SECURITY CHECKLIST FOR ECS PRODUCTION INFRASTRUCTURE
| S.NO | AWS SERVICE | ACTION | DESCRIPTION | METHOD TO SOLVE | SUGGESTIONS |
|---|---|---|---|---|---|
1 |
ECR |
Repository policy |
Utilize ECR repository policies to control access at the repository level. Define policies that restrict or allow actions such as pull or push based on specific conditions. |
||
Tag Immutable |
By making tags immutable, you prevent accidental or intentional overwriting of images with the same tag, ensuring the integrity and traceability of your container images. Once a tag is set as immutable, it cannot be moved or updated. |
||||
Lifecycle policy |
Amazon ECR (Elastic Container Registry) allows you to manage the lifecycle of your container images using lifecycle policies. With lifecycle policies, you can define rules to automate the cleanup and removal of images from your repository based on criteria such as age or number of images. |
||||
2 |
ECS |
Lifecycle policy |
Amazon ECR (Elastic Container Registry) allows you to manage the lifecycle of your container images using lifecycle policies. With lifecycle policies, you can define rules to automate the cleanup and removal of images from your repository based on criteria such as age or number of images. |
||
3 |
LOAD BALANCER |
SSL/TLS certification |
Use valid and up-to-date SSL certificates.Regularly renew certificates before expiration. |
||
Health check |
Ensure that health checks are configured to monitor critical aspects of your application |
||||
Access control |
Secure backend instances by configuring security groups to only allow traffic from the load balancer. |
||||
4 |
S3 |
Bucket Policies |
Define restrictive bucket policies to control access.Use the principle of least privilege to grant permissions. |
||
Encryption |
Encryption often uses a “key” (usually a large number) stored separately from the data to ensure that only the key holder can read it. |
||||
5 |
API gateway |
Authentication & Authorization - Keycloak |
In the context of an API Gateway, authentication ensures that only legitimate and authorized users or systems are granted access to protected APIs and resources. |
||
AWS WAF integration |
Integrate API Gateway with AWS WAF (Web Application Firewall) to protect against common web exploits. Set up WAF rules based on application’s security requirements |
||||
Rate limiting |
The purpose of rate limiting is to prevent abuse, protect resources from being overwhelmed, and ensure fair usage of services. |
||||
6 |
EC2 |
Authentication & Authorization - Keycloak |
In the context of an API Gateway, authentication ensures that only legitimate and authorized users or systems are granted access to protected APIs and resources. |
||
Security Groups and IAM Roles |
Configure security groups to control inbound and outbound traffic to instances. |
||||
Security Benchmarks and Hardening Guides |
Security benchmarks are sets of best practices and configuration guidelines that help organizations secure their systems and applications. |
||||
7 |
RDS |
Encryption |
SSL/TLS Encryption:
Enable SSL/TLS encryption for data in transit between applications and RDS instances. |
||
Backup & recovery |
Enable automated backups for RDS instances.Set a retention period for automated backups. |
||||
Database Access Control(RBAC) |
Implement role-based access control to restrict database access based on user roles. Use database roles and grants to control permissions. |
||||
8 |
ROUTE 53 |
Domain Expiry Alerts |
Configure alerts for domain expiry dates to prevent unintentional domain expiration and potential security issues. |
||
DNS Query Rate Limiting |
Configure rate limiting on DNS queries to mitigate the impact of DDoS attacks and prevent abuse. |
||||
9 |
Cloudwatch logs |
Periodic Security Audits |
Review and update security measures based on audit findings. |