diff --git a/README.md b/README.md index 3dcf3ff..1c9ac34 100644 --- a/README.md +++ b/README.md @@ -11,12 +11,6 @@ The cloudific Secure Cloud Monitor Monitor project is designed to enhance the se - **AWS WAF and Shield**: Services providing protection against DDoS attacks and other web exploits. - **AWS IAM**: Manages access to AWS services and resources securely. - **AWS VPC**: Isolates cloud resources with virtual networking environment. -- **AWS ALB**: Automatically distributes incoming application traffic across multiple targets. -- **Amazon GuardDuty**: Threat detection service that continuously monitors malicious or unauthorized behavior. -- **AWS Config**: Service that enables you to assess, audit, and evaluate the configurations of AWS resources. -- **AWS CloudTrail**: Service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. -- **AWS Systems Manager**: Helps you manage your AWS resources. -- **Aviatrix**: Cloud network platform with enhanced security and multi-cloud network visibility. ## Prerequisites 
@@ -36,28 +30,42 @@ Before you begin, ensure you have the following: ## Setup Instructions -1. **Clone the Repository**: +1. **Steps to configure GitHub Secrets:** - `git clone https://github.com/alvo254/cloudific.git cd cloudific` +- **Go to your GitHub repository**: Navigate to the GitHub repository where your project is hosted. +- **Settings**: Click on the **Settings** tab at the top of the repository. +- **Secrets**: From the sidebar, select **Secrets & variables** > **Actions**. +- **New repository secret**: Click on **New repository secret** to add each of the following: + - `AWS_ACCESS_KEY_ID`: Your AWS access key ID. + - `AWS_SECRET_ACCESS_KEY`: Your AWS secret access key. + - `DOCKER_PASSWORD`: Your docker password. + - `DOCKER_USERNAME`: Your docker username. + - Enter the **Name** and **Value** for each secret and click **Add secret**. + - These secrets can then be used in your GitHub Actions workflows without exposing them in your logs or repository files. -2. **Initialize Terraform**: In the root directory and run the initialization command. This will download all necessary Terraform providers. +2.**Clone the Repository**: - `terraform init` + `git clone https://github.com/alvo254/cloudific.git cd securecloud-monitor` -3. **Configure AWS Credentials**: Make sure your AWS credentials are configured by setting up the AWS CLI or by setting environment variables: +3.**Initialize Terraform**: Navigate to the Terraform directory and run the initialization command. This will download all necessary Terraform providers + + `cd terraform terraform init` + +4.**Configure AWS Credentials**: Make sure your AWS credentials are configured by setting up the AWS CLI or by setting environment variables: `export AWS_ACCESS_KEY_ID="your-access-key-id" export AWS_SECRET_ACCESS_KEY="your-secret-access-key" export AWS_DEFAULT_REGION="us-east-1"` -4. 
**Plan the Deployment**: Check the execution plan to see the resources Terraform plans to create: +5.**Plan the Deployment**: Check the execution plan to see the resources Terraform plans to create: `terraform plan` -5. **Apply the Configuration**: Deploy your infrastructure: - `terraform apply` +6.**Apply the Configuration**: Deploy your infrastructure: + `terraform apply` or `terraform apply -auto-approve` to skip the prompt + When prompted, type `yes` to proceed with the creation of resources. -6. **Verify Deployment**: After Terraform successfully applies the configuration, verify that all resources are created and functioning as expected in the AWS Management Console. +7.**Verify Deployment**: After Terraform successfully applies the configuration, verify that all resources are created and functioning as expected in the AWS Management Console. ## CI/CD Integration @@ -74,4 +82,4 @@ This project uses GitHub Actions for CI/CD. The workflows located in the `.githu ## Documentation and Training -- Keep all project documentation updated within the `sad.md` solutions architect document. +- Keep all project documentation updated within the `/docs` solutions architect document. diff --git a/SAD.md b/docs/SAD.md similarity index 98% rename from SAD.md rename to docs/SAD.md index 9be8d7d..f08d5ca 100644 --- a/SAD.md +++ b/docs/SAD.md @@ -1,4 +1,5 @@ # Solutions architect document + ## Table of Contents - Executive Summary @@ -13,6 +14,7 @@ - Maintenance and Monitoring ## 1. Executive Summary + The SecureCloud Monitor project aims to enhance the security and monitoring capabilities of a cloud infrastructure on AWS, specifically addressing the need for an integrated solution that utilizes AWS-native services for a cost-effective, scalable, and robust observability framework. This initiative follows a recent DDoS attack that caused significant downtime, underlining the need for improved resilience and threat management. ## 2. Current Architecture Review 
@@ -27,6 +29,7 @@ The SecureCloud Monitor project aims to enhance the security and monitoring capa - **AWS IAM**: Manages access control ## 3. Proposed Enhancements + - **Amazon ECS (Elastic Container Service)**: Manages the containerized application. - **Amazon CloudWatch**: For monitoring and logging. - **AWS WAF (Web Application Firewall)**: For protection against DDoS attacks and IP filtering. 
@@ -65,21 +68,22 @@ The SecureCloud Monitor project aims to enhance the security and monitoring capa - **Aviatrix Controller**: Centralized management of network security and operations. - **Aviatrix CoPilot**: Enhanced visibility and monitoring of network traffic. - **Aviatrix Security**: Advanced security controls including segmentation, firewall, and encryption. -#### **Centralized Network Visibility** + +#### **Aviatrix features** Aviatrix provides a centralized controller that allows you to visualize and manage your entire multi-cloud network through a single pane of glass. This includes: - **Topology Visualization**: Interactive, real-time diagrams of your entire network architecture across multiple clouds. This helps in quickly understanding the network layout and the interconnections between different network entities. - **Traffic Flow Analysis**: Insights into traffic patterns and flows within the network. This is crucial for identifying bottlenecks, understanding traffic behavior, and ensuring efficient routing of data. -#### **Advanced Analytics and Logging** +#### **Advanced Analytics and Logging** Aviatrix enhances its monitoring capabilities by integrating with native cloud services like AWS CloudWatch and also by providing its own detailed logging mechanisms: - **FlowIQ**: Aviatrix FlowIQ provides deep analytics into network traffic flows. It uses data collected from across the network to provide visibility into traffic based on source, destination, protocols, ports, and more. This is valuable for security monitoring, compliance audits, and troubleshooting network issues. - **NetFlow Data**: Aviatrix gateways can export NetFlow data, which can be integrated with third-party SIEM (Security Information and Event Management) systems for advanced analysis and threat detection. 
-#### **Alerting and Notifications** +#### **Alerting and Notifications** Aviatrix allows you to set up custom alerts based on a wide range of metrics related to network and security: 
@@ -153,32 +157,32 @@ A CI/CD pipeline will automate the build, test, and deployment processes, ensuri #### Implementation Steps 1. **Environment Setup** - + - **Blue Environment**: This is your current production environment. - **Green Environment**: This environment is created as an exact replica of the Blue environment. It is updated with the new release for testing and validation. 2. **Infrastructure Duplication** - + - Use Terraform to provision a complete replica of your existing production environment. This includes ECS services, databases, networking configurations, and any other dependent resources. - Ensure both environments are isolated and do not share stateful resources like databases unless these are also replicated or synchronized. 3. **CI/CD Pipeline Adaptation** - + - Adapt your CI/CD pipeline (implemented using GitHub Actions) to support Blue-Green deployments. - Deploy changes initially to the Green environment. Once deployed, conduct all necessary tests including load testing and security validation. 4. **Traffic Management** - + - Utilize AWS Route 53 or an Application Load Balancer (ALB) to manage traffic between the two environments. - Gradually route a small percentage of traffic to the Green environment (canary testing) and monitor performance and stability. - If the Green environment is stable, switch all traffic from Blue to Green. The ALB can facilitate this switch without downtime. 5. **Monitoring and Validation** - + - During the initial traffic rerouting phase, closely monitor application logs, performance metrics, and user feedback. - Utilize AWS CloudWatch and Aviatrix’s CoPilot for real-time monitoring and alerting. 6. **Rollback Strategy** - + - In case of any issues post-deployment, immediately reroute traffic back to the Blue environment. - Because the Blue environment remains untouched during the new release testing, rollback is safe and immediate. 7. 
**Final Cutover and Cleanup** - + - Once the Green environment has been validated and is fully operational without issues, decommission the previous Blue environment or repurpose it as the new staging area for the next release cycle. - Regularly update the rollback environment to keep it synchronized with production changes that occur post-deployment. 
@@ -215,23 +219,23 @@ A CI/CD pipeline will automate the build, test, and deployment processes, ensuri AWS Config plays a pivotal role in compliance and configuration management. It provides detailed insights into resource configuration and changes while ensuring that the configurations adhere to compliance guidelines. Here’s how AWS Config can be incorporated into the existing system: 1. **Configuration Recording**: - + - **Resource Tracking**: Automatically record configurations and changes for all AWS resources. This includes tracking changes in VPCs, EC2 instances, ECS services, IAM roles, and security groups. - **Inventory**: Maintain an inventory of all AWS resources, which helps in auditing and compliance. 2. **Compliance Enforcement**: - + - **Managed Rules**: Utilize AWS Config managed rules to assess compliance with common best practices and regulatory standards. - **Custom Rules**: Develop custom AWS Lambda functions to define and evaluate specific compliance requirements unique to your organizational needs. 3. **Continuous Monitoring**: - + - **Change Management**: AWS Config continuously monitors and records your AWS resource configurations and captures changes in real-time. This enables quick detection of non-compliant changes and unauthorized activities. - **Alerts and Notifications**: Integrate with Amazon SNS to send real-time alerts when non-compliant changes are detected. 4. **Compliance Auditing**: - + - **Audit Trail**: AWS Config maintains a record of all configuration changes over time, which serves as an audit trail for security audits and compliance checks. - **Compliance Dashboard**: Use the AWS Config dashboard to review current and historical configurations and their compliance status against the rules. 5. **Integration with CI/CD Pipeline**: - + - **Automated Compliance Checks**: Integrate AWS Config compliance checks into your CI/CD pipeline to ensure that all deployments are compliant before they are released to production. 
- **Rollback Mechanisms**: Automate rollback of changes that do not comply with defined compliance checks. @@ -240,15 +244,15 @@ AWS Config plays a pivotal role in compliance and configuration management. It p #### Revised Deployment Process 1. **Pre-Deployment Compliance Assessment**: - + - **Automated Compliance Check**: Before deploying new configurations or updates, automatically trigger AWS Config rules to ensure changes comply with security and regulatory policies. - **Approval Process**: Incorporate an approval step in the CI/CD pipeline where deployment proceeds only after compliance is confirmed. 2. **Post-Deployment Monitoring and Validation**: - + - **Continuous Compliance Monitoring**: After deployment, continuously monitor the compliance status of the new configuration using AWS Config. - **Compliance Reports**: Generate periodic compliance reports for internal audits and regulatory requirements. 3. **Documentation and Training**: - + - **Compliance Documentation**: Maintain detailed documentation of all compliance checks, configurations, and any exceptions granted. - **Training Programs**: Regular training sessions for the DevOps and cloud teams to update them on compliance requirements, AWS Config usage, and best practices in configuration management.
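Review bot: the README components hunk (`@@ -11,12 +11,6 @@`) removes Amazon GuardDuty, AWS Config, AWS CloudTrail, AWS Systems Manager, AWS ALB and Aviatrix from the component list, yet the `docs/SAD.md` hunks in this same patch still describe AWS Config compliance enforcement, Aviatrix CoPilot monitoring and ALB-based Blue-Green traffic switching as part of the design. Either keep those entries in the README or state in the patch that these components are no longer provisioned; as written, a reader cannot tell whether threat detection (GuardDuty) and audit logging (CloudTrail) were actually dropped from the deployment or only from the documentation.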
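Review bot: in the setup hunk (`@@ -36,28 +30,42 @@`), steps 2 to 7 are written as `2.**Clone the Repository**` with no space after the number, so Markdown will not render them as an ordered list; use `2. **Clone the Repository**`. In the same hunk the clone step clones `alvo254/cloudific.git` but then runs `cd securecloud-monitor`, while `git clone` creates a directory named `cloudific`; either pass the target directory to the clone (`git clone https://github.com/alvo254/cloudific.git securecloud-monitor`) or keep `cd cloudific`. Step 6 offers `terraform apply -auto-approve` and then says "When prompted, type `yes`", which is contradictory; for a stack that creates WAF, IAM and VPC resources I would drop the `-auto-approve` suggestion so the plan is always reviewed before apply. Step 1 also stores long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` values as repository secrets; consider instead letting the workflow assume an IAM role via OIDC federation with `aws-actions/configure-aws-credentials`, which avoids keeping static access keys in GitHub at all.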
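Review bot: in the documentation hunk (`@@ -74,4 +82,4 @@`), "within the `/docs` solutions architect document" points at a directory, not a document; since this patch renames `SAD.md` to `docs/SAD.md`, reference the file as `docs/SAD.md` (repo-relative, without the leading slash).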
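Review bot: in the Aviatrix hunk (`@@ -65,21 +68,22 @@`), renaming the heading from "Centralized Network Visibility" to "Aviatrix features" makes it less descriptive: the paragraph beneath it still describes the centralized controller, topology visualization and traffic flow analysis, and the sibling `####` headings "Advanced Analytics and Logging" and "Alerting and Notifications" are equally Aviatrix features, so the new title reads like a parent heading rather than a peer. Keep the original title, or, if a parent section is intended, promote it to `###` and leave the three `####` sections beneath it.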