Deployment related Information

This document is intended to provide security related information about the deployment process and the application.

Container users

Application and application related processes are run by a non-privileged user "appuser" in the containers.

AWS Resource privileges

All AWS resources are running with the least privilege that are defined in IAM roles. In all the IAM roles we use predefined AWS policies for least privileges or custom policies where we exactly define the actions on specified resources.

Policies:

• IAM roles could be created only from code (GitOps approach)
• IAM roles must be tested to have only the necessary pirivileges (least privileges model)
• IAM roles must be reviewed frequently (codereview)

Deployment IAM roles

Deloyment generates the following roles for each customers with the following policies:

• CodebeamerECSTaskExecutionRole
  • AmazonECSTaskExecutionRolePolicy: the default AWS policy
  • DockerRegistrySecretRead: Allow read access to secretsmanager
• HealthcheckServiceTaskExecutionRole
  • CloudwatchPutMetricData: Allow to put the metric data
  • DockerRegistrySecretRead: Allow read access to secretsmanager
• InstanceRole
  • AmazonEC2ContainerServiceforEC2Role: the default AWS policy
  • AssociateElasticIP: Allow AssocitaAddress
  • AttachVolume: Allow to attach specific volume resource to instances
  • CloudwatchPutMetricData: Allow to put the metric data
  • UseKmsKey: Allow using KMS features
  • WaitVolumeReady: Allow describe volumes to check if it's ready

Users must not create IAM roles manually. IAM role creation is allowed only from the code. IAM role changes are handled by a GitOps process.

Keys in AWS KMS

The following keys are used and stored in AWS KMS. Keys are created by IaaS tool. The keys are shared by region:

• Secret key for EBS
• Secret key for RDS

AWS secrets management

The currently used secrets are:

• IntlandDockerRegistryCredentials: Credentials for the registry.codebeamer.com repository
• IntlandDockerHubCredentials: Credentials for the Intland dockerhub
• BackupUrlSignerCredentials: Credentials of Backup-UrlSigner user

No other credentials are stored in AWS Secrets Manager.

Database credentials are stored in AWS Systems Manager Parameters Store.

Customer data encryption

Customer data is encrypted by KMS keys both on RDS and the attached EBS volumes. All data is encrypted with shared keys.

Policy for creating AWS resources

• All resource must be created by automation instead of manual creation
• Manually created resources must be deleted by automation to be run frequently
• Manually created resources must be added to code not to delete by automation (GitOps approach)
• Resources configurations must be stored in the automation tool supported format (yaml, json) centrally

Deployment test

During troubleshooting a clone is created with non-production data where all the troubleshooting steps/processes could be achieved.

Monitoring the Application

• CloudWatch is used for basic health monitoring
• Application monitoring is customer responsibility using the application built-in monitoring

Handling deployment failures

Since the deployments are created by CloudFormation (or other Infrastructure as a Code solutions) failures could be handled.

Handling Application failures

Application failures are handled by the support through the support process using the ticketing system.