
Building a secure environment using Fargate in Amazon Web Services

ABOUT THE PROJECT

A leading global marketing company providing strategic, creative, and integrated marketing services for healthcare and medical communications has contacted us to build an environment within Amazon Web Services (AWS).

The company's main concerns are security and data privacy. The safety of patients' data is the most significant barrier when considering the adoption of Healthcare Information Systems (HIS) in the healthcare industry. To mitigate security risks, our expert team proposed a series of solutions for data and privacy protection.
Our case study provides a comprehensive evaluation and implementation of HIS security, detailing the challenges met along the way and recommendations for its implementation.
Our project analysed the security perspective and the main concerns for the successful use of information systems in healthcare.
The goal was to achieve full functionality, better than that of the existing, less security-restricted environment, in a fully automated way.

THE CHALLENGE

The project consisted of a small application that did not require a huge cluster or resources.

The main concern was that the environment needed to be highly available, scalable, and secure. We suggested running everything in AWS, where we have extensive experience running such cluster environments in a highly secure manner.
In addition to the need for an extremely secure environment, we had short deadlines for its preparation. This project is a source of pride for our team because, despite the short time frame, everything was prepared on time without neglecting the security and the quality of execution.

THE SOLUTION

→We used Terraform and Ansible to spin up 3 Elastic Compute Cloud (EC2) instances running MongoDB in replica set mode. All MongoDB data is stored on encrypted Elastic Block Store (EBS) volumes. These instances sit in the private network, and their security group accepts traffic only from the application containers.
→Using Terraform, we spun up Elastic Container Service (ECS) with Fargate for container deployment and orchestration, and an Application Load Balancer which sits at the border between the private and public networks.
→AWS WAF (a web application firewall) gives control over which traffic to allow or block by defining customizable web security rules. We used it to whitelist only trusted IP addresses, and we added XSS and SQL injection filters. In conjunction with AWS WAF, CloudFront also helps secure web applications. Amazon CloudFront increases the performance of web applications and significantly lowers the latency of delivering content. Moreover, as AWS Shield was enabled by default, it served as another layer of protection against DDoS attacks.
→A Lambda function updates all of the Application Load Balancer's security groups so that they accept traffic only from CloudFront's published IP ranges. A load balancer serves as the single point of contact for clients. The load balancer distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple Availability Zones, which increases the availability of the application. In our case, the Application Load Balancer is within the public network but accepts traffic only from CloudFront.
→For maximum isolation, we use separate accounts for each environment:
We have a shared account where we manage all the users who will work with the AWS environments. It also contains all the additional tools we need: Jenkins for CI/CD, SonarQube for Static Code Analysis (SAST), an Elasticsearch service for log analytics, and all bastion hosts (jump hosts), which are used when we need to access the MongoDB hosts, for example for troubleshooting.
Each account has its own VPC (Virtual Private Cloud), and the VPCs are connected to each other through VPC peering. To jump between different environments and accounts, we use IAM roles, which are assumed by specific users in the shared account, in order to increase efficiency and lower downtime.
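The core of the Lambda step described above (keeping the load balancer's security group in sync with CloudFront's published ranges) is a diff between the CLOUDFRONT entries of AWS's ip-ranges.json and the group's current ingress rules. The following is an added example, not the project's own Lambda code: it uses a constructed excerpt of ip-ranges.json, leaves out the boto3 calls so it runs offline, and refuses to act on an empty range set so that a truncated download can never strip every rule.

```python
import ipaddress
import json

# Constructed excerpt in the shape of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json); values are illustrative only.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.35.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "S3"},
    ],
})


def cloudfront_prefixes(ip_ranges_json):
    """Return the set of IPv4 CIDRs that AWS labels as the CLOUDFRONT service."""
    doc = json.loads(ip_ranges_json)
    prefixes = set()
    for entry in doc.get("prefixes", []):
        if entry.get("service") != "CLOUDFRONT":
            continue
        # strict=True rejects malformed prefixes instead of silently widening them
        prefixes.add(str(ipaddress.ip_network(entry["ip_prefix"], strict=True)))
    return prefixes


def plan_sg_update(current_cidrs, desired_cidrs):
    """Diff the ALB security group's current ingress CIDRs against the desired set.

    Returns (to_revoke, to_authorize). Raises if the desired set is empty, so a
    truncated or malformed ip-ranges document can never remove every rule and
    leave the group with no CloudFront sources at all.
    """
    if not desired_cidrs:
        raise ValueError("refusing to apply an empty CloudFront range set")
    current = {str(ipaddress.ip_network(c)) for c in current_cidrs}
    to_revoke = sorted(current - set(desired_cidrs))
    to_authorize = sorted(set(desired_cidrs) - current)
    # In the real Lambda these lists feed ec2.revoke_security_group_ingress and
    # ec2.authorize_security_group_ingress for the ALB's group on port 443.
    return to_revoke, to_authorize


if __name__ == "__main__":
    desired = cloudfront_prefixes(SAMPLE_IP_RANGES)
    # Constructed current state: one CloudFront range plus a leftover wide-open rule.
    revoke, authorize = plan_sg_update(["13.32.0.0/15", "0.0.0.0/0"], desired)
    print("revoke:", revoke, "authorize:", authorize)
```

Revoking before authorizing would briefly drop edge traffic, so a production function should authorize the new ranges first and revoke stale ones afterwards.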

THE CONCLUSION

Using CloudFront as an additional level of security, placing all computing resources inside a private network, and encrypting traffic and data at rest, we achieved a high level of security, fulfilling the demands of our customer. Using ECS with Fargate, we managed to set up the environment ahead of the deadline.