Our client is a global supply chain management provider that offers low-cost solutions, risk mitigation, and strategic sourcing. Their infrastructure was managed through a manual, tedious process that depended on several different people, each applying their own criteria to decide what changes were made. This was a less than ideal way to manage resources, with little adherence to best practices. For this reason, and after a detailed analysis of the problem, 3XM proposed that the client adapt its infrastructure according to security best practices, incorporating AWS resources and using Infrastructure as Code (IaC) through Terraform.
The solution had to allow a production and development infrastructure to be created quickly while remaining compliant with the given security standards. For this purpose, we used Infrastructure as Code to provision the infrastructure, which lets us keep a detailed record of every change and replicate and deploy the infrastructure with minimal effort.
Additionally, we adjusted the settings to improve security within the infrastructure. This was achieved by isolating environments from the Internet, and between each other.
This way, those who have access to one environment do not automatically acquire access to the rest. Likewise, a VPN service was implemented as the only point of access to the components of the infrastructure, and policies mandating MFA were implemented for all users with access to the AWS console.
It is worth mentioning that the necessary foundations were left in place for a future high-availability implementation in the production environment.
The client came to 3XM with the goal of improving security within their infrastructure. We used IaC to create it from Terraform code, so that it could be secured and easily recreated if necessary.
Among the benefits achieved:
- Creation of the entire infrastructure from Terraform code, which allows it to be versioned and protected in git.
- Isolation of the development, production and legacy environments from the Internet and from each other, eliminating the possibility of unrestricted access to them from outside.
- Access to infrastructure through a single access point, controlled and secured through a VPN server.
- Possibility of creating multiple development environments.
- Encryption of all databases using KMS.
- Easier access to web servers and DB servers within the infrastructure through internal name resolution, provided by a Route53 private hosted zone.
- Optimization of AWS resources used.
- S3 bucket encryption.
- Detailed documentation of the new infrastructure was generated.
- Detailed instructions for the administration of the VPN were generated.
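As an added illustration of three of the items above (not the project's own Terraform), the fragment below wires a customer-managed KMS key into an RDS database and an S3 bucket and publishes the database under a Route53 private hosted zone; the VPC and subnet ids, resource names and instance sizes are assumptions.

```hcl
# Added example, not the project's code: VPC/subnet ids, names and sizes are assumptions.
variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }
# One customer-managed KMS key, rotated yearly, shared by the databases and buckets.
resource "aws_kms_key" "data" {
  description         = "Data-at-rest key for RDS and S3"
  enable_key_rotation = true
}
# The DB sits in private subnets only: reachable via the VPN, never from the Internet.
resource "aws_db_subnet_group" "private" {
  name       = "app-db-private"
  subnet_ids = var.private_subnet_ids
}
resource "aws_db_instance" "app" {
  identifier                  = "app-db"
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 50
  db_subnet_group_name        = aws_db_subnet_group.private.name
  publicly_accessible         = false
  storage_encrypted           = true
  kms_key_id                  = aws_kms_key.data.arn
  username                    = "appadmin"
  manage_master_user_password = true # generated by AWS and kept in Secrets Manager
  skip_final_snapshot         = true
}

# Bucket encrypted at rest with the same key (bucket name is a placeholder).
resource "aws_s3_bucket" "artifacts" { bucket = "example-artifacts-bucket-placeholder" }
resource "aws_s3_bucket_server_side_encryption_configuration" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
  }
}
# Private hosted zone so servers reach the database by a stable internal name.
resource "aws_route53_zone" "internal" {
  name = "internal.example"
  vpc { vpc_id = var.vpc_id }
}
resource "aws_route53_record" "db" {
  zone_id = aws_route53_zone.internal.zone_id
  name    = "db.internal.example"
  type    = "CNAME"
  ttl     = 300
  records = [aws_db_instance.app.address]
}
```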
The following technologies were used in the solution:
- VPC Peering
- S3 buckets
- Web Application Firewall (WAF)
- Key Management Service (KMS)
- Certificate Manager
- API Gateway