# SecureCart Journey

SecureCart is an **AWS-native e-commerce platform** that prioritizes **security, scalability, and resilience** across all workloads. As SecureCart expands, **securing workloads and applications** becomes a top priority to protect customer data, maintain compliance, and prevent unauthorized access.

This section focuses on **how SecureCart secures its applications and workloads** in AWS by leveraging AWS security best practices, secure network configurations, and access control mechanisms.

***

### **Secure Application Configuration & Credentials**

**Goal:** Prevent credential leaks and unauthorized access to configuration data.

#### **Implementation**

* **Use AWS Secrets Manager** to store sensitive data such as
  * Database credentials (Amazon RDS PostgreSQL), which Secrets Manager can rotate automatically
  * API keys for payment gateways
  * OAuth tokens for third-party services
* **IAM Role-based access** ensures that
  * Only authorized applications retrieve secrets: the ECS task execution role is granted `secretsmanager:GetSecretValue` on the specific secret ARNs it needs, never on `*`.
  * Developers do not have direct access to production secrets.
* **AWS Systems Manager Parameter Store** holds **non-sensitive application configuration** (feature flags, service endpoints, timeouts), so configuration and secrets are stored, permissioned and audited separately.

**Use Case:** SecureCart's ECS Fargate tasks receive RDS credentials from AWS Secrets Manager at launch: the task definition references the secret ARN in its `secrets` block and ECS injects the value into the container, so credentials appear neither in application code nor in the task definition.
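The separation above is easy to undo by accident: a developer adds `DB_PASSWORD` to the `environment` block "just for staging", or the execution role is granted `GetSecretValue` on `*`. The following audit script is an added example (not SecureCart's own tooling) that checks a task definition and an execution-role policy for exactly those two regressions. The task definitions, policies, ARNs and variable names in it are constructed samples.

```python
"""Audit an ECS task definition and its execution-role policy for
credentials handled outside Secrets Manager.

Added example, not SecureCart's code. The task definitions, policies,
ARNs and variable names below are constructed samples."""
import re

# Variable names that usually carry a credential.
SENSITIVE_NAME = re.compile(
    r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL", re.IGNORECASE)
# Values that look like a credential even under an innocent name:
# AWS access key IDs, Stripe-style keys, and DSNs that embed a password.
SENSITIVE_VALUE = re.compile(
    r"^(AKIA[0-9A-Z]{16}$|sk_(live|test)_[0-9A-Za-z]{8,}$|[a-z]+://[^:/@]+:[^@]+@)")
# The only acceptable 'valueFrom' targets: Secrets Manager or Parameter Store.
SECRET_ARN = re.compile(
    r"^arn:aws:(secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:]+"
    r"|ssm:[a-z0-9-]+:\d{12}:parameter/.+)")


def audit_task_definition(task_def):
    """Return one finding per credential that is exposed as a plaintext
    environment variable, or injected from something other than a
    Secrets Manager / Parameter Store ARN."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        cname = container.get("name", "?")
        for env in container.get("environment", []):
            key, value = env.get("name", ""), str(env.get("value", ""))
            if SENSITIVE_NAME.search(key) or SENSITIVE_VALUE.match(value):
                findings.append(f"{cname}: '{key}' is a plaintext environment "
                                f"variable; move it to the 'secrets' block")
        for secret in container.get("secrets", []):
            if not SECRET_ARN.match(secret.get("valueFrom", "")):
                findings.append(f"{cname}: secret '{secret.get('name')}' does not "
                                f"reference a Secrets Manager or Parameter Store ARN")
    return findings


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def broad_secret_statements(policy):
    """Return Allow statements that let the role read *every* secret:
    GetSecretValue (or a wildcard) combined with a '*' or 'secret:*' resource."""
    broad = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        reads_secrets = any(a in ("secretsmanager:GetSecretValue", "secretsmanager:*", "*")
                            for a in actions)
        any_secret = any(r == "*" or r.endswith(":secret:*") for r in resources)
        if reads_secrets and any_secret:
            broad.append(st)
    return broad


# --- constructed samples ---------------------------------------------------
RDS_SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:securecart/rds-AbC123"

INSECURE_TASK = {"family": "securecart-api", "containerDefinitions": [{
    "name": "api",
    "environment": [
        {"name": "DB_HOST", "value": "db.securecart.internal"},
        {"name": "DB_PASSWORD", "value": "hunter2"},                       # caught by name
        {"name": "DATABASE_URL",                                           # caught by value
         "value": "postgresql://app:hunter2@db.securecart.internal/shop"},
    ]}]}

SECURE_TASK = {"family": "securecart-api", "containerDefinitions": [{
    "name": "api",
    "environment": [{"name": "DB_HOST", "value": "db.securecart.internal"}],
    "secrets": [
        # ':password::' selects one JSON key of the secret; ECS resolves it at launch.
        {"name": "DB_PASSWORD", "valueFrom": RDS_SECRET + ":password::"},
        {"name": "FEATURE_FLAGS",
         "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/securecart/flags"},
    ]}]}

BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": RDS_SECRET}]}

if __name__ == "__main__":
    for label, task in (("insecure", INSECURE_TASK), ("secure", SECURE_TASK)):
        print(label, audit_task_definition(task))
    print("broad policy statements:", len(broad_secret_statements(BROAD_POLICY)))
```

Run it as a CI step against `aws ecs describe-task-definition` output and the execution role's policy document; a non-empty findings list fails the pipeline before the task definition is registered.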

***

### **Implement Network Segmentation & Security**

**Goal:** Enforce network-level security to isolate workloads and minimize exposure.

#### **Implementation**

* **VPC Architecture & Segmentation**
  * **Public Subnets** → Only internet-facing Load Balancers (ALB) and NAT gateways. API Gateway is a managed endpoint outside the VPC and reaches private backend services through a VPC link rather than living in a subnet.
  * **Private Subnets** → ECS/EC2 backend services in one tier and RDS databases in a separate database tier, with no route to an internet gateway.
* **Security Groups**
  * Restrict inbound/outbound access for each application component. Security groups are **stateful** (the reply to an allowed connection is allowed automatically) and **allow-only**: there are no deny rules, so any traffic not matched by a rule is denied implicitly. Rules reference other security groups by ID rather than CIDR ranges wherever possible, so they keep working when tasks are rescheduled to new addresses.

#### **Security Group Rules for SecureCart Components**

| **Component**                       | **Traffic Type** | **Source / Destination**                         | **Port Range** | **Direction** | **Purpose**                                                                              |
| ----------------------------------- | ---------------- | ------------------------------------------------ | -------------- | ------------- | ---------------------------------------------------------------------------------------- |
| **Application Load Balancer (ALB)** | HTTP/HTTPS       | 0.0.0.0/0 (Public)                               | 80, 443        | Inbound       | Accepts web traffic from customers (port 80 is kept only to redirect clients to HTTPS).  |
| **Application Load Balancer (ALB)** | HTTP             | Backend Security Group                           | 8080           | Outbound      | Forwards requests to backend targets.                                                    |
| **ECS/EC2 Backend Services**        | HTTP             | ALB Security Group                               | 8080           | Inbound       | Only allows traffic from the ALB; no other inbound rule exists.                          |
| **ECS/EC2 Backend Services**        | PostgreSQL       | RDS Security Group                               | 5432           | Outbound      | Allows backend services to connect to RDS.                                               |
| **ECS/EC2 Backend Services**        | HTTPS            | S3 / Secrets Manager (VPC endpoints or the S3 prefix list) | 443  | Outbound      | Allows secure connection to AWS services like S3 and Secrets Manager.                    |
| **Amazon RDS (PostgreSQL)**         | PostgreSQL       | Backend Security Group                           | 5432           | Inbound       | Ensures only backend services can access the database.                                   |
| **Lambda Functions**                | HTTPS            | AWS service endpoints                            | 443            | Outbound      | Allows Lambda to interact with AWS APIs securely.                                        |

Because security groups cannot express deny rules, "block direct internet access" is not a row in the table: it follows from the absence of any inbound rule other than the ALB (for backend tasks) or the backend group (for RDS). The private subnets additionally have no route to an internet gateway, so even a mistaken `0.0.0.0/0` allow on a backend group would not make a task reachable from the internet.

* **Network ACLs (NACLs)**
  * Provide a second, subnet-level filter in front of the security groups. NACLs are **stateless**, are evaluated in ascending rule number with the first match deciding, and end with the default `*` rule that denies anything left over. Because replies are not tracked, every NACL also needs rules for the **ephemeral port range (1024-65535)** in the reverse direction; without them a connection is admitted but its response is dropped.

#### **Network ACL (NACL) Rules for SecureCart Subnets**

| **Rule #** | **Subnet Type**                           | **Traffic Type** | **Source/Destination CIDR** | **Port Range** | **Direction** | **Action** | **Purpose**                                                          |
| ---------- | ----------------------------------------- | ---------------- | --------------------------- | -------------- | ------------- | ---------- | -------------------------------------------------------------------- |
| 100        | **Public Subnet (ALB)**                   | HTTP/HTTPS       | 0.0.0.0/0 (Internet)        | 80, 443        | Inbound       | Allow      | Allows public web traffic to the ALB.                                |
| 110        | **Public Subnet (ALB)**                   | TCP              | Private App Subnet          | 1024-65535     | Inbound       | Allow      | Returns backend responses to the ALB (stateless return path).        |
| 120        | **Public Subnet (ALB)**                   | HTTP             | Private App Subnet          | 8080           | Outbound      | Allow      | Forwards requests to backend services.                               |
| 130        | **Public Subnet (ALB)**                   | TCP              | 0.0.0.0/0                   | 1024-65535     | Outbound      | Allow      | Returns responses to customers.                                      |
| *          | **Public Subnet (ALB)**                   | All              | 0.0.0.0/0                   | All            | In/Out        | Deny       | Default rule: blocks everything not matched above.                   |
| 200        | **Private Subnet (ECS/Backend Services)** | HTTP             | Public Subnet               | 8080           | Inbound       | Allow      | Allows the ALB to send traffic to backend services.                  |
| 210        | **Private Subnet (ECS/Backend Services)** | TCP              | 0.0.0.0/0                   | 1024-65535     | Inbound       | Allow      | Returns responses from RDS and from AWS APIs (S3, Secrets Manager).  |
| 220        | **Private Subnet (ECS/Backend Services)** | TCP              | Public Subnet               | 1024-65535     | Outbound      | Allow      | Returns responses to the ALB.                                        |
| 230        | **Private Subnet (ECS/Backend Services)** | PostgreSQL       | Database Subnet             | 5432           | Outbound      | Allow      | Allows backend services to connect to RDS.                           |
| 240        | **Private Subnet (ECS/Backend Services)** | HTTPS            | 0.0.0.0/0                   | 443            | Outbound      | Allow      | Allows secure AWS API access (e.g., S3, Secrets Manager).            |
| *          | **Private Subnet (ECS/Backend Services)** | All              | 0.0.0.0/0                   | All            | In/Out        | Deny       | Default rule: blocks everything not matched above.                   |
| 300        | **Database Subnet (RDS)**                 | PostgreSQL       | Private App Subnet          | 5432           | Inbound       | Allow      | Ensures only backend services can reach the database.                |
| 310        | **Database Subnet (RDS)**                 | TCP              | Private App Subnet          | 1024-65535     | Outbound      | Allow      | Returns query results to backend services.                           |
| *          | **Database Subnet (RDS)**                 | All              | 0.0.0.0/0                   | All            | In/Out        | Deny       | Default rule: no other inbound or outbound traffic.                  |

Rule 210 is the price of statelessness: admitting return traffic on 1024-65535 from anywhere also admits a fresh connection to port 8080 from anywhere at the subnet layer. The security group (which only accepts 8080 from the ALB's group) and the missing internet-gateway route are what actually keep the backend unreachable; the NACL is a coarse backstop, not the primary control.
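To make the interaction between the two layers concrete, here is an added example (not SecureCart's code) that models security-group and NACL evaluation for the backend tier described in the two tables above and runs a few sessions through it. The CIDRs, rule numbers, security-group IDs and addresses are assumptions chosen for the demonstration; the rule semantics (stateful allow-only groups, stateless first-match ACLs) are AWS's.

```python
"""Model how security groups (stateful, allow-only) and network ACLs
(stateless, numbered, first match wins) jointly decide whether a TCP
session between two SecureCart components can complete.

Added example, not SecureCart's code. The CIDRs, rule numbers,
security-group IDs and addresses are assumptions for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_SUBNET = "10.0.1.0/24"   # ALB tier (assumed)
EPHEMERAL = (1024, 65535)       # range AWS recommends opening for return traffic


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order
    egress: bool     # False = inbound to the subnet, True = outbound
    cidr: str
    ports: tuple     # (low, high) inclusive
    action: str      # "allow" or "deny"


def nacl_decision(rules, egress, peer_ip, port):
    """The lowest-numbered rule matching direction, peer CIDR and port
    decides; the implicit '*' rule denies whatever nothing matched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.egress != egress or not (r.ports[0] <= port <= r.ports[1]):
            continue
        if ip_address(peer_ip) in ip_network(r.cidr):
            return r.action
    return "deny"


@dataclass(frozen=True)
class SgRule:
    egress: bool
    source: str      # a CIDR or another security group's ID
    ports: tuple


def sg_permits(rules, egress, peer_sg, peer_ip, port):
    """Security groups have no deny rules: one matching allow is enough and
    no match means implicit deny. A rule may name a peer security group
    (preferred) or a CIDR."""
    for r in rules:
        if r.egress != egress or not (r.ports[0] <= port <= r.ports[1]):
            continue
        if r.source == peer_sg:
            return True
        try:
            if ip_address(peer_ip) in ip_network(r.source):
                return True
        except ValueError:      # source is a security-group ID, not a CIDR
            pass
    return False


def session_allowed(server_nacl, server_sg, client_ip, client_sg,
                    server_port, client_port=40000):
    """A client's connection succeeds only if the request can enter the
    server's subnet AND the reply can leave it. The security group is
    consulted once, because it tracks the connection and lets the reply
    through; the stateless NACL is consulted in both directions."""
    request_in = nacl_decision(server_nacl, False, client_ip, server_port) == "allow"
    reply_out = nacl_decision(server_nacl, True, client_ip, client_port) == "allow"
    sg_ok = sg_permits(server_sg, False, client_sg, client_ip, server_port)
    return request_in and reply_out and sg_ok


# Backend security group: only the ALB's group may reach the task port.
BACKEND_SG = [
    SgRule(False, "sg-alb", (8080, 8080)),
    SgRule(True, "sg-rds", (5432, 5432)),
    SgRule(True, "0.0.0.0/0", (443, 443)),
]

# App-subnet NACL with application ports only: no return-traffic rules.
APP_NACL_NO_EPHEMERAL = [
    NaclRule(200, False, PUBLIC_SUBNET, (8080, 8080), "allow"),
    NaclRule(230, True, "0.0.0.0/0", (443, 443), "allow"),
]
# The same NACL with the stateless return paths added.
APP_NACL = APP_NACL_NO_EPHEMERAL + [
    NaclRule(210, False, "0.0.0.0/0", EPHEMERAL, "allow"),    # replies from RDS / AWS APIs
    NaclRule(240, True, PUBLIC_SUBNET, EPHEMERAL, "allow"),   # replies back to the ALB
]

ALB_IP = "10.0.1.10"
INTERNET_IP = "203.0.113.7"


def demo():
    return {
        # Request enters, but the reply is dropped by the NACL: TCP never completes.
        "alb_without_ephemeral": session_allowed(APP_NACL_NO_EPHEMERAL, BACKEND_SG, ALB_IP, "sg-alb", 8080),
        "alb_with_ephemeral": session_allowed(APP_NACL, BACKEND_SG, ALB_IP, "sg-alb", 8080),
        # The ephemeral inbound rule admits 8080 from anywhere at the subnet
        # layer; the security group is what actually stops the session.
        "internet_nacl_only": nacl_decision(APP_NACL, False, INTERNET_IP, 8080),
        "internet_session": session_allowed(APP_NACL, BACKEND_SG, INTERNET_IP, "sg-none", 8080),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first two results show why the ephemeral rules are mandatory, and the last two show why the security group, not the NACL, is the control that keeps port 8080 off the internet.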

* **AWS WAF (Web Application Firewall)**
  * Protects API Gateway and ALB from attacks like SQL Injection and XSS.

The following **AWS WAF rule set** is applied to **SecureCart’s ALB and API Gateway**.

| **Rule Name**                            | **Type**                                                       | **Action**                                          | **Purpose**                                                                                                                                              |
| ---------------------------------------- | -------------------------------------------------------------- | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Block SQL Injection                      | AWS Managed Rule Group (`AWSManagedRulesSQLiRuleSet`)          | Block                                               | Prevents SQL Injection attempts in query strings, bodies, cookies and headers of API requests.                                                           |
| Block XSS Attacks                        | AWS Managed Rule Group (`AWSManagedRulesCommonRuleSet`)        | Block                                               | Protects against script injection in web forms.                                                                                                         |
| Rate Limiting                            | Rate-Based Rule                                                | Block a source IP exceeding 100 requests in 5 min   | Prevents bot-driven brute-force attacks. 100 requests per 5 minutes is below normal browsing rates, so the rule should be scoped to the login and checkout paths rather than the whole site. |
| Block Known Malicious IPs                | AWS Managed Rule Group (`AWSManagedRulesAmazonIpReputationList`) | Block                                             | Uses AWS threat-intelligence feeds to block sources known for malicious activity.                                                                        |
| Block Requests from Unapproved Countries | Geo Match rule                                                 | Block                                               | Restricts access to SecureCart's API to U.S. and European countries.                                                                                     |

AWS maintains the managed rule groups, so while SecureCart runs the default (latest) version new signatures take effect without a deployment; pinning a specific rule-group version gives change control but then SecureCart must upgrade it itself. New managed rules are best deployed in **Count** mode first so false positives show up in the WAF logs before the action is switched to Block.

* **AWS Shield**
  * Defends SecureCart against **DDoS attacks** on its public endpoints. Shield Standard is enabled automatically and absorbs common network- and transport-layer floods; Shield Advanced adds tailored detection, response support and cost protection for the ALB.

**Use Case:** SecureCart's **RDS database is launched in the database subnet with public accessibility disabled**, so it has no public address; its security group accepts **port 5432 only from the backend security group**, which means **only ECS tasks** can connect and all external access is blocked.

***

### **Enforce Secure Application Access**

**Goal:** Implement strong authentication and authorization mechanisms to prevent unauthorized access.

#### **Implementation**

* **Amazon Cognito for Authentication**
  * SecureCart customers authenticate via **Cognito User Pools** before accessing the platform and receive short-lived JWTs (ID and access tokens).
* **IAM Role-based Access for Services**
  * **ECS tasks assume IAM roles** (task roles) to interact with S3 and DynamoDB; no long-lived access keys are present in the containers.
  * **Lambda functions assume roles** (execution roles) to process customer orders securely.
* **API Gateway Authorization**
  * A **Cognito user pool authorizer** validates the token on every request (signature against the user pool's JWKS, expiry, issuer and audience/client ID) before the backend is invoked; requests without a valid token are rejected with `401`.

**Use Case:** SecureCart's **API Gateway allows only authenticated Cognito users** to fetch order history, ensuring **unauthorized requests are blocked**. Authentication at the gateway does not decide *which* orders a user may see: the backend must still compare the order's owner with the token's `sub` claim, otherwise any signed-in customer could request another customer's order ID.

***

### **Protecting Workloads from External Threats**

**Goal:** Detect, prevent, and mitigate security threats targeting SecureCart’s workloads.

#### **Implementation**

* **AWS GuardDuty**
  * Analyzes CloudTrail, VPC Flow Logs and DNS logs to flag **anomalous API calls, unauthorized access attempts, and data exfiltration**.
* **AWS WAF Rules**
  * Block **malicious traffic** such as SQL Injection and XSS attacks.
* **AWS Config**
  * Ensures compliance by continuously evaluating security settings (e.g., **encrypted S3 buckets, security group rules**) and flagging drift from the approved configuration.
* **AWS CloudTrail**
  * Records management API calls (and, where enabled, data events for S3 and Lambda) for **security auditing and investigation**, with log file validation enabled so tampering with the trail is detectable.

**Use Case:** If **AWS GuardDuty detects a brute-force attack** (for example an `UnauthorizedAccess:EC2/SSHBruteForce` finding), the finding is routed through EventBridge to a Lambda function that **automatically adds the attacker's IP to the WAF block list**. GuardDuty's brute-force findings concern SSH/RDP against EC2 instances, which the WAF (HTTP only) does not front, so the same automation should also add a deny entry to the affected subnet's NACL to stop the source at the subnet edge.
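The following Lambda handler is an added example (not SecureCart's deployed code) of the GuardDuty-to-WAF step in that use case. It separates the decision logic (which findings qualify, which addresses to block) from the WAFv2 call so the decision can be tested offline. The IP-set name and ID, the severity threshold and the sample finding are assumptions; the finding fields follow the shape of the GuardDuty event that EventBridge delivers.

```python
"""EventBridge-triggered Lambda that turns a GuardDuty brute-force finding
into an entry in the AWS WAF IP set referenced by SecureCart's web ACL.

Added example, not SecureCart's code. The IP-set name/ID, the severity
threshold and the sample finding are assumptions; the finding fields
follow the GuardDuty EventBridge event shape (detail.type,
detail.severity, detail.service.action...)."""
import ipaddress
import os

IP_SET_NAME = os.environ.get("WAF_IP_SET_NAME", "securecart-blocklist")               # assumed
IP_SET_ID = os.environ.get("WAF_IP_SET_ID", "00000000-0000-0000-0000-000000000000")  # assumed
WAF_SCOPE = "REGIONAL"     # web ACLs attached to an ALB or API Gateway
MIN_SEVERITY = 4.0         # assumption: ignore LOW findings (severity < 4)

# Never block these, even if a finding names them: RFC 1918, loopback, link-local.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def should_block(finding, min_severity=MIN_SEVERITY):
    """Only brute-force findings at or above the threshold trigger a block."""
    return "BruteForce" in finding.get("type", "") and \
        float(finding.get("severity", 0)) >= min_severity


def attacker_cidrs(finding):
    """Return the finding's remote addresses as the /32 (or /128) CIDRs an IP
    set expects. OUTBOUND connections are skipped, because there the remote
    host is the victim, and internal ranges are skipped so a misclassified
    internal host can never be blocked."""
    action = finding.get("service", {}).get("action", {})
    cidrs = set()
    for key in ("networkConnectionAction", "awsApiCallAction"):
        sub = action.get(key) or {}
        if sub.get("connectionDirection") == "OUTBOUND":
            continue
        details = sub.get("remoteIpDetails") or {}
        raw = details.get("ipAddressV4") or details.get("ipAddressV6")
        if not raw:
            continue
        addr = ipaddress.ip_address(raw)
        if any(addr in net for net in INTERNAL_RANGES):
            continue
        cidrs.add(str(ipaddress.ip_network(str(addr))))   # host route: x.x.x.x/32
    return sorted(cidrs)


def add_to_ip_set(cidrs):
    """Read-modify-write of the IP set. WAFv2 guards the write with a
    LockToken; a concurrent update raises WAFOptimisticLockException, and the
    Lambda retry simply re-reads and tries again."""
    import boto3   # imported here so the pure functions above run without the SDK
    waf = boto3.client("wafv2")
    current = waf.get_ip_set(Name=IP_SET_NAME, Scope=WAF_SCOPE, Id=IP_SET_ID)
    addresses = sorted(set(current["IPSet"]["Addresses"]) | set(cidrs))
    waf.update_ip_set(Name=IP_SET_NAME, Scope=WAF_SCOPE, Id=IP_SET_ID,
                      Addresses=addresses, LockToken=current["LockToken"])
    return addresses


def handler(event, context=None, sink=add_to_ip_set):
    """Lambda entry point. `sink` is injectable so the decision logic can be
    exercised without AWS credentials."""
    finding = event.get("detail", {})
    if not should_block(finding):
        return {"blocked": [], "reason": "finding type or severity not in scope"}
    cidrs = attacker_cidrs(finding)
    if cidrs:
        sink(cidrs)
    return {"blocked": cidrs, "reason": "ok" if cidrs else "no blockable remote address"}


# Constructed sample, shaped like the GuardDuty event EventBridge delivers.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "service": {"action": {"networkConnectionAction": {
            "connectionDirection": "INBOUND",
            "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
        }}},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, sink=lambda c: print("would add", c)))
```

The Lambda's role needs only `wafv2:GetIPSet` and `wafv2:UpdateIPSet` on that one IP set. Entries added this way never expire on their own, so pair the function with a scheduled job that removes addresses older than the retention period you decide on.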

***

### **Automating Security & Compliance**

**Goal:** Continuously enforce security controls and automatically respond to threats.

#### **Implementation**

* **AWS Security Hub**
  * Centralizes security findings across **GuardDuty, AWS Config, and IAM Access Analyzer** and scores them against the AWS Foundational Security Best Practices standard.
* **AWS Lambda for Automated Security Remediation**
  * Triggered by Security Hub findings delivered through EventBridge.
  * Automatically revokes excessive permissions when detected.
  * Deactivates IAM access keys that have not been used within the rotation period (deactivation is reversible, so a key that turns out to be needed can be restored without re-issuing it).
* **IAM Access Analyzer**
  * Identifies resource policies (S3 buckets, KMS keys, IAM roles, SQS queues) that grant access to principals outside the account or organization.
* **AWS Config Rules**
  * Ensure encryption is enabled for **S3, RDS, and EBS volumes** (managed rules `s3-bucket-server-side-encryption-enabled`, `rds-storage-encrypted` and `encrypted-volumes`).

**Use Case:** SecureCart evaluates every **new S3 bucket** with an **AWS Config rule** for default encryption and attaches a remediation action that applies the required setting when it is missing. Config only detects; the remediation action (or a bucket policy that rejects unencrypted `PutObject` requests) is what keeps the misconfiguration from persisting.
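The access-key remediation listed above has two edge cases that a naive "disable keys older than N days" job gets wrong: a key that is old but used every day should be rotated, not switched off under a running deployment, and a key that has never been used has no last-used date at all. The following is an added example (not SecureCart's code) that makes the decision explicitly and then applies it through the IAM API. The key records are constructed samples shaped like the output of `ListAccessKeys` plus `GetAccessKeyLastUsed`, the key IDs are fake, and the 90-day thresholds are assumptions.

```python
"""Decide which IAM access keys the remediation Lambda should deactivate,
and which it should only report for rotation, then deactivate them.

Added example, not SecureCart's code. The key records are constructed
samples shaped like IAM's ListAccessKeys + GetAccessKeyLastUsed output;
the 90-day thresholds are assumptions."""
from datetime import datetime, timedelta, timezone

MAX_UNUSED_DAYS = 90   # assumption: a key idle this long is deactivated
MAX_AGE_DAYS = 90      # assumption: an active key older than this is flagged for rotation


def classify_keys(keys, now, max_unused_days=MAX_UNUSED_DAYS, max_age_days=MAX_AGE_DAYS):
    """Split active keys into (deactivate, rotate). Each record carries
    UserName, AccessKeyId, Status, CreateDate and LastUsedDate (None when
    the key has never been used)."""
    deactivate, rotate = [], []
    for k in keys:
        if k["Status"] != "Active":
            continue                       # already disabled: nothing to do
        # A never-used key is judged by its creation date, so a key created
        # yesterday gets a grace period while a forgotten one is still caught.
        last_activity = k.get("LastUsedDate") or k["CreateDate"]
        if now - last_activity > timedelta(days=max_unused_days):
            deactivate.append(k)
        elif now - k["CreateDate"] > timedelta(days=max_age_days):
            rotate.append(k)               # in use, but overdue for rotation
    return deactivate, rotate


def deactivate_keys(keys):
    """Set each key Inactive (reversible, unlike DeleteAccessKey) and return
    the IDs touched. boto3 is imported lazily so classify_keys runs offline."""
    import boto3
    iam = boto3.client("iam")
    touched = []
    for k in keys:
        iam.update_access_key(UserName=k["UserName"], AccessKeyId=k["AccessKeyId"],
                              Status="Inactive")
        touched.append(k["AccessKeyId"])
    return touched


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def _key(user, key_id, status, age_days, unused_days):
    return {"UserName": user, "AccessKeyId": key_id, "Status": status,
            "CreateDate": NOW - timedelta(days=age_days),
            "LastUsedDate": None if unused_days is None else NOW - timedelta(days=unused_days)}


# Constructed sample; the key IDs are fake.
SAMPLE_KEYS = [
    _key("ci-deploy",      "AKIAEXAMPLE000000001", "Active",   400, 2),     # old but in daily use: rotate
    _key("old-contractor", "AKIAEXAMPLE000000002", "Active",   400, 200),   # idle for 200 days: deactivate
    _key("never-used",     "AKIAEXAMPLE000000003", "Active",   120, None),  # never used, 120 days old: deactivate
    _key("new-hire",       "AKIAEXAMPLE000000004", "Active",   3,   None),  # never used, brand new: grace period
    _key("already-off",    "AKIAEXAMPLE000000005", "Inactive", 400, 300),   # already disabled: skip
]

if __name__ == "__main__":
    to_disable, to_rotate = classify_keys(SAMPLE_KEYS, NOW)
    print("deactivate:", [k["AccessKeyId"] for k in to_disable])
    print("rotate:", [k["AccessKeyId"] for k in to_rotate])
```

In production the records come from `iam.list_access_keys` and `iam.get_access_key_last_used` for each user, and the `rotate` list is what the Security Hub finding or ticket should carry; only the `deactivate` list is passed to `deactivate_keys`.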
