aws-samples / bedrock-claude-chat

AWS-native chatbot using Bedrock + Claude (+Mistral)
MIT No Attribution

Feature: Security Update #327

Closed fsatsuki closed 1 month ago

fsatsuki commented 1 month ago

Issue #, if available: None

Description of changes:

Security Update

  1. Perform static analysis of CDK using pdk-nag

  2. The DB username and password are no longer written in plain text in ECS container environment variables. They are retrieved via Secrets Manager instead.

  3. The DB username and password are no longer written in plain text in the Lambda environment variables. They are retrieved via Secrets Manager instead.

  4. Rotate RDS credentials stored in Secrets Manager

  5. Enable RDS minor upgrades

  6. Explicitly prohibit RDS public access

  7. Set up an access log to an S3 bucket

  8. Require authentication when connecting to a websocket

  9. Set encryption settings for new athena.cfnWorkGroup

  10. Enable RDS storage encryption

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

statefb commented 1 month ago
  1. [done] Apply pdk-nag or cdk-nag. According to AppSec standards, it should be cdk-nag. -> For now, implement pdk-nag. cdk-nag has too many errors, so if we do it, we need to do it seriously.

  2. [done] Discontinue storing database usernames and passwords in plaintext in the environment variables of ECS containers. Retrieve them via Secrets Manager instead.

  3. [done] Discontinue storing database usernames and passwords in plaintext in the environment variables of Lambda functions. Retrieve them via Secrets Manager instead.

  4. [done] Rotate the RDS authentication credentials stored in Secrets Manager.

  5. [done] Enable minor upgrades for RDS.

  6. [done] Explicitly set RDS public access to disabled.

  7. [done] Set access logs for S3 buckets (?).

  8. [done] Change websocket authentication to occur at the beginning of establishing a session. Currently, the check is at the very end, allowing anyone to hit it. -> Reuse https://github.com/aws-samples/websocket-api-cognito-auth-sample/tree/main?tab=readme-ov-file

  9. [Excluded] Use VPC endpoints for S3 access (?). -> Postponed for now to avoid increased costs.

  10. [done] Set encryption configuration for new athena.CfnWorkGroup.

  11. [Excluded] Enable MFA for the user pool (?).

  12. [Excluded] Change API Gateway from HTTP to REST API so that WAF can be attached. -> Postponed for now since calling API Gateway requires going through Cognito authentication.

  13. [done] Enable storage encryption for RDS.
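The credential change in items 2 and 3 of both lists (a secret reference in the environment instead of the password itself, resolved at runtime from Secrets Manager) as an added Python example; this is not code from the bedrock-claude-chat repository. It assumes a hypothetical `DB_SECRET_ARN` variable, a constructed list of plaintext key names, and a fake client standing in for boto3's `get_secret_value` so it runs offline; `invalidate()` covers the cache-staleness caveat that rotation (item 4) introduces.

```python
import json

# Constructed list of env var names that would mean a credential is still passed in plaintext.
PLAINTEXT_KEYS = {"DB_PASSWORD", "DB_USER", "DB_USERNAME", "POSTGRES_PASSWORD"}


def find_plaintext_credentials(env):
    """Return env var names that carry a credential directly (the pattern this PR removes)."""
    return sorted(k for k in env if k.upper() in PLAINTEXT_KEYS)


class FakeSecretsManager:
    """Constructed stand-in for a boto3 Secrets Manager client so the example runs offline.

    It mimics only get_secret_value(SecretId=...) -> {"SecretString": ...}.
    """

    def __init__(self, secrets):
        self._secrets = secrets  # SecretId -> JSON string, as Secrets Manager returns it
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": self._secrets[SecretId]}


class DbCredentials:
    """Resolve (username, password) from the secret whose ARN is in DB_SECRET_ARN (assumed name)."""

    def __init__(self, client, env):
        self._client = client
        self._secret_id = env["DB_SECRET_ARN"]  # a reference to the secret, never the secret itself
        self._cached = None

    def get(self):
        # Fetch once per container/function lifetime; later calls reuse the cached pair.
        if self._cached is None:
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            data = json.loads(resp["SecretString"])
            self._cached = (data["username"], data["password"])
        return self._cached

    def invalidate(self):
        """Drop the cache; call after an auth failure so a rotated secret is re-read."""
        self._cached = None
```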

statefb commented 1 month ago

Closes #299 Closes #312