# SecureCart Journey

SecureCart is an **AWS-native e-commerce platform** that prioritizes **security, scalability, and resilience** across all workloads. As SecureCart expands, **securing workloads and applications** becomes a top priority to protect customer data, maintain compliance, and prevent unauthorized access.

This section focuses on **how SecureCart secures its applications and workloads** in AWS by leveraging AWS security best practices, secure network configurations, and access control mechanisms.

***

### **Secure Application Configuration & Credentials**

**Goal:** Prevent credential leaks and unauthorized access to configuration data.

#### **Implementation**

* **Use AWS Secrets Manager** to store sensitive data such as:
  * Database credentials (Amazon RDS PostgreSQL)
  * API keys for payment gateways
  * OAuth tokens for third-party services
* **IAM Role-based access** ensures that:
  * Only authorized applications retrieve secrets.
  * Developers do not have direct access to production secrets.
* **AWS Systems Manager Parameter Store** manages **non-sensitive application configuration** separately, so that configuration reads never require permission on the secrets themselves.

**Use Case:** SecureCart’s ECS Fargate tasks retrieve RDS credentials from AWS Secrets Manager, ensuring credentials are never stored in application code.
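The retrieval pattern described above, written out as an added example rather than SecureCart's own code: the task role gets a policy that names a single secret and a single action, and the task reads the secret through a short-lived cache so that rotated credentials are picked up without calling the API on every request. The secret ARN, the secret's contents, the database host and the `FakeSecretsManager` stand-in are constructed so the script runs without AWS; in the task, `boto3.client("secretsmanager")` takes the fake's place.

```python
"""Retrieve RDS credentials from AWS Secrets Manager inside an ECS task.

Added example (not SecureCart's code). The policy shape and the get_secret_value
call follow IAM and boto3; the secret ARN, secret value, DB host and the fake
client are constructed so the script runs offline.
"""
import json
import time

# Constructed identifier; a real task takes it from the task definition's environment.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:securecart/prod/rds-AbCdEf"


def task_role_secret_policy(secret_arn):
    """Least-privilege inline policy for the ECS task role: one action, one secret.

    Developer roles simply get no statement for the production secret, which is how
    the page's "no direct access to production secrets" rule is enforced in IAM.
    """
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "secretsmanager:GetSecretValue",
                           "Resource": secret_arn}]}


def policy_is_scoped(policy):
    """Reject wildcard actions or resources; a cheap guard for CI or a custom Config rule."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            return False
    return True


class SecretCache:
    """Fetch a secret at most once per TTL so rotation is picked up without hammering the API.

    `client` is anything with Secrets Manager's get_secret_value(SecretId=...) signature:
    boto3.client("secretsmanager") in the task, or the constructed fake below in tests.
    """

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client, self._ttl, self._clock = client, ttl_seconds, clock
        self._cache = {}

    def get_json(self, secret_id):
        now = self._clock()
        hit = self._cache.get(secret_id)
        if hit and now - hit[0] < self._ttl:
            return hit[1]
        resp = self._client.get_secret_value(SecretId=secret_id)
        value = json.loads(resp["SecretString"])   # never log `value`: it holds the password
        self._cache[secret_id] = (now, value)
        return value


def rds_dsn(creds):
    """libpq-style connection string from the secret's JSON fields.

    Secrets Manager's RDS secrets carry username/password/host/port/dbname keys;
    sslmode=require keeps the DB session encrypted even inside the private subnet.
    """
    return (f"host={creds['host']} port={creds['port']} dbname={creds['dbname']} "
            f"user={creds['username']} password={creds['password']} sslmode=require")


class FakeSecretsManager:
    """Constructed stand-in for boto3's client so the example runs without AWS."""

    def __init__(self):
        self.calls = 0
        self._secret = {"username": "securecart_app", "password": "constructed-placeholder",
                        "host": "rds.internal.example", "port": 5432, "dbname": "securecart"}

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId != SECRET_ARN:   # mimics AccessDeniedException for any other secret
            raise PermissionError("task role may only read the production RDS secret")
        return {"ARN": SecretId, "SecretString": json.dumps(self._secret)}


if __name__ == "__main__":
    fake = FakeSecretsManager()
    cache = SecretCache(fake)
    creds = cache.get_json(SECRET_ARN)
    cache.get_json(SECRET_ARN)          # served from cache: still a single API call
    print("policy scoped:", policy_is_scoped(task_role_secret_policy(SECRET_ARN)))
    print("api calls:", fake.calls, "db host:", creds["host"])
```

ECS can also inject the value through the task definition's `secrets` field (`valueFrom` set to the secret ARN), which keeps the credential out of the image and the code alike; the cache above is for code that reads at runtime and wants rotation picked up without a redeploy. In both cases the value must never reach application logs.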

***

### **Implement Network Segmentation & Security**

**Goal:** Enforce network-level security to isolate workloads and minimize exposure.

#### **Implementation**

* **VPC Architecture & Segmentation**
  * **Public Subnets** → Only for Load Balancers (ALB) and API Gateway.
  * **Private Subnets** → Application servers, RDS databases, and backend services.
* **Security Groups**
  * Restrict inbound/outbound access for each application component.

#### **Security Group Rules for SecureCart Components**

| **Component**                       | **Traffic Type** | **Source / Destination**       | **Port Range** | **Direction** | **Purpose**                                                                |
| ----------------------------------- | ---------------- | ------------------------------ | -------------- | ------------- | -------------------------------------------------------------------------- |
| **Application Load Balancer (ALB)** | HTTP/HTTPS       | 0.0.0.0/0 (Public)             | 80, 443        | Inbound       | Accepts web traffic from customers.                                        |
| **Application Load Balancer (ALB)** | HTTP             | ECS/EC2 Backend Security Group | 8080           | Outbound      | Sends traffic to backend services, which listen on 8080.                   |
| **ECS/EC2 Backend Services**        | HTTP             | ALB Security Group             | 8080           | Inbound       | Only allows traffic from the ALB.                                          |
| **ECS/EC2 Backend Services**        | Database         | RDS Security Group             | 5432           | Outbound      | Allows backend services to connect to RDS.                                 |
| **ECS/EC2 Backend Services**        | All              | Internet                       | (no rule)      | Inbound       | No inbound rule from the internet; the default deny blocks direct access.  |
| **ECS/EC2 Backend Services**        | HTTPS            | S3 (AWS Services)              | 443            | Outbound      | Allows secure connection to AWS services like S3.                          |
| **Amazon RDS (PostgreSQL)**         | Database         | ECS/EC2 Backend Security Group | 5432           | Inbound       | Ensures only backend services can access the database.                     |
| **Amazon RDS (PostgreSQL)**         | All              | Internet                       | (no rule)      | Inbound       | No inbound rule from the internet; direct database access is blocked.      |
| **Lambda Functions**                | HTTPS            | Internet                       | 443            | Outbound      | Allows Lambda to interact with AWS APIs securely.                          |

Security groups are stateful and contain only allow rules: the reply to permitted traffic is allowed automatically, and anything with no matching rule is denied. Referencing another security group as the source or destination (rather than a CIDR) keeps the rule correct when tasks are rescheduled and get new private IPs.

* **Network ACLs (NACLs)**
  * Provide stateless, subnet-level filtering in addition to the stateful security groups. Because a NACL keeps no connection state, return traffic on ephemeral ports must be allowed explicitly in each direction, and rules are evaluated in ascending number order with the first match winning.

#### **Network ACL (NACL) Rules for SecureCart Subnets**

| **Rule #** | **Subnet Type**                           | **Traffic Type** | **Source/Destination** | **Port Range** | **Direction** | **Action** | **Purpose**                                               |
| ---------- | ----------------------------------------- | ---------------- | ---------------------- | -------------- | ------------- | ---------- | --------------------------------------------------------- |
| 100        | **Public Subnet (ALB)**                   | HTTP/HTTPS       | 0.0.0.0/0 (Internet)   | 80, 443        | Inbound       | Allow      | Allows public web traffic to ALB.                         |
| 110        | **Public Subnet (ALB)**                   | All              | 0.0.0.0/0              | All            | Inbound       | Deny       | Blocks all other inbound traffic.                         |
| 120        | **Public Subnet (ALB)**                   | HTTP/HTTPS       | VPC CIDR               | 80, 443        | Outbound      | Allow      | Allows traffic to backend services.                       |
| 130        | **Public Subnet (ALB)**                   | All              | 0.0.0.0/0              | All            | Outbound      | Deny       | Blocks unintended outbound traffic.                       |
| 200        | **Private Subnet (ECS/Backend Services)** | HTTP             | Public Subnet (ALB)    | 8080           | Inbound       | Allow      | Allows ALB to send traffic to backend services.           |
| 210        | **Private Subnet (ECS/Backend Services)** | Database         | Database Subnet        | 5432           | Inbound       | Allow      | Allows backend services to connect to RDS.                |
| 220        | **Private Subnet (ECS/Backend Services)** | All              | 0.0.0.0/0              | All            | Inbound       | Deny       | Blocks all other inbound traffic.                         |
| 230        | **Private Subnet (ECS/Backend Services)** | HTTPS            | 0.0.0.0/0              | 443            | Outbound      | Allow      | Allows secure AWS API access (e.g., S3, Secrets Manager). |
| 300        | **Database Subnet (RDS)**                 | Database         | Private Subnet (ECS)   | 5432           | Inbound       | Allow      | Ensures only backend services can access the database.    |
| 310        | **Database Subnet (RDS)**                 | All              | 0.0.0.0/0              | All            | Inbound       | Deny       | Blocks unauthorized database access.                      |
| 320        | **Database Subnet (RDS)**                 | All              | 0.0.0.0/0              | All            | Outbound      | Deny       | Prevents unintended outbound connections.                 |
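Because a network ACL is stateless, each subnet's rule table must also admit the reply leg of every connection on ephemeral ports; as listed, the private-subnet table also has no outbound 5432 rule for the backend-to-RDS flow, and the public-subnet table no outbound 8080 rule for ALB-to-backend. The script below, added here and not part of SecureCart's own tooling, transcribes the NACL table as data, checks each intended flow in both directions with the same first-match-then-implicit-deny evaluation that AWS applies, and shows a corrected rule set that passes while still blocking direct internet access to the private and database subnets. The subnet labels, the sample ephemeral port and the rule numbers added for the corrected set are assumptions of the example.

```python
"""Stateless-NACL flow check for the SecureCart subnet rules (added example).

NACLs keep no connection state, so the request leg and the reply leg of every
TCP connection must each match an allow rule. The rule numbers in PAGE_NACLS
are the page's; subnet labels and the sample ephemeral port are constructed.
"""
from typing import NamedTuple

EPHEMERAL_PORT = 40000          # constructed sample client-side port
EPHEMERAL = ((1024, 65535),)    # ephemeral range AWS documents for NACL reply rules
ALL = ()                        # empty range list means "all ports"
VPC = {"public", "private", "database"}   # subnets covered by "VPC CIDR"


def ports(*single):
    """ports(80, 443) -> ((80, 80), (443, 443))."""
    return tuple((p, p) for p in single)


class Rule(NamedTuple):
    number: int      # evaluated in ascending order, first match wins
    direction: str   # "in" or "out"
    ranges: tuple    # destination port ranges
    peer: str        # "any", "vpc" or a subnet label
    action: str      # "allow" or "deny"


# Transcription of the page's NACL table.
PAGE_NACLS = {
    "public": [Rule(100, "in", ports(80, 443), "any", "allow"),
               Rule(110, "in", ALL, "any", "deny"),
               Rule(120, "out", ports(80, 443), "vpc", "allow"),
               Rule(130, "out", ALL, "any", "deny")],
    "private": [Rule(200, "in", ports(8080), "public", "allow"),
                Rule(210, "in", ports(5432), "database", "allow"),
                Rule(220, "in", ALL, "any", "deny"),
                Rule(230, "out", ports(443), "any", "allow")],
    "database": [Rule(300, "in", ports(5432), "private", "allow"),
                 Rule(310, "in", ALL, "any", "deny"),
                 Rule(320, "out", ALL, "any", "deny")],
}
# Same intent, plus the reply-leg rules and the outbound 8080/5432 rules the page lacks.
FIXED_NACLS = {
    "public": [Rule(100, "in", ports(80, 443), "any", "allow"),
               Rule(105, "in", EPHEMERAL, "private", "allow"),      # backend replies to ALB
               Rule(110, "in", ALL, "any", "deny"),
               Rule(120, "out", ports(8080), "private", "allow"),   # ALB -> backend
               Rule(125, "out", EPHEMERAL, "any", "allow"),         # ALB replies to clients
               Rule(130, "out", ALL, "any", "deny")],
    "private": [Rule(200, "in", ports(8080), "public", "allow"),
                Rule(205, "in", EPHEMERAL, "any", "allow"),         # replies from RDS and AWS APIs
                Rule(220, "in", ALL, "any", "deny"),
                Rule(230, "out", ports(443), "any", "allow"),
                Rule(235, "out", ports(5432), "database", "allow"), # backend -> RDS
                Rule(237, "out", EPHEMERAL, "public", "allow"),     # backend replies to ALB
                Rule(240, "out", ALL, "any", "deny")],
    "database": [Rule(300, "in", ports(5432), "private", "allow"),
                 Rule(310, "in", ALL, "any", "deny"),
                 Rule(315, "out", EPHEMERAL, "private", "allow"),   # RDS replies to backend
                 Rule(320, "out", ALL, "any", "deny")],
}


def _matches(rule, direction, peer, port):
    peer_ok = rule.peer in ("any", peer) or (rule.peer == "vpc" and peer in VPC)
    port_ok = not rule.ranges or any(lo <= port <= hi for lo, hi in rule.ranges)
    return rule.direction == direction and peer_ok and port_ok


def evaluate(nacl, direction, peer, port):
    """First matching rule wins; AWS appends an implicit deny-all ('*') rule."""
    for rule in sorted(nacl, key=lambda r: r.number):
        if _matches(rule, direction, peer, port):
            return rule.action
    return "deny"


def flow_allowed(nacls, src, dst, port):
    """True only if request and reply legs pass every NACL on the path ("internet" has none)."""
    legs = []
    if src in nacls:     # request leaves src; reply comes back to src's ephemeral port
        legs += [evaluate(nacls[src], "out", dst, port),
                 evaluate(nacls[src], "in", dst, EPHEMERAL_PORT)]
    if dst in nacls:     # request enters dst; reply leaves dst towards src's ephemeral port
        legs += [evaluate(nacls[dst], "in", src, port),
                 evaluate(nacls[dst], "out", src, EPHEMERAL_PORT)]
    return all(leg == "allow" for leg in legs)


# Flows the design intends to permit, and two it must keep blocked.
INTENDED = [("internet", "public", 443), ("public", "private", 8080),
            ("private", "database", 5432), ("private", "internet", 443)]
MUST_BLOCK = [("internet", "database", 5432), ("internet", "private", 8080)]

if __name__ == "__main__":
    for name, nacls in (("page rules", PAGE_NACLS), ("fixed rules", FIXED_NACLS)):
        print(name)
        for src, dst, port in INTENDED + MUST_BLOCK:
            ok = flow_allowed(nacls, src, dst, port)
            print(f"  {src:>8} -> {dst:<8} :{port:<5} {'allow' if ok else 'BLOCKED'}")
```

With the page's rules every intended flow is reported BLOCKED, each on its reply leg or on a missing outbound port. The ephemeral allow rules the fix adds are necessarily broad (1024-65535), which is why the security groups in the previous table remain the per-component control and the NACLs act as a coarse subnet backstop.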

* **AWS WAF (Web Application Firewall)**
  * Protects API Gateway and ALB from attacks like SQL Injection and XSS.

The following **AWS WAF rule set** is applied to **SecureCart’s ALB and API Gateway**.

| **Rule Name**                            | **Type**           | **Action**                       | **Purpose**                                                   |
| ---------------------------------------- | ------------------ | -------------------------------- | ------------------------------------------------------------- |
| Block SQL Injection                      | AWS Managed Rule   | Block                            | Prevents SQL Injection attempts targeting API requests.       |
| Block XSS Attacks                        | AWS Managed Rule   | Block                            | Protects against JavaScript injection in web forms.           |
| Rate Limiting                            | Rate-Based Rule    | Block if > 100 requests in 5 min | Prevents bot-driven brute force attacks.                      |
| Block Known Malicious IPs                | IP Reputation List | Block                            | Uses AWS Threat Intelligence feeds to block malicious actors. |
| Block Requests from Unapproved Countries | Geo-Blocking       | Block                            | Restricts access to SecureCart’s API to U.S. and Europe only. |

**AWS WAF automatically updates managed rulesets**, ensuring **continuous protection** against evolving threats.

* **AWS Shield**
  * Defends SecureCart against **DDoS attacks** on its public endpoints.

**Use Case:** SecureCart’s **RDS database is placed in a private subnet**, ensuring **only ECS tasks** can connect through **Security Groups** and blocking all external access.

***

### **Enforce Secure Application Access**

**Goal:** Implement strong authentication and authorization mechanisms to prevent unauthorized access.

#### **Implementation**

* **Amazon Cognito for Authentication**
  * SecureCart customers authenticate via **Cognito User Pools** before accessing the platform.
* **IAM Role-based Access for Services**
  * **ECS tasks assume IAM roles** to interact with S3 and DynamoDB.
  * **Lambda functions assume roles** to process customer orders securely.
* **API Gateway Authorization**
  * Enforces **Cognito-based authentication** for API endpoints.

**Use Case:** SecureCart’s **API Gateway allows only authenticated Cognito users** to fetch order history, ensuring **unauthorized requests are blocked**.

***

### **Protecting Workloads from External Threats**

**Goal:** Detect, prevent, and mitigate security threats targeting SecureCart’s workloads.

#### **Implementation**

* **AWS GuardDuty**
  * Monitors for **anomalous API calls, unauthorized access attempts, and data exfiltration**.
* **AWS WAF Rules**
  * Blocks **malicious traffic** such as SQL Injection and XSS attacks.
* **AWS Config**
  * Ensures compliance by checking security settings (e.g., **encrypted S3 buckets, security group rules**).
* **AWS CloudTrail**
  * Logs every API request for **security auditing and investigation**.

**Use Case:** If **AWS GuardDuty detects a brute-force attack**, SecureCart **automatically updates WAF rules** to block the attacker’s IP.
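The automated response in the use case above, as an added example that is not SecureCart's own Lambda: an EventBridge rule forwards GuardDuty findings to the function, which extracts the remote address from inbound brute-force findings above a severity threshold and adds it to a WAF IP set that a Block rule references. The IP-set name and id, the severity threshold, the `FakeWaf` client and the sample finding are constructed; deployed, `boto3.client("wafv2")` takes the fake's place.

```python
"""Automated response: GuardDuty brute-force finding -> AWS WAF IP-set block.

Added example (not SecureCart's code). The EventBridge finding shape and the
wafv2 get_ip_set / update_ip_set calls follow boto3; the IP-set name and id,
the fake WAF client and the sample finding are constructed.
"""
import ipaddress

# Constructed deployment values; a real Lambda would read these from its environment.
IP_SET = {"Name": "securecart-blocklist", "Scope": "REGIONAL", "Id": "ipset-id-placeholder"}
BRUTE_FORCE_TYPES = ("UnauthorizedAccess:EC2/SSHBruteForce", "UnauthorizedAccess:EC2/RDPBruteForce")
MIN_SEVERITY = 4.0     # GuardDuty severity bands: low 1-3.9, medium 4-6.9, high 7-8.9
NEVER_BLOCK = [ipaddress.ip_network(n) for n in       # RFC 1918, loopback, link-local
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def attacker_cidr(event):
    """Return the remote address as a /32 for an actionable finding, else None.

    Only inbound brute-force findings are acted on: there the remote address is the
    source of the attempts. For other finding types the remote IP may be a legitimate
    endpoint, so they are ignored here and left to an analyst.
    """
    detail = event.get("detail", {})
    if detail.get("type") not in BRUTE_FORCE_TYPES or detail.get("severity", 0) < MIN_SEVERITY:
        return None
    conn = detail.get("service", {}).get("action", {}).get("networkConnectionAction", {})
    ip = conn.get("remoteIpDetails", {}).get("ipAddressV4")
    if conn.get("connectionDirection") != "INBOUND" or not ip:
        return None
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NEVER_BLOCK):   # never block internal address space
        return None
    return f"{addr}/32"


def block_in_ip_set(waf, cidr):
    """Add `cidr` to the WAF IP set, honouring WAFv2's optimistic-locking LockToken."""
    current = waf.get_ip_set(**IP_SET)
    addresses = current["IPSet"]["Addresses"]
    if cidr in addresses:
        return False                    # already blocked: redelivered events stay idempotent
    waf.update_ip_set(**IP_SET, Addresses=addresses + [cidr], LockToken=current["LockToken"])
    return True


def handler(event, context=None, waf=None):
    """Lambda entry point; `waf` defaults to boto3.client("wafv2") when deployed."""
    if waf is None:
        import boto3                    # imported lazily so the example runs without AWS
        waf = boto3.client("wafv2")
    cidr = attacker_cidr(event)
    if cidr is None:
        return {"action": "ignored"}
    blocked = block_in_ip_set(waf, cidr)
    return {"action": "blocked" if blocked else "already-blocked", "cidr": cidr}


class FakeWaf:
    """Constructed stand-in for the wafv2 client with the same two-call protocol."""

    def __init__(self, addresses=()):
        self.addresses, self.token = list(addresses), "tok-1"

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Addresses": list(self.addresses)}, "LockToken": self.token}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        if LockToken != self.token:
            raise RuntimeError("stale LockToken: the IP set changed under us, re-read it")
        self.addresses, self.token = list(Addresses), "tok-2"
        return {"NextLockToken": self.token}


# Constructed sample finding in the EventBridge envelope GuardDuty uses (TEST-NET-3 address).
SAMPLE_FINDING = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "service": {"action": {"actionType": "NETWORK_CONNECTION",
                               "networkConnectionAction": {
                                   "connectionDirection": "INBOUND",
                                   "remoteIpDetails": {"ipAddressV4": "203.0.113.45"}}}},
    },
}

if __name__ == "__main__":
    waf = FakeWaf()
    print(handler(SAMPLE_FINDING, waf=waf))   # blocks 203.0.113.45/32
    print(handler(SAMPLE_FINDING, waf=waf))   # a redelivered event is a no-op
```

Two operational points: GuardDuty's brute-force finding types cover SSH and RDP, which do not pass through the ALB, so the WAF block denies that source's HTTP traffic while the same finding can also feed a NACL deny entry in front of the EC2 hosts; and entries added this way should carry an expiry (a scheduled job that prunes the IP set) so the blocklist does not grow without bound.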

***

### **Automating Security & Compliance**

**Goal:** Continuously enforce security controls and automatically respond to threats.

#### **Implementation**

* **AWS Security Hub**
  * Centralizes security findings across **GuardDuty, AWS Config, and IAM Access Analyzer**.
* **AWS Lambda for Automated Security Remediation**
  * Automatically revokes excessive permissions when detected.
  * Disables unused IAM access keys.
* **IAM Access Analyzer**
  * Identifies unintended public access to resources.
* **AWS Config Rules**
  * Ensures encryption is enabled for **S3, RDS, and EBS volumes**.

**Use Case:** SecureCart enforces **automatic encryption** for **new S3 buckets** using an **AWS Config rule**, preventing misconfigurations.
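The "disables unused IAM access keys" remediation from the list above, as an added example that is not SecureCart's own Lambda: it deactivates (rather than deletes) active keys that are older than the threshold and have not been used within it, and runs in dry-run mode unless told otherwise. The user name, key ids, timestamps and the `FakeIam` client are constructed; deployed, `boto3.client("iam")` takes the fake's place and the function is triggered from a Security Hub custom action or from the AWS Config managed rule `iam-user-unused-credentials-check`.

```python
"""Automated remediation: deactivate IAM access keys that have gone unused.

Added example (not SecureCart's code). The three IAM calls follow boto3's
request and response shapes; the user name, key ids, timestamps and the
FakeIam client are constructed so the script runs without AWS.
"""
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 90     # constructed policy threshold


def stale_keys(iam, user_name, now, unused_days=UNUSED_DAYS):
    """Active keys older than the threshold with no recorded use inside it.

    Recently created keys are skipped even if never used, so a key issued
    yesterday is not disabled before its first use.
    """
    cutoff = now - timedelta(days=unused_days)
    stale = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] != "Active" or key["CreateDate"] > cutoff:
            continue
        used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])
        last_used = used["AccessKeyLastUsed"].get("LastUsedDate")   # absent when never used
        if last_used is None or last_used < cutoff:
            stale.append(key["AccessKeyId"])
    return stale


def remediate(iam, user_name, now=None, dry_run=True):
    """Deactivate (not delete) stale keys; returns the key ids acted on.

    Deactivation is reversible, and dry_run reports without changing anything,
    which is the mode to run first when wiring this to Security Hub findings.
    """
    now = now or datetime.now(timezone.utc)
    acted = stale_keys(iam, user_name, now)
    if not dry_run:
        for key_id in acted:
            iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
    return acted


class FakeIam:
    """Constructed stand-in for boto3.client("iam") covering the three calls above."""

    def __init__(self, keys, last_used):
        self.keys, self.last_used, self.updates = keys, last_used, []

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys if k["UserName"] == UserName]}

    def get_access_key_last_used(self, AccessKeyId):
        info = {"ServiceName": "N/A", "Region": "N/A"}      # IAM's shape for a never-used key
        if AccessKeyId in self.last_used:
            info["LastUsedDate"] = self.last_used[AccessKeyId]
        return {"AccessKeyLastUsed": info}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.updates.append((UserName, AccessKeyId, Status))
        for k in self.keys:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time"


def days_ago(n):
    return NOW - timedelta(days=n)


def sample_iam():
    """Constructed fixture: one stale key, one key in use, one brand-new unused key."""
    keys = [{"UserName": "deploy-bot", "AccessKeyId": "AKIA-STALE-EXAMPLE",
             "Status": "Active", "CreateDate": days_ago(400)},
            {"UserName": "deploy-bot", "AccessKeyId": "AKIA-LIVE-EXAMPLE",
             "Status": "Active", "CreateDate": days_ago(400)},
            {"UserName": "deploy-bot", "AccessKeyId": "AKIA-NEW-EXAMPLE",
             "Status": "Active", "CreateDate": days_ago(3)}]
    last_used = {"AKIA-STALE-EXAMPLE": days_ago(200), "AKIA-LIVE-EXAMPLE": days_ago(2)}
    return FakeIam(keys, last_used)


if __name__ == "__main__":
    iam = sample_iam()
    print("would deactivate:", remediate(iam, "deploy-bot", now=NOW))
    print("deactivated:", remediate(iam, "deploy-bot", now=NOW, dry_run=False), iam.updates)
```

Deactivating keeps the action reversible if a key was wrongly flagged, and a second run after remediation returns nothing because inactive keys are skipped, so the function is safe to schedule repeatedly.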
