SecureCart Journey
SecureCart is an AWS-native e-commerce platform that prioritizes security, scalability, and resilience across all workloads. As SecureCart expands, securing workloads and applications becomes a top priority to protect customer data, maintain compliance, and prevent unauthorized access.
This section focuses on how SecureCart secures its applications and workloads in AWS by leveraging AWS security best practices, secure network configurations, and access control mechanisms.
Secure Application Configuration & Credentials
Goal: Prevent credential leaks and unauthorized access to configuration data.
Implementation
Use AWS Secrets Manager to store sensitive data such as
Database credentials (Amazon RDS PostgreSQL)
API keys for payment gateways
OAuth tokens for third-party services
IAM Role-based access ensures that
Only authorized applications retrieve secrets.
Developers do not have direct access to production secrets.
AWS Systems Manager Parameter Store holds non-sensitive application configuration (feature flags, endpoints, timeouts). SecureString parameters are KMS-encrypted as well, but credentials that need rotation stay in Secrets Manager.
Use Case: SecureCart’s ECS Fargate tasks receive RDS credentials from AWS Secrets Manager: the task definition references the secret’s ARN and ECS injects the value at task start using the task execution role, so credentials never appear in application code, the container image or the task definition itself. The execution role is granted secretsmanager:GetSecretValue on that secret ARN only (plus kms:Decrypt if the secret uses a customer-managed key).
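The pattern above, as an added example that is not SecureCart’s own code: a Fargate task definition that takes its RDS credentials from Secrets Manager through the `secrets` block, the matching least-privilege statement for the execution role, and a check that flags credentials pasted into plain `environment`. Account ID, region, ARNs, image and hostnames are constructed placeholders.

```python
"""Added example (not SecureCart's own code): an ECS Fargate task definition that
receives RDS credentials from Secrets Manager through the task definition's
`secrets` block, the matching least-privilege statement for the task execution
role, and a check that flags credentials pasted into plain `environment`.
Account ID, region, ARNs, image and hostnames are constructed placeholders."""
import json
import re

ACCOUNT = "123456789012"                       # assumed account ID
REGION = "us-east-1"                           # assumed region
DB_SECRET_ARN = (f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:"
                 "secret:securecart/prod/rds-AbCdEf")   # assumed secret ARN
IMAGE = f"{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/securecart-api:1.0"   # assumed image

# Variable names that must never carry a literal value in a task definition.
SENSITIVE_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)


def task_definition(image=IMAGE, secret_arn=DB_SECRET_ARN):
    """Fargate task definition whose DB credentials are injected at launch.

    Each `secrets` entry makes ECS fetch the secret with the *execution* role
    when the task starts and expose it as an environment variable, so the
    value is absent from the task definition, the image and the console.
    The `:username::` / `:password::` suffix selects one JSON key from the
    secret value (json-key:version-stage:version-id, the latter two empty).
    """
    return {
        "family": "securecart-api",
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "cpu": "512",
        "memory": "1024",
        "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/securecart-api-exec",
        "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/securecart-api-task",
        "containerDefinitions": [{
            "name": "api",
            "image": image,
            "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
            # Non-sensitive settings may be plain environment variables.
            "environment": [
                {"name": "DB_HOST", "value": "securecart-db.example.internal"},  # placeholder
                {"name": "DB_NAME", "value": "securecart"},
            ],
            "secrets": [
                {"name": "DB_USERNAME", "valueFrom": f"{secret_arn}:username::"},
                {"name": "DB_PASSWORD", "valueFrom": f"{secret_arn}:password::"},
            ],
        }],
    }


def execution_role_policy(secret_arn=DB_SECRET_ARN):
    """Execution-role statement scoped to the one secret the task needs.
    Add kms:Decrypt on the secret's key if it uses a customer-managed KMS key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": [secret_arn],
        }],
    }


def find_plaintext_secrets(task_def):
    """Return 'container/VAR' for every credential-looking variable with a literal value."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            if SENSITIVE_NAME.search(env["name"]):
                findings.append(f"{container['name']}/{env['name']}")
    return findings


def leaky_variant():
    """The anti-pattern the page warns against: the password pasted into `environment`."""
    task_def = task_definition()
    task_def["containerDefinitions"][0]["environment"].append(
        {"name": "DB_PASSWORD", "value": "hunter2"})   # constructed bad example
    return task_def


if __name__ == "__main__":
    print(json.dumps(task_definition(), indent=2))
    print("plaintext secrets in leaky variant:", find_plaintext_secrets(leaky_variant()))
```

`find_plaintext_secrets` is the kind of check worth running in CI over every registered task definition; it catches the case where someone "temporarily" pastes a password into `environment`, which then ends up visible in the console, in `DescribeTaskDefinition` output and in CloudTrail.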
Implement Network Segmentation & Security
Goal: Enforce network-level security to isolate workloads and minimize exposure.
Implementation
VPC Architecture & Segmentation
Public Subnets → Only the Application Load Balancer (ALB). API Gateway is a managed endpoint outside the VPC and is not deployed into a subnet; it reaches private backends through a VPC link.
Private Subnets → Application servers, RDS databases, and backend services.
Security Groups
Restrict inbound and outbound access per application component. Security groups are stateful (return traffic of an allowed connection is permitted automatically) and allow-only: there is no deny rule, so anything not listed is dropped. Sources and destinations are security-group references rather than CIDRs wherever possible, so the rules stay correct as tasks scale and change IP addresses.
Security Group Rules for SecureCart Components

| Component | Traffic Type | Source / Destination | Port Range | Direction | Purpose |
|---|---|---|---|---|---|
| Application Load Balancer (ALB) | HTTPS | 0.0.0.0/0 (Public) | 443 | Inbound | Accepts web traffic from customers. |
| Application Load Balancer (ALB) | HTTP | 0.0.0.0/0 (Public) | 80 | Inbound | Accepts plain HTTP only so the listener can redirect it to 443. |
| Application Load Balancer (ALB) | HTTP | ECS/EC2 Backend Security Group | 8080 | Outbound | Forwards requests to backend targets on their listening port. |
| ECS/EC2 Backend Services | HTTP | ALB Security Group | 8080 | Inbound | Only allows traffic from the ALB. |
| ECS/EC2 Backend Services | PostgreSQL | RDS Security Group | 5432 | Outbound | Backend services open connections to RDS; replies are allowed by connection state. |
| ECS/EC2 Backend Services | HTTPS | S3 prefix list / VPC endpoint security group | 443 | Outbound | Allows secure connections to AWS services (S3 gateway endpoint, Secrets Manager interface endpoint). |
| ECS/EC2 Backend Services | All other | Any | Any | Inbound | No rule (implicit deny): no direct access from the internet or from other VPC workloads. |
| Amazon RDS (PostgreSQL) | PostgreSQL | ECS/EC2 Backend Security Group | 5432 | Inbound | Ensures only backend services can access the database. |
| Amazon RDS (PostgreSQL) | All other | Any | Any | Inbound | No rule (implicit deny) and "Publicly accessible" disabled: blocks direct database access from outside. |
| Lambda Functions (VPC-attached) | HTTPS | 0.0.0.0/0 or VPC endpoint security group | 443 | Outbound | Allows Lambda to call AWS APIs; only functions attached to the VPC have a security group at all. |
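A lint for rule sets of this shape, as an added example that is not SecureCart’s own code: it rejects the three mistakes that most often creep into security groups (a "deny" row, which security groups cannot express; an ingress rule on a private tier keyed on a CIDR instead of a security group; and the default allow-all egress rule left in place). The rule objects use a constructed shape, not the EC2 API’s, and group names such as `sg-alb` are placeholders.

```python
"""Added example (not SecureCart's own code): lint a set of security-group rules
against the policy in the table above. Rule objects use a constructed shape,
not the EC2 API's; group names such as "sg-alb" and "pl-s3" are placeholders."""
from dataclasses import dataclass

INTERNET = {"0.0.0.0/0", "::/0"}

# Only the ALB may accept traffic from the internet, and only on these ports.
PUBLIC_INGRESS = {"sg-alb": {80, 443}}


@dataclass(frozen=True)
class SgRule:
    group: str        # security group the rule belongs to
    direction: str    # "ingress" or "egress"
    protocol: str     # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    peer: str         # sg-... reference, pl-... prefix list, or CIDR
    action: str = "allow"   # security groups only support allow; see lint()


def lint(rules):
    """Return human-readable findings; an empty list means the rule set passes."""
    findings = []
    for r in rules:
        where = f"{r.group} {r.direction} {r.protocol} {r.from_port}-{r.to_port} {r.peer}"
        if r.action != "allow":
            # A deny rule cannot be expressed in a security group at all:
            # remove the rule (implicit deny) or put the deny in a NACL.
            findings.append(f"{where}: deny rules are not representable in security groups")
            continue
        if r.direction == "ingress" and r.peer in INTERNET:
            allowed = PUBLIC_INGRESS.get(r.group, set())
            if r.protocol == "-1" or not set(range(r.from_port, r.to_port + 1)) <= allowed:
                findings.append(f"{where}: internet ingress only permitted on {sorted(allowed) or 'nothing'}")
        elif r.direction == "ingress" and not r.peer.startswith("sg-"):
            # Private tiers reference the caller's security group, not a CIDR,
            # so the rule survives IP churn and cannot be reached by another
            # workload that happens to land in the same subnet.
            findings.append(f"{where}: ingress should reference a security group, not a CIDR")
        if r.direction == "egress" and r.peer in INTERNET and r.protocol == "-1":
            findings.append(f"{where}: unrestricted egress; limit to the ports and endpoints actually needed")
    return findings


# The table above, expressed as rules.
SECURECART_RULES = [
    SgRule("sg-alb", "ingress", "tcp", 443, 443, "0.0.0.0/0"),
    SgRule("sg-alb", "ingress", "tcp", 80, 80, "0.0.0.0/0"),
    SgRule("sg-alb", "egress", "tcp", 8080, 8080, "sg-backend"),
    SgRule("sg-backend", "ingress", "tcp", 8080, 8080, "sg-alb"),
    SgRule("sg-backend", "egress", "tcp", 5432, 5432, "sg-rds"),
    SgRule("sg-backend", "egress", "tcp", 443, 443, "pl-s3"),            # S3 gateway endpoint prefix list
    SgRule("sg-backend", "egress", "tcp", 443, 443, "sg-vpc-endpoints"), # Secrets Manager interface endpoint
    SgRule("sg-rds", "ingress", "tcp", 5432, 5432, "sg-backend"),
]

# Constructed mistakes the lint is meant to catch.
MISTAKES = [
    SgRule("sg-backend", "ingress", "-1", -1, -1, "0.0.0.0/0", action="deny"),  # "deny inbound from internet"
    SgRule("sg-rds", "ingress", "tcp", 5432, 5432, "10.0.1.0/24"),             # CIDR instead of sg-backend
    SgRule("sg-backend", "egress", "-1", -1, -1, "0.0.0.0/0"),                  # default egress rule left in
]

if __name__ == "__main__":
    print("SecureCart rules:", lint(SECURECART_RULES) or "clean")
    for finding in lint(MISTAKES):
        print("finding:", finding)
```

The same checks can be run against live data by mapping `DescribeSecurityGroups` output (`IpPermissions` / `IpPermissionsEgress`, with `UserIdGroupPairs`, `PrefixListIds` and `IpRanges`) onto `SgRule`; the "deny" check then becomes moot, but the CIDR-ingress and default-egress checks are the ones that regularly find drift.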
Network ACLs (NACLs)
Provide a second, coarser layer of filtering at the subnet boundary. Unlike security groups, NACLs are stateless: a rule is needed for each direction of a connection, including the reply traffic that comes back on ephemeral ports (1024–65535). Rules are evaluated in ascending rule-number order, the first match wins, and every NACL ends with an implicit `*` Deny for anything unmatched, so no explicit "deny all" rule is required. The rule set below includes the reply paths; without them the ALB would never receive responses from the backend and the backend would never receive responses from RDS.
Network ACL (NACL) Rules for SecureCart Subnets

| Rule # | Subnet Type | Traffic Type | Source/Destination | Port Range | Direction | Action | Purpose |
|---|---|---|---|---|---|---|---|
| 100 | Public Subnet (ALB) | HTTPS | 0.0.0.0/0 (Internet) | 443 | Inbound | Allow | Allows public web traffic to the ALB. |
| 105 | Public Subnet (ALB) | HTTP | 0.0.0.0/0 (Internet) | 80 | Inbound | Allow | Allows plain HTTP, which the ALB redirects to HTTPS. |
| 110 | Public Subnet (ALB) | TCP | Private Subnet CIDR | 1024–65535 | Inbound | Allow | Reply traffic from backend targets to the ALB’s ephemeral ports. |
| * | Public Subnet (ALB) | All | 0.0.0.0/0 | All | Inbound | Deny | Implicit: blocks all other inbound traffic. |
| 120 | Public Subnet (ALB) | HTTP | Private Subnet CIDR | 8080 | Outbound | Allow | Requests from the ALB to backend services (including target health checks). |
| 130 | Public Subnet (ALB) | TCP | 0.0.0.0/0 | 1024–65535 | Outbound | Allow | Responses to customers, whose connections originate from ephemeral ports. |
| * | Public Subnet (ALB) | All | 0.0.0.0/0 | All | Outbound | Deny | Implicit: blocks unintended outbound traffic. |
| 200 | Private Subnet (ECS/Backend Services) | HTTP | Public Subnet CIDR | 8080 | Inbound | Allow | Allows the ALB to send traffic to backend services. |
| 210 | Private Subnet (ECS/Backend Services) | TCP | Database Subnet CIDR | 1024–65535 | Inbound | Allow | Reply traffic from RDS to the backend’s ephemeral ports. |
| 220 | Private Subnet (ECS/Backend Services) | TCP | 0.0.0.0/0 | 1024–65535 | Inbound | Allow | Replies from AWS APIs (S3, Secrets Manager) reached through VPC endpoints or NAT. |
| * | Private Subnet (ECS/Backend Services) | All | 0.0.0.0/0 | All | Inbound | Deny | Implicit: blocks all other inbound traffic. |
| 230 | Private Subnet (ECS/Backend Services) | TCP | Public Subnet CIDR | 1024–65535 | Outbound | Allow | Responses from backend services to the ALB. |
| 240 | Private Subnet (ECS/Backend Services) | PostgreSQL | Database Subnet CIDR | 5432 | Outbound | Allow | Backend services connect to RDS. |
| 250 | Private Subnet (ECS/Backend Services) | HTTPS | 0.0.0.0/0 | 443 | Outbound | Allow | Secure AWS API access (e.g., S3, Secrets Manager). |
| * | Private Subnet (ECS/Backend Services) | All | 0.0.0.0/0 | All | Outbound | Deny | Implicit: blocks all other outbound traffic. |
| 300 | Database Subnet (RDS) | PostgreSQL | Private Subnet CIDR | 5432 | Inbound | Allow | Ensures only backend services can reach the database. |
| * | Database Subnet (RDS) | All | 0.0.0.0/0 | All | Inbound | Deny | Implicit: blocks unauthorized database access. |
| 310 | Database Subnet (RDS) | TCP | Private Subnet CIDR | 1024–65535 | Outbound | Allow | Query responses back to backend services. |
| * | Database Subnet (RDS) | All | 0.0.0.0/0 | All | Outbound | Deny | Implicit: the database initiates no outbound connections. |

Because the ephemeral range 1024–65535 necessarily includes ports such as 5432 and 8080, a NACL cannot express "only port 8080 from the public subnet" precisely. The security groups above remain the authoritative per-resource control; the NACLs are a backstop against a misconfigured security group.
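The stateless behaviour described above, as an added example that is not part of the SecureCart page: a small simulator that walks one TCP connection through the four NACL decisions it needs (request out of the source subnet, request into the destination subnet, reply out, reply in) and reports the first one that fails. Subnet CIDRs, IP addresses and rule numbers are constructed for the example.

```python
"""Added example (not from the SecureCart page): simulate one TCP connection
through stateless network ACLs to confirm that all four NACL decisions it needs
are allowed. Subnet CIDRs, IPs and rule numbers are constructed for the example."""
import ipaddress
from dataclasses import dataclass

# Constructed subnet layout.
PUBLIC = ipaddress.ip_network("10.0.0.0/24")     # ALB
PRIVATE = ipaddress.ip_network("10.0.1.0/24")    # ECS backend services
DATABASE = ipaddress.ip_network("10.0.2.0/24")   # RDS
ANY = ipaddress.ip_network("0.0.0.0/0")
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class NaclRule:
    number: int                    # evaluated in ascending order; first match wins
    direction: str                 # "inbound" or "outbound"
    cidr: ipaddress.IPv4Network    # source (inbound) or destination (outbound)
    ports: tuple                   # (low, high) destination port range, inclusive
    action: str                    # "allow" or "deny"


def evaluate(rules, direction, peer_ip, dst_port):
    """Action of the first matching rule; AWS ends every NACL with an implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction != direction:
            continue
        if ipaddress.ip_address(peer_ip) in rule.cidr and rule.ports[0] <= dst_port <= rule.ports[1]:
            return rule.action
    return "deny"


def flow_allowed(nacls, src_subnet, src_ip, dst_subnet, dst_ip, dst_port, src_port=40000):
    """Check a connection from src to dst. NACLs are stateless, so the request and
    the reply are filtered separately at both subnet boundaries: four decisions.
    Returns (allowed, name_of_first_failing_step)."""
    steps = [
        ("request out of source",    nacls[src_subnet], "outbound", dst_ip, dst_port),
        ("request into destination", nacls[dst_subnet], "inbound",  src_ip, dst_port),
        ("reply out of destination", nacls[dst_subnet], "outbound", src_ip, src_port),
        ("reply into source",        nacls[src_subnet], "inbound",  dst_ip, src_port),
    ]
    for name, rules, direction, peer_ip, port in steps:
        if evaluate(rules, direction, peer_ip, port) != "allow":
            return False, name
    return True, None


PUBLIC_RULES = [
    NaclRule(100, "inbound",  ANY,     (443, 443),   "allow"),
    NaclRule(105, "inbound",  ANY,     (80, 80),     "allow"),
    NaclRule(110, "inbound",  PRIVATE, EPHEMERAL,    "allow"),   # replies from backend
    NaclRule(120, "outbound", PRIVATE, (8080, 8080), "allow"),   # ALB -> backend
    NaclRule(130, "outbound", ANY,     EPHEMERAL,    "allow"),   # replies to customers
]
PRIVATE_RULES = [
    NaclRule(200, "inbound",  PUBLIC,   (8080, 8080), "allow"),
    NaclRule(210, "inbound",  DATABASE, EPHEMERAL,    "allow"),  # replies from RDS
    NaclRule(220, "inbound",  ANY,      EPHEMERAL,    "allow"),  # replies from AWS APIs
    NaclRule(230, "outbound", PUBLIC,   EPHEMERAL,    "allow"),  # replies to ALB
    NaclRule(240, "outbound", DATABASE, (5432, 5432), "allow"),
    NaclRule(250, "outbound", ANY,      (443, 443),   "allow"),
]
# A database NACL that allows 5432 in but nothing out: the stateless trap.
DATABASE_RULES_NO_REPLY = [
    NaclRule(300, "inbound", PRIVATE, (5432, 5432), "allow"),
]
# Corrected: RDS answers on the backend's ephemeral source port.
DATABASE_RULES = DATABASE_RULES_NO_REPLY + [
    NaclRule(310, "outbound", PRIVATE, EPHEMERAL, "allow"),
]


def securecart_nacls(database_rules=DATABASE_RULES):
    return {"public": PUBLIC_RULES, "private": PRIVATE_RULES, "database": database_rules}


if __name__ == "__main__":
    trap = securecart_nacls(DATABASE_RULES_NO_REPLY)
    print("backend -> RDS, no reply rule:", flow_allowed(trap, "private", "10.0.1.10", "database", "10.0.2.10", 5432))
    ok = securecart_nacls()
    print("backend -> RDS, fixed:", flow_allowed(ok, "private", "10.0.1.10", "database", "10.0.2.10", 5432))
    print("ALB -> backend:", flow_allowed(ok, "public", "10.0.0.10", "private", "10.0.1.10", 8080))
    print("ALB subnet -> RDS directly:", flow_allowed(ok, "public", "10.0.0.10", "database", "10.0.2.10", 5432))
```

The last probe is instructive: the public subnet’s outbound rule 130 lets a packet to port 5432 leave, because 5432 sits inside the ephemeral range, and it is the database subnet’s inbound rule that stops it. The same ephemeral rule means the private subnet’s NACL cannot restrict inbound ports above 1024 precisely, which is why the security groups remain the primary control and the NACL is the backstop.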
AWS WAF (Web Application Firewall)
Protects API Gateway and the ALB from application-layer attacks such as SQL injection and cross-site scripting (XSS).
The following AWS WAF web ACL is associated with SecureCart’s ALB and regional API Gateway stage.

| Rule Name | Type | Action | Purpose |
|---|---|---|---|
| Block SQL Injection | AWS Managed Rule group (AWSManagedRulesSQLiRuleSet) | Block | Prevents SQL injection attempts in query strings, bodies, headers and cookies of API requests. |
| Block XSS Attacks | AWS Managed Rule group (AWSManagedRulesCommonRuleSet, XSS rules) | Block | Protects against JavaScript injection in web forms. |
| Rate Limiting | Rate-Based Rule | Block a source IP while it exceeds 100 requests in a trailing 5-minute window | Slows bot-driven brute-force and credential-stuffing attacks. |
| Block Known Malicious IPs | AWS Managed Rule group (AWSManagedRulesAmazonIpReputationList) | Block | Uses Amazon’s threat-intelligence IP reputation list to block known malicious sources. |
| Block Requests from Unapproved Countries | Geo match | Block | Restricts access to SecureCart’s API to the U.S. and European countries; geo match works per country code, so the allowed list enumerates each European country. |

AWS maintains and updates the managed rule groups as new attack patterns appear; the rate limit and the country list are SecureCart’s own rules and must be maintained by SecureCart. A new managed rule group is best deployed in Count mode first and switched to Block once its matches have been reviewed, since managed rules can match legitimate request bodies. A limit of 100 requests per 5 minutes is low for a whole site (a single office NAT address can exceed it), so the rate-based rule is best narrowed with a scope-down statement to authentication paths such as the login endpoint.
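To see what the rate-based rule in the table would do before switching it to Block, the following added example (not SecureCart’s own code) replays ALB access-log lines through the same counting logic, requests per source IP in a trailing 5-minute window, and reports which clients cross the threshold and when. The log lines are constructed; their field order follows the ALB access-log format, of which only the timestamp and client fields are read.

```python
"""Added example (not SecureCart's own code): replay ALB access-log lines
through the counting logic of a WAF rate-based rule (requests per source IP in
a trailing 5-minute window) to see which clients the rule in the table would
block. The log lines are constructed; the field order follows the ALB
access-log format, of which only the timestamp and client fields are used."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LIMIT = 100                     # threshold from the table
WINDOW = timedelta(minutes=5)   # rate-based rules always evaluate a 5-minute window


def parse_alb_line(line):
    """(timestamp, client_ip) from 'type time elb client:port target:port ...'."""
    fields = line.split(" ", 4)
    ts = datetime.strptime(fields[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return ts, fields[3].rsplit(":", 1)[0]


def rate_limited(lines, limit=LIMIT, window=WINDOW):
    """Map each source IP that exceeded `limit` requests inside `window` to the
    timestamp of the request at which it crossed the threshold."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip in sorted(parse_alb_line(line) for line in lines):
        window_reqs = recent[ip]
        window_reqs.append(ts)
        while ts - window_reqs[0] > window:   # drop requests older than the window
            window_reqs.popleft()
        if len(window_reqs) > limit and ip not in blocked:
            blocked[ip] = ts
    return blocked


def constructed_log():
    """150 login attempts from one IP over two minutes, 20 shop requests from another."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ts, ip, path):
        return (f"https {ts.strftime('%Y-%m-%dT%H:%M:%S.%f')}Z app/securecart-alb/50dc6c495c0c9188 "
                f"{ip}:51234 10.0.1.10:8080 0.001 0.012 0.000 200 200 512 1024 "
                f'"POST https://securecart.example:443{path} HTTP/1.1" "Mozilla/5.0"')

    lines = [line(base + timedelta(milliseconds=800 * i), "203.0.113.5", "/login") for i in range(150)]
    lines += [line(base + timedelta(seconds=6 * i), "198.51.100.7", "/cart") for i in range(20)]
    return lines


if __name__ == "__main__":
    for ip, when in rate_limited(constructed_log()).items():
        print(f"{ip} exceeded {LIMIT} requests/5 min at {when.isoformat()}")
```

The real rule re-evaluates the per-IP count roughly every 30 seconds rather than per request and keeps blocking until the rate drops below the limit, so this replay is a slightly eager approximation; run it over a day of production logs (filtered to the paths the scope-down statement will cover) to see which legitimate sources would be caught before the rule goes to Block.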
AWS Shield
AWS Shield Standard, included with the ALB at no extra cost, absorbs common network- and transport-layer DDoS attacks against SecureCart’s public endpoints; application-layer floods are handled by the WAF rate-based rule above.
Use Case: SecureCart’s RDS database is placed in a private subnet with "Publicly accessible" disabled, so only ECS tasks in the backend security group can connect and all external access is blocked.
Enforce Secure Application Access
Goal: Implement strong authentication and authorization mechanisms to prevent unauthorized access.
Implementation
Amazon Cognito for Authentication
SecureCart customers authenticate via Cognito User Pools before accessing the platform.
IAM Role-based Access for Services
ECS tasks assume a task role to interact with S3 and DynamoDB; this is distinct from the task execution role, which only pulls images and injects secrets at start-up.
Lambda functions assume least-privilege execution roles to process customer orders securely.
API Gateway Authorization
A Cognito user pool authorizer on API Gateway verifies each request’s token (signature, issuer, audience and expiry) before the request reaches the backend; unauthenticated requests are rejected at the gateway. The authorizer establishes who the caller is, so the backend still enforces per-user authorization using the token’s sub claim.
Use Case: SecureCart’s API Gateway allows only authenticated Cognito users to fetch order history, and the order service returns only orders belonging to the caller’s sub, so a valid token for one customer cannot read another customer’s orders.
Protecting Workloads from External Threats
Goal: Detect, prevent, and mitigate security threats targeting SecureCart’s workloads.
Implementation
AWS GuardDuty
Analyses CloudTrail, VPC Flow Logs and DNS logs for anomalous API calls, unauthorized access attempts (for example SSH/RDP brute force against EC2 instances) and data exfiltration.
AWS WAF Rules
Blocks malicious traffic such as SQL Injection and XSS attacks.
AWS Config
Ensures compliance by checking security settings (e.g., encrypted S3 buckets, security group rules).
AWS CloudTrail
Logs every API request for security auditing and investigation.
Use Case: If GuardDuty raises a brute-force finding (for example UnauthorizedAccess:EC2/SSHBruteForce), an EventBridge rule forwards the finding to a Lambda function that adds the attacker’s IP to a WAF IP set referenced by a blocking rule in the web ACL. GuardDuty does not modify WAF itself, and a brute-force finding describes SSH/RDP traffic that never passes through WAF, so the security group of the targeted instance is tightened as well; the IP-set entry stops the same actor on the HTTP surface.
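The Lambda side of that GuardDuty → EventBridge → Lambda → WAF response, as an added example that is not SecureCart’s own code. The IP set name, ID and scope are placeholders read from the environment, and the WAF client is injectable so the handler can be exercised offline with the fake client included at the end; in Lambda it falls back to the real boto3 client, and the function’s role needs wafv2:GetIPSet and wafv2:UpdateIPSet on the IP set.

```python
"""Added example (not SecureCart's own code): the Lambda function behind a
GuardDuty -> EventBridge -> Lambda -> WAF IP-set response. IP set name, ID and
scope are assumed placeholders read from the environment; the WAF client is
injectable so the handler runs offline against the fake below. The function's
role needs wafv2:GetIPSet and wafv2:UpdateIPSet on the IP set."""
import ipaddress
import os

IP_SET = {
    "Name": os.environ.get("IP_SET_NAME", "securecart-blocked-ips"),            # assumed name
    "Scope": os.environ.get("IP_SET_SCOPE", "REGIONAL"),   # REGIONAL for ALB/API Gateway web ACLs
    "Id": os.environ.get("IP_SET_ID", "00000000-0000-0000-0000-000000000000"),  # placeholder
}

# Finding types whose remote IP is added to the block list. These describe
# SSH/RDP brute force against EC2, which never traverses WAF: the IP-set entry
# stops the same actor on the HTTP surface, while the SSH/RDP path itself must
# be closed by the security group (and, if needed, a NACL deny).
BLOCKABLE_TYPES = {
    "UnauthorizedAccess:EC2/SSHBruteForce",
    "UnauthorizedAccess:EC2/RDPBruteForce",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def remote_ip(finding):
    """Attacker address from a GuardDuty NETWORK_CONNECTION finding, or None."""
    action = finding.get("service", {}).get("action", {})
    return (action.get("networkConnectionAction", {})
                  .get("remoteIpDetails", {})
                  .get("ipAddressV4"))


def to_cidr(ip):
    """WAF IP sets hold CIDRs: a single host is /32 (IPv4) or /128 (IPv6)."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{32 if addr.version == 4 else 128}"


def block_cidr(cidr, wafv2):
    """Add cidr to the IP set. GetIPSet's LockToken is passed to UpdateIPSet so a
    concurrent update fails instead of silently overwriting another entry.
    Returns True if the set changed, False if the address was already listed."""
    current = wafv2.get_ip_set(**IP_SET)
    addresses = current["IPSet"]["Addresses"]
    if cidr in addresses:
        return False
    wafv2.update_ip_set(**IP_SET, Addresses=addresses + [cidr], LockToken=current["LockToken"])
    return True


def handler(event, context=None, wafv2=None):
    """EventBridge target. For a 'GuardDuty Finding' event, event['detail'] is the finding."""
    finding = event.get("detail", {})
    if finding.get("type") not in BLOCKABLE_TYPES:
        return {"action": "ignored", "reason": "finding type not in allow-list"}
    ip = remote_ip(finding)
    if ip is None or any(ipaddress.ip_address(ip) in net for net in RFC1918):
        return {"action": "ignored", "reason": "no public remote ip in finding"}
    if wafv2 is None:
        import boto3   # imported lazily so the module loads without the SDK installed
        wafv2 = boto3.client("wafv2")
    cidr = to_cidr(ip)
    changed = block_cidr(cidr, wafv2)
    return {"action": "blocked" if changed else "already-blocked", "cidr": cidr}


class FakeWafv2:
    """Offline stand-in for boto3's wafv2 client, covering the two calls used above."""
    def __init__(self, addresses=()):
        self.addresses = list(addresses)
        self.lock_token = "token-1"

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Name": Name, "Id": Id, "Addresses": list(self.addresses)},
                "LockToken": self.lock_token}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        if LockToken != self.lock_token:
            raise RuntimeError("WAFOptimisticLockException: stale lock token")
        self.addresses = list(Addresses)
        self.lock_token = "token-2"
        return {"NextLockToken": self.lock_token}


# Constructed EventBridge event shaped like a GuardDuty finding notification.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 2,
        "service": {"action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "INBOUND",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
            },
        }},
    },
}

if __name__ == "__main__":
    fake = FakeWafv2()
    print(handler(SAMPLE_EVENT, wafv2=fake), fake.addresses)
```

Two design points worth keeping in a production version: the allow-list of finding types prevents a noisy or spoofable finding from growing the block list unboundedly, and the RFC 1918 check stops an internal scanner’s address from being pushed into an edge rule where it would have no effect anyway. Entries should also age out, either by a scheduled function that trims the IP set or by recording the insertion time alongside the address.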
Automating Security & Compliance
Goal: Continuously enforce security controls and automatically respond to threats.
Implementation
AWS Security Hub
Centralizes security findings across GuardDuty, AWS Config, and IAM Access Analyzer.
AWS Lambda for Automated Security Remediation
Invoked from Security Hub custom actions or EventBridge rules to remediate findings, for example detaching a policy flagged as over-permissive.
Disables unused IAM access keys.
IAM Access Analyzer
Identifies unintended public access to resources.
AWS Config Rules
Ensures encryption is enabled for S3, RDS, and EBS volumes.
Use Case: An AWS Config rule (s3-bucket-server-side-encryption-enabled) flags any bucket without default encryption, and a remediation action applies it. Config detects rather than prevents, so the remediation step is what closes the gap. Since January 2023 S3 applies SSE-S3 to every new bucket by default, so the rule’s practical value is catching buckets where the configuration has been removed or where SSE-KMS rather than SSE-S3 is required.