Created November 6, 2018 21:32
Security
1. Disable the port 80 listener on the ALB web listeners (FE UI, BE API, Micro), or confirm that they result in 443 redirections.
> Done
2. Confirm that port 8080 on the ALB target groups is configured for SSL only.
> Primitive approach. Refer to this: https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/
3. Confirm that SSL is enabled for the PGSQL listeners on TCP 5432 for the AVA Backend and AVA Central Station DBs.
> Requires changes in the app as well. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.SSL
4. Limit BackEnd service access to the FrontEndWeb UI servers.
5. Limit Microservices service access to the BackEnd API servers.
> The above two need vetting from the application side, to confirm the right architecture.
6. Disable Kafka TCP 9092 and enable SSL on Kafka TCP port 9093.
7. Disable the Zookeeper clientPort and enable the Zookeeper secureClientPort.
   a. If the Zookeeper listeners only respond to localhost calls, you could alternatively configure drops for other sources.
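As an added example (not part of this gist), a small Python check for items 6 and 7: it parses constructed Kafka `server.properties` and ZooKeeper `zoo.cfg` snippets (weak and hardened) and reports a plaintext 9092 listener, a missing SSL listener on 9093, a still-enabled `clientPort`, or a missing `secureClientPort`. It assumes the standard property names `listeners`, `listener.security.protocol.map`, `clientPort`, `secureClientPort` and `serverCnxnFactory`.

```python
"""Audit Kafka / ZooKeeper properties text against checklist items 6 and 7."""

NETTY = "org.apache.zookeeper.server.NettyServerCnxnFactory"


def parse_properties(text):
    """Parse Java-style key=value properties; blanks and # / ! comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def kafka_findings(text):
    """Item 6: no PLAINTEXT listener should remain, and an SSL listener must sit on 9093."""
    p = parse_properties(text)
    # Listener names may be custom (e.g. INTERNAL) and mapped to a protocol here.
    proto_map = dict(kv.split(":", 1) for kv in
                     p.get("listener.security.protocol.map", "").split(",") if ":" in kv)
    findings, ssl_on_9093 = [], False
    for entry in filter(None, p.get("listeners", "").split(",")):
        name, _, hostport = entry.partition("://")     # PROTOCOL://host:port
        proto = proto_map.get(name, name).upper()
        port = hostport.rsplit(":", 1)[-1]
        if proto == "PLAINTEXT":
            findings.append(f"plaintext Kafka listener on port {port}")
        if proto == "SSL" and port == "9093":
            ssl_on_9093 = True
    if not ssl_on_9093:
        findings.append("no SSL listener on 9093")
    return findings


def zookeeper_findings(text):
    """Item 7: clientPort must be gone; secureClientPort needs the Netty connection factory."""
    p = parse_properties(text)
    findings = []
    if "clientPort" in p:
        findings.append(f"ZooKeeper plaintext clientPort={p['clientPort']} still enabled")
    if "secureClientPort" not in p:
        findings.append("ZooKeeper secureClientPort not set")
    elif p.get("serverCnxnFactory") != NETTY:
        findings.append("secureClientPort requires serverCnxnFactory=" + NETTY)
    return findings


# Constructed sample configs: the weak form beside the hardened one.
WEAK_KAFKA = "listeners=PLAINTEXT://:9092\n"
HARDENED_KAFKA = "# SSL only on 9093\nlisteners=SSL://:9093\nssl.keystore.location=/etc/kafka/broker.jks\n"
WEAK_ZK = "clientPort=2181\n"
HARDENED_ZK = f"secureClientPort=2281\nserverCnxnFactory={NETTY}\n"

if __name__ == "__main__":
    for label, fn, cfg in [("kafka weak", kafka_findings, WEAK_KAFKA), ("kafka hardened", kafka_findings, HARDENED_KAFKA),
                           ("zk weak", zookeeper_findings, WEAK_ZK), ("zk hardened", zookeeper_findings, HARDENED_ZK)]:
        print(label, fn(cfg) or "OK")
```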