Amazon Web Services (AWS CodeDeploy): Auto Assignment of Elastic IP to green/blue deployment fleet replacement instances.

Image
With a blue/green deployment, you provision a new set of instances on which CodeDeploy installs the latest version of your application. CodeDeploy then reroutes load balancer traffic from an existing set of instances running the previous version of your application to the new set of instances running the latest version. After traffic is rerouted to the new instances, the existing instances can be terminated. Blue/green deployments allow you to test the new application version before sending production traffic to it. If there is an issue with the newly deployed application version, you can roll back to the previous version faster than with in-place deployments. Additionally, the instances provisioned for the blue/green deployment will reflect the most up-to-date server configurations since they are new. Problem with Blue/Green deployment is that once the fleet is replaces, if you had any EIP attached to the older instances, you have to manually reattch them to the new fleet. Here’s ho…

autobotAI practices for managing compliance with security standards

We at autobotAI take security very seriously. We know it is our responsibility to make sure that everything is secure when our customers are trusting us with their cloud infrastructure. We make sure that our system is security compliant all the time. We our self use autobotAI to keep the security compliance in check.
Here's some of the things that we do/have that make us the most secure platform.

OTP(Verification Code) based verification for critical skill invocations.

We want to make sure that every task autobotAI can do is verified. For every critical skill invocation like shutting down instance or resource cleanup we require customers provide Verification Code(OTP) that is shown in Alexa App. This makes sure to avoid any unauthorised access to the autobotAI skill. It WILL NOT execute any critical tasks until the user is verified. This is a small inconvinience for security untill we have have voice recognition base authentication in place. Here's some of the things that require OTP.
  • EC2 instance state change i.e. Shutting down/Starting up.
  • Resource usage cleanup.
  • Setting updating budget.
  • CloudFormation cache clearance.
  • AWS CloudWatch alarm configuration.
  • SSM installation and check.
  • VPN trouble shooting
  • And many more

Cognito as Authorization/Authentication Provider

We use AWS Cognito for Authorization and Authentication Provider. Cognito follows industry standard security practices. Cognito is PCI DSS Compliant since July 2017. This gives us more options, flexibility, and functionality to process and store sensitive data in the AWS Cloud.
Here's few points.
  • Cognito is Cognito is PCI DSS Compliant
  • No authentication details is available to the owner of the cognito user pool account. We our self do not have access to authentication data unlike in house developed auth service where data is stored in providers database.
  • Cognito User Pools is a standards-based Identity Provider and supports identity and access management standards, such as Oauth 2.0. We use OAuth 2.0 for all the auth requirements.
  • Amazon Cognito supports multi-factor authentication and encryption of data-at-rest and in-transit. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, ISO/EIC 27001, ISO/EIC 27017, ISO/EIC 27018, and ISO 9001 compliant.

AWS best practices using IAM and Access Policy for internal and for customer accounts.

We make sure that we internaly use IAM to provide only required access to the team using Access Policies. Similarly we only aquire required policy from our customers. autobotAI account linking process CloudFormation template creates a role in customers account with only the access that we require to provide you the services and insight into their accounts. Here's some actions we do not aquire access in customers account currently.
  • EC2 instance termination.
  • Live servers shutdown.
  • EC2 instance state change to only the onces which are tagged by autobotAI.
  • Any kind of non infrastructure related access.

AWS Security Token Service for Customer Account Access

AWS STS enables us to aquire temporary, limited-privilege credentials for customer's AWS Identity and Access Management (IAM). This service only allows specific AWS account aquire temporary credentials to customers account. Here's few points to note.
  • We setup IAM policy on customer's account such using the security key and token only autobotAI(our AWS account) can aquire access credentials.
  • We use ExternalID to make it much secure. This key is required with every credential aquisition request on the top of security credentials.

AWS Key Management Service to Encrypt and Store sensitive information.

  • IAM and STS takes care of much of the security but to make it even more secure we use KMS.
  • KMS provides FIPS 140-2 validated hardware security for encryption/decription.
  • KMS is used to encrypt and store sensetive information like STS key, acccess credentials and ExternalIDs.
  • Everytime we aquire the access to customers account, we first decrypt the data and use it to aquire access creds.

Fully Serverless Architecture using AWS Lambda and AWS API Gateway.

Our infrastucture is fully Serverless. We don't have any servers running not even for development. We use API Gateway, Lambda and CloudFront for all the web services. Here's some points why this is much secure than conventional web application setup.
  • All the web service calls to autobotAI are through API Gateway, which inturn is secured by Cognito, It make sure that any web call is authenticated by Cognito.
  • API Gateway is PCI DSS Compliant
  • We use SSL certificates for secure communication as per the industry standard.

Internal Security Practices.

Here's the security practices we follow internally.
  • We have IAM roles setup for each individuals in team with only required access.
  • We have strong password policy in place and use MFA for authentication.
  • We use VPN for any access to the autobotAI platform.
  • We have test AWS accounts setup to validate and test our security compliance tasks.
  • Relase process goes through multiple environments and QA checks for functionality especially to avoid advers effects.
  • We ourself use autobotAI to check for security issues like unwanted security group, ports, password policy check and access credentials age etc.

Comments

Popular posts from this blog

Amazon Web Services (AWS CodeDeploy): Auto Assignment of Elastic IP to green/blue deployment fleet replacement instances.

Voice based virtual assistance for CloudOps