Security

 

1. Data Encryption at Rest and in Motion

Encryption at Rest:

  • Amazon S3: Server-side encryption with S3-managed keys (SSE-S3) is enabled for the React build files.

  • Amazon RDS: RDS encryption with AWS KMS encrypts the database instance and its automated backups, read replicas, and snapshots. At the database field level, sensitive data such as connection parameters is also encrypted.

  • Elastic Beanstalk: Elastic Beanstalk environments use encrypted EBS volumes.

Encryption in Motion:

  • Amazon CloudFront: HTTPS is enabled for secure data transfer between clients and CloudFront, using TLS/SSL certificates.

  • Elastic Beanstalk: Elastic Beanstalk environments support HTTPS for secure communication between the application and clients.

  • Amazon RDS: Uses SSL/TLS to encrypt connections to the PostgreSQL database.

2. Data Transfer Protocols

  • Amazon CloudFront to S3: HTTPS is used to transfer React build files between S3 and CloudFront.

  • Client to CloudFront: HTTPS is used to ensure secure communication between the end-users' browsers and CloudFront.

  • Elastic Beanstalk to RDS: Uses JDBC with SSL enabled for secure database connections.

  • Internal Communication: Uses VPC endpoints and private IP addresses for communication between different AWS services to avoid exposure to the internet.

 

3. Security Overview

  • Identity and Access Management (IAM): Enforces least-privilege access by creating specific roles for each service. IAM policies restrict access to S3 buckets, RDS instances, and other resources.

  • VPC Security Groups: Security groups are configured to allow only necessary traffic between components. For example, inbound access to Elastic Beanstalk environments is restricted to CloudFront and internal services.

  • Monitoring and Logging: Uses AWS CloudWatch for monitoring application performance and health, and AWS CloudTrail for logging API calls made within the AWS account for auditing purposes.

  • AWS WAF: Provides additional security by filtering and monitoring HTTP/HTTPS requests to CloudFront.
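
The security-group restriction described above (inbound access only from CloudFront and internal services) can be checked offline against the JSON that `aws ec2 describe-security-groups` returns. The following is an added example, not part of the original documentation; the function name, the group and prefix-list IDs, the VPC CIDR, and the treatment of "internal" as "inside the VPC CIDR or an allowed security group" are assumptions.

```python
import ipaddress

def audit_inbound(groups, vpc_cidr, allowed_prefix_lists, allowed_groups):
    """Flag inbound sources outside the VPC and the allowed prefix lists/groups."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg in groups["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            # IpProtocol "-1" means all protocols; those rules carry no port fields.
            ports = ("all" if rule.get("IpProtocol") == "-1"
                     else f'{rule.get("FromPort")}-{rule.get("ToPort")}')
            flagged = []
            for r in rule.get("IpRanges", []):
                net = ipaddress.ip_network(r["CidrIp"], strict=False)
                if net.prefixlen == 0:
                    flagged.append((r["CidrIp"], "open to the internet"))
                elif not net.subnet_of(vpc):
                    flagged.append((r["CidrIp"], "CIDR outside the VPC"))
            # Assumption: the VPC is IPv4-only, so any IPv6 source is external.
            for r in rule.get("Ipv6Ranges", []):
                flagged.append((r["CidrIpv6"], "IPv6 source"))
            for p in rule.get("PrefixListIds", []):
                if p["PrefixListId"] not in allowed_prefix_lists:
                    flagged.append((p["PrefixListId"], "unexpected prefix list"))
            for g in rule.get("UserIdGroupPairs", []):
                if g["GroupId"] not in allowed_groups:
                    flagged.append((g["GroupId"], "unexpected security group"))
            findings += [(sg["GroupId"], ports, src, why) for src, why in flagged]
    return findings

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# All IDs and CIDRs are placeholders, not values from this deployment.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-api-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "PrefixListIds": [{"PrefixListId": "pl-cloudfront-example"}]}]},
    {"GroupId": "sg-engine-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-api-example"}],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-api-example"}],
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "10.0.2.0/24"}]}]},
]}

if __name__ == "__main__":
    print(audit_inbound(SAMPLE, "10.0.0.0/16", {"pl-cloudfront-example"}, {"sg-api-example"}))
```

On the constructed sample, the API group passes, while the Engine and database groups are each flagged for one CIDR source that bypasses the intended CloudFront and internal-only path.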

Data Flow

 

  1. Client (Browser):

    • Users access the application through a web browser.

  2. AWS WAF:

    • Provides additional security by filtering and monitoring HTTP/HTTPS requests to CloudFront.

  3. Amazon CloudFront and Amazon S3:

    • Distributes React build files stored in Amazon S3 and serves them to users via HTTPS.

    • Acts as a proxy for API calls from the React frontend to the API service hosted on AWS Elastic Beanstalk.

    • Data is encrypted at rest using SSE-S3.

  4. AWS Elastic Beanstalk (API):

    • Hosts the API service. The environment is configured to use HTTPS for secure communication.

    • Communicates with the PostgreSQL database on Amazon RDS.

    • Connects to the Engine service hosted on AWS Elastic Beanstalk (Engine).

  5. AWS Elastic Beanstalk (Engine):

    • Hosts the Engine service. The environment is configured to use HTTPS for secure communication.

    • Communicates with the PostgreSQL database on Amazon RDS.

    • Receives requests from the API service.

  6. Amazon RDS (PostgreSQL):

    • Stores application data. The database is encrypted at rest using AWS KMS and connections are secured with SSL/TLS.

Data Transfer and Security Overview

  1. Client to CloudFront:

    • Protocol: HTTPS

    • Encryption: TLS/SSL

  2. CloudFront to S3:

    • Protocol: HTTPS

    • Encryption: TLS/SSL

  3. CloudFront to Elastic Beanstalk (API):

    • Protocol: HTTPS

    • Encryption: TLS/SSL

  4. Elastic Beanstalk (API) to Elastic Beanstalk (Engine):

    • Protocol: HTTPS

    • Encryption: TLS/SSL

  5. Elastic Beanstalk (API/Engine) to RDS:

    • Protocol: Encrypted JDBC

    • Encryption: SSL/TLS

  6. Elastic Beanstalk (API/Engine) to S3:

    • Protocol: HTTPS

    • Encryption: TLS/SSL