{"id":118,"date":"2025-01-20T20:45:43","date_gmt":"2025-01-20T19:45:43","guid":{"rendered":"https:\/\/www.raczynski.online\/?p=118"},"modified":"2025-01-21T14:26:35","modified_gmt":"2025-01-21T13:26:35","slug":"securing-an-aws-infrastructure-from-the-database-to-the-web-application","status":"publish","type":"post","link":"https:\/\/www.raczynski.online\/?p=118&lang=en","title":{"rendered":"Securing an AWS Infrastructure : From the Database to the Web Application"},"content":{"rendered":"\n
In a world where security risks scale as quickly as the cloud itself, building a robust AWS architecture requires weaving cybersecurity into each layer of the stack. From provisioning your first EC2 instance to orchestrating containerized applications on EKS\u2014and ensuring all traffic is encrypted by an HTTPS Load Balancer\u2014every decision impacts your overall security posture. This article dives deep into how Identity and Access Management (IAM) and network configurations function as pillars of a secure deployment, while suggesting both AWS-native and third-party tools to help you stay ahead of emerging threats.<\/p>\n\n\n\n
1. Context: Scenario and Requirements<\/h2>\n\n\n\n
This scenario outlines deploying a database on an EC2 instance, hosting a containerized web application in an Amazon EKS cluster, and securing inbound traffic through an HTTPS Application Load Balancer. All resources need to adhere to best practices, including restricting network access, rotating credentials, and enforcing the principle of least privilege via IAM. Regular backups to Amazon S3, monitoring logs with CloudWatch, and using AWS-native or third-party cybersecurity tools (GuardDuty, WAF, Suricata, etc.) round out the requirements for a resilient, production-ready setup.<\/p>\n\n\n\n
1.1 Database on EC2<\/h3>\n\n\n\n
\n
Primary Goal<\/strong>: Run MongoDB (or any other database) in a tightly secured environment. Restrict inbound connections to a specific CIDR range or private subnet.<\/li>\n\n\n\n
Backups & Disaster Recovery<\/strong>: Implement regular backups to Amazon S3, ensuring data is recoverable in the event of corruption or accidental deletion.<\/li>\n<\/ul>\n\n\n\n
1.2 Web Application on EKS<\/h3>\n\n\n\n
\n
Scalability & Automation<\/strong>: Host containerized workloads in a Kubernetes-managed cluster (EKS), allowing rolling updates, auto-scaling, and standardized deployments.<\/li>\n\n\n\n
Secret Management<\/strong>: Avoid storing credentials in Docker images; use AWS Secrets Manager or Parameter Store to provide them securely at runtime.<\/li>\n<\/ul>\n\n\n\n
1.3 HTTPS Load Balancer<\/h3>\n\n\n\n
\n
Secure Traffic<\/strong>: Enforce TLS\/SSL across the board, forcing HTTP (port 80) to HTTPS (port 443) redirection.<\/li>\n\n\n\n
WAF Integration<\/strong>: Optionnaly deploy a Web Application Firewall (WAF) to inspect requests for malicious payloads (XSS, SQLi, etc.).<\/li>\n<\/ul>\n\n\n\n
1.4 IAM (Identity & Access Management)<\/h3>\n\n\n\n
\n
Fine-Grained Permissions<\/strong>: Implement roles with the principle of least privilege, granting only necessary access to each AWS service or component.<\/li>\n\n\n\n
Traceability<\/strong>: Use CloudTrail and Security Hub to audit changes and detect potential misconfigurations.<\/li>\n<\/ul>\n\n\n\n\n\n\n\n
2. Deploying and Securing the Database on EC2<\/h2>\n\n\n\n
2.1 EC2 Instance Configuration<\/h3>\n\n\n\n
\n
OS and AMI Choice<\/strong>\n
\n
Select Ubuntu 22.04 LTS<\/strong> (or another distribution with robust, frequent security updates).<\/li>\n\n\n\n
Optionally enable EBS encryption at rest<\/strong> for the root and data volumes.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Security Groups<\/strong>\n
\n
Restrict port 27017 (MongoDB) to internal traffic. If you must expose it publicly (for remote admin tasks), whitelist only trusted IP ranges or set up a VPN\/bastion approach.<\/li>\n\n\n\n
Limit SSH (port 22) to a bastion host or your office\u2019s IP range. For ephemeral remote access, consider AWS Systems Manager Session Manager<\/strong> to avoid exposing port 22 entirely.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n
\n<\/figure><\/div>\n\n\n
As shown in the security group rules for i-095d3062b983b51f3<\/strong> (KR-MongoDB), there are a few common misconfigurations to be wary of. First, inbound \u201cAll Traffic\u201d from the EKS group and wide-open ports (0\u201365535 from 0.0.0.0\/0) greatly expand the attack surface, exposing numerous unused ports to the internet. Similarly, leaving SSH (port 22) publicly accessible means potential brute-force attempts. Although this setup might work for quick tests, it\u2019s risky in a production or publicly accessible environment. Instead, restrict traffic to the necessary ports\u2014ideally behind a bastion or an ALB for inbound requests\u2014and limit SSH or ephemeral ports to known IPs or private subnets.<\/p>\n\n\n\n
\n
Extra Hardening<\/strong>\n
\n
Disable password login; rely exclusively on key-based SSH.<\/li>\n\n\n\n
Keep the system patched.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
2.2 MongoDB Configuration<\/h3>\n\n\n\n\n
Access Control<\/strong>\n
\n
Enable auth in \/etc\/mongod.conf<\/code> by setting security.authorization: enabled<\/code>.<\/li>\n\n\n\n
Create role-specific users: for instance, an appUser<\/code> with readWrite<\/code> on a single database, and an admin user with broader privileges.<\/li>\n\n\n\n
Store credentials securely (e.g., in AWS Secrets Manager).<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Transport Layer Security<\/strong>\n
\n
If external services need to connect to MongoDB, consider generating a TLS certificate for secured connections.<\/li>\n\n\n\n
For internal usage, at least ensure you\u2019re restricting MongoDB to the private subnet.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Integrate with cron<\/code> for daily or weekly backups, then rotate old backups (e.g., older than 14 days).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
2.3 Logs & Monitoring<\/h3>\n\n\n\n\n
AWS CloudWatch Logs<\/strong>\n
\n
Stream MongoDB logs to CloudWatch Logs using either an agent (e.g., the awslogs<\/code> driver) or a sidecar approach in Docker if containerized.<\/li>\n\n\n\n
Set alarms on high error rates or repeated authentication failures.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
AWS CloudTrail<\/strong>\n
\n
Every change in security group rules, IAM policy updates, or new resource creation is logged here.<\/li>\n\n\n\n
Consolidate logs from multiple regions or accounts to avoid missing critical events.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
While hosting MongoDB on an EC2 instance is a valid approach\u2014especially if you need granular control\u2014AWS offers several managed solutions that can reduce operational overhead and enhance reliability. For instance, Amazon DocumentDB<\/strong> (with MongoDB compatibility) offloads patching, scaling, and automatic backups, and integrates natively with other AWS services. Alternatively, using a fully managed database service like Amazon RDS<\/strong> or Amazon Aurora<\/strong> might be more cost-effective and less maintenance-intensive if a relational model suits your use case. Evaluating these managed options not only saves you from manual updates and security patches, but also ensures high availability and automatic failover, letting you focus on application development rather than database administration.<\/p>\n\n\n\n
Recommended Cybersecurity Tools<\/h4>\n\n\n\n
\n
AWS Security Hub<\/strong>\n
\n
Regularly checks resources against CIS and PCI DSS benchmarks, highlighting misconfigurations.<\/li>\n\n\n\n
Non-AWS Alternative<\/strong>: Wazuh<\/strong> (an OSSEC fork) or Elastic Security<\/strong> for compliance scanning and SIEM capabilities.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Amazon GuardDuty<\/strong>\n
\n
Monitors VPC Flow Logs and DNS queries to detect intrusion attempts or suspicious activity.<\/li>\n\n\n\n
Non-AWS Alternative<\/strong>: Suricata<\/strong> or Zeek<\/strong> for deep packet inspection and intrusion detection.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Amazon Detective<\/strong>\n
\n
Correlates GuardDuty findings with CloudTrail, VPC logs for deeper incident investigations.<\/li>\n\n\n\n
Non-AWS Alternative<\/strong>: Tools like Arkime<\/strong> or Malcolm<\/strong> for a self-managed network forensics platform.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n\n\n\n\n
3. Exposing the Web Application on EKS<\/h2>\n\n\n\n
3.1 EKS Cluster Setup<\/h3>\n\n\n\n\n
Networking<\/strong>\n
\n
Separate subnets: public<\/code> subnets for load balancers, private<\/code> subnets for worker nodes.<\/li>\n\n\n\n
If using AWS Fargate for serverless Kubernetes pods, define appropriate Fargate profiles.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
RBAC & IAM Roles<\/strong>\n
\n
Create a dedicated IAM role for the control plane, another for node instances.<\/li>\n\n\n\n
Map these roles to Kubernetes identities using aws-auth<\/code> ConfigMap, ensuring each node or user gets only the necessary privileges.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Autoscaling & Resilience<\/strong>\n
\n
Enable Cluster Autoscaler<\/strong> to handle node scaling based on real-time workload.<\/li>\n\n\n\n
Use Horizontal Pod Autoscaler<\/strong> to dynamically adjust pod replicas under CPU\/memory load.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
3.2 Containerization<\/h3>\n\n\n\n\n
Dockerfile Hardening<\/strong>\n
\n
Base images: prefer minimal distributions (e.g., alpine<\/code>), keep them updated.<\/li>\n\n\n\n
Multi-stage builds: remove development tools or secrets from the final image to reduce the attack surface.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Amazon ECR<\/strong>\n
\n
Encrypt images at rest by default.<\/li>\n\n\n\n
Use repository policies to limit push\/pull actions to certain IAM entities.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Application Secrets<\/strong>\n
\n
AWS Secrets Manager or Parameter Store integrates with EKS to inject secrets as environment variables or volumes.<\/li>\n\n\n\n
Avoid storing credentials in plain text within manifests or environment variables in Git.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Block cross-namespace traffic by default, then allow communication only where required.<\/li>\n\n\n\n
Tools like Calico<\/strong> or Cilium<\/strong> can implement advanced eBPF-level filtering, providing layer 7 controls.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Audit Logging<\/strong>\n
\n
Configure Kubernetes audit logs (api-server flags) for deeper visibility into cluster-level changes (e.g., new roles, events).<\/li>\n\n\n\n
Combine them with CloudWatch or an external SIEM (Splunk, Graylog).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n
\n<\/figure><\/div>\n\n\n
This screenshot displays critical details of an Amazon EKS cluster named eks-cluster-3<\/strong>, including its status (Active), the Kubernetes version in use (1.30), and the API server endpoint. It also shows the cluster\u2019s IAM role ARN, the certificate authority data (Base64-encoded), and the OIDC provider URL used for authenticating requests. These elements are essential for cluster operations but should typically be redacted if shared publicly to avoid exposing unique identifiers or endpoints.<\/p>\n\n\n\n
Recommended Cybersecurity Tools<\/h4>\n\n\n\n
\n
Amazon Inspector<\/strong>\n
\n
Scans containers for known CVEs or misconfigurations.<\/li>\n\n\n\n
Non-AWS Alternatives<\/strong>: Trivy<\/strong> or Clair<\/strong> for open-source scanning, integrated into CI\/CD pipelines.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
OPA\/Gatekeeper<\/strong>\n
\n
Enforces policies like \u201cno container runs as root\u201d or \u201conly signed images are deployed.\u201d<\/li>\n\n\n\n
Alternatives<\/strong>: Kyverno<\/strong>, Kubewarden<\/strong> for policy-as-code approaches.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Kubernetes Network Policies<\/strong>\n
\n
Minimizes lateral movement in case one pod is compromised.<\/li>\n\n\n\n
Enhanced Tools<\/strong>: Istio<\/strong> or Linkerd<\/strong> for mTLS between services, providing zero-trust networking.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n\n\n\n\n
4. Load Balancing and Traffic Encryption<\/h2>\n\n\n\n
This config ensures an ALB is created, uses a specified SSL certificate (ACM), and routes traffic to pods on port 8080.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Certificate Management<\/strong>\n
\n
Use AWS Certificate Manager (ACM)<\/strong> to provision\/renew certificates automatically.<\/li>\n\n\n\n
For multi-domain or wildcard certs, validate ownership via DNS or email.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Health Checks & Redirection<\/strong>\n
\n
Configure HTTP \u2192 HTTPS redirection at the ALB level, forcing secure connections.<\/li>\n\n\n\n
Health checks set to a custom path (e.g., \/health<\/code>) with an HTTP 200 OK response.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n
\n<\/figure><\/div>\n\n\n
This screenshot provides essential information about an Application Load Balancer (ALB)<\/strong> named my-go-app-lb<\/strong>, including its type (Internet-facing), the AWS region and subnets it spans (eu-west-3a\/b), and the DNS name used to route traffic. You can also see the listener on port 80 forwarding requests to a target group (my-go-app-target-group<\/strong>), where stickiness is disabled. The ARN references, hosted zone, and creation date supply further context on the load balancer\u2019s operational details, though any sensitive identifiers\u2014like ARN or DNS name\u2014are best redacted or partially hidden when sharing publicly for security.<\/p>\n\n\n\n
4.2 Security Group Rules<\/h3>\n\n\n\n\n
Inbound<\/strong>\n
\n
Permit port 443 from the Internet, optionally allow port 80 only for an immediate redirect.<\/li>\n\n\n\n
If internal-only, set the load balancer as an \u201cinternal ALB\u201d in the scheme annotation.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Outbound<\/strong>\n
\n
Let the ALB connect to EKS nodes on the required node port or cluster IP.<\/li>\n\n\n\n
If pods require external calls (e.g., to third-party APIs), confirm those egress rules are tightly scoped.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Additional Hardening<\/strong>\n
\n
For advanced setups, combine the ALB with AWS WAF to filter malicious payloads.<\/li>\n\n\n\n
Export ALB logs to S3 or a SIEM platform and analyze patterns in real time.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Recommended Cybersecurity Tools<\/h4>\n\n\n\n
\n
AWS WAF<\/strong>\n
\n
Define rules to detect\/block common attacks (SQL injection, XSS).<\/li>\n\n\n\n
Non-AWS<\/strong>: ModSecurity<\/strong> (as a WAF engine with Apache\/nginx) or Cloudflare WAF<\/strong> for broader multi-cloud or edge coverage.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
AWS Firewall Manager<\/strong>\n
\n
Centralize WAF or Shield Advanced policies across multiple accounts.<\/li>\n\n\n\n
Alternatives<\/strong>: Imperva Cloud WAF<\/strong>, Akamai<\/strong> for distributed security enforcement.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
AWS Shield Advanced<\/strong>\n
\n
Enhanced DDoS mitigation for ALB, CloudFront, and Route 53.<\/li>\n\n\n\n
Non-AWS<\/strong>: Cloudflare DDoS Protection<\/strong>, Radware<\/strong> for enterprise-level DDoS defense.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n\n\n\n\n
5. Main Challenges: IAM and Load Balancing<\/h2>\n\n\n\n
5.1 IAM (Identity & Access Management)<\/h3>\n\n\n\n\n
Granular Policies<\/strong>\n
\n
Use JSON-based IAM policies specifying allowed actions, resources, and conditions.<\/li>\n\n\n\n
Tools like IAM Access Analyzer<\/strong> help find roles granting external or overly broad access.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
![\"\"](\"https:\/\/www.raczynski.online\/wp-content\/uploads\/2025\/01\/image-9-1024x281.png\")
<\/figure><\/div>\n\n\n![\"\"](\"https:\/\/www.raczynski.online\/wp-content\/uploads\/2025\/01\/image-12-1024x644.png\")
<\/figure><\/div>\n\n\n![\"\"](\"https:\/\/www.raczynski.online\/wp-content\/uploads\/2025\/01\/image-14-1024x519.png\")
<\/figure><\/div>\n\n\n