Closed fsatsuki closed 1 month ago
[done] Apply pdk-nag or cdk-nag. According to AppSec standards, it should be cdk-nag. -> For now, implement pdk-nag. cdk-nag has too many errors, so if we do it, we need to do it seriously.
[done] Discontinue storing database usernames and passwords in plaintext in the environment variables of ECS containers. Retrieve them via Secrets Manager instead.
[done] Discontinue storing database usernames and passwords in plaintext in the environment variables of Lambda functions. Retrieve them via Secrets Manager instead.
[done] Rotate the RDS authentication credentials stored in Secrets Manager.
[done] Enable minor upgrades for RDS.
[done] Explicitly set RDS public access to disabled.
[done] Set access logs for S3 Buckets(?).
[done] Change websocket authentication to occur at the beginning of establishing a session. Currently, the check is at the very end, allowing anyone to hit it. -> Reuse https://github.com/aws-samples/websocket-api-cognito-auth-sample/tree/main?tab=readme-ov-file
[Excluded] Use VPC endpoints for S3 access(?). -> Postponed for now to avoid increased costs.
[done] Set encryption configuration for new athena.CfnWorkGroup.
[Excluded] Enable MFA for the user pool(?).
[Excluded] Change API Gateway from HTTP to REST API so that WAF can be attached. -> Postponed for now since calling API Gateway requires going through Cognito authentication.
[done] Enable storage encryption for RDS.
Closes #299 Closes #312
Issue #, if available: None
Description of changes:
Security Update
Perform static analysis of CDK using pdk-nag
The DB username and password are no longer written in plain text in ECS container environment variables. Make sure to retrieve them via Secrets Manager
The DB username and password are no longer written in plain text in the Lambda environment variables. Make sure to retrieve them via Secrets Manager
Rotate RDS credentials stored in Secrets Manager
Enable RDS minor upgrades
Explicitly prohibit RDS public access
Set up an access log to an S3 bucket
Require authentication when connecting to a websocket
Set encryption settings for new athena.CfnWorkGroup
Enable RDS storage encryption
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
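Added example, not part of this PR and not pdk-nag or cdk-nag itself: a minimal nag-style checker written in plain TypeScript that encodes the rules behind the checklist above (RDS storage encryption, public access off, minor upgrades on, no plaintext credentials in RDS/ECS/Lambda properties, a RotationSchedule attached to each secret, and an encryption configuration on the Athena workgroup) and runs them over a synthesized CloudFormation template. The rule names, the env-var name pattern, and both the "before" and "after" templates are constructed for illustration; the account id in the ARN is a placeholder.

```typescript
// Added example (not the project's code and not pdk-nag/cdk-nag): a minimal
// nag-style checker for a synthesized CloudFormation template that encodes the
// rules behind the items in this PR. Rule names, the env-var name pattern and
// both templates below are constructed for illustration.

type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };
type Finding = { logicalId: string; rule: string; message: string };

// Env-var names that should never hold a literal credential (assumed pattern).
const SECRET_NAME = /PASS(WORD)?|SECRET|TOKEN/i;

// A value is a plaintext literal only if it is a string that is neither a
// Secrets Manager dynamic reference nor an ARN (an ARN points at a secret, it
// is not the secret). Intrinsics such as Ref / Fn::Join are objects, so they
// never count as plaintext.
function isPlaintext(v: unknown): boolean {
  return typeof v === "string" &&
    !v.startsWith("{{resolve:secretsmanager:") && !v.startsWith("arn:");
}

function lintTemplate(tpl: Template): Finding[] {
  const out: Finding[] = [];
  const add = (logicalId: string, rule: string, message: string) =>
    out.push({ logicalId, rule, message });
  // Logical ids of secrets that some RotationSchedule points at via Ref.
  const rotated = new Set<string>();
  for (const r of Object.values(tpl.Resources))
    if (r.Type === "AWS::SecretsManager::RotationSchedule") rotated.add(r.Properties?.SecretId?.Ref);

  for (const [id, res] of Object.entries(tpl.Resources)) {
    const p = res.Properties ?? {};
    switch (res.Type) {
      case "AWS::RDS::DBInstance":
        if (p.StorageEncrypted !== true) add(id, "RdsStorageEncrypted", "StorageEncrypted must be true");
        if (p.PubliclyAccessible !== false) add(id, "RdsNotPublic", "PubliclyAccessible must be explicitly false");
        if (p.AutoMinorVersionUpgrade !== true) add(id, "RdsMinorUpgrade", "AutoMinorVersionUpgrade must be true");
        if (isPlaintext(p.MasterUserPassword)) add(id, "RdsPlaintextPassword", "MasterUserPassword must come from Secrets Manager");
        break;
      case "AWS::SecretsManager::Secret":
        if (!rotated.has(id)) add(id, "SecretRotation", "no RotationSchedule targets this secret");
        break;
      case "AWS::ECS::TaskDefinition":
        for (const c of p.ContainerDefinitions ?? [])
          for (const e of c.Environment ?? [])
            if (SECRET_NAME.test(e.Name) && isPlaintext(e.Value))
              add(id, "EcsSecretInEnv", `${c.Name}: ${e.Name} is plaintext; move it to Secrets/ValueFrom`);
        break;
      case "AWS::Lambda::Function":
        for (const [k, v] of Object.entries(p.Environment?.Variables ?? {}))
          if (SECRET_NAME.test(k) && isPlaintext(v))
            add(id, "LambdaSecretInEnv", `${k} is plaintext; fetch it from Secrets Manager at runtime`);
        break;
      case "AWS::Athena::WorkGroup":
        if (!p.WorkGroupConfiguration?.ResultConfiguration?.EncryptionConfiguration?.EncryptionOption)
          add(id, "AthenaResultsEncrypted", "query results need an EncryptionConfiguration");
        break;
    }
  }
  return out;
}

// Constructed secret shared by both templates (generated password, fixed username).
const DB_SECRET: Resource = { Type: "AWS::SecretsManager::Secret", Properties: {
  GenerateSecretString: { SecretStringTemplate: '{"username":"app"}', GenerateStringKey: "password" } } };

// Constructed "before" template: the state the PR items describe as fixed.
const BEFORE: Template = { Resources: {
  DbSecret: DB_SECRET,
  Db: { Type: "AWS::RDS::DBInstance", Properties: { Engine: "postgres", MasterUsername: "app", MasterUserPassword: "hunter2", AutoMinorVersionUpgrade: false } },
  Task: { Type: "AWS::ECS::TaskDefinition", Properties: { ContainerDefinitions: [{ Name: "api",
    Environment: [{ Name: "DB_HOST", Value: "db.internal" }, { Name: "DB_PASSWORD", Value: "hunter2" }] }] } },
  Fn: { Type: "AWS::Lambda::Function", Properties: { Environment: { Variables: { DB_PASSWORD: "hunter2" } } } },
  Wg: { Type: "AWS::Athena::WorkGroup", Properties: { Name: "analytics" } },
} };

// Constructed "after" template: credentials via dynamic references / ARNs, rotation
// attached, RDS flags set, workgroup results encrypted. The account id is a placeholder.
const SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:DbSecret";
const AFTER: Template = { Resources: {
  DbSecret: DB_SECRET,
  DbSecretRotation: { Type: "AWS::SecretsManager::RotationSchedule", Properties: { SecretId: { Ref: "DbSecret" },
    RotationRules: { AutomaticallyAfterDays: 30 }, HostedRotationLambda: { RotationType: "PostgreSQLSingleUser" } } },
  Db: { Type: "AWS::RDS::DBInstance", Properties: { Engine: "postgres", StorageEncrypted: true, PubliclyAccessible: false, AutoMinorVersionUpgrade: true,
    MasterUsername: "{{resolve:secretsmanager:DbSecret:SecretString:username}}", MasterUserPassword: "{{resolve:secretsmanager:DbSecret:SecretString:password}}" } },
  Task: { Type: "AWS::ECS::TaskDefinition", Properties: { ContainerDefinitions: [{ Name: "api", Environment: [{ Name: "DB_HOST", Value: "db.internal" }],
    Secrets: [{ Name: "DB_USER", ValueFrom: `${SECRET_ARN}:username::` }, { Name: "DB_PASSWORD", ValueFrom: `${SECRET_ARN}:password::` }] }] } },
  Fn: { Type: "AWS::Lambda::Function", Properties: { Environment: { Variables: { DB_SECRET_ARN: SECRET_ARN } } } },
  Wg: { Type: "AWS::Athena::WorkGroup", Properties: { Name: "analytics", WorkGroupConfiguration: { ResultConfiguration: { EncryptionConfiguration: { EncryptionOption: "SSE_S3" } } } } },
} };

for (const f of lintTemplate(BEFORE)) console.log(`[before] ${f.logicalId} ${f.rule}: ${f.message}`);
console.log(`[after] findings: ${lintTemplate(AFTER).length}`);
```

Run against the "before" template it reports eight findings (one per checklist item it covers, four of them on the RDS instance); the "after" template is clean. The ARN exemption in `isPlaintext` is deliberate: a Lambda that receives the secret's ARN and resolves it at runtime is exactly the pattern the PR moves to, so a naive name-based rule must not flag `DB_SECRET_ARN`.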