Management Service (KMS).

Backup & recovery

Enable automated backups for RDS instances.Set a retention period for automated backups.

Database Access Control(RBAC)

Implement role-based access control to restrict database access based on user roles. Use database roles and grants to control permissions.

8

ROUTE 53

Domain Expiry Alerts

Configure alerts for domain expiry dates to prevent unintentional domain expiration and potential security issues.

DNS Query Rate Limiting

Configure rate limiting on DNS queries to mitigate the impact of DDoS attacks and prevent abuse.

9

Cloudwatch logs

Periodic Security Audits

Review and update security measures based on audit findings.