Monday, November 25, 2024

Establishing a Secure Foundation for Kupala-Nich


M 917 536 3378
maksim_kozyarchuk@yahoo.com



Establishing a secure foundation for the Kupala-Nich (https://kupala-nich.com) application is a critical step in transforming it from a demo into a multi-tenant application. This article outlines the security measures in place, focusing on access control, data protection, and API Gateway security. Feedback and critique are welcome to ensure these measures remain effective and resilient against emerging threats. Maintaining the integrity and confidentiality of the system is my top priority.


1. Application Access Security

Securing access to the Kupala-Nich application is the first line of defense. The following practices ensure robust access control:

  • Multi-Factor Authentication (MFA) is required for all AWS accounts accessing Kupala-Nich, reducing the risk of unauthorized access.

  • Deployment Management is handled through OpenID Connect (OIDC), which ties deployments to specific roles and avoids the need to create API access keys.

  • Least Privilege Principle is applied to all Lambda functions, granting them only the permissions needed for their specific tasks.

  • AWS CloudShell is used for administrative access, eliminating the need for static access keys.

Dynamic Policies

Lambda permissions are defined via CloudFormation templates, which are managed in code. Regular policy reviews are planned to maintain alignment with best practices and prevent privilege escalation.


2. Securing Data in AWS

The Kupala-Nich application stores all sensitive data in DynamoDB, leveraging its robust security features. DynamoDB encrypts data at rest and in transit automatically, meeting strict encryption compliance and regulatory requirements.

Position and Transaction Data

After evaluating additional encryption layers for position and transaction data, I decided against them for the following reasons:

  • Existing Security: DynamoDB already provides a secure storage solution.

  • Development Complexity: Encrypting individual fields would require converting native DynamoDB data types into encrypted strings, complicating development and debugging processes.

  • Performance Impact: Decrypting data on demand would introduce latency, degrading the user experience.

  • Cost: Frequent encryption and decryption operations with AWS Key Management Service (KMS) would lead to significant costs.

PII and Other Highly Sensitive Data

While encryption secures the data within AWS, it does not protect against misuse of compromised accounts or roles. For highly sensitive data, such as personally identifiable information (PII) or vendor credentials, an additional encryption layer will be implemented.

Controlled Data Access

Access to data is only available through API Gateways with built-in authentication and authorization, ensuring users can retrieve only the data they are authorized to access. More details on this are covered in the next section.

Private Environments

For users requiring additional security guarantees, private environments can be created. This builds on the existing separation of production and development environments to enhance data isolation.


3. Securing API Gateway Access (Under Construction)

Both WebSocket (WS) and HTTP API Gateways manage user interactions with the Kupala-Nich application. Several layers of security will ensure the protection of data:

Authentication with Cognito

  • Users authenticate via AWS Cognito, which issues JSON Web Tokens (JWTs) for session management.

  • During WebSocket $connect, JWTs are validated, and a mapping is established between the connection ID and the authenticated user.

  • Subsequent interactions within the session/connection use the established authentication.

  • All communication through WS and HTTP API Gateways is secured with TLS (SSL).

Authorization based on data ownership

  • Portfolios, datasets, and other resources are tied to user ownership, enabling simple checks to determine whether a user is authorized to access specific data.

  • Lambda functions ensure that only authorized data is returned, relying on defined schemas that include user IDs for validation.

  • Queries to DynamoDB are structured such that either the sort key or an index is based on the user ID, making it natural to retrieve data for authorized users only.

  • Automated tests validate API endpoints to ensure the appropriate data is returned to the user.
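The two lists above describe one flow: validate the Cognito JWT once at WebSocket $connect, remember which user owns the connection, then answer later messages with queries keyed on that user ID. The following is an added illustration of that flow, not code from the Kupala-Nich project. It assumes an ID token (`token_use` of `id`), and it substitutes HS256 with a constructed secret for Cognito's RS256/JWKS signature check so that it runs offline; the pool issuer, app client ID, table contents and function names are placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins. Cognito signs with RS256 and publishes its public keys at
# https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json; HS256
# with a fixed secret is used here only so the example runs offline.
SECRET = b"constructed-demo-secret"
ISSUER = "https://cognito-idp.<region>.amazonaws.com/<pool-id>"  # placeholder
CLIENT_ID = "<app-client-id>"  # placeholder
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Mint a test token in place of the ID token Cognito would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Accept only a correctly signed, unexpired ID token for this pool and client."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if (claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or "sub" not in claims
            or claims.get("token_use") != "id" or claims.get("exp", 0) <= now):
        raise PermissionError("wrong issuer, audience, token_use or subject, or expired")
    return claims

# Stand-ins for two DynamoDB tables (constructed data): connection -> user, and portfolios keyed by owner.
CONNECTIONS: dict = {}
PORTFOLIOS = [{"user_id": "user-a", "name": "growth"}, {"user_id": "user-b", "name": "income"}]

def on_connect(connection_id: str, token: str, now=None) -> int:
    """$connect route: validate the JWT once and record which user owns this connection."""
    try:
        CONNECTIONS[connection_id] = verify_token(token, now)["sub"]
    except (PermissionError, ValueError, AttributeError):
        return 401
    return 200

def list_portfolios(connection_id: str) -> list:
    """Later route: identity comes from the mapping, and the query is keyed on it."""
    user_id = CONNECTIONS.get(connection_id)
    return [p for p in PORTFOLIOS if p["user_id"] == user_id] if user_id else []
```

A connection whose token failed at $connect never enters the mapping, so a later message on it cannot name a user and returns nothing; a DynamoDB query whose key condition is the mapped user ID gives the same property in production.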

Additional enhancements

API Gateway will not initially require API keys. However, API keys may be introduced in the future to enable throttling and rate-limiting of API calls, adding an extra layer of security on top of JWT-based authorization.


Combining Security Measures

Kupala-Nich employs a combination of application access security, data security, and API security to provide a comprehensive approach to safeguarding the application and its data.

Feedback and critique are encouraged to ensure these measures remain effective and resilient against emerging threats. As the implementation of API Gateway security is further developed, this document will be updated with additional details and implementation specifics.


