SecureCart Journey

SecureCart is an AWS-native e-commerce platform that prioritizes security, scalability, and resilience across all workloads. As SecureCart expands, securing workloads and applications becomes a top priority to protect customer data, maintain compliance, and prevent unauthorized access.

This section focuses on how SecureCart secures its applications and workloads in AWS by leveraging AWS security best practices, secure network configurations, and access control mechanisms.


Secure Application Configuration & Credentials

Goal: Prevent credential leaks and unauthorized access to configuration data.

Implementation

  • Use AWS Secrets Manager to store sensitive data such as

    • Database credentials (Amazon RDS PostgreSQL)

    • API keys for payment gateways

    • OAuth tokens for third-party services

  • IAM Role-based access ensures that

    • Only authorized applications retrieve secrets.

    • Developers do not have direct access to production secrets.

  • AWS Systems Manager Parameter Store manages non-sensitive application configurations securely.

Use Case: SecureCart’s ECS Fargate tasks retrieve RDS credentials from AWS Secrets Manager, ensuring credentials are never stored in application code.
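The pattern above, as an added example that is not SecureCart's own code: a least-privilege policy for the ECS task role that can read exactly one secret, a small linter that flags policies granting wildcard secret access, and the start-up helper that pulls the RDS credentials at run time instead of baking them into the image. The secret and KMS key ARNs, the fake Secrets Manager client and the field names inside the secret are all constructed for the demo; in the task you would pass `boto3.client("secretsmanager")` instead of the fake.

```python
import json

# Constructed identifiers for the demo; the real ARNs come from SecureCart's account.
SECRET_ARN = ("arn:aws:secretsmanager:us-east-1:123456789012:"
              "secret:securecart/prod/rds-postgres-AbCdEf")
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:"
               "key/11111111-2222-3333-4444-555555555555")
REGION = "us-east-1"


def build_task_role_policy(secret_arn, kms_key_arn, region=REGION):
    """IAM policy for the ECS task role: read exactly one secret, nothing else.

    It is attached to the task role only, so developers' own principals never
    get GetSecretValue on production secrets.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadRdsSecret",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": secret_arn,
            },
            {
                "Sid": "DecryptSecretWithCmk",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": kms_key_arn,
                # kms:ViaService limits Decrypt to calls made through Secrets Manager,
                # so the role cannot use the key for anything else.
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}
                },
            },
        ],
    }


def policy_findings(policy):
    """Lint a policy document: flag any Allow that reaches every secret in the account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        touches_secrets = any(a == "*" or a.startswith("secretsmanager:") for a in actions)
        wildcard_resource = any(r == "*" or r.endswith(":secret:*") for r in resources)
        if touches_secrets and wildcard_resource:
            findings.append(f"{sid}: Secrets Manager access granted on a wildcard resource")
        if any(a in ("*", "secretsmanager:*") for a in actions):
            findings.append(f"{sid}: wildcard action covers every Secrets Manager operation")
    return findings


def load_db_credentials(secrets_client, secret_id):
    """Fetch the RDS secret at start-up; nothing is baked into the image or env vars.

    secrets_client is any object exposing boto3's get_secret_value(SecretId=...)
    signature, so the function runs offline against the fake client below.
    """
    response = secrets_client.get_secret_value(SecretId=secret_id)
    creds = json.loads(response["SecretString"])
    required = {"username", "password", "host", "port", "dbname"}
    missing = required - set(creds)
    if missing:
        raise ValueError(f"secret {secret_id} is missing fields: {sorted(missing)}")
    return creds


class FakeSecretsClient:
    """Constructed stand-in for the boto3 Secrets Manager client (offline demo only)."""

    def get_secret_value(self, SecretId):
        if SecretId != SECRET_ARN:
            raise KeyError(f"AccessDeniedException: {SecretId}")  # mimic a scoped-down role
        return {"SecretString": json.dumps({
            "username": "securecart_app",
            "password": "constructed-placeholder",  # never a real value
            "host": "securecart-db.cluster-constructed.us-east-1.rds.amazonaws.com",
            "port": 5432,
            "dbname": "securecart",
        })}


if __name__ == "__main__":
    policy = build_task_role_policy(SECRET_ARN, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    print("findings on scoped policy:", policy_findings(policy))
    too_broad = {"Statement": [{"Sid": "ReadAllSecrets", "Effect": "Allow",
                                "Action": "secretsmanager:*", "Resource": "*"}]}
    print("findings on broad policy:", policy_findings(too_broad))
    creds = load_db_credentials(FakeSecretsClient(), SECRET_ARN)
    print(f"task connects as {creds['username']} to {creds['host']}:{creds['port']}")
```

The linter is the check worth keeping in CI: a policy that is syntactically fine but lists `secretsmanager:*` on `Resource: "*"` quietly hands every secret in the account to one task, which is exactly the developer-versus-production boundary this section is trying to enforce.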


Implement Network Segmentation & Security

Goal: Enforce network-level security to isolate workloads and minimize exposure.

Implementation

  • VPC Architecture & Segmentation

    • Public Subnets → Only for Load Balancers (ALB) and API Gateway.

    • Private Subnets → Application servers, RDS databases, and backend services.

  • Security Groups

    • Restrict inbound/outbound access for each application component.

Security Group Rules for SecureCart Components

| Component | Traffic Type | Source/Destination | Port Range | Direction | Purpose |
|---|---|---|---|---|---|
| Application Load Balancer (ALB) | HTTP/HTTPS | 0.0.0.0/0 (Public) | 80, 443 | Inbound | Accepts web traffic from customers. |
| Application Load Balancer (ALB) | HTTP/HTTPS | VPC CIDR | 80, 443 | Outbound | Sends traffic to backend services. |
| ECS/EC2 Backend Services | HTTP | ALB Security Group | 8080 | Inbound | Only allows traffic from ALB. |
| ECS/EC2 Backend Services | Database | RDS Security Group | 5432 | Inbound | Allows backend services to connect to RDS. |
| ECS/EC2 Backend Services | All | Internet | Deny | Inbound | Blocks direct internet access. |
| ECS/EC2 Backend Services | HTTPS | S3 (AWS Services) | 443 | Outbound | Allows secure connection to AWS services like S3. |
| Amazon RDS (PostgreSQL) | Database | ECS/EC2 Backend Security Group | 5432 | Inbound | Ensures only backend services can access the database. |
| Amazon RDS (PostgreSQL) | All | Internet | Deny | Inbound | Blocks unauthorized direct database access. |
| Lambda Functions | HTTPS | Internet | 443 | Outbound | Allows Lambda to interact with AWS APIs securely. |
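The table above, turned into a drift check, as an added example rather than SecureCart's own tooling: it walks security groups in the shape EC2's DescribeSecurityGroups returns and reports every ingress grant that is not in the expected set. Security groups are allow-only, so the table's "Deny" rows are enforced by the absence of a matching allow rule, which is why the check lists only the allow rows. The group ids and the three group definitions are constructed; in production you would feed it the output of `describe_security_groups()`.

```python
import copy

# Constructed group ids for SecureCart's three tiers.
ALB_SG, BACKEND_SG, RDS_SG = "sg-0aaa000000000001", "sg-0bbb000000000002", "sg-0ccc000000000003"

# Constructed: the three groups in the shape EC2's DescribeSecurityGroups returns.
SECURITY_GROUPS = [
    {"GroupId": ALB_SG, "GroupName": "securecart-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": BACKEND_SG, "GroupName": "securecart-backend", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]},
    {"GroupId": RDS_SG, "GroupName": "securecart-rds", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BACKEND_SG}]}]},
]

# The table's inbound allow rows as (port, source). Security groups are allow-only,
# so the table's "Deny" rows are enforced by the absence of any matching allow.
EXPECTED_INGRESS = {
    ALB_SG: {(80, "0.0.0.0/0"), (443, "0.0.0.0/0")},
    BACKEND_SG: {(8080, ALB_SG)},
    RDS_SG: {(5432, BACKEND_SG)},
}


def flatten_ingress(group):
    """Yield ((from_port, to_port), source) for every ingress grant in a group."""
    for perm in group.get("IpPermissions", []):
        if perm["IpProtocol"] == "-1":          # "all traffic" has no port fields
            ports = (0, 65535)
        else:
            ports = (perm["FromPort"], perm["ToPort"])
        for r in perm.get("IpRanges", []):
            yield ports, r["CidrIp"]
        for r in perm.get("Ipv6Ranges", []):
            yield ports, r["CidrIpv6"]
        for pair in perm.get("UserIdGroupPairs", []):
            yield ports, pair["GroupId"]


def audit(groups, expected=EXPECTED_INGRESS):
    """Return human-readable findings for every grant not in the expected set."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        allowed = expected.get(gid, set())
        for (lo, hi), src in flatten_ingress(group):
            if lo != hi:
                findings.append(f"{gid}: port range {lo}-{hi} from {src} is wider than one port")
            elif (lo, src) in allowed:
                continue
            elif src in ("0.0.0.0/0", "::/0"):
                findings.append(f"{gid}: port {lo} is open to the internet ({src})")
            elif src.startswith("sg-"):
                findings.append(f"{gid}: port {lo} allowed from unexpected group {src}")
            else:
                findings.append(f"{gid}: port {lo} allowed from CIDR {src}; table expects a group reference")
    return findings


def drifted_groups():
    """Constructed drift: RDS opened to the world and SSH added to the backend tier."""
    drifted = copy.deepcopy(SECURITY_GROUPS)
    drifted[2]["IpPermissions"].append(
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []})
    drifted[1]["IpPermissions"].append(
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []})
    return drifted


if __name__ == "__main__":
    print("baseline findings:", audit(SECURITY_GROUPS))
    for finding in audit(drifted_groups()):
        print("DRIFT:", finding)
```

Run against the baseline it returns nothing; run against the drifted copy it reports the database port exposed to 0.0.0.0/0 and an SSH grant from a CIDR where the table only allows group references. Expressing the backend and database rows as security-group references rather than subnet CIDRs is what keeps the check meaningful: a CIDR grant still works functionally, which is exactly why it goes unnoticed without an audit.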

  • Network ACLs (NACLs)

    • Provide additional filtering for subnet-level control.

Network ACL (NACL) Rules for SecureCart Subnets

| Rule # | Subnet Type | Traffic Type | Source/Destination | Port Range | Direction | Action | Purpose |
|---|---|---|---|---|---|---|---|
| 100 | Public Subnet (ALB) | HTTP/HTTPS | 0.0.0.0/0 (Internet) | 80, 443 | Inbound | Allow | Allows public web traffic to ALB. |
| 110 | Public Subnet (ALB) | All | 0.0.0.0/0 | All | Inbound | Deny | Blocks all other inbound traffic. |
| 120 | Public Subnet (ALB) | HTTP/HTTPS | VPC CIDR | 80, 443 | Outbound | Allow | Allows traffic to backend services. |
| 130 | Public Subnet (ALB) | All | 0.0.0.0/0 | All | Outbound | Deny | Blocks unintended outbound traffic. |
| 200 | Private Subnet (ECS/Backend Services) | HTTP | Public Subnet (ALB) | 8080 | Inbound | Allow | Allows ALB to send traffic to backend services. |
| 210 | Private Subnet (ECS/Backend Services) | Database | Database Subnet | 5432 | Inbound | Allow | Allows backend services to connect to RDS. |
| 220 | Private Subnet (ECS/Backend Services) | All | 0.0.0.0/0 | All | Inbound | Deny | Blocks all other inbound traffic. |
| 230 | Private Subnet (ECS/Backend Services) | HTTPS | 0.0.0.0/0 | 443 | Outbound | Allow | Allows secure AWS API access (e.g., S3, Secrets Manager). |
| 300 | Database Subnet (RDS) | Database | Private Subnet (ECS) | 5432 | Inbound | Allow | Ensures only backend services can access the database. |
| 310 | Database Subnet (RDS) | All | 0.0.0.0/0 | All | Inbound | Deny | Blocks unauthorized database access. |
| 320 | Database Subnet (RDS) | All | 0.0.0.0/0 | All | Outbound | Deny | Prevents unintended outbound connections. |
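An added example, not part of SecureCart's own material, that evaluates the NACL table exactly the way the VPC does: rules are checked in ascending number order, the first match decides, and anything unmatched hits the implicit deny. The subnet CIDRs, the VPC CIDR and the probe packets are constructed. The probes include the return half of each legitimate flow because, unlike security groups, NACLs are stateless: a response from an AWS API to a backend arrives inbound on an ephemeral port, and as the table stands rules 130, 220 and 320 deny that return traffic. A practitioner would add allow rules for the ephemeral range (1024-65535) ahead of those catch-all denies; running the evaluator makes the gap visible before the change is applied.

```python
import ipaddress

# Constructed CIDRs standing in for the table's symbolic sources/destinations.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_SUBNET, PRIVATE_SUBNET, DB_SUBNET = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"
ANY_PORT = [(0, 65535)]
WEB = [(80, 80), (443, 443)]

# The table's rules: (rule number, direction, peer CIDR, port ranges, action).
NACLS = {
    "public": [
        (100, "in", "0.0.0.0/0", WEB, "allow"),
        (110, "in", "0.0.0.0/0", ANY_PORT, "deny"),
        (120, "out", VPC_CIDR, WEB, "allow"),
        (130, "out", "0.0.0.0/0", ANY_PORT, "deny"),
    ],
    "private": [
        (200, "in", PUBLIC_SUBNET, [(8080, 8080)], "allow"),
        (210, "in", DB_SUBNET, [(5432, 5432)], "allow"),
        (220, "in", "0.0.0.0/0", ANY_PORT, "deny"),
        (230, "out", "0.0.0.0/0", [(443, 443)], "allow"),
    ],
    "database": [
        (300, "in", PRIVATE_SUBNET, [(5432, 5432)], "allow"),
        (310, "in", "0.0.0.0/0", ANY_PORT, "deny"),
        (320, "out", "0.0.0.0/0", ANY_PORT, "deny"),
    ],
}


def evaluate(subnet, direction, peer_ip, dst_port):
    """Lowest rule number first, first match wins; no match is the implicit deny ('*').

    For inbound traffic peer_ip is the source; for outbound it is the destination.
    """
    peer = ipaddress.ip_address(peer_ip)
    rules = sorted((r for r in NACLS[subnet] if r[1] == direction), key=lambda r: r[0])
    for number, _, cidr, ports, action in rules:
        if peer in ipaddress.ip_network(cidr) and any(lo <= dst_port <= hi for lo, hi in ports):
            return action, number
    return "deny", "*"


# Constructed probe packets: (label, subnet, direction, peer ip, destination port).
PROBES = [
    ("customer HTTPS request to ALB", "public", "in", "203.0.113.10", 443),
    ("SSH probe against public subnet", "public", "in", "203.0.113.10", 22),
    ("ALB forwarding to backend on 8080", "private", "in", "10.0.1.25", 8080),
    ("backend calling Secrets Manager API", "private", "out", "52.46.128.10", 443),
    ("API response back to backend (ephemeral port)", "private", "in", "52.46.128.10", 49152),
    ("ALB response back to customer (ephemeral port)", "public", "out", "203.0.113.10", 49152),
    ("backend opening RDS connection", "database", "in", "10.0.2.40", 5432),
    ("RDS reply to backend (ephemeral port)", "database", "out", "10.0.2.40", 49152),
]


def run_probes(probes=PROBES):
    """Return {label: (action, matched rule)} for each probe packet."""
    return {label: evaluate(subnet, direction, ip, port)
            for label, subnet, direction, ip, port in probes}


if __name__ == "__main__":
    for label, (action, rule) in run_probes().items():
        print(f"{action:5} rule {str(rule):>3}  {label}")
```

The three "ephemeral port" probes are the ones to watch: each is the second half of a flow the table intends to allow, and each is denied by a catch-all rule. Since the VPC's implicit deny already covers unmatched traffic, those explicit deny rows add nothing except the certainty that any later allow rule with a higher number will never be reached.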

  • AWS WAF (Web Application Firewall)

    • Protects API Gateway and ALB from attacks like SQL Injection and XSS.

The following AWS WAF rule set is applied to SecureCart’s ALB and API Gateway.

| Rule Name | Type | Action | Purpose |
|---|---|---|---|
| Block SQL Injection | AWS Managed Rule | Block | Prevents SQL Injection attempts targeting API requests. |
| Block XSS Attacks | AWS Managed Rule | Block | Protects against JavaScript injection in web forms. |
| Rate Limiting | Rate-Based Rule | Block if > 100 requests in 5 min | Prevents bot-driven brute force attacks. |
| Block Known Malicious IPs | IP Reputation List | Block | Uses AWS Threat Intelligence feeds to block malicious actors. |
| Block Requests from Unapproved Countries | Geo-Blocking | Block | Restricts access to SecureCart’s API to U.S. and Europe only. |

AWS WAF automatically updates managed rulesets, ensuring continuous protection against evolving threats.
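The table's rate-based rule, more than 100 requests from one client IP within 5 minutes, implemented as a sliding-window counter over ALB access-log lines. This is an added example, not SecureCart's configuration: AWS WAF enforces the rule inside the service, and the point here is to replay logs offline and see which clients the threshold would have blocked before switching the rule from Count to Block. The log lines are constructed in the leading fields of the ALB access-log format (type, time, elb, client:port, ...); only those fields are parsed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 100                      # from the table: block if > 100 requests ...
WINDOW = timedelta(minutes=5)    # ... within 5 minutes
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_alb_line(line):
    """Pull (timestamp, client ip) out of an ALB access-log line.

    Only the first four space-separated fields are used: type, time, elb,
    client:port. Everything after that is ignored.
    """
    fields = line.split(" ", 4)
    ts = datetime.strptime(fields[1], TS_FMT)
    client_ip = fields[3].rsplit(":", 1)[0]
    return ts, client_ip


def over_limit_ips(events, limit=LIMIT, window=WINDOW):
    """Sliding-window count per IP; returns {ip: time it first exceeded the limit}.

    events must be (timestamp, ip) pairs in ascending time order.
    """
    recent = defaultdict(deque)
    first_exceeded = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop requests that fell out of the window
            q.popleft()
        if len(q) > limit and ip not in first_exceeded:
            first_exceeded[ip] = ts
    return first_exceeded


def detect(lines, limit=LIMIT, window=WINDOW):
    """Parse, order by time, and apply the rate rule to a batch of log lines."""
    events = sorted(parse_alb_line(line) for line in lines)
    return over_limit_ips(events, limit, window)


def sample_log_lines():
    """Constructed log: one client hammering /login, one customer browsing normally."""
    start = datetime(2025, 1, 15, 10, 0, 0)
    tmpl = ('https {ts} app/securecart-alb/constructed {ip}:{port} 10.0.2.10:8080 '
            '0.001 0.004 0.000 {status} {status} 120 512 '
            '"POST https://shop.example/login HTTP/1.1"')
    lines = []
    for i in range(150):   # 150 requests in two minutes from a single source
        ts = (start + timedelta(milliseconds=800 * i)).strftime(TS_FMT)
        lines.append(tmpl.format(ts=ts, ip="203.0.113.7", port=40000 + i, status=401))
    for i in range(30):    # 30 requests spread over five minutes from a normal customer
        ts = (start + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(tmpl.format(ts=ts, ip="198.51.100.4", port=50000 + i, status=200))
    return lines


if __name__ == "__main__":
    for ip, when in detect(sample_log_lines()).items():
        print(f"{ip} exceeded {LIMIT} requests / {WINDOW} at {when.isoformat()}")
```

On the constructed log the brute-forcing client crosses the threshold on its 101st request, 80 seconds in, while the normal customer never does. Replaying a day of real logs the same way answers the question that matters before enabling Block: whether any legitimate client (a corporate NAT, a partner integration) would trip the limit.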

  • AWS Shield

    • Defends SecureCart against DDoS attacks on its public endpoints.

Use Case: SecureCart’s RDS database is placed in a private subnet, ensuring only ECS tasks can connect through Security Groups and blocking all external access.


Enforce Secure Application Access

Goal: Implement strong authentication and authorization mechanisms to prevent unauthorized access.

Implementation

  • Amazon Cognito for Authentication

    • SecureCart customers authenticate via Cognito User Pools before accessing the platform.

  • IAM Role-based Access for Services

    • ECS tasks assume IAM roles to interact with S3 and DynamoDB.

    • Lambda functions assume roles to process customer orders securely.

  • API Gateway Authorization

    • Enforces Cognito-based authentication for API endpoints.

Use Case: SecureCart’s API Gateway allows only authenticated Cognito users to fetch order history, ensuring unauthorized requests are blocked.


Protecting Workloads from External Threats

Goal: Detect, prevent, and mitigate security threats targeting SecureCart’s workloads.

Implementation

  • AWS GuardDuty

    • Monitors for anomalous API calls, unauthorized access attempts, and data exfiltration.

  • AWS WAF Rules

    • Blocks malicious traffic such as SQL Injection and XSS attacks.

  • AWS Config

    • Ensures compliance by checking security settings (e.g., encrypted S3 buckets, security group rules).

  • AWS CloudTrail

    • Logs every API request for security auditing and investigation.

Use Case: If AWS GuardDuty detects a brute-force attack, SecureCart automatically updates WAF rules to block the attacker’s IP.
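The response described in that use case, written out as an added example rather than SecureCart's own Lambda: the handler receives a GuardDuty finding via EventBridge, extracts the remote IP, and adds it to a WAF IP set that the ALB's blocking rule references. The finding types treated as brute force, the IP set identifiers, the VPC CIDR, the sample finding and the fake WAF client are all assumptions for the demo; inside Lambda the handler would use `boto3.client("wafv2")`. Two guards keep the automation from being turned against SecureCart itself: only inbound findings are acted on (for an outbound finding the "remote" host is the victim), and addresses in private or VPC ranges are never added to the blocklist.

```python
import ipaddress

# Constructed identifiers: the WAF IP set that the blocking rule references.
IP_SET = {"Name": "securecart-auto-blocklist", "Scope": "REGIONAL", "Id": "constructed-ip-set-id"}
VPC_CIDR = "10.0.0.0/16"   # constructed

# Assumed runbook: only brute-force finding types are auto-blocked; everything else
# is left for a human to review in Security Hub.
AUTO_BLOCK_TYPES = {
    "UnauthorizedAccess:EC2/SSHBruteForce",
    "UnauthorizedAccess:EC2/RDPBruteForce",
}

# Ranges the automation must never add to the blocklist, whatever a finding says:
# a spoofed or misattributed finding must not cut off SecureCart's own network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    VPC_CIDR, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]


def extract_attacker_ip(finding):
    """Return the remote IP only when the connection was inbound to SecureCart.

    For an OUTBOUND finding the 'remote' side is the victim, not the attacker,
    so there is nothing safe to block.
    """
    net = finding.get("service", {}).get("action", {}).get("networkConnectionAction")
    if not net or net.get("connectionDirection") != "INBOUND":
        return None
    return net.get("remoteIpDetails", {}).get("ipAddressV4")


def is_blockable(ip_text):
    """True for a syntactically valid IPv4 address outside every protected range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in net for net in NEVER_BLOCK)


def handler(event, context=None, waf=None):
    """Lambda entry point; `waf` is injected for offline runs, Lambda uses boto3."""
    if waf is None:
        import boto3   # only needed inside Lambda
        waf = boto3.client("wafv2")
    finding = event["detail"]
    if finding.get("type") not in AUTO_BLOCK_TYPES:
        return {"action": "ignored", "reason": f"type {finding.get('type')} is not auto-blocked"}
    ip = extract_attacker_ip(finding)
    if ip is None or not is_blockable(ip):
        return {"action": "ignored", "reason": f"no blockable inbound source ({ip})"}
    cidr = f"{ip}/32"
    current = waf.get_ip_set(**IP_SET)          # LockToken gives optimistic concurrency
    addresses = set(current["IPSet"]["Addresses"])
    if cidr in addresses:
        return {"action": "already_blocked", "ip": cidr}
    addresses.add(cidr)
    waf.update_ip_set(**IP_SET, Addresses=sorted(addresses), LockToken=current["LockToken"])
    return {"action": "blocked", "ip": cidr}


class FakeWafClient:
    """Constructed stand-in for boto3's wafv2 client (offline demo only)."""

    def __init__(self):
        self.addresses = ["198.51.100.200/32"]
        self.lock = "token-1"

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Name": Name, "Addresses": list(self.addresses)}, "LockToken": self.lock}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        if LockToken != self.lock:
            raise RuntimeError("WAFOptimisticLockException")  # as the real API would
        self.addresses = list(Addresses)
        self.lock = "token-2"
        return {"NextLockToken": self.lock}


def make_event(finding_type="UnauthorizedAccess:EC2/SSHBruteForce",
               direction="INBOUND", ip="203.0.113.10"):
    """Constructed EventBridge event carrying a GuardDuty finding (fields trimmed to those used)."""
    return {"detail-type": "GuardDuty Finding", "detail": {
        "type": finding_type, "severity": 5,
        "service": {"action": {"actionType": "NETWORK_CONNECTION",
                               "networkConnectionAction": {
                                   "connectionDirection": direction,
                                   "remoteIpDetails": {"ipAddressV4": ip}}}}}}


if __name__ == "__main__":
    waf = FakeWafClient()
    print(handler(make_event(), waf=waf))
    print(handler(make_event(), waf=waf))                         # idempotent
    print(handler(make_event(direction="OUTBOUND"), waf=waf))     # victim side, ignored
    print(handler(make_event(ip="10.0.2.40"), waf=waf))           # own VPC, ignored
    print("blocklist now:", waf.addresses)
```

The `get_ip_set` / `update_ip_set` pair is how the real API works: every update must carry the lock token from the preceding read, so two findings processed concurrently cannot silently overwrite each other's additions; the fake client reproduces that so the retry path can be exercised without an AWS account.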


Automating Security & Compliance

Goal: Continuously enforce security controls and automatically respond to threats.

Implementation

  • AWS Security Hub

    • Centralizes security findings across GuardDuty, AWS Config, and IAM Access Analyzer.

  • AWS Lambda for Automated Security Remediation

    • Automatically revokes excessive permissions when detected.

    • Disables unused IAM access keys.

  • IAM Access Analyzer

    • Identifies unintended public access to resources.

  • AWS Config Rules

    • Ensures encryption is enabled for S3, RDS, and EBS volumes.

Use Case: SecureCart enforces automatic encryption for new S3 buckets using an AWS Config rule, preventing misconfigurations.
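The "disables unused IAM access keys" remediation above, as an added example that is not SecureCart's own Lambda: it lists each user's keys, looks up when each was last used, and deactivates active keys idle for longer than a threshold. The 90-day threshold, the user names, the key ids and the fake IAM client are assumptions for the demo; in Lambda the `iam` argument would be `boto3.client("iam")`, whose `list_access_keys`, `get_access_key_last_used` and `update_access_key` calls the fake mirrors. Keys are set to Inactive rather than deleted so a false positive can be reversed.

```python
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 90   # assumed SecureCart threshold
DEMO_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock for the constructed data


def stale_keys(iam, users, now=None, max_idle_days=MAX_IDLE_DAYS):
    """Return [(user, key_id, reason)] for active keys idle longer than max_idle_days.

    A key that has never been used counts as stale once it is older than the
    threshold; a key used recently is left alone even if it is old.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for user in users:
        for meta in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if meta["Status"] != "Active":
                continue
            last = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])["AccessKeyLastUsed"]
            last_used = last.get("LastUsedDate")   # absent when the key was never used
            if last_used is None:
                if meta["CreateDate"] < cutoff:
                    stale.append((user, meta["AccessKeyId"], "never used"))
            elif last_used < cutoff:
                stale.append((user, meta["AccessKeyId"], f"last used {last_used.date()}"))
    return stale


def deactivate_stale_keys(iam, users, now=None):
    """Deactivate (not delete) stale keys so a false positive is reversible."""
    changed = []
    for user, key_id, reason in stale_keys(iam, users, now):
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
        changed.append((user, key_id, reason))
    return changed


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client (offline demo only)."""

    def __init__(self, now):
        def days_ago(n):
            return now - timedelta(days=n)
        self.keys = {
            "deploy-bot": [
                {"AccessKeyId": "AKIACONSTRUCTED00001", "Status": "Active", "CreateDate": days_ago(400)}],
            "old-contractor": [
                {"AccessKeyId": "AKIACONSTRUCTED00002", "Status": "Active", "CreateDate": days_ago(300)},
                {"AccessKeyId": "AKIACONSTRUCTED00003", "Status": "Inactive", "CreateDate": days_ago(300)}],
            "new-hire": [
                {"AccessKeyId": "AKIACONSTRUCTED00004", "Status": "Active", "CreateDate": days_ago(10)}],
        }
        # Old key still in daily use; contractor key idle for four months; new key never used.
        self.last_used = {"AKIACONSTRUCTED00001": days_ago(2), "AKIACONSTRUCTED00002": days_ago(120)}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys[UserName]]}

    def get_access_key_last_used(self, AccessKeyId):
        info = {"ServiceName": "s3", "Region": "us-east-1"}
        if AccessKeyId in self.last_used:
            info["LastUsedDate"] = self.last_used[AccessKeyId]
        return {"AccessKeyLastUsed": info}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status


def demo():
    """Run the remediation against the constructed account; returns (changes, client)."""
    iam = FakeIamClient(DEMO_NOW)
    return deactivate_stale_keys(iam, list(iam.keys), DEMO_NOW), iam


if __name__ == "__main__":
    changes, iam = demo()
    for user, key_id, reason in changes:
        print(f"deactivated {key_id} for {user}: {reason}")
    print({u: [(k["AccessKeyId"], k["Status"]) for k in keys] for u, keys in iam.keys.items()})
```

On the constructed account only the contractor's key is deactivated: the deploy bot's key is old but in daily use, the new hire's unused key is younger than the threshold, and the already-inactive key is skipped. The decision is driven by last use rather than creation date on purpose; age-based rotation is a separate control.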
