System Hardening

The purpose of this document is to outline the hardening standards that should be implemented for newly deployed infrastructure. These standards are designed to ensure the security and integrity of our systems and data by mitigating the risks associated with potential security threats.

System Configuration

All systems should be configured according to the following guidelines:

Roles and Permissions

Each deployable system/application/job/service should run using a dedicated IAM role with permissions granting it minimal access to the operations and resources it requires.

Examples:

Credentials

All secrets, passwords, and tokens that applications need access to must be stored using AWS SSM ParamStore or AWS Secrets Manager.

  • AWS Secrets Manager is the preferred option for database passwords and connection details, given that it provides mechanisms to facilitate RDS credential rotations.
  • SSM can be used for everything else.

Examples:

EC2 Remote Access

When creating EC2 instances, remote access through SSH should be disabled and SSM StartSession should be used instead.

Examples:
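
The following is an added illustration, not part of the original standard or of any project tooling: a small Python audit that checks a deployment against the three rules above (dedicated minimal IAM role, no literal secrets, no SSH ingress). The input shapes follow IAM policy JSON, the EC2 `IpPermissions` structure, and an ECS container definition; the `orders-api` name, the account ID, and the secret-name heuristic are assumptions made for the example.

```python
import re

# Heuristic: names that usually hold a secret (assumption, tune per team).
SECRET_NAME = re.compile(r"pass(word)?|secret|token|api_?key", re.I)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_iam_policy(policy):
    """Flag Allow statements with '*' / 'service:*' actions or a '*' resource."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings

def audit_ingress(ip_permissions):
    """Flag security-group ingress entries whose TCP port range covers SSH (22)."""
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        all_traffic = proto == "-1"  # all protocols: no port fields are present
        covers_ssh = proto in ("tcp", "6") and perm.get("FromPort", 1) <= 22 <= perm.get("ToPort", 0)
        if all_traffic or covers_ssh:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            findings.append(f"ingress reaches port 22 from {cidrs}")
    return findings

def audit_container_env(container):
    """Flag secret-looking names passed as literal 'environment' values."""
    return [f"literal secret in environment: {e['name']}"
            for e in container.get("environment", [])
            if SECRET_NAME.search(e["name"])]

# Constructed sample inputs (not taken from any real account).
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/orders-api/*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
SAMPLE_CONTAINER = {
    "environment": [{"name": "LOG_LEVEL", "value": "info"}, {"name": "DB_PASSWORD", "value": "constructed-not-real"}],
    "secrets": [{"name": "API_TOKEN", "valueFrom": "arn:aws:ssm:us-east-1:111122223333:parameter/orders-api/api-token"}]}
```

A wildcard resource finding is a prompt for review rather than proof of a violation, since some read-only AWS actions only accept `*` as the resource.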

Network Configuration

Applications and services should be deployed to the VPC that matches the target environment.

main-vpc-lookup can be used to look up the VPCs, subnet IDs, and other network characteristics of the target environment.

Examples:

Programming

Refer to the System Deployment Security Checklists.