Project Concept ‐ Security Aspects - Campus-Castolo/m300 GitHub Wiki

graph TD
  A[Security Concept Overview]

  A --> IAM[Identity & Access Management]
  IAM --> IAM_Role[aws_iam_role.ecs_task_role]
  IAM --> IAM_ENI[aws_iam_policy.ec2_network_interface_management]
  IAM --> IAM_Benefit[✓ Least Privilege Enforcement]

  A --> NetSec[Network Security]
  NetSec --> SG[aws_security_group.*]
  NetSec --> Subnets[aws_subnet.public / private]
  NetSec --> Net_Benefit[✓ Zero Trust Segmentation]

  A --> DataSec[Data Protection]
  DataSec --> RDS_Enc[aws_db_instance.main + aws_kms_key.rds_encryption_key]
  DataSec --> Lambda_Policy[aws_iam_policy.lambda_rds_backup_policy]
  DataSec --> Data_Benefit[✓ Confidentiality & Snapshot Integrity]

  A --> Observability[Monitoring & Logging]
  Observability --> CW_Logs[aws_cloudwatch_log_group.ecs_logs]
  Observability --> Alarms[aws_cloudwatch_metric_alarm.high_cpu + aws_sns_topic.alerts]
  Observability --> Obs_Benefit[✓ Real-Time Monitoring & Alerts]

  A --> Secrets[Secrets & Config Management]
  Secrets --> SSM[data.aws_ssm_parameter.db_password]
  Secrets --> NoTfvars[No Secrets in terraform.tfvars]
  Secrets --> Secret_Benefit[✓ Encrypted Runtime Credentials]

  A --> TerraformState[Terraform State Security]
  TerraformState --> GitIgnore[.gitignore Excludes Sensitive Files]
  TerraformState --> RemoteState[S3 + DynamoDB Backend]

🔐 Updated Security Concept – Hardened Terraform-Based AWS Infrastructure

Following the integration of best practices and mitigations, the Terraform configuration now implements a hardened security posture. This document outlines the improved security model across Identity and Access Management (IAM), Network Security, Data Protection, Monitoring, and Secret Management.


1. Identity and Access Management (IAM)

🔐 Scoped IAM Roles

  • ECS tasks now use a dedicated IAM Task Role (ecs-task-role) instead of attaching policies to users.
  • The IAM policy for managing ENIs is explicitly scoped and attached only to this role.
  • Role assumption is restricted to the ECS task service principal: ecs-tasks.amazonaws.com.
resource "aws_iam_role" "ecs_task_role" {
  assume_role_policy = ...
}

🛡️ Benefits:

  • Enforces least privilege access.
  • Prevents policy misuse by IAM users.
  • Aligns with AWS-recommended role-based design patterns.

2. Network Security

🔒 Security Group Hardening

  • Security groups now follow default-deny with explicit allow rules:
    • ALB → ECS (HTTP/S only)
    • ECS → RDS (MySQL port 3306)
    • Internet → ALB (restricted IPs or open via HTTPS)
  • VPC segmentation is preserved via public and private subnets.
  • No security group allows open RDS access from the internet.
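The three security groups described above, written out as an added example (not the project's own code). `aws_vpc.main`, the app port 8080 and the `allowed_ingress_cidrs` variable are assumptions; the ALB to ECS to RDS chain and port 3306 are from the page.

```hcl
variable "allowed_ingress_cidrs" {
  description = "Client ranges allowed to reach the ALB over HTTPS; narrow to office/VPN ranges where possible"
  type        = list(string)
  default     = ["0.0.0.0/0"]
}

locals {
  app_port = 8080 # container port the ALB forwards to; assumed
}

# Terraform's aws_security_group removes AWS's implicit allow-all egress rule
# on creation, so with no inline rules each group starts fully closed in both
# directions. Rules live in standalone resources: groups referencing each
# other inline would form a dependency cycle.
resource "aws_security_group" "alb" {
  name        = "alb-sg"
  description = "Internet-facing ALB"
  vpc_id      = aws_vpc.main.id
}

resource "aws_security_group" "ecs" {
  name        = "ecs-tasks-sg"
  description = "ECS tasks, reachable only from the ALB"
  vpc_id      = aws_vpc.main.id
}

resource "aws_security_group" "rds" {
  name        = "rds-sg"
  description = "RDS, reachable only from ECS tasks"
  vpc_id      = aws_vpc.main.id
}

# Internet -> ALB: HTTPS only. No rule for port 80, so plaintext HTTP is refused
# at the network layer rather than redirected.
resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  for_each          = toset(var.allowed_ingress_cidrs)
  security_group_id = aws_security_group.alb.id
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# ALB -> ECS: source is the ALB's security group, never a CIDR; only the app port.
resource "aws_vpc_security_group_ingress_rule" "ecs_from_alb" {
  security_group_id            = aws_security_group.ecs.id
  referenced_security_group_id = aws_security_group.alb.id
  ip_protocol                  = "tcp"
  from_port                    = local.app_port
  to_port                      = local.app_port
}

# ECS -> RDS: MySQL from the task security group only.
resource "aws_vpc_security_group_ingress_rule" "rds_from_ecs" {
  security_group_id            = aws_security_group.rds.id
  referenced_security_group_id = aws_security_group.ecs.id
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
}

# Egress is declared hop by hop as well; the RDS group needs none.
resource "aws_vpc_security_group_egress_rule" "alb_to_ecs" {
  security_group_id            = aws_security_group.alb.id
  referenced_security_group_id = aws_security_group.ecs.id
  ip_protocol                  = "tcp"
  from_port                    = local.app_port
  to_port                      = local.app_port
}

resource "aws_vpc_security_group_egress_rule" "ecs_to_rds" {
  security_group_id            = aws_security_group.ecs.id
  referenced_security_group_id = aws_security_group.rds.id
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
}

# Tasks in private subnets still need HTTPS out (ECR pulls, SSM, CloudWatch
# Logs); route it through VPC endpoints or a NAT gateway, not a public IP.
resource "aws_vpc_security_group_egress_rule" "ecs_https_out" {
  security_group_id = aws_security_group.ecs.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}
```

A quick check after apply: `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<rds-sg id>` should list exactly one ingress rule, with `ReferencedGroupInfo` pointing at the ECS group and no `CidrIpv4` at all.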

🛡️ Benefits:

  • Mitigates lateral movement risks.
  • Isolates backend services from direct exposure.
  • Enforces zero-trust access boundaries.

3. Data Protection

🔐 RDS Encryption

  • RDS MySQL instance is now encrypted at rest using an AWS KMS CMK.
  • Snapshots are encrypted by default using the same key.
resource "aws_db_instance" "main" {
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds_encryption_key.arn
}

📦 Lambda Snapshot Role

  • Lambda functions executing backups use a minimal permission IAM role with:
    • rds:CreateDBSnapshot
    • rds:DescribeDBInstances
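The encryption setup from the RDS paragraph and the backup Lambda's role from the list above, combined into one added example (not the project's own code). `aws_kms_key.rds_encryption_key`, `aws_db_instance.main`, `aws_iam_policy.lambda_rds_backup_policy`, the parameter `/project/db_password` and the two RDS actions are from the page; `aws_db_subnet_group.private`, `aws_security_group.rds`, the instance settings and the snapshot name pattern are assumptions.

```hcl
# Master password resolved from SSM (see section 5); RDS needs the plaintext here.
data "aws_ssm_parameter" "db_password" {
  name            = "/project/db_password"
  with_decryption = true
}

resource "aws_kms_key" "rds_encryption_key" {
  description             = "RDS storage and snapshot encryption"
  enable_key_rotation     = true # annual rotation of key material; old ciphertext stays readable
  deletion_window_in_days = 30   # a deleted key makes every snapshot under it unrecoverable
}

resource "aws_db_instance" "main" {
  identifier        = "app-db"
  engine            = "mysql"
  engine_version    = "8.0"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  db_name           = "app"
  username          = "appadmin"
  password          = data.aws_ssm_parameter.db_password.value

  db_subnet_group_name   = aws_db_subnet_group.private.name # private subnets only
  vpc_security_group_ids = [aws_security_group.rds.id]
  publicly_accessible    = false

  # Encryption at rest; automated backups and manual snapshots inherit the key.
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds_encryption_key.arn

  backup_retention_period   = 7
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "app-db-final"
}

# Backup Lambda: exactly the two actions the page lists, scoped to this instance.
# CreateDBSnapshot is authorised against both the db and the snapshot resource,
# so the snapshot ARN pattern limits which snapshot names the function may create.
data "aws_iam_policy_document" "lambda_rds_backup" {
  statement {
    sid       = "DescribeTarget"
    effect    = "Allow"
    actions   = ["rds:DescribeDBInstances"]
    resources = [aws_db_instance.main.arn]
  }

  statement {
    sid     = "SnapshotTarget"
    effect  = "Allow"
    actions = ["rds:CreateDBSnapshot"]
    resources = [
      aws_db_instance.main.arn,
      "arn:aws:rds:*:*:snapshot:app-db-backup-*",
    ]
  }
}

resource "aws_iam_policy" "lambda_rds_backup_policy" {
  name   = "lambda-rds-backup"
  policy = data.aws_iam_policy_document.lambda_rds_backup.json
}

resource "aws_iam_role" "lambda_rds_backup" {
  name = "lambda-rds-backup"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "lambda_rds_backup" {
  role       = aws_iam_role.lambda_rds_backup.name
  policy_arn = aws_iam_policy.lambda_rds_backup_policy.arn
}
```

The function still needs the managed `AWSLambdaBasicExecutionRole` policy for its own CloudWatch logging, attached the same way. Snapshots taken with the instance's own key need no extra KMS permissions on the Lambda role; copying a snapshot to another account or region does, and that path should be added deliberately rather than by widening this policy to `rds:*`.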

🛡️ Benefits:

  • Ensures data confidentiality and integrity at rest.
  • Prevents excessive privileges in automation functions.

4. Monitoring & Logging

📊 CloudWatch Logs & Alerts

  • ECS and Lambda logs are streamed to CloudWatch with a 14-day retention policy.
  • Alarms trigger based on thresholds (e.g., high CPU), sending notifications via SNS.
  • SNS topics notify system administrators via email/SMS on anomalies.
resource "aws_cloudwatch_log_group" "ecs_logs" {
  retention_in_days = 14
}

🛡️ Benefits:

  • Facilitates real-time anomaly detection.
  • Logs support incident response and auditing.

5. Secret & Configuration Management

🔑 Secure Parameter Storage

  • Secrets (e.g., the DB password) are no longer stored in terraform.tfvars or committed to the repository.
  • Terraform resolves them at plan/apply time from AWS SSM Parameter Store (SecureString) or Secrets Manager, so the plaintext never has to exist in the working tree.
data "aws_ssm_parameter" "db_password" {
  name = "/project/db_password"
  with_decryption = true
}
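The page's snippet above is the right way to feed the master password to `aws_db_instance`, but that path necessarily stores the plaintext in Terraform state. The application side can avoid state entirely: ECS resolves a `secrets` reference at container start using the task *execution* role. The following is an added example (not the project's own code); the parameter name `/project/db_password` and `aws_iam_role.ecs_task_role` are from the page, while the execution role, the `ssm_secrets` KMS key, the `app_image` variable and the task definition are assumptions.

```hcl
variable "app_image" {
  description = "Container image URI (ECR); assumed"
  type        = string
}

# The parameter is created out of band (CLI/console), never by Terraform, so
# its plaintext is not part of this configuration's state. Example bootstrap:
#   aws ssm put-parameter --name /project/db_password --type SecureString \
#     --key-id alias/ssm-secrets --value "$(openssl rand -base64 32)"
#
# with_decryption = false: only the ARN is needed below, so this data source
# never reads the decrypted value into terraform.tfstate.
data "aws_ssm_parameter" "db_password" {
  name            = "/project/db_password"
  with_decryption = false
}

# The execution role is what the ECS agent uses to pull the image, write logs
# and fetch secrets before the container starts. It is distinct from the task
# role (ecs_task_role) that the application code runs with.
resource "aws_iam_role" "ecs_task_execution_role" {
  name = "ecs-task-execution-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "exec_base" {
  role       = aws_iam_role.ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Read exactly this parameter, and decrypt with exactly its key.
data "aws_iam_policy_document" "exec_read_db_secret" {
  statement {
    actions   = ["ssm:GetParameters"]
    resources = [data.aws_ssm_parameter.db_password.arn]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.ssm_secrets.arn] # key the SecureString is encrypted with; assumed
  }
}

resource "aws_iam_role_policy" "exec_read_db_secret" {
  name   = "read-db-password"
  role   = aws_iam_role.ecs_task_execution_role.id
  policy = data.aws_iam_policy_document.exec_read_db_secret.json
}

resource "aws_ecs_task_definition" "app" {
  family                   = "app"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
  task_role_arn            = aws_iam_role.ecs_task_role.arn

  container_definitions = jsonencode([{
    name         = "app"
    image        = var.app_image
    portMappings = [{ containerPort = 8080, protocol = "tcp" }]

    # `secrets` is resolved by the agent at container start and exposed as an
    # environment variable inside the container only. Putting the value under
    # `environment` instead would persist it in the task definition revision,
    # the console and Terraform state in plaintext.
    secrets = [{
      name      = "DB_PASSWORD"
      valueFrom = data.aws_ssm_parameter.db_password.arn
    }]
  }])
}
```

`terraform show` after apply is the check: the task definition must contain the parameter ARN under `secrets` and no password string anywhere; `aws_db_instance` is the one resource where the plaintext is unavoidable, which is why section 6 matters.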

🛡️ Benefits:

  • Secrets are encrypted at rest with KMS and versioned in Parameter Store / Secrets Manager.
  • Credentials are kept out of version control. Values read through a data source, and the `password` of aws_db_instance, are still written to terraform.tfstate in plaintext, so state itself has to be protected (encrypted remote backend, restricted access; see section 6).

6. Terraform State Security

  • (Optional) Plans to move Terraform state to a remote S3 backend with server-side encryption and DynamoDB locking. Until then the local terraform.tfstate holds the DB password and other sensitive attributes in plaintext and must never be committed.
  • .gitignore updated to exclude sensitive files: .terraform/, terraform.tfvars, and currently also .terraform.lock.hcl. The lock file contains no secrets and is better committed: it pins provider versions and checksums, so a substituted provider build fails `terraform init` instead of running.
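The planned remote backend, written out as an added example (not the project's own code): a bootstrap configuration that creates the bucket and lock table, and the backend block the main configuration would then use. Bucket, table, key and alias names and the region are assumptions.

```hcl
# --- bootstrap.tf: applied once, with local state, before the backend exists ---
resource "aws_kms_key" "terraform_state" {
  description         = "Terraform state encryption"
  enable_key_rotation = true
}

resource "aws_kms_alias" "terraform_state" {
  name          = "alias/terraform-state"
  target_key_id = aws_kms_key.terraform_state.key_id
}

resource "aws_s3_bucket" "terraform_state" {
  bucket = "m300-terraform-state" # assumed; bucket names are global
}

# Every apply writes a new object version, so an overwritten or corrupted
# state can be rolled back.
resource "aws_s3_bucket_versioning" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.terraform_state.arn
    }
  }
}

resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket                  = aws_s3_bucket.terraform_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: a single LockID string key is all the S3 backend requires.
resource "aws_dynamodb_table" "terraform_locks" {
  name         = "m300-terraform-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# --- backend.tf in the main configuration ---
# Backend blocks cannot reference resources or variables, so the names are
# repeated literally. Move the existing state with: terraform init -migrate-state
terraform {
  backend "s3" {
    bucket         = "m300-terraform-state"
    key            = "m300/terraform.tfstate"
    region         = "eu-central-1"
    encrypt        = true                    # SSE for the state object
    kms_key_id     = "alias/terraform-state" # CMK rather than the S3-managed default key
    dynamodb_table = "m300-terraform-locks"  # Terraform >= 1.10 can use use_lockfile = true instead
  }
}
```

Because state carries the DB password, the bucket policy and the KMS key policy should grant access only to the CI role and the people who run `terraform apply`; read access to the state object is equivalent to holding the credentials inside it.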

📌 Summary of Security Controls

| Area | Current Implementation |
|---|---|
| IAM | Scoped ECS task roles, no user-bound policies |
| Network Security | Default-deny SGs, strict inter-service access |
| Data Encryption | RDS + snapshots encrypted with a KMS CMK |
| Logging & Monitoring | CloudWatch + SNS alerts + 14-day log retention |
| Secrets Handling | Secrets Manager / SSM integration for credentials |
| State & Git Hygiene | Sensitive files excluded from version control; encrypted remote state planned |

✅ Overall Maturity

With the applied updates, the Terraform infrastructure follows a security-first DevOps strategy: each layer, from identity through data to observability, is governed by scoped policies, encryption, and controlled access. As it stands the setup is a sound baseline for staging workloads. Before it carries production data in a regulated environment, the remote encrypted state backend from section 6 should be in place and access to that state restricted, since state is where the remaining plaintext credentials live.